D-Link NetDefend DFL-260E, Reference Manual

Page 1: ...Network Security Solution http www dlink com NetDefendOS Ver 11 04 01 Network Security Firewall CLI Reference Guide Security Security...

Page 2: ...nce Guide DFL 260E 860E 870 1660 2560 2560G NetDefendOS version 11 04 01 D Link Corporation No 289 Sinhu 3rd Rd Neihu District Taipei City 114 Taiwan R O C http www DLink com Published 2016 10 03 Copy...

Page 3: ...a particular purpose D Link reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such rev...

Page 4: ...24 2 1 5 commit 25 2 1 6 delete 25 2 1 7 pskgen 26 2 1 8 reject 27 2 1 9 reset 28 2 1 10 set 29 2 1 11 show 30 2 1 12 undelete 31 2 2 Runtime 33 2 2 1 about 33 2 2 2 alarm 33 2 2 3 appcontrol 33 2 2...

Page 5: ...ut 65 2 2 55 lwhttp 66 2 2 56 macstorage 66 2 2 57 memory 66 2 2 58 natpool 67 2 2 59 nd 67 2 2 60 ndsnoop 68 2 2 61 netobjects 69 2 2 62 ospf 69 2 2 63 pcapdump 71 2 2 64 pipes 73 2 2 65 pptp 74 2 2...

Page 6: ...4 ALG 117 3 4 1 ALG_FTP 117 3 4 2 ALG_H323 118 3 4 3 ALG_HTTP 118 3 4 4 ALG_POP3 120 3 4 5 ALG_PPTP 121 3 4 6 ALG_SIP 121 3 4 7 ALG_SMTP 122 3 4 8 ALG_TFTP 124 3 4 9 ALG_TLS 125 3 5 AntiVirusPolicy 1...

Page 7: ...eControlPolicy 177 3 42 FragSettings 178 3 43 GeolocationFilter 180 3 44 GotoRule 181 3 45 GRETunnel 182 3 46 HighAvailability 183 3 47 HTTPALGBanners 184 3 48 HTTPAuthBanners 185 3 49 HTTPPoster 186...

Page 8: ...LoopbackInterface 249 3 86 MiscSettings 250 3 87 MulticastPolicy 251 3 88 MulticastSettings 252 3 89 NATPool 253 3 90 OSPFProcess 254 3 90 1 OSPFArea 255 3 91 Pipe 259 3 92 PipeRule 262 3 93 PPPoETun...

Page 9: ...StateSettings 304 3 124 TCPSettings 305 3 125 ThresholdRule 307 3 125 1 ThresholdAction 307 3 126 UpdateCenter 309 3 127 UserAuthRule 310 3 128 VLAN 313 3 129 VLANSettings 315 3 130 VoIPProfile 316 3...

Page 10: ...12 Show a range of rules 78 2 13 Interface ping test between all interfaces 79 2 14 Interface ping test between interfaces if1 and if2 80 2 15 Start 30 min burn in testing RAM storage media and crypt...

Page 11: ...s Used for specifying that more than one value can be specified for the option Example 1 Command option notation One of the usages for the help command looks like this help category COMMANDS TYPES Top...

Page 12: ...100 gw world routes flushl3cache Because the table name option is followed by ellipses it is possible to specify more than one routing table Since table name is optional as well the user can specify...

Page 13: ...nd line interface for NetDefendOS The CLI is case sensitive However the tab completion feature of the CLI does not require the correct case to perform completion and will alter the typed case if it is...

Page 14: ...vate gw world activate h Full help for activate gw world help activate Help for the arp command Arp is also the name of a configuration object type so it is necessary to specify that the help text for...

Page 15: ...one page of information is shown Ctrl D or Delete Delete the character to the right of the cursor Ctrl E or End Move the cursor to the end of the line Ctrl F or Right Arrow Move the cursor one charac...

Page 16: ...evious command lines up arrow for older command lines and down arrow to move back to a newer command line See also Section 2 4 3 history Example 1 3 Command line history Using the command line history...

Page 17: ...4a tab gw world add Address IP4Address Address was autocompleted gw world add Address IP4Address example_ip a tab gw world add Address IP4Address example_ip Address Address was autocompleted gw world...

Page 18: ...rs ip1 ip2 ip3 ip5 gw world set IP4Group examplegroup Members tab gw world set IP4Group examplegroup Members ip1 ip2 ip3 ip5 the value was inserted It is now possible to add or remove a member to the...

Page 19: ...Accessing an IP4Address object without the use of categories gw world show IP4Address example_ip Chapter 1 Introduction 19...

Page 20: ...commands and options cannot be used unless the logged in user has administrator privileges This is indicated in this guide by a note following the command or Admin only written next to an option Chapt...

Page 21: ...Chapter 1 Introduction 21...

Page 22: ...nges This will issue a reconfiguration using the new configuration If the reconfiguration is successful a commit command must be issued within the configured timeout interval in order to save the chan...

Page 23: ...new object Add objects with an identifier property not index gw world add Address IP4Address example_ip Address 1 2 3 4 Comments This is an example gw world add IP4Address example_ip2 Address 2 3 4 5...

Page 24: ...e g User objects lie in a sub context or child context of the root in this case in a LocalUserDatabase In order to add or modify users you have to be in the correct context e g a LocalUserDatabase ca...

Page 25: ...scription Save the new configuration to media This command can only be issued after a successful activate command Usage commit Note Requires Administrator privileges 2 1 6 delete Delete specified obje...

Page 26: ...cts or has children Category Category that groups object types Identifier The property that identifies the configuration object May not be applicable depending on the specified Type Type Type of confi...

Page 27: ...ndividual objects gw world set Address IP4Address example_ip Comments This comment will be rejected gw world reject Address IP4Address example_ip gw world add Address IP4Address example_ip2 Address 1...

Page 28: ...ration object May not be applicable depending on the specified Type Type Type of configuration object to perform operation on Note Requires Administrator privileges 2 1 9 reset Reset unit configuratio...

Page 29: ...2 5 Set property values Set properties for objects that have an identifier property gw world set Address IP4Address example_ip Address 1 2 3 4 Comments This is an example gw world set IP4Address examp...

Page 30: ...w what objects have been changed or have errors in the configuration When showing a table of all objects of a certain type the status of each object since the last time the configuration was committed...

Page 31: ...ed references Show an object or list a type or category show errors verbose Show all errors show changes Show all changes Options changes Show all changes in the current configuration disabled Show di...

Page 32: ...emove the error in examplerule gw world set IPRule examplerule SourceNetwork examplenet gw world delete Address IP4Address examplenet force gw world undelete Address IP4Address examplenet Usage undele...

Page 33: ...rrently active alarms Usage alarm history active Options active Show the currently active alarms history Show the 20 latest alarms 2 2 3 appcontrol Show application control status Description Browse t...

Page 34: ...g families tags risks and a matching expression for the applications names Options application String Exact application name delete_lists ALL Integer Free saved Strings family String Application famil...

Page 35: ...ion on hash table health hw pattern Show only hardware addresses matching pattern hwsender Ethernet Address Sender ethernet address ip pattern Show only IP addresses matching pattern notify ip Send gr...

Page 36: ...ame Note Requires Administrator privileges 2 2 6 ats Show active ARP Transaction States Description Show active ARP Transaction States Usage ats num n Options num n Limit list to n entries Default 20...

Page 37: ...ion with the Agent and attempst to reconnect Admin only version Show protocol version ALL AuthAgent Authentication Agent name 2 2 8 authagentsnoop Toggle snooping and displaying of Authentication Agen...

Page 38: ...s on the black and white list Note Static blacklist hosts cannot be unblocked If force is not specified only the exact host with the service protocol port and destiny specified is unblocked Example 2...

Page 39: ...r the host that matches to options info Show detailed information listtime Show time in list for dynamic hosts num ALL Integer Maximum number of entries to show default 20 port port number Number of t...

Page 40: ...w information about the CAM table s and their entries Usage cam num n Show CAM table information cam Interface num n Show interface specified CAM table information cam Interface flush Flush CAM table...

Page 41: ...ormation 2 2 14 cfglog Display configuration log Description Display the log of the last configuration read attempt Usage cfglog 2 2 15 connections List current state tracked connections Description L...

Page 42: ...erface Filter on destination interface destip ip address Filter on destination IP address destport port Filter on TCP UDP destination port ipver IPV6 IPV4 Filter on IP version num n Limit list to n co...

Page 43: ...nformation about crypto accelerators Description Show information about installed crypto accelerators Usage cryptostat hashinfo Options hashinfo Show information about the hardware fastpath hash 2 2 1...

Page 44: ...and forward flush Flush all diagnose entries to disk Admin only onlyhigh Only show entries with severity high Admin only 2 2 21 dhcp Display information about DHCP enabled interfaces or modify update...

Page 45: ...e currently relayed DHCP sessions dhcprelay show num ALL Integer rules routes display filter Show DHCP BOOTP relayer ruleset dhcprelay release ip address interface Interface Terminate relayed session...

Page 46: ...LACKLIST Release a specific types of IPs dhcpserver releaseip Interface IP address Release an active IP Options fromentry Integer Show entry list from offset n leases Show DHCP server leases mappings...

Page 47: ...face lease Options lease RENEW RELEASE Modify interface lease list List all DHCPv6 enabled interfaces show Show information about DHCPv6 enabled interface interface DHCPv6 Interface 2 2 25 dhcpv6serve...

Page 48: ...rver rules show Show ruleset display filter Display filters for leases based on interface mac ip eg if1 2001 DB8 interface Interface IPv6 address IPv6 address 2 2 26 dns DNS client and queries Descrip...

Page 49: ...2 2 27 dnsbl DNSBL Description Show status of DNSBL Usage dnsbl show SMTP ALG clean Options clean Clear DNSBL statistics for ALG show Show DNSBL statistics for ALG SMTP ALG Name of SMTP ALG 2 2 28 dy...

Page 50: ...e detailed information can optionally be obtained for specific reassemblies NEW Newest reassembly ALL All reassemblies 0 1023 Assembly N Example 2 9 frags frags NEW frags 254 Usage frags NEW ALL reass...

Page 51: ...ctive deactivate Go inactive 2 2 31 hostmon Show Host Monitor statistics Description Show active Host Monitor sessions Usage hostmon verbose num n Options num n Limit list to n entries Default 20 verb...

Page 52: ...20 override List hosts that have overridden the wcf filter server STATUS CONNECT DISCONNECT Web Content Filtering Server options Default status show Show Web Content Filtering cache data url String Li...

Page 53: ...mits 2 2 35 idppipes Show and remove hosts that are piped by IDP Description Show list of currently piped hosts Usage idppipes List all idppipes idppipes show host ip addr Lists hosts for which new co...

Page 54: ...erfaces maclist Show MAC addresses for all interfaces num n Limit list to n lines Default 20 pbr table name Only list members of given PBR table s restart Stop and restart the interface Admin only snm...

Page 55: ...sage Options join Simulate an incoming IGMP join message leave Simulate an incoming IGMP leave message query Simulate an incoming IGMP query message state Show the current IGMP state host address Host...

Page 56: ...that has been sent to the other cluster member when this node was active and receive statistics show how many packets failures it got as inactive ike Show current IKE SAs Options brief Show only heade...

Page 57: ...nooping Description Turn IKE on screen snooping on off Useful for troubleshooting IPsec connections Usage ikesnoop Show IKE snooping status ikesnoop on ip address verbose Enable IKE snooping ikesnoop...

Page 58: ...P pool information Options all Free or renew all IP addresses num n Limit list to n entries Default 100 release Forcibly free IP assigned to subsystem Admin only renew Try to renew IP leases through D...

Page 59: ...how SA information srcif Interface Interface used to reach the remote endpoint stat Show IPsec statistics usage Show detailed SA statistics information verbose Show verbose information IPsecTunnel IPs...

Page 60: ...eases 2 2 45 ipsechastat Show statistics about HA synchronization for IPsec Description Shows statistics about IKE IPsec SAs synchronized and how many that failed to import Sent statistics shows how m...

Page 61: ...to show default 40 8 usage Show detailed SA statistics information verbose Show verbose information tunnel Only show SAs matching pattern Deprecated 2014 05 27 Replaced by command ipsec show Deprecat...

Page 62: ...iption Kill all IPsec and IKE SAs associated with a given remote IKE peer IP or optional all SA s in the system IKE delete messages are sent Usage killsa ip address iface interface Delete SAs belongin...

Page 63: ...tate ALL ACTIVE LISTENING child num Integer List L2TP sessions l2tp l2tpv3client L2TPv3 Client l2tpclient PPTP L2TP Client state ALL ACTIVE LISTENING child num Integer List L2TP sessions Options child...

Page 64: ...2 2 51 ldap LDAP information Description Status and statistics for the configured LDAP databases Usage ldap List all LDAP databases ldap list List all LDAP databases ldap show LDAP Server Show LDAP da...

Page 65: ...w Show the contents of the current license Options show Show current status and credentials 2 2 53 linkmon Display link montitoring statistics Description If link monitor hosts have been configured li...

Page 66: ...management state e g full TCP stack interception Compared to the ordinary HTTP ALG the LW HTTP inspector provides better throughput performance without affecting network security Usage lwhttp 2 2 56 m...

Page 67: ...IP4 Address Translated IP pool name NAT Pool name 2 2 59 nd Show Neighbor Discovery entries for given interface Description List the Neighbor Discovery cache entries of specified interfaces If no int...

Page 68: ...on hash table health hw pattern Show only hardware addresses matching pattern ip pattern Show only IP addresses matching pattern num n Show only the first n entries per interface Default 20 query ip...

Page 69: ...ministrator privileges 2 2 61 netobjects Show runtime values of network objects Description Displays named network objects and their contents Example 2 10 List network objects which have names contain...

Page 70: ...A ALT process OSPF Router Process Show the internal OSPF process routingtable ospf database verbose process OSPF Router Process Show the LSA database ospf lsa lsaID process OSPF Router Process Show de...

Page 71: ...ooting messages on the console Admin only verbose Increase amount of information to display interface OSPF enabled interface interface OSPF enabled interface lsaID LSA ID OSPF Area OSPF Area OSPF Neig...

Page 72: ...of packets to capture destport 0 65535 Destination TCP UDP port filter eth Ethernet Address Ethernet address filter ethdest Ethernet Address Ethernet destination address filter ethsrc Ethernet Address...

Page 73: ...ipe Remove all captured packets from memory write Write the captured packets to disk interface s Name of interface s Note Requires Administrator privileges 2 2 64 pipes Show pipes information Descript...

Page 74: ...List PPTP sessions pptp pptpclient PPTP L2TP Client state ALL ACTIVE LISTENING CHILDONLY child num Integer List PPTP sessions Options child Include child sessions num Integer Number of entries to list...

Page 75: ...num Integer Number of entries to list services List all services attached to PPTP ALG sessions List all session using a PPTP tunnel verbose Verbose output PPTP ALG PPTP ALG 2 2 67 reconfigure Initiate...

Page 76: ...s Rekey IPsec SAs rekeysa ip address Rekey IPsec SAs Options ike Rekey IKE SAs ipsec Rekey IPsec SAs ip address IP address of remote peer Note Requires Administrator privileges 2 2 69 route Alias for...

Page 77: ...f the routing tables O Learned via OSPF X Route is Disabled M Route is Monitored A Published via Proxy ARP D Dynamic from e g DHCP relay IPsec L2TP PPP servers etc H HA synced from cluster peer Usage...

Page 78: ...objects that have an associated real time monitor alert are displayed Example 2 11 Show all monitored objects in the alg http category gw world rtmonitor alg http m Usage rtmonitor filter terse monito...

Page 79: ...disrupted during the test s The outcome of the throughput crypto accelerator tests are dependent on configuration values If the number of large buffers LocalReassSettings LocalReass_NumLarge too low i...

Page 80: ...e interfaces selftest ping interfaces Interface Run a ping test over the interfaces selftest throughput interfaces Interface Run a throughput test over the interfaces selftest traffic interfaces Inter...

Page 81: ...tes Default 0 num Integer Number of times to execute the test Default 1 ping Run a ping test over the interfaces size Integer Size of media space to utilize in the test Set in MB Default 1 throughput...

Page 82: ...ts subsystem Session does not use timeout Usage sessionmanager Show Session Manager status sessionmanager status Show Session Manager status sessionmanager list num n List active sessions sessionmanag...

Page 83: ...abase Name of user database IP Address IP address message text Message to send session name Name of session LOCAL SSH NETCON HTTP HTTPS Session type 2 2 77 settings Show settings Description Show the...

Page 84: ...SIP ALG Description List running SIP ALG configurations SIP registration and call information The flags option with snoop allows any combination of the following values 0x00000001 GENERAL 0x00000002 E...

Page 85: ...Show running ALG configuration parameters sipalg registration SHOW FLUSH alg Show or flush current registration table sipalg calls alg Show active calls table sipalg session alg Show active SIP sessi...

Page 86: ...Show or flush SIP counters Default show alg SIP ALG name alg SIP ALG name ipaddr IP Address to snoop 2 2 80 smtp List SMTP LogReceiver sessions and send test mail Description List SMTP sessions for c...

Page 87: ...s sshserver status verbose Show server status and list all connected clients sshserver keygen b bits t RSA DSA Generate SSH Server private keys sshserver restart ssh server Restart SSH Server Options...

Page 88: ...Options num n Limit display to n entries Default 20 2 2 83 stats Display various general firewall statistics Description Display general information about the firewall such as uptime CPU load resourc...

Page 89: ...ort 2 2 86 time Display current system time Description Display set the system date and time Usage time Display current system time time verbose Display current system time time set date time Set syst...

Page 90: ...Description Displays the contents of the user authentication ruleset Example 2 17 Show a range of rules uarules v 1 2 4 5 Usage uarules verbose Integer Range Options verbose Verbose output Integer Ra...

Page 91: ...VIRUS IDP ALL Show update status and database information Admin only Default all update ANTIVIRUS IDP ALL Force an update now for the specified service Admin only Default all verbose Show verbose stat...

Page 92: ...dmin only user Show all information for user s with this IP address verbose List all blocked users history Interface Interface user ip IP address for user s 2 2 90 vlan Show information about VLAN Des...

Page 93: ...p address blockenet ethernet address eraseip ip address eraseenet ethernet address status show Options blockenet ethernet address Block the specified ethernet address blockip ip address Block the spec...

Page 94: ...lay current active Geolocation Filters num n List n entries Default 20 query Resolve domain name status Display status for GeoIP database IPAddress IP address to resolve 2 3 2 ping Ping host Descripti...

Page 95: ...et through the rule set simulating that the packet was received by srcif srcip ip address Use this source IP tcp Send TCP ping tos 0 255 Type of service udp Send UDP ping verbose Verbose more informat...

Page 96: ...s fast as possible may look like Denial of Service attack noresolve Disable reverse DNS lookup of hosts pbr table Route using PBR Table size Integer Packet data size Default 32 srcip ip address Use th...

Page 97: ...ject types The fastest way to get help is to simply type help followed by the topic that you want help with A topic can be for example a command name e g set or the name of a configuration object type...

Page 98: ...me logs MemLog searching will only be functioning if a LogReceiverMemory object has been configured Since the system log rate may be high displaying real time logs must be done with some caution For t...

Page 99: ...tring logid Integer event String action NONE DROP ALLOW BLOCK REJECT String severity EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFO DEBUG starttime DateTime endtime DateTime pattern String srcip I...

Page 100: ...gs sec Only applicable for real time logs severity EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFO DEBUG Log severity to filter on Equal or higher severity matches source MEMLOG REALTIME BOTH Log s...

Page 101: ...icate cer user sgw ip certificate certificate_name scp certificate key user sgw ip certificate certificate_name Example 2 27 Upload ssh public key data scp sshkey pub user sgw ip sshclientkey sshclien...

Page 102: ...ipt show all name Name Show script in console window script store all name Name Store a script to persistent storage script remove all name Name Remove script script List script files Options all Appl...

Page 103: ...he configuration object May not be applicable depending on the specified Type Parameters List of input arguments Type Type of configuration object to perform operation on Note Requires Administrator p...

Page 104: ...Chapter 2 Command Reference 104...

Page 105: ...et page 128 ARPND page 130 ARPNDSettings page 131 AuthAgent page 134 AuthenticationSettings page 135 BlacklistWhiteHost page 136 Certificate page 137 COMPortDevice page 138 ConfigModePool page 139 Con...

Page 106: ...lientPeanutHull page 166 EmailControlProfile page 167 Ethernet page 171 EthernetDevice page 173 EthernetSettings page 174 EventReceiverSNMP2c page 176 FileControlPolicy page 177 FragSettings page 178...

Page 107: ...nt page 227 L2TPServer page 229 L2TPServerSettings page 231 L2TPv3Client page 232 L2TPv3Server page 234 LDAPDatabase page 235 LDAPServer page 236 LengthLimSettings page 237 LinkAggregation page 238 Li...

Page 108: ...page 273 RemoteMgmtSettings page 274 RemoteMgmtSNMP page 276 RemoteMgmtSSH page 277 RouteBalancingInstance page 279 RouteBalancingSpilloverSettings page 280 RouterAdvertisement page 281 RoutingRule pa...

Page 109: ...block specific source IP addresses on a specific interface Properties Index The index of the object starting at 1 Identifier Name Specifies a symbolic name for the object Action Accept Expect or Drop...

Page 110: ...te If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list Chapter 3 Configuration Reference 11...

Page 111: ...fies a symbolic name for the network object Identifier Address FQDN e g www example com ActiveAddress The IP addresses resolved from the name server Optional Comments Text describing the current objec...

Page 112: ...d for combining several Ethernet Address objects for simplified management Properties Name Specifies a symbolic name for the network object Identifier Members Group members Comments Text describing th...

Page 113: ...dress The dynamically set address used by e g DHCP enabled Ethernet interfaces Optional UserAuthGroups Groups and user names that belong to this object Objects that filter on credentials can only be u...

Page 114: ...object Identifier Address An IP address with one instance for each node in the high availability cluster UserAuthGroups Groups and user names that belong to this object Objects that filter on credent...

Page 115: ...ame as in Section 3 2 1 9 IP4HAAddress 3 2 7 IP6Address The definitions here are the same as in Section 3 2 1 6 IP6Address 3 2 8 IP6Group The definitions here are the same as in Section 3 2 1 5 IP6Gro...

Page 116: ...e format HH MM For example 13 30 EndTime End Time of occurence in the format HH MM For example 14 15 Occurrence Specify type of occurrence Default Weekly Weekly Specifies days in week the schedule occ...

Page 117: ...andRate Maximum number of commands per second Default 20 Allow8BitStrings Allow 8 bit strings in control channel Default Yes AllowResumeTransfer Allow RESUME even in case of content scanning Default N...

Page 118: ...multimedia traffic Properties Name Specifies a symbolic name for the ALG Identifier AllowTCPDataChannels Allow TCP data channels T 120 Default Yes MaxTCPDataChannels Maximum number of TCP data channe...

Page 119: ...s Disabled Audit or Protect Default Disabled ScanExclude List of files to exclude from antivirus scanning Optional CompressionRatio A compression ratio higher than this value will trigger the action i...

Page 120: ...Default Blacklist URL Specifies the URL to blacklist or whitelist Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the object...

Page 121: ...Default Drop AllowEncryptedZip Allow encrypted zip files even though the contents can not be scanned Default No MaxArchiveDepth The maximum number of archive layers that the antivirus engine will ext...

Page 122: ...um number of TCP data channels per call Default 5 Comments Text describing the current object Optional 3 4 7 ALG_SMTP Description Use an SMTP Application Layer Gateway to manage SMTP traffic through t...

Page 123: ...o MaxArchiveDepth The maximum number of archive layers that the antivirus engine will extract Default 5 ZDEnabled Enable ZoneDefense Block Default No ZDNetwork Hosts within this network will be blocke...

Page 124: ...en creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list 3 4 8 ALG_TFTP Description Use an TFTP Application Layer Gateway t...

Page 125: ...Description TLS Alg Properties Name Specifies a symbolic name for the ALG Identifier HostCert Specifies the host certificate RootCert Specifies the root certificates Optional Comments Text describing...

Page 126: ...gger the action in Compression Ratio Action a value of zero will disable all compression checks Default 20 CompressionRatioAction The action to take when high compression threshold is violated all act...

Page 127: ...classifiedBytes Maximum number of bytes transfered in one direction on a connection before the application will be forced to unknown Default 7500 RestartOnFatalFailure Restart the device automatically...

Page 128: ...axUnclassifiedBytes Maximum number of bytes transfered in one direction on a connection before the application will be forced to unknown Default 7500 StrictHTTP Handle plain http more strictly to avoi...

Page 129: ...he packets before sent into a pipe Default FromPipe FixedPrecedence Specifies the fixed precedence Comments Text describing the current object Optional Note If no Index is specified when creating an i...

Page 130: ...he interface the address shall be published on IP The IP address to be published or statically bound to a hardware address MACAddress The hardware address associated with the IP address Default 00 00...

Page 131: ...be changed Default DropLog ARPExpire Lifetime of an ARP entry in seconds Default 900 ARPExpireUnknown Lifetime of an unknown ARP entry in seconds Default 3 ARPMulticast ARP packets claiming to be mul...

Page 132: ...giving up address resolution Default 3 NDMaxUnicastSolicit Number of Neighbor Solicitations before giving up a zombie during dead peer detection Default 3 NDBaseReachableTime Multiple of randomized t...

Page 133: ...Default 64 RALinkMTU The value to be placed in MTU options sent A value of zero indicates that no MTU options are sent Default 0 Default 0 RAValidLifetime The value to be placed in the Valid Lifetime...

Page 134: ...ult auth_agent_psk LogEnabled Enable logging Default Yes LogSeverity Specifies with what severity log events will be sent to the specified log receivers Default Default RoutingTable Specifies the rout...

Page 135: ...Specific attribute to the RADIUS server at Accounting Request messages Default No VendorSpecificAttributeAuthentication Enable sending Vendor Specific attribute to the RADIUS server at Access Request...

Page 136: ...hitelisted Service Specifies the service that will be whitelisted Schedule The schedule when the whitelist should be active Optional Comments Text describing the current object Optional Note If no Ind...

Page 137: ...cifies whether to check CRLs Certificate Revocation Lists when validating certificates Default Enforced CRLDistPointList Specifies the CRL distribution points to use when validating the certificate it...

Page 138: ...LI Properties Port Port Identifier BitsPerSecond Bits per second Default 9600 DataBits Data bits Default 8 Parity Parity Default None StopBits Stop bits Default 1 FlowControl Flow control Default None...

Page 139: ...IPPoolNetmask Specifies the netmask to assign to VPN clients DNS Specifies the IP address of a DNS server that a VPN client should be able to connect to Optional NBNSIP Specifies the IP address of a N...

Page 140: ...fault 80 ConnLife_UDP Connection idle lifetime for UDP Default 130 AllowBothSidesToKeepConnAlive_UDP Allow both sides to keep a UDP connection alive Default No ConnLife_Ping Connection timeout for Pin...

Page 141: ...stribution point list Identifier Comments Text describing the current object Optional 3 17 1 CRLDistPoint Description A CRL distribution point CDP specifies a location from where a certificate revocat...

Page 142: ...f month daylight saving time ends Default 1 TimeSynchronization Enable time synchronization Default Disable TimeSyncServerType Type of server for time synchronization UDPTime or SNTP Simple Network Ti...

Page 143: ...Note This object type does not have an identifier and is identified by the name of the type only There can only be one instance of this type Chapter 3 Configuration Reference 143...

Page 144: ...as well as an abstract any interface Properties Name Specifies a symbolic name for the interface Identifier SNMPIndex Interface index assigned by the system when persistent interface indexes are enab...

Page 145: ...ConfigSession Session type used when the current configuration was committed Default BaseConfiguration ConfigIP IP address of the user who committed the current configuration Optional ConfigDate Date...

Page 146: ...e interfaces where a route is added Optional AddRouteGatewayIP The IP used as gateway to reach hosts on this route Optional RoutingTable Specifies the routing table the clients host route should be ad...

Page 147: ...ogSeverity Specifies with what severity log events will be sent to the specified log receivers Default Default Comments Text describing the current object Optional Chapter 3 Configuration Reference 14...

Page 148: ...elays will not be relayed Default 5 MaxLeaseTime Maximum lease time seconds allowed from the DHCP server too high times will be lowered silently Default 10000 MaxAutoRoutes Maximum number of DHCP clie...

Page 149: ...ault gateway If unspecified or if 0 0 0 0 is specified the IP given to the client will be sent as gateway Optional Domain Domain name used for DNS resolution Optional LeaseTime The time in seconds tha...

Page 150: ...tIdent The client identifier for the host Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the object will be placed last in th...

Page 151: ...te If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list Chapter 3 Configuration Reference 15...

Page 152: ...the lease database to disk Default ReconfShut AutoSaveLeaseInterval Seconds between auto saving the lease database to disk Default 86400 Note This object type does not have an identifier and is identi...

Page 153: ...more and should acquire a new one Default 86400 PreferredLeaseTime The length of time in seconds that an address should be preferred to be used in new communications When expired unless renewed the a...

Page 154: ...Server host entry Properties Host IPv6 Address of the host MACAddress The hardware address of the host Comments Text describing the current object Optional Note If no Index is specified when creating...

Page 155: ...g the lease database to disk Default ReconfShut AutoSaveLeaseInterval Seconds between auto saving the lease database to disk Default 86400 Note This object type does not have an identifier and is iden...

Page 156: ...sent to D Link Default Yes IncludeUsageStatistics Include usage statistics e g CPU load connection count and memory usage to manufacturer The information will improve the quality of future products a...

Page 157: ...secondary IPv6 DNS Server Optional IP6DNSServer3 IP of the tertiary IPv6 DNS Server Optional MinTTL Overrides lower TTLs received from the DNS server when used in DNS cache Default 1 MinCacheTime Det...

Page 158: ...atch Optional DestinationNetworkExactly Specifies if the route needs to match a specific network exactly Optional DestinationNetworkIn Specifies if the route just needs to be within a specific network...

Page 159: ...and maximum value if a route has a higher or lower value then specified it will be set to the specified value Optional SetForward IP to route over Optional Comments Text describing the current object...

Page 160: ...ied value Optional ProxyARPAllInterfaces Always select all interfaces including new ones for publishing routes via Proxy ARP Default No ProxyARPInterfaces Specifies the interfaces on which the firewal...

Page 161: ...ame Username Password The password for the specified username Optional Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the obj...

Page 162: ...linkddns com suffix Username Username Password The password for the specified username Optional Comments Text describing the current object Optional Note If no Index is specified when creating an inst...

Page 163: ...ng the dlinkddns com suffix Username Username Password The password for the specified username Optional Comments Text describing the current object Optional Note If no Index is specified when creating...

Page 164: ...the dyndns org suffix Username Username Password The password for the specified username Optional Comments Text describing the current object Optional Note If no Index is specified when creating an i...

Page 165: ...the dyns cx suffix Username Username Password The password for the specified username Optional Comments Text describing the current object Optional Note If no Index is specified when creating an inst...

Page 166: ...NS names separated by Username Username Password The password for the specified username Optional Comments Text describing the current object Optional Note If no Index is specified when creating an in...

Page 167: ...lds Default Yes DomainVerification Use DNS to verify reply to domains in emails If a domain appears to be forged the configured score value is added to the total score for that email Default Yes Domai...

Page 168: ...acklisting using an external database If the sender s IP address is blacklisted the configured score value is added to the total score for that email Default No DNSBL8 IP address blacklisting using an...

Page 169: ...BlacklistTag For IMAP and POP3 custom text string to tag subject of blacklisted emails For SMTP this has no effect blacklisted messages are rejected instead Default BLACK LISTED IMAP_HideUser Prevent...

Page 170: ...roperties Action A blacklisted message is treated as spam A whitelisted message will bypass all other anti spam mechanisms Default Blacklist SrcType Source can either be an IP address or an email addr...

Page 171: ...nnected network Optional EnableIPv6 Enable processing of IPv6 traffic on this interface Default No IPv6IP The IP address of the interface IPv6Network The network of the interface IPv6DefaultGateway Th...

Page 172: ...utomatically add a route for this interface using the given network Default Yes AutoDefaultGatewayRoute Automatically add a default route for this interface using the given default gateway Default Yes...

Page 173: ...the Ethernet adapter PCIPort Some Ethernet adapters have multiple ports that share the same bus and slot number This parameter specifies what port to be used Media Specifies if the link speed should...

Page 174: ...er interface Default 256 Ringsize_r8169_rx Size of r8169 receive ring per interface Default 256 Ringsize_r8169_tx Size of r8169 send ring per interface Default 256 IfaceMon_e1000 Enable interface moni...

Page 175: ...Note This object type does not have an identifier and is identified by the name of the type only There can only be one instance of this type Chapter 3 Configuration Reference 175...

Page 176: ...outing table the clients host route should be added to Default main Comments Text describing the current object Optional 3 40 1 LogReceiverMessageException Description A log message exception is used...

Page 177: ...s a symbolic name for the Profile Identifier FileListType Specifies if the file list contains files to allow or deny Default Block FailModeBehavior Standard behaviour on error Allow or Deny Default De...

Page 178: ...opLog MinimumFragLength Minimum allowed length of non last fragments Default 8 ReassTimeout Timeout of a reassembly since previous received fragment Default 65 ReassTimeLimit Maximum lifetime of a rea...

Page 179: ...fault 65 IP6ReassTimeLimit Maximum lifetime of a reassembly since first received fragment Default 90 IP6ReassDoneLinger How long to remember a completed reassembly watching for old dups Default 20 IP6...

Page 180: ...rule Identifier MatchPrivate Specify if filter should match private networks 10 0 0 0 8 172 16 0 0 12 192 168 0 0 16 fd00 8 Default No MatchUnknown Specify if filter should match unclassified networks...

Page 181: ...e compared to the received packet DestinationNetwork Specifies the span of IP addresses to be compared to the destination IP of the received packet Service Specifies a service that will be used as a f...

Page 182: ...iginator IP address to use as source IP in e g NAT Metric Specifies the metric for the auto created route Default 90 AutoInterfaceNetworkRoute Automatically add a route for this interface using the gi...

Page 183: ...e sync packets to send in a burst Default 20 HAInitialSilence The number of seconds to stay silent on startup or after reconfiguration Default 5 UseUniqueSharedMac Use a unique shared mac address for...

Page 184: ...pressionForbidden HTML for the CompressionForbidden html web page ContentForbidden HTML for the ContentForbidden html web page URLForbidden HTML for the URLForbidden html web page RestrictedSiteNotice...

Page 185: ...html web page LoginAlreadyDone HTML for the LoginAlreadyDone html web page LoginChallenge HTML for the LoginChallenge html web page LoginChallengeTimeout HTML for the LoginChallenge html Timeout web p...

Page 186: ...elay in seconds until the URL is refetched Default 1200 AlwaysRepost Repost on each reconfiguration Default No PostValues HTTP POST the values Default No Comments Text describing the current object Op...

Page 187: ...ndex MinLimit Lower limit Optional MaxLimit Upper limit Optional EnableMonitoring Enable disable monitoring Default No Comments Text describing the current object Optional Note If no Index is specifie...

Page 188: ...ch poll result that is in the Alert Critical or Warning level or should a log message only be sent when a new level is reached Default No MemoryAlertLevel Alert log message if free memory is below thi...

Page 189: ...arding statefully tracked open connections Default Yes ICMP6MaxOptND Total number of options allowed per ICMP6 ND header Default 32 ICMP6NDOnMaxOptND Validate the number of options per extension heade...

Page 190: ...ject Identifier Type IP DNS E Mail or Distinguished name IP IP address Hostname Host name CommonName Common name of the owner of the certificate Optional OrganizationName Organization name of the owne...

Page 191: ...ervice Specifies a service that will be used as a filter parameter when matching traffic with this rule Schedule By adding a schedule to a rule the firewall will only allow that rule to trigger at tho...

Page 192: ...xisting connection Default No PipeLimit Specifies the bandwidth limit in kbps for hosts triggered by this action PipeNetwork Traffic shaping will only apply to hosts that are within this network Defau...

Page 193: ...ceived packet MulticastSource Specifies the multicast source to be compared to the received packet RelayInterface Specifies the interface via which to relay IGMP messages TranslateMGroup Translate the...

Page 194: ...te If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list Chapter 3 Configuration Reference 19...

Page 195: ...25000 QueryResponseInterval The maximum time until a host client has to send an answer to a query Default 10000 LastMemberQueryInterval The maximum time until a host client has to send an answer to a...

Page 196: ...he Blowfish preferred key size in bits Default 128 BlowfishMaxKeySize Specifies the maximum Blowfish key size in bits Default 448 TwofishMinKeySize Specifies the minimum Twofish key size in bits Defau...

Page 197: ...XCBCEnabled Enable AES XCBC integrity algorithm Default No Comments Text describing the current object Optional Chapter 3 Configuration Reference 197...

Page 198: ...ifies if the interfaces should be considered security equivalent that means that if enabled the interface group can be used as a destination interface in rules where connections might need to be moved...

Page 199: ...ckets Metric Specifies the metric for the auto created route Default 90 AutoInterfaceNetworkRoute Automatically add a route for this interface using the given remote network Default Yes MTU Specify th...

Page 200: ...P Specifies base address for sender address SourceNATPool Specifies NAT Pool to fetch sender address to be used SourcePortAction Specify method to determine which port action to use Default None Sourc...

Page 201: ...network will be blocked at switches if a virus is found WebControl Web Control Default No Web_Policy Selects preconfigured Web Profile FileControl File Control Default No FC_Mode File Control mode De...

Page 202: ...Transfer Allow RESUME even in case of content scanning Default No TFTPControl Enables TFTP protocol specific settings Default No TFTPAllowedCommands Specifies allowed commands Default ReadWrite TFTPRe...

Page 203: ...country filter to be compared against the sender Geolocation of the received packet Optional DestinationGeoFilter Specifies the country filter to be compared against the destination Geolocation of the...

Page 204: ...n with the DHCP server Default main ReceiveInterface Which interface to use when communicating with the DHCP server Optional PrefetchLeases Specifies the number of leases an IP Pool will keep prefetch...

Page 205: ...when matching traffic with this rule Schedule By adding a schedule to a rule the firewall will only allow that rule to trigger at those designated times Optional NATAction Specify sender address or Us...

Page 206: ...efault No SLBTCPPorts Specifies the ports that will be monitored SLBTCPPollingInterval Delay in milliseconds between each TCP handshake Default 10000 SLBTCPSamples Specifies the number of attempts to...

Page 207: ...ent Specifies how the traffic should be forwarded and translated MultiplexAllToOne Rewrite all destination IPs to a single IP Default No AppControl Application Control Default No AC_Mode Application C...

Page 208: ...Description Server Load Balancing using Static Address Translation Allows distribution of client requests over a number of servers Properties Index The index of the object starting at 1 Identifier Nam...

Page 209: ...CPSamples Specifies the number of attempts to use for statistical calculations Default 10 SLBTCPMaxPollFails Specifies the maximum number of failed TCP attempts until host is considered to be unreacha...

Page 210: ...try filter to be compared against the destination Geolocation of the received packet Optional Service Specifies a service that will be used as a filter parameter when matching traffic with this rule S...

Page 211: ...all destination IPs to a single IP Default No SourceInterface Specifies the name of the receiving interface to be compared to the received packet DestinationInterface Specifies the destination interfa...

Page 212: ...lt Yes LogSeverity Specifies with what severity log events will be sent to the specified log receivers Default Default Comments Text describing the current object Optional Note If no Index is specifie...

Page 213: ...to the received packet DestinationInterface Specifies the destination interface to be compared to the received packet SourceNetwork Specifies the sender span of IP addresses to be compared to the rece...

Page 214: ...es the destination interface to be compared to the received packet SourceNetwork Specifies the sender span of IP addresses to be compared to the received packet DestinationNetwork Specifies the span o...

Page 215: ...3 63 7 IPRule The definitions here are the same as in Section 3 62 IPRule Chapter 3 Configuration Reference 215...

Page 216: ...3 63 2 SLBPolicy 3 64 3 MulticastPolicy The definitions here are the same as in Section 3 63 3 MulticastPolicy 3 64 4 StatelessPolicy The definitions here are the same as in Section 3 63 4 StatelessP...

Page 217: ...size in bits Default 128 BlowfishKeySize Specifies the Blowfish preferred key size in bits Default 128 BlowfishMaxKeySize Specifies the maximum Blowfish key size in bits Default 448 TwofishMinKeySize...

Page 218: ...12Enabled Enable SHA512 integrity algorithm Default No XCBCEnabled Enable AES XCBC integrity algorithm Default No Comments Text describing the current object Optional Chapter 3 Configuration Reference...

Page 219: ...to use for the tunnel Optional IKEAlgorithms Specifies the IKE Proposal list used with the tunnel Default High IPsecAlgorithms Specifies the IPsec Proposal list used with the tunnel Default High IKELi...

Page 220: ...s to use as source IP in e g NAT Default LocalInterface OriginatorIP Manually specified originator IP address to use as source IP in e g NAT OriginatorHAIP Manually specified private originator IP add...

Page 221: ...ets in tunnel mode If unspecified the value of the inner IP header will be used instead Optional LocalEndpoint Specifies on which local address this tunnel should accept incoming IKE IPsec traffic Opt...

Page 222: ...ll directly to the IPsec engine without consulting the ruleset Default Yes IPsecGWNameCacheTime Amount of time to keep an IPsec tunnel open when the remote DNS name fails to resolve Default 14400 DPDM...

Page 223: ...t 3 IKEDisableDPD Disable Dead Peer Detection in IKEv2 Default No IPsecForceRequireCookie Force requirement of cookies Used for test purposes only Default No IPsecDisableCallingStationID Disable calli...

Page 224: ...ault DropLog DefaultHopLimit The default IP Hop Limit of packets originated by the firewall 32 255 Default 255 IP6Fl Validate IPV6 Flow label header field Default Ignore IP6TC Validate IPV6 Traffic cl...

Page 225: ...Default Yes LogOnForwardTTL0 Log any attempts of forwarding IPv4 packets with TTL 0 destined for outside the firewall this should never happen Default DropLog Log0000Src Log invalid 0 0 0 0 source add...

Page 226: ...t specified above Default DropLog DirectedBroadcasts How to handle directed broadcasts being passed from one interface to another Default DropLog TransparentBroadcastNAT How to handle Broadcast packet...

Page 227: ...t IP address to use as source IP in e g NAT Default LocalInterface OriginatorIP Manually specified originator IP address to use as source IP in e g NAT DNS1 IP of the primary DNS server Optional DNS2...

Page 228: ...r the auto created route Default 90 MTU Specifies the size in bytes of the largest packet that can be passed onward Default 1456 AutoInterfaceNetworkRoute Automatically add a route for this interface...

Page 229: ...440 Use an RC4 40 bit MPPE session key with MS CHAP or MS CHAP v2 authentication protocol Default Yes MPPERC456 Use an RC4 56 bit MPPE session key with MS CHAP or MS CHAP v2 authentication protocol De...

Page 230: ...fRoutingTable All or Specific Default All RoutingTable Specifies the PBR table to insert the interface IP route into It also means that the specified routing table will be used for all routing lookups...

Page 231: ...ine without consulting the ruleset Default Yes PPTPBeforeRules Pass PPTP connections sent to the firewall directly to the PPTP engine without consulting the ruleset Default Yes Note This object type d...

Page 232: ...Use this IPsec interface to encypt the traffic to the L2TPv3 server L2TP IPsec Optional AutoRouteMetric Specifies the metric for the auto created route used by the L2TPv3 Client Default 100 HostName T...

Page 233: ...Proxy ARP Default No ProxyARPInterfaces Specifies the interfaces on which the firewall should publish routes via Proxy ARP Optional Comments Text describing the current object Optional Chapter 3 Confi...

Page 234: ...Server Used in the Host Name AVP Optional RouterID Router ID Used in the Router ID AVP Optional DHCPPassthrough Allow DHCP to pass through transparently Default No NonIPPassthrough Allow non IP proto...

Page 235: ...group membership attribute used in the LDAP database Default memberOf GetGroups Retrieve group membership for users Default Yes DomainName The domain name of the server Optional CombinedUsername Combi...

Page 236: ...rname to use when accessing the LDAP server Optional Password Specifies the password to use when accessing the LDAP server Optional Port Specifies the LDAP service port number Default 389 Comments Tex...

Page 237: ...axAHLen IPsec AH Authenticated communication Default 2000 MaxSKIPLen SKIP Simple Key management for IP VPN protocol Default 2000 MaxOSPFLen OSPF Open Shortest Path First routing protocol Default 1480...

Page 238: ...ong LACPSystemPriority System priority value to be sent in LACP messages Default 1 MACAddress The hardware address for the interface Optional IP The IP address of the interface Network The network of...

Page 239: ...t No NonIPPassthrough Allow non IP protocols to pass through transparently Default No BroadcastFwd By default this traffic is dropped Default No AutoInterfaceNetworkRoute Automatically add a route for...

Page 240: ...Comments Text describing the current object Optional Chapter 3 Configuration Reference 240...

Page 241: ...Milliseconds between each monitor attempt Default 250 InitGracePeriod Do not allow triggering of the link monitor for this number of seconds after the last reconfiguration Default 45 RoutingTable Rou...

Page 242: ...s Default 256 LocalReass_MaxSize Maximum size of a locally reassembled packet Default 10000 LocalReass_NumLarge Number of large 2K local reassembly buffers of the above size Default 32 Note This objec...

Page 243: ...hentication etc Properties Name Specifies the username to add into the user database Identifier Password The password for this user Groups Specifies the user groups that this user is a member of e g A...

Page 244: ...ifier LogSeverity Specifies with what severity log events will be sent to the specified log receivers Optional Default Emergency Alert Critical Error Warning Notice Info Comments Text describing the c...

Page 245: ...IP address of the sending interface is used Optional XMailer Specifies a custom X Mailer email header string The X Mailer header field is typically used to identify the name and version number of the...

Page 246: ...es with what severity log events will be sent to the specified log receivers Optional Default Emergency Alert Critical Error Warning Notice Info RoutingTable Specifies the routing table the clients ho...

Page 247: ...e If not configured the IP address of the sending interface will be sent as hostname Optional RFC5424 Send Syslog messages according to RFC5424 Default No LogSeverity Specifies with what severity log...

Page 248: ...PerSecLimit Limits how many log packets the firewall may send out per second Default 2000 Note This object type does not have an identifier and is identified by the name of the type only There can onl...

Page 249: ...Automatically add a route for this virtual LAN interface using the given network Default Yes EnableIPv6 Enable processing of IPv6 traffic on this interface Default No IPv6IP IPv6 Interface address IP...

Page 250: ...etcon etc Default DropLog WCFPerfLog Enables periodical logging of Web Contentent Filtering resolving performance Default Disabled AllowIPRules Allow using IPRules in addition to IPPolicies Default Ye...

Page 251: ...3 87 MulticastPolicy The definitions here are the same as in Section 3 63 3 MulticastPolicy Chapter 3 Configuration Reference 251...

Page 252: ...aximum time ms until a host client has to send an answer to a query Default 10000 IGMPStartupQueryInterval The general query interval ms to use during the startup phase default 1 4 of the IGMP Query I...

Page 253: ...get from the IP Pool IPRange Specifies the range of IP addresses used for NAT translation StateKeepAlive The number of seconds that stateful NAT state will be kept in absence of new connections Defaul...

Page 254: ...gy change and when it starts a SPF calculation Default 5 LSAGroupPacing This specifies the time in seconds at which interval the OSPF LSAs are collected into a group and refreshed Default 10 RoutesHol...

Page 255: ...r authentication Optional AuthMD5ID Specifies the MD5 key ID used for MD5 digest authentication AuthMD5Key A 128 bit key used to produce the MD5 digest Optional LogEnabled Enable logging Default Yes L...

Page 256: ...OSPF interface Optional MetricType Metric value or Bandwidth Default MetricValue Metric Specifies the routing metric for this OSPF interface Default 10 BandwidthValue Specifies the bandwidth for this...

Page 257: ...gher than the hello interval Default 40 Passive Enable to make it possible to include networks into the OSPF routing process without running OSPF on the interface connected to that network Default No...

Page 258: ...t connection to the backbone must have at least one area border router with a virtual link to a backbone router or to another router with a link to the backbone Properties Name Specifies a symbolic na...

Page 259: ...imit for precedence 1 Optional LimitKbps2 Specifies the bandwidth limit in kbps for precedence 2 Optional LimitPPS2 Specifies the packet per second limit for precedence 2 Optional LimitKbps3 Specifies...

Page 260: ...onal UserLimitKbps3 Specifies the bandwidth limit per group in kbps for precedence 3 Optional UserLimitPPS3 Specifies the throughput limit per group in PPS for precedence 3 Optional UserLimitKbps4 Spe...

Page 261: ...this value Default 0 PrecedenceDefault Specifies the default precedence for the pipe If a packet enters this pipe without a set precedence it gets assigned this value Should be higher than or equal t...

Page 262: ...to the destination IP of the received packet Service Specifies a service that will be used as a filter parameter when matching traffic with this rule Schedule By adding a schedule to a rule the firew...

Page 263: ...erver service name used to distinguish between two or more PPPoE servers attached to the same network Optional PPPAuthNoAuth Allow no authentication for this tunnel Default No PPPAuthPAP Use PAP authe...

Page 264: ...ify IP Address object Default No MTU Specifies the size in bytes of the largest packet that can be passed onward Default 1492 SNMPIndex Interface index assigned by the system when persistent interface...

Page 265: ...al time in milliseconds to wait before sending a new configuration request if no server response is received Default 200 Note This object type does not have an identifier and is identified by the name...

Page 266: ...ties involved Properties Name Specifies a symbolic name for the pre shared key Identifier Type Specifies the type of the shared key PSKAscii Specifies the PSK as a passphrase PSKHex Specifies the PSK...

Page 267: ...ing server If no response has been given after for example 2 seconds the firewall will try again by sending a new AccountingRequest packet Default 2 SharedSecret The shared secret phrase for the Authe...

Page 268: ...P address from which the system sends requests to the remote Remote RADIUS server This parameter is optional and will use IP of routed destination interface if not set Optional IdleTimeout A successfu...

Page 269: ...t severity log events will be sent to the specified log receivers Default Default RoutingTable Specifies the routing table the clients host route should be added to Default main Comments Text describi...

Page 270: ...S server If no response has been given after for example 2 seconds the firewall will try again by sending a new Access Request packet Default 2 SharedSecret The shared secret phrase for the Authentica...

Page 271: ...hreshold Log if statistical value goes above this threshold Optional BackoffInterval The minimum number of seconds between consecutive log messages Default 60 Continuous If set generate event if the v...

Page 272: ...ast LocalUserDatabase Specifies the local user database to use for login AccessLevel Optionally restrict the access level of users authenticated by the local database Default Admin RadiusServers Speci...

Page 273: ...ent via HTTP Default No HTTPS Enable remote management via HTTPS Default No AccessLevel Restrict access level to the REST API Default ReadWrite BasicAUTH Require authentication using Basic AUTH Defaul...

Page 274: ...affic Only RSA certificates are supported Optional HTTPSRootCertificates Specifies eventual root certificates to use for HTTPS traffic Optional SNMPBeforeRules Enable SNMP traffic to the firewall rega...

Page 275: ...g will trigger a re numbering of all interfaces in the system Default No Note This object type does not have an identifier and is identified by the name of the type only There can only be one instance...

Page 276: ...version Default SNMPv1_SNMPv2c Snmp3SecurityLevel Enabled SNMPv3 security level Default noAuthNoPriv SNMPGetCommunity Specifies the name of the community to be granted rights to remotely monitor the...

Page 277: ...algorithm Default Yes AllowAES128 Allow AES 128 encryption algorithm Default Yes AllowAES192 Allow AES 192 encryption algorithm Default Yes AllowAES256 Allow AES 256 encryption algorithm Default Yes...

Page 278: ...sLevel Optionally restrict the access level of users authenticated by the local database Default Admin RadiusServers Specifies the authentication servers that will be used to authenticate users matchi...

Page 279: ...make use of multiple routes to the same destination Properties RoutingTable Specify routingtable to deploy route load balancing in Identifier Algorithm Specify which algorithm to use when balancing t...

Page 280: ...utive seconds over under the threshold limit to trigger state change for the affected routes Default 30 OutboundThreshold Outbound threshold limit Optional OutboundUnit The outbound units Default kbps...

Page 281: ...the following formula 3 MaxRtrAdvInterval Default Yes RADefaultLifetime The value to be placed in the Router Lifetime field of Router Advertisements sent from the SGW in seconds Default 1800s Default...

Page 282: ...value of 999999999 represents infinity Default 2592000s Default 2592000 RAPreferredLifetime The value to be placed in the Preferred Lifetime in the Prefix Information option The value of 999999999 re...

Page 283: ...Specifies the span of IP addresses to be compared to the destination IP of the received packet SourceInterface Specifies the name of the source interface to be compared to the received packet Destinat...

Page 284: ...CDestLearning Do L3 Cache learning based on destination IPs and MACs in combination with CAM table contents Default Yes Transp_DecrementTTL Decrement TTL on packets forwarded between transparent inter...

Page 285: ...ackets destined for this route shall be sent through Gateway Specifies the IP address of the next router hop used to reach the destination network If the network is directly connected to the firewall...

Page 286: ...elect all interfaces including new ones for publishing routes via Proxy ARP Default No ProxyARPInterfaces Specifies the interfaces on which the firewall should publish routes via Proxy ARP Optional Co...

Page 287: ...ription A route defines what interface and gateway to use in order to reach a specified network Properties Name Specifies a symbolic name for the object Optional Network Specifies the network address...

Page 288: ...a symbolic name for the object Optional Interface Specifies which interface packets destined for this route shall be sent through Network Specifies the network address for this route BroadcastFwd By...

Page 289: ...ofile is active on Wednesdays Optional Thu Specifies during which intervals the schedule profile is active on Thursdays Optional Fri Specifies during which intervals the schedule profile is active on...

Page 290: ...n of service objects which can then be used by different policies in the system Properties Name Specifies a symbolic name for the service Identifier Members Group members Comments Text describing the...

Page 291: ...ch Redirect message codes should be matched Default 0 255 ParameterProblem Enable matching of Parameter Problem messages Default No ParameterProblemCodes Specifies which Parameter Problem message code...

Page 292: ...ly used by IP Policies Optional MaxSessionsProtocol Specifies how many concurrent sessions that are permitted using this Protocol Default 200 ALG An Application Layer Gateway ALG capable of managing a...

Page 293: ...eachable message codes should be matched Default 0 255 PacketTooBig Enable matching of Packet Too Big messages Default No PacketTooBigCodes Specifies which Packet Too Big message codes should be match...

Page 294: ...t are permitted using this Protocol Default 200 ALG An Application Layer Gateway ALG capable of managing advanced protocols can be specified for this service Optional MaxSessions Specifies how many co...

Page 295: ...otiate optimal packet sizes This prevents fragmentation by network equipment between the endpoints Path MTU Discovery relies on ICMP message forwarding so ICMP forwarding must also be enabled Default...

Page 296: ...rough the system Default No EnableIPv4PathMTUDiscovery Path MTU Discovery allows communicating endpoints to negotiate optimal packet sizes This prevents fragmentation by network equipment between the...

Page 297: ...3 117 SLBPolicy The definitions here are the same as in Section 3 63 2 SLBPolicy Chapter 3 Configuration Reference 297...

Page 298: ...roperties Name Specifies a symbolic name for the key Identifier Type DSA or RSA Default DSA Subject Value of the Subject header tag of the public key file Optional PublicKey Specifies the public key C...

Page 299: ...S_128_CBC_SHA1 Default Yes TLS_RSA_WITH_3DES_168_SHA1 Enable cipher RSA_WITH_3DES_168_SHA1 Default Yes TLS_RSA_WITH_RC4_128_SHA1 Enable cipher RSA_WITH_RC4_128_SHA1 Default No TLS_RSA_WITH_RC4_128_MD5...

Page 300: ...Note This object type does not have an identifier and is identified by the name of the type only There can only be one instance of this type Chapter 3 Configuration Reference 300...

Page 301: ...NS Server Optional SecondaryDNS IP of the seconday DNS Server Optional Routing Describes how the traffic from the client should be routed Default All Nets ClientRoutes Networks to be routed through th...

Page 302: ...Pass SSL VPN connections sent to the firewall directly to the SSL VPN engine without consulting the ruleset Default Yes Note This object type does not have an identifier and is identified by the name...

Page 303: ...3 122 StatelessPolicy The definitions here are the same as in Section 3 63 4 StatelessPolicy Chapter 3 Configuration Reference 303...

Page 304: ...ions Log packets that violate stateful tracking rules for instance TCP connect sequences Default Yes LogConnections Log connections opening and closing Default Log LogConnectionUsage Log for every pac...

Page 305: ...rding to MTU of involved interfaces in addition to TCP MSS max Default Yes TCPZeroUnusedACK Force unused ACK fields to zero helps prevent connection spoofing Default Yes TCPZeroUnusedURG Force unused...

Page 306: ...with FIN normally invalid strip strip URG Default DropLog TCPUrg The TCP URG flag many operating systems cannot handle this correctly Default StripLog TCPECN The Explicit Congestion Notification ECN f...

Page 307: ...be compared to the destination IP of the received packet Service Specifies a service that will be used as a filter parameter when matching traffic with this rule Schedule By adding a schedule to a rul...

Page 308: ...he blacklisting Default No BlackListIgnoreEstablished Do not drop existing connection Default No LogEnabled Enable logging Default Yes LogSeverity Specifies with what severity log events will be sent...

Page 309: ...e automatic update is run UpdateWeekday Specifies the day of week when the automatic update is run Default mon Hourly Specifies the number of hours between periodical updates UpdateHour Specifies the...

Page 310: ...e RadiusServers Specifies the authentication servers that will be used to authenticate users matching this rule PrimaryRetryInterval How many seconds to wait before trying to use the primary server ag...

Page 311: ...efault 1800 SessionTimeout A successfully authenticated user will be logged out automatically after this many seconds even if traffic has been received from the user s IP address Optional UseServerTim...

Page 312: ...ccounting events should be sent Default Yes InterimValue The interval in seconds in which interim accounting events should be sent Default 600 LogEnabled Enable logging Default Yes LogSeverity Specifi...

Page 313: ...of the virtual LAN interface Optional DHCPEnabled Enable DHCP client on this interface Default No DHCPHostName Optional DHCP Host Name Leave blank to use default name Optional DHCPDNS1 IP of the prim...

Page 314: ...ng the given network Default Yes AutoDefaultGatewayRoute Automatically add a default route for this virtual LAN interface using the given default gateway Default Yes DHCPv6DNS1 IP of the primary IPv6...

Page 315: ...interfaces Properties UnknownVLANTags VLAN packets tagged with an unknown ID Default DropLog Note This object type does not have an identifier and is identified by the name of the type only There can...

Page 316: ...llow data channels to be established over TCP in addition to UDP Default Yes SIPMaxTCPDataChannels Maximum number of TCP data channels per call Default 5 H323 Enables automatic pinhole creation for H...

Page 317: ...Comments Text describing the current object Optional Chapter 3 Configuration Reference 317...

Page 318: ...ction to take for content that has not been classified Default Allow WCFAllowOverride Allows users to override the filter and gain access to blocked sites with a warning that their actions will be log...

Page 319: ...cklist or whitelist Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index w...

Page 320: ...UDP or ICMP Default All Port Specifies which UDP or TCP port to use Default 0 Schedule Specifies the schedule when the given addresses should be blocked Optional Comments Text describing the current...

Page 321: ...old rule violations Properties Addresses Specifies the addresses that should not be blocked Optional Comments Text describing the current object Optional Note This object type does not have an identif...

Page 322: ...es Name Specifies a symbolic name for the ZoneDefense switch Identifier SwitchModel Specifies the switch model type Default DES 3226S IP The IP address of the management interface of the switch Enable...

Page 323: ...e manually unblocked Default Yes ContraventionTolerance The maximum number of times ZoneDefense can unblock the host Once a host exceeds this value it remains blocked until it is manually unblocked De...

Page 324: ...Chapter 3 Configuration Reference 324...

Page 325: ...nroute 49 E echo 97 F frags 50 G geoip 94 H ha 51 help 97 history 98 hostmon 51 httpalg 51 httpposter 52 hwm 53 I idppipes 53 ifstat 54 igmp 54 ihs 55 see also ipsechastat ike 55 ikesnoop 57 ippool 57...

Page 326: ...ationSettings 135 B BlacklistWhiteHost 136 C Certificate 137 COMPortDevice 138 ConfigModePool 139 ConnTimeoutSettings 140 CRLDistPoint 141 CRLDistPointList 141 D DateTime 142 DefaultInterface 144 Devi...

Page 327: ...opbackInterface 249 M MiscSettings 250 MonitoredHost 286 MulticastPolicy 211 216 251 MulticastSettings 252 N NATPool 253 O OSPFAggregate 257 OSPFArea 255 OSPFInterface 256 OSPFNeighbor 257 OSPFProcess...

Page 328: ...V VLAN 313 VLANSettings 315 VoIPProfile 316 W WebProfile 318 Z ZoneDefenseBlock 320 ZoneDefenseExcludeList 321 ZoneDefenseSwitch 322 ZoneDefenseSwitchSettings 323 Index 328...