Freedom9 freeGuard 100 Command Line Interface Manual Download | Manualshive

Page: 213 / 310

background image

206

helo-holddown
<holddown_integer>

The hello state hold-down time, which is the number of seconds
that a cluster unit waits before changing from hello state to work
state. A cluster unit changes from hello state to work statewhen
it starts up.

The hello state hold-down time range is 5 to 300 seconds.

20

load-balance-all
{disable | enable}

Configure active-active HA to load balance all sessions or to
load balance virus scanning sessions only. Enter enable to load
balance all communication sessions. Enter disable to load
balance only virus scanning sessions.

disable

mode {a-a | a-p |
standalone}

Set the HA mode.

Enter a-p to create an Active-Passive HA cluster, in which the
primary cluster unit isactively processing all connections and
the others are passively monitoring the status and remaining
synchronized with the primary cluster unit.

Enter a-a to create an Active-Active HA cluster, in which each
cluster unit is actively processingconnections and monitoring
the status of the other freeGuard 100s.

All members of an HA cluster must be set to the same HA
mode.

Enter standalone to remove the freeGuard 100 from an HA
cluster.

standalone

monitor {<interface-
1_str> <priority-
1_integer><interface_
2_str> <priority-
2_integer>}

Enable or disable monitoring freeGuard 100 interfacesand
setting monitor priorities. You can enter one or more interface
names followed by a space and a monitor priority. Use a space
to separate each interface name and priority pair. If you want to
remove an interface from the list, add an interface to the list, or
change the monitor priority of an interface you must retype the
list with theoptions changed as required.

You can monitor physical interfaces but not VLAN
subinterfaces. Increase the priority of interfaces connected to
higher priority networks or networks with moretraffic. The
monitor priority range is 0 to 255. If a high priority interface on
the primary cluster unit fails, one of the other units in the cluster
becomes the new primary unit to provide better service to the
high priority network.

If a low priority interface fails on one cluster unit and a high
priority interface fails on another cluster unit, a unit in the cluster
with a working connection to the high priority interface would, if
itbecomes necessary to negotiate a new primary unit, be
selected instead of a unit with a working connection to the low
priority interface.

No default

override {disable |
enable}

Configure the freeGuard 100 to always overridethe current
primary cluster unit and become the primary cluster unit in its
place. Enable OverrideMaster for the cluster unit that you have
given thehighest unit priority. Enabling Override Master means

disable

«
...
211
212
213
214
215
...
»

Summary of Contents for freeGuard 100

Page 1: ...freeGuard 100 UTM Firewall CLI USER S MANUAL P N F0025000 Rev 1 1...

Page 2: ...ed or translated into another language without express prior to written consent of freedom9 inc Copyright 2006 freeGuard and the freedom9 company logo are trademarks or registered trademarks of Freedo...

Page 3: ......

Page 4: ...E CATEGORY NAME_STR 30 4 3 HEURISTIC 33 4 4 SERVICE HTTP 34 4 5 SERVICE FTP 36 4 6 SERVICE POP3 37 4 7 SERVICE IMAP 39 4 8 SERVICE SMTP 41 5 CONFIG FIREWALL 43 5 1 ADDRESS 43 5 2 ADDRGRP 45 5 3 DNSTRA...

Page 5: ...77 10 1 ACCPROFILE 178 10 2 ADMIN 180 10 3 AUTOUPDATE CLIENTOVERRIDE 182 10 4 AUTOUPDATE OVERRIDE 183 10 5 AUTOUPDATE PUSH UPDATE 184 10 6 AUTOUPDATE SCHEDULE 186 10 7 AUTOUPDATE TUNNELING 187 10 8 BU...

Page 6: ...TBLOCK 278 13 3 SCRIPT 280 13 4 URLBLOCK 281 13 5 URLEXM 283 13 6 URLPAT 285 14 EXECUTE 287 14 1 BACKUP 287 14 2 DATE 288 14 3 DHCPCLEAR 289 14 4 ENTER 289 14 5 FACTORYRESET 289 14 6 HA MANAGE 289 14...

Page 7: ......

Page 8: ...is an alphabetic reference to the commands used to configure firewall policies and settings CONFIG lOG is an alphabetic reference to the commands used to configure logging CONFIG IPS is an alphabetic...

Page 9: ...by a dotted decimal IPv4 netmask xxx_ipv6 indicates an IPv6 address xxx_v6mask indicates an IPv6 netmask xxx_ipv6mask indicates an IPv6 address followed by an IPv6 netmask Vertical bar and curly brac...

Page 10: ...al documentation You can send information about errors or omissions in this document or any Freedom9 technical documentation to support freedom9 com 1 4 Customer service and technical support For anti...

Page 11: ...the firewall VPN IPS and antivirus features Auth Users Can access the authorized users feature Admin Users Can access the administrative users feature freeGuard Protect Update Can access the update o...

Page 12: ...he freeGuard 100 CLI A prompt similar to the following appears FreeGuard 100 login Type a valid administrator name and press Enter Type the password for this administrator and press Enter The followin...

Page 13: ...freeGuard 100 interface to be configured to accept Telnet connections For example to configure the internal interface to accept Telnet connections enter config system interface edit internal set allow...

Page 14: ...press Enter Type the password for this administrator and press Enter freeGuard 100 is displayed You have connected to the freeGuard 100 CLI and you can enter CLI commands Connecting to the freeGuard 1...

Page 15: ...r example type config system admin and press Enter to access the shell to add or edit administrator accounts end Save the changes you have made in the current shell and leave the shell Every config co...

Page 16: ...or User1 without leaving the config user local shell Continue using the edit set and next commands to continue adding user accounts type end and press Enter to save the last configuration and leave th...

Page 17: ...orward disable type physical ip6 address 0 ip6 send adv disable Example When you type get in the internal interface shell the configuration values for the internal interface are displayed At the inter...

Page 18: ...atus up netbios forward disable type physical ip6 address 0 ip6 send adv disable Example You want to confirm the IP address and netmask of the internal interface from the root prompt At the prompt typ...

Page 19: ...plays config system interface edit internal set allowaccess ssh ping https set ip 192 168 20 200 255 255 255 0 next end Example You are working in the internal interface shell and want to see the syst...

Page 20: ...ers for displaying different levels of diagnostic information The diagnose commands are not documented in this CLI Reference Guide Caution Diagnose commands are intended for advanced users only Contac...

Page 21: ...s shell without saving your changes type abort and press Enter To save your changes and exit the dns sub shell type end and press Enter To confirm your changes have taken effect after leaving the dns...

Page 22: ...e prompt changes to secondaryip At the secondaryip prompt type The following options are displayed edit delete purge get show end To add a secondary IP address with the ID number 0 type edit 0 and pre...

Page 23: ...t ip 192 168 100 90 255 255 255 0 and press Enter To restore the secondary IP address with the ID number 1 to the default type unset ip and press Enter If you want to leave the secondary IP address 1...

Page 24: ...tion combination and a description of each option Command completion You can use the tab key or the question mark key to complete commands You can press the tab key at any prompt to scroll through the...

Page 25: ...ables USERFROM The management access type SSH Telnet and so on and the IP address of the logged inadministrator USERNAME The user account name of the logged in administrator SerialNum The serial numbe...

Page 26: ...ing includes tabs or spaces All special characters are valid within the single quotes Use to include a single quote in a single quoted string Use to include a backslash in a single quoted string For e...

Page 27: ...or errors If the freeGuard 100 finds an error an error message is displayed after the command and the command is rejected Then the freeGuard 100 restarts and loads the new configuration Setting page l...

Page 28: ...b Case sensitivity Regular expression pattern matching is case sensitive in the Web and Spam filters To make a word or phrase case insensitive use the regular expression i For example bad language i...

Page 29: ...8 and foo_1 100 s mk the strings 100 and mk optionally separated by any amount of white space spaces tabs newlines abc b abc when followed by a word boundary e g in abc but not in abcd perl B perl whe...

Page 30: ...email for administrative events such as user logins resets and configuration updates disable Anomaly disable enable Enable or disable sending an alert email when the freeGuard 100 logs an attack cove...

Page 31: ...alert email when the freeGuard 100 logs a DHCP service event disable email disable enable Enable or disable sending an alert email when the freeGuard 100 logs an email filter event disable email_log_i...

Page 32: ...s required critical Functionality is affected error An erroneous condition exists and functionality is probably affected warning Functionality might be affected notification Information about normal e...

Page 33: ...email filter If the show command returns you to the prompt the settings are at default Command History Related Commands config alertemail setting config log 3 2 setting Use this command to configure t...

Page 34: ...lert email for error level messages 5 information interval minutes_integer Enter the number of minutes the freeGuard 100 should wait before sending out alert email for information level messages 30 ma...

Page 35: ...lertemail setting set server mail ourcompany com set username freeGuard 100 ourcompany com set mailto1 admin1 ourcompany com set mailto2 admin2 ourcompany com set alert interval 2 set critical interva...

Page 36: ...filepattern edit filepattern_str set keyword variable end config antivirus filepattern edit filepattern_str unset keyword end config antivirus filepattern delete filepattern_str end get antivirus file...

Page 37: ...This example shows how to display the settings for the bat file pattern get antivirus filepattern bat This example shows how to display the configuration for the entire file pattern list show antiviru...

Page 38: ...as web browsing habits to the advertiser s web site where it may be recorded and analyzed Keylog Keylogger programs can record every keystroke made on a keyboard including passwords chat and instant...

Page 39: ...or disable grayware scanning for the specified category disable Example This example shows how to enable grayware scanning for Adware programs config antivirus grayware Adware set status enable end Th...

Page 40: ...ntivirus heuristic set keyword variable end config antivirus heuristic unset keyword end get antivirus heuristic show antivirus heuristic antivirus heuristic command keywords and variables Keywords Va...

Page 41: ...ans for HTTP Command syntax pattern config antivirus service http set keyword variable end config antivirus service http unset keyword end get antivirus service http show antivirus service http antivi...

Page 42: ...ile is passed or blocked according to the user configuration in the firewall profile The uncompsizelimit applies to the uncompressed size of the file If other files are inlcuded within the file the un...

Page 43: ...the freeGuard 100 RAM size For example a freeGuard 100with 256 MB of RAM could have a threshold range of 1 MB to 25 MB Oversized files can be passed or blocked in a firewall protection profile Note F...

Page 44: ...rt 20 21 end This example shows how to display the antivirus FTP traffic settings get antivirus service ftp This example shows how to display the configuration for antivirus FTP traffic show antivirus...

Page 45: ...ta So a file may be blocked or logged as oversized even if the attachment is several megabytes less than the memfilesizelimit 10 MB port port_integer Configure antivirus scanning on a nonstandard port...

Page 46: ...Command syntax pattern config antivirus service imap set keyword variable end config antivirus service imap unset keyword end get antivirus service imap show antivirus service imap antivirus service i...

Page 47: ...s work See How file size limits work Example This example shows how to set the maximum file size that can be buffered to memory for scanning at 25 MB the maximum uncompressed file size that can be buf...

Page 48: ...MB of RAM could have a threshold range of 1 MB to 25 MB Note For email scanning the memfilesizelimit refers to the final size of the email after encoding by the email client including attachments Emai...

Page 49: ...service smtp set memfilesizelimit 100 set uncompsizelimit 1000 set port 25 set port 465 end This example shows how to display the antivirus SMTP traffic settings get antivirus service smtp This exampl...

Page 50: ...ress range The freeGuard 100 comes configured with the default address All which represents any IP address Addresses address groups and virtual IPs must all have unique names to avoid confusion in fir...

Page 51: ...tmask for a class A subnet should be 255 0 0 0 The netmask for a class B subnet should be 255 255 0 0 The netmask for a class C subnet should be 255 255 255 0 0 0 0 0 0 0 0 0 end_ip address_ipv4 If ty...

Page 52: ...firewall addrgrp config firewall policy 5 2 addrgrp Add edit or delete address groups used in firewall policies You can organize related addresses into address groups to make it easier to configure po...

Page 53: ...dd an address group named Group1 and add the addresses User_Network and User_Range to the group config firewall addrgrp edit Group1 set User_Network User_Range end This example shows how to display th...

Page 54: ...a DNS translation source address DNS translation changes the IP address in the DNS packet to the DNS translation destination IP address and forwards the packet through the firewall to the external us...

Page 55: ...through the FreeGuard 100 You can allow or block traffic not defined in the IP MAC binding table You can enable or disable IP MAC binding for each individual FreeGuard 100 interface using the ipmac ke...

Page 56: ...tofw Configure how IP MAC binding handles packets with IP and MAC addresses that are not defined in the IP MAC list Setting undefinedhost configures thisbehavior for traffic going through the firewall...

Page 57: ...sequence_integer end get firewall ipmacbinding setting sequence_integer show firewall ipmacbinding setting sequence_integer firewall ipmacbinding table command keywords and variables Keywords Variabl...

Page 58: ...tings for the first entry id 1 in the IP MAC binding table get firewall ipmacbinding table 1 This example shows how to display the configuration for IP MAC binding table show firewall ipmacbinding tab...

Page 59: ...escription Default endip address_ipv4 The end IP of the address range The end IP must be higher than the start IP The end IP must be onthe same subnet as the IP address of the interface for which you...

Page 60: ...the firewall ippool command show firewall ippool This example shows how to display the configuration for the id 1 IP pool show firewall ippool 1 Command History Related Commands policy 5 7 multicast p...

Page 61: ...ts 0 0 0 0 0 0 0 0 srcintf name_str Enter the source interface name to match against multicast NAT packets No default Example This example shows how to configure a multicast NAT policy config firewall...

Page 62: ...firewall policy edit id_integer set keyword variable end config firewall policy edit id_integer unset keyword end config firewall policy delete id_integer end config firewall policy move id_integer a...

Page 63: ...servcode_rev reply_binary Set the Differentiated Services Code Point DSCP value in the Diffserv field ofreply packets The value is 6 bits binary The valid range is 000000 111111 000000 dstaddr name_st...

Page 64: ...r VPN tunnels that match this policy disable natip address_ipv4mask Configure natip for a firewall policy with action set to encrypt and with outbound NAT enabled Specify the IP address and subnet mas...

Page 65: ...erface a VLAN subinterface or a zone You cannot use an interface or VLAN subinterface for srcintf if the interface or VLAN subinterface has been added to a zone No default status disable enable Enable...

Page 66: ...ternal set dstintf dmz set status enable set srcaddr all set dstaddr dmz_web_server set schedule Always set service HTTP set action accept set nat enable set trafficshaping enable set gbandwidth 100 s...

Page 67: ...le profilename_str firewall profile command keywords and variables Keywords Variables Description Default cat_allow cat_integer cat_integer cat_integer You must subscribe to a web filtering service fr...

Page 68: ...image_urls to block images rated by freeGuard freeGuard rates images based onthe URL of the image Images that should be bocked are replaced with a blank image on the original web page freeGuard has ra...

Page 69: ...exempt Select the actions that this profile uses for filtering HTTP traffic for a policy Enter bannedword to enable web content blocking based on the banned word list Enter block to enable deleting fi...

Page 70: ...s even if the files do not contain viruses Enter content archive to enable archiving ofIMAP content meta information to a Logappliance Enter fragmail to enable blocking fragmented email messages Enter...

Page 71: ...tions that this profile uses for filtering IPS traffic for a policy Enter anomaly to enable filtering traffic based on the IPS anomaly list Enter signature to enable filtering traffic basedon the IPS...

Page 72: ...hdrcheck to enable filtering based on the MIME header list Enter spamaddrdns to enable filtering based on the return e mail DNS check Enter spamrbl to enable checking traffic against configured DNS ba...

Page 73: ...ubnet address Enter spamaddrdns to enable filtering based on the return e mail DNS check Enter spamrbl to enable checking traffic against configured DNS based Blackhole List DNSBL and Open Relay Datab...

Page 74: ...A tag of more than one word a phrase must be enclosed in single quotes to be accepted bythe CLI Spam smtp_spamtagtype header subject Enter the location for the spam tag The spam tag can be added to t...

Page 75: ...ings for the spammail profile get firewall profile spammail This example shows how to display the configuration for the firewall profile command show firewall profile This example shows how to display...

Page 76: ...5 30 or 45 yyyy 1992 to infinity mm 01to 12 dd 01to 31 No default start hh mm yyyy mm dd The starting day and time of the schedule hh 00to 23 mm 00 15 30 or 45 yyyy 1992 to infinity mm 01to 12 dd 01to...

Page 77: ...times of the day or on specified days of the week Note If you create a recurring schedule with a stop time that occurs before the start time the schedule starts at the start time and finishes at the...

Page 78: ...ay Friday set start 07 45 set end 17 30 end Edit the recurring schedule named access so that it is no longer valid on Fridays config firewall schedule recurring edit access set day monday tuesday wedn...

Page 79: ...t_integer Enter the destination port range for the service If the destination port range can be any port enter 1 65535 To specify a single port enter the same port number for lowport_integer and high...

Page 80: ...tings for the Custom_1 service get firewall service custom Custom_1 This example shows how to display the configuration for the firewall service custom command show firewall service custom This exampl...

Page 81: ...o add to theservice group To view the list of available services enter set member at the prompt service_str is case sensitive No default Example This example shows how to add a service group called we...

Page 82: ...se networks you must create a mapping between an address on the source network and the real address on the destination network This mapping is called a virtual IP You can create two types of virtual I...

Page 83: ...e For port forwarding virtual IP this address can be any IP address including the IP address of the extintf name_str If the IP address of extintf name_str is set using PPPoE or DHCP extip address_ipv4...

Page 84: ...cnat set extintf external set extip 64 32 21 34 set mappedip 192 168 1 44 end This example shows how to edit the static NAT virtual IP named web_Server to change the real IP address of the web server...

Page 85: ...ow to display the settings for the web_Server VIP get firewall vip web_Server This example shows how to display the configuration for the firewall vip command show firewall vip This example shows how...

Page 86: ...mit If the number of concurrent sessions to a single destination is over a threshold the destination session limit session limit is reached You can enable or disable logging for each anomaly and you c...

Page 87: ...80 The config ips anomaly command has 1 subcommand config limit...

Page 88: ...and action is set to Pass the anomaly is effectively disabled pass_session The freeGuard 100 lets the packet that triggered theanomaly and all other packets in the session pass through the firewall re...

Page 89: ...e threshold threshold_integer For the anomalies that include the threshold setting traffic over the specified threshold triggers the anomaly Varies Example This example shows how to change the tcp_lan...

Page 90: ...o more general For example if you define thresholds for 192 168 100 0 24 and 192 168 0 0 16 the address with the 24 bit netmask is matched before the entry with the 16 bit netmask Command syntax patte...

Page 91: ...platform you can add custom signatures based on the security alerts released by the application and platform vendors You can also use custom signatures to block or allow specific traffic Once you add...

Page 92: ...10 config ips custom edit ICMP10 set signature F SBID protocol icmp icmp_type 10 revision 2 end This example shows how to display the list of custom signatures get ips custom This example shows how to...

Page 93: ...type of attack By default all signature groups are enabled You can enable or disable signature groups or individual signatures Disabling unneeded signatures can improve system performance and reduce...

Page 94: ...integer If a session is idle for longer than this number ofseconds the session is be maintained by tcp reassembly 30 min_ttl ttl_integer A packet with a higher ttl number in its IP header than the num...

Page 95: ...the configuration for the dos signature group show ips group dos config rule rule name_str Access the rule subcommand using the ips group command Use the config rule subcommand to configure the settin...

Page 96: ...ts in the sessionpass through the firewall reset The freeGuard 100 drops the packet that triggered the signature sends a reset to both the client and the server and removes the session from the freeGu...

Page 97: ...config rule NAPTHA set action drop end end This example shows how to display the list of signature groups get ips group This example shows how to display the settings for the dos signature group get i...

Page 98: ...yword variable end config log log memory syslogd webtrends filter unset keyword end get log log memory syslogd webtrends filter show log log memory syslogd webtrends filter log log memory syslogd webt...

Page 99: ...Enable or disable archiving of HTTP content Archives can include meta data information such as file sizes source and destination addresses and status disable content_log_ima p disable enable Enable o...

Page 100: ...elect For example if you select error the unit logs error critical alert and emergency level messages emergency The system is unusable alert Immediate action is required critical Functionality is affe...

Page 101: ...ettings for logging to a freeGuard 100 get log memory filter This example shows how to display the configuration for logging to a syslog server show log syslogd filter If the show command returns you...

Page 102: ...sksecret str_psk Enter the pre shared key for the IPSec VPN tunnel to a Log unit You can create anIPSec VPN tunnel if one or more freeGuard 100s are sending log messages to a unit across the Internet...

Page 103: ...d in the memory buffer After all available memory is used by default the freeGuard 100 begins to overwrite the oldest messages All log entries are deleted when the freeGuard 100 restarts Command synta...

Page 104: ...re at default Command History Related Commands log memory syslogd webtrends filter log setting syslogd setting trafficfilter webtrends setting 7 4 syslogd setting Use this command to configure log set...

Page 105: ...s are alert log alert audit log audit auth security authorization messages authpriv security authorization messages private clock clock daemon cron cron daemon performing scheduled commands daemon sys...

Page 106: ...ample shows how to display the configuration for logging to a remote syslog server show log syslogd setting If the show command returns you to the prompt the settings are at default Command History Re...

Page 107: ...es disable Example This example shows how to display the service name and enable resolving IP addresses to host names in log messages config log trafficfilter set display name set resolve enable end T...

Page 108: ...0 0 0 0 0 0 service name_str Enter the service for which you want to filter traffic logs You can choose from any of the predefined services listed and any custom services you haveconfigured No default...

Page 109: ...memory setting syslogd setting webtrends setting 7 6 webtrends setting Use this command to configure log settings for logging to a remote computer running a NetIQ WebTrends firewall reporting server f...

Page 110: ...emote WebTrends server config log webtrends setting set status enable set server 220 210 200 190 end This example shows how to display the settings for logging to a remote WebTrends server get log web...

Page 111: ...hether to match the prefix exactly or to match the prefix and any more specific prefix The freeGuard 100 attempts to match a packet against the rules in an access list starting at the top of the list...

Page 112: ...eyword variable end config rule edit id_integer unset keyword variable end config rule delete id_integer end get router access list name_str show router access list name_str rule command keywords and...

Page 113: ...le next edit 2 set prefix 192 168 0 0 255 255 0 0 set action permit set exact_match disable end end This example shows how to display the list of access lists get router access list This example shows...

Page 114: ...e status of the freeGuard 100 interfaces and whether OSPF is enabled for each interface neighbor Show information about OSPF neighbors route Show the OSPF routing table status Show general information...

Page 115: ...nd variables Keywords Description database Show the entries in the RIP routing database interface Show the status of the FreeGuard 100 interfaces and whether RIP is enabled for each interface Examples...

Page 116: ...ured with the same keys A key chain is a list of one or more keys and the send and receive lifetimes for each key Keys are used for authenticating routing packets only during the specified lifetimes T...

Page 117: ...ariables Keywords Variables Description Default accept lifetime hh mm ss day month year hh mm ss day month year duration_integer infinite Set the time period during which the key can be received The f...

Page 118: ...e duration_integer range is from 1 to 2147483646 seconds No default Example This example shows how to add a key chain named test1 with three keys The first two keys each have send and receive lifetime...

Page 119: ...t path first OSPF on the freeGuard 100 OSPF is an open protocol based on the shortest path first algorithm OSPF is a link state protocol capable of routing larger networks than the simpler distance ve...

Page 120: ...outers that because of limited resources may not be able to maintain a complete link state database disable database overflow max lsas lsas_integer If you have enabled database overflow set the limit...

Page 121: ...Enable or disable RFC 1583 compatibility RFC 1583 compatibility should be enabled only when there is another OSPF router in the network that only supports RFC 1583 When RFC 1583 compatibility is enabl...

Page 122: ...logical groupings called areas Areas are linked together by area border routers ABRs There must be a backbone area that all areas can connect to You can use a virtual link to connect areas that do no...

Page 123: ...erfaces the authentication configured for the area is not used Authentication passwords or keys are defined per interface See config ospf interface none default cost cost_integer Enter the metric to u...

Page 124: ...ator if it is in a NSSA shortcut default disable enable Use this command to specify area shortcut parameters disable stub type no summary summary Enter no summary to prevent an ABR sending summary LSA...

Page 125: ...area You can use access or prefix lists for OSPF area filter lists For more information see access list and prefixlist Command syntax pattern config filter list edit id_integer set keyword variable e...

Page 126: ...ess list named acc_list1 to filter packets entering area 15 1 1 1 config router ospf config area edit 15 1 1 1 config filter list edit 1 set direction in set list acc_list1 end end This example shows...

Page 127: ...id_integer end config range edit id_integer get end config range edit id_integer show end Note Only the prefix keyword is required All other keywords are optional range command Keywords Variables Keyw...

Page 128: ...ows how to display the configuration for area 15 1 1 1 config router ospf config area edit 15 1 1 1 show end config virtual link Access the config virtual link subcommand using the config area command...

Page 129: ...r this virtual link If you select none no authentication is used If you select text the authentication key is sent as plain text If you select md5 an authentication key isused to generate an MD5 hash...

Page 130: ...ange for id_integer is 1 to 255 key_str is an alphanumeric string ofup to 16 characters No default peer address_ipv4 The router id of the remote ABR 0 0 0 0 is not allowed 0 0 0 0 retransmit interval...

Page 131: ...d to use an access list to filter the networks in routing updates Routes not matched by any of the distribute lists will not be advertised You must configure the access list that you want the distribu...

Page 132: ...hespecified protocol and that are permitted by the named access list connected Example This example shows how to configure a distribute list numbered 2 to use an access list named acc_list1 for all st...

Page 133: ...id_integer end config neighbor edit id_integer get end config neighbor edit id_integer show end Note Only the ip keyword is required All other keywords are optional neighbor command keywords and varia...

Page 134: ...e shows how to display the settings for neighbor 1 config router ospf config neighbor edit 1 get end This example shows how to display the configuration for neighbor 1 config router ospf config neighb...

Page 135: ...e associated with the prefix 0 0 0 0 prefix address_ipv4mask Enter the IP address and netmask for the OSPF network 0 0 0 0 0 0 0 0 Example Use the following command to enable OSPF for the interfaces a...

Page 136: ...ated OSPF settings Command syntax pattern Note The interface name_str variable in the syntax pattern below represents a descriptive name for this OSPF configuration To set the freeGuard 100 interface...

Page 137: ...etwork problems that can occur if an unwanted or misconfigured router is mistakenly added to the network If you configure authentication for the interface authentication for areas is not used All rout...

Page 138: ..._integer Change the Maximum Transmission Unit MTU size included in database descriptionpackets sent out this interface The valid range for mtu_integer is 576 to 65535 1500 mtu ignore disable enable Us...

Page 139: ...ble Enable or disable OSPF on this interface enable transmit delay seconds_integer The estimated time in seconds required tosend a link state update packet on this interface OSPF increments the age of...

Page 140: ...edistribute connected static rip set keyword variable end config redistribute connected static rip unset keyword end get router ospf show router ospf redistribute command keywords and variables Exampl...

Page 141: ...ter ospf config summary address Access the config summary address subcommand using the config router ospf command Use this command to summarize external routes for redistribution into OSPF This comman...

Page 142: ...refix 0 0 0 0 0 0 0 0 is not allowed 0 0 0 0 0 0 0 0 tag tag_integer Specify a tag for the summary route The valid range for tag_integer is 0 to 4294967295 0 Example This example shows how to summariz...

Page 143: ...ng any number of static routes can be defined for the same destination IP mask When multiple routes for the same destination IP mask exist the freeGuard 100 chooses the route with the lowest number in...

Page 144: ...0 start_port port_integer The start port number of a port range for apolicy route Match packets that have this destination port range You must configure both the start_port and end_port keywords for...

Page 145: ...1 end Enter the following command to direct all HTTP traffic using port 80 to the next hop gateway at IP address 1 1 1 1 config router policy edit 1 set input_device internal set src 0 0 0 0 0 0 0 0 s...

Page 146: ...to control the length of the prefix netmask Each rule in a prefix list consists of a prefix IP address and netmask the action to take for this prefix permit or deny and maximum and minimum prefix leng...

Page 147: ...s Description Default action deny permit Set the action to take for this prefix permit ge length_integer Match prefix lengths that are greater than orequal to this number The setting for ge should be...

Page 148: ...prefix list edit prf_list1 config rule edit 1 set prefix 192 168 100 0 255 255 255 0 set action permitset ge 26 set le 30 next edit 2 set prefix 10 1 0 0 255 255 0 0 set action denyset ge 20 set le 2...

Page 149: ...support simple authentication and subnet masks RIP is a distance vector routing protocol intended for small relatively homogeneous networks RIP uses hop count as its routing metric Each network is usu...

Page 150: ...le blocking broadcast updates on the specified interface No default timeout timer timer_integer The time interval in seconds after which a route is declared unreachable The route is removed from the r...

Page 151: ...e Access the config distance subcommand using the config router rip command Configure administrative distance to set the priority of routes advertised by different routing protocols to the same destin...

Page 152: ...0 config router rip config distance edit 1 set distance 10 end end This example shows how to display the RIP settings get router rip This example shows how to display the RIP configuration show router...

Page 153: ...erface to apply this distribute list to If you do not specify an interface this distribute list will be used for all interfaces null listname access prefix listname_str Enter the name of the access li...

Page 154: ...ace edit interface name_str set keyword variable end config interface edit interface name_str unset keyword end config interface delete interface name_str end get router rip show router rip interface...

Page 155: ...2 to configure RIP to send RIP version 2 messages from an interface Enter 1 2 to configure RIP to send both RIP version 1 and RIP version 2 messages from an interface No default send version1 compatib...

Page 156: ...nd unicast routing updates to the router at the specified address You can use the neighbor command and passive interface name_str to allow RIP to send unicast updates to the specified neighbor while b...

Page 157: ...ip This example shows how to display the RIP configuration show router rip config network Access the config network subcommand using the config router rip command Use this command to identify the netw...

Page 158: ...0 config router rip config network edit 2 set prefix 10 0 0 0 255 255 255 0 end end This example shows how to display the RIP settings get router rip This example shows how to display the RIP configu...

Page 159: ...r range is from 1 to 16 0 status disable enable Enable or disable this offset list disable Example This example shows how to configure and enable offset list number 5 that adds a metric of 3 to incomi...

Page 160: ...range is from 0 to 16 0 routemap name_str Enter the name of the route map to use for the redistributed routes For information on how to configure route maps see config router route map null status di...

Page 161: ...map starting at the top of the list If it finds a match it makes the changes defined in the set statements and then takes the action specified for the rule If no match is found in the route map the de...

Page 162: ...Enter deny to deny routes that match thisrule permit match interface name_str Match a route with the specified destinationinterface null match ip address access prefix listname_str Match a route if t...

Page 163: ...utes that match a metric of 2 and changes the metric to 4 config router route map edit rtmp2 config rule edit 1 set match ip address acc_list2 set action deny next edit 2 set match metric 2 set action...

Page 164: ...dministrative distance the greater the preferability of the route The freeGuard 100 assigns routes using a best match algorithm To select a route for a packet the freeGuard 100 searches through the ro...

Page 165: ...e IP address of the first next hop router to which this route directs traffic 0 0 0 0 This example shows how to add a static route that has the sequence number 2 config router static edit 2 set dev in...

Page 166: ...s of the packet If a match is not found the freeGuard 100 routes the packet using the default route Command syntax pattern config router static6 edit sequence_integer set keyword variable end config r...

Page 167: ...to display the list of IPV6 static route numbers get router static6 This example shows how to display the settings for IPV6 static route 2 get router static6 2 This example shows how to display the I...

Page 168: ...e final spam filter You can use Perl regular expressions or wildcards to add banned word patterns to the list See Using Perl regular expressions You can add one or more banned words to sort email cont...

Page 169: ...Korean Simplified Chinese Thai Traditional Chinese or Western western pattern banned word_str Enter the banned word or phrase pattern You can use regular expressions or wildcards No default pattern_ty...

Page 170: ...s how to display the settings for the fifth banned word in the list get spamfilter bword 5 This example shows how to display the configuration for the banned word list show spamfilter bword This examp...

Page 171: ...ons or wildcards to add email address patterns to the list See Using Perl regular expressions Command syntax pattern config spamfilter emailbwl edit email address_integer set keyword variable end conf...

Page 172: ...ewhere com next edit 11 set status enable set action clear set pattern freedom9 com set pattern_type wildcard end This example shows how to display the spamfilter email list get spamfilter emailbwl Th...

Page 173: ...spam filter techniques in a two pass process On the first pass if spamfsip is selected in the protection profile extracts the SMTP mail server source address and sends the IP address to a server to se...

Page 174: ...IP address or URL is deleted disable cache_ttl ttl_integer Enter a time to live in seconds for cache entries Enter from 0 to 3600 seconds 3600 hostname url_str The host name of the server The freeGua...

Page 175: ...emailbwl config spamfilter ipbwl config spamfilter mheader config spamfilter rbl 9 4 ipbwl Use this command to filter email based on the IP or subnet address The freeGuard 100 spam filters are genera...

Page 176: ...ter ipbwl edit address ipv4_integer unset keyword end config spamfilter ipbwl delete address ipv4_integer end get spamfilter ipbwl address ipv4_integer show spamfilter ipbwl address ipv4_integer spamf...

Page 177: ...for the entire IP list show spamfilter ipbwl If the show command returns you to the prompt there are no IP addresses in the list This example shows how to display the configuration for the seventh ent...

Page 178: ...t_Type image jpg The first part of the MIME header is called the header key or just header The second part is called the value Spammers often insert comments into header values or leave them blank The...

Page 179: ...value header field name You can use wildcards or Perl regular expressions No default pattern_type regexp wildcard Enter the pattern_type for the MIME header Choose from wildcards or Perl regular expr...

Page 180: ...show spamfilter mheader 7 Command History Related Commands config spamfilter bword config spamfilter emailbwl config spamfilter shield config spamfilter ipbwl config spamfilter rbl 9 6 rbl Use this co...

Page 181: ...ntax pattern config spamfilter rbl edit server_integer set keyword variable end config spamfilter rbl edit server_integer unset keyword end config spamfilter rbl delete server_integer end get spamfilt...

Page 182: ...the second entry in the spamfilter DNSBL list get spamfilter rbl 2 This example shows how to display the configuration for the entire DNSBL list show spamfilter rbl If the show command returns you to...

Page 183: ...176...

Page 184: ...ing bug report console dhcp exclude_range dhcp ipmacbinding dhcp server dns fm get system performance get system status global ha interface ipv6_tunnel mac address table manageip modem oobm interface...

Page 185: ...file name_str unset keyword end config system accprofile delete profile name_str end get system accprofile profile name_str show system accprofile profile name_str accprofile command keywords and vari...

Page 186: ...em and router settings none deny access r read only access rw read write access w write only access none sysshutdowngrp none r rw w Control administrator access to system shutdownand reboot functions...

Page 187: ...olicy_profile access profile get system accprofile policy_profile Command History Related Commands admin 10 2 admin Use this command to add edit and delete administrator accounts Use the admin account...

Page 188: ...ask to 0 0 0 0 0 0 0 0 0 0 0 0 trusthost2 address_ipv4mask An IP address or subnet address and netmask from which the administrator can connect to the freeGuard 100 If you want the administrator to be...

Page 189: ...erface than that connected to This command changes the source IP address of update requests to the server causing it to send the update to the modified source address Command syntax pattern config sys...

Page 190: ...clientoverride Command History Related Commands autoupdate override autoupdate push update autoupdate schedule autoupdate tunneling execute update_now 10 4 autoupdate override Use this command to add...

Page 191: ...ride This example shows how to display the configuration for the system autoupdate override command show system autoupdate override Command History Related Commands autoupdate push update autoupdate s...

Page 192: ...e unset keyword end get system autoupdate push update show system autoupdate push update autoupdate push update command keywords and variables Keywords Variables Description Default address server add...

Page 193: ...hedule set keyword variable end config system autoupdate schedule unset keyword end get system autoupdate schedule show system autoupdate schedule autoupdate schedule command keywords and variables Ke...

Page 194: ...time 03 00 set status enable end This example shows how to display the settings for the system autoupdate schedule command get system autoupdate schedule This example shows how to display the configu...

Page 195: ...port Command syntax pattern config system autoupdate tunneling set keyword variable end config system autoupdate tunneling unset keyword end get system autoupdate tunneling show system autoupdate tun...

Page 196: ...autoupdate schedule 10 8 bug report Use this command to configure a custom email relay for sending problem reports to Freedom9 customer support For more information on sending problem reports see the...

Page 197: ...system bug report set auth yes set password 123456 set server 10 0 0 1 set username User1 end This example shows how to display the settings for the bug report command get system bug report This exam...

Page 198: ...s per page to 25 config system console set baudrate 38400 set page 25 end This example shows how to display the settings for the console command get system console This example shows how to display th...

Page 199: ...st be in the same subnet 0 0 0 0 Example Use the following command to add an exclusion range from 192 168 20 22 to 192 168 20 25 config system dhcp exclude_range edit 1 set start ip 192 168 20 22 set...

Page 200: ...erver mode using the dhcpserver mode keyword in the config system interface command Command syntax pattern config system dhcp ipmacbinding edit name_str set keyword variable end config system dhcp ipm...

Page 201: ...interface 10 12 dhcp server Use this command to add one or more DHCP servers for any freeGuard 100 interface As a DHCP server the interface dynamically assigns IP addresses to hosts on a network conne...

Page 202: ...r Domain name suffix for the IP addresses that the DHCP server assigns to DHCP clients No default end ip address_ipv4 The ending IP for the range of IP addresses that this DHCP server assigns to DHCP...

Page 203: ...nge is defined by the start ip and the end ip 0 0 0 0 wins server1 address_ipv4 The IP address of the first WINS server that the DHCP server assigns to DHCP clients 0 0 0 0 wins server2 address_ipv4 T...

Page 204: ...rver This example shows how to display the configuration for the new_dhcp DHCP server show system dhcp server new_dhcp Command History Related Commands dhcp exclude_range dhcp ipmacbinding interface 1...

Page 205: ...Example This example shows how to set the primary FreeGuard 100 DNS server IP address to 45 37 121 76 and the secondary freeGuard 100 DNS server IP address to 45 37 121 77 config system dns set prima...

Page 206: ...ard 100 to be managed by a Server config system fm set id FMServer_Gateway set ip 192 20 120 100 end Command History Related Commands config vpn ipsec manualkey config vpn ipsec phase1 config vpn ipse...

Page 207: ...s 480 minutes 8 hours To improve security keep the idletimeout at the default value 5 allow interface subnetoverlap disable enable Enable or disable limited support for interface and VLAN subinterface...

Page 208: ...interval Enter a number in seconds to specify how often the freeGuard 100 pingsthe target 0 disables dead gateway detection 0 ip_signature disable enable disable only TCP UDP and ICMP packets are pro...

Page 209: ...you can use see http www ntp org disable opmode nat transparent Change the freeGuard 100 operation mode to NAT Route or Transparent mode nat phase1 rekey enable disable Enable or disable automatic rek...

Page 210: ...ist and enter the correct number 00 Example This example shows how to change to Transparent mode config system global set opmode transparent end This example shows how to display the settings for the...

Page 211: ...tion disable enable Enable disable HA heartbeat messageencryption Enabling HA heartbeat messageencryption prevents an attacker from sniffing HA packets to get HA cluster information disable groupid id...

Page 212: ...ou want to remove an interface from the list or add an interface to the list you must retype the list with the interface and its priority removed or added The cluster units use the ethernet interfaces...

Page 213: ...le monitoring freeGuard 100 interfacesand setting monitor priorities You can enter one or more interface names followed by a space and a monitor priority Use a space to separate each interface name an...

Page 214: ...3600 seconds The time to live controls how long routes remain active in a cluster unit routing table after the cluster unit becomes a primary unit To maintain communication sessions after a cluster un...

Page 215: ...stributed to cluster units based on the Source IP and Destination IP of the packet leastconnection least connection load balancing If the cluster units are connected using switches use leastconnection...

Page 216: ...ht assigned to the clustet units according to their priority in the cluster Increase the weight to increase the number of connections processed by the cluster unit with that priority 1 for all 32 unit...

Page 217: ...y Weight 0 1 1 3 2 3 config system ha set schedule weight round robin set weight 0 1 set weight 1 3 set weight 2 3 end These commands have the following results The first connection is processed by th...

Page 218: ...cept that you can only configure VLAN subinterfaces with static IP addresses Use the edit command to add a VLAN subinterface Command syntax pattern Entering a name string for the edit keyword that is...

Page 219: ...dress you can arrange with a DDNS service provider to use a domain name to provideredirection of traffic to your network whenever the IP address changes disable ddns domain domain name_str Enter the d...

Page 220: ...t both In a DHCP relay configuration the freeGuard 100 forwards DHCP requests from DHCP clients through the freeGuard 100 to a DHCP server The FreeGuard 100 also returns responses from the DHCP server...

Page 221: ...ter advertisements sent from the interface The valid range is 0 to 9000 1800 ip6 hop limit hops_integer Enter the number to be added to the Cur HopLimit field in the router advertisements sent out thi...

Page 222: ...ission unit MTU size in bytes Ideally mtu should be the same as the smallest MTU of all the networks between this freeGuard 100 and the destination of the packets For static mode the mtu_integer range...

Page 223: ...stinationaddres s_hex Substitute the destination MAC address in a packet No default Username Enter the user name to connect to the PPPoE server No default vdom name_str Enter the name of the virtual d...

Page 224: ...ariable end config ip6 prefix list delete address_ipv6mask end get system interface name_str show system interface name_str ip6 prefix list command keywords and variables Keywords Variables Descriptio...

Page 225: ...ondary IP address A ping server is usually the next hop router on the network connected to the interface If gwdetect is enabled the freeGuard 100 confirms connectivity with the server at this IP addre...

Page 226: ...This example shows how to display the configuration for the system interface command show system interface This example shows how to display the settings for the internal interface get system interfac...

Page 227: ...0 interface name_str The interface used to send and receive traffic for this tunnel No default ip6 address_ipv6mask The network prefix IPv6 address and netmask assigned to the interface to enable IPv6...

Page 228: ...example shows how to display the configuration for the ipv6_tunnel named test_tunnel show system ipv6_tunnel test_tunnel Command History Related Commands interface 10 21 mac address table Use this co...

Page 229: ...splay the configuration for the mac address table command show system mac address table This example shows how to display the settings for the MAC address 11 22 33 00 ff aa get system mac address tabl...

Page 230: ...55 0 end This example shows how to display the settings for the manageip command get system manageip This example shows how to display the configuration for the manageip command show system manageip C...

Page 231: ...tching from the modem interface to the primary interface after the primary interface has been restored 60 idle_timer minutes_integer Set the number of minutes the modem connection can be idle before i...

Page 232: ...e ISP to restore an active connection on the modem interface Select none to allow the modem to redial without a limit No default status disable enable Enable or disable modem support disable username1...

Page 233: ...the email and replaced with a replacement message The same applies to pages blocked by web filtering and emails blocked by spam filtering Command syntax pattern config system replacemsg alertmail cat...

Page 234: ...s a web page text none Messages added to FTP sessions when the antivirus engine blocks a file either because of a matching file pattern or because a virus is detected ftp_dl_infected Antivirus system...

Page 235: ...etes a file from an email messages that contains a virus text 8bit email_filesize The antivirus system blocks an email message that is too large to be virus scanned text 8bit partial The freeGuard 100...

Page 236: ...is blocked by web filter content or URL blocking URL can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that isblocked...

Page 237: ...se this command to configure a new session helper or to edit an existing one 1 pptp port 1723 protocol 6 2 h323 port 1720 protocol 6 3 ras port 1719 protocol 17 4 tns port 1521 protocol 6 5 ident port...

Page 238: ...t_integer A port number to use for this session helper No default protocol protocol_integer The protocol number for this session helper No default Example Use the following commands to change the ftp...

Page 239: ...to increase the default session timeout config system session_ttl set default 62000 end This example shows how to display the settings for the session_ttl command get system session_ttl This example s...

Page 240: ...set 3600 end end 10 27 snmp community Use this command to configure SNMP communities Add SNMP communities so that SNMP managers can connect to the freeGuard 100 to view system information and receive...

Page 241: ...aced with a new HA unit intf_ip The IP address of a freeGuard 100 interface changes log_full On a freeGuard 100 with a hard drive hard drive usage exceeds 90 mem_low Memory usage exceeds 90 nids_ports...

Page 242: ...dded to this SNMP community 162 trap_v2c_status disable enable Enable or disable SNMP v2c traps for this SNMP community enable Example This example shows how to add a new SNMP community named SNMP_Com...

Page 243: ...s command to add SNMP manager IP addresses to an SNMP community and to specify the freeGuard 100 interface that each SNMP manager connects to Command syntax pattern config hosts edit id_integer set ke...

Page 244: ...the freeGuard 100 so that when your SNMP manager receives configuration information or traps from the freeGuard 100 you can identify the freeGuard 100 that sent the information Command syntax pattern...

Page 245: ...o command get system snmp sysinfo This example shows how to display the configuration for the system snmp sysinfo command show system snmp sysinfo Command History Related Commands snmp community 10 29...

Page 246: ...ou cannot delete the default root virtual domain and you cannot delete a virtual domain that is used for system management Note A virtual domain cannot have the same name as a VLAN Command syntax patt...

Page 247: ...s zone You cannot add an interface if it belongs to another zone or if firewall policies are defined for it No default intrazone allow deny Allow or deny traffic routing between different interfaces i...

Page 248: ...e 1 configurations Only users in the selected user group can be authenticated using XAuth The freeGuard 100 PPTP configuration Only users in the selected user group can use PPTP The freeGuard 100 L2TP...

Page 249: ...ons required No default profile profilename_str Enter the name of the firewall protection profile to associate with this user group No default Example This example shows how to add a group named User_...

Page 250: ...henticate the user the connection is refused by the FreeGuard 100 The freeGuard 100 supports LDAP protocol functionality defined in RFC2251 for looking up and validating user names and passwords freeG...

Page 251: ...the Common Name Identifier The FreeGuard 100 passes this distinguished name unchanged to the server No default port port_integer Enter the port number for communication with the LDAP server 389 server...

Page 252: ...ple shows how to display the configuration for the LDAP server LDAP1 show user ldap LDAP1 Command History Related Commands config user group config user local config user peer config user peergrp conf...

Page 253: ...server with which the user must authenticate You can only select a RADIUS server that has been added to the list of RADIUS servers See radius No default status disable enable Enter enable to allow the...

Page 254: ...n7 Command History Related Commands config user group config user ldap config user peer config user peergrp config user radius 11 4 peer Use this command to add or edit peer digital certificate holder...

Page 255: ...n certificate ca list No default cn Enter the peer certificate common name No default cn type FDQN email ipv4 string Enter the peer certificate common name type string subject Optionally enter any of...

Page 256: ...ed Commands config user peergrp config vpn ipsec phase1 execute vpn certificate ca execute vpn certificate key execute vpn certificate local 11 5 peergrp Use this command to add or edit a peer group P...

Page 257: ...w to add peers to the peergrp EU_branches config user peergrp edit EU_branches set member Sophia_branch Valencia_branch Cardiff_branch end This example shows how to display the list of configured peer...

Page 258: ...et keyword end config user radius delete name_str end get user radius name_str show user radius name_str radius command keywords and variables Keywords Variables Description Default secret password_st...

Page 259: ...is example shows how to display the configuration for all the RADIUS servers show user radius This example shows how to display the configuration for the RADIUS server RAD1 show user radius RAD1 Comma...

Page 260: ...VPN traffic to pass from one tunnel to the other through the freeGuard 100 The freeGuard 100 functions as a concentrator or hub in a hub and spoke network Note VPN concentrators are not available in T...

Page 261: ...VPN concentrator named Concen_1 config vpn ipsec concentrator unset member end This example shows how to display the settings for the Concen_1 concentrator get vpn ipsec concentrator Concen_1 This ex...

Page 262: ...r ipsec manualkey command keywords and variables Keywords Variables Description Default authentication md5 null sha1 Select an authentication algorithm from the list Make sure you use the same algorit...

Page 263: ...IP address of the remote gateway external interface 0 0 0 0 localspi spi_hex Local Security Parameter Index Enter a hexadecimal number of up to eight digits digits can be 0 to 9 a to f in the rangebb8...

Page 264: ...ations When you add a phase 1 configuration you define how the freeGuard 100 and a remote VPN peer gateway or client authenticate themselves to each other as part of establishing an IPSec VPN tunnel T...

Page 265: ...Enter the XAuth client password for the freeGuard 100 when xauthtype is set to client No default authusr name_str Enter the XAuth client user name for the freeGuard 100 when xauthtype is set to clien...

Page 266: ...worry setting 300 seconds dpd idleworry seconds_integer The DPD short idle setting when dpd is set to enable Set the time in seconds that a link must remain unused before the local VPN peer considers...

Page 267: ...e enable Enable NAT traversal if you expect the IPSec VPN traffic to go through a gateway that performs NAT If no NAT device is detected enabling NAT traversal has no effect Both ends of the VPN must...

Page 268: ...mmetric key encryption algorithms null Do not use an encryption algorithm des Digital Encryption Standard a 64 bit block algorithm that uses a 56 bit key 3des Triple DES in which plain text is encrypt...

Page 269: ...the domain name of the remote VPN peer Static usrgrp name_str Enter the name of the group of dialup VPN clients to authenticate when peer type is set to dialup The user group must be added to the free...

Page 270: ...ommands config vpn ipsec phase2 config user group config user local config user peer config user peergrp config user radius vpn certificate local vpn certificate ca 12 4 ipsec phase2 Use this command...

Page 271: ...a hub and spoke VPN configuration that has already been added to the freeGuard 100 No default dhcp ipsec disable enable If the tunnel will service remote dialup clients that broadcast a DHCP request...

Page 272: ...fekbs kb_integer Set the number of KBytes of data to transmit before the phase 2 key expires kbyte_integer can be 5120 to 99999 KBytes 5120 keylifeseconds seconds_integer Set the number of seconds to...

Page 273: ...received before If packets arrive out of sequence the freeGuard 100s discards them You can configure the freeGuard 100 to send an alert email when it detects a replay packet See config alert email Di...

Page 274: ...to add a phase 2 configuration with the following characteristics Name New_Tunnel Phase 1 name Simple_GW Encryption and authentication proposal 3des sha1 aes256 sha1 des md5 Keylife type seconds Keyl...

Page 275: ...ual IP VIP addresses at both ends of the IPSec VPN tunnel Adding an IPSec VIP entry to the VIP table enables a freeGuard 100 to respond to ARP requests destined for remote servers and route traffic to...

Page 276: ...ce to the destination network null Example The following commands add IPSec VIP entries for two remote hosts that can be accessed by a freeGuard 100 through an IPSec VPN tunnel on the external interfa...

Page 277: ...em to a user group For more information see config user group config user ldap config user local and config user radius You need to define a firewall policy to control services inside the L2TP tunnel...

Page 278: ...eGuard 100configuration before it can be specified here For more information see configuser group config user ldap config user local and config user radius null Example This example shows how to enabl...

Page 279: ...ource and destination addresses of IP packets that are to be transported through the VPN When source and destination addresses of 0 0 0 0 are specified no ping traffic is generated between the source...

Page 280: ...Related Commands config vpn ipsec phase2 12 8 pptp Use this command to enable PPTP and specify a local address range to reserve for remote PPTP clients When a remote PPTP client connects to the intern...

Page 281: ...ow vpn pptp pptp command keywords and variables Keywords Variables Description Default eip address_ipv4 The ending address of the PPTP address range 0 0 0 0 sip address_ipv4 The starting address of th...

Page 282: ...t eip 192 168 1 130 set status enable set usrgrp PPTP_users end This example shows how to display the settings for the vpn pptp command get vpn pptp This example shows how to display the configuration...

Page 283: ...ter a phrase the freeGuard 100 blocks all Web pages containing any word in the phrase You can add exact phrases by enclosing the phrases in quotation marks If you enclose the phrase in quotation marks...

Page 284: ...ing Perl regular expressions or wildcards wildcard status disable enable Enable or disable the banned word No default Example This example shows how to add the exact phrase free credit report to the W...

Page 285: ...e freeGuard 100 accesses the nearest freeGuard server to determine the category of a requested web page and then follows the firewall policy configured for that user or interface freeGuard servers are...

Page 286: ...he host name of the FreeGuard servers The FreeGuard 100 comes preconfigured with the host name Use this command only if you need to change the host name guard freedom9 com img_sink_ip image_ipv4 The I...

Page 287: ...ilter urlexm config webfilter urlpat 13 3 script Use this command to configure the freeGuard 100 to block Java applets cookies ActiveX controls or scripts from Web pages Note Blocking any of these ite...

Page 288: ...ss to specific URLs by adding them to the URL block list The freeGuard 100 blocks Web pages matching any specified URLs and displays a replacement message instead You can configure the freeGuard 100 t...

Page 289: ...webfilter urlblock url_str urlblock command keywords and variables Keywords Variables Description Default status disable enable Enable or disable URL blocking for each URL disable Example This exampl...

Page 290: ...m show webfilter urlblock www badsite com Related Commands webfilter bword webfilter catblock webfilter script webfilter urlexm webfilter urlpat 13 5 urlexm Use this command to configure specific URLs...

Page 291: ...ple shows how to display the webfilter URL exempt list get webfilter urlexm This example shows how to display the settings for the URL www freedom9 com get webfilter urlexm www freedom9 com This examp...

Page 292: ...100 web pattern blocking supports standard regular expressions You can add up to 20 patterns to the web pattern block list Command syntax pattern config webfilter urlpat edit url pattern_str set keyw...

Page 293: ...for the URL pattern www badsite get webfilter urlpat www badsite This example shows how to display the configuration for the entire URL pattern block list show webfilter urlpat If the show command re...

Page 294: ...aceful shutdown time traceroute update_now vpn certificate ca vpn certificate key vpn certificate local 14 1 backup Backup the freeGuard 100 configuration file or IPS user defined signatures file to a...

Page 295: ...tion file from the freeGuard 100 to a TFTP server The name to give the configuration file on the TFTP sever is fgt cfg The IP address of the TFTP server is 192 168 1 23 execute backup config fgt cfg 1...

Page 296: ...main called Client2 execute enter Client2 Related Commands config system vdom 14 5 factoryreset Reset the freeGuard 100 configuration to factory default settings Command syntax execute factoryreset Ca...

Page 297: ...mary unit Using this command you can synchronize the following Configuration changes made to the primary unit normal system configuration firewall configuration VPN configuration and so on stored in t...

Page 298: ...above start Start synchronizing the cluster configuration stop Stop the cluster from completing synchronizing its configuration Example From the CLI on a subordinate unit use the following commands t...

Page 299: ...10 ping Send an ICMP echo request ping to test the network connection between the freeGuard 100 and another network device Command syntax execute ping address_ipv4 host name_str Example This example s...

Page 300: ...e host name_str or host_ip Specifying the IP address of a freeGuard 100 interface tests connections to different network segments from the specified interface auto timeout seconds_integer Specify in s...

Page 301: ...an IPv6 capable network device Command syntax execute ping6 address_ipv6 host name_str Example This example shows how to ping a host with the IPv6 address 12AB 0 0 CD30 123 4567 89AB CDEF execute pin...

Page 302: ...Image Upload a firmware image from a TFTP server to the freeGuard 100 The freeGuard 100 reboots loading the new firmware Ipsuserdefsig Restore an IPS custom signature file The file will overwrite the...

Page 303: ...ghbors that it is restarting and requests a grace period RIP can still forward traffic during the restart period This reduces disruption of the network during the restart period The duration of the gr...

Page 304: ...example sets the system time to 15 31 03 execute time 15 31 03 14 19 traceroute Test the connection between the freeGuard 100 and another network device and display information about the network hops...

Page 305: ...o the X 509 standard Note Digital certificates are not required for configuring the freeGuard 100 VPNs Digital certificates are an advanced feature provided for the convenience of system administrator...

Page 306: ...Keyword Description delete certificate name_str Enter the name of the local certificate to delete Type for a list of certificates export name_str filename_str tftp_ip password_str Enter the name of t...

Page 307: ...ate to delete Type for a list of certificates export certificate name_str file name_str tftp_ip Export or save the local certificate from the freeGuard 100 to a file on the TFTP server Type for a list...

Page 308: ...re the freeGuard 100 is located city_name_str Enter the name of the city or town where the person or organization certifying the freeGuard 100 resides organization name_str Enter the name of the organ...

Page 309: ...302 100 from a TFTP server with the address 192 168 21 54 set vpn certificates local import branch_cert 192 168 21 54...

Page 310: ...ules Operation is subject to the following two conditions 1 This device may not cause harmful interference 2 This device must accept any interference received Including interference that may cause und...

Reviews:

No comments

Related manuals for freeGuard 100

2504W - FICHE TECHNIQUE

Brand: SMC Networks Pages: 2

Brand: Lanner Pages: 84

Brand: Arxceo Pages: 34

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands