350 East Plumeria Drive
San Jose, CA 95134
USA
April 2012
202-10827-01 v1.0
ProSafe Wireless-N 8-Port
Gigabit VPN Firewall
FVS318N
CLI Reference Manual
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
© 2012 NETGEAR, Inc. All rights reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc.
NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change without notice. Other brand and product names are registered trademarks or trademarks of their respective holders. © 2012 All rights reserved.
Technical Support
Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or for more information about the topics covered in this manual, visit the Support website at http://support.netgear.com
Phone (US & Canada only): 1-888-NETGEAR
Phone (Other Countries): Check the list of phone numbers at http://support.netgear.com/app/answers/detail/a_id/984
Statement of Conditions
To improve internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use, or application of, the product(s) or circuit layout(s) described herein.
Revision History
| Publication Part Number | Version | Publish Date | Comments |
| --- | --- | --- | --- |
| 202-10827-01 | 1.0 | April 2012 | First publication |
Contents
Chapter 1 Introduction
  Command Syntax and Conventions
    Command Conventions
    Description of a Command
    Common Parameters
  The Four Categories of Commands
  The Five Main Modes for Configuration Commands
    Save Commands
  The Three Basic Types of Commands
  Command Autocompletion and Command Abbreviation
    CLI Line-Editing Conventions
Chapter 2 Overview of the Configuration Commands
  Network Settings (Net Mode) Configuration Commands
  Security Settings (Security Mode) Configuration Commands
  Administrative and Monitoring Settings (System Mode) Configuration Commands
  Wireless Settings (Dot11 Mode) Configuration Commands
  VPN Settings (VPN Mode) Configuration Commands
Chapter 3 Net Mode Configuration Commands
  General WAN Commands
  IPv4 WAN Commands
  IPv6 WAN Commands
  Dynamic DNS Commands
  IPv4 DMZ Setup Commands
  IPv6 DMZ Setup Commands
  IPv4 Routing Commands
  IPv6 Routing Commands
Chapter 4 Security Mode Configuration Commands
  Security Services Commands
  Security Schedules Commands
  IPv4 Add Firewall Rule and Edit Firewall Rule Commands
  IPv4 General Firewall Commands
  IPv6 Firewall Commands
  Attack Check Commands
  Session Limit, Time-Out, and Advanced Commands
  Address Filter and IP/MAC Binding Commands
  Port Triggering Commands
  Bandwidth Profile Commands
  Content Filtering Commands
Chapter 5 System Mode Configuration Commands
  Remote Management Commands
  Time Zone Command
  Firewall Logs and Email Alerts Commands
Chapter 6 Dot11 Mode Configuration Commands
  Wireless Radio Commands
  Wireless Profile Commands
Chapter 7 VPN Mode Configuration Commands
  IPSec VPN Wizard Command
  IPSec IKE Policy Commands
  IPSec VPN Policy Commands
  IPSec VPN Mode Config Commands
  SSL VPN Portal Layout Commands
  SSL VPN Authentication Domain Commands
  SSL VPN Authentication Group Commands
  SSL VPN User Commands
  SSL VPN Port Forwarding Commands
  SSL VPN Client Commands
  SSL VPN Resource Commands
  SSL VPN Policy Commands
  RADIUS Server Command
  L2TP Server Commands
Chapter 8 Overview of the Show Commands
  Network Settings (Net Mode) Show Commands
  Security Settings (Security Mode) Show Commands
  Administrative and Monitoring Settings (System Mode)
  Wireless Settings (Dot11 Mode) Show Commands
  VPN Settings (VPN Mode) Show Commands
Chapter 9 Show Commands
  Network Settings (Net Mode) Show Commands
    WAN (IPv4 and IPv6) Show Commands
    IPv6 Mode and IPv6 Tunnel Show Commands
    LAN DHCP Show Commands
    Dynamic DNS Show Commands
    IPv4 LAN Show Commands
    IPv6 LAN Show Commands
    DMZ Show Commands
    Routing Show Commands
    Network Statistics Show Commands
  Security Settings (Security Mode) Show Commands
    Services Show Command
    Schedules Show Command
    Firewall Rules Show Command
    Attack Checks Show Commands
    Session Limits Show Commands
    Advanced Firewall Show Commands
    Address Filter Show Commands
    Port Triggering Show Commands
    UPnP Show Commands
    Bandwidth Profiles Show Command
    Content Filtering Show Commands
  Administrative and Monitoring Settings (System Mode)
    Remote Management Show Command
    SNMP Show Commands
    Time Show Command
    Firmware Version Show Command
    Status Show Command
    Traffic Meter Show Command
    Logging Configuration Show Commands
    Logs Show Commands
  Wireless Settings (Dot11 Mode) Show Commands
    Radio Show Command
    Profile Show Commands
    Wireless Statistics Commands
  VPN Settings (VPN Mode) Show Commands
    IPSec VPN Show Commands
    SSL VPN Show Commands
    SSL VPN User Show Commands
    RADIUS Server Show Command
    L2TP Server Show Commands
Chapter 10 Utility Commands
  Overview Util Commands
  Firmware Backup, Restore, and Upgrade Commands
CLI Command Index
1. Introduction
This document describes the command-line interface (CLI) for the NETGEAR ProSafe
Wireless-N 8-Port Gigabit VPN Firewall FVS318N.
This chapter introduces the CLI interface. It includes the following sections:
• Command Syntax and Conventions
• The Four Categories of Commands
• The Five Main Modes for Configuration Commands
• The Three Basic Types of Commands
• Command Autocompletion and Command Abbreviation
Note: For more information about the topics covered in this manual, visit the support website at http://support.netgear.com.
Note: For more information about the features that you can configure using the CLI, see the ProSafe Wireless-N 8-port Gigabit VPN Firewall FVS318N Reference Manual.
Note: You cannot generate and upload a certificate through the CLI. You need to access the web management interface to manage these tasks.
Command Syntax and Conventions
A command is one or more words that can be followed by one or more keywords and parameters. Keywords and parameters can be required or optional:
• A keyword is a predefined string (word) that narrows down the scope of a command. A keyword can be followed by an associated parameter or by associated keywords. In many cases, these associated keywords are mutually exclusive, so you need to select one of them. In some cases, this manual refers to a group of words as a keyword.
• A parameter is a variable for which you need to type a value. You need to replace the parameter name with the appropriate value, which might be a name or number. A parameter can be associated with a command or with a keyword.
This manual lists each command by its full command name and provides a brief description of the command. In addition, for each command, the following information is provided:
• Format. Shows the command keywords and the required and optional parameters.
• Mode. Identifies the command mode you need to be in to access the command. (With some minor exceptions, the mode is always described using lower-case letters.)
• Related show command or commands. Identifies and links to the show command or commands that can display the configured information.
For more complicated commands, in addition to the format, mode, and related show command or commands, the following information is provided:
• Table. Explains the keywords and parameters that you can use for the command.
• Example. Shows a CLI example for the command.
Command Conventions
In this manual, the following type font conventions are used:
• A command name is stated in bold font.
• A keyword name is stated in bold font.
• A parameter name is stated in italic font.
The keywords and parameters for a command might include mandatory values, optional values, or choices. The following table describes the conventions that this manual uses to distinguish between value types:
Table 1. Command conventions (symbol, example, description)
• < > angle brackets. Example: <value>. Indicate that you need to enter a value in place of the brackets and text inside them. (value is the parameter.)
• [ ] square brackets. Example: [value]. Indicate an optional parameter that you can enter in place of the brackets and text inside them. (value is the parameter.)
• { } curly braces. Example: {choice1 | choice2}. Indicate that you need to select a keyword from the list of choices. (choice1 and choice2 are keywords.)
• | vertical bars. Example: choice1 | choice2. Separate the mutually exclusive choices. (choice1 and choice2 are keywords.)
• [ { } ] braces within square brackets. Example: [{choice1 | choice2}]. Indicate a choice within an optional element. (choice1 and choice2 are keywords.)
Description of a Command
The following example describes the net radvd pool lan edit <row id> command:
net radvd pool lan edit is the command name.
<row id> is the required parameter for which you need to enter a value after you type the command words.
The command lets you enter the net-config [radvd-pool-lan] mode, from which you can issue the following keywords and parameters:
prefix_type {6To4 {sla_id <id number>} | {Global-Local-ISATAP} {prefix_address <ipv6-address>} {prefix_length <prefix length>}}
prefix_life_time <seconds>
Explanation of the keywords and parameters:
prefix_type is a keyword. The required associated keyword that you need to select is either 6To4 or Global-Local-ISATAP.
• If you select 6To4, you also need to issue the sla_id keyword and enter a value for the <id number> parameter.
• If you select Global-Local-ISATAP, you also need to issue the prefix_address keyword and enter a value for the <ipv6-address> parameter, and you need to issue the prefix_length keyword and enter a value for the <prefix length> parameter.
prefix_life_time is a keyword. <seconds> is the required parameter for which you need to enter a value.
Command example:
FVS318N> net radvd pool lan edit 12
net-config[radvd-pool-lan]> prefix_type Global-Local-ISATAP
net-config[radvd-pool-lan]> prefix_address 10FA:2203:6145:4201::
net-config[radvd-pool-lan]> prefix_length 10
net-config[radvd-pool-lan]> prefix_life_time 3600
net-config[radvd-pool-lan]> save
Common Parameters
Parameter values might be names (strings) or numbers. To use spaces as part of a name parameter, enclose the name value in double quotes. For example, the expression “System Name with Spaces” forces the system to accept the spaces. Empty strings (“”) are not valid user-defined strings. The following table describes common parameter values and value formatting:
Table 2. Common parameters
| Parameter | Description |
| --- | --- |
| ipaddr | This parameter is a valid IP address. You can enter the IP address in the following formats: a (32 bits); a.b (8.24 bits); a.b.c (8.8.16 bits); a.b.c.d (8.8.8.8). In addition to these formats, the CLI accepts decimal, hexadecimal, and octal formats through the following input formats (where n is any valid decimal, hexadecimal, or octal number): 0xn (CLI assumes hexadecimal format); 0n (CLI assumes octal format with leading zeros); n (CLI assumes decimal format). |
| ipv6-address | FE80:0000:0000:0000:020F:24FF:FEBF:DBCB, or FE80:0:0:0:20F:24FF:FEBF:DBCB, or FE80::20F24FF:FEBF:DBCB, or FE80:0:0:0:20F:24FF:128:141:49:32. For additional information, see RFC 3513. |
| Character strings | Use double quotation marks to identify character strings, for example, “System Name with Spaces”. An empty string (“”) is not valid. |
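The ipaddr input rules in Table 2 mean that one address can be typed in many spellings, so a review of exported rules or bindings should compare canonical forms rather than the text as entered. The following normaliser is an added example, not code from this manual or from NETGEAR; it assumes the part widths and the 0x and leading-0 prefixes behave as in the classic inet_aton parser, and all entries are constructed.

```python
"""Canonicalise IPv4 values written in the input formats listed in Table 2."""

# Bit width of each dot-separated field, per Table 2:
# a (32), a.b (8.24), a.b.c (8.8.16), a.b.c.d (8.8.8.8).
PART_WIDTHS = {1: (32,), 2: (8, 24), 3: (8, 8, 16), 4: (8, 8, 8, 8)}


def parse_part(text):
    """Parse one field: 0xn is hexadecimal, 0n is octal, n is decimal."""
    lowered = text.lower()
    if lowered.startswith("0x"):
        digits, base = lowered[2:], 16
    elif len(lowered) > 1 and lowered.startswith("0"):
        digits, base = lowered[1:], 8
    else:
        digits, base = lowered, 10
    allowed = "0123456789abcdef"[:base]
    if not digits or any(ch not in allowed for ch in digits):
        raise ValueError(f"invalid field {text!r}")
    return int(digits, base)


def canonical_ipv4(text):
    """Return the dotted-quad form of an address in any accepted spelling."""
    parts = text.strip().split(".")
    widths = PART_WIDTHS.get(len(parts))
    if widths is None:
        raise ValueError(f"expected 1 to 4 fields, got {len(parts)}")
    value = 0
    for part, width in zip(parts, widths):
        number = parse_part(part)
        if number >= 1 << width:
            raise ValueError(f"field {part!r} does not fit in {width} bits")
        value = (value << width) | number
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def find_aliases(entries):
    """Group entries by canonical address.

    Returns (aliases, rejected): aliases maps a canonical address to the
    different spellings found for it; rejected lists entries that do not parse.
    """
    groups, rejected = {}, []
    for entry in entries:
        try:
            groups.setdefault(canonical_ipv4(entry), []).append(entry)
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    aliases = {addr: forms for addr, forms in groups.items()
               if len(set(forms)) > 1}
    return aliases, rejected


# Constructed sample: addresses as they might appear in an exported rule list.
SAMPLE_ENTRIES = [
    "192.0.2.10",      # a.b.c.d, decimal
    "0xC000020A",      # a, hexadecimal
    "0300.0.02.012",   # a.b.c.d, octal fields
    "192.0.522",       # a.b.c
    "198.51.100.7",
    "192.0.2.256",     # last field does not fit in 8 bits
]

if __name__ == "__main__":
    aliases, rejected = find_aliases(SAMPLE_ENTRIES)
    for address, forms in aliases.items():
        print(f"{address} is written as: {', '.join(forms)}")
    for entry, reason in rejected:
        print(f"rejected {entry}: {reason}")
```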
The Four Categories of Commands
There are four CLI command categories:
• Configuration commands with five main configuration modes. For more information, see The Five Main Modes for Configuration Commands commands also fall into this category (see
• Show commands that are available for the five main configuration modes (see
• Utility commands (see
•
The Five Main Modes for Configuration Commands
For the configuration commands, there are five main modes in the CLI: net, security, system, dot11, and vpn. Chapter 2, Overview of the Configuration Commands lists all commands in these modes, and each of these modes is described in detail in a separate chapter (see
The following table lists the main configuration modes, the configuration modes, the features that you can configure in each configuration mode, and, for orientation, the basic web management interface (GUI) path to the feature.
Table 3. Main configuration modes
| Main Mode (CLI) | Submode (CLI) | Feature That You Can Configure (CLI) | Basic Path (Web Management Interface, GUI) |
| --- | --- | --- | --- |
| Network configuration commands | | | |
| net | ddns | Dynamic DNS | Network Configuration > Dynamic DNS |
| | dmz | DMZ for IPv4; DMZ for IPv6 | Network Configuration > DMZ Setup |
| | ethernet | VLAN assignment to LAN interface | Network Configuration > LAN Setup |
| | ipv6 | IPv4 or IPv4/IPv6 mode | Network Configuration > WAN Settings |
| | ipv6_tunnel | IPv6 tunnels | Network Configuration > WAN Settings |
| | lan | IPv4 LAN settings and VLANs; LAN groups for IPv4; Secondary IPv4 addresses; Advanced IPv4 LAN settings; IPv6 LAN settings; Secondary IPv6 addresses; IPv6 LAN DHCP address pools | Network Configuration > LAN Setup |
| | radvd | IPv6 RADVD and pools for the LAN | Network Configuration > LAN Setup |
| | | IPv6 RADVD and pools for the DMZ | Network Configuration > DMZ Setup |
| | routing | Dynamic IPv4 routes; Static IPv4 routes; Static IPv6 routes | Network Configuration > Routing |
| | wan | IPv4 WAN (Internet) settings; IPv6 WAN (Internet) settings; MTU, port speed, and MAC address | Network Configuration > WAN Settings |
| | wan_settings | NAT or Classical Routing | Network Configuration > WAN Settings |
| Security configuration commands | | | |
| security | address_filter | Source MAC filters; IP/MAC bindings for IPv4; IP MAC bindings for IPv6 | Security > Address Filter |
| | bandwidth | Bandwidth profiles | Security > Bandwidth Profile |
| | content_filter | Blocked keywords; Trusted domains; Group filtering | Security > Content Filtering |
| | firewall | All IPv4 firewall rules; All IPv6 firewall rules; Attack checks; Session limits and time-outs; SIP ALG | Security > Firewall |
| | porttriggering_rules | | Security > Port Triggering |
| | schedules | | Security > Schedule |
| | services | | Security > Services |
| | upnp | | Security > UPnP |
| Administration and monitoring configuration commands | | | |
| system | logging | | Monitoring > Firewall Logs & E-mail |
| | remote_management | | Administration > Remote Management |
| | snmp | | Administration > SNMP |
| | time | | Administration > Time Zone |
| | traffic_meter | | Monitoring > Traffic Meter |
| Wireless configuration commands | | | |
| dot11 | profile | Wireless profiles | Network Configuration > Wireless Settings |
| | radio | Wireless radio | Network Configuration > Wireless Settings |
| VPN configuration commands | | | |
| vpn | ipsec | IKE policies; VPN policies; VPN IPSec Wizard; Mode Config records | VPN > IPSec VPN |
| | l2tp | L2TP server | VPN > L2TP Server |
| | radius | RADIUS servers for VPN | VPN > IPSec VPN > RADIUS Client |
| | sslvpn | SSL policies; Resources; Portal layouts; SSL VPN Client; Client routes; Port forwarding; User accounts; User login and IP policies; Groups; Domains | VPN > SSL VPN; Users |
Save Commands
The following table describes the configuration commands that let you save or cancel configuration changes in the CLI. You can use these commands in any of the five main configuration modes. These commands are not preceded by a period.
Table 4. Save commands
| Command | Description |
| --- | --- |
| save | Save the configuration changes. |
| exit | Save the configuration changes and exit the current configuration mode. |
| cancel | Roll back the configuration changes. |
Commands That Require Saving
After you have issued a command that includes the word configure, add, or edit, you enter a configuration mode from which you can issue keywords and associated parameters.
These are examples of commands for which you need to save your changes:
• net lan ipv4 configure <vlan id> lets you enter the net-config [lan-ipv4] configuration mode. After you have made your changes, issue save or exit to save your changes.
• security content_filter trusted_domain add lets you enter the security-config [approved-urls] configuration mode. After you have made your changes, issue save or exit to save your changes.
• dot11 profile configure <profile name> lets you enter the dot11-config [profile] configuration mode. After you have made your changes, issue save or exit to save your changes.
Commands That Do Not Require Saving
You do not need to save your changes after you have issued a command that deletes, disables, or enables a row ID, name, IP address, or MAC address, or that lets you make a configuration change without entering another configuration mode.
These are examples of commands that you do not need to save:
• net lan dhcp reserved_ip delete <mac address>
• dot11 profile disable <profile name>
• security firewall ipv4 enable <row id>
• security firewall ipv4 default_outbound_policy {Allow | Block}
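For change review, the save rules above can be applied to a captured CLI session to show which configuration blocks were committed with save or exit, which were rolled back with cancel, and which were left without any of the three. This is an added example, not code from this manual or from NETGEAR; the transcript is constructed, and the prompt that follows each command in it is an assumption based on the prompts shown in the manual's examples.

```python
import re

# Prompt shapes follow the manual's examples: "FVS318N>" at the root and
# "net-config[radvd-pool-lan]>" (optionally with a space before "[") inside
# a configuration mode.
PROMPT = re.compile(r"^(?P<prompt>[\w-]+(?:\s?\[[\w-]+\])?)>\s*(?P<cmd>.*)$")
ENTRY_WORDS = {"configure", "add", "edit"}  # words that open a configuration mode


def new_block(entry):
    return {"entry": entry, "saved": [], "rolled_back": [], "unsaved": []}


def settle(block, pending, status):
    """File the keywords typed since the last save/exit/cancel under a status."""
    if block is not None and pending:
        block[status].extend(pending)
    pending.clear()


def review_transcript(lines):
    """Return one record per configuration block found in a CLI transcript."""
    blocks, block, pending = [], None, []
    for raw in lines:
        match = PROMPT.match(raw.strip())
        if match is None:
            continue  # login banner or command output
        prompt, cmd = match["prompt"], match["cmd"].strip()
        if "-config" in prompt:
            if block is None:  # mode was entered before the transcript began
                block = new_block("(entry command not in transcript)")
                blocks.append(block)
            if cmd in ("save", "exit"):
                settle(block, pending, "saved")
            elif cmd == "cancel":
                settle(block, pending, "rolled_back")
            elif cmd and cmd != "?" and not cmd.startswith("."):
                pending.append(cmd)  # keyword line awaiting save, exit or cancel
        else:
            # Back at a non-configuration prompt: keywords still pending were
            # never followed by save, exit or cancel in this transcript.
            settle(block, pending, "unsaved")
            block = None
            if ENTRY_WORDS & set(cmd.split()):
                block = new_block(cmd)
                blocks.append(block)
    settle(block, pending, "unsaved")
    return blocks


def unresolved(blocks):
    """Entry commands of blocks that contain keywords with no save/exit/cancel."""
    return [block["entry"] for block in blocks if block["unsaved"]]


# Constructed transcript using commands and keywords that appear in this manual.
SAMPLE_TRANSCRIPT = """\
FVS318N login: admin
FVS318N> net radvd pool lan edit 12
net-config[radvd-pool-lan]> prefix_type Global-Local-ISATAP
net-config[radvd-pool-lan]> prefix_life_time 3600
net-config[radvd-pool-lan]> exit
FVS318N> security firewall ipv4 default_outbound_policy Block
FVS318N> net wan wan1 ipv4 configure
net-config[wan1-ipv4]> isp_connection_type STATIC
net-config[wan1-ipv4]> cancel
FVS318N> net radvd pool lan edit 13
net-config[radvd-pool-lan]> prefix_life_time 7200
net-config[radvd-pool-lan]> .top
FVS318N> .history
""".splitlines()

if __name__ == "__main__":
    for record in review_transcript(SAMPLE_TRANSCRIPT):
        print(record)
    print("needs review:", unresolved(SAMPLE_TRANSCRIPT and
                                       review_transcript(SAMPLE_TRANSCRIPT)))
```

The "unsaved" bucket only records that no save, exit, or cancel was seen for those keywords in the transcript; what the firewall does with them is not described here, so such blocks should be checked against the running configuration.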
Global Commands
The following table describes the global commands that you can use anywhere in the CLI. These commands need to be preceded by a period.
Table 5. Global CLI commands
| Command | Description |
| --- | --- |
| .exit | Exit the current session. |
| .help | Display an overview of the CLI syntax. |
| .top | Return to the default command mode or root. |
| .reboot | Reboot the system. |
| .history | Display the command-line history of the current session. |
The Three Basic Types of Commands
You can encounter the following three basic types of commands in the CLI:
• Entry commands to enter a configuration mode. Commands that let you enter a configuration mode from which you can configure various keywords and associated parameters and keywords. For example, the net wan wan1 ipv4 configure command lets you enter the net-config [wan1-ipv4] mode, from which you can configure the IPv4 WAN settings.
This type of command is the most common in the CLI and is always indicated by two steps in this manual, each one showing the format and mode:
Step 1
Format: net wan wan1 ipv4 configure
Mode: net
Step 2
Format: This section shows the keywords and associated parameters, for example: isp_connection_type {STATIC | DHCPC | PPPoE | PPTP}
Mode: net-config [wan1-ipv4]
Sometimes, you need to enter a parameter to enter a configuration mode. For example, security schedules edit <row id> requires you to enter the row ID parameter to enter the security-config [schedules] mode, from which you can modify various keywords and associated parameters and keywords.
• Commands with a single parameter. Commands that require you to supply one or more parameters and that do not let you enter another configuration mode. The parameter is usually a row ID or a name. For example, security firewall ipv4 delete <row id> requires you to enter the row ID parameter to delete the firewall rule.
For this type of command, the format and mode are shown in this manual:
Format: security firewall ipv4 delete <row id>
Mode: security
• Commands without parameters. Commands that do not require you to supply a parameter after the command and that do not let you enter another configuration mode. For example, util restore_factory_defaults does not require parameters.
For this type of command also, the format and mode are shown in this manual:
Format: util restore_factory_defaults
Mode: util
Command Autocompletion and Command Abbreviation
Command autocompletion finishes spelling the command when you type enough letters of a command to uniquely identify the command keyword. You need to type all of the required keywords and parameters before you can use autocompletion.
The following keys both perform autocompletion for the current command. If the command prefix is not unique, a subsequent repeat of the key displays possible completions.
• Enter or Return key. Autocompletes, syntax-checks, and then executes the command. If there is a syntax error, the offending part of the command is highlighted and explained.
• Spacebar. Autocompletes, or if the command is already resolved, inserts a space.
CLI Line-Editing Conventions
The following table describes the key combinations that you can use to edit commands or increase the speed of command entry. Access this list from the CLI by issuing .help.
Table 6. CLI editing conventions
| Key or Key Sequence | Description |
| --- | --- |
| Invoking context-sensitive help | |
| ? | Displays context-sensitive help. The information that displays consists either of a list of possible command completions with summaries or of the full syntax of the current command. When a command has been resolved, a subsequent repeat of the help key displays a detailed reference. |
| Autocompleting | Note: Command autocompletion finishes spelling the command when you type enough letters of a command to uniquely identify the command keyword. However, you need to type all of the required keywords and parameters before you use autocompletion. |
| Enter (or Return) | Autocompletes, syntax-checks, and then executes a command. If there is a syntax error, the offending part of the command line is highlighted and explained. If the command prefix is not unique, a subsequent repeat of the key displays possible completions. |
| Spacebar | Autocompletes, or if the command is already resolved, inserts a space. If the command prefix is not unique, a subsequent repeat of the key displays possible completions. |
| Moving around | |
| Ctrl-A | Go to the beginning of the line. |
| Ctrl-E | Go to the end of the line. |
| Up arrow | Go to the previous line in the history buffer. |
| Down arrow | Go to the next line in the history buffer. |
| Left arrow | Go backward one character. |
| Right arrow | Go forward one character. |
| Deleting | |
| Ctrl-C | Delete the entire line. |
| Ctrl-D | Delete the next character. |
| Ctrl-K | Delete all characters to the end of the line from where the cursor is located. |
| Backspace | Delete the previous character. |
| Invoking escape sequences | |
| !! | Substitute the previous line. |
| !N | Substitute the Nth line, in which N is the absolute line number as displayed in the output of the history command. |
| !-N | Substitute the line that is located N lines before the current line, in which N is a relative number in relation to the current line. |
Access the CLI
You can access the CLI by logging in with the same user credentials (user name and password) that you use to access the web management interface. FVS318N> is the CLI prompt.
FVS318N login: admin
Password:
************************************************
Welcome to FVS318N Command Line Interface
************************************************
FVS318N>
2. Overview of the Configuration Commands
This chapter provides an overview of all configuration commands in the five configuration command modes. The keywords and associated parameters that are available for these commands are explained in the following chapters. The chapter includes the following sections:
• Network Settings (Net Mode) Configuration Commands
• Security Settings (Security Mode) Configuration Commands
• Administrative and Monitoring Settings (System Mode) Configuration Commands
• Wireless Settings (Dot11 Mode) Configuration Commands
• VPN Settings (VPN Mode) Configuration Commands
Network Settings (Net Mode) Configuration Commands
Enter the net ? command at the CLI prompt to display the description of all the configuration commands in the net mode. The following table lists the commands in alphabetical order:
Table 7. Net mode configuration commands

| Submode | Command Name | Purpose |
|---|---|---|
| ddns | | Enable, configure, or disable Dynamic DNS (DDNS) service. |
| dmz | | Enable, configure, or disable the IPv4 DMZ. |
| dmz | | Enable, configure, or disable the IPv6 DMZ. |
| dmz | | Configure a new or existing IPv6 DMZ DHCP address pool. |
| ethernet | net ethernet configure <interface name or number> | Configure a VLAN for a LAN interface. |
| ipv6 | | Configure the IP mode (IPv4 only or IPv4/IPv6). |
| ipv6_tunnel | | Configure a new IPv6 ISATAP tunnel. |
| ipv6_tunnel | net ipv6_tunnel isatap delete <row id> | Delete an IPv6 ISATAP tunnel. |
| ipv6_tunnel | net ipv6_tunnel isatap edit <row id> | Configure an existing IPv6 ISATAP tunnel. |
| ipv6_tunnel | net ipv6_tunnel six_to_four configure | Enable or disable automatic (6to4) tunneling. |
| lan | net lan dhcp reserved_ip configure <mac address> | Bind a MAC address to an IP address for DHCP reservation or change an existing binding, and assign a LAN group. |
| lan | net lan dhcp reserved_ip delete <mac address> | Delete the binding of a MAC address to an IP address. |
| lan | net lan ipv4 advanced configure | Configure advanced LAN settings such as the MAC address for VLANs and ARP broadcast. |
| lan | net lan ipv4 configure <vlan id> | Configure a new or existing VLAN. |
| lan | | Configure the default VLAN for each port. |
| lan | net lan ipv4 delete <vlan id> | Delete a VLAN. |
| lan | net lan ipv4 disable <vlan id> | Disable a VLAN. |
| lan | net lan ipv4 enable <vlan id> | Enable a VLAN. |
| lan | | Configure a new secondary IPv4 address. |
| lan | net lan ipv4 multi_homing delete <row id> | Delete a secondary IPv4 address. |
| lan | net lan ipv4 multi_homing edit | Configure an existing secondary IPv4 address. |
| lan | | Configure the IPv6 LAN address settings and DHCPv6. |
| lan | | Configure a new secondary IPv6 address. |
| lan | net lan ipv6 multi_homing delete <row id> | Delete a secondary IPv6 address. |
| lan | net lan ipv6 multi_homing edit | Configure an existing secondary IPv6 address. |
| lan | | Configure a new or existing IPv6 LAN DHCP address pool. |
| lan | net lan ipv6 pool delete <start ipv6-address> | Delete an IPv6 LAN DHCP address pool. |
| lan | net lan lan_groups edit <row id> <new group name> | Change an existing LAN default group name. |
| radvd | | Configure the IPv6 RADVD for the DMZ. |
| radvd | | Configure the IPv6 RADVD for the LAN. |
| radvd | | Configure a new IPv6 RADVD pool for the DMZ. |
| radvd | net radvd pool dmz delete <row id> | Delete an IPv6 RADVD pool from the DMZ. |
| radvd | net radvd pool dmz edit <row id> | Configure an existing IPv6 RADVD pool for the DMZ. |
| radvd | | Configure a new IPv6 RADVD pool for the LAN. |
| radvd | net radvd pool lan delete <row id> | Delete an IPv6 RADVD pool from the LAN. |
| radvd | net radvd pool lan edit <row id> | Configure an existing IPv6 RADVD pool for the LAN. |
| routing | | Configure RIP and the associated MD5 key information. |
| routing | net routing static ipv4 configure <route name> | Configure a new or existing IPv4 static route. |
| routing | net routing static ipv4 delete <route name> | Delete an IPv4 static route. |
| routing | net routing static ipv4 delete_all | Delete all IPv4 routes. |
| routing | net routing static ipv6 configure <route name> | Configure a new or existing IPv6 static route. |
| routing | net routing static ipv6 delete <route name> | Delete an IPv6 static route. |
| routing | net routing static ipv6 delete_all | Delete all IPv6 routes. |
| wan | | Configure the MTU, port speed, and MAC address of the wireless VPN firewall. |
| wan | | Configure the IPv4 settings of the WAN interface. |
| wan | | Configure the IPv6 settings of the WAN interface. |
| wan_settings | net wan_settings wanmode configure | Configure the mode of IPv4 routing (NAT or classical routing) between the WAN interface and LAN interfaces. |
Security Settings (Security Mode) Configuration Commands
Enter the security ? command at the CLI prompt to display the description of all the configuration commands in the security mode. The following table lists the commands in alphabetical order:
Table 8. Security mode configuration commands

| Submode | Command Name | Purpose |
|---|---|---|
| address_filter | security address_filter ip_or_mac_binding add | Configure a new IP/MAC binding rule. |
| address_filter | security address_filter ip_or_mac_binding delete <row id> | Delete an IP/MAC binding rule. |
| address_filter | security address_filter ip_or_mac_binding edit <row id> | Configure an existing IP/MAC binding rule. |
| address_filter | security address_filter ip_or_mac_binding enable_email_log <ip version> | Configure the email log for IP/MAC Binding violations. |
| address_filter | security address_filter mac_filter configure | Configure the source MAC address filter. |
| address_filter | security address_filter mac_filter source add | Configure a new MAC source address. |
| address_filter | security address_filter mac_filter source delete <row id> | Delete a MAC source address. |
| bandwidth | security bandwidth profile add | Configure a new bandwidth profile. |
| bandwidth | security bandwidth profile delete <row id> | Delete a bandwidth profile. |
| bandwidth | security bandwidth profile edit <row id> | Configure an existing bandwidth profile. |
| content_filter | security content_filter block_group disable | Remove content filtering from groups. |
| content_filter | security content_filter block_group enable | Apply content filtering to groups. |
| content_filter | security content_filter blocked_keywords add | Configure a new blocked keyword. |
| content_filter | security content_filter blocked_keywords delete <row id> | Delete a blocked keyword. |
| content_filter | security content_filter blocked_keywords edit <row id> | Configure an existing blocked keyword. |
| content_filter | security content_filter content_filtering configure | Configure web content filtering. |
| content_filter | security content_filter trusted_domain add | Configure a new trusted domain. |
| content_filter | | Delete a trusted domain. |
| content_filter | | Configure an existing trusted domain. |
| firewall | security firewall advanced algs | Configure SIP support for the ALG. |
| firewall | security firewall attack_checks configure ipv4 | Configure WAN and LAN security attack checks for IPv4 traffic. |
| firewall | security firewall attack_checks configure ipv6 | Configure WAN security attack checks for IPv6 traffic. |
| firewall | security firewall attack_checks igmp setup | Enable or disable multicast pass-through for IPv4 traffic. |
| firewall | | Enable or disable jumbo frames for IPv4 traffic. |
| firewall | | Configure VPN pass-through for IPv4 traffic. |
| firewall | security firewall ipv4 add_rule dmz_wan inbound | Configure a new IPv4 DMZ WAN inbound firewall rule. |
| firewall | security firewall ipv4 add_rule dmz_wan outbound | Configure a new IPv4 DMZ WAN outbound firewall rule. |
| firewall | security firewall ipv4 add_rule lan_dmz inbound | Configure a new IPv4 LAN DMZ inbound firewall rule. |
| firewall | security firewall ipv4 add_rule lan_dmz outbound | Configure a new IPv4 LAN DMZ outbound firewall rule. |
| firewall | security firewall ipv4 add_rule lan_wan inbound | Configure a new IPv4 LAN WAN inbound firewall rule. |
| firewall | security firewall ipv4 add_rule lan_wan outbound | Configure a new IPv4 LAN WAN outbound firewall rule. |
| firewall | security firewall ipv4 default_outbound_policy {Allow \| Block} | Configure the default outbound policy for IPv4 traffic. |
| firewall | security firewall ipv4 delete <row id> | Delete an IPv4 firewall rule. |
| firewall | security firewall ipv4 disable <row id> | Disable an IPv4 firewall rule. |
| firewall | security firewall ipv4 edit_rule dmz_wan inbound <row id> | Configure an existing IPv4 DMZ WAN inbound firewall rule. |
| firewall | security firewall ipv4 edit_rule dmz_wan outbound <row id> | Configure an existing IPv4 DMZ WAN outbound firewall rule. |
| firewall | security firewall ipv4 edit_rule lan_dmz inbound <row id> | Configure an existing IPv4 LAN DMZ inbound firewall rule. |
| firewall | security firewall ipv4 edit_rule lan_dmz outbound <row id> | Configure an existing IPv4 LAN DMZ outbound firewall rule. |
| firewall | security firewall ipv4 edit_rule lan_wan inbound <row id> | Configure an existing IPv4 LAN WAN inbound firewall rule. |
| firewall | security firewall ipv4 edit_rule lan_wan outbound <row id> | Configure an existing IPv4 LAN WAN outbound firewall rule. |
| firewall | security firewall ipv4 enable <row id> | Enable an IPv4 firewall rule. |
| firewall | security firewall ipv6 configure | Configure a new IPv6 firewall rule. |
| firewall | security firewall ipv6 default_outbound_policy {Allow \| | Configure the default outbound policy for IPv6 traffic. |
| firewall | security firewall ipv6 delete <row id> | Delete an IPv6 firewall rule. |
| firewall | security firewall ipv6 disable <row id> | Disable an IPv6 firewall rule. |
| firewall | security firewall ipv6 edit <row id> | Configure an existing IPv6 firewall rule. |
| firewall | security firewall ipv6 enable <row id> | Enable an IPv6 firewall rule. |
| firewall | security firewall session_limit configure | Configure global session limits. |
| firewall | security firewall session_settings configure | Configure global session time-outs. |
| porttriggering_rules | security porttriggering_rules add | Configure a new port triggering rule. |
| porttriggering_rules | security porttriggering_rules delete <row id> | Delete a port triggering rule. |
| porttriggering_rules | security porttriggering_rules edit <row id> | Configure an existing port triggering rule. |
| schedules | security schedules edit <1 \| 2 \| 3> | Configure one of the three security schedules. |
| services | | Configure a new custom service. |
| services | security services delete <row id> | Delete a custom service. |
| services | security services edit <row id> | Configure an existing custom service. |
| upnp | | Configure UPnP. |
Administrative and Monitoring Settings (System Mode) Configuration Commands
Enter the system ? command at the CLI prompt to display the description of all the configuration commands in the system mode. The following table lists the commands in alphabetical order:
Table 9. System mode configuration commands

| Submode | Command Name | Purpose |
|---|---|---|
| logging | | Configure routing logs for accepted and dropped IPv4 and IPv6 packets. |
| logging | system logging remote configure | Configure email logs and alerts, schedule email logs and alerts, and configure a syslog server. |
| remote_management | system remote_management https configure | Configure remote management over HTTPS. |
| remote_management | system remote_management telnet configure | Configure remote management over Telnet. |
| snmp | | Configure the SNMP system information. |
| snmp | system snmp trap configure <ip address> | Configure an SNMP agent and community. |
| snmp | system snmp trap delete <ipaddress> | Delete an SNMP agent. |
| time | | Configure the system time, date, and NTP servers. |
| traffic_meter | system traffic_meter configure | Configure the traffic meter. |
Wireless Settings (Dot11 Mode) Configuration Commands
Enter the dot11 ? command at the CLI prompt to display the description of all the configuration commands in the dot11 mode. The following table lists the commands in alphabetical order:
Table 10. Dot11 mode configuration commands

| Submode | Command Name | Purpose |
|---|---|---|
| profile | dot11 profile acl configure <profile name> | Configure an ACL for a specific profile. |
| profile | dot11 profile configure <profile name> | Configure a profile. |
| profile | | Delete a profile. |
| profile | | Disable a profile. |
| profile | | Enable a profile. |
| profile | | Configure Wi-Fi Protected Setup™ (WPS). |
| radio | dot11 radio advanced configure | Configure advanced radio settings. |
| radio | | Configure basic radio settings. |
VPN Settings (VPN Mode) Configuration Commands
Enter the vpn ? command at the CLI prompt to display the description of all the configuration commands in the vpn mode. The following table lists the commands in alphabetical order:
Table 11. Configuration commands: vpn mode

| Submode | Command Name | Purpose |
|---|---|---|
| ipsec | vpn ipsec ikepolicy configure <ike policy name> | Configure a new or existing manual IPSec IKE policy. |
| ipsec | vpn ipsec ikepolicy delete <ike policy name> | Delete an IPSec policy. |
| ipsec | vpn ipsec mode_config configure <record name> | Configure a new or existing Mode Config record. |
| ipsec | vpn ipsec modeConfig delete <record name> | Delete a Mode Config record. |
| ipsec | vpn ipsec vpnpolicy configure <vpn policy name> | Configure a new or existing auto IPSec VPN policy or manual IPSec VPN policy. |
| ipsec | | Establish a VPN connection. |
| ipsec | | Delete an IPSec VPN policy. |
| ipsec | | Disable an IPSec VPN policy. |
| ipsec | vpn ipsec vpnpolicy drop <vpn policy name> | Terminate an IPSec VPN connection. |
| ipsec | vpn ipsec vpnpolicy enable <vpn policy name> | Enable an IPSec VPN policy. |
| ipsec | vpn ipsec wizard configure <Gateway \| VPN_Client> | Configure the IPSec VPN wizard for a gateway-to-gateway or gateway-to-VPN client connection. |
| l2tp | | Configure the L2TP server. |
| radius | | Configure the RADIUS servers. |
| sslvpn | | Configure the SSL client IP address range. |
| sslvpn | | Configure a new SSL VPN policy. |
| sslvpn | vpn sslvpn policy delete <row id> | Delete an SSL VPN policy. |
| sslvpn | vpn sslvpn policy edit <row id> | Configure an existing SSL VPN policy. |
| sslvpn | | Configure a new SSL VPN portal layout. |
| sslvpn | vpn sslvpn portal-layouts delete <row id> | Delete an SSL VPN portal layout. |
| sslvpn | vpn sslvpn portal-layouts edit <row id> | Configure an existing SSL VPN portal layout. |
| sslvpn | vpn sslvpn portforwarding appconfig add | Configure a new SSL port forwarding application. |
| sslvpn | vpn sslvpn portforwarding appconfig delete <row id> | Delete an SSL VPN port forwarding application. |
| sslvpn | vpn sslvpn portforwarding hostconfig add | Configure a new host name for an SSL port forwarding application. |
| sslvpn | vpn sslvpn portforwarding hostconfig delete <row id> | Delete a host name for an SSL port forwarding application. |
| sslvpn | | Add a new SSL VPN resource. |
| sslvpn | vpn sslvpn resource configure add <resource name> | Configure an existing SSL VPN resource. |
| sslvpn | vpn sslvpn resource delete <row id> | Delete an SSL VPN resource. |
| sslvpn | | Add an SSL VPN client route. |
| sslvpn | vpn sslvpn route delete <row id> | Delete an SSL VPN client route. |
| sslvpn | | Configure a new authentication domain. |
| sslvpn | vpn sslvpn users domains delete <row id> | Delete an authentication domain. |
| sslvpn | vpn sslvpn users domains edit <row id> | Configure an existing authentication domain. |
| sslvpn | | Configure a new authentication group. |
| sslvpn | vpn sslvpn users groups delete <row id> | Delete an authentication group. |
| sslvpn | vpn sslvpn users groups edit <row id> | Configure an existing authentication group. |
| sslvpn | | Add a new user account. |
| sslvpn | vpn sslvpn users users browser_policies <row id> | Configure the client browsers from which a user is either allowed or denied access. |
| sslvpn | vpn sslvpn users users delete <row id> | Delete a user account. |
| sslvpn | vpn sslvpn users users edit <row id> | Configure an existing user account. |
| sslvpn | vpn sslvpn users users ip_policies configure <row id> | Configure source IP addresses from which a user is either allowed or denied access. |
| sslvpn | vpn sslvpn users users ip_policies delete <row id> | Delete a source IP address for a user. |
| sslvpn | vpn sslvpn users users login_policies <row id> | Configure the login policy for a user. |
3. Net Mode Configuration Commands
This chapter explains the configuration commands, keywords, and associated parameters in the net mode. The chapter includes the following sections:
IMPORTANT: After you have issued a command that includes the word configure, add, or edit, you need to save (or cancel) your changes. For more information, see on page 13.
General WAN Commands
net wan port_setup configure
This command configures the MTU, port speed, and MAC address of the wireless VPN firewall. After you have issued the net wan port_setup configure command, you enter the net-config [port_setup] mode, and then you can configure the MTU, port speed, and MAC address.
Step 1
Format: net wan port_setup configure
Mode: net

Step 2
Format:
def_mtu {Default | Custom {mtu_size <number>}}
port_speed {Auto_Sense | 10_BaseT_Half_Duplex | 10_BaseT_Full_Duplex | 100_BaseT_Half_Duplex | 100_BaseT_Full_Duplex | 1000_BaseT_Half_Duplex | 1000_BaseT_Full_Duplex}
mac_type {Use-Default-Mac | Use-This-Computers-Mac | Use-This-Mac {mac_address <mac address>}}
Mode: net-config [port_setup]

| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| def_mtu | Default or Custom | Specifies whether the default MTU or a custom MTU is used. If you select Custom, you need to issue the mtu_size keyword and specify the size of the MTU. |
| mtu_size | number | The size of the default MTU in bytes for the WAN port. If you have configured IPv4 mode, type a number between 68 and 1500 bytes. If you have configured IPv4/IPv6 mode, type a number between 1280 and 1500 bytes. |
| port_speed | Auto_Sense, 10_BaseT_Half_Duplex, 10_BaseT_Full_Duplex, 100_BaseT_Half_Duplex, 100_BaseT_Full_Duplex, 1000_BaseT_Half_Duplex, or 1000_BaseT_Full_Duplex | The port speed and duplex mode of the WAN port. The keywords are self-explanatory. |
| mac_type | Use-Default-Mac, Use-This-Computers-Mac, or Use-This-Mac | The source for the MAC address. The default setting is Use-Default-Mac. If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, select either Use-This-Computers-Mac or select Use-This-Mac. If you select the latter keyword, you need to issue the mac_address keyword and specify the MAC address that is expected by your ISP. |
| mac_address | mac address | The MAC address that the ISP requires for MAC authentication when the mac_type keyword is set to Use-This-Mac. |
Command example:
FVS318N> net wan port_setup configure
net-config[port_setup]> def_mtu Custom
net-config[port_setup]> mtu_size 1498
net-config[port_setup]> port_speed 1000_BaseT_Full_Duplex
net-config[port_setup]> mac_type Use-This-Computers-Mac
net-config[port_setup]> save
IPv4 WAN Commands
net wan_settings wanmode configure
This command configures the mode of IPv4 routing between the WAN interface and LAN interfaces. After you have issued the net wan_settings wanmode configure command, you enter the net-config [routing-mode] mode, and then you can configure NAT or classical routing.
WARNING! Changing the mode of IPv4 routing causes all LAN–WAN and DMZ–WAN inbound firewall settings to revert to default settings.

Step 1
Format: net wan_settings wanmode configure
Mode: net

Step 2
Format: type {NAT | Classical_Routing}
Mode: net-config [routing-mode]
net wan wan1 ipv4 configure
This command configures the IPv4 settings of the WAN interface. After you have issued the net wan wan1 ipv4 configure command, you enter the net-config [wan1-ipv4] mode.
First, specify the ISP connection type (you can select only a single type). Then, for the selected ISP connection type, configure one keyword and associated parameter or associated keyword at a time in the order that you prefer. If you select a static ISP connection type, there is no further configuration required.

Step 1
Format: net wan wan1 ipv4 configure
Mode: net

Step 2
Format:
isp_connection_type {STATIC | DHCPC | PPPoE | PPTP} Yes
isp_login_required {Y | N}

static ip_address <ipaddress>
static subnet_mask <subnet mask>
static gateway_address <ipaddress>
static primary_dns <ipaddress>
static secondary_dns <ipaddress>

dhcpc account_name <account name>
dhcpc domain_name <domain name>
dhcpc client_identifier {Y | N}
dhcpc vendor_identifier {Y | N}
dhcpc get_dns_from_isp {Y | N {dhcpc primary_dns <ipaddress>} [dhcpc secondary_dns <ipaddress>]}

pppoe username <user name>
pppoe password <password>
pppoe AccountName <account name>
pppoe DomainName <domain name>
pppoe connectivity_type {keepalive | idletimeout {idletime <minutes>}}
pppoe connection_reset {N | Y {reset_hour <hour>} {reset_min <minutes>} {delay_in_reset <seconds>}}
pppoe get_ip_dynamically {Y | N {static_ip <ipaddress>} {subnet_mask <subnet mask>}}
pppoe get_dns_from_isp {Y | N {primary_dns <ipaddress>} [secondary_dns <ipaddress>]}

pptp username <user name>
pptp password <password>
pptp AccountName <account name>
pptp DomainName <domain name>
pptp connectivity_type {keepalive | idletimeout {pptp idle_time <seconds>}}
pptp my_address <ipaddress>
pptp server_address <ipaddress>
pptp get_dns_from_isp {Y | N {pptp primary_dns <ipaddress>} [pptp secondary_dns <ipaddress>]}
Mode: net-config [wan1-ipv4]
| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| isp_connection_type | STATIC, DHCPC, PPPoE, or PPTP, then Yes | Specifies the type of ISP connection. You can specify only one type of connection. STATIC: configure the keywords and parameters in the STATIC section of this table. DHCPC: configure the keywords and parameters in the DHCPC section of this table. PPPoE: configure the keywords and parameters in the PPPoE section of this table. PPTP: configure the keywords and parameters in the PPTP section of this table. You need to confirm your selection by typing Yes (that is, Yes, and not just Y). |
| isp_login_required | Y or N | Specifies whether or not your ISP requires login if the type of ISP connection is PPPoE or PPTP. |

Static

| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| static ip_address | ipaddress | The static IP address. |
| static subnet_mask | subnet mask | The subnet mask that is associated with the static IP address. |
| static gateway_address | ipaddress | The IP address of the ISP gateway. |
| static primary_dns | ipaddress | The IP address of the primary DNS server. |
| static secondary_dns | ipaddress | The IP address of the optional secondary DNS server. |

DHCPC (These keywords consist of two separate words)

| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| dhcpc account_name | account name | The ISP account name (alphanumeric string). |
| dhcpc domain_name | domain name | The ISP domain name (alphanumeric string). |
| dhcpc client_identifier | Y or N | Specifies whether or not the DHCP client-identifier option is sent to the ISP server. By default, the option is not sent. |
| dhcpc vendor_identifier | Y or N | Specifies whether or not the DHCP vendor-class-identifier option is sent to the ISP server. By default, the option is not sent. |
| dhcpc get_dns_from_isp | Y or N | Specifies whether or not the IP address is dynamically received from the ISP. If you select N, you need to issue the dhcpc primary_dns keyword and enter the IP address of the primary DNS server. For a secondary DNS server, issue the dhcpc secondary_dns keyword, and enter the IP address. |
| dhcpc primary_dns | ipaddress | The IP address of the primary DNS server if your IP address is not dynamically received from the ISP. |
| dhcpc secondary_dns | ipaddress | The IP address of the optional secondary DNS server if your IP address is not dynamically received from the ISP. |

PPPoE (These keywords consist of two separate words)

| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| pppoe username | user name | The user name (alphanumeric string) to log in to the PPPoE service, if required. |
| pppoe password | password | The password (alphanumeric string) to log in to the PPPoE service, if required. |
| pppoe AccountName | account name | The PPPoE account name (alphanumeric string). |
| pppoe DomainName | domain name | The PPPoE domain name (alphanumeric string). |
| pppoe connectivity_type | keepalive or idletimeout | The type of PPPoE connection. If you select idletimeout, you need to issue the idle_time keyword and enter the idle time-out in minutes. |
| pppoe idle_time | minutes | The idle time-out period in minutes, from 5 to 999 minutes. |
| pppoe connection_reset | Y or N | Specifies whether or not the PPPoE connection is automatically reset. If it is reset, you need to issue the reset_hour and reset_min keywords and enter the hour and minutes after which the connection is reset. You also need to issue the delay_in_reset keyword and enter the number of seconds of delay. |
| pppoe reset_hour | hour | The hour at which the PPPoE connection is reset. |
| pppoe reset_min | minutes | The minutes at which the PPPoE connection is reset. |
| pppoe delay_in_reset | seconds | After the connection has been reset, the number of seconds of delay before a PPPoE connection attempt is made. |
| pppoe get_ip_dynamically | Y or N | Specifies whether or not the IP address is dynamically received from the ISP. If it is not, you need to issue the static_ip keyword and enter the static IP address, and issue the subnet_mask keyword and enter the subnet mask. |
| pppoe static_ip | ipaddress | The static IP address if your IP address is not dynamically received from the ISP. |
| pppoe subnet_mask | subnet mask | The subnet mask if your IP address is not dynamically received from the ISP. |
| pppoe get_dns_from_isp | Y or N | Specifies whether or not the IP address is dynamically received from the ISP. If you select N, you need to issue the pppoe primary_dns keyword and enter the IP address of the primary DNS server. For a secondary DNS server, issue the pppoe secondary_dns keyword, and enter the IP address. |
| pppoe primary_dns | ipaddress | The IP address of the primary DNS server if your IP address is not dynamically received from the ISP. |
| pppoe secondary_dns | ipaddress | The IP address of the optional secondary DNS server if your IP address is not dynamically received from the ISP. |

PPTP (These keywords consist of two separate words)

| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| pptp username | user name | The user name (alphanumeric string) to log in to the PPTP service, if required. |
| pptp password | password | The password (alphanumeric string) to log in to the PPTP service, if required. |
| pptp AccountName | account name | The PPPoE account name (alphanumeric string). |
| pptp DomainName | domain name | The PPPoE domain name (alphanumeric string). |
| pptp connectivity_type | keepalive or idletimeout | The type of PPTP connection. If you select idletimeout, you need to issue the pptp idle_time keyword and enter the idle time-out period. |
| pptp idle_time | minutes | The idle time-out period in minutes (5 to 999), if the PPTP connection is configured for idle time-out. |
| pptp my_address | ipaddress | The IP address that was assigned by the ISP to make a connection with the ISP’s PPTP server. |
| pptp server_address | ipaddress | The IP address of the PPTP server. |
| pptp get_dns_from_isp | Y or N | Specifies whether or not the IP address is dynamically received from the ISP. If you select N, you need to issue the pptp primary_dns keyword and enter the IP address of the primary DNS server. For a secondary DNS server, issue the pptp secondary_dns keyword, and enter the IP address. |
| pptp primary_dns | ipaddress | The IP address of the primary DNS server if your IP address is not dynamically received from the ISP. |
| pptp secondary_dns | ipaddress | The IP address of the optional secondary DNS server if your IP address is not dynamically received from the ISP. |
Command example:
FVS318N> net wan wan1 ipv4 configure
net-config[wan1-ipv4]> isp_connection_type DHCPC
net-config[wan1-ipv4]> dhcpc client_identifier Y
net-config[wan1-ipv4]> dhcpc get_dns_from_isp N
net-config[wan1-ipv4]> dhcpc primary_dns 10.124.56.118
net-config[wan1-ipv4]> dhcpc secondary_dns 10.124.56.132
net-config[wan1-ipv4]> save
IPv6 WAN Commands
net wan wan1 ipv6 configure
This command configures the IPv6 settings of the WAN interface. After you have issued the net wan wan1 ipv6 configure command, you enter the net-config [wan1-ipv6] mode.
First, specify the ISP connection type (you can select only a single type). Then, for the selected ISP connection type, configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: net wan wan1 ipv6 configure
Mode: net

Step 2
Format:
isp type {static | dhcpc}
static ip_address <ipv6-address>
static prefix <prefix-length>
static gateway_address <ipv6-address>
static primary_dns <ipv6-address>
static secondary_dns <ipv6-address>
dhcpc stateless_mode_enable {StatelessAddrAutoConfig [prefix_delegation_enable {Y | N}] | StatefulAddrAutoConfig}
Mode: net-config [wan1-ipv6]

| Keyword (consists of two separate words) | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| isp type | static or dhcpc | The type of ISP connection. static: configure the keywords and parameters in the Static section of this table. dhcpc: configure the keywords and parameters in the DHCPC section of this table. |

Static

| Keyword (consists of two separate words) | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| static ip_address | ipv6-address | The IPv6 address of the WAN interface. |
| static prefix | prefix-length | The prefix length (integer) for the static address. |
| static gateway_address | ipv6-address | The IPv6 address of the gateway. |
| static primary_dns | ipv6-address | The IPv6 address of the primary DNS server. |
| static secondary_dns | ipv6-address | The IPv6 address of the secondary DNS server. |

DHCPC

| Keyword (consists of two separate words) | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| dhcpc stateless_mode_enable | StatelessAddrAutoConfig or StatefulAddrAutoConfig | The type of DHCPv6 mode (stateless or stateful). If you set the dhcpc stateless_mode_enable keywords to StatelessAddrAutoConfig, you have the option to set the dhcpc prefix_delegation_enable keywords and associated parameter. |
| dhcpc prefix_delegation_enable | Y or N | If the dhcpc stateless_mode_enable keywords are set to StatelessAddrAutoConfig, enables or disables prefix delegation. Prefix delegation allows the ISP’s stateful DHCPv6 server to assign a prefix. |
Command example:
FVS318N> net wan wan1 ipv6 configure
net-config[wan1-ipv6]> isp_connection_type DHCPC
net-config[wan1-ipv6]> isp type dhcpc
net-config[wan1-ipv6]> dhcpc stateless_mode_enable StatelessAddrAutoConfig
net-config[wan1-ipv6]> save
net ipv6 ipmode configure
This command configures the IP mode. After you have issued the net ipv6 ipmode configure command, you enter the net-config [mode] mode, and then you can configure the IP mode. You can select support for IPv4 only or for both IPv4 and IPv6.
WARNING! Changing the IP mode causes the wireless VPN firewall to reboot.

Step 1
Format: net ipv6 ipmode configure
Mode: net

Step 2
Format: ip_type {IPv4_Only | IPv4/IPv6}
Mode: net-config [mode]
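The save rule, the port_setup parameter constraints, and the two WARNING notices above (routing mode and IP mode) can be checked before a command script is pasted into the CLI. The following Python reviewer is an added example, not NETGEAR code; the function names, the colon-separated MAC notation, and the sample script are assumptions constructed for illustration.

```python
import re

# "Step 1" commands from the manual and the configuration mode each one enters.
ENTER = {
    "net wan port_setup configure": "port_setup",
    "net wan_settings wanmode configure": "routing-mode",
    "net ipv6 ipmode configure": "mode",
}
# mode -> (keyword that triggers it, side effect stated in the manual's WARNING)
DISRUPTIVE = {
    "routing-mode": ("type", "reverts all LAN-WAN and DMZ-WAN inbound "
                             "firewall settings to default settings"),
    "mode": ("ip_type", "reboots the wireless VPN firewall"),
}
PORT_SPEEDS = {"Auto_Sense"} | {
    f"{speed}_BaseT_{duplex}_Duplex"
    for speed in (10, 100, 1000) for duplex in ("Half", "Full")
}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")  # assumed notation
PROMPT_RE = re.compile(r"^\S*>\s*")  # "FVS318N> " or "net-config[...]> "


def check_port_setup(kv, ip_mode):
    """Apply the keyword rules documented for net-config [port_setup]."""
    out = []
    if kv.get("def_mtu") == "Custom":
        low = 68 if ip_mode == "IPv4_Only" else 1280  # 1280 in IPv4/IPv6 mode
        size = kv.get("mtu_size")
        if size is None:
            out.append("ERROR: def_mtu Custom needs mtu_size")
        elif not size.isdigit() or not low <= int(size) <= 1500:
            out.append(f"ERROR: mtu_size {size} outside {low}-1500 for {ip_mode}")
    speed = kv.get("port_speed")
    if speed is not None and speed not in PORT_SPEEDS:
        out.append(f"ERROR: unknown port_speed {speed}")
    if kv.get("mac_type") == "Use-This-Mac":
        mac = kv.get("mac_address")
        if mac is None or not MAC_RE.match(mac):
            out.append("ERROR: mac_type Use-This-Mac needs a valid mac_address")
    return out


def review(script, ip_mode="IPv4_Only"):
    """Return findings for a planned CLI script (one command per line)."""
    findings, mode, kv = [], None, {}
    for raw in script.strip().splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if not line:
            continue
        if mode is None:                 # top level: only tracked commands matter
            mode, kv = ENTER.get(line), {}
            continue
        if line in ("save", "cancel"):
            if line == "save":
                if mode == "port_setup":
                    findings += check_port_setup(kv, ip_mode)
                if mode in DISRUPTIVE and DISRUPTIVE[mode][0] in kv:
                    findings.append(f"WARN: saving [{mode}] {DISRUPTIVE[mode][1]}")
                if mode == "mode" and "ip_type" in kv:
                    ip_mode = kv["ip_type"]  # later MTU checks use the new mode
            mode = None
            continue
        if line in ENTER:                # new block opened before closing the old
            findings.append(f"ERROR: [{mode}] left without save or cancel")
            mode, kv = ENTER[line], {}
            continue
        key, _, value = line.partition(" ")
        kv[key] = value.strip()
    if mode is not None:
        findings.append(f"ERROR: [{mode}] left without save or cancel")
    return findings


# Constructed change script (not from the manual) with four problems in it.
SAMPLE = """
FVS318N> net wan port_setup configure
net-config[port_setup]> def_mtu Custom
net-config[port_setup]> mtu_size 1200
net-config[port_setup]> mac_type Use-This-Mac
net-config[port_setup]> save
FVS318N> net wan_settings wanmode configure
net-config[routing-mode]> type Classical_Routing
net-config[routing-mode]> save
FVS318N> net ipv6 ipmode configure
net-config[mode]> ip_type IPv4/IPv6
"""

if __name__ == "__main__":
    for finding in review(SAMPLE, ip_mode="IPv4/IPv6"):
        print(finding)
```

Pass the device's current IP mode as ip_mode, because the lower MTU bound depends on it.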
IPv6 Tunnel Commands
net ipv6_tunnel isatap add
This command configures a new ISATAP tunnel. After you have issued the net ipv6_tunnel isatap add command, you enter the net-config [isatap-tunnel] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Note: To be able to configure an ISATAP tunnel, you first need to set the IP

Step 1
Format: net ipv6_tunnel isatap add
Mode: net

Step 2
Format:
subnet_prefix <subnet prefix>
end_point_type {LAN | Other_IP {ipv4_address <address>}}
Mode: net-config [isatap-tunnel]

| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| subnet_prefix | subnet prefix | The IPv6 64-bit subnet prefix (string) that is assigned to the logical ISATAP subnet for this intranet. |
| end_point_type | LAN or Other_IP | The local endpoint IP address for the tunnel that is initiated on the wireless VPN firewall. The endpoint can be the LAN interface or a specific LAN IPv4 address. If you select Other_IP, you also need to issue the ipv4_address keyword to specify an IPv4 address. |
| ipv4_address | ipaddress | The IPv4 address of a local endpoint that is not a LAN IPv4 address. |
Command example:
FVS318N> net ipv6_tunnel isatap add
net-config[isatap-tunnel]> subnet_prefix FE80::DEFC
net-config[isatap-tunnel]> end_point_type Other_IP
net-config[isatap-tunnel]> ipv4_address 10.29.33.4
net-config[isatap-tunnel]> save
net ipv6_tunnel isatap edit <row id>
This command configures an existing ISATAP tunnel. After you have issued the net ipv6_tunnel isatap edit command to specify the row to be edited, you enter the net-config [isatap-tunnel] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.

Step 1
Format: net ipv6_tunnel isatap edit <row id>
Mode: net

Step 2
Format:
subnet_prefix <subnet prefix>
end_point_type {LAN | Other_IP {ipv4_address <address>}}
Mode: net-config [isatap-tunnel]

| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| subnet_prefix | subnet prefix | The IPv6 64-bit subnet prefix (string) that is assigned to the logical ISATAP subnet for this intranet. |
| end_point_type | LAN or Other_IP | The local endpoint IP address for the tunnel that is initiated on the wireless VPN firewall. The endpoint can be the LAN interface or a specific LAN IPv4 address. If you select Other_IP, you also need to issue the ipv4_address keyword to specify an IPv4 address. |
| ipv4_address | ipaddress | The IPv4 address of a local endpoint that is not a LAN IPv4 address. |
net ipv6_tunnel isatap delete <row id>
This command deletes an ISATAP tunnel by deleting its row ID.
Note: To be able to delete an ISATAP tunnel, you first need to set the IP mode to IPv4/IPv6 (see ).

Format: net ipv6_tunnel isatap delete <row id>
Mode: net
Related show commands:
net ipv6_tunnel six_to_four configure
This command enables or disables automatic tunneling, which allows traffic from an IPv6 LAN to be tunneled through an IPv4 WAN to reach an IPv6 network. After you have issued the net ipv6_tunnel six_to_four configure command, you enter the net-config [six-to-four-tunnel] mode, and then you can configure automatic tunneling.
Step 1
Format: net ipv6_tunnel six_to_four configure
Mode: net
Step 2
Format: automatic_tunneling_enable {Y | N}
Mode: net-config [six-to-four-tunnel]
Related show commands:
Dynamic DNS Commands
net ddns configure
This command enables, configures, or disables Dynamic DNS (DDNS) service. After you have issued the net ddns configure command, you enter the net-config [ddns] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: net ddns configure
Mode: net
Step 2
Format:
enable {Disable | DynDNS | TZO | DNS_Oray | 3322_DDNS}
hostname <host name>
username <user name>
password <password>
wild_flag_enable {Y | N}
time_update_enable {Y | N}
Mode: net-config [ddns]
Keyword | Associated Keyword to Select or Parameter to Type | Description
enable | Disable, DynDNS, TZO, DNS_Oray, or 3322_DDNS | Enables or disables DDNS. Use the Disable keyword to disable DDNS after you had first enabled the service. The other keywords represent DDNS service providers and are self-explanatory.
hostname | host name | Configures a host name (string) for a DDNS server.
username | user name | Configures a user name (string) for a DDNS server.
password | password | Configures a password (string) for a DDNS server.
wild_flag_enable | Y or N | Enables or disables the use of wildcards for DDNS.
time_update_enable | Y or N | Enables or disables the automatic update of the DDNS service after 30 days.
Command example:
FVS318N> net ddns configure
net-config[ddns]> enable DynDNS
net-config[ddns]> hostname adminnetgear.dyndns.org
net-config[ddns]> username jaybrown
net-config[ddns]> password 4hg!RA278s
net-config[ddns]> wild_flag_enable N
net-config[ddns]> time_update_enable Y
net-config[ddns]> save
Related show command:
IPv4 LAN Commands
net lan ipv4 configure <vlan id>
This command configures a new or existing VLAN, that is, a VLAN ID and a VLAN profile.
After you have issued the net lan ipv4 configure command to specify a new or existing VLAN ID, you enter the net-config [lan-ipv4] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: net lan ipv4 configure <vlan id>
Mode: net
Step 2
Format:
profile_name <name>
port_membership {[port 1 {Y | N}] | [port 2 {Y | N}] | [port 3 {Y | N}] | [port 4 {Y | N}] | [port 5 {Y | N}] | [port 6 {Y | N}] | [port 7 {Y | N}] | [port 8 {Y | N}]}
static address <ipaddress>
static subnet_mask <subnet mask>
dhcp mode {None | DHCP-Server | DHCP-Relay}
proxy dns_enable {Y | N}
dhcp domain_name <domain name>
dhcp start_address <ipaddress>
dhcp end_address <ipaddress>
dhcp primary_dns <ipaddress>
dhcp secondary_dns <ipaddress>
dhcp wins_server <ipaddress>
dhcp lease_time <hours>
enable_ldap {Y | N}
ldap_serverip <ipaddress>
ldap_search_base <search base>
ldap_port <number>
dhcp relay_gateway <ipaddress>
inter_vlan_routing {Y | N}
Mode: net-config [lan-ipv4]
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description
profile_name | name | The name of the VLAN profile.
port_membership port1, port_membership port2, port_membership port3, port_membership port4, port_membership port5, port_membership port6, port_membership port7, port_membership port8 | Y or N | Specifies the ports that should be members of the VLAN. You need to specify each port individually.
static address | ipaddress | The static IPv4 address for the VLAN.
static subnet_mask | subnet mask | The IPv4 subnet mask for the VLAN profile.
dhcp mode | None, DHCP-Server, or DHCP-Relay | Specifies the DHCP mode for the devices that are connected to the VLAN: • None. The DHCP server is disabled. No further DHCP configuration is required. • DHCP-Server. Configure the keywords and parameters in the DHCP server section of this table. • DHCP-Relay. Configure the keywords and parameters in the DHCP relay section of this table.
proxy dns_enable | Y or N | Enables or disables the LAN DNS proxy.
inter_vlan_routing | Y or N | Enables or disables inter-VLAN routing.
DHCP Server
dhcp domain_name | domain name | The FQDN or domain name of the DHCP server.
dhcp start_address | ipaddress | The start IP address for the DHCP address range.
dhcp end_address | ipaddress | The end IP address for the DHCP address range.
dhcp primary_dns | ipaddress | The IP address of the primary DNS server for the DHCP server.
dhcp secondary_dns | ipaddress | The IP address of the secondary DNS server for the DHCP server.
wins_server | ipaddress | The IP address of the WINS server for the DHCP server.
dhcp lease_time | hours | The DHCP lease time in hours.
enable_ldap | Y or N | Enables or disables LDAP.
ldap_serverip | ipaddress | The IP address of the LDAP server.
ldap_search_base | search base | The search base (string) for LDAP.
ldap_port | number | The port number for the LDAP server.
DHCP Relay
dhcp relay_gateway | ipaddress | The IP address of the DHCP relay gateway.
Command example:
FVS318N> net lan ipv4 configure 4
net-config[lan-ipv4]> profile_name Marketing
net-config[lan-ipv4]> port_membership port 1 Y
net-config[lan-ipv4]> port_membership port 4 Y
net-config[lan-ipv4]> port_membership port 5 Y
net-config[lan-ipv4]> static address 192.168.1.1
net-config[lan-ipv4]> static subnet_mask 255.255.255.0
net-config[lan-ipv4]> dhcp mode DHCP-Relay
net-config[lan-ipv4]> dhcp relay_gateway 10.172.214.198
net-config[lan-ipv4]> proxy dns_enable N
net-config[lan-ipv4]> inter_vlan_routing Y
net-config[lan-ipv4]> save
net lan ipv4 delete <vlan id>
This command deletes a VLAN by deleting its ID. You cannot delete VLAN 1, the default VLAN.
Format: net lan ipv4 delete <vlan id>
Mode: net
net lan ipv4 disable <vlan id>
This command disables a VLAN by specifying its ID. You cannot disable VLAN 1, the default VLAN.
Format: net lan ipv4 disable <vlan id>
Mode: net
net lan ipv4 enable <vlan id>
This command enables a VLAN by specifying its ID. VLAN 1, the default VLAN, is always enabled.
Format: net lan ipv4 enable <vlan id>
Mode: net
Related show command:
net ethernet configure <interface name or number>
This command configures a VLAN for a LAN interface. After you have issued the net ethernet configure command to specify a LAN interface, you enter net-config [ethernet] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: net ethernet configure <interface name or number>
Mode: net
Step 2
Format:
vlanid <number>
vlan-enable {Y | N}
native-vlan {Y | N}
Mode: net-config [ethernet]
Keyword | Associated Keyword to Select or Parameter to Type | Description
vlanid | number | The VLAN ID.
vlan-enable | Y or N | Enables or disables the VLAN for this interface.
native-vlan | Y or N | Enables or disables the default (native) VLAN for this interface.
Command example:
FVS318N> net ethernet configure eth0
net-config[ethernet]> vlanid 12
net-config[ethernet]> vlan-enable Y
net-config[ethernet]> native-vlan N
net-config[ethernet]> save
Note: To enter the net-config [ethernet] mode, you can issue the net ethernet configure command with either an interface name such as eth0 or an interface number such as 0.
Related show command:
show net ethernet {interface name | all}
net lan ipv4 default_vlan
This command configures the default VLAN for each port. After you have issued the net lan ipv4 default_vlan command, you enter the net-config [lan-ipv4-defvlan] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: net lan ipv4 default_vlan
Mode: net
Step 2
Format:
port1 <vlan name>
port2 <vlan name>
port3 <vlan name>
port4 <vlan name>
port5 <vlan name>
port6 <vlan name>
port7 <vlan name>
port8 <vlan name>
Mode: net-config [lan-ipv4-defvlan]
Keyword | Associated Parameter to Type | Description
port1, port2, port3, port4, port5, port6, port7, port8 | vlan name | Specifies the default VLAN name. You need to specify the name for each port individually.
Command example:
FVS318N> net lan ipv4 default_vlan
net-config[lan-ipv4-defvlan]> port1 Default
net-config[lan-ipv4-defvlan]> port2 Default
net-config[lan-ipv4-defvlan]> port3 Management
net-config[lan-ipv4-defvlan]> port4 Sales
net-config[lan-ipv4-defvlan]> port5 Marketing
net-config[lan-ipv4-defvlan]> port6 Sales
net-config[lan-ipv4-defvlan]> port7 Remote
net-config[lan-ipv4-defvlan]> port8 Default
net-config[lan-ipv4-defvlan]> save
Related show command:
net lan ipv4 advanced configure
This command configures advanced LAN settings such as the MAC address for VLANs and ARP broadcast. After you have issued the net lan ipv4 advanced configure command, you enter the net-config [lan-ipv4-adv] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: net lan ipv4 advanced configure
Mode: net
Step 2
Format:
vlan_mac_offset_type {Same | Unique}
enable_arp_broadcast {Y | N}
Mode: net-config [lan-ipv4-adv]
Keyword | Associated Keyword to Select | Description
vlan_mac_offset_type | Same or Unique | Specifies the MAC address for VLANs: • Same. All VLAN profiles use the same MAC address as the LAN ports. (All LAN ports share the same MAC address.) • Unique. Each VLAN (up to 16 VLANs) is assigned a unique MAC address.
enable_arp_broadcast | Y or N | Enables or disables ARP broadcast.
Command example:
FVS318N> net lan ipv4 advanced configure
net-config[lan-ipv4-adv]> vlan_mac_offset_type Same
net-config[lan-ipv4-adv]> enable_arp_broadcast Y
net-config[lan-ipv4-adv]> save
Related show command:
show net lan ipv4 advanced setup
net lan dhcp reserved_ip configure <mac address>
This command binds a MAC address to an IP address for DHCP reservation or lets you edit an existing binding. The command also assigns the device or computer to which the MAC address belongs to one of eight LAN groups. After you have issued the net lan dhcp reserved_ip configure command to configure the MAC address, you enter the net-config [dhcp-reserved-ip] mode, and then you can configure the IP address for the binding configuration.
Step 1
Format: net lan dhcp reserved_ip configure <mac address>
Mode: net
Step 2
Format:
ip_mac_name <device name>
ip_addr_type {Fixed_set_on_PC | Dhcp_Reserved_IP}
ip_address <ipaddress>
group_name {Group1 | Group2 | Group3 | Group4 | Group5 | Group6 | Group7 | Group8}
Mode: net-config [dhcp-reserved-ip]
Keyword | Associated Keyword to Select or Parameter to Type | Description
ip_mac_name | device name | The name of the computer or device.
ip_addr_type | Fixed_set_on_PC or Dhcp_Reserved_IP | The IP address type: • Fixed_set_on_PC. The IP address is statically assigned on the computer or device. • Dhcp_Reserved_IP. The DHCP server of the wireless VPN firewall always assigns the specified IP address to this client during the DHCP negotiation.
ip_address | ipaddress | The IP address that needs to be bound to the specified MAC address.
group_name | Group1, Group2, Group3, Group4, Group5, Group6, Group7, or Group8 | The group to which the computer or device needs to be assigned.
Note: You cannot enter group names that you have specified with the net lan lan_groups edit command.
Command example:
FVS318N> net lan dhcp reserved_ip configure AA:BB:CC:1A:2B:3C
net-config[dhcp-reserved-ip]> ip_addr_type Dhcp_Reserved_IP
net-config[dhcp-reserved-ip]> ip_address 192.168.27.219
net-config[dhcp-reserved-ip]> group_name Group3
net-config[dhcp-reserved-ip]> save
Related show commands:
show net lan dhcp reserved_ip setup
show net lan dhcp leased_clients list
net lan dhcp reserved_ip delete <mac address>
This command deletes the binding of a MAC address to an IP address.
Format: net lan dhcp reserved_ip delete <mac address>
Mode: net
Related show commands:
show net lan dhcp reserved_ip setup
show net lan dhcp leased_clients list
net lan lan_groups edit <row id> <new group name>
This command specifies an IPv4 LAN group name, that is, it changes a default group name such as Group1, Group2, or Group3. You need to specify both the row id that represents the group (for example, 2 for Group2 or 5 for Group5) and the new name for the group.
Format: net lan lan_groups edit <row id> <new group name>
Mode: net
Related show command:
net lan ipv4 multi_homing add
This command configures a new IPv4 alias, that is, a secondary IPv4 address. After you have issued the net lan ipv4 multi_homing add command, you enter the net-config [lan-ipv4-multihoming] mode, and then you can configure the secondary address and subnet mask in the order that you prefer.
Step 1
Format: net lan ipv4 multi_homing add
Mode: net
Step 2
Format:
ip_address <ipaddress>
subnet_mask <subnet mask>
Mode: net-config [lan-ipv4-multihoming]
Command example:
FVS318N> net lan ipv4 multi_homing add
net-config[lan-ipv4-multihoming]> ip_address 192.168.16.110
net-config[lan-ipv4-multihoming]> subnet_mask 255.255.255.248
net-config[lan-ipv4-multihoming]> save
net lan ipv4 multi_homing edit
This command configures an existing IPv4 alias, that is, a secondary IPv4 address. After you have issued the net lan ipv4 multi_homing edit command, you enter the net-config [lan-ipv4-multihoming] mode, and then you can configure the secondary address and subnet mask in the order that you prefer.
Step 1
Format: net lan ipv4 multi_homing edit
Mode: net
Step 2
Format:
ip_address <ipaddress>
subnet_mask <subnet mask>
Mode: net-config [lan-ipv4-multihoming]
net lan ipv4 multi_homing delete <row id>
This command deletes a secondary IPv4 address by specifying its row ID.
Format: net lan ipv4 multi_homing delete <row id>
Mode: net
IPv6 LAN Commands
net lan ipv6 configure
This command configures the IPv6 LAN address settings and DHCPv6. After you have issued the net lan ipv6 configure command, you enter the net-config [lan-ipv6] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: net lan ipv6 configure
Mode: net
Step 2
Format:
static address <ipv6-address>
static prefix_length <prefix length>
dhcp server_enable {N | Y {dhcp mode {Stateless | Stateful}}}
dhcp domain name <domain name>
dhcp server_preference <number>
dhcp dns_type {useDnsProxy | useDnsFromISP | useEnteredDns {dhcp primary_dns <ipv6-address>} [dhcp secondary_dns <ipv6-address>]}
dhcp rebind_time <seconds>
Mode: net-config [lan-ipv6]
Keyword (consists of two separate words) | Associated Keyword to Select or Parameter to Type | Description
static address | ipv6-address | The link-local IPv6 address.
static prefix_length | prefix length | The IPv6 prefix length (integer) of the link-local IPv6 address.
dhcp server_enable | Y or N | Specifies whether or not DHCPv6 is enabled. If you enable DHCPv6, you also need to issue the dhcp mode keyword and its associated keyword.
dhcp mode | Stateless or Stateful | The DHCPv6 mode (stateless or stateful).
dhcp domain_name | domain name | The server domain name (string) or FQDN for the DHCP server.
dhcp server_preference | number | The preference number (integer) of the DHCP server.
dhcp dns_type | useDnsProxy, useDnsFromISP, or useEnteredDns | The DNS server type. If you select useEnteredDns, you also need to issue the dhcp primary_dns keyword and associated parameter. The dhcp secondary_dns keyword and associated parameter are optional.
dhcp primary_dns | ipv6-address | The IPv6 address for the primary DNS server in the DHCP configuration.
dhcp secondary_dns | ipv6-address | The IPv6 address for the secondary DNS server in the DHCP configuration.
dhcp rebind_time | seconds | The lease time in seconds (integer), from 0 to 604800 seconds.
Command example:
FVS318N> net lan ipv6 configure
net-config[lan-ipv6]> static address fec0::3
net-config[lan-ipv6]> static prefix_length 64
net-config[lan-ipv6]> dhcp server_enable Y
net-config[lan-ipv6]> dhcp mode Stateless
net-config[lan-ipv6]> dhcp domain name netgear.com
net-config[lan-ipv6]> dhcp server_preference 236
net-config[lan-ipv6]> dhcp dns_type useDnsProxy
net-config[lan-ipv6]> dhcp rebind_time 43200
net-config[lan-ipv6]> save
net lan ipv6 pool configure
This command configures a new or existing IPv6 DHCP address pool. After you have issued the net lan ipv6 pool configure command, you enter the net-config [lan-ipv6-pool] mode, and then you can configure the IPv6 start and end addresses and the IPv6 prefix length for the IPv6 pool in the order that you prefer.
Step 1
Format: net lan ipv6 pool configure
Mode: net
Step 2
Format:
start_address <ipv6-address>
end_address <ipv6-address>
prefix_value <prefix length>
Mode: net-config [lan-ipv6-pool]
Command example:
FVS318N> net lan ipv6 pool configure
net-config[lan-ipv6-pool]> start_address 2001::1025
net-config[lan-ipv6-pool]> end_address 2001::1030
net-config[lan-ipv6-pool]> prefix_value 56
net-config[lan-ipv6-pool]> save
net lan ipv6 pool delete <start ipv6-address>
This command deletes an IPv6 DHCP address pool by deleting its start address.
Format: net lan ipv6 pool delete <start ipv6-address>
Mode: net
net lan ipv6 multi_homing add
This command configures a new IPv6 alias, that is, a secondary IPv6 address. After you have issued the net lan ipv6 multi_homing add command, you enter the net-config [lan-ipv6-multihoming] mode, and then you can configure the secondary address and IPv6 prefix length in the order that you prefer.
Step 1
Format: net lan ipv6 multi_homing add
Mode: net
Step 2
Format:
ip_address <ipv6-address>
prefix_length <prefix length>
Mode: net-config [lan-ipv6-multihoming]
Command example:
FVS318N> net lan ipv6 multi_homing add
net-config[lan-ipv6-multihoming]> ip_address 2002::1006
net-config[lan-ipv6-multihoming]> prefix_length 10
net-config[lan-ipv6-multihoming]> save
Related show command:
net lan ipv6 multi_homing edit
This command configures an existing IPv6 alias, that is, a secondary IPv6 address. After you have issued the net lan ipv6 multi_homing edit command, you enter the net-config [lan-ipv6-multihoming] mode, and then you can configure the secondary address and IPv6 prefix length in the order that you prefer.
Step 1
Format: net lan ipv6 multi_homing edit
Mode: net
Step 2
Format:
ip_address <ipv6-address>
prefix_length <prefix length>
Mode: net-config [lan-ipv6-multihoming]
Related show command:
net lan ipv6 multi_homing delete <row id>
This command deletes a secondary IPv6 address by specifying its row ID.
Format: net lan ipv6 multi_homing delete <row id>
Mode: net
net radvd configure lan
This command configures the Router Advertisement Daemon (RADVD) for the link-local advertisements of IPv6 router addresses and prefixes in the LAN. After you have issued the net radvd configure lan command, you enter the net-config [radvd] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: net radvd configure lan
Mode: net
Step 2
Format:
enable {Y | N}
mode {Unsolicited-Multicast | Unicast-Only}
interval <seconds>
flags {Managed | Other}
preference {Low | Medium | High}
mtu <number>
life_time <seconds>
Mode: net-config [radvd]
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description
enable | Y or N | Enables the RADVD process to allow stateless autoconfiguration of the IPv6 LAN.
mode | Unsolicited-Multicast or Unicast-Only | Sets the advertisement mode: • Unsolicited-Multicast. Allows unsolicited multicast and unicast communication with the hosts. Router advertisements (RAs) are sent to all interfaces at the rate that is defined by the interval keyword and parameter. • Unicast-Only. Responds to unicast packet requests only. No unsolicited packets are advertised.
interval | seconds | The interval in seconds (integer) between unsolicited multicast RAs. Enter a period from 10 to 1800 seconds. The default is 30 seconds.
flags | Managed or Other | Specifies the flag: • Managed. Specifies that the DHCPv6 stateful protocol is used for autoconfiguration of the address. • Other. Specifies that the DHCPv6 stateful protocol is used for autoconfiguration of other (that is, nonaddress) information.
preference | Low, Medium, or High | The wireless VPN firewall’s preference in relation to other hosts and routers in the LAN.
mtu | number | The MTU size (integer) that is used in the RAs to ensure that all nodes in the network use the same MTU size. The default is 1500 seconds.
life_time | seconds | The advertisement lifetime in seconds (integer) of the route. The default is 3600 seconds.
Command example:
FVS318N> net radvd configure lan
net-config[radvd]> enable Y
net-config[radvd]> mode Unsolicited-Multicast
net-config[radvd]> interval 60
net-config[radvd]> flags Managed
net-config[radvd]> preference Medium
net-config[radvd]> mtu 1496
net-config[radvd]> life_time 7200
net-config[radvd]> save
Related show command:
net radvd pool lan add
This command configures the IPv6 RADVD pool of advertisement prefixes for the LAN. After you have issued the net radvd pool lan add command, you enter the net-config [radvd-pool-lan] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: net radvd pool lan add
Mode: net
Step 2
Format:
prefix_type {6To4 {sla_id <ID number>} | Global-Local-ISATAP {prefix_address <ipv6-address>} {prefix_length <prefix length>}}
prefix_life_time <seconds>
Mode: net-config [radvd-pool-lan]
Keyword | Associated Keyword to Select or Parameter to Type | Description
prefix_type | 6To4 or Global-Local-ISATAP | The prefix type that specifies the type of communication between the interfaces: • 6To4. The prefix is for a 6to4 address. You need to issue the sla_id keyword and specify the interface ID. • Global-Local-ISATAP. The prefix is for a global, local, or ISATAP address. This needs to be a global prefix, not the site-local or link-local prefix. You need to issue the prefix_address and prefix_length keywords and associated parameters.
sla_id | ID number | The site-level aggregation identifier (SLA ID) (integer) in the 6to4 address prefix is the ID of the interface from which the advertisements are sent.
prefix_address | ipv6-address | The IPv6 address for a global, local, or ISATAP prefix.
prefix_length | prefix length | The IPv6 prefix length (integer) for a global, local, or ISATAP prefix. This is a decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address.
prefix_life_time | seconds | The period in seconds (integer) during which the requesting router is allowed to use the prefix.
Command example:
FVS318N> net radvd pool lan add
net-config[radvd-pool-lan]> prefix_type 6To4
net-config[radvd-pool-lan]> sla_id 67
net-config[radvd-pool-lan]> prefix_life_time 3600
net-config[radvd-pool-lan]> save
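The keyword tables in this chapter state several dependencies (for example, end_point_type Other_IP needs ipv4_address, dhcp mode DHCP-Relay needs dhcp relay_gateway, and prefix_type 6To4 needs sla_id) and value ranges. The following added example, which is not part of the NETGEAR manual, checks a pasted CLI session against those rules before the change is applied to the firewall. The session text is constructed, the names lint, parse_blocks, valid_mask, and the rule tables are this example's own, and the contiguous-mask check is a general IPv4 rule rather than something the manual states.

```python
import ipaddress
import re

# Constructed session in the manual's prompt format (not captured from a device).
SAMPLE_SESSION = """\
FVS318N> net lan ipv4 configure 4
net-config[lan-ipv4]> static address 192.168.1.1
net-config[lan-ipv4]> static subnet_mask 255.255.0.255
net-config[lan-ipv4]> dhcp mode DHCP-Relay
net-config[lan-ipv4]> save
FVS318N> net radvd configure lan
net-config[radvd]> enable Y
net-config[radvd]> interval 5
net-config[radvd]> save
FVS318N> net radvd pool lan add
net-config[radvd-pool-lan]> prefix_type 6To4
net-config[radvd-pool-lan]> prefix_life_time 3600
net-config[radvd-pool-lan]> save
"""

# (mode, keyword, selected value) -> keywords the keyword tables say must also be issued.
REQUIRES = {
    ("isatap-tunnel", "end_point_type", "Other_IP"): ["ipv4_address"],
    ("lan-ipv4", "dhcp mode", "DHCP-Relay"): ["dhcp relay_gateway"],
    ("lan-ipv6", "dhcp server_enable", "Y"): ["dhcp mode"],
    ("lan-ipv6", "dhcp dns_type", "useEnteredDns"): ["dhcp primary_dns"],
    ("radvd-pool-lan", "prefix_type", "6To4"): ["sla_id"],
    ("radvd-pool-lan", "prefix_type", "Global-Local-ISATAP"):
        ["prefix_address", "prefix_length"],
}
# (mode, keyword) -> inclusive integer range stated in the keyword tables.
RANGES = {
    ("radvd", "interval"): (10, 1800),
    ("lan-ipv6", "dhcp rebind_time"): (0, 604800),
}
# (mode, keyword) pairs whose value is an IPv4 subnet mask (general IPv4 rule, an assumption).
MASKS = [("lan-ipv4", "static subnet_mask"), ("lan-ipv4-multihoming", "subnet_mask")]
# First words of the keywords that consist of two separate words.
TWO_WORD = ("static", "dhcp", "proxy")
PROMPT = re.compile(r"^([\w-]+)\s?(?:\[([\w-]+)\])?>\s*(.+)$")


def valid_mask(text):
    """True for a dotted-quad mask whose one bits are contiguous from the left."""
    try:
        inverse = ~int(ipaddress.IPv4Address(text)) & 0xFFFFFFFF
    except ValueError:  # not an IPv4 dotted quad at all
        return False
    return (inverse & (inverse + 1)) == 0


def parse_blocks(session):
    """Group a session into one block per step 1 command typed at the top prompt."""
    blocks = []
    for raw in session.splitlines():
        match = PROMPT.match(raw.strip())
        if not match:
            continue
        mode, words = match.group(2), match.group(3).split()
        if mode is None:  # top-level prompt: a new step 1 command
            blocks.append({"entry": " ".join(words), "mode": None, "settings": {}})
        elif blocks and words != ["save"]:
            size = 2 if words[0] in TWO_WORD and len(words) > 2 else 1
            blocks[-1]["mode"] = mode
            blocks[-1]["settings"][" ".join(words[:size])] = " ".join(words[size:])
    return blocks


def lint(session):
    """Return (step 1 command, message) findings for every violated rule."""
    findings = []
    for block in parse_blocks(session):
        mode, settings, entry = block["mode"], block["settings"], block["entry"]
        for (rule_mode, keyword, choice), needed in REQUIRES.items():
            if rule_mode == mode and settings.get(keyword) == choice:
                for dependent in needed:
                    if dependent not in settings:
                        findings.append(
                            (entry, f"{keyword} {choice} requires {dependent}"))
        for (rule_mode, keyword), (low, high) in RANGES.items():
            value = settings.get(keyword)
            if rule_mode == mode and value is not None:
                if not value.isdecimal() or not low <= int(value) <= high:
                    findings.append((entry, f"{keyword} {value} outside {low}-{high}"))
        for rule_mode, keyword in MASKS:
            value = settings.get(keyword)
            if rule_mode == mode and value is not None and not valid_mask(value):
                findings.append((entry, f"{keyword} {value} is not a valid mask"))
    return findings


if __name__ == "__main__":
    for entry, message in lint(SAMPLE_SESSION):
        print(f"{entry}: {message}")
```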
net radvd pool lan edit <row id>
This command configures an existing IPv6 RADVD address pool for the LAN. After you have issued the net radvd pool lan edit command to specify the row to be edited, you enter the net-config [radvd-pool-lan] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: net radvd pool lan edit <row id>
Mode: net
Step 2
Format:
prefix_type {6To4 {sla_id <ID number>} | Global-Local-ISATAP {prefix_address <ipv6-address>} {prefix_length <prefix length>}}
prefix_life_time <seconds>
Mode: net-config [radvd-pool-lan]
Keyword | Associated Keyword to Select or Parameter to Type | Description
prefix_type | 6To4 or Global-Local-ISATAP | The prefix type that specifies the type of communication between the interfaces: • 6To4. The prefix is for a 6to4 address. You need to issue the sla_id keyword and specify the interface ID. • Global-Local-ISATAP. The prefix is for a global, local, or ISATAP address. This needs to be a global prefix, not the site-local or link-local prefix. You need to issue the prefix_address and prefix_length keywords and associated parameters.
sla_id | ID number | The site-level aggregation identifier (SLA ID) (integer) in the 6to4 address prefix is the ID of the interface from which the advertisements are sent.
prefix_address | ipv6-address | The IPv6 address for a global, local, or ISATAP prefix.
prefix_length | prefix length | The IPv6 prefix length (integer) for a global, local, or ISATAP prefix. This is a decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address.
prefix_life_time | seconds | The period in seconds (integer) during which the requesting router is allowed to use the prefix.
Related show command:
net radvd pool lan delete <row id>
This command deletes a RADVD pool for the LAN by deleting its row ID.
Format: net radvd pool lan delete <row id>
Mode: net
IPv4 DMZ Setup Commands
net dmz ipv4 configure
This command enables, configures, or disables the IPv4 DMZ. After you have issued the net dmz ipv4 configure command, you enter the net ipv4-config [dmz] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: net dmz ipv4 configure
Mode: net
Step 2
Format:
enable_dmz {Y | N}
ip_address <ipaddress>
subnet_mask <subnet mask>
dhcp_mode {None | DHCP-Server | DHCP-Relay}
dns_proxy_enable {Y | N}
domain_name <domain name>
starting_ip_address <ipaddress>
ending_ip_address <ipaddress>
primary_dns_server <ipaddress>
secondary_dns_server <ipaddress>
wins_server <ipaddress>
lease_time <hours>
enable_ldap {Y | N}
ldap_serverip <ipaddress>
ldap_search_base <search base>
ldap_port <number>
relay_gateway <ipaddress>
Mode: net-ipv4-config [dmz]
Keyword | Associated Keyword to Select or Parameter to Type | Description
enable_dmz | Y or N | Enables or disables the DMZ.
ip_address | ipaddress | The IP address of the DMZ port.
subnet_mask | subnet mask | The subnet mask of the DMZ port.
dhcp_mode | None, DHCP-Server, or DHCP-Relay | Specifies the DHCP mode: • None. DHCP is disabled for the DMZ. • DHCP-Server. DHCP is enabled for the DMZ. You can configure all keywords and parameters except the relay_gateway keyword and associated parameter. • DHCP-Relay. Addresses are assigned in the DMZ by a DHCP Relay. Configure the relay_gateway keyword and associated parameter.
dns_proxy_enable | Y or N | Enables or disables the DNS proxy.
DHCP server
domain_name | domain name | The server domain name (string) or FQDN for the DHCP server.
starting_ip_address | ipaddress | The start IP address for the DHCP address pool.
ending_ip_address | ipaddress | The end IP address for the DHCP address pool.
primary_dns_server | ipaddress | The IP address of the primary DNS server in the DMZ DHCP configuration.
secondary_dns_server | ipaddress | The IP address of the secondary DNS server in the DMZ DHCP configuration.
wins_server | ipaddress | The IP address of the WINS server in the DMZ DHCP configuration.
lease_time | hours | The duration in hours for which an IP address is leased.
enable_ldap | Y or N | Enables or disables LDAP.
ldap_serverip | ipaddress | The IP address of the LDAP server.
ldap_search_base | search base | The search base (string) for LDAP.
ldap_port | number | The port number for the LDAP server.
DHCP relay
relay_gateway | ipaddress | Set DHCP relay gateway server.
Command example:
FVS318N> net dmz ipv4 configure
net-ipv4-config[dmz]> enable_dmz Y
net-ipv4-config[dmz]> ip_address 10.126.32.59
net-ipv4-config[dmz]> subnet_mask 255.255.255.0
net-ipv4-config[dmz]> dhcp_mode None
net-ipv4-config[dmz]> dns_proxy_enable Y
net-ipv4-config[dmz]> save
IPv6 DMZ Setup Commands
net dmz ipv6 configure
This command enables, configures, or disables the IPv6 DMZ. After you have issued the net dmz ipv6 configure command, you enter the net ipv6-config [dmz] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: net dmz ipv6 configure
Mode: net
Step 2
Format:
enable_dmz {Y | N}
ip_address <ipv6-address>
prefix_length <prefix length>
dhcp_enable {N | Y {dhcp_mode {Stateless | Stateful}}}
domain name <domain-name>
server_preference <number>
dns_server_option {useDnsProxy | useDnsFromISP | useEnteredDns {primary_dns_server <ipv6-address>} [secondary_dns_server <ipv6-address>]}
lease_time <seconds>
Mode: net-ipv6-config [dmz]
Keyword | Associated Keyword to Select or Parameter to Type | Description
enable_dmz | Y or N | Enables or disables the DMZ.
ip_address | ipv6-address | The IPv6 address of the DMZ port.
prefix_length | prefix length | The prefix length (integer) for the DMZ port.
DHCPv6 server
dhcp_enable | Y or N | Enables or disables DHCP server for the DMZ.
dhcp_mode | Stateless or Stateful | The DHCPv6 mode (Stateless or Stateful).
domain_name | domain name | The server domain name (string) for the DHCP server.
server_preference | number | The preference number (integer) of the DHCP server.
dns_server_option | useDnsProxy, useDnsFromISP, or useEnteredDns | The DNS server type. If you select useEnteredDns, you also need to issue the primary_dns_server keyword and associated parameter. The secondary_dns_server keyword and associated parameter are optional.
primary_dns_server | ipv6-address | The IPv6 address for the primary DNS server in the DMZ configuration.
secondary_dns_server | ipv6-address | The IPv6 address of the secondary DNS server in the DMZ configuration.
lease_time | seconds | The duration in seconds for which an IP address is leased.
Command example:
FVS318N> net dmz ipv6 configure
net-ipv6-config[dmz]> enable_dmz Y
net-ipv6-config[dmz]> ip_address 2001:176::1
net-ipv6-config[dmz]> prefix_length 64
net-ipv6-config[dmz]> dhcp_enable Y
net-ipv6-config[dmz]> dhcp_mode Stateful
net-ipv6-config[dmz]> domain_name netgear.com
net-ipv6-config[dmz]> server_preference 210
net-ipv6-config[dmz]> dns_server_option useDnsProxy
net-ipv6-config[dmz]> lease_time 43200
net-ipv6-config[dmz]> save
Related show command:
net dmz ipv6 pool configure
This command configures a new or existing IPv6 DMZ address pool. After you have issued the net lan ipv6 pool configure command, you enter the net ipv6-config-pool [dmz] mode, and then you can configure the IPv6 start and end addresses and the IPv6 prefix length for the IPv6 pool in the order that you prefer.
Step 1 Format
net dmz ipv6 pool configure
Mode
net
Step 2 Format
starting_ip_address <ipv6-address>
ending_ip_address <ipv6-address>
prefix_value <prefix length>
Mode
net ipv6-config-pool [dmz]
Command example:
FVS318N> net dmz ipv6 pool configure
net-ipv6-config-pool[dmz]> starting_ip_address 2001::1100
net-ipv6-config-pool[dmz]> ending_ip_address 2001::1120
net-ipv6-config-pool[dmz]> prefix_value 56
net-ipv6-config-pool[dmz]> save
net radvd configure dmz
This command configures the Router Advertisement Daemon (RADVD) process for the link-local advertisements of IPv6 router addresses and prefixes in the DMZ. After you have issued the net radvd configure dmz command, you enter the net-config [radvd] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format
net radvd configure dmz
Mode
net
Step 2 Format
enable {Y | N}
mode {Unsolicited-Multicast | Unicast-Only}
interval <seconds>
flags {Managed | Other}
preference {Low | Medium | High}
mtu <number>
lifetime <seconds>
Mode
net-config [radvd]
| Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| enable | Y or N | Enables the RADVD process to allow stateless autoconfiguration of the IPv6 DMZ. |
| mode | Unsolicited-Multicast or Unicast-Only | Sets the advertisement mode: • Unsolicited-Multicast. Allows unsolicited multicast and unicast communication with the hosts. Router advertisements (RAs) are sent to all interfaces at the rate that is defined by the interval keyword and associated parameter. • Unicast-Only. Responds to unicast packet requests only. No unsolicited packets are advertised. |
| interval | seconds | The interval in seconds (integer) between unsolicited multicast RAs. Enter a period from 10 to 1800 seconds. The default is 30 seconds. |
| flags | Managed or Other | The flag: • Managed. Specifies that the DHCPv6 stateful protocol is used for autoconfiguration of the address. • Other. Specifies that the DHCPv6 stateful protocol is used for autoconfiguration of other (that is, nonaddress) information. |
| preference | Low, Medium, or High | The wireless VPN firewall’s preference in relation to other hosts and routers in the DMZ. |
| mtu | number | The MTU size (integer) that is used in the RAs to ensure that all nodes in the network use the same MTU size. The default is 1500 seconds. |
| life_time | seconds | The advertisement lifetime in seconds (integer) of the route. The default is 3600 seconds. |
Command example:
FVS318N> net radvd configure dmz
net-config[radvd]> enable Y
net-config[radvd]> mode Unicast-Only
net-config[radvd]> flags Managed
net-config[radvd]> preference High
net-config[radvd]> mtu 1500
net-config[radvd]> life_time 7200
net-config[radvd]> save
Related show command:
net radvd pool dmz add
This command configures the IPv6 RADVD pool of advertisement prefixes for the DMZ. After you have issued the net radvd pool dmz add command, you enter the net-config [radvd-pool-dmz] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format
net radvd pool dmz add
Mode
net
Step 2 Format
prefix_type {6To4 {sla_id <ID number>} | Global-Local-ISATAP
{prefix_address <ipv6-address>} {prefix_length
<prefix length>}}
prefix_life_time <seconds>
Mode
net-config [radvd-pool-dmz]
| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| prefix_type | 6To4 or Global-Local-ISATAP | The prefix type that specifies the type of communication between the interfaces: • 6To4. The prefix is for a 6to4 address. You need to issue the sla_id keyword and specify the interface ID. • Global-Local-ISATAP. The prefix is for a global, local, or ISATAP address. This needs to be a global prefix, not the site-local or link-local prefix. You need to issue the prefix_address and prefix_length keywords and associated parameters. |
| sla_id | ID number | The site-level aggregation identifier (SLA ID) (integer) in the 6to4 address prefix is the ID of the interface from which the advertisements are sent. |
| prefix_address | ipv6-address | The IPv6 address for a global, local, or ISATAP prefix. |
| prefix_length | prefix length | The IPv6 prefix length (integer) for a global, local, or ISATAP prefix. This is a decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address. |
| prefix_life_time | seconds | The period in seconds (integer) during which the requesting router is allowed to use the prefix. |
Command example:
FVS318N> net radvd pool dmz add
net-config[radvd-pool-dmz]> prefix_type Global-Local-ISATAP
net-config[radvd-pool-dmz]> prefix_address 2002:3a2b
net-config[radvd-pool-dmz]> prefix_length 64
net-config[radvd-pool-dmz]> prefix_life_time 3600
net-config[radvd-pool-dmz]> save
net radvd pool dmz edit <row id>
This command configures an existing IPv6 RADVD address pool for the DMZ. After you have issued the net radvd pool dmz edit command to specify the row to be edited, you enter the net-config [radvd-pool-dmz] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format
net radvd pool dmz edit <row id>
Mode
net
Step 2 Format
prefix_type {6To4 {sla_id <ID number>} | Global-Local-ISATAP
{prefix_address <ipv6-address>} {prefix_length
<prefix length>}}
prefix_life_time <seconds>
Mode
net-config [radvd-pool-dmz]
| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| prefix_type | 6To4 or Global-Local-ISATAP | The prefix type that specifies the type of communication between the interfaces: • 6To4. The prefix is for a 6to4 address. You need to issue the sla_id keyword and specify the interface ID. • Global-Local-ISATAP. The prefix is for a global, local, or ISATAP address. This needs to be a global prefix, not the site-local or link-local prefix. You need to issue the prefix_address and prefix_length keywords and associated parameters. |
| sla_id | ID number | The site-level aggregation identifier (SLA ID) (integer) in the 6to4 address prefix is the ID of the interface from which the advertisements are sent. |
| prefix_address | ipv6-address | The IPv6 address for a global, local, or ISATAP prefix. |
| prefix_length | prefix length | The IPv6 prefix length (integer) for a global, local, or ISATAP prefix. This is a decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address. |
| prefix_life_time | seconds | The period in seconds (integer) during which the requesting router is allowed to use the prefix. |
Related show command:
net radvd pool dmz delete <row id>
This command deletes a RADVD pool for the DMZ by deleting its row ID.
Format
net radvd pool dmz delete <row id>
Mode
net
Related show command:
IPv4 Routing Commands
net routing static ipv4 configure <route name>
This command configures an IPv4 static route. After you have issued the net routing static ipv4 configure command to specify the name of the new route, you enter the net-config [static-routing-ipv4] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format
net routing static ipv4 configure <route name>
Mode
net
Step 2 Format
active_flag {Y | N}
private_flag {Y | N}
destination_address <ipaddress>
subnet_mask <subnet mask>
interface {custom_vlan <VLAN name> | dmz | lan | wan}
gateway_address <ipaddress>
metric <number>
Mode
net-config [static-routing-ipv4]
| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| active_flag | Y or N | Specifies whether or not the route is an active route. |
| private_flag | Y or N | Specifies whether or not the route can be shared with other gateways when RIP is enabled. |
| destination_address | ipaddress | The destination IP address. |
| subnet_mask | subnet mask | The destination subnet mask. |
| interface | custom_vlan <VLAN name>, dmz, lan, or wan | The interface for which the route is applied. The DMZ, LAN, and WAN interfaces are self-explanatory. If you select the custom_vlan keyword, you also need to specify the VLAN name. |
| gateway_address | ipaddress | The gateway IP address. |
| metric | number | The metric (integer) for this route. The number can be from 2 to 15. |
Command example:
FVS318N> net routing static ipv4 configure Orly
net-config[static-routing-ipv4]> active_flag Y
net-config[static-routing-ipv4]> private_flag Y
net-config[static-routing-ipv4]> destination_address 10.118.215.178
net-config[static-routing-ipv4]> subnet_mask 255.255.255.0
net-config[static-routing-ipv4]> interface wan
net-config[static-routing-ipv4]> gateway_address 10.192.44.13
net-config[static-routing-ipv4]> metric 7
net-config[static-routing-ipv4]> save
Related show command:
show net routing static ipv4 setup
net routing static ipv4 delete <route name>
This command deletes a static IPv4 route by deleting its name.
Format
net routing static ipv4 delete <route name>
Mode
net
Related show command:
show net routing static ipv4 setup
net routing static ipv4 delete_all
This command deletes all static IPv4 routes.
Format
net routing static ipv4 delete_all
Mode
net
Related show command:
show net routing static ipv4 setup
net routing dynamic configure
This command configures RIP and the associated MD5 key information. After you have issued the net routing dynamic configure command, you enter the net-config [dynamic-routing] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format
net routing dynamic configure
Mode
net
Step 2 Format
authentication_enable {Y | N}
direction {None | In-only | Out-only | Both}
version {Disabled | Rip1 | Rip2B | Rip2M}
first_key authentication_id <authentication key>
first_key id_number <number>
first_key valid_from {day <day>}
first_key valid_from {month <month>}
first_key valid_from {year <year>}}
first_key valid_from {hour <hour> |
first_key valid_from {minute <minute>}
first_key valid_from {second <second>}
first_key valid_to {day <day>}
first_key valid_to {month <month>}
first_key valid_to {year <year>}}
first_key valid_to {hour <hour> |
first_key valid_to {minute <minute>}
first_key valid_to {second <second>}
second_key authentication_id <authentication key>
second_key id_number <number>
second_key valid_from {day <day>}
second_key valid_from {month <month>}
second_key valid_from {year <year>}}
second_key valid_from {hour <hour> |
second_key valid_from {minute <minute>}
second_key valid_from {second <second>}
second_key valid_to {day <day>}
second_key valid_to {month <month>}
second_key valid_to {year <year>}}
second_key valid_to {hour <hour> |
second_key valid_to {minute <minute>}
second_key valid_to {second <second>}
Mode
net-config [dynamic-routing]
| Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| General | | |
| authentication_enable | Y or N | Enables or disables authentication for RIP-2B or RIP-2M. |
| direction | None, In-only, Out-only, or Both | The RIP direction. |
| version | Disabled, Rip1, Rip2B, or Rip2M | The RIP version. |
| First key | | |
| first_key authentication_id | authentication key | The first MD5 authentication key (alphanumeric string). |
| first_key id_number | number | The first MD5 key ID (integer). |
| first_key valid_from | | The day and time on which the validity of the first MD5 authentication key starts. |
| first_key valid_from day | day | The day in the format DD (01 to 31). |
| first_key valid_from month | month | The month in the format MM (01 to 12). |
| first_key valid_from year | year | The year in the format YYYY (1970 to 2037). |
| first_key valid_from hour | hour | The hour in the 24-hour format HH (00 to 23). |
| first_key valid_from minute | minute | The minute in the format MM (00 to 59). |
| first_key valid_from second | second | The second in the format SS (00 to 59). |
| first_key valid_to | | The day and time on which the validity of the first MD5 authentication key expires. |
| first_key valid_to day | day | The day in the format DD (01 to 31). |
| first_key valid_to month | month | The month in the format MM (01 to 12). |
| first_key valid_to year | year | The year in the format YYYY (1970 to 2037). |
| first_key valid_to hour | hour | The hour in the 24-hour format HH (00 to 23). |
| first_key valid_to minute | minute | The minute in the format MM (00 to 59). |
| first_key valid_to second | second | The second in the format SS (00 to 59). |
| Second key | | Note: The keywords and parameters for the second key follow the same format as those for the first key. |
Command example:
FVS318N> net routing dynamic configure
net-config[dynamic-routing]> authentication_enable Y
net-config[dynamic-routing]> direction Both
net-config[dynamic-routing]> version Rip2M
net-config[dynamic-routing]> first_key authentication_id 2rt!00jkl26ll7Oo0
net-config[dynamic-routing]> first_key id_number 1
net-config[dynamic-routing]> first_key valid_from day 01
net-config[dynamic-routing]> first_key valid_from month 12
net-config[dynamic-routing]> first_key valid_from year 2011
net-config[dynamic-routing]> first_key valid_from hour 07
net-config[dynamic-routing]> first_key valid_from minute 00
net-config[dynamic-routing]> first_key valid_from second 00
net-config[dynamic-routing]> first_key valid_to day 31
net-config[dynamic-routing]> first_key valid_to month 12
net-config[dynamic-routing]> first_key valid_to year 2011
net-config[dynamic-routing]> first_key valid_to hour 23
net-config[dynamic-routing]> first_key valid_to minute 59
net-config[dynamic-routing]> first_key valid_to second 59
net-config[dynamic-routing]> second_key authentication_id 3gry!!99OoiI
net-config[dynamic-routing]> second_key id_number 2
net-config[dynamic-routing]> second_key valid_from day 31
net-config[dynamic-routing]> second_key valid_from month 12
net-config[dynamic-routing]> second_key valid_from year 2011
net-config[dynamic-routing]> second_key valid_from hour 24
net-config[dynamic-routing]> second_key valid_from minute 00
net-config[dynamic-routing]> second_key valid_from second 00
net-config[dynamic-routing]> second_key valid_to day 31
net-config[dynamic-routing]> second_key valid_to month 03
net-config[dynamic-routing]> second_key valid_to year 2012
net-config[dynamic-routing]> second_key valid_to hour 23
net-config[dynamic-routing]> second_key valid_to minute 59
net-config[dynamic-routing]> second_key valid_to second 59
net-config[dynamic-routing]> save
show net routing dynamic setup
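The two RIP MD5 keys are meant to hand over from one validity window to the next, so it is worth checking the windows before saving them. The following Python check is an added example, not part of the NETGEAR manual or firmware: it applies the field ranges from the keyword table to the validity lines of the command example (prompt stripped) and reports any interval in which neither key is within its validity period. The function names are hypothetical; run on the manual's own values it reports that second_key valid_from hour 24 is outside the documented 00 to 23 range.

```python
from datetime import datetime

# Field ranges from the first_key/second_key rows of the keyword table.
RANGES = {"day": (1, 31), "month": (1, 12), "year": (1970, 2037),
          "hour": (0, 23), "minute": (0, 59), "second": (0, 59)}

# Validity lines taken from the manual's command example, CLI prompt stripped.
MANUAL_EXAMPLE = """\
first_key valid_from day 01
first_key valid_from month 12
first_key valid_from year 2011
first_key valid_from hour 07
first_key valid_from minute 00
first_key valid_from second 00
first_key valid_to day 31
first_key valid_to month 12
first_key valid_to year 2011
first_key valid_to hour 23
first_key valid_to minute 59
first_key valid_to second 59
second_key valid_from day 31
second_key valid_from month 12
second_key valid_from year 2011
second_key valid_from hour 24
second_key valid_from minute 00
second_key valid_from second 00
second_key valid_to day 31
second_key valid_to month 03
second_key valid_to year 2012
second_key valid_to hour 23
second_key valid_to minute 59
second_key valid_to second 59
"""


def parse_windows(text):
    """Return {key: {bound: {field: int}}} from '<key> <bound> <field> <value>' lines."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) == 4 and parts[1] in ("valid_from", "valid_to")
                and parts[2] in RANGES and parts[3].isdigit()):
            key, bound, field, value = parts
            keys.setdefault(key, {}).setdefault(bound, {})[field] = int(value)
    return keys


def to_datetime(fields, label, problems):
    """Range-check every field against RANGES, then build a datetime (or None)."""
    ok = True
    for name, (low, high) in RANGES.items():
        if name not in fields:
            problems.append(f"{label}: {name} is missing")
            ok = False
        elif not low <= fields[name] <= high:
            problems.append(f"{label}: {name} {fields[name]} is outside {low}-{high}")
            ok = False
    if not ok:
        return None
    try:
        return datetime(fields["year"], fields["month"], fields["day"],
                        fields["hour"], fields["minute"], fields["second"])
    except ValueError as exc:  # each field in range but not a real date, e.g. 31 February
        problems.append(f"{label}: {exc}")
        return None


def check_rollover(text):
    """List problems with the two key windows; an empty list means none were found."""
    problems, windows = [], {}
    keys = parse_windows(text)
    for key in ("first_key", "second_key"):
        bounds = keys.get(key, {})
        start = to_datetime(bounds.get("valid_from", {}), f"{key} valid_from", problems)
        end = to_datetime(bounds.get("valid_to", {}), f"{key} valid_to", problems)
        if start and end:
            if end <= start:
                problems.append(f"{key}: valid_to is not later than valid_from")
            windows[key] = (start, end)
    if len(windows) == 2:
        # Both bounds are inclusive seconds, so a 1-second step is contiguous.
        gap = (windows["second_key"][0] - windows["first_key"][1]).total_seconds()
        if gap > 1:
            problems.append(f"no key is valid for {int(gap) - 1} s between "
                            "first_key expiry and second_key start")
    return problems


if __name__ == "__main__":
    for problem in check_rollover(MANUAL_EXAMPLE):
        print(problem)
```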
IPv6 Routing Commands
net routing static ipv6 configure <route name>
This command configures an IPv6 static route. After you have issued the net routing static ipv6 configure command to specify the name of the new route, you enter the net-config [static-routing-ipv6] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format
net routing static ipv6 configure <route name>
Mode
net
Step 2 Format
active_flag {Y | N}
destination_address <ipv6-address>
prefix <prefix length>
gateway_address <ipv6-address>
interface {Dedicated-WAN | LAN | Sit0-WAN1}
metric <number>
Mode
net-config [static-routing-ipv6]
| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| active_flag | Y or N | Specifies whether or not the route is an active route. |
| destination_address | ipv6-address | The destination IP address. |
| prefix | prefix length | The IPv6 prefix length (integer). This is a decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address. |
| interface | Dedicated-WAN, LAN, or Sit0-WAN1 | The physical or virtual network interface through which the route is accessible: • Dedicated-WAN. The dedicated WAN interface. • LAN. A LAN interface. • Sit0-WAN1. The 6to4-WAN interface. |
| gateway_address | ipv6-address | The gateway IP address. |
| metric | number | The metric (integer) for this route. The number can be from 2 to 15. |
Command example:
FVS318N> net routing static ipv6 configure SFO2
net-config[static-routing-ipv6]> active_flag Y
net-config[static-routing-ipv6]> destination_address 2002:201b:24e2::1001
net-config[static-routing-ipv6]> prefix 64
net-config[static-routing-ipv6]> interface Dedicated-WAN
net-config[static-routing-ipv6]> gateway_address FE80::2001:5efe:ab23
net-config[static-routing-ipv6]> metric 2
net-config[static-routing-ipv6]> save
Related show command:
show net routing static ipv6 setup
net routing static ipv6 delete <route name>
This command deletes a static IPv6 route by deleting its name.
Format
net routing static ipv6 delete <route name>
Mode
net
show net routing static ipv6 setup
net routing static ipv6 delete_all
This command deletes all static IPv6 routes.
Format
net routing static ipv6 delete_all
Mode
net
show net routing static ipv6 setup
4. Security Mode Configuration Commands
This chapter explains the configuration commands, keywords, and associated parameters in the security mode. The chapter includes the following sections:
• IPv4 Add Firewall Rule and Edit Firewall Rule Commands
• IPv4 General Firewall Commands
• Session Limit, Time-Out, and Advanced Commands
• Address Filter and IP/MAC Binding Commands
IMPORTANT: After you have issued a command that includes the word configure, add, or edit, you need to save (or cancel) your changes. For more information, see on page 13.
Security Services Commands
security services add
This command configures a new firewall custom service. After you have issued the security services add command, you enter the security-config [custom-service] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format
security services add
Mode
security
Step 2 Format
name <service name>
protocol {TCP {start_port <number>} {finish_port <number>} |
UDP {start_port <number>} {finish_port <number>} |
ICMP {icmp_type <number>} | ICMPv6 {icmp_type <number>}}
qos_priority {Normal-Service | Minimize-Cost |
Maximize-Reliability | Maximize-Throughput | Minimize-Delay}
Mode
security-config [custom-service]
| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| name | service name | Name (string) of the service. |
| protocol | TCP, UDP, ICMP, or ICMPv6 | The protocol type that applies to the service. |
| start_port | number | For TCP and UDP, the start port number (integer) of the range used by the destination user. Valid numbers are from 0 to 65535. |
| finish_port | number | For TCP and UDP, the end port number (integer) of the range used by the destination user. Valid numbers are from 0 to 65535. |
| icmp_type | number | The port number (integer) used by the destination user. |
| qos_priority | Normal-Service, Minimize-Cost, Maximize-Reliability, Maximize-Throughput, or Minimize-Delay | The type of QoS that applies to the service. The keywords are self-explanatory. |
Command example:
FVS318N> security services add
security-config[custom-service]> name Traceroute
security-config[custom-service]> protocol ICMP
security-config[custom-service]> icmp_type 20
security-config[custom-service]> qos_priority Minimize-Delay
security-config[custom-service]> save
security services edit <row id>
This command configures an existing firewall custom service. After you have issued the security services edit command to specify the row to be edited, you enter the security-config [custom-service] mode, and then you can edit the service.
Step 1 Format
security services edit <row id>
Mode
security
Step 2 Format
name <service name>
protocol {TCP {start_port <number>} {finish_port <number>} |
UDP {start_port <number>} {finish_port <number>} |
ICMP {icmp_type <number>} | ICMPv6 {icmp_type <number>}}
qos_priority {Normal-Service | Minimize-Cost |
Maximize-Reliability | Maximize-Throughput | Minimize-Delay}
Mode
security-config [custom-service]
| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| name | service name | Name (string) of the service. |
| protocol | TCP, UDP, ICMP, or ICMPv6 | The protocol type that applies to the service. |
| start_port | number | For TCP and UDP, the start port number (integer) of the range used by the destination user. Valid numbers are from 0 to 65535. |
| finish_port | number | For TCP and UDP, the end port number (integer) of the range used by the destination user. Valid numbers are from 0 to 65535. |
| icmp_type | number | The port number (integer) used by the destination user. |
| qos_priority | Normal-Service, Minimize-Cost, Maximize-Reliability, Maximize-Throughput, or Minimize-Delay | The type of QoS that applies to the service. The keywords are self-explanatory. |
Related show command:
security services delete <row id>
This command deletes a custom security service by deleting its row ID.
Format
security services delete <row id>
Mode
security
Security Schedules Commands
security schedules edit <1 | 2 | 3>
This command configures one of the three security schedules. After you have issued the security schedule edit command to specify the row (that is, the schedule: 1, 2, or 3) to be edited, you enter the security-config [schedules] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format
security schedules edit
Mode
security
Step 2 Format
days {all {Y | N {[days sunday {Y | N}] [days monday {Y | N}]
[days tuesday {Y | N}] [days wednesday {Y | N}] [days thursday
{Y | N}] [days friday {Y | N}] [days saturday {Y | N}]}}}
time_of_day {all_enable {Y | N {time_of_day start hours <hour>}
{time_of_day start mins <minute>} {time_of_day start meridiem
{AM | PM}} {time_of_day end hours <hour>} {time_of_day end
mins <minute>} {time_of_day end meridiem {AM | PM}}}}
Mode
security-config [schedules]
| Keyword (consists of two separate words) | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| days all | Y or N | Specifies whether or not the schedule is active on all days. |
| days sunday | Y or N | Specifies whether or not the schedule is active on Sundays. |
| days monday | Y or N | Specifies whether or not the schedule is active on Mondays. |
| days tuesday | Y or N | Specifies whether or not the schedule is active on Tuesdays. |
| days wednesday | Y or N | Specifies whether or not the schedule is active on Wednesdays. |
| days thursday | Y or N | Specifies whether or not the schedule is active on Thursdays. |
| days friday | Y or N | Specifies whether or not the schedule is active on Fridays. |
| days saturday | Y or N | Specifies whether or not the schedule is active on Saturdays. |
| time_of_day all_enable | Y or N | Specifies whether or not the schedule is active all day. |
| time_of_day start hours | hour | The schedule starts at the specified hour in the 12-hour format HH (00 to 12). |
| time_of_day start mins | minute | The schedule starts at the specified minute in the format MM (00 to 59). |
| time_of_day start meridiem | AM or PM | The meridiem for the start time. |
| time_of_day end hours | hour | The schedule ends at the specified hour in the 12-hour format HH (00 to 12). |
| time_of_day end mins | minute | The schedule ends at the specified minute in the format MM (00 to 59). |
| time_of_day end meridiem | AM or PM | Specifies the meridiem for the end time. |
Command example:
FVS318N> security schedule edit 1
security-config[schedules]> days monday Y
security-config[schedules]> days tuesday Y
security-config[schedules]> days wednesday Y
security-config[schedules]> days thursday Y
security-config[schedules]> days friday Y
security-config[schedules]> time_of_day start hours 07
security-config[schedules]> time_of_day start mins 30
security-config[schedules]> time_of_day start meridiem AM
security-config[schedules]> time_of_day end hours 08
security-config[schedules]> time_of_day end mins 00
security-config[schedules]> time_of_day end meridiem PM
security-config[schedules]> save
Related show command:
IPv4 Add Firewall Rule and Edit Firewall Rule Commands
security firewall ipv4 add_rule lan_wan outbound
This command configures a new IPv4 LAN WAN outbound firewall rule. After you have issued the security firewall ipv4 add_rule lan_wan outbound command, you enter the security-config [firewall-ipv4-lan-wan-outbound] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.
Step 1 Format
security firewall ipv4 add_rule lan_wan outbound
Mode
security
Step 2 Format
service_name {default_services <default service name> |
{custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW |
BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 |
Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK
{schedule {Schedule1 | Schedule2 | Schedule3}}}
lan_users {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip
<ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>}
{lan_user_end_ip <ipaddress>}} | group_wise <group name>}
wan_users {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>}
| ADDRESS_RANGE {wan_user_start_ip <ipaddress>}
{wan_user_end_ip <ipaddress>}}
qos_priority {Normal-Service | Minimize-Cost |
Maximize-Reliability | Maximize-Throughput | Minimize-Delay}
log {NEVER | ALWAYS}
bandwidth_profile <profile name>
nat_ip type {WAN_INTERFACE_ADDRESS | SINGLE_ADDRESS
{address <ipaddress>}}
Mode
security-config [firewall-ipv4-lan-wan-outbound]
| Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| Service name, action, and schedule | | |
| service_name default_services | ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, or SIP-UDP | The default service and protocol to which the firewall rule applies. |
| service_name custom_services | custom service name | The custom service that you have configured with the command. |
| action | ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK | The type of action to be enforced by the rule. |
| schedule | Schedule1, Schedule2, or Schedule3 | The schedule, if any, that is applicable to the rule. |
| LAN user addresses or LAN group and WAN user addresses | | |
| lan_users address_wise | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of LAN address. |
| lan_user_start_ip | ipaddress | There are two options: • The IP address if the lan_users address_wise keywords are set to SINGLE_ADDRESS. • The start IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE. |
| lan_user_end_ip | ipaddress | The end IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE. |
| lan_users group_wise | group name | The name of the LAN group. The group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that you specified with the net lan lan_groups edit <row id> <new group name> command. |
| wan_users | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of WAN address. |
| wan_user_start_ip | ipaddress | There are two options: • The IP address if the wan_users keyword is set to SINGLE_ADDRESS. • The start IP address if the wan_users keyword is set to ADDRESS_RANGE. |
| wan_user_end_ip | ipaddress | The end IP address if the wan_users keyword is set to ADDRESS_RANGE. |
| QoS profile, logging, bandwidth profile, and NAT IP address | | |
| qos_priority | Normal-Service, Minimize-Cost, Maximize-Reliability, Maximize-Throughput, or Minimize-Delay | The type of QoS that applies to the rule. |
| log | NEVER or ALWAYS | Enables or disables logging. |
| bandwidth_profile | profile name | The profile that you have configured with the security bandwidth profile add command. |
| nat_ip type | WAN_INTERFACE_ADDRESS or SINGLE_ADDRESS | Specifies the type of NAT IP address: • WAN_INTERFACE_ADDRESS. The IP address of the WAN (broadband) interface. • SINGLE_ADDRESS. Another IP address, which you need to configure using the nat_ip address keywords. |
| nat_ip address | ipaddress | The NAT IP address, if the nat_ip type keywords are set to SINGLE_ADDRESS. |
Command example:
FVS318N> security firewall ipv4 add_rule lan_wan outbound
security-config[firewall-ipv4-lan-wan-outbound]> service_name default_services PING
security-config[firewall-ipv4-lan-wan-outbound]> action ALWAYS_ALLOW
security-config[firewall-ipv4-lan-wan-outbound]> lan_users address_wise ANY
security-config[firewall-ipv4-lan-wan-outbound]> wan_users ADDRESS_RANGE
security-config[firewall-ipv4-lan-wan-outbound]> wan_user_start_ip 10.120.114.217
security-config[firewall-ipv4-lan-wan-outbound]> wan_user_end_ip 10.120.114.245
security-config[firewall-ipv4-lan-wan-outbound]> qos_profile Normal-Service
security-config[firewall-ipv4-lan-wan-outbound]> log ALWAYS
security-config[firewall-ipv4-lan-wan-outbound]> save
Related show command:
show security firewall ipv4 setup lan_wan
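Because the action keyword decides which other keywords a rule needs, a planned rule can be reviewed before it is typed into the CLI. The following Python lint is an added example, not part of the NETGEAR manual or firmware: it reads the keyword lines of an outbound rule (prompt stripped) and reports a schedule-based action without a schedule, SINGLE_ADDRESS or ADDRESS_RANGE selectors with missing or reversed addresses, an ANY/ANY/ANY rule that can permit traffic, and permitting rules whose log keyword is not ALWAYS. The function names are hypothetical, BROAD_RULE is constructed for illustration, and entering schedule on its own line is an assumption.

```python
import ipaddress

SCHEDULED = ("BLOCK_BY_SCHEDULE_ELSE_ALLOW", "ALLOW_BY_SCHEDULE_ELSE_BLOCK")

# Keyword lines from the manual's command example, CLI prompt stripped.
MANUAL_RULE = [
    "service_name default_services PING",
    "action ALWAYS_ALLOW",
    "lan_users address_wise ANY",
    "wan_users ADDRESS_RANGE",
    "wan_user_start_ip 10.120.114.217",
    "wan_user_end_ip 10.120.114.245",
    "log ALWAYS",
]

# Constructed rule for illustration: every selector is ANY and logging is off.
BROAD_RULE = [
    "service_name default_services ANY",
    "action ALWAYS_ALLOW",
    "lan_users address_wise ANY",
    "wan_users ANY",
    "log NEVER",
]


def parse_rule(lines):
    """Map each leading keyword to the list of words typed after it."""
    return {words[0]: words[1:] for words in (line.split() for line in lines) if words}


def _ip(rule, keyword):
    """Return the keyword's value as an IPv4Address, or None if absent or invalid."""
    try:
        return ipaddress.IPv4Address(rule[keyword][0])
    except (KeyError, IndexError, ValueError):
        return None


def _scope_findings(rule, side, kind):
    """Check that SINGLE_ADDRESS / ADDRESS_RANGE carry the addresses they require."""
    start, end = _ip(rule, f"{side}_user_start_ip"), _ip(rule, f"{side}_user_end_ip")
    if kind == "SINGLE_ADDRESS" and start is None:
        return [f"{side}_users SINGLE_ADDRESS needs a valid {side}_user_start_ip"]
    if kind == "ADDRESS_RANGE":
        if start is None or end is None:
            return [f"{side}_users ADDRESS_RANGE needs valid start and end addresses"]
        if end < start:
            return [f"{side}_users range ends ({end}) before it starts ({start})"]
    return []


def lint_rule(lines):
    """Return a list of findings for one outbound rule; empty means none."""
    rule = parse_rule(lines)
    findings = []
    action = (rule.get("action") or [""])[0]
    service = (rule.get("service_name") or [""])[-1]
    lan = rule.get("lan_users") or []
    lan_kind = lan[1] if lan[:1] == ["address_wise"] and len(lan) > 1 else ""
    wan_kind = (rule.get("wan_users") or [""])[0]

    if not action:
        findings.append("no action keyword set")
    if action in SCHEDULED and not rule.get("schedule"):
        findings.append(f"{action} has no schedule keyword")
    findings += _scope_findings(rule, "lan", lan_kind)
    findings += _scope_findings(rule, "wan", wan_kind)

    # Every action except ALWAYS_BLOCK lets traffic through at least part of the time.
    permits = action not in ("", "ALWAYS_BLOCK")
    if permits and service == lan_kind == wan_kind == "ANY":
        findings.append("permits ANY service from ANY LAN address to ANY WAN address")
    if permits and rule.get("log") != ["ALWAYS"]:
        findings.append("can permit traffic but log is not ALWAYS")
    return findings


if __name__ == "__main__":
    for name, rule in (("manual example", MANUAL_RULE), ("broad rule", BROAD_RULE)):
        print(name, lint_rule(rule) or "no findings")
```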
security firewall ipv4 edit_rule lan_wan outbound <row id>
This command configures an existing IPv4 LAN WAN outbound firewall rule. After you have issued the security firewall ipv4 edit_rule lan_wan outbound command to specify the row to be edited (for row information, see the output of the show security firewall ipv4 setup lan_wan command), you enter the security-config [firewall-ipv4-lan-wan-outbound] mode. You can then edit one keyword and associated parameter or associated keyword at a time in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.
Step 1
Format
  security firewall ipv4 edit_rule lan_wan outbound <row id>
Mode
  security
Step 2
Format
  service_name {default_services <default service name> | {custom_services <custom service name>}
  action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
  lan_users {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip <ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>} {lan_user_end_ip <ipaddress>}} | group_wise <group name>}
  wan_users {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} | ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}}
  qos_priority {Normal-Service | Minimize-Cost | Maximize-Reliability | Maximize-Throughput | Minimize-Delay}
  log {NEVER | ALWAYS}
  bandwidth_profile <profile name>
  nat_ip type {WAN_INTERFACE_ADDRESS | SINGLE_ADDRESS {address <ipaddress>}}
Mode
  security-config [firewall-ipv4-lan-wan-outbound]
| Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| Service name, action, and schedule | | |
| service_name default_services | ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, or SIP-UDP | The default service and protocol to which the firewall rule applies. |
| service_name custom_services | custom service name | The custom service that you have configured with the |
| action | ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK | The type of action to be enforced by the rule. |
| schedule | Schedule1, Schedule2, or Schedule3 | The schedule, if any, that is applicable to the rule. |
| LAN user addresses or LAN group and WAN user addresses | | |
| lan_users address_wise | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of LAN address. |
| lan_user_start_ip | ipaddress | There are two options: • The IP address if the lan_users address_wise keywords are set to SINGLE_ADDRESS. • The start IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE. |
| lan_user_end_ip | ipaddress | The end IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE. |
| lan_users group_wise | group name | The name of the LAN group. The group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that net lan lan_groups edit <row id> <new group name> |
| wan_users | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of WAN address. |
| wan_user_start_ip | ipaddress | There are two options: • The IP address if the wan_users keyword is set to SINGLE_ADDRESS. • The start IP address if the wan_users keyword is set to ADDRESS_RANGE. |
| wan_user_end_ip | ipaddress | The end IP address if the wan_users keyword is set to ADDRESS_RANGE. |
| QoS profile, logging, bandwidth profile, and NAT IP address | | |
| qos_priority | Normal-Service, Minimize-Cost, Maximize-Reliability, Maximize-Throughput, or Minimize-Delay | The type of QoS that applies to the rule. |
| log | NEVER or ALWAYS | Enables or disables logging. |
| bandwidth_profile | profile name | The profile that you have configured with the security bandwidth profile add command. |
| nat_ip type | WAN_INTERFACE_ADDRESS or SINGLE_ADDRESS | Specifies the type of NAT IP address: • WAN_INTERFACE_ADDRESS. The IP address of the WAN (broadband) interface. • SINGLE_ADDRESS. Another IP address, which you need to configure using the nat_ip address keywords. |
| nat_ip address | ipaddress | The NAT IP address, if the nat_ip type keywords are set to SINGLE_ADDRESS. |
Command example: See the command example for the security firewall ipv4 add_rule lan_wan outbound command.
Related show command:
show security firewall ipv4 setup lan_wan
security firewall ipv4 add_rule lan_wan inbound
This command configures a new IPv4 LAN WAN inbound firewall rule. After you have issued the security firewall ipv4 add_rule lan_wan inbound command, you enter the security-config [firewall-ipv4-lan-wan-inbound] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.
Step 1
Format
  security firewall ipv4 add_rule lan_wan inbound
Mode
  security
Step 2
Format
  service_name {default_services <default service name> | {custom_services <custom service name>}
  action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
  send_to_lan_server {SINGLE_ADDRESS {send_to_lan_server_start_ip <ipaddress>} | ADDRESS_RANGE {send_to_lan_server_start_ip <ipaddress>} {send_to_lan_server_end_ip <ipaddress>}}
  translate_to_port_number enable {N | Y {translate_to_port_number port <number>}}
  wan_destination_ip_address {WAN | OTHERS {wan_destination_ip_address_start <ipaddress>} | RANGE {wan_destination_ip_address_start <ipaddress>} {wan_destination_ip_address_end <ipaddress>}}
  lan_user {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip <ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>} {lan_user_end_ip <ipaddress>}} | group_wise <group name>}
  wan_user {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} | ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}}
  log {NEVER | ALWAYS}
  bandwidth_profile <profile name>
Mode
  security-config [firewall-ipv4-lan-wan-inbound]
| Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| Service name, action, and schedule | | |
| service_name default_services | ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, or SIP-UDP | The default service and protocol to which the firewall rule applies. |
| service_name custom_services | custom service name | The custom service that you have configured with the command. |
| action | ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK | The type of action to be enforced by the rule. |
| schedule | Schedule1, Schedule2, or Schedule3 | The schedule, if any, that is applicable to the rule. |
| LAN server addresses, port number translation, and WAN destination addresses | | |
| send_to_lan_server | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of LAN address. |
| send_to_lan_server_start_ip | ipaddress | There are two options: • The IP address if the send_to_lan_server keyword is set to SINGLE_ADDRESS. • The start IP address if the send_to_lan_server keyword is set to ADDRESS_RANGE. |
| send_to_lan_server_end_ip | ipaddress | The end IP address if the send_to_lan_server keyword is set to ADDRESS_RANGE. |
| translate_to_port_number enable | Y or N | Enables or disables port forwarding. |
| translate_to_port_number port | number | The port number (integer) if port forwarding is enabled. Valid numbers are 0 through 65535. |
| wan_destination_ip_address | WAN, OTHERS, or RANGE | The type of destination WAN address for an inbound rule: • WAN. The default IP address of the WAN (broadband) interface. • OTHERS. Another public IP address, which you need to configure by issuing the wan_destination_ip_address_start keyword and specifying an IPv4 address. • RANGE. A range of public IP addresses, which you need to configure by issuing the wan_destination_ip_address_start and wan_destination_ip_address_end keywords and specifying IPv4 addresses. |
| wan_destination_ip_address_start | ipaddress | There are two options: • The IP address if the wan_destination_ip_address keyword is set to OTHERS. • The start IP address if the wan_destination_ip_address keyword is set to RANGE. |
| wan_destination_ip_address_end | ipaddress | The end IP address if the wan_destination_ip_address keyword is set to RANGE. |
| LAN user addresses or LAN group and WAN user addresses | | |
| lan_user address_wise | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of LAN address. For an inbound rule, this option is available only when the WAN mode is Classical Routing. |
| lan_user_start_ip | ipaddress | There are two options: • The IP address if the lan_user address_wise keywords are set to SINGLE_ADDRESS. • The start IP address if the lan_user address_wise keywords are set to ADDRESS_RANGE. |
| lan_user_end_ip | ipaddress | The end IP address if the lan_user address_wise keywords are set to ADDRESS_RANGE. |
| lan_user group_wise | group name | The name of the LAN group. The group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that net lan lan_groups edit <row id> <new group name> command. For an inbound rule, this option is available only when the WAN mode is Classical Routing. |
| wan_user | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of WAN address. |
| wan_user_start_ip | ipaddress | There are two options: • The IP address if the wan_user keyword is set to SINGLE_ADDRESS. • The start IP address if the wan_user keyword is set to ADDRESS_RANGE. |
| wan_user_end_ip | ipaddress | The end IP address if the wan_user keyword is set to ADDRESS_RANGE. |
| Logging and bandwidth profile | | |
| log | NEVER or ALWAYS | Enables or disables logging. |
| bandwidth_profile | profile name | The profile that you have configured with the security bandwidth profile add command. |
Command example:
FVS318N> security firewall ipv4 add_rule lan_wan inbound
security-config[firewall-ipv4-lan-wan-inbound]> service_name default_services HTTP
security-config[firewall-ipv4-lan-wan-inbound]> action ALWAYS_ALLOW
security-config[firewall-ipv4-lan-wan-inbound]> send_to_lan_server SINGLE_ADDRESS
security-config[firewall-ipv4-lan-wan-inbound]> send_to_lan_server_start_ip 192.168.5.69
security-config[firewall-ipv4-lan-wan-inbound]> wan_destination_ip_address WAN
security-config[firewall-ipv4-lan-wan-inbound]> wan_user ANY
security-config[firewall-ipv4-lan-wan-inbound]> log NEVER
security-config[firewall-ipv4-lan-wan-inbound]> save
Related show command:
show security firewall ipv4 setup lan_wan
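A pre-review check for saved rule sessions, added here as an example and not NETGEAR code: it parses an inbound LAN WAN session laid out like the command example above and checks the keyword dependencies from the Step 2 format. Both sessions are constructed, all function names are hypothetical, each value is assumed to be a single token, and the `review_notes` policy is this example's assumption, not a requirement of the manual.

```python
import ipaddress

PROMPT = "security-config[firewall-ipv4-lan-wan-inbound]> "

def session(*commands):
    """Build a transcript in the layout of the manual's command example."""
    first = "FVS318N> security firewall ipv4 add_rule lan_wan inbound"
    return "\n".join([first] + [PROMPT + c for c in commands])

# Constructed input 1: the same keywords as the manual's inbound example.
SESSION_OK = session(
    "service_name default_services HTTP", "action ALWAYS_ALLOW",
    "send_to_lan_server SINGLE_ADDRESS", "send_to_lan_server_start_ip 192.168.5.69",
    "wan_destination_ip_address WAN", "wan_user ANY", "log NEVER", "save")

# Constructed input 2: no schedule, reversed WAN range, port out of range.
SESSION_BAD = session(
    "service_name default_services HTTPS", "action ALLOW_BY_SCHEDULE_ELSE_BLOCK",
    "send_to_lan_server SINGLE_ADDRESS", "send_to_lan_server_start_ip 192.168.5.70",
    "translate_to_port_number enable Y", "translate_to_port_number port 70000",
    "wan_user ADDRESS_RANGE", "wan_user_start_ip 203.0.113.40",
    "wan_user_end_ip 203.0.113.10", "log ALWAYS", "save")

ACTIONS = {"ALWAYS_BLOCK", "ALWAYS_ALLOW",
           "BLOCK_BY_SCHEDULE_ELSE_ALLOW", "ALLOW_BY_SCHEDULE_ELSE_BLOCK"}
SCHEDULES = {"Schedule1", "Schedule2", "Schedule3"}

# selector keyword -> (value needing a start IP, value needing start and end,
#                      start keyword, end keyword), taken from the Step 2 format.
RANGED = {
    "send_to_lan_server": ("SINGLE_ADDRESS", "ADDRESS_RANGE",
                           "send_to_lan_server_start_ip", "send_to_lan_server_end_ip"),
    "wan_destination_ip_address": ("OTHERS", "RANGE",
                                   "wan_destination_ip_address_start",
                                   "wan_destination_ip_address_end"),
    "wan_user": ("SINGLE_ADDRESS", "ADDRESS_RANGE",
                 "wan_user_start_ip", "wan_user_end_ip"),
    "lan_user address_wise": ("SINGLE_ADDRESS", "ADDRESS_RANGE",
                              "lan_user_start_ip", "lan_user_end_ip"),
}

def parse_session(text):
    """Return {keyword: value} for the keyword lines of one rule session."""
    rule = {}
    for line in text.splitlines():
        prompt, sep, cmd = line.partition("> ")
        if not sep or not prompt.startswith("security-config["):
            continue                      # the FVS318N> add_rule line, blanks
        tokens = cmd.split()
        if len(tokens) >= 2:              # "save" carries no value
            rule[" ".join(tokens[:-1])] = tokens[-1]
    return rule

def _ip(rule, key, problems):
    """Fetch an IPv4 address keyword, recording a problem if absent or invalid."""
    raw = rule.get(key)
    if raw is None:
        problems.append(f"missing {key}")
        return None
    try:
        return ipaddress.IPv4Address(raw)
    except ipaddress.AddressValueError:
        problems.append(f"{key} is not an IPv4 address: {raw}")
        return None

def check_rule(rule):
    """Check the dependencies between keywords; return a list of problems."""
    problems = []
    action = rule.get("action")
    if action not in ACTIONS:
        problems.append(f"action must be one of {sorted(ACTIONS)}")
    elif "SCHEDULE" in action and rule.get("schedule") not in SCHEDULES:
        problems.append(f"{action} needs schedule Schedule1, Schedule2 or Schedule3")
    for selector, (single, ranged, start_key, end_key) in RANGED.items():
        kind = rule.get(selector)
        if kind == single:
            _ip(rule, start_key, problems)
        elif kind == ranged:
            start = _ip(rule, start_key, problems)
            end = _ip(rule, end_key, problems)
            if start is not None and end is not None and start > end:
                problems.append(f"{start_key} is above {end_key}")
    if rule.get("translate_to_port_number enable") == "Y":
        port = rule.get("translate_to_port_number port", "")
        if not port.isdigit() or int(port) > 65535:
            problems.append("translate_to_port_number port must be 0 through 65535")
    return problems

def review_notes(rule):
    """Reviewer policy assumed by this example (not a manual requirement)."""
    if (rule.get("action") == "ALWAYS_ALLOW" and rule.get("wan_user") == "ANY"
            and rule.get("log") != "ALWAYS"):
        return ["inbound allow from any WAN address with logging off"]
    return []

if __name__ == "__main__":
    for name, text in (("SESSION_OK", SESSION_OK), ("SESSION_BAD", SESSION_BAD)):
        rule = parse_session(text)
        print(name, check_rule(rule), review_notes(rule))
```

The manual's own example passes the dependency checks but draws the review note, because it forwards HTTP from any WAN address with logging set to NEVER.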
security firewall ipv4 edit_rule lan_wan inbound <row id>
This command configures an existing IPv4 LAN WAN inbound firewall rule. After you have issued the security firewall ipv4 edit_rule lan_wan inbound command to specify the row to be edited (for row information, see the output of the show security firewall ipv4 setup lan_wan command), you enter the security-config [firewall-ipv4-lan-wan-inbound] mode. You can then edit one keyword and associated parameter or associated keyword at a time in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.
Step 1
Format
  security firewall ipv4 edit_rule lan_wan inbound <row id>
Mode
  security
Step 2
Format
  service_name {default_services <default service name> | {custom_services <custom service name>}
  action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
  send_to_lan_server {SINGLE_ADDRESS {send_to_lan_server_start_ip <ipaddress>} | ADDRESS_RANGE {send_to_lan_server_start_ip <ipaddress>} {send_to_lan_server_end_ip <ipaddress>}}
  translate_to_port_number enable {N | Y {translate_to_port_number port <number>}}
  wan_destination_ip_address {WAN | OTHERS {wan_destination_ip_address_start <ipaddress>} | RANGE {wan_destination_ip_address_start <ipaddress>} {wan_destination_ip_address_end <ipaddress>}}
  lan_user {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip <ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>} {lan_user_end_ip <ipaddress>}} | group_wise <group name>}
  wan_user {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} | ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}}
  log {NEVER | ALWAYS}
  bandwidth_profile <profile name>
Mode
  security-config [firewall-ipv4-lan-wan-inbound]
| Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| Service name, action, and schedule | | |
| service_name default_services | ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, or SIP-UDP | The default service and protocol to which the firewall rule applies. |
| service_name custom_services | custom service name | The custom service that you have configured with the command. |
| action | ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK | The type of action to be enforced by the rule. |
| schedule | Schedule1, Schedule2, or Schedule3 | The schedule, if any, that is applicable to the rule. |
| LAN server addresses, port number translation, and WAN destination addresses | | |
| send_to_lan_server | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of LAN address. |
| send_to_lan_server_start_ip | ipaddress | There are two options: • The IP address if the send_to_lan_server keyword is set to SINGLE_ADDRESS. • The start IP address if the send_to_lan_server keyword is set to ADDRESS_RANGE. |
| send_to_lan_server_end_ip | ipaddress | The end IP address if the send_to_lan_server keyword is set to ADDRESS_RANGE. |
| translate_to_port_number enable | Y or N | Enables or disables port forwarding. |
| translate_to_port_number port | number | The port number (integer) if port forwarding is enabled. Valid numbers are 0 through 65535. |
| wan_destination_ip_address | WAN, OTHERS, or RANGE | The type of destination WAN address for an inbound rule: • WAN. The default IP address of the WAN (broadband) interface. • OTHERS. Another public IP address, which you need to configure by issuing the wan_destination_ip_address_start keyword and specifying an IPv4 address. • RANGE. A range of public IP addresses, which you need to configure by issuing the wan_destination_ip_address_start and wan_destination_ip_address_end keywords and specifying IPv4 addresses. |
| wan_destination_ip_address_start | ipaddress | There are two options: • The IP address if the wan_destination_ip_address keyword is set to OTHERS. • The start IP address if the wan_destination_ip_address keyword is set to RANGE. |
| wan_destination_ip_address_end | ipaddress | The end IP address if the wan_destination_ip_address keyword is set to RANGE. |
| LAN user addresses or LAN group and WAN user addresses | | |
| lan_user address_wise | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of LAN address. For an inbound rule, this option is available only when the WAN mode is Classical Routing. |
| lan_user_start_ip | ipaddress | There are two options: • The IP address if the lan_users address_wise keywords are set to SINGLE_ADDRESS. • The start IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE. |
| lan_user_end_ip | ipaddress | The end IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE. |
| lan_users group_wise | group name | The name of the LAN group. The group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that net lan lan_groups edit <row id> <new group name> command. For an inbound rule, this option is available only when the WAN mode is Classical Routing. |
| wan_user | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of WAN address. |
| wan_user_start_ip | ipaddress | There are two options: • The IP address if the wan_user keyword is set to SINGLE_ADDRESS. • The start IP address if the wan_user keyword is set to ADDRESS_RANGE. |
| wan_user_end_ip | ipaddress | The end IP address if the wan_user keyword is set to ADDRESS_RANGE. |
| Logging and bandwidth profile | | |
| log | NEVER or ALWAYS | Enables or disables logging. |
| bandwidth_profile | profile name | The profile that you have configured with the security bandwidth profile add command. |
Command example: See the command example for the security firewall ipv4 add_rule lan_wan inbound command.
Related show command:
show security firewall ipv4 setup lan_wan
security firewall ipv4 add_rule dmz_wan outbound
This command configures a new IPv4 DMZ WAN outbound firewall rule. After you have issued the security firewall ipv4 add_rule dmz_wan outbound command, you enter the security-config [firewall-ipv4-dmz-wan-outbound] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.
Step 1
Format
  security firewall ipv4 add_rule dmz_wan outbound
Mode
  security
Step 2
Format
  service_name {default_services <default service name> | {custom_services <custom service name>}
  action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
  dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} | ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}}
  wan_users {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} | ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}}
  qos_priority {Normal-Service | Minimize-Cost | Maximize-Reliability | Maximize-Throughput | Minimize-Delay}
  log {NEVER | ALWAYS}
  nat_ip type {WAN_INTERFACE_ADDRESS | SINGLE_ADDRESS {address <ipaddress>}}
Mode
  security-config [firewall-ipv4-dmz-wan-outbound]
| Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| Service name, action, and schedule | | |
| service_name default_services | ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, or SIP-UDP | The default service and protocol to which the firewall rule applies. |
| service_name custom_services | custom service name | The custom service that you have configured with the command. |
| action | ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK | The type of action to be enforced by the rule. |
| schedule | Schedule1, Schedule2, or Schedule3 | The schedule, if any, that is applicable to the rule. |
| DMZ user addresses and WAN user addresses | | |
| dmz_users | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of DMZ address. |
| dmz_user_start_ip | ipaddress | There are two options: • The IP address if the dmz_users keyword is set to SINGLE_ADDRESS. • The start IP address if the dmz_users keyword is set to ADDRESS_RANGE. |
| dmz_user_end_ip | ipaddress | The end IP address if the dmz_users keyword is set to ADDRESS_RANGE. |
| wan_users | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of WAN address. |
| wan_user_start_ip | ipaddress | There are two options: • The IP address if the wan_users keyword is set to SINGLE_ADDRESS. • The start IP address if the wan_users keyword is set to ADDRESS_RANGE. |
| wan_user_end_ip | ipaddress | The end IP address if the wan_users keyword is set to ADDRESS_RANGE. |
| QoS profile, logging, and NAT IP address | | |
| qos_priority | Normal-Service, Minimize-Cost, Maximize-Reliability, Maximize-Throughput, or Minimize-Delay | The type of QoS that applies to the rule. |
| log | NEVER or ALWAYS | Enables or disables logging. |
| nat_ip type | WAN_INTERFACE_ADDRESS or SINGLE_ADDRESS | Specifies the type of NAT IP address: • WAN_INTERFACE_ADDRESS. The IP address of the WAN (broadband) interface. • SINGLE_ADDRESS. Another IP address, which you need to configure using the nat_ip address keywords. |
| nat_ip address | ipaddress | The NAT IP address, if the nat_ip type keywords are set to SINGLE_ADDRESS. |
Command example:
FVS318N> security firewall ipv4 add_rule dmz_wan outbound
security-config[firewall-ipv4-dmz-wan-outbound]> service_name default_services FTP
security-config[firewall-ipv4-dmz-wan-outbound]> action ALLOW_BY_SCHEDULE_ELSE_BLOCK
security-config[firewall-ipv4-dmz-wan-outbound]> schedule Schedule2
security-config[firewall-ipv4-dmz-wan-outbound]> dmz_users ANY
security-config[firewall-ipv4-dmz-wan-outbound]> wan_users ANY
security-config[firewall-ipv4-dmz-wan-outbound]> qos_profile Maximize-Reliability
security-config[firewall-ipv4-dmz-wan-outbound]> log Never
security-config[firewall-ipv4-dmz-wan-outbound]> save
Related show command:
show security firewall ipv4 setup dmz_wan
security firewall ipv4 edit_rule dmz_wan outbound <row id>
This command configures an existing IPv4 DMZ WAN outbound firewall rule. After you have issued the security firewall ipv4 edit_rule dmz_wan outbound command to specify the row to be edited (for row information, see the output of the show security firewall ipv4 setup dmz_wan command), you enter the security-config [firewall-ipv4-dmz-wan-outbound] mode. You can then edit one keyword and associated parameter or associated keyword at a time in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.
Step 1
Format
  security firewall ipv4 edit_rule dmz_wan outbound <row id>
Mode
  security
Step 2
Format
  service_name {default_services <default service name> | {custom_services <custom service name>}
  action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
  dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} | ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}}
  wan_users {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} | ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}}
  qos_priority {Normal-Service | Minimize-Cost | Maximize-Reliability | Maximize-Throughput | Minimize-Delay}
  log {NEVER | ALWAYS}
  nat_ip type {WAN_INTERFACE_ADDRESS | SINGLE_ADDRESS {address <ipaddress>}}
Mode
  security-config [firewall-ipv4-dmz-wan-outbound]
| Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| Service name, action, and schedule | | |
| service_name default_services | ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, or SIP-UDP | The default service and protocol to which the firewall rule applies. |
| service_name custom_services | custom service name | The custom service that you have configured with the |
| action | ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK | The type of action to be enforced by the rule. |
| schedule | Schedule1, Schedule2, or Schedule3 | The schedule, if any, that is applicable to the rule. |
| DMZ user addresses and WAN user addresses | | |
| dmz_users | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of DMZ address. |
| dmz_user_start_ip | ipaddress | There are two options: • The IP address if the dmz_users keyword is set to SINGLE_ADDRESS. • The start IP address if the dmz_users keyword is set to ADDRESS_RANGE. |
| dmz_user_end_ip | ipaddress | The end IP address if the dmz_users keyword is set to ADDRESS_RANGE. |
| wan_users | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of WAN address. |
| wan_user_start_ip | ipaddress | There are two options: • The IP address if the wan_users keyword is set to SINGLE_ADDRESS. • The start IP address if the wan_users keyword is set to ADDRESS_RANGE. |
| wan_user_end_ip | ipaddress | The end IP address if the wan_users keyword is set to ADDRESS_RANGE. |
| QoS profile, logging, and NAT IP address | | |
| qos_priority | Normal-Service, Minimize-Cost, Maximize-Reliability, Maximize-Throughput, or Minimize-Delay | The type of QoS that applies to the rule. |
| log | NEVER or ALWAYS | Enables or disables logging. |
| nat_ip type | WAN_INTERFACE_ADDRESS or SINGLE_ADDRESS | Specifies the type of NAT IP address: • WAN_INTERFACE_ADDRESS. The IP address of the WAN (broadband) interface. • SINGLE_ADDRESS. Another IP address, which you need to configure using the nat_ip address keywords. |
| nat_ip address | ipaddress | The NAT IP address, if the nat_ip type keywords are set to SINGLE_ADDRESS. |
Command example: See the command example for the security firewall ipv4 add_rule dmz_wan outbound command.
Related show command:
show security firewall ipv4 setup dmz_wan
security firewall ipv4 add_rule dmz_wan inbound
This command configures a new IPv4 DMZ WAN inbound firewall rule. After you have issued the security firewall ipv4 add_rule dmz_wan inbound command, you enter the security-config [firewall-ipv4-dmz-wan-inbound] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.
Step 1
Format
  security firewall ipv4 add_rule dmz_wan inbound
Mode
  security
Step 2
Format
  service_name {default_services <default service name> | {custom_services <custom service name>}
  action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
  send_to_dmz_server_ip <ipaddress>
  translate_to_port_number enable {N | Y {translate_to_port_number port <number>}}
  wan_destination_ip_address {WAN | OTHERS {wan_destination_ip_address_start <ipaddress>}
  dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} | ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}}
  wan_users {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} | ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}}
  log {NEVER | ALWAYS}
Mode
  security-config [firewall-ipv4-dmz-wan-inbound]
| Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| Service name, action, and schedule | | |
| service_name default_services | ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, or SIP-UDP | The default service and protocol to which the firewall rule applies. |
| service_name custom_services | custom service name | The custom service that you have configured with the command. |
| action | ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK | The type of action to be enforced by the rule. |
| schedule | Schedule1, Schedule2, or Schedule3 | The schedule, if any, that is applicable to the rule. |
| DMZ server address, port number translation, and WAN destination address | | |
| send_to_dmz_server_ip | ipaddress | The IP address of the DMZ server. |
| translate_to_port_number enable | Y or N | Enables or disables port forwarding. |
| translate_to_port_number port | number | The port number (integer) if port forwarding is enabled. Valid numbers are 0 through 65535. |
| wan_destination_ip_address | WAN or OTHERS | The type of destination WAN address for an inbound rule: • WAN. The default IP address of the WAN (broadband) interface. • OTHERS. Another public IP address, which you need to configure by issuing the wan_destination_ip_address_start keyword and specifying an IPv4 address. |
| wan_destination_ip_address_start | ipaddress | The IP address if the wan_destination_ip_address keyword is set to OTHERS. |
| DMZ user addresses and WAN user addresses | | |
| dmz_users | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of DMZ address. For an inbound rule, this option is available only when the WAN mode is Classical Routing. |
| dmz_user_start_ip | ipaddress | There are two options: • The IP address if the dmz_users keyword is set to SINGLE_ADDRESS. • The start IP address if the dmz_users keyword is set to ADDRESS_RANGE. |
| dmz_user_end_ip | ipaddress | The end IP address if the dmz_users keyword is set to ADDRESS_RANGE. |
| wan_users | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of WAN address. |
| wan_user_start_ip | ipaddress | There are two options: • The IP address if the wan_users keyword is set to SINGLE_ADDRESS. • The start IP address if the wan_users keyword is set to ADDRESS_RANGE. |
| wan_user_end_ip | ipaddress | The end IP address if the wan_users keyword is set to ADDRESS_RANGE. |
| Logging | | |
| log | NEVER or ALWAYS | Enables or disables logging. |
Security Mode Configuration Commands
100
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Command example:
FVS318N> security firewall ipv4 add_rule dmz_wan inbound
security-config[firewall-ipv4-dmz-wan-inbound]> service_name custom_services Traceroute
security-config[firewall-ipv4-lan-wan-inbound]> action ALWAYS_ALLOW
security-config[firewall-ipv4-lan-wan-inbound]> send_to_dmz_server_ip 176.21.214.2
security-config[firewall-ipv4-lan-wan-inbound]> translate_to_port_number enable Y
security-config[firewall-ipv4-lan-wan-inbound]> translate_to_port_number port 4500
security-config[firewall-ipv4-lan-wan-inbound]> wan_destination_ip_address OTHERS
security-config[firewall-ipv4-lan-wan-inbound]> wan_destination_ip_address_start 10.115.97.174
security-config[firewall-ipv4-lan-wan-inbound]> wan_users ANY
security-config[firewall-ipv4-lan-wan-inbound]> log Always
security-config[firewall-ipv4-lan-wan-inbound]> save
Related show command:
show security firewall ipv4 setup dmz_wan
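The keyword dependencies described for the dmz_wan inbound rule above (a schedule for the two scheduled actions, a port from 0 through 65535 when port translation is enabled, a start address for OTHERS, and start and end addresses for SINGLE_ADDRESS and ADDRESS_RANGE) can be checked offline against a saved CLI transcript. The Python script below is an added example, not part of the NETGEAR manual: the finding labels, the check that a range start is not after its end, and the two review flags are assumptions of the example, and the second transcript is constructed.

```python
import ipaddress

SCHEDULED = {"BLOCK_BY_SCHEDULE_ELSE_ALLOW", "ALLOW_BY_SCHEDULE_ELSE_BLOCK"}
ALLOWING = SCHEDULED | {"ALWAYS_ALLOW"}   # actions that pass traffic at least some of the time
SCHEDULES = {"Schedule1", "Schedule2", "Schedule3"}

# The manual's dmz_wan inbound command example, prompts as printed, one command per line.
MANUAL_EXAMPLE = """\
FVS318N> security firewall ipv4 add_rule dmz_wan inbound
security-config[firewall-ipv4-dmz-wan-inbound]> service_name custom_services Traceroute
security-config[firewall-ipv4-lan-wan-inbound]> action ALWAYS_ALLOW
security-config[firewall-ipv4-lan-wan-inbound]> send_to_dmz_server_ip 176.21.214.2
security-config[firewall-ipv4-lan-wan-inbound]> translate_to_port_number enable Y
security-config[firewall-ipv4-lan-wan-inbound]> translate_to_port_number port 4500
security-config[firewall-ipv4-lan-wan-inbound]> wan_destination_ip_address OTHERS
security-config[firewall-ipv4-lan-wan-inbound]> wan_destination_ip_address_start 10.115.97.174
security-config[firewall-ipv4-lan-wan-inbound]> wan_users ANY
security-config[firewall-ipv4-lan-wan-inbound]> log Always
security-config[firewall-ipv4-lan-wan-inbound]> save
"""

# Constructed transcript: dependent keywords missing or out of range.
BROKEN_EXAMPLE = """\
security-config[firewall-ipv4-dmz-wan-inbound]> service_name default_services HTTP
security-config[firewall-ipv4-dmz-wan-inbound]> action ALLOW_BY_SCHEDULE_ELSE_BLOCK
security-config[firewall-ipv4-dmz-wan-inbound]> translate_to_port_number enable Y
security-config[firewall-ipv4-dmz-wan-inbound]> translate_to_port_number port 70000
security-config[firewall-ipv4-dmz-wan-inbound]> wan_users ADDRESS_RANGE
security-config[firewall-ipv4-dmz-wan-inbound]> wan_user_start_ip 203.0.113.40
security-config[firewall-ipv4-dmz-wan-inbound]> wan_user_end_ip 203.0.113.20
security-config[firewall-ipv4-dmz-wan-inbound]> log NEVER
"""


def parse_session(text):
    """Return {keyword: value} for the commands typed in security-config mode."""
    settings = {}
    for line in text.splitlines():
        prompt, sep, command = line.partition("> ")
        if not sep or not prompt.startswith("security-config"):
            continue  # skip the mode-entry command and anything that is not a prompt line
        tokens = command.split()
        if len(tokens) == 3:    # two-word keyword, e.g. "translate_to_port_number port 4500"
            settings[" ".join(tokens[:2])] = tokens[2]
        elif len(tokens) == 2:  # one-word keyword; a bare "save" has no value and is ignored
            settings[tokens[0]] = tokens[1]
    return settings


def ipv4_or_none(value):
    """Parse a dotted-quad IPv4 address, or return None if absent or malformed."""
    if value is None:
        return None
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        return None


def check_rule(settings):
    """Return (errors, review): dependency violations and rule-hygiene flags."""
    errors, review = [], []
    action = settings.get("action", "").upper()
    if action in SCHEDULED and settings.get("schedule") not in SCHEDULES:
        errors.append("schedule-missing")
    if settings.get("translate_to_port_number enable", "").upper() == "Y":
        port = settings.get("translate_to_port_number port", "")
        if not (port.isdigit() and 0 <= int(port) <= 65535):
            errors.append("port-range")
    if settings.get("wan_destination_ip_address", "").upper() == "OTHERS":
        if ipv4_or_none(settings.get("wan_destination_ip_address_start")) is None:
            errors.append("wan-destination-missing")
    if "send_to_dmz_server_ip" in settings and ipv4_or_none(settings["send_to_dmz_server_ip"]) is None:
        errors.append("dmz-server-ip")
    for zone in ("dmz", "wan"):
        kind = settings.get(f"{zone}_users", "").upper()
        start = ipv4_or_none(settings.get(f"{zone}_user_start_ip"))
        end = ipv4_or_none(settings.get(f"{zone}_user_end_ip"))
        if kind in ("SINGLE_ADDRESS", "ADDRESS_RANGE") and start is None:
            errors.append(f"{zone}-start-missing")
        if kind == "ADDRESS_RANGE":
            if end is None:
                errors.append(f"{zone}-end-missing")
            elif start is not None and start > end:  # ordering check is this example's assumption
                errors.append(f"{zone}-range-order")
    # Review flags are this example's policy, not rules stated in the manual.
    if action in ALLOWING and settings.get("wan_users", "").upper() == "ANY":
        review.append("allow-from-any-wan-source")
    if action in ALLOWING and settings.get("log", "").upper() == "NEVER":
        review.append("allow-without-logging")
    return errors, review


if __name__ == "__main__":
    for name, text in (("manual", MANUAL_EXAMPLE), ("broken", BROKEN_EXAMPLE)):
        print(name, check_rule(parse_session(text)))
```

Keywords that a transcript never sets are treated as unknown rather than given a default, because the tables above do not state default values.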
security firewall ipv4 edit_rule dmz_wan inbound <row id>
This command configures an existing IPv4 DMZ WAN inbound firewall rule. After you have issued the security firewall ipv4 edit_rule dmz_wan inbound command to specify the row to be edited (for row information, see the output of the show security firewall ipv4 setup dmz_wan command), you enter the security-config [firewall-ipv4-dmz-wan-inbound] mode. You can then edit one keyword and associated parameter or associated keyword at a time in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.
Step 1
Format
security firewall ipv4 edit_rule dmz_wan inbound <row id>
Mode
security
Step 2
Format
service_name {default_services <default service name> |
custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW |
BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 |
Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK
{schedule {Schedule1 | Schedule2 | Schedule3}}}
send_to_dmz_server_ip <ipaddress>
translate_to_port_number enable {N | Y
{translate_to_port_number port <number>}}
wan_destination_ip_address {WAN | OTHERS
{wan_destination_ip_address_start <ipaddress>}}
dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>}
| ADDRESS_RANGE {dmz_user_start_ip <ipaddress>}
{dmz_user_end_ip <ipaddress>}}
wan_users {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>}
| ADDRESS_RANGE {wan_user_start_ip <ipaddress>}
{wan_user_end_ip <ipaddress>}}
log {NEVER | ALWAYS}
Mode
security-config [firewall-ipv4-dmz-wan-inbound]
Keyword (might consist of two separate words)
Associated Keyword to Select or Parameter to Type
Description

Service name, action, and schedule

service_name default_services
Associated keyword: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, or SIP-UDP
Description: The default service and protocol to which the firewall rule applies.

service_name custom_services
Parameter: custom service name
Description: The custom service that you have configured with the command.

action
Associated keyword: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK
Description: The type of action to be enforced by the rule.

schedule
Associated keyword: Schedule1, Schedule2, or Schedule3
Description: The schedule, if any, that is applicable to the rule.

DMZ server address, port number translation, and WAN destination address

send_to_dmz_server_ip
Parameter: ipaddress
Description: The IP address of the DMZ server.

translate_to_port_number enable
Associated keyword: Y or N
Description: Enables or disables port forwarding.

translate_to_port_number port
Parameter: number
Description: The port number (integer) if port forwarding is enabled. Valid numbers are 0 through 65535.
wan_destination_ip_address
Associated keyword: WAN or OTHERS
Description: The type of destination WAN address for an inbound rule:
• WAN. The default IP address of the WAN (broadband) interface.
• OTHERS. Another public IP address, which you need to configure by issuing the wan_destination_ip_address_start keyword and specifying an IPv4 address.

wan_destination_ip_address_start
Parameter: ipaddress
Description: The IP address if the wan_destination_ip_address keyword is set to OTHERS.

DMZ user addresses and WAN user addresses

dmz_users
Associated keyword: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
Description: The type of DMZ address. For an inbound rule, this option is available only when the WAN mode is Classical Routing.

dmz_user_start_ip
Parameter: ipaddress
Description: There are two options:
• The IP address if the dmz_users keyword is set to SINGLE_ADDRESS.
• The start IP address if the dmz_users keyword is set to ADDRESS_RANGE.

dmz_user_end_ip
Parameter: ipaddress
Description: The end IP address if the dmz_users keyword is set to ADDRESS_RANGE.

wan_users
Associated keyword: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
Description: The type of WAN address.

wan_user_start_ip
Parameter: ipaddress
Description: There are two options:
• The IP address if the wan_users keyword is set to SINGLE_ADDRESS.
• The start IP address if the wan_users keyword is set to ADDRESS_RANGE.

wan_user_end_ip
Parameter: ipaddress
Description: The end IP address if the wan_users keyword is set to ADDRESS_RANGE.

Logging

log
Associated keyword: NEVER or ALWAYS
Description: Enables or disables logging.
Command example: See the command example for the security firewall ipv4 add_rule dmz_wan inbound command.
Related show command:
show security firewall ipv4 setup dmz_wan
security firewall ipv4 add_rule lan_dmz outbound
This command configures a new IPv4 LAN DMZ outbound firewall rule. After you have issued the security firewall ipv4 add_rule lan_dmz outbound command, you enter the security-config [firewall-ipv4-lan-dmz-outbound] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.
Step 1
Format
security firewall ipv4 add_rule lan_dmz outbound
Mode
security
Step 2
Format
service_name {default_services <default service name> |
custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW |
BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 |
Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK
{schedule {Schedule1 | Schedule2 | Schedule3}}}
lan_users {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip
<ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>}
{lan_user_end_ip <ipaddress>}} | group_wise <group name>}
dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>}
| ADDRESS_RANGE {dmz_user_start_ip <ipaddress>}
{dmz_user_end_ip <ipaddress>}}
log {NEVER | ALWAYS}
Mode
security-config [firewall-ipv4-lan-dmz-outbound]
Keyword (might consist of two separate words)
Associated Keyword to Select or Parameter to Type
Description

Service name, action, and schedule

service_name default_services
Associated keyword: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, or SIP-UDP
Description: The default service and protocol to which the firewall rule applies.

service_name custom_services
Parameter: custom service name
Description: The custom service that you have configured with the command.

action
Associated keyword: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK
Description: The type of action to be enforced by the rule.

schedule
Associated keyword: Schedule1, Schedule2, or Schedule3
Description: The schedule, if any, that is applicable to the rule.

LAN user addresses or LAN group and DMZ user addresses

lan_users address_wise
Associated keyword: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
Description: The type of LAN address.

lan_user_start_ip
Parameter: ipaddress
Description: There are two options:
• The IP address if the lan_users address_wise keywords are set to SINGLE_ADDRESS.
• The start IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.

lan_user_end_ip
Parameter: ipaddress
Description: The end IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.
lan_users group_wise
Parameter: group name
Description: The name of the LAN group. The group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that you specified with the net lan lan_groups edit <row id> <new group name> command.

dmz_users
Associated keyword: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
Description: The type of DMZ address.

dmz_user_start_ip
Parameter: ipaddress
Description: There are two options:
• The IP address if the dmz_users keyword is set to SINGLE_ADDRESS.
• The start IP address if the dmz_users keyword is set to ADDRESS_RANGE.

dmz_user_end_ip
Parameter: ipaddress
Description: The end IP address if the dmz_users keyword is set to ADDRESS_RANGE.

Logging

log
Associated keyword: NEVER or ALWAYS
Description: Enables or disables logging.
Command example:
FVS318N> security firewall ipv4 add_rule lan_dmz outbound
security-config[firewall-ipv4-lan-dmz-outbound]> service_name default_services FTP
security-config[firewall-ipv4-lan-dmz-outbound]> action ALWAYS_ALLOW
security-config[firewall-ipv4-lan-dmz-outbound]> lan_users group_wise GROUP3
security-config[firewall-ipv4-lan-dmz-outbound]> dmz_users ADDRESS_RANGE
security-config[firewall-ipv4-lan-dmz-outbound]> dmz_user_start_ip 176.16.2.65
security-config[firewall-ipv4-lan-dmz-outbound]> dmz_user_end_ip 176.16.2.85
security-config[firewall-ipv4-lan-dmz-outbound]> log Never
security-config[firewall-ipv4-lan-dmz-outbound]> save
Related show command:
show security firewall ipv4 setup lan_dmz
security firewall ipv4 edit_rule lan_dmz outbound <row id>
This command configures an existing IPv4 LAN DMZ outbound firewall rule. After you have issued the security firewall ipv4 edit_rule lan_dmz outbound command to specify the row to be edited (for row information, see the output of the show security firewall ipv4 setup lan_dmz command), you enter the security-config [firewall-ipv4-lan-dmz-outbound] mode. You can then edit one keyword and associated parameter or associated keyword at a time in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.
Step 1
Format
security firewall ipv4 edit_rule lan_dmz outbound <row id>
Mode
security
Step 2
Format
service_name {default_services <default service name> |
custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW |
BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 |
Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK
{schedule {Schedule1 | Schedule2 | Schedule3}}}
lan_users {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip
<ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>}
{lan_user_end_ip <ipaddress>}} | group_wise <group name>}
dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>}
| ADDRESS_RANGE {dmz_user_start_ip <ipaddress>}
{dmz_user_end_ip <ipaddress>}}
log {NEVER | ALWAYS}
Mode
security-config [firewall-ipv4-lan-dmz-outbound]
Keyword (might consist of two separate words)
Associated Keyword to Select or Parameter to Type
Description

Service name, action, and schedule

service_name default_services
Associated keyword: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, or SIP-UDP
Description: The default service and protocol to which the firewall rule applies.

service_name custom_services
Parameter: custom service name
Description: The custom service that you have configured with the command.
action
Associated keyword: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK
Description: The type of action to be enforced by the rule.

schedule
Associated keyword: Schedule1, Schedule2, or Schedule3
Description: The schedule, if any, that is applicable to the rule.

LAN user addresses or LAN group and DMZ user addresses

lan_users address_wise
Associated keyword: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
Description: The type of LAN address.

lan_user_start_ip
Parameter: ipaddress
Description: There are two options:
• The IP address if the lan_users address_wise keywords are set to SINGLE_ADDRESS.
• The start IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.

lan_user_end_ip
Parameter: ipaddress
Description: The end IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.

lan_users group_wise
Parameter: group name
Description: The name of the LAN group. The group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that you specified with the net lan lan_groups edit <row id> <new group name> command.

dmz_users
Associated keyword: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
Description: The type of DMZ address.

dmz_user_start_ip
Parameter: ipaddress
Description: There are two options:
• The IP address if the dmz_users keyword is set to SINGLE_ADDRESS.
• The start IP address if the dmz_users keyword is set to ADDRESS_RANGE.

dmz_user_end_ip
Parameter: ipaddress
Description: The end IP address if the dmz_users keyword is set to ADDRESS_RANGE.

Logging

log
Associated keyword: NEVER or ALWAYS
Description: Enables or disables logging.
Command example: See the command example for the security firewall ipv4 add_rule lan_dmz outbound command.
Related show command:
show security firewall ipv4 setup lan_dmz
security firewall ipv4 add_rule lan_dmz inbound
This command configures a new IPv4 LAN DMZ inbound firewall rule. After you have issued the security firewall ipv4 add_rule lan_dmz inbound command, you enter the security-config [firewall-ipv4-lan-dmz-outbound] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.
Step 1
Format
security firewall ipv4 add_rule lan_dmz inbound
Mode
security
Step 2
Format
service_name {default_services <default service name> |
custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW |
BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 |
Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK
{schedule {Schedule1 | Schedule2 | Schedule3}}}
lan_users {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip
<ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>}
{lan_user_end_ip <ipaddress>}} | group_wise <group name>}
dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>}
| ADDRESS_RANGE {dmz_user_start_ip <ipaddress>}
{dmz_user_end_ip <ipaddress>}}
log {NEVER | ALWAYS}
Mode
security-config [firewall-ipv4-lan-dmz-inbound]
Keyword (might consist of two separate words)
Associated Keyword to Select or Parameter to Type
Description

Service name, action, and schedule

service_name default_services
Associated keyword: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, or SIP-UDP
Description: The default service and protocol to which the firewall rule applies.

service_name custom_services
Parameter: custom service name
Description: The custom service that you have configured with the command.

action
Associated keyword: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK
Description: The type of action to be enforced by the rule.

schedule
Associated keyword: Schedule1, Schedule2, or Schedule3
Description: The schedule, if any, that is applicable to the rule.

LAN user addresses or LAN group and DMZ user addresses

lan_users address_wise
Associated keyword: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
Description: The type of LAN address.

lan_user_start_ip
Parameter: ipaddress
Description: There are two options:
• The IP address if the lan_users address_wise keywords are set to SINGLE_ADDRESS.
• The start IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.

lan_user_end_ip
Parameter: ipaddress
Description: The end IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.
lan_users group_wise
Parameter: group name
Description: The name of the LAN group. The group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that you specified with the net lan lan_groups edit <row id> <new group name> command.

dmz_users
Associated keyword: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
Description: The type of DMZ address.

dmz_user_start_ip
Parameter: ipaddress
Description: There are two options:
• The IP address if the dmz_users keyword is set to SINGLE_ADDRESS.
• The start IP address if the dmz_users keyword is set to ADDRESS_RANGE.

dmz_user_end_ip
Parameter: ipaddress
Description: The end IP address if the dmz_users keyword is set to ADDRESS_RANGE.

Logging

log
Associated keyword: NEVER or ALWAYS
Description: Enables or disables logging.
Command example:
FVS318N> security firewall ipv4 add_rule lan_dmz inbound
security-config[firewall-ipv4-lan-dmz-inbound]> service_name default_services SSH:UDP
security-config[firewall-ipv4-lan-dmz-inbound]> action BLOCK_BY_SCHEDULE_ELSE_ALLOW
security-config[firewall-ipv4-lan-dmz-inbound]> schedule Schedule1
security-config[firewall-ipv4-lan-dmz-inbound]> lan_users address_wise SINGLE_ADDRESS
security-config[firewall-ipv4-lan-dmz-inbound]> lan_user_start_ip 192.168.4.109
security-config[firewall-ipv4-lan-dmz-inbound]> dmz_users SINGLE_ADDRESS
security-config[firewall-ipv4-lan-dmz-inbound]> dmz_user_start_ip 176.16.2.211
security-config[firewall-ipv4-lan-dmz-inbound]> log Always
security-config[firewall-ipv4-lan-dmz-inbound]> save
Related show command:
show security firewall ipv4 setup lan_dmz
security firewall ipv4 edit_rule lan_dmz inbound <row id>
This command configures an existing IPv4 LAN DMZ inbound firewall rule. After you have issued the security firewall ipv4 edit_rule lan_dmz inbound command to specify the row to be edited (for row information, see the output of the show security firewall ipv4 setup lan_dmz command), you enter the security-config [firewall-ipv4-lan-dmz-outbound] mode. You can then edit one keyword and associated parameter or associated keyword at a time in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.
Step 1
Format
security firewall ipv4 edit_rule lan_dmz inbound <row id>
Mode
security
Step 2
Format
service_name {default_services <default service name> |
custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW |
BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 |
Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK
{schedule {Schedule1 | Schedule2 | Schedule3}}}
lan_users {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip
<ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>}
{lan_user_end_ip <ipaddress>}} | group_wise <group name>}
dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>}
| ADDRESS_RANGE {dmz_user_start_ip <ipaddress>}
{dmz_user_end_ip <ipaddress>}}
log {NEVER | ALWAYS}
Mode
security-config [firewall-ipv4-lan-dmz-inbound]
Keyword (might consist of two separate words)
Associated Keyword to Select or Parameter to Type
Description

Service name, action, and schedule

service_name default_services
Associated keyword: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, or SIP-UDP
Description: The default service and protocol to which the firewall rule applies.
service_name custom_services
Parameter: custom service name
Description: The custom service that you have configured with the command.

action
Associated keyword: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK
Description: The type of action to be enforced by the rule.

schedule
Associated keyword: Schedule1, Schedule2, or Schedule3
Description: The schedule, if any, that is applicable to the rule.

LAN user addresses or LAN group and DMZ user addresses

lan_users address_wise
Associated keyword: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
Description: The type of LAN address.

lan_user_start_ip
Parameter: ipaddress
Description: There are two options:
• The IP address if the lan_users address_wise keywords are set to SINGLE_ADDRESS.
• The start IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.

lan_user_end_ip
Parameter: ipaddress
Description: The end IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.

lan_users group_wise
Parameter: group name
Description: The name of the LAN group. The group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that you specified with the net lan lan_groups edit <row id> <new group name> command.

dmz_users
Associated keyword: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
Description: The type of DMZ address.

dmz_user_start_ip
Parameter: ipaddress
Description: There are two options:
• The IP address if the dmz_users keyword is set to SINGLE_ADDRESS.
• The start IP address if the dmz_users keyword is set to ADDRESS_RANGE.

dmz_user_end_ip
Parameter: ipaddress
Description: The end IP address if the dmz_users keyword is set to ADDRESS_RANGE.
Logging

log
Associated keyword: NEVER or ALWAYS
Description: Enables or disables logging.

Command example: See the command example for the security firewall ipv4 add_rule lan_dmz inbound command.
Related show command:
show security firewall ipv4 setup lan_dmz
IPv4 General Firewall Commands
security firewall ipv4 default_outbound_policy {Allow | Block}
This command allows or blocks the IPv4 firewall default outbound policy.
Format
security firewall ipv4 default_outbound_policy {Allow | Block}
Mode
security
Related show command:
show security firewall ipv4 setup lan_wan
show security firewall ipv4 setup dmz_wan
show security firewall ipv4 setup lan_dmz
security firewall ipv4 delete <row id>
This command deletes an IPv4 firewall rule by deleting its row ID.
Format
security firewall ipv4 delete <row id>
Mode
security
Related show command:
show security firewall ipv4 setup lan_wan
show security firewall ipv4 setup dmz_wan
show security firewall ipv4 setup lan_dmz
security firewall ipv4 disable <row id>
This command disables an IPv4 firewall rule by specifying its row ID.
Format
security firewall ipv4 disable <row id>
Mode
security
Related show command:
show security firewall ipv4 setup lan_wan
show security firewall ipv4 setup dmz_wan
show security firewall ipv4 setup lan_dmz
security firewall ipv4 enable <row id>
This command enables an IPv4 firewall rule by specifying its row ID.
Format
security firewall ipv4 enable <row id>
Mode
security
Related show command:
show security firewall ipv4 setup lan_wan
show security firewall ipv4 setup dmz_wan
show security firewall ipv4 setup lan_dmz
IPv6 Firewall Commands
security firewall ipv6 default_outbound_policy {Allow | Block}
This command allows or blocks the IPv6 firewall default outbound policy.
Format
security firewall ipv6 default_outbound_policy {Allow | Block}
Mode
security
Related show command:
show security firewall ipv6 setup
security firewall ipv6 configure
This command configures a new IPv6 firewall rule. After you have issued the security firewall ipv6 configure command, you enter the security-config [firewall-ipv6] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.
Step 1
Format
security firewall ipv6 configure
Mode
security
Step 2
Format
from_zone {LAN | WAN | DMZ}
to_zone {LAN | WAN | DMZ}
service_name {default_services <default service name> |
custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW |
BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 |
Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK
{schedule {Schedule1 | Schedule2 | Schedule3}}}
source_address_type {ANY | SINGLE_ADDRESS {source_start_address
<ipv6-address>} | ADDRESS_RANGE {source_start_address
<ipv6-address>} {source_end_address <ipv6-address>}}
destination_address_type {ANY | SINGLE_ADDRESS
{destination_start_address <ipv6-address>} | ADDRESS_RANGE
{destination_start_address <ipv6-address>}
{destination_end_address <ipv6-address>}}
qos_priority {Normal-Service | Minimize-Cost |
Maximize-Reliability | Maximize-Throughput | Minimize-Delay}
log {NEVER | ALWAYS}
Mode
security-config [firewall-ipv6]
Keyword (might consist of two separate words)
Associated Keyword to Select or Parameter to Type
Description

Direction of service, service name, action, and schedule

from_zone
Associated keyword: LAN, WAN, or DMZ
Description: Select the outbound direction:
• LAN. From the LAN.
• WAN. From the WAN.
• DMZ. From the DMZ.

to_zone
Associated keyword: LAN, WAN, or DMZ
Description: Select the inbound direction:
• LAN. To the LAN.
• WAN. To the WAN.
• DMZ. To the DMZ.
service_name default_services
Associated keyword: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, or SIP-UDP
Description: The default service and protocol to which the firewall rule applies.

service_name custom_services
Parameter: custom service name
Description: The custom service that you have configured with the command.

action
Associated keyword: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK
Description: The type of action to be taken by the rule.

schedule
Associated keyword: Schedule1, Schedule2, or Schedule3
Description: The schedule, if any, that is applicable to the rule.

LAN, WAN, and DMZ source and destination IP addresses

source_address_type
Associated keyword: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
Description: The type of source address.

source_start_address
Parameter: ipv6-address
Description: There are two options:
• The IPv6 address if the source_address_type keyword is set to SINGLE_ADDRESS.
• The start IPv6 address if the source_address_type keyword is set to ADDRESS_RANGE.

source_end_address
Parameter: ipv6-address
Description: The end IPv6 address if the source_address_type keyword is set to ADDRESS_RANGE.
destination_address_type
Associated keyword: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
Description: The type of destination address.

destination_start_address
Parameter: ipv6-address
Description: There are two options:
• The IPv6 address if the destination_address_type keyword is set to SINGLE_ADDRESS.
• The start IPv6 address if the destination_address_type keyword is set to ADDRESS_RANGE.

destination_end_address
Parameter: ipv6-address
Description: The end IPv6 address if the destination_address_type keyword is set to ADDRESS_RANGE.

QoS profile and logging

qos_priority
Associated keyword: Normal-Service, Minimize-Cost, Maximize-Reliability, Maximize-Throughput, or Minimize-Delay
Description: The type of QoS that applies to the rule. You can apply QoS to LAN WAN and DMZ WAN outbound rules only.

log
Associated keyword: NEVER or ALWAYS
Description: Enables or disables logging.
Command example:
FVS318N> security firewall ipv6 configure
security-config[firewall-ipv6]> from_zone WAN
security-config[firewall-ipv6]> to_zone LAN
security-config[firewall-ipv6]> service_name default_services RTELNET
security-config[firewall-ipv6]> action ALWAYS_ALLOW
security-config[firewall-ipv6]> source_address_type SINGLE_ADDRESS
security-config[firewall-ipv6]> source_start_address 2002::B32:AAB1:fD41
security-config[firewall-ipv6]> destination_address_type SINGLE_ADDRESS
security-config[firewall-ipv6]> destination_start_address FEC0::db8:145
security-config[firewall-ipv6]> log ALWAYS
security-config[firewall-ipv6]> save
Related show command:
show security firewall ipv6 setup
security firewall ipv6 edit <row id>
This command configures an existing IPv6 firewall rule. After you have issued the security firewall ipv6 edit command to specify the row to be edited (for row information, see the output of the show security firewall ipv6 setup command), you enter the security-config [firewall-ipv6] mode. You can then edit one keyword and associated parameter or associated keyword at a time in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.
Step 1
Format: security firewall ipv6 edit <row id>
Mode: security
Step 2
Format:
from_zone {LAN | WAN | DMZ}
to_zone {LAN | WAN | DMZ}
service_name {default_services <default service name> | custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
source_address_type {ANY | SINGLE_ADDRESS {source_start_address <ipv6-address>} | ADDRESS_RANGE {source_start_address <ipv6-address>} {source_end_address <ipv6-address>}}
destination_address_type {ANY | SINGLE_ADDRESS {destination_start_address <ipv6-address>} | ADDRESS_RANGE {destination_start_address <ipv6-address>} {destination_end_address <ipv6-address>}}
qos_priority {Normal-Service | Minimize-Cost | Maximize-Reliability | Maximize-Throughput | Minimize-Delay}
log {NEVER | ALWAYS}
Mode: security-config [firewall-ipv6]
| Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| Direction of service, service name, action, and schedule | | |
| from_zone | LAN, WAN, or DMZ | Select the outbound direction: • LAN. From the LAN. • WAN. From the WAN. • DMZ. From the DMZ. |
| to_zone | LAN, WAN, or DMZ | Select the inbound direction: • LAN. To the LAN. • WAN. To the WAN. • DMZ. To the DMZ. |
| service_name default_services | ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, or SIP-UDP | The default service and protocol to which the firewall rule applies. |
| service_name custom_services | custom service name | The custom service that you have configured with the |
| action | ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK | The type of action to be taken by the rule. |
| schedule | Schedule1, Schedule2, or Schedule3 | The schedule, if any, that is applicable to the rule. |
| LAN, WAN, and DMZ source and destination IP addresses | | |
| source_address_type | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of source address. |
| source_start_address | ipv6-address | There are two options: • The IPv6 address if the source_address_type keyword is set to SINGLE_ADDRESS. • The start IPv6 address if the source_address_type keyword is set to ADDRESS_RANGE. |
| source_end_address | ipv6-address | The end IPv6 address if the source_address_type keyword is set to ADDRESS_RANGE. |
| destination_address_type | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | The type of destination address. |
| destination_start_address | ipv6-address | There are two options: • The IPv6 address if the destination_address_type keyword is set to SINGLE_ADDRESS. • The start IPv6 address if the destination_address_type keyword is set to ADDRESS_RANGE. |
| destination_end_address | ipv6-address | The end IPv6 address if the destination_address_type keyword is set to ADDRESS_RANGE. |
| QoS profile and logging | | |
| qos_priority | Normal-Service, Minimize-Cost, Maximize-Reliability, Maximize-Throughput, or Minimize-Delay | The type of QoS that applies to the rule. You can apply QoS to LAN WAN and DMZ WAN outbound rules only. |
| log | NEVER or ALWAYS | Enables or disables logging. |
Command example: See the command example for the security firewall ipv6 configure command.
Related show command:
show security firewall ipv6 setup
security firewall ipv6 delete <row id>
This command deletes an IPv6 firewall rule by deleting its row ID.
Format: security firewall ipv6 delete <row id>
Mode: security
Related show command:
show security firewall ipv6 setup
security firewall ipv6 disable <row id>
This command disables an IPv6 firewall rule by specifying its row ID.
Format: security firewall ipv6 disable <row id>
Mode: security
Related show command:
show security firewall ipv6 setup
security firewall ipv6 enable <row id>
This command enables an IPv6 firewall rule by specifying its row ID.
Format: security firewall ipv6 enable <row id>
Mode: security
Related show command:
show security firewall ipv6 setup
Attack Check Commands
security firewall attack_checks configure ipv4
This command configures IPv4 WAN and LAN security attack checks. After you have issued the security firewall attack_checks configure ipv4 command, you enter the security-config [attack-checks-ipv4] mode, and then you can edit one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: security firewall attack_checks configure ipv4
Mode: security
Step 2
Format:
respond_to_ping_on_internet_ports {Y | N}
enable_stealth_mode {Y | N}
block_tcp_flood {Y | N}
block_udp_flood {Y | N}
disable_ping_reply_on_lan {Y | N}
Mode: security-config [attack-checks-ipv4]
| Keyword | Associated Keyword to Select | Description |
|---|---|---|
| WAN security checks | | |
| respond_to_ping_on_internet_ports | Y or N | Enables or disables the response to a ping from the WAN port. |
| enable_stealth_mode | Y or N | Enables or disables stealth mode. |
| block_tcp_flood | Y or N | Blocks or allows TCP floods on the WAN port. |
| LAN security checks | | |
| block_udp_flood | Y or N | Blocks or allows UDP floods on LAN ports. |
| disable_ping_reply_on_lan | Y or N | Enables or disables ping replies from LAN ports. |
Command example:
FVS318N> security firewall attack_checks configure ipv4
security-config[attack-checks-ipv4]> respond_to_ping_on_internet_ports N
security-config[attack-checks-ipv4]> enable_stealth_mode Y
security-config[attack-checks-ipv4]> block_tcp_flood Y
security-config[attack-checks-ipv4]> block_udp_flood N
security-config[attack-checks-ipv4]> disable_ping_reply_on_lan Y
security-config[attack-checks-ipv4]> save
Related show command:
show security firewall attack_checks setup ipv4
security firewall attack_checks igmp setup
This command enables or disables multicast pass-through by enabling or disabling the IGMP proxy for IPv4 traffic. After you have issued the security firewall attack_checks igmp setup command, you enter the security-advanced-config [igmp] mode, and then you can enable or disable the IGMP proxy.
Step 1
Format: security firewall attack_checks igmp setup
Mode: security
Step 2
Format: enable_igmp_proxy {Y | N}
Mode: security-advanced-config [igmp]
Related show command:
show security firewall attack_checks igmp
security firewall attack_checks jumboframe setup
This command enables or disables jumbo frames for IPv4 traffic. After you have issued the security firewall attack_checks jumboframe setup command, you enter the security-advanced-config [jumbo-frame] mode, and then you can enable or disable jumbo frames.
Step 1
Format: security firewall attack_checks jumboframe setup
Mode: security
Step 2
Format: enable_jumboframe {Y | N}
Mode: security-advanced-config [jumbo-frame]
Related show command:
show security firewall attack_checks jumboframe
security firewall attack_checks vpn_passthrough configure
This command configures VPN pass-through for IPv4 traffic. After you have issued the security firewall attack_checks vpn_passthrough configure command, you enter the security-config [vpn-passthrough] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: security firewall attack_checks vpn_passthrough configure
Mode: security
Step 2
Format:
ipsec_enable {Y | N}
l2tp_enable {Y | N}
pptp_enable {Y | N}
Mode: security-config [vpn-passthrough]

| Keyword | Associated Keyword to Select | Description |
|---|---|---|
| ipsec_enable | Y or N | Enables or disables IPSec pass-through. |
| l2tp_enable | Y or N | Enables or disables L2TP pass-through. |
| pptp_enable | Y or N | Enables or disables PPTP pass-through. |

Command example:
FVS318N> security firewall attack_checks vpn_passthrough configure
security-config[vpn-passthrough]> ipsec_enable Y
security-config[vpn-passthrough]> l2tp_enable Y
security-config[vpn-passthrough]> pptp_enable N
security-config[vpn-passthrough]> save
Related show command:
show security firewall attack_checks vpn_passthrough setup
security firewall attack_checks configure ipv6
This command configures IPv6 WAN security attack checks. After you have issued the security firewall attack_checks configure ipv6 command, you enter the security-config [attack-checks-ipv6] mode, and then you can edit one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: security firewall attack_checks configure ipv6
Mode: security
Step 2
Format:
respond_to_ping_on_internet_ports {Y | N}
vpn_ipsec_passthrough {Y | N}
Mode: security-config [attack-checks-ipv6]

| Keyword | Associated Keyword to Select | Description |
|---|---|---|
| respond_to_ping_on_internet_ports | Y or N | Enables or disables the response to a ping from the WAN port. |
| vpn_ipsec_passthrough | Y or N | Enables or disables IPSec VPN traffic that is initiated from the LAN to reach the WAN, irrespective of the default firewall outbound policy and custom firewall rules. |

Command example:
FVS318N> security firewall attack_checks configure ipv6
security-config[attack-checks-ipv6]> respond_to_ping_on_internet_ports N
security-config[attack-checks-ipv6]> vpn_ipsec_passthrough Y
security-config[attack-checks-ipv6]> save
Related show command:
show security firewall attack_checks setup ipv4
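To review changes to the attack-check and VPN pass-through settings described in this section, a saved copy of the typed CLI session can be compared with a site baseline and turned into the commands that restore it. The following Python example is added here and is not NETGEAR code; the baseline values, function names, and sample log are assumptions, as is treating keywords typed in a block that never reaches save as not applied.

```python
import re

# Site baseline chosen for illustration (an assumption, not a NETGEAR
# recommendation). Modes and keywords are the ones documented in this section.
BASELINE = {
    "attack-checks-ipv4": {
        "respond_to_ping_on_internet_ports": "N",
        "enable_stealth_mode": "Y",
        "block_tcp_flood": "Y",
        "block_udp_flood": "Y",
    },
    "vpn-passthrough": {"pptp_enable": "N"},
    "attack-checks-ipv6": {"respond_to_ping_on_internet_ports": "N"},
}

# Command that enters each configuration mode, as documented in this section.
ENTER = {
    "attack-checks-ipv4": "security firewall attack_checks configure ipv4",
    "vpn-passthrough": "security firewall attack_checks vpn_passthrough configure",
    "attack-checks-ipv6": "security firewall attack_checks configure ipv6",
}

# Constructed change log (not device output): what an operator typed.
SAMPLE_LOG = """\
FVS318N> security firewall attack_checks configure ipv4
security-config[attack-checks-ipv4]> respond_to_ping_on_internet_ports Y
security-config[attack-checks-ipv4]> enable_stealth_mode Y
security-config[attack-checks-ipv4]> block_tcp_flood Y
security-config[attack-checks-ipv4]> block_udp_flood N
security-config[attack-checks-ipv4]> save
FVS318N> security firewall attack_checks vpn_passthrough configure
security-config[vpn-passthrough]> ipsec_enable Y
security-config[vpn-passthrough]> pptp_enable Y
FVS318N> security firewall attack_checks configure ipv6
security-config[attack-checks-ipv6]> respond_to_ping_on_internet_ports N
security-config[attack-checks-ipv6]> save
"""

PROMPT = re.compile(r"^security-config\s?\[([\w-]+)\]>\s*(\S+)\s*(\S*)$")


def applied_settings(log):
    """Return ({mode: {keyword: value}} that reached save, [modes never saved])."""
    saved, pending = {}, {}
    for line in log.splitlines():
        match = PROMPT.match(line.strip())
        if not match:
            continue
        mode, keyword, value = match.groups()
        if keyword == "save":
            saved.setdefault(mode, {}).update(pending.pop(mode, {}))
        else:
            pending.setdefault(mode, {})[keyword] = value
    return saved, sorted(pending)


def drift(saved):
    """List (mode, keyword, found, wanted) for saved values that differ from BASELINE.

    Keywords that do not appear in the log are not judged: the log records
    changes, not the full device state.
    """
    findings = []
    for mode, wanted in BASELINE.items():
        for keyword, value in wanted.items():
            found = saved.get(mode, {}).get(keyword)
            if found is not None and found != value:
                findings.append((mode, keyword, found, value))
    return findings


def remediation(findings):
    """Render the CLI session that sets each drifted keyword back to BASELINE."""
    lines = []
    for mode, command in ENTER.items():
        fixes = [(kw, want) for m, kw, _, want in findings if m == mode]
        if fixes:
            lines.append(f"FVS318N> {command}")
            lines += [f"security-config[{mode}]> {kw} {want}" for kw, want in fixes]
            lines.append(f"security-config[{mode}]> save")
    return lines


if __name__ == "__main__":
    saved_settings, unsaved_modes = applied_settings(SAMPLE_LOG)
    print("Blocks without save (not evaluated):", unsaved_modes)
    print("\n".join(remediation(drift(saved_settings))))
```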
Session Limit, Time-Out, and Advanced Commands
security firewall session_limit configure
This command configures global session limits. After you have issued the security firewall session_limit configure command, you enter the security-config [session-limit] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: security firewall session_limit configure
Mode: security
Step 2
Format:
enable {Y | N}
conn_limit_type {Percentage_Of_MaxSessions | Number_Of_Sessions}
user_limit <number>
Mode: security-config [session-limit]

| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| enable | Y or N | Enables or disables session limits. |
| conn_limit_type | Percentage_Of_MaxSessions or Number_Of_Sessions | The type of session limits: • Percentage_Of_MaxSessions. Specifies a percentage of the total session connection capacity on the wireless VPN firewall. • Number_Of_Sessions. An absolute number of maximum sessions. |
| user_limit | number | The percentage of the total session connection capacity on the wireless VPN firewall or an absolute number of maximum sessions. |

Command example:
FVS318N> security firewall session_limit configure
security-config[session-limit]> enable Y
security-config[session-limit]> conn_limit_type Percentage_Of_MaxSessions
security-config[session-limit]> user_limit 80
security-config[session-limit]> save
Related show command:
show security firewall session_limit
security firewall session_settings configure
This command configures global session time-outs. After you have issued the security firewall session_settings configure command, you enter the security-config [session-settings] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: security firewall session_settings configure
Mode: security
Step 2
Format:
tcp_session_timeout <seconds>
udp_session_timeout <seconds>
icmp_session_timeout <seconds>
Mode: security-config [session-settings]

| Keyword | Associated Parameter to Type | Description |
|---|---|---|
| tcp_session_timeout | seconds | Configures the TCP session timeout period (integer) in seconds. |
| udp_session_timeout | seconds | Configures the UDP session timeout period (integer) in seconds. |
| icmp_session_timeout | seconds | Configures the ICMP session timeout period (integer) in seconds. |

Command example:
FVS318N> security firewall session_settings configure
security-config[session-settings]> tcp_session_timeout 3600
security-config[session-settings]> udp_session_timeout 180
security-config[session-settings]> icmp_session_timeout 120
security-config[session-settings]> save
Related show command:
show security firewall session_settings
security firewall advanced algs
This command configures Session Initiation Protocol (SIP) support for the application level gateway (ALG). After you have issued the security firewall advanced algs command, you enter the security-config [firewall-alg] mode, and then you can configure SIP support.
Step 1
Format: security firewall advanced algs
Mode: security
Step 2
Format: sip {Y | N}
Mode: security-config [firewall-alg]

| Keyword | Associated Keyword to Select | Description |
|---|---|---|
| sip | Y or N | Enables or disables SIP for the ALG. |
Related show command:
show security firewall advanced algs
Address Filter and IP/MAC Binding Commands
security address_filter mac_filter configure
This command configures the source MAC address filter. After you have issued the security address_filter mac_filter configure command, you enter the security-config [mac-filter] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: security address_filter mac_filter configure
Mode: security
Step 2
Format: enable {N | Y {policy {Permit-And-Block-Rest | Block-And-Permit-Rest}}}
Mode: security-config [mac-filter]

| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| enable | Y or N | Enables or disables the source MAC address filter. |
| policy | Permit-And-Block-Rest or Block-And-Permit-Rest | Sets the policy of the source MAC address filter. |

Command example:
FVS318N> security address_filter mac_filter configure
security-config[mac-filter]> enable Y
security-config[mac-filter]> policy Block-And-Permit-Rest
security-config[mac-filter]> save
Related show command:
show security address_filter mac_filter setup
security address_filter mac_filter source add
This command adds a new MAC address to the MAC address table for the source MAC address filter. After you have issued the security address_filter mac_filter source add command, you enter the security-config [mac-filter-source] mode, and then you can add a MAC address.
Step 1
Format: security address_filter mac_filter source add
Mode: security
Step 2
Format: address <mac address>
Mode: security-config [mac-filter-source]
Related show command:
show security address_filter mac_filter setup
security address_filter mac_filter source delete <row id>
This command deletes a MAC address from the MAC address table by deleting its row ID.
Format: security address_filter mac_filter source delete <row id>
Mode: security
Related show command:
show security address_filter mac_filter setup
security address_filter ip_or_mac_binding add
This command configures a new IP/MAC binding rule. After you have issued the security address_filter ip_or_mac_binding add command, you enter the security-config [ip-or-mac-binding] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: security address_filter ip_or_mac_binding add
Mode: security
Step 2
Format:
name <rule name>
mac_address <mac address>
ip_version {IPv4 {ip_address <ipaddress>} | IPv6 {ip_address6 <ipv6-address>}}
log_dropped_packets {Y | N}
Mode: security-config [ip-or-mac-binding]

| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| name | rule name | The name (alphanumeric string) of the IP/MAC binding rule. |
| mac_address | mac address | The MAC address to which the IP/MAC binding rule is applied. |
| ip_version | IPv4 or IPv6 | Specifies the type of IP address to which the IP/MAC binding rule is applied: • IPv4. You need to issue the ip_address keyword and specify an IPv4 address. • IPv6. You need to issue the ip_address6 keyword and specify an IPv6 address. |
| ip_address | ipaddress | The IPv4 address to which the IP/MAC binding rule is applied. |
| ip_address6 | ipv6-address | The IPv6 address to which the IP/MAC binding rule is applied. |
| log_dropped_packets | Y or N | Enables or disables logging for the IP/MAC binding rule. |

Command example:
FVS318N> security address_filter ip_or_mac_binding add
security-config[ip-or-mac-binding]> name Rule1
security-config[ip-or-mac-binding]> mac_address 00:aa:23:be:03:a1
security-config[ip-or-mac-binding]> ip_version IPv4
security-config[ip-or-mac-binding]> ip_address 192.168.10.153
security-config[ip-or-mac-binding]> log_dropped_packets Y
security-config[ip-or-mac-binding]> save
Related show command:
show security address_filter ip_or_mac_binding setup
security address_filter ip_or_mac_binding edit <row id>
This command configures an existing IP/MAC binding rule. After you have issued the security address_filter ip_or_mac_binding edit command to specify the row to be edited, you enter the security-config [ip-or-mac-binding] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: security address_filter ip_or_mac_binding edit <row id>
Mode: security
Step 2
Format:
name <rule name>
mac_address <mac address>
ip_version {IPv4 {ip_address <ipaddress>} | IPv6 {ip_address6 <ipv6-address>}}
log_dropped_packets {Y | N}
Mode: security-config [ip-or-mac-binding]

| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| name | rule name | The name (alphanumeric string) of the IP/MAC binding rule. |
| mac_address | mac address | The MAC address to which the IP/MAC binding rule is applied. |
| ip_version | IPv4 or IPv6 | Specifies the type of IP address to which the IP/MAC binding rule is applied: • IPv4. You need to issue the ip_address keyword and specify an IPv4 address. • IPv6. You need to issue the ip_address6 keyword and specify an IPv6 address. |
| ip_address | ipaddress | The IPv4 address to which the IP/MAC binding rule is applied. |
| ip_address6 | ipv6-address | The IPv6 address to which the IP/MAC binding rule is applied. |
| log_dropped_packets | Y or N | Enables or disables logging for the IP/MAC binding rule. |
Related show command:
show security address_filter ip_or_mac_binding setup
security address_filter ip_or_mac_binding delete <row id>
This command deletes an IP/MAC binding rule by deleting its row ID.
Format: security address_filter ip_or_mac_binding delete <row id>
Mode: security
Related show command:
show security address_filter ip_or_mac_binding setup
security address_filter ip_or_mac_binding enable_email_log <ip version>
This command configures the email log for IP/MAC binding violations. After you have issued the security address_filter ip_or_mac_binding enable_email_log command to specify the IP version (IPv4 or IPv6), you enter the security-config [ip-or-mac-binding] mode, and then you can configure the email log setting.
Step 1
Format: security address_filter ip_or_mac_binding enable_email_log
Mode: security
Step 2
Format: enable_email_logs {Y | N}
Mode: security-config [ip-or-mac-binding]

| Keyword | Associated Keyword to Select | Description |
|---|---|---|
| enable_email_logs | Y or N | Enables or disables the email log for IP/MAC binding violations. |

Related show command:
show security address_filter enable_email_log
Port Triggering Commands
security porttriggering_rules add
This command configures a new port triggering rule. After you have issued the security porttriggering_rules add command, you enter the security-config [porttriggering-rules] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: security porttriggering_rules add
Mode: security
Step 2
Format:
name <rule name>
enable_rule {Y | N}
protocol {TCP | UDP}
outgoing_start_port <number>
outgoing_end_port <number>
incoming_start_port <number>
incoming_end_port <number>
Mode: security-config [porttriggering-rules]

| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| name | rule name | The name (alphanumeric string) of the port triggering rule. |
| enable_rule | Y or N | Enables or disables the port triggering rule. |
| protocol | TCP or UDP | Specifies whether the port uses the TCP or UDP protocol. |
| outgoing_start_port | number | The start port number (integer) of the outgoing traffic range. Valid numbers are from 0 to 65535. |
| outgoing_end_port | number | The end port number (integer) of the outgoing traffic range. Valid numbers are from 0 to 65535. |
| incoming_start_port | number | The start port number (integer) of the incoming traffic range. Valid numbers are from 0 to 65535. |
| incoming_end_port | number | The end port number (integer) of the incoming traffic range. Valid numbers are from 0 to 65535. |

Command example:
FVS318N> security porttriggering_rules add
security-config[porttriggering-rules]> name AccInq
security-config[porttriggering-rules]> enable_rule Y
security-config[porttriggering-rules]> protocol TCP
security-config[porttriggering-rules]> outgoing_start_port 20020
security-config[porttriggering-rules]> outgoing_end_port 20022
security-config[porttriggering-rules]> incoming_start_port 30030
security-config[porttriggering-rules]> incoming_end_port 30040
security-config[porttriggering-rules]> save
Related show command:
show security porttriggering_rules setup
show security porttriggering_rules status
security porttriggering_rules edit <row id>
This command configures an existing port triggering rule. After you have issued the security porttriggering_rules edit command to specify the row to be edited, you enter the security-config [porttriggering-rules] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: security porttriggering_rules edit <row id>
Mode: security
Step 2
Format:
name <rule name>
enable_rule {Y | N}
protocol {TCP | UDP}
outgoing_start_port <number>
outgoing_end_port <number>
incoming_start_port <number>
incoming_end_port <number>
Mode: security-config [porttriggering-rules]

| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| name | rule name | The name (alphanumeric string) of the port triggering rule. |
| enable_rule | Y or N | Enables or disables the port triggering rule. |
| protocol | TCP or UDP | Specifies whether the port uses the TCP or UDP protocol. |
| outgoing_start_port | number | The start port number (integer) of the outgoing traffic range. Valid numbers are from 0 to 65535. |
| outgoing_end_port | number | The end port number (integer) of the outgoing traffic range. Valid numbers are from 0 to 65535. |
| incoming_start_port | number | The start port number (integer) of the incoming traffic range. Valid numbers are from 0 to 65535. |
| incoming_end_port | number | The end port number (integer) of the incoming traffic range. Valid numbers are from 0 to 65535. |

Related show command:
show security porttriggering_rules setup
show security porttriggering_rules status
security porttriggering_rules delete <row id>
This command deletes a port triggering rule by deleting its row.
Format: security porttriggering_rules delete <row id>
Mode: security
Related show command:
show security porttriggering_rules setup
show security porttriggering_rules status
UPnP Command
security upnp configure
This command configures Universal Plug and Play (UPnP). After you have issued the security upnp configure command, you enter the security-config [upnp] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: security upnp configure
Mode: security
Step 2
Format:
enable {Y | N}
advertisement period <seconds>
advertisement time_to_live <seconds>
Mode: security-config [upnp]

| Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| enable | Y or N | Enables or disables UPnP. |
| advertisement period | seconds | The advertisement period in seconds, from 1 to 86400 seconds. |
| advertisement time_to_live | seconds | The advertisement time-to-live period in seconds, from 1 to 255 seconds. |

Command example:
FVS318N> security upnp configure
security-config[upnp]> enable Y
security-config[upnp]> advertisement period 60
security-config[upnp]> advertisement time_to_live 6
security-config[upnp]> save
Related show command:
Bandwidth Profile Commands
security bandwidth profile add
This command configures a new bandwidth profile. After you have issued the security bandwidth profile add command, you enter the security-config [bandwidth-profile] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: security bandwidth profile add
Mode: security
Step 2
Format:
name <profile name>
direction {Inbound | Outbound | Both_Directions}
inbound_minimum_rate <kbps>
inbound_maximum_rate <kbps>
outbound_minimum_rate <kbps>
outbound_maximum_rate <kbps>
is_group {Individual | Group}
Mode: security-config [bandwidth-profile]

| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| name | profile name | The profile name (alphanumeric string). |
| direction | Inbound, Outbound, or Both_Directions | The direction to which the bandwidth profile applies. |
| inbound_minimum_rate | kbps | The minimum inbound bandwidth in kbps (0 to 100000) provided to the group or individual user. |
| inbound_maximum_rate | kbps | The maximum inbound bandwidth in kbps (110 to 100000) provided to the group or individual user. |
| outbound_minimum_rate | kbps | The minimum outbound bandwidth in kbps (0 to 100000) provided to the group or individual user. |
| outbound_maximum_rate | kbps | The maximum outbound bandwidth in kbps (110 to 100000) provided to the group or individual user. |
| is_group | Individual or Group | The type for the bandwidth profile: • Individual. The profile applies to an individual user. • Group. The profile applies to a group. |

Command example:
FVS318N> security bandwidth profile add
security-config[bandwidth-profile]> name BW_Sales
security-config[bandwidth-profile]> direction Both_Directions
security-config[bandwidth-profile]> inbound_minimum_rate 1000
security-config[bandwidth-profile]> inbound_maximum_rate 10000
security-config[bandwidth-profile]> outbound_minimum_rate 1000
security-config[bandwidth-profile]> outbound_maximum_rate 10000
security-config[bandwidth-profile]> is_group Group
security-config[bandwidth-profile]> save
Related show command:
show security bandwidth profile setup
security bandwidth profile edit <row id>
This command configures an existing bandwidth profile. After you have issued the security bandwidth profile edit command to specify the row to be edited, you enter the security-config [bandwidth-profile] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: security bandwidth profile edit <row id>
Mode: security
Step 2
Format:
name <profile name>
direction {Inbound | Outbound | Both_Directions}
inbound_minimum_rate <kbps>
inbound_maximum_rate <kbps>
outbound_minimum_rate <kbps>
outbound_maximum_rate <kbps>
is_group {Individual | Group}
Mode: security-config [bandwidth-profile]

| Keyword | Associated Keyword to Select or Parameter to Type | Description |
|---|---|---|
| name | profile name | The profile name (alphanumeric string). |
| direction | Inbound, Outbound, or Both_Directions | The direction to which the bandwidth profile applies. |
| inbound_minimum_rate | kbps | The minimum inbound bandwidth in kbps (0 to 100000) provided to the group or individual user. |
| inbound_maximum_rate | kbps | The maximum inbound bandwidth in kbps (110 to 100000) provided to the group or individual user. |
| outbound_minimum_rate | kbps | The minimum outbound bandwidth in kbps (0 to 100000) provided to the group or individual user. |
| outbound_maximum_rate | kbps | The maximum outbound bandwidth in kbps (110 to 100000) provided to the group or individual user. |
| is_group | Individual or Group | The type for the bandwidth profile: • Individual. The profile applies to an individual user. • Group. The profile applies to a group. |
Related show command:
show security bandwidth profile setup
security bandwidth profile delete <row id>
This command deletes a bandwidth profile by deleting its row ID.
Format: security bandwidth profile delete <row id>
Mode: security
Related show command:
show security bandwidth profile setup
Content Filtering Commands
security content_filter content_filtering configure
This command globally enables or disables content filtering and configures web components. After you have issued the security content_filter content_filtering configure command, you enter the security-config [content-filtering] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: security content_filter content_filtering configure
Mode: security
Step 2
Format:
content_filtering {Y | N}
activex_enable {Y | N}
cookies_enable {Y | N}
java_enable {Y | N}
proxy_enable {Y | N}
Mode: security-config [content-filtering]

| Keyword | Associated Keyword to Select | Description |
|---|---|---|
| content_filtering | Y or N | Enables or disables content filtering globally. |
| activex_enable | Y or N | Enables or disables ActiveX. |
| cookies_enable | Y or N | Enables or disables cookies. |
| java_enable | Y or N | Enables or disables Java. |
| proxy_enable | Y or N | Enables or disables the proxy server. |

Command example:
FVS318N> security content_filter content_filtering configure
security-config[content-filtering]> content_filtering Y
security-config[content-filtering]> activex_enable Y
security-config[content-filtering]> cookies_enable Y
security-config[content-filtering]> java_enable Y
security-config[content-filtering]> proxy_enable N
security-config[content-filtering]> save
Related show command:
show security content_filter content_filtering
security content_filter block_group enable
This command applies content filtering to selected groups or to all groups. After you have issued the security content_filter block_group enable command, you enter the security-config[block-group-enable] mode, and then you can select a group, several groups, or all groups.
Step 1
Format: security content_filter block_group enable
Mode: security
Step 2
Format:
group all {Y}
group group1 {Y}
group group2 {Y}
group group3 {Y}
group group4 {Y}
group group5 {Y}
group group6 {Y}
group group7 {Y}
group group8 {Y}
Mode: security-config[block-group-enable]
Keyword (Associated Keyword to Select): Description
group all (Y): Enables content filtering for all groups.
group group1, group group2, group group3, group group4, group group5, group group6, group group7, group group8 (Y for each): Enables content filtering for the selected group.
Command example:
FVS318N> security content_filter block_group enable
security-config[block-group-enable]> group group1 Y
security-config[block-group-enable]> group group2 Y
security-config[block-group-enable]> group group3 Y
security-config[block-group-enable]> group group8 Y
security-config[block-group-enable]> save
Related show command:
show security content_filter block_group
security content_filter block_group disable
This command removes content filtering from selected groups or from all groups. After you have issued the security content_filter block_group disable command, you enter the security-config [block-group-disable] mode, and then you can select a group, several groups, or all groups.
Step 1
Format: security content_filter block_group disable
Mode: security
Step 2
Format:
group all {Y}
group group1 {Y}
group group2 {Y}
group group3 {Y}
group group4 {Y}
group group5 {Y}
group group6 {Y}
group group7 {Y}
group group8 {Y}
Mode: security-config [block-group-disable]
Keyword (Associated Keyword to Select): Description
group all (Y): Disables content filtering for all groups.
group group1, group group2, group group3, group group4, group group5, group group6, group group7, group group8 (Y for each): Disables content filtering for the selected group.
Command example:
FVS318N> security content_filter block_group disable
security-config[block-group-disable]> group group3 Y
security-config[block-group-disable]> group group8 Y
security-config[block-group-disable]> save
Related show command:
show security content_filter block_group
security content_filter blocked_keywords add
This command configures a new blocked keyword for content filtering. After you have issued the security content_filter blocked_keywords add command, you enter the security-config [blocked-keywords] mode, and then you can configure one keyword at a time.
Step 1
Format: security content_filter blocked_keywords add
Mode: security
Step 2
Format: blocked_keyword <keyword>
Mode: security-config [blocked-keywords]
Keyword (Associated Parameter to Type): Description
blocked_keyword (keyword): The keyword (string) that needs to be blocked.
Related show command:
show security content_filter blocked_keywords
security content_filter blocked_keywords edit <row id>
This command configures an existing blocked keyword for content filtering. After you have issued the security content_filter blocked_keywords edit command to specify the row to be edited, you enter the security-config [blocked-keywords] mode, and then you can edit the keyword.
Step 1
Format: security content_filter blocked_keywords edit
Mode: security
Step 2
Format: blocked_keyword <keyword>
Mode: security-config [blocked-keywords]
Keyword (Associated Parameter to Type): Description
blocked_keyword (keyword): The keyword (string) that needs to be blocked.
Related show command:
show security content_filter blocked_keywords
security content_filter blocked_keywords delete <row id>
This command deletes a blocked keyword by deleting its row ID.
Format: security content_filter blocked_keywords delete <row id>
Mode: security
Related show command:
show security content_filter blocked_keywords
security content_filter trusted_domain add
This command configures a new trusted domain for content filtering. After you have issued the security content_filter trusted_domain add command, you enter the security-config [approved-urls] mode, and then you can add a URL.
Step 1
Format: security content_filter trusted_domain add
Mode: security
Step 2
Format: url <url>
Mode: security-config [approved-urls]
Related show command:
show security content_filter trusted_domains
security content_filter trusted_domain edit <row id>
This command configures an existing trusted domain for content filtering. After you have issued the security content_filter trusted_domain edit command to specify the row to be edited, you enter the security-config [approved-urls] mode, and then you can edit the URL.
Step 1
Format: security content_filter trusted_domain edit <row id>
Mode: security
Step 2
Format: url <url>
Mode: security-config [approved-urls]
Related show command:
show security content_filter trusted_domains
security content_filter trusted_domain delete <row id>
This command deletes a trusted domain by deleting its row ID.
Format: security content_filter trusted_domain delete <row id>
Mode: security
Related show command:
show security content_filter trusted_domains
5. System Mode Configuration Commands
This chapter explains the configuration commands, keywords, and associated parameters in the system mode. The chapter includes the following sections:
• Firewall Logs and Email Alerts Commands
IMPORTANT: After you have issued a command that includes the word configure, add, or edit, you need to save (or cancel) your changes. For more information, see on page 13.
Remote Management Commands
system remote_management https configure
This command configures remote management over HTTPS. After you have issued the system remote_management https configure command, you enter the system-config [https] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Note: You can configure remote management over HTTPS for both IPv4 and IPv6 connections because these connections are not mutually exclusive.
Step 1
Format: system remote_management https configure
Mode: system
Step 2
Format:
ip_version {IPv4 | IPv6}
enable_ipv4 {Y | N}
access_type {Everyone | IP_Range {from_address <ipaddress>}
{end_address <ipaddress>} | To_this_PC_only {only_this_pc_ip
<ipaddress>}}
port <number>
enable_ipv6 {Y | N}
access_type6 {Everyone | IP_Range {from_address6
<ipv6-address>} {end_address6 <ipv6-address>} |
To_this_PC_only {only_this_pc_ipv6 <ipv6-address>}}
port <number>
Mode: system-config [https]
Keyword (Associated Keyword to Select or Parameter to Type): Description
ip_version (IPv4 or IPv6): Specifies the configuration of IPv4 or IPv6.
HTTPS over an IPv4 connection
enable_ipv4 (Y or N): Enables or disables remote management over HTTPS for an IPv4 connection.
access_type (Everyone, IP_Range, or To_this_PC_only): Specifies the type of access:
• Everyone. Enables access to all IP addresses. You do not need to configure any IP address.
• IP_Range. Enables access to a range of IP addresses. You also need to configure the from_address and end_address keywords and associated parameters.
• To_this_PC_only. Enables access to a single IP address. You also need to configure the only_this_pc_ip keyword and associated parameter.
from_address (ipaddress): The start IP address if you have set the access_type keyword to IP_Range.
end_address (ipaddress): The end IP address if you have set the access_type keyword to IP_Range.
only_this_pc_ip (ipaddress): The single IP address if you have set the access_type keyword to To_this_PC_only.
port (number): The number of the port through which access is allowed.
HTTPS over an IPv6 connection
enable_ipv6 (Y or N): Enables or disables remote management over HTTPS for an IPv6 connection.
access_type6 (Everyone, IP_Range, or To_this_PC_only): Specifies the type of access:
• Everyone. Enables access to all IP addresses. You do not need to configure any IP address.
• IP_Range. Enables access to a range of IP addresses. You also need to configure the from_address6 and end_address6 keywords and associated parameters.
• To_this_PC_only. Enables access to a single IP address. You also need to configure the only_this_pc_ip6 keyword and associated parameter.
from_address6 (ipv6-address): The start IP address if you have set the access_type6 keyword to IP_Range.
end_address6 (ipv6-address): The end IP address if you have set the access_type6 keyword to IP_Range.
only_this_pc_ip6 (ipaddress): The single IP address if you have set the access_type6 keyword to To_this_PC_only.
port (number): The number of the port through which access is allowed.
Command example:
FVS318N> system remote_management https configure
system-config[https]> ip_version IPv4
system-config[https]> enable_ipv4 Y
system-config[https]> access_type Everyone
system-config[https]> port 445
system-config[https]> save
Related show command:
show system remote_management setup
system remote_management telnet configure
This command configures remote management over Telnet. After you have issued the system remote_management telnet configure command, you enter the system-config [telnet] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Note: You can configure remote management over Telnet for both IPv4 and IPv6 connections because these connections are not mutually exclusive.
Step 1
Format: system remote_management telnet configure
Mode: system
Step 2
Format:
ip_version {IPv4 | IPv6}
enable_ipv4 {Y | N}
access_type {Everyone | IP_Range {from_address <ipaddress>}
{end_address <ipaddress>} | To_this_PC_only {only_this_pc_ip
<ipaddress>}}
enable_ipv6 {Y | N}
access_type6 {Everyone | IP_Range {from_address6
<ipv6-address>} {end_address6 <ipv6-address>} |
To_this_PC_only {only_this_pc_ip6 <ipv6-address>}}
Mode: system-config [telnet]
Keyword (Associated Keyword to Select or Parameter to Type): Description
ip_version (IPv4 or IPv6): Specifies the configuration of IPv4 or IPv6.
Telnet over an IPv4 connection
enable_ipv4 (Y or N): Enables or disables remote management over Telnet for an IPv4 connection.
access_type (Everyone, IP_Range, or To_this_PC_only): Specifies the type of access:
• Everyone. Enables access to all IP addresses. You do not need to configure any IP address.
• IP_Range. Enables access to a range of IP addresses. You also need to configure the from_address and end_address keywords and associated parameters.
• To_this_PC_only. Enables access to a single IP address. You also need to configure the only_this_pc_ip keyword and associated parameter.
from_address (ipaddress): The start IP address if you have set the access_type keyword to IP_Range.
end_address (ipaddress): The end IP address if you have set the access_type keyword to IP_Range.
only_this_pc_ip (ipaddress): The single IP address if you have set the access_type keyword to To_this_PC_only.
Telnet over an IPv6 connection
enable_ipv6 (Y or N): Enables or disables remote management over Telnet for an IPv6 connection.
access_type6 (Everyone, IP_Range, or To_this_PC_only): Specifies the type of access:
• Everyone. Enables access to all IP addresses. You do not need to configure any IP address.
• IP_Range. Enables access to a range of IP addresses. You also need to configure the from_address6 and end_address6 keywords and associated parameters.
• To_this_PC_only. Enables access to a single IP address. You also need to configure the only_this_pc_ip6 keyword and associated parameter.
from_address6 (ipv6-address): The start IP address if you have set the access_type6 keyword to IP_Range.
end_address6 (ipv6-address): The end IP address if you have set the access_type6 keyword to IP_Range.
only_this_pc_ip6 (ipaddress): The single IP address if you have set the access_type6 keyword to To_this_PC_only.
Command example:
FVS318N> system remote_management telnet configure
system-config[telnet]> ip_version IPv6
system-config[telnet]> enable_ipv6 Y
system-config[telnet]> access_type6 IP_Range
system-config[telnet]> from_address6 FEC0::3001
system-config[telnet]> end_address6 FEC0::3100
system-config[telnet]> save
Related show command:
show system remote_management setup
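An added example, not part of the NETGEAR manual: a short Python audit that reads a CLI session transcript in the form of the HTTPS and Telnet command examples above and reports from where each enabled remote management service can be reached. The finding labels, the 256-address threshold, and the function names are assumptions of this example; the Telnet finding reflects that Telnet carries the management session unencrypted.

```python
import ipaddress
import re

# Prompt lines as they appear in this manual's command examples, e.g.
#   system-config[https]> access_type Everyone
PROMPT = re.compile(r"^system-config\s*\[(https|telnet)\]>\s*(\S+)\s+(\S+)$")

# Constructed input: the manual's HTTPS and Telnet command examples,
# one command per line.
SAMPLE_SESSION = """\
FVS318N> system remote_management https configure
system-config[https]> ip_version IPv4
system-config[https]> enable_ipv4 Y
system-config[https]> access_type Everyone
system-config[https]> port 445
system-config[https]> save
FVS318N> system remote_management telnet configure
system-config[telnet]> ip_version IPv6
system-config[telnet]> enable_ipv6 Y
system-config[telnet]> access_type6 IP_Range
system-config[telnet]> from_address6 FEC0::3001
system-config[telnet]> end_address6 FEC0::3100
system-config[telnet]> save
"""


def parse_session(text):
    """Collect keyword/value pairs per protocol from a CLI transcript."""
    settings = {}
    for line in text.splitlines():
        match = PROMPT.match(line.strip())
        if match:  # 'save' and the FVS318N> lines carry no setting
            proto, keyword, value = match.groups()
            settings.setdefault(proto, {})[keyword] = value
    return settings


def range_size(first, last):
    """Number of addresses admitted by an inclusive from/end address pair."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo.version != hi.version or int(hi) < int(lo):
        raise ValueError(f"invalid range {first} - {last}")
    return int(hi) - int(lo) + 1


def audit(settings, max_range=256):
    """Return sorted (protocol, family, finding) tuples for enabled services."""
    findings = []
    for proto, kv in settings.items():
        # The IPv6 keywords are the IPv4 keywords with a trailing 6.
        for family, sfx in (("IPv4", ""), ("IPv6", "6")):
            if kv.get("enable_ipv" + family[-1]) != "Y":
                continue
            if proto == "telnet":
                findings.append((proto, family, "cleartext-protocol"))
            access = kv.get("access_type" + sfx)
            if access == "Everyone":
                findings.append((proto, family, "open-to-all-addresses"))
            elif access == "IP_Range":
                try:
                    size = range_size(kv["from_address" + sfx],
                                      kv["end_address" + sfx])
                except (KeyError, ValueError):
                    findings.append((proto, family, "range-incomplete-or-invalid"))
                else:
                    if size > max_range:
                        findings.append((proto, family, f"wide-range:{size}"))
            elif access != "To_this_PC_only":
                # Enabled, but the transcript never set the access type.
                findings.append((proto, family, "access-type-not-in-transcript"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_session(SAMPLE_SESSION)):
        print(*finding)
```

Replacing access_type Everyone with access_type IP_Range plus from_address and end_address lines in the transcript clears the HTTPS finding, which is the change to make on the device itself.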
SNMP Commands
system snmp trap configure <ip address>
This command configures a new or existing SNMP agent to which trap information is forwarded. After you have issued the system snmp trap configure command to specify the IP address of the agent, you enter the system-config [snmp-trap] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: system snmp trap configure <ipaddress>
Mode: system
Step 2
Format:
subnet_mask <subnet mask>
port <number>
community <community name>
agent <ipaddress>
Mode: system-config [snmp-trap]
Keyword (Associated Parameter to Type): Description
subnet_mask (subnet mask): The subnet mask used to determine the list of allowed SNMP agents that are part of the subnet. To allow any IP address on the network to manage the device, specify 255.255.255.0. For a specific host, specify 255.255.255.255. To allow global access, specify 0.0.0.0.
port (number): The SNMP port (integer) to which the trap messages are forwarded. Valid numbers are from 0 to 65535.
community (community name): The string that represents the community to which the agent belongs. Most agents are configured to listen for traps in the public community.
agent (ipaddress): This keyword and parameter allow you to change the existing agent IP address that you issued to enter the system-config [snmp-trap] mode.
Command example:
FVS318N> system snmp trap configure 10.118.33.245
system-config[snmp-trap]> subnet_mask 255.255.255.0
system-config[snmp-trap]> port 162
system-config[snmp-trap]> community public
system-config[snmp-trap]> save
Related show command:
show system snmp trap [agent ipaddress]
system snmp trap delete <ipaddress>
This command deletes an SNMP agent by deleting its IP address.
Format: system snmp trap delete <ipaddress>
Mode: system
Related show command:
show system snmp trap [agent ipaddress]
system snmp sys configure
This command configures the SNMP system information. After you have issued the system snmp sys configure command, you enter the system-config [snmp-system] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: system snmp sys configure
Mode: system
Step 2
Format:
sys-contact <contact name>
sys-location <location name>
sys-name <system name>
Mode: system-config [snmp-system]
Keyword (Associated Parameter to Type): Description
sys-contact (contact name): The system contact name (alphanumeric string).
sys-location (location name): The system location name (alphanumeric string).
sys-name (system name): The system name (alphanumeric string).
Command example:
FVS318N> system snmp sys configure
system-config[snmp-system]> sys-contact [email protected]
system-config[snmp-system]> sys-location San Jose
system-config[snmp-system]> sys-name FVS318N-Bld3
system-config[snmp-system]> save
Time Zone Command
system time configure
This command configures the system time, date, and NTP servers. After you have issued the system time configure command, you enter the system-config [time] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: system time configure
Mode: system
Step 2
Format:
timezone <timezone>
auto_daylight {Y | N}
resolve_ipv6_address {Y | N}
use_default_servers {Y | N}
configure_ntp_servers {Y | N {ntp_server1 {<ipaddress> |
<domain name>}} {ntp_server2 {<ipaddress> | <domain name>}}}
Mode: system-config [time]
Keyword (Associated Keyword to Select or Parameter to Type): Description
timezone (timezone keyword): For a list of time zones that you can enter, see Table 12.
auto_daylight (Y or N): Specifies whether or not the wireless VPN firewall automatically adjusts for daylight savings time.
resolve_ipv6_address (Y or N): Specifies whether or not the wireless VPN firewall automatically resolves a domain name for an NTP server to an IPv6 address:
• Y. A domain name is resolved to an IPv6 address.
• N. A domain name is resolved to an IPv4 address.
use_default_servers (Y or N): Enables or disables the use of default NTP servers.
configure_ntp_servers (Y or N): Enables or disables the use of custom NTP servers. If you enable the use of custom NTP servers, you need to specify the server IP addresses or domain names with the ntp_server1 and ntp_server2 keywords.
ntp_server1 (ipaddress or domain name): The IP address or domain name of the first custom NTP server.
ntp_server2 (ipaddress or domain name): The IP address or domain name of the second custom NTP server.
Table 12. Timezone keywords
Note: Enter the keywords exactly as stated (you can use autocompletion keys). If there are two locations for the same time zone, enter the location exactly as stated. For example, either enter GMT-11:00::Samoa or enter GMT-10:00::Hawaii.
GMT time and location
GMT::Edinburgh--London
GMT-12:00::Eniwetok--Kwajalein
GMT-11:00::Midway-Island
GMT-11:00::Samoa
GMT-10:00::Hawaii
GMT-09:30::Marquesas-Is
GMT-09:00::Alaska
GMT-08:00::Pitcairn-Is
GMT-08:00::Pacific-Time-Canada--Pacific-Time-US
GMT-08:00::Tijuana
GMT-07:00::Mountain-Time-Canada--Mountain-Time-US
GMT-06:00::Central-Time-Canada--Central-Time-US
GMT-05:00::Eastern-Time-Canada--Eastern-TimeUS
GMT-05:00::Eastern-Time-Lima
GMT-04:30::Caracas
GMT-04:00::Atlantic-Time-Canada
GMT-03:30::Newfoundland
GMT-03:00::Brasilia
GMT-03:00::Buenos-Aires
GMT-02:00::Mid-Atlantic
GMT-01:00::Azores--Cape-Verde-Is
GMT+01:00::Europe
GMT+02:00::Athens--Istanbul
GMT+02:00::Minsk
GMT+02:00::Cairo
GMT+03:00::Baghdad--Kuwait
GMT+03:00::Moscow
GMT+03:30::Tehran
GMT+04:00::Abu-Dhabi--Muscat
GMT+04:00::Baku
GMT+04:30::Kabul
GMT+05:00::Ekaterinburg
GMT+05:00::Islamabad--Karachi
GMT+05:30::Bombay--Calcutta--Madras--Delhi
GMT+05:30::Colombo
GMT+06:00::Almaty
GMT+06:00::Dhaka
GMT+06:30::Burma
GMT+07:00::Bangkok--Hanoi--Jakarta
GMT+08:00::Beijing--Chongqing--Hong-Kong
GMT+08:00::AWST-Perth
GMT+09:00::Osaka--Sapporo--Tokyo--Seoul
GMT+09:30::ACST-Adelaide
GMT+09:30::ACST-Darwin
GMT+09:30::ACST-Broken-Hill--NSW
GMT+10:00::AEST-Brisbane--Guam--Port-Moresby
GMT+10:00::AEST-Canberra--Melbourne--Sydney--Hobart
GMT+10:30::Lord-Howe-Is.
GMT+11:00::Magadan
GMT+11:00::Solomon-Is.--New-Caledonia
GMT+11:30::Norfolk-I.
GMT+12:00::Auckland--Wellington--New-Zealand
GMT+12:00::Fiji
GMT+13:00::Tonga
GMT+14:00::Kiribati
Command example:
FVS318N> system time configure
system-config[time]> timezone GMT-08:00::Pacific-Time-Canada--Pacific-Time-US
system-config[time]> auto_daylight Y
system-config[time]> use_default_servers Y
system-config[time]> save
Traffic Meter Command
system traffic_meter configure
This command configures the traffic meter. After you have issued the system traffic_meter configure command, you enter the system-config [traffic-meter] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: system traffic_meter configure
Mode: system
Step 2
Format:
enable {Y | N}
limit_type {Nolimit | Downloadonly | BothDirections}
monthly_limit <number>
increase_limit_enable {N | Y {increase_limit_by <number>}}
counter {RestartCounter | SpecificTime {day_of_month <day>}
{time_hour <hour>} {AM | PM} {time_minute <minute>}}
send_email_report {Y | N}
block_type {Block-all-traffic | Block-all-traffic-except-email}
send_email_alert {Y | N}
Mode: system-config [traffic-meter]
Keyword (Associated Keyword to Select or Parameter to Type): Description
Traffic meter configuration
enable (Y or N): Enables or disables the traffic meter.
limit_type (Nolimit, Downloadonly, or BothDirections): The type of traffic limit, if any:
• Nolimit. There is no traffic limit.
• Downloadonly. The traffic limit applies to downloaded traffic only.
• BothDirections. The traffic limit applies to both downloaded and uploaded traffic.
monthly_limit (number): The monthly limit for the traffic meter in MB.
increase_limit_enable (Y or N): Enables or disables automatic increase of the limit after the meter has exceeded the configured limit.
increase_limit_by (number): The number in MB to increase the configured limit of the traffic meter.
Traffic counter configuration
counter (SpecificTime or RestartCounter): Specifies how the traffic counter is restarted:
• SpecificTime. Restarts the traffic counter on a specific day and time. You need to set the day_of_month, time_hour, time_meridian, and time_minute keywords and associated parameters.
• RestartCounter. Restarts the traffic counter when you specify the counter keyword and the RestartCounter associated keyword.
day_of_month (day): The day in the format DD (01 to 31) that the traffic counter restarts. This keyword applies only when you have set the counter keyword to SpecificTime.
time_hour (hour): The hour in the format HH (00 to 12) that the traffic counter restarts. This keyword applies only when you have set the counter keyword to SpecificTime.
time_meridian (AM or PM): The meridiem for the hour that the traffic counter restarts. This keyword applies only when you have set the counter keyword to SpecificTime.
time_minute (minutes): The minutes in the format MM (00 to 59) that the traffic counter restarts. This keyword applies only when you have set the counter keyword to SpecificTime.
send_email_report (Y or N): Specifies whether or not an email report is sent when the traffic counter restarts.
Action when limit is reached
block_type (Block-all-traffic, or Block-all-traffic-except-email): Specifies the type of traffic blocking after the meter has exceeded the configured limit.
send_email_alert (Y or N): Specifies whether or not an email alert is sent when the traffic limit is reached.
Command example:
FVS318N> system traffic_meter configure
system-config[traffic-meter]> enable Y
system-config[traffic-meter]> limit_type Downloadonly
system-config[traffic-meter]> monthly_limit 150000
system-config[traffic-meter]> increase_limit_enable Y
system-config[traffic-meter]> increase_limit_by 50000
system-config[traffic-meter]> counter SpecificTime
system-config[traffic-meter]> day_of_month 01
system-config[traffic-meter]> time_hour 00
system-config[traffic-meter]> time_minute 00
system-config[traffic-meter]> send_email_report Y
system-config[traffic-meter]> block_type Block-all-traffic-except-email
system-config[traffic-meter]> send_email_alert Y
system-config[traffic-meter]> save
Related show command:
show system traffic_meter setup
Firewall Logs and Email Alerts Commands
system logging configure
This command configures routing logs for accepted and dropped IPv4 and IPv6 packets, selected system logs, and logs for other events. After you have issued the system logging configure command, you enter the system-config [logging-ipv4-ipv6] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: system logging configure
Mode: system
Step 2
Format:
lan_wan_accept_packet_logs {Y | N}
lan_wan_drop_packet_logs {Y | N}
lan_dmz_accept_packet_logs {Y | N}
lan_dmz_drop_packet_logs {Y | N}
dmz_wan_accept_packet_logs {Y | N}
dmz_wan_drop_packet_logs {Y | N}
wan_lan_accept_packet_logs {Y | N}
wan_lan_drop_packet_logs {Y | N}
dmz_lan_accept_packet_logs {Y | N}
dmz_lan_drop_packet_logs {Y | N}
wan_dmz_accept_packet_logs {Y | N}
wan_dmz_drop_packet_logs {Y | N}
change_of_time_by_NTP_logs {Y | N}
login_attempts_logs {Y | N}
secure_login_attempts_logs {Y | N}
reboot_logs {Y | N}
unicast_traffic_logs {Y | N}
broadcast_or_multicast_traffic_logs {Y | N}
WAN_status_logs {Y | N}
resolved_DNS_names_logs {Y | N}
vpn_logs {Y | N}
dhcp_server_logs {Y | N}
source_mac_filter_logs {Y | N}
session_limit_logs {Y | N}
bandwidth_limit_logs {Y | N}
Mode: system-config [logging-ipv4-ipv6]
Keyword (Associated Keyword to Select): Description
Routing logs
lan_wan_accept_packet_logs, lan_wan_drop_packet_logs, lan_dmz_accept_packet_logs, lan_dmz_drop_packet_logs, dmz_wan_accept_packet_logs, dmz_wan_drop_packet_logs, wan_lan_accept_packet_logs, wan_lan_drop_packet_logs, dmz_lan_accept_packet_logs, dmz_lan_drop_packet_logs, wan_dmz_accept_packet_logs, wan_dmz_drop_packet_logs (Y or N for each): Enables or disables packet logging for the traffic direction and type of packet (accepted or dropped) that is defined in the keyword.
System logs
change_of_time_by_NTP_logs (Y or N): Enables or disables logging of time changes of the wireless VPN firewall.
login_attempts_logs (Y or N): Enables or disables logging of login attempts.
secure_login_attempts_logs (Y or N): Enables or disables logging of secure login attempts.
reboot_logs (Y or N): Enables or disables logging of rebooting of the wireless VPN firewall.
unicast_traffic_logs (Y or N): Enables or disables logging of unicast traffic.
broadcast_or_multicast_traffic_logs (Y or N): Enables or disables logging of broadcast and multicast traffic.
wan_status_logs (Y or N): Enables or disables logging of WAN link–status-related events.
resolved_DNS_names_logs (Y or N): Enables or disables logging of resolved DNS names.
vpn_logs (Y or N): Enables or disables logging of VPN negotiation messages.
dhcp_server_logs (Y or N): Enables or disables logging of DHCP server events.
Other event logs
source_mac_filter_logs (Y or N): Enables or disables logging of packets from MAC addresses that match the source MAC address filter settings.
session_limit_logs (Y or N): Enables or disables logging of packets that are dropped because the session limit has been exceeded.
bandwidth_limit_logs (Y or N): Enables or disables logging of packets that are dropped because the bandwidth limit has been exceeded.
Command example:
FVS318N> system logging configure
system-config[logging-ipv4-ipv6]> lan_wan_drop_packet_logs Y
system-config[logging-ipv4-ipv6]> wan_lan_drop_packet_logs Y
system-config[logging-ipv4-ipv6]> change_of_time_by_NTP_logs Y
system-config[logging-ipv4-ipv6]> secure_login_attempts_logs Y
system-config[logging-ipv4-ipv6]> reboot_logs Y
system-config[logging-ipv4-ipv6]> unicast_traffic_logs Y
system-config[logging-ipv4-ipv6]> bandwidth_limit_logs Y
system-config[logging-ipv4-ipv6]> save
Related show command:
system logging remote configure
This command configures email logs and alerts, schedules email logs and alerts, and configures a syslog server. After you have issued the system logging remote
configure
command, you enter the system-config [logging-remote] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Step 2
Format
system logging remote configure
Mode
system
Format
log_identifier <identifier>
System Mode Configuration Commands
159
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
email_logs_enable {Y | N}
email_server {ipaddress | domain name}
return_email <email address>
send_to_email <email address>
smtp_custom_port <number>
smtp_auth type {None | Plain {smtp_auth username <user name>}
{smtp_auth password <password>} | CRAM-MD5 {smtp_auth
username <user name>} {smtp_auth password <password>}}
identd_from_smtp_server_enable {Y | N}
schedule unit {Never | Hourly | Daily {schedule time {0:00 |
1:00 | 2:00 | 3:00 | 4:00 | 5:00 | 6:00 | 7:00 | 8:00 |
9:00 | 10:00 | 11:00}} {schedule meridiem {AM | PM}} | Weekly
{schedule day {Sunday | Monday | Tuesday | Wednesday |
Thursday | Friday | Saturday}} {schedule time {0:00 | 1:00 |
2:00 | 3:00 | 4:00 | 5:00 | 6:00 | 7:00 | 8:00 | 9:00 |
10:00 | 11:00}} {schedule meridiem {AM | PM}}}
syslog_server {ipaddress | domain name}
syslog_severity {LOG_EMERG | LOG_ALERT | LOG_CRITICAL |
LOG_ERROR | LOG_WARNING | LOG_NOTICE | LOG_INFO | LOG_DEBUG} system-config [logging-remote]
Mode
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description
Log identifier
log_identifier | identifier | The log identifier (alphanumeric string).
Email log configuration
email_logs_enable | Y or N | Enables or disables emailing of logs.
email_server | ipaddress or domain name | The IP address or domain name of the SMTP server.
return_email | email address | The email address (alphanumeric string) to which the SMTP server replies are sent.
send_to_email | email address | The email address (alphanumeric string) to which the logs and alerts are sent.
smtp_custom_port | number | The port number of the SMTP server for the outgoing email. The default port number is 25.
smtp_auth type | None, Plain, or CRAM-MD5 | The type of authentication for the SMTP server. If you select Plain or CRAM-MD5, you also need to configure the smtp_auth username and smtp_auth password keywords and associated parameters.
smtp_auth username | user name | The user name for SMTP authentication if you have set the smtp_auth type keyword type to Plain or CRAM-MD5.
smtp_auth password | password | The password for SMTP authentication if you have set smtp_auth type keyword to Plain or CRAM-MD5.
identd_from_smtp_server_enable | Y or N | Allows or rejects Identd protocol messages from the SMTP server.
Email log schedule
schedule unit | Never, Hourly, Daily, or Weekly | The type of schedule for the emailing of logs and alerts. Note the following:
• If you select Never or Hourly, you do not need to further configure the schedule.
• If you select Daily, you also need to configure the schedule time and schedule meridiem keywords and their associated keywords.
• If you select Weekly, you also need to configure the schedule day, schedule time, and schedule meridiem keywords and their associated keywords.
schedule day | Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, or Saturday | The scheduled day if you have set the schedule unit keyword to Weekly.
schedule time | 0:00, 1:00, 2:00, 3:00, 4:00, 5:00, 6:00, 7:00, 8:00, 9:00, 10:00, or 11:00 | The scheduled time if you have set the schedule unit keyword to Daily or Weekly.
schedule meridiem | AM or PM | The meridiem for the start time if you have set the schedule unit keyword to Daily or Weekly.
Syslog server
syslog_server | ipaddress or domain name | The IP address or domain name of the syslog server.
syslog_severity | LOG_EMERG, LOG_ALERT, LOG_CRITICAL, LOG_ERROR, LOG_WARNING, LOG_NOTICE, LOG_INFO, or LOG_DEBUG | The syslog severity level. The keywords are self-explanatory.
Note: All the logs with a severity that is equal to and above the severity that you specify are logged on the specified syslog server. For example, if you select LOG_CRITICAL as the severity, then the logs with the severities LOG_CRITICAL, LOG_ALERT, and LOG_EMERG are logged.
Command example:
FVS318N> system logging remote configure
system-config[logging-remote]> log_identifier FVS318N-Bld3
system-config[logging-remote]> email_logs_enable Y
system-config[logging-remote]> email_server SMTP.Netgear.com
system-config[logging-remote]> return_email [email protected]
system-config[logging-remote]> send_to_email [email protected]
system-config[logging-remote]> smtp_custom_port 2025
system-config[logging-remote]> smtp_auth type None
system-config[logging-remote]> schedule unit Weekly
system-config[logging-remote]> schedule day Sunday
system-config[logging-remote]> schedule time 00
system-config[logging-remote]> schedule meridiem AM
system-config[logging-remote]> syslog_server fe80::a0ca:f072:127f:b028%21
system-config[logging-remote]> syslog_severity LOG_EMERG
system-config[logging-remote]> save
Related show command:
show system logging remote setup
6. Dot11 Mode Configuration Commands
This chapter explains the configuration commands, keywords, and associated parameters in the dot11 mode. The chapter includes the following sections:
IMPORTANT: After you have issued a command that includes the word configure, add, or edit, you need to save (or cancel) your changes. For more information, see on page 13.
Wireless Radio Commands
dot11 radio configure
This command configures the basic radio settings. After you have issued the dot11 radio configure command, you enter the dot11-config [radio] mode, and then you can configure one keyword and associated parameter or associated keyword at a time. You first need to configure the geographical area and country of operation.
Step 1
Format
dot11 radio configure
Mode
dot11
Step 2
Format
country {africa <country> | asia <country> | europe <country> |
middle_east <country> | oceania <country> | united_states
<country>}
mode {g_and_b | g_only | ng {channel_spacing {20-40MHz |
20MHz}} | n_only {channel_spacing {20-40MHz | 20MHz}}}
channel {Auto | <channel>}
default_transmit_power <number>
transmission_rate {Best_Automatic | <rate>}
Mode
dot11-config [radio]
Keyword | Associated Keyword to Select or Parameter to Type | Description
country | africa, asia, europe, middle_east, oceania, or united_states; country keyword | After you have selected a geographical region, select a predefined country name within the selected region. For a list of countries that you can enter, see .
mode | g_and_b, g_only, ng, or n_only | The wireless mode in the 2.4-GHz band:
• g_and_b. In addition to 802.11b- and 802.11g-compliant devices, 802.11n-compliant devices can connect to the wireless access point because they are backward compatible.
• g_only. 802.11g- and 802.11n-compliant devices can connect to the wireless access point, but 802.11n-compliant devices function below their capacity in 802.11g mode. 802.11b-compliant devices cannot connect.
• ng. This is the default setting. 802.11g- and 802.11n-compliant devices can connect to the wireless access point. 802.11b-compliant devices cannot connect.
• n_only. Only 802.11n-compliant devices can connect to the wireless access point.
channel_spacing | 20-40MHz or 20MHz | For the ng and n_only modes, the channel spacing:
• 20-40MHz. Select this option to improve the performance. Some legacy devices can operate only at 20 MHz.
• 20MHz. Select this option if your network includes legacy devices.
Note: The channel spacing is fixed at 20 MHz for the g_and_b and g_only modes.
channel | auto or the keyword for a specific channel | The 2.4 GHz channel that is used by the radio. Either select auto to enable the wireless access point to select its own channel, or select a specific channel.
Note: The available channels depend on the country selection and are displayed on the CLI screen.
default_transmit_power | number | The default transmit power in dBm, which can range from 0 to 31.
Note: If the country regulation does not allow the transmit power that you configure, the power will be automatically adjusted to the legally allowed power.
transmission_rate | Best_Automatic, MCS15-130[270], MCS14-117[243], MCS13-104[216], MCS12-78[162], MCS11-52[108], MCS10-39[81], MCS9-26[54], MCS8-13[27], MCS7-65[135], MCS6-58.5[121.5], MCS5-52[108], MCS4-39[81], MCS3-26[54], MCS2-19.5[40.5], MCS1-13[27], MCS0-6.5[13.5], 54, 48, 36, 24, 18, 12, 11, 9, 6, 5.5, 2, or 1 | The transmission data rate. Either select Best_Automatic to enable the wireless access point to select its own data rate, or select a specific data rate.
Note: The available transmission data rates depend on the country selection and are displayed on the CLI screen.
Table 13. Region and country keywords
Region | Country
Africa | Algeria, Egypt, Kenya, Morocco, SouthAfrica, Tunisia, Zimbabwe
Asia | Azerbaijan, Bangladesh, BruneiDarussalam, China, HongKong, India, Indonesia, Japan, Kazakhstan, KoreaRepublic, Macau, Malaysia, Nepal, NorthKorea, Pakistan, Philippines, Singapore, SriLanka, Taiwan, Thailand, Uzbekistan, Vietnam
Europe | Albania, Armenia, Austria, Belarus, Belgium, BosniaAndHerzegowina, Bulgaria, Croatia, Cyprus, CzechRepublic, Denmark, Estonia, Finland, France, Georgia (see note), Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Macedonia_TheFormerYugoslavRepublicOfMacedonia, Malta, Monaco, Netherlands, Norway, Poland, Portugal, Romania, RussianFederation_RU1, SerbiaAndMontenegro (see note), SlovakRepublic, Slovenia, Spain, Sweden, Switzerland, Turkey, Ukraine, UnitedKingdom
MiddleEast | Iran_IslamicRepublicOf, Israel, Bahrain, Jordan, Kuwait, Lebanon, Oman, Qatar, SaudiArabia, Syria, UnitedArabEmirates, Yemen
Oceania | Australia, NewZealand, PapuaNewGuinea
UnitedStates | Argentina, Belize, Bolivia, Brazil, Canada, Chile, Colombia, CostaRica, DominicanRepublic, Ecuador, ElSalvador, Guatemala, Honduras, Jamaica, Mexico, Panama, Peru, PuertoRico, TrinidadAndTobago, UnitedStates_US, Uruguay, Venezuela
Note (Georgia and SerbiaAndMontenegro): This keyword might be located under another region. The command syntax might change in a future release.
Command example:
FVS318N> dot11 radio configure
dot11-config[radio]> country united_states UnitedStates_US
dot11-config[radio]> 2.4mode ng
dot11-config[radio]> channel_spacing 20-40MHz
dot11-config[radio]> channel Auto
dot11-config[radio]> default_transmit_power 25
dot11-config[radio]> transmission_rate
dot11-config[radio]> transmission_rate Best_Automatic
dot11-config[radio]> save
Related show command:
dot11 radio advanced configure
This command configures the advanced radio settings. After you have issued the dot11 radio advanced configure command, you enter the dot11-config [radio-advance] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
dot11 radio advanced configure
Mode
dot11
Step 2
Format
beacon_interval <milliseconds>
dtim_interval <milliseconds>
rts_threshold <bytes>
fragmentation_threshold <bytes>
preamble_mode <Long | Short>
protection_mode {CTS-to-Self_Protection | None}
power_save_enable {Y | N}
Mode
dot11-config [radio-advance]
Keyword | Associated Keyword to Select or Parameter to Type | Description
beacon_interval | milliseconds | The time in milliseconds between the beacon transmissions.
dtim_interval | milliseconds | The time in milliseconds between each delivery traffic indication message (DTIM).
rts_threshold | bytes | The Request to Send (RTS) threshold in bytes.
fragmentation_threshold | bytes | The maximum length of the frame in bytes.
preamble_mode | Long or Short | The type of 802.11b preamble that is prepended to every frame:
• Long. A long transmit preamble might provide a more reliable connection or a slightly longer range.
• Short. A short transmit preamble gives better performance.
protection_mode | CTS-to-Self_Protection or None | The Clear to Send (CTS)-to-self protection mode:
• CTS-to-Self_Protection. CTS-to-self protection mode is enabled. This mode increases the performance but reduces the throughput slightly.
• None. CTS-to-self protection mode is disabled.
power_save_enable | Y or N | Enables or disables Wi-Fi Multimedia (WMM) power save.
Command example:
FVS318N> dot11 radio advanced configure
dot11-config[radio-advance]> beacon_interval 120
dot11-config[radio-advance]> dtim_interval 4
dot11-config[radio-advance]> rts_threshold 1820
dot11-config[radio-advance]> fragmentation_threshold 1820
dot11-config[radio-advance]> preamble_mode Short
dot11-config[radio-advance]> protection_mode CTS-to-Self_Protection
dot11-config[radio-advance]> power_save_enable Y
dot11-config[radio-advance]> save
Related show command:
Wireless Profile Commands
dot11 profile configure <profile name>
This command configures a new or existing profile. After you have issued the dot11 profile configure command to specify the name of a profile, you enter the dot11-config [profile] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
dot11 profile configure <profile name>
Mode
dot11
Step 2
Format
ssid <ssid name>
broadcast-ssid {Y | N}
security_type {Open | WEP | WPA | WPA2 | WPA+WPA2}
vlan_profile <vlan name>
wep authentication {Automatic | Open-System | Shared-Key}
wep encryption {64-bit-WEP | 128-bit-WEP}
wep {passphrase {{1 | 2 | 3 | 4} <passphrase>} | wep key
{{1 | 2 | 3 | 4} <key>}}
wpa encryption {TKIP | CCMP | TKIP+CCMP}
wpa authentication {PSK {wpa wpa-password <password>} | RADIUS |
PSK+RADIUS {wpa wpa_password <password>}}
pre-authentication {Y | N}
enable_active_time {N | Y {start hour <hour>} {start meridiem
{AM | PM}} {start minute <minute>} {stop hour <hour>}
{stop meridiem {AM | PM}} {stop minute <minute>}}
wlan_partition {Y | N}
Mode
dot11-config [profile]
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description
ssid | ssid name | The name of the 802.11 profile SSID.
broadcast_ssid | Y or N | Enables or disables the SSID broadcast.
security_type | Open, WEP, WPA, WPA2, or WPA+WPA2 | The type of security and associated encryption. Your selection determines which other keywords and associated parameters and keywords you need to set.
vlan_profile | vlan name | The VLAN to which the wireless profile is allocated. If you do not specify a VLAN, the wireless profile is assigned to the default VLAN.
WEP
wep authentication | Automatic, Open-System, or Shared-Key | The type of WEP authentication:
• Automatic. A key is required to connect to this profile. You need to configure the wep passphrase keyword and its associated parameter and keyword for automatic generation of the WEP key. You also need to set the wep encryption keyword and its associated keyword.
• Open-System. Anyone can connect to this profile. You need to set the wep encryption keyword and its associated keyword.
• Shared-Key. A key is required to connect to this profile. You need to set the wep key keyword and its associated parameter and keyword for manual generation of the WEP key. You also need to set the wep encryption keyword and its associated keyword.
wep encryption | 64-bit-WEP or 128-bit-WEP | The type of WEP encryption.
wep passphrase | 1, 2, 3, or 4 and passphrase | Both the number of the WEP key (the index) and the passphrase to generate the WEP key from. You have to set both.
wep key | 1, 2, 3, or 4 and key | Both the number of the WEP key (the index) and the actual key.
Note: If you have used the wep passphrase keyword and its associated parameter and keyword, you do not need to set the wep key keyword and its associated parameter and keyword.
WPA
wpa encryption | TKIP, CCMP, or TKIP+CCMP | The WPA encryption type. Note the following:
• WPA supports TKIP and TKIP+CCMP.
• WPA2 supports CCMP and TKIP+CCMP.
• WPA+WPA2 supports TKIP+CCMP.
wpa authentication | PSK, RADIUS, or PSK+RADIUS | The WPA authentication type. Note the following:
• PSK. Requires you to set the wpa wpa_password keyword and associated parameter.
• RADIUS. Requires you to configure the RADIUS settings.
• PSK_RADIUS. Requires you to set the wpa wpa_password keyword and associated parameter and to configure the RADIUS settings.
wpa wpa_password | password | The WPA password, which you need to set only if you have set the wpa authentication keyword to PSK or PSK_RADIUS.
pre-authentication | Y or N | Enables or disables RADIUS preauthentication, which is possible only if you have set the security_type keyword to WPA2 and the wpa authentication keywords to RADIUS.
Active timer and WLAN partition
enable_active_time | Y or N | Enables or disables the daily timer for the wireless profile. If you enable the timer, you need to set all start and stop keywords and associated parameters and keywords.
start hour | hour | The hour in the format H or HH (1 through 12) that the timer starts, if you have enabled the timer.
start meridiem | AM or PM | The meridiem that the timer starts, if you have enabled the timer.
start minute | minute | The minute in the format MM (00 to 59) that the timer starts, if you have enabled the timer.
stop hour | hour | The hour in the format H or HH (1 through 12) that the timer stops, if you have enabled the timer.
stop meridiem | AM or PM | The meridiem that the timer stops, if you have enabled the timer.
stop minute | minute | The minute in the format MM (00 to 59) that the timer stops, if you have enabled the timer.
wlan_partition | Y or N | Enables or disables WLAN partition.
Command example:
FVS318N> dot11 profile add Employees
dot11-config[profile]> ssid CompanyWide
dot11-config[profile]> broadcast_ssid Y
dot11-config[profile]> security_type WPA+WPA2
dot11-config[profile]> wpa encryption TKIP+CCMP
dot11-config[profile]> wpa authentication PSK
dot11-config[profile]> wpa wpa_password Se36cu37re38!
dot11-config[profile]> enable_active_time Y
dot11-config[profile]> start hour 8
dot11-config[profile]> start meridiem AM
dot11-config[profile]> start minute 00
dot11-config[profile]> stop hour 5
dot11-config[profile]> stop meridiem PM
dot11-config[profile]> stop minute 00
dot11-config[profile]> wlan_partition N
dot11-config[profile]> save
Related show commands:
show dot11 profile [profile name]
show dot11 profile status <profile name>
dot11 profile delete <profile name>
This command deletes a profile by deleting its name. You cannot delete the default profile (default1).
Format
dot11 profile delete <profile name>
Mode
dot11
Related show command:
show dot11 profile [profile name]
dot11 profile disable <profile name>
This command disables a profile by specifying its name.
Format
dot11 profile disable <profile name>
Mode
dot11
Related show command:
show dot11 profile [profile name]
dot11 profile enable <profile name>
This command enables a profile by specifying its name.
Format
dot11 profile enable <profile name>
Mode
dot11
Related show command:
show dot11 profile [profile name]
dot11 profile acl configure <profile name>
This command adds a MAC address to or deletes a MAC address from an access control list (ACL) and configures the ACL setting for a selected profile. After you have issued the dot11 profile acl configure command to specify a profile, you enter the dot11-config [ap-acl] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer. You can add multiple MAC addresses to the ACL for a profile.
Step 1
Format
dot11 profile acl configure <profile name>
Mode
dot11
Step 2
Format
mac_address {add <mac address> | delete <mac address>}
acl_policy {Open | Allow | Deny}
Mode
dot11-config [ap-acl]
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description
mac_address add | mac address | The mac address that is added to the ACL.
mac_address delete | mac address | The mac address that is deleted from the ACL.
acl_policy | Open, Allow, or Deny | The default ACL policy for the profile:
• Open. All MAC addresses are allowed to connect to the profile.
• Allow. Only MAC addresses that you have added to the ACL are allowed to connect to the profile.
• Deny. MAC addresses that you have added to the ACL are denied access to the profile.
Command example:
FVS318N> dot11 profile acl configure Employees
dot11-config[ap-acl]> mac_address add a1:23:04:e6:de:bb
dot11-config[ap-acl]> mac_address add c2:ee:d2:10:34:fe
dot11-config[ap-acl]> acl_policy Allow
dot11-config[ap-acl]> save
Related show command:
dot11 profile wps configure
This command configures Wi-Fi Protected Setup™ (WPS) for an SSID. After you have issued the dot11 profile wps configure command, you enter the dot11-config [ap-wps] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
dot11 profile wps configure
Mode
dot11
Step 2
Format
ap_ssid <ssid name>
wps_status {Enable | Disable}
configure_via_pbc {Y | N}
configure_via_pin {N | Y {station_pin <pin>}}
Mode
dot11-config [ap-wps]
Keyword | Associated Keyword to Select or Parameter to Type | Description
ap_ssid | ssid name | The name of the SSID for which you configure WPS.
wps_status | Enable or Disable | Enables or disables WPS.
configure_via_pbc | Y or N | Enables or disables the push button configuration (PBC) method.
configure_via_pin | Y or N | Enables or disables the PIN method. If you enable the PIN method, you also need to set the station_pin keyword and associated parameter.
station_pin | pin | The pin for the PIN method, if the PIN method is enabled.
Command example:
FVS318N> dot11 profile wps configure
dot11-config[ap-wps]> ap_ssid CompanyWide
dot11-config[ap-wps]> wps_status Enable
dot11-config[ap-wps]> configure_via_pin Y
dot11-config[ap-wps]> station_pin 3719
dot11-config[ap-wps]> save
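The following review script is an added example, not part of the NETGEAR manual: it reads a saved CLI session for the dot11 profile and WPS commands described above, masks the secrets it contains, and reports settings that leave a profile on Open, WEP, TKIP, or the WPS PIN method. The transcript is constructed, and the function names and finding texts are assumptions of this example.

```python
import re

# Prompt forms used in this chapter: "FVS318N> cmd" and "dot11-config[profile]> cmd".
PROMPT = re.compile(r"^(?P<mode>[^\s\[>]+)(?:\[(?P<ctx>[^\]]+)\])?>\s*(?P<cmd>.*)$")

# Keywords whose value is a secret and must not be copied into a report.
SECRET_PREFIXES = ("wpa wpa_password", "wep passphrase", "wep key", "station_pin")

# Constructed transcript (hypothetical profiles and secrets, manual's keywords).
SAMPLE = """\
FVS318N> dot11 profile configure Employees
dot11-config[profile]> ssid CompanyWide
dot11-config[profile]> security_type WPA+WPA2
dot11-config[profile]> wpa encryption TKIP+CCMP
dot11-config[profile]> wpa authentication PSK
dot11-config[profile]> wpa wpa_password Constructed-Example-1
dot11-config[profile]> save
FVS318N> dot11 profile configure Guests
dot11-config[profile]> ssid Lobby
dot11-config[profile]> security_type WEP
dot11-config[profile]> wep encryption 64-bit-WEP
dot11-config[profile]> wep passphrase 1 constructed
dot11-config[profile]> save
FVS318N> dot11 profile wps configure
dot11-config[ap-wps]> ap_ssid CompanyWide
dot11-config[ap-wps]> wps_status Enable
dot11-config[ap-wps]> configure_via_pin Y
dot11-config[ap-wps]> station_pin 0000
dot11-config[ap-wps]> save
"""


def parse_sessions(text):
    """Group keyword/value lines under the top-level command that opened them."""
    sessions = []
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or not m.group("cmd"):
            continue
        cmd = m.group("cmd").strip()
        if m.group("ctx") is None:  # top-level prompt starts a new session
            sessions.append({"command": cmd, "settings": {}, "saved": False})
            continue
        if not sessions:
            continue
        if cmd == "save":  # changes apply only after save
            sessions[-1]["saved"] = True
            continue
        # A keyword might consist of two words; the value is the last token.
        keyword, _, value = cmd.rpartition(" ")
        keyword = keyword.strip()
        if not keyword:
            continue
        if keyword.startswith(SECRET_PREFIXES):
            value = "<redacted>"
        sessions[-1]["settings"][keyword] = value
    return sessions


def audit_sessions(sessions):
    """Return one finding string per weak setting in a saved session."""
    findings = []
    for s in sessions:
        if not s["saved"]:
            continue  # never saved, so never applied
        cfg = s["settings"]
        target = cfg.get("ssid") or cfg.get("ap_ssid") or s["command"]
        sec = cfg.get("security_type")
        if sec == "Open":
            findings.append(f"{target}: security_type Open, traffic is not encrypted")
        elif sec == "WEP":
            findings.append(f"{target}: security_type WEP is obsolete, use WPA2")
        if "TKIP" in cfg.get("wpa encryption", ""):
            findings.append(f"{target}: wpa encryption {cfg['wpa encryption']} "
                            "still accepts TKIP, WPA2 with CCMP avoids it")
        if cfg.get("wps_status") == "Enable" and cfg.get("configure_via_pin") == "Y":
            findings.append(f"{target}: WPS PIN method is enabled, "
                            "set configure_via_pin N if it is not needed")
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(parse_sessions(SAMPLE)):
        print(finding)
```

Because a session log records wpa wpa_password, wep key, and station_pin values in clear text, store such logs with the same care as the configuration itself.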
7. VPN Mode Configuration Commands
This chapter explains the configuration commands, keywords, and associated parameters in the vpn mode. The chapter includes the following sections:
• IPSec VPN Mode Config Commands
• SSL VPN Portal Layout Commands
• SSL VPN Authentication Domain Commands
• SSL VPN Authentication Group Commands
• SSL VPN Port Forwarding Commands
IMPORTANT: After you have issued a command that includes the word configure, add, or edit, you need to save (or cancel) your changes. For more information, see on page 13.
IPSec VPN Wizard Command
vpn ipsec wizard configure <Gateway | VPN_Client>
This command configures the IPSec VPN wizard for a gateway-to-gateway or gateway-to-VPN client connection. After you have issued the vpn ipsec wizard configure command to specify the type of peer for which you want to configure the wizard, you enter the vpn-config [wizard] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
vpn ipsec wizard configure {Gateway | VPN_Client}
Mode
vpn
Step 2
Format
ip_version {IPv4 | IPv6}
conn_name <name>
preshared_key <key>
remote_wan_ipaddress {<ipaddress> | <ipv6-address> |
<domain name>}
local_wan_ipaddress {<ipaddress> | <ipv6-address> |
<domain name>}
remote_lan_ipaddress <ipaddress>
remote_lan_net_mask <subnet mask>
remote_lan_ipv6address <ipv6-address>
remote_lan_prefixLength <prefix length>
Mode
vpn-config [wizard]
Keyword | Associated Keyword to Select or Parameter to Type | Description
ip_version | IPv4 or IPv6 | Specifies the IP address version for both the local and remote endpoints:
• IPv4. Both endpoints use IPv4 addresses. For the remote LAN IP address, you need to issue the remote_lan_ipaddress and remote_lan_netMask keywords and specify the associated parameters.
• IPv6. Both endpoints use IPv6 addresses. For the remote LAN IP address, you need to issue the remote_lan_ipv6address and remote_lan_prefixLength keywords and specify the associated parameters.
conn_name | connection name | The unique connection name (alphanumeric string).
preshared_key | key | The key (alphanumeric string) that needs to be entered on both peers.
remote_wan_ipaddress | ipaddress, ipv6-address, or domain name | Depending on the setting of the ip_version keyword, specifies an IPv4 or IPv6 local WAN address. You can also specify a domain name.
local_wan_ipaddress | ipaddress, ipv6-address, or domain name | Depending on the setting of the ip_version keyword, specifies an IPv4 or IPv6 local WAN address. You can also specify a domain name.
Remote LAN IPv4 address information
remote_lan_ipaddress | ipaddress | The IPv4 remote LAN address when the ip_version keyword is set to IPv4.
remote_lan_net_mask | subnet mask | The IPv4 remote LAN subnet mask when the ip_version keyword is set to IPv4.
Remote LAN IPv6 address information
remote_lan_ipv6address | ipv6-address | The IPv6 remote LAN address when the ip_version keyword is set to IPv6.
remote_lan_prefixLength | prefix length | The IPv6 remote LAN prefix length when the ip_version keyword is set to IPv6.
Command example:
FVS318N> vpn ipsec wizard configure Gateway
vpn-config[wizard]> ip_version IPv6
vpn-config[wizard]> conn_name FVS318N-to-Peer44
vpn-config[wizard]> preshared_key 2%sgd55%!@GH
vpn-config[wizard]> remote_wan_ipaddress peer44.com
vpn-config[wizard]> local_wan_ipaddress fe80::a8ab:bbff:fe00:2
vpn-config[wizard]> remote_lan_ipv6address fe80::a4bb:ffdd:fe01:2
vpn-config[wizard]> remote_lan_prefixLength 64
vpn-config[wizard]> save
Related show commands:
show vpn ipsec vpnpolicy setup
show vpn ipsec ikepolicy setup
show vpn ipsec vpnpolicy status
To display the VPN policy configuration that the wizard created through the vpn ipsec wizard configure command, issue the show vpn ipsec vpnpolicy setup command:
FVS318N> show vpn ipsec vpnpolicy setup
Status Name Type IPSec Mode Local Remote Auth Encr
_______ _________________ ___________ ___________ ______________________________________ ______________________________ _____ ____
Enabled FVS318N-to-Peer44 Auto Policy Tunnel Mode 2002:408b:36e4:a:a8ab:bbff:fe00:1 / 64 fe80::a4bb:ffdd:fe01:2 / 64 SHA-1 3DES
Enabled FVS-to-Paris Auto Policy Tunnel Mode 192.168.1.0 / 255.255.255.0 192.168.50.0 / 255.255.255.255 SHA-1 3DES
To display the IKE policy configuration that the wizard created through the vpn ipsec wizard configure command, issue the show vpn ipsec ikepolicy setup command:
FVS318N> show vpn ipsec ikepolicy setup
List of IKE Policies
____________________
Name Mode Local ID Remote ID Encryption Authentication DH Group
_________________ __________ ______________________ _____________ __________ ______________ ____________
FVS318N-to-Peer44 main fe80::a8ab:bbff:fe00:2 peer44.com 3DES SHA-1 Group 2 (1024 bit)
FVS-to-Paris main 10.139.54.228 10.112.71.154 3DES SHA-1 Group 2 (1024 bit)
iphone aggressive 10.139.54.228 0.0.0.0 AES-128 SHA-1 Group 2 (1024 bit)
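The IKE policy listing above can be checked mechanically. The script below is an added example, not part of the NETGEAR manual: it parses show vpn ipsec ikepolicy setup output and reports, per policy, each setting that is weaker than the strongest option the CLI offers (Main mode, AES, SHA-1, Group5_1536_bit). The sample text is constructed from the output shown above, and the function names are assumptions of this example.

```python
import re

# Constructed sample: the `show vpn ipsec ikepolicy setup` output shown above,
# with one policy per line.
SAMPLE_OUTPUT = """\
FVS318N> show vpn ipsec ikepolicy setup
List of IKE Policies
____________________
Name Mode Local ID Remote ID Encryption Authentication DH Group
_________________ __________ ______________________ _____________ __________ ______________ ____________
FVS318N-to-Peer44 main fe80::a8ab:bbff:fe00:2 peer44.com 3DES SHA-1 Group 2 (1024 bit)
FVS-to-Paris main 10.139.54.228 10.112.71.154 3DES SHA-1 Group 2 (1024 bit)
iphone aggressive 10.139.54.228 0.0.0.0 AES-128 SHA-1 Group 2 (1024 bit)
"""

# One policy row: name, mode, local ID, remote ID, encryption, hash, DH group.
# finditer() is used so that rows run together on one line are still found,
# while the prompt, title, header and separator lines never match.
ROW = re.compile(
    r"(?<!\S)(?P<name>\S+)\s+(?P<mode>main|aggressive)\s+(?P<local_id>\S+)\s+"
    r"(?P<remote_id>\S+)\s+(?P<encryption>\S+)\s+(?P<auth>\S+)\s+"
    r"Group\s+(?P<dh_group>\d+)\s+\((?P<dh_bits>\d+)\s+bit\)",
    re.IGNORECASE,
)

# Group5_1536_bit is the highest dh_group keyword listed in the manual.
STRONGEST_DH_GROUP = 5


def parse_ike_policies(text):
    """Return one dict per IKE policy row found in the show output."""
    policies = []
    for match in ROW.finditer(text):
        policy = match.groupdict()
        policy["dh_group"] = int(policy["dh_group"])
        policy["dh_bits"] = int(policy["dh_bits"])
        policies.append(policy)
    return policies


def audit_policy(policy):
    """List the settings that are below the strongest option the CLI offers."""
    findings = []
    if policy["mode"].lower() == "aggressive":
        findings.append("exchange mode is aggressive; the manual rates Main as more secure")
    if not policy["encryption"].upper().startswith("AES"):
        findings.append(
            f"encryption is {policy['encryption']}; AES_128, AES_192 and AES_256 are available"
        )
    if policy["auth"].upper() == "MD5":
        findings.append("authentication is MD5; SHA-1 is available")
    if policy["dh_group"] < STRONGEST_DH_GROUP:
        findings.append(
            f"DH group {policy['dh_group']} ({policy['dh_bits']} bit); "
            "Group5_1536_bit is available"
        )
    return findings


def audit_ike_output(text):
    """Map each policy name to its list of findings (empty list means none)."""
    return {p["name"]: audit_policy(p) for p in parse_ike_policies(text)}


if __name__ == "__main__":
    for name, findings in audit_ike_output(SAMPLE_OUTPUT).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

All three policies in the listing are reported for DH Group 2, which is what the wizard produced; raising the group requires editing the IKE policy with the commands in the next section.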
IPSec IKE Policy Commands
vpn ipsec ikepolicy configure <ike policy name>
This command configures a new or existing manual IPSec IKE policy. After you have issued the vpn ipsec ikepolicy configure command to specify the name of a new or existing IKE policy, you enter the vpn-config [ike-policy] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
vpn ipsec ikepolicy configure <ike policy name>
Mode
vpn
Step 2
Format
enable_mode_config {N | Y {mode_config_record <record name>}}
direction_type {Initiator | Responder | Both}
exchange_mode {Main | Aggresive}
ip_version {IPv4 | IPv6}
local_identtype {Local_Wan_IP | FQDN | User-FQDN | DER_ASN1_DN}
{local_identifier <identifier>}
remote_identtype {Remote_Wan_IP | FQDN | User-FQDN | DER_ASN1_DN}
{remote_identifier <identifier>}
encryption_algorithm {DES | 3DES | AES_128 | AES_192 | AES_256}
auth_algorithm {MD5 | SHA-1}
auth_method {Pre_shared_key {pre_shared_key <key>} |
RSA_Signature}
dh_group {Group1_768_bit | Group2_1024_bit | Group5_1536_bit}
lifetime <seconds>
enable_dead_peer_detection {N | Y {detection_period <seconds>}
{reconnect_failure_count <number>}}
extended_authentication {None | IPSecHost {xauth_username
<user name>} {xauth_password <password>} | EdgeDevice
{extended_authentication_type {User-Database | RadiusPap |
RadiusChap}}}
Mode
vpn-config [ike-policy]
Keyword Associated Keyword to
Select or Parameter to Type
Description
Mode Config record selection and general policy settings enable_mode_config Y
or N
mode_config_record
record name
Specifies whether or not the IKE policy uses a Mode Config record.
If the enable_mode_config keyword is set to Y, specifies the Mode Config record that should be used. For information about configuring Mode Config records,
vpn ipsec mode_config configure
direction_type Initiator
, Responder, or
Both
The IKE direction type:
• Initiator. The wireless VPN firewall initiates the connection to the remote endpoint.
• Responder. The wireless VPN firewall responds only to an IKE request from the remote endpoint.
• Both. The wireless VPN firewall can both initiate a connection to the remote endpoint and respond to an IKE request from the remote endpoint.
exchange_mode Main
or Aggresive The exchange mode:
• Main. This mode is slower than the
Aggressive mode but more secure.
• Aggressive. This mode is faster than the Main mode but less secure. When the IKE policy uses a Mode Config record, the exchange mode needs to be set to Aggresive.
VPN Mode Configuration Commands
181
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Keyword Associated Keyword to
Select or Parameter to Type
Description
Local and remote identifiers ip_version IPv4
or IPv6
local_identtype Local_Wan_IP local_identifier
User-FQDN
, or
DER_ASN1_DN
identifier
, FQDN,
If the local_identtype and
remote_identtype
keywords are set to
Local_Wan_IP
, specifies the IP address version for both the local and remote endpoints:
• IPv4. Both endpoints use IPv4 addresses. You need to specify IPv4 addresses for the local_identifier and remote_identifier keywords.
• IPv6. Both endpoints use IPv6 addresses. You need to specify IPv6 addresses for the local_identifier and remote_identifier keywords.
Specifies the ISAKMP identifier to be used by the wireless VPN firewall:
• Local_Wan_IP. The WAN IP address of the wireless VPN firewall. The setting of the ip_version keyword determines if you need to specify an IPv4 or IPv6 address for the local_identifier keyword.
• FQDN. The domain name for the wireless VPN firewall.
• User-FQDN. The email address for a local VPN client or the wireless VPN firewall.
• DER_ASN1_DN. A distinguished name
(DN) that identifies the wireless VPN firewall in the DER encoding and ASN.1 format.
The identifier of the wireless VPN firewall.
The setting of the local_identtype and ip_version keywords determines the type of identifier that you need to specify.
VPN Mode Configuration Commands
182
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Keyword remote_identtype Remote_Wan_IP
, FQDN,
User-FQDN
, or
DER_ASN1_DN remote_identifier
Associated Keyword to
Select or Parameter to Type
Description
identifier
Specifies the ISAKMP identifier to be used by the wireless VPN firewall:
• Remote_Wan_IP. The WAN IP address of the remote endpoint. The setting of the ip_version keyword determines if you need to specify an IPv4 or IPv6 address for the local_identifier keyword.
• FQDN. The domain name for the wireless VPN firewall.
• User-FQDN. The email address for a local VPN client or the wireless VPN firewall.
• DER_ASN1_DN. A distinguished name
(DN) that identifies the wireless VPN firewall in the DER encoding and ASN.1 format.
The identifier of the remote endpoint. The setting of the remote_identtype and
ip_version
keywords determines the type of identifier that you need to specify.
IKE SA settings

Keyword: encryption_algorithm
Associated keyword to select or parameter to type: DES, 3DES, AES_128, AES_192, or AES_256
Description: Specifies the algorithm to negotiate the security association (SA):
• DES. Data Encryption Standard (DES).
• 3DES. Triple DES.
• AES_128. Advanced Encryption Standard (AES) with a 128-bit key size.
• AES_192. AES with a 192-bit key size.
• AES_256. AES with a 256-bit key size.

Keyword: auth_algorithm
Associated keyword to select or parameter to type: MD5 or SHA-1
Description: Specifies the algorithm to be used in the VPN header for the authentication process:
• SHA-1. Hash algorithm that produces a 160-bit digest.
• MD5. Hash algorithm that produces a 128-bit digest.
Keyword: auth_method
Associated keyword to select or parameter to type: Pre_shared_key or RSA_Signature
Description: Specifies the authentication method:
• Pre_shared_key. A secret that is shared between the wireless VPN firewall and the remote endpoint. You also need to issue the pre_shared_key keyword and specify the key.
• RSA_Signature. Uses the active self-signed certificate that you uploaded on the Certificates screen of the web management interface.
Note: You cannot upload certificates by using the CLI.

Keyword: pre_shared_key
Associated keyword to select or parameter to type: key
Description: If the auth_method keyword is set to Pre_shared_key, specifies a key with a minimum length of 8 characters and no more than 49 characters.

Keyword: dh_group
Associated keyword to select or parameter to type: Group1_768_bit, Group2_1024_bit, or Group5_1536_bit
Description: The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange.

Keyword: lifetime
Associated keyword to select or parameter to type: seconds
Description: The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying occurs.

Keyword: enable_dead_peer_detection
Associated keyword to select or parameter to type: Y or N
Description: Enables or disables dead peer detection (DPD). When DPD is enabled, you also need to issue the detection_period and reconnect_failure_count keywords and associated parameters.

Keyword: detection_period
Associated keyword to select or parameter to type: seconds
Description: The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPSec traffic is idle.

Keyword: reconnect_failure_count
Associated keyword to select or parameter to type: number
Description: The maximum number of DPD failures before the wireless VPN firewall tears down the connection and then attempts to reconnect to the peer.
Extended authentication settings

Keyword: extended_authentication
Associated keyword to select or parameter to type: None, IPSecHost, or EdgeDevice
Description: Specifies whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information:
• None. XAUTH is disabled. This is the default setting.
• IPSecHost. The wireless VPN firewall functions as a VPN client of the remote gateway. In this configuration the wireless VPN firewall is authenticated by a remote gateway. You need to issue the xauth_username and xauth_password keywords and specify the associated parameters.
• EdgeDevice. The wireless VPN firewall functions as a VPN concentrator on which one or more gateway tunnels terminate. You need to issue the extended_authentication_type keyword and select an associated keyword.

Keyword: extended_authentication_type
Associated keyword to select or parameter to type: User-Database, RadiusPap, or RadiusChap
Description: If the extended_authentication keyword is set to EdgeDevice, specifies the authentication type:
• User-Database. XAUTH occurs through the wireless VPN firewall’s user database.
• RadiusPap. XAUTH occurs through RADIUS Password Authentication Protocol (PAP).
• RadiusChap. XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP).
Note: For information about how to configure a RADIUS server for authentication of VPN connections, see

Keyword: xauth_username
Associated keyword to select or parameter to type: user name
Description: If the extended_authentication keyword is set to IPSecHost, specifies a user name.

Keyword: xauth_password
Associated keyword to select or parameter to type: password
Description: If the extended_authentication keyword is set to IPSecHost, specifies a password.
Command example:
FVS318N> vpn ipsec ikepolicy configure FVS-to-Paris
vpn-config[ike-policy]> enable_mode_config N
vpn-config[ike-policy]> direction_type Both
vpn-config[ike-policy]> exchange_mode Main
vpn-config[ike-policy]> ip_version ipv4
vpn-config[ike-policy]> local_identtype Local_Wan_IP
vpn-config[ike-policy]> local_identifier 10.139.54.228
vpn-config[ike-policy]> remote_identtype Remote_Wan_IP
vpn-config[ike-policy]> remote_identifier 10.112.71.154
vpn-config[ike-policy]> encryption_algorithm 3DES
vpn-config[ike-policy]> auth_algorithm SHA-1
vpn-config[ike-policy]> auth_method Pre_shared_key
vpn-config[ike-policy]> pre_shared_key 3Tg67!JXL0Oo?
vpn-config[ike-policy]> dh_group Group2_1024_bit
vpn-config[ike-policy]> lifetime 28800
vpn-config[ike-policy]> enable_dead_peer_detection Y
vpn-config[ike-policy]> detection_period 20
vpn-config[ike-policy]> reconnect_failure_count 3
vpn-config[ike-policy]> extended_authentication EdgeDevice
vpn-config[ike-policy]> extended_authentication_type RadiusChap
vpn-config[ike-policy]> save
Related show command:
show vpn ipsec ikepolicy setup
vpn ipsec ikepolicy delete <ike policy name>
This command deletes an IKE policy by specifying the name of the IKE policy.
Format
vpn ipsec ikepolicy delete <ike policy name>
Mode
vpn
Related show command:
show vpn ipsec ikepolicy setup
IPSec VPN Policy Commands
vpn ipsec vpnpolicy configure <vpn policy name>
This command configures a new or existing auto IPSec VPN policy or manual IPSec VPN policy. After you have issued the vpn ipsec vpnpolicy configure command to specify the name of a new or existing VPN policy, you enter the vpn-config [vpn-policy] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
vpn ipsec vpnpolicy configure <vpn policy name>
Mode
vpn
Step 2
Format
general_policy_type {Auto-Policy | Manual-Policy}
general_ip_version {IPv4 | IPv6}
general_remote_end_point_type {FQDN {general_remote_end_point
fqdn <domain name> | IP-Address {general_remote_end_point
ip_address <ipaddress> | {general_remote_end_point
ipv6_address <ipv6-address>}}
general_enable_netbios {N | Y}
auto_initiate_policy {N | Y}
general_enable_keep_alive {N | Y {general_ping_ipaddress
<ipaddress> | {general_ping_ipaddress6 <ipv6-address>}
{general_keep_alive_detection_period <seconds>}
{general_keep_alive_failureCount <number>}}
general_local_network_type {ANY | SINGLE
{general_local_start_address <ipaddress> |
general_local_start_address_ipv6 <ipv6-address>} | RANGE
{{general_local_start_address <ipaddress>}
{general_local_end_address <ipaddress>} |
{general_local_start_address_ipv6 <ipv6-address>}
{general_local_end_address_ipv6 <ipv6-address>}} | SUBNET
{{general_local_start_address <ipaddress>}
{general_local_subnet_mask <subnet mask>} |
{general_local_start_address_ipv6 <ipv6-address>}
{general_local_ipv6_prefix_length <prefix length>}}}
general_remote_network_type {ANY | SINGLE
{general_remote_start_address <ipaddress> |
general_remote_start_address_ipv6 <ipv6-address>} | RANGE
{{general_remote_start_address <ipaddress>}
{general_remote_end_address <ipaddress>} |
{general_remote_start_address_ipv6 <ipv6-address>}
{general_remote_end_address_ipv6 <ipv6-address>}} | SUBNET
{{general_remote_start_address <ipaddress>}
{general_remote_subnet_mask <subnet mask>} |
{general_remote_start_address_ipv6 <ipv6-address>}
{general_remote_ipv6_prefix_length <prefix length>}}}
manual_spi_in <number>
manual_encryption_algorithm {None | DES | 3DES | AES-128 |
AES-192 | AES-256}
manual_encryption_key_in <key>
manual_encryption_key_out <key>
manual_spi_out <number>
manual_authentication_algorithm {MD5 | SHA-1}
manual_authentication_key_in <key>
manual_authentication_key_out <key>
auto_sa_lifetime {bytes <number> | {seconds <seconds>}
auto_encryption_algorithm {None | DES | 3DES | AES-128 |
AES-192 | AES-256}
auto_authentication_algorithm {MD5 | SHA-1}
auto_enable_pfskeygroup {N | Y {auto_dh_group {Group1_768_bit |
Group2_1024_bit | Group5_1536_bit}}}
auto_select_ike_policy <ike policy name>
Mode
vpn-config [vpn-policy]
Keywords in this table might consist of two separate words.

General policy settings

Keyword: general_policy_type
Associated keyword to select or parameter to type: Auto-Policy or Manual-Policy
Description: Specifies whether the policy type is an auto or manual VPN policy:
• Auto-Policy. The inbound and outbound policy settings for the VPN tunnel are automatically generated after you have issued the keywords and associated parameters that are listed in the Auto policy settings section of this table. All other VPN policy settings need to be specified manually.
• Manual-Policy. All settings need to be specified manually, excluding the ones in the Auto policy settings section of this table.
Keyword: general_ip_version
Associated keyword to select or parameter to type: IPv4 or IPv6
Description: If the general_remote_end_point_type keyword is set to IP-Address, specifies the IP address version for the remote endpoint, local address information, and remote address information:
• IPv4. The IPv4 selection requires you to specify IPv4 addresses for the following keywords:
- general_remote_end_point ipaddress
- general_local_start_address
- general_local_end_address
- general_remote_start_address
- general_remote_end_address
• IPv6. The IPv6 selection requires you to specify IPv6 addresses for the following keywords:
- general_remote_end_point ipv6address
- general_local_start_address_ipv6
- general_local_end_address_ipv6
- general_remote_start_address_ipv6
- general_remote_end_address_ipv6

Keyword: general_remote_end_point_type
Associated keyword to select or parameter to type: IP-Address or FQDN
Description: Specifies whether the remote endpoint is defined by an IP address or a domain name:
• IP-Address. Depending on the setting of the general_ip_version keyword, you need to either issue the general_remote_end_point ip_address keyword and specify an IPv4 address or issue the general_remote_end_point ipv6_adress keyword and specify an IPv6 address.
• FQDN. You need to issue the general_remote_end_point fqdn keyword and specify a domain name.

Keyword: general_remote_end_point fqdn
Associated keyword to select or parameter to type: domain name
Description: If the general_remote_end_point_type keyword is set to FQDN, the domain name (FQDN) of the remote endpoint.

Keyword: general_remote_end_point ip_adress
Associated keyword to select or parameter to type: ipaddress
Description: If the general_remote_end_point_type keyword is set to IP-Address, and if the general_ip_version keyword is set to IPv4, the IPv4 address of the remote endpoint.
Keyword: general_remote_end_point ipv6_adress
Associated keyword to select or parameter to type: ipv6-address
Description: If the general_remote_end_point_type keyword is set to IP-Address, and if the general_ip_version keyword is set to IPv6, the IPv6 address of the remote endpoint.

Keyword: general_enable_netbios
Associated keyword to select or parameter to type: Y or N
Description: Enables or disables NetBIOS broadcasts to travel over the VPN tunnel.
Note: If you enable NetBIOS, you do not have to configure the remote address information for the traffic selector settings (that is, you do not need to issue any keywords that start with general_remote).

Keyword: auto_initiate_policy
Associated keyword to select or parameter to type: Y or N
Description: Enables or disables the automatic establishment of the VPN tunnel when there is no traffic.
Note: You cannot enable automatic establishment of the VPN tunnel if the direction_type keyword under the vpn ipsec ikepolicy configure <ike policy name> command is set to Responder.

Keyword: general_enable_keep_alive
Associated keyword to select or parameter to type: Y or N
Description: Enables or disables the wireless VPN firewall to send keep-alive requests (ping packets) to the remote endpoint to keep the tunnel alive. If you enable keep-alives, you also need to issue the following keywords:
• Either general_ping_ipaddress to specify an IPv4 address or general_ping_ipaddress6 to specify an IPv6 address.
• general_keep_alive_detection_period to specify the detection period.
• general_keep_alive_failue_count to specify the failure count.

Keyword: general_ping_ipaddress
Associated keyword to select or parameter to type: ipaddress
Description: The IPv4 address to send keep-alive requests to.

Keyword: general_ping_ipaddress6
Associated keyword to select or parameter to type: ipv6-address
Description: The IPv6 address to send keep-alive requests to.

Keyword: general_keep_alive_detection_period
Associated keyword to select or parameter to type: seconds
Description: The period in seconds between consecutive keep-alive requests, which are sent only when the IPSec traffic is idle.
Keyword: general_keep_alive_failue_count
Associated keyword to select or parameter to type: number
Description: The maximum number of keep-alive request failures before the wireless VPN firewall tears down the connection and then attempts to reconnect to the peer.

Traffic selector settings—Local address information

Keyword: general_local_network_type
Associated keyword to select or parameter to type: ANY, SINGLE, RANGE, or SUBNET
Description: Specifies the address or addresses that are part of the VPN tunnel on the wireless VPN firewall:
• ANY. All computers and devices on the network.
• SINGLE. A single IP address on the network. Depending on the setting of the general_ip_version keyword, issue one of the following keywords:
- general_local_start_address to specify an IPv4 address.
- general_local_start_address_ipv6 to specify an IPv6 address.
• RANGE. A range of IP addresses on the network. Depending on the setting of the general_ip_version keyword, issue one of the following sets of keywords:
- general_local_start_address and general_local_end_address to specify IPv4 addresses.
- general_local_start_address_ipv6 and general_local_end_address_ipv6 to specify IPv6 addresses.
• SUBNET. A subnet on the network. Depending on the setting of the general_ip_version keyword, issue one of the following sets of keywords:
- general_local_start_address to specify an IPv4 address and general_local_subnet_mask to specify a subnet mask.
- general_local_start_address_ipv6 to specify an IPv6 address and general_local_ipv6_prefix_length to specify a prefix length.

Keyword: general_local_start_address
Associated keyword to select or parameter to type: ipaddress
Description: If the general_local_network_type keyword is set to SINGLE, RANGE, or SUBNET, and if the general_ip_version keyword is set to IPv4, specifies the local IPv4 (start) address.
Keyword: general_local_end_address
Associated keyword to select or parameter to type: ipaddress
Description: If the general_local_network_type keyword is set to RANGE, and if the general_ip_version keyword is set to IPv4, specifies the local IPv4 end address.

Keyword: general_local_subnet_mask
Associated keyword to select or parameter to type: subnet mask
Description: If the general_local_network_type keyword is set to SUBNET, and if the general_ip_version keyword is set to IPv4, specifies the subnet mask.

Keyword: general_local_start_address_ipv6
Associated keyword to select or parameter to type: ipv6-address
Description: If the general_local_network_type keyword is set to SINGLE, RANGE, or SUBNET, and if the general_ip_version keyword is set to IPv6, specifies the local IPv6 (start) address.

Keyword: general_local_end_address_ipv6
Associated keyword to select or parameter to type: ipv6-address
Description: If the general_local_network_type keyword is set to RANGE, and if the general_ip_version keyword is set to IPv6, specifies the local IPv6 end address.

Keyword: general_local_ipv6_prefix_length
Associated keyword to select or parameter to type: prefix length
Description: If the general_local_network_type keyword is set to SUBNET, and if the general_ip_version keyword is set to IPv6, specifies the prefix length.
Traffic selector settings—Remote address information

Keyword: general_remote_network_type
Associated keyword to select or parameter to type: ANY, SINGLE, RANGE, or SUBNET
Description: Specifies the address or addresses that are part of the VPN tunnel on the remote end:
• ANY. All computers and devices on the network.
• SINGLE. A single IP address on the network. Depending on the setting of the general_ip_version keyword, issue one of the following keywords:
- general_remote_start_address to specify an IPv4 address.
- general_remote_start_address_ipv6 to specify an IPv6 address.
• RANGE. A range of IP addresses on the network. Depending on the setting of the general_ip_version keyword, issue one of the following sets of keywords:
- general_remote_start_address and general_remote_end_address to specify IPv4 addresses.
- general_remote_start_address_ipv6 and general_remote_end_address_ipv6 to specify IPv6 addresses.
• SUBNET. A subnet on the network. Depending on the setting of the general_ip_version keyword, issue one of the following sets of keywords:
- general_remote_start_address to specify an IPv4 address and general_remote_subnet_mask to specify a subnet mask.
- general_remote_start_address_ipv6 to specify an IPv6 address and general_remote_ipv6_prefix_length to specify a prefix length.

Keyword: general_remote_start_address
Associated keyword to select or parameter to type: ipaddress
Description: If the general_remote_network_type keyword is set to SINGLE, RANGE, or SUBNET, and if the general_ip_version keyword is set to IPv4, specifies the remote IPv4 (start) address.

Keyword: general_remote_end_address
Associated keyword to select or parameter to type: ipaddress
Description: If the general_remote_network_type keyword is set to RANGE, and if the general_ip_version keyword is set to IPv4, specifies the remote IPv4 end address.
Keyword: general_remote_subnet_mask
Associated keyword to select or parameter to type: subnet mask
Description: If the general_remote_network_type keyword is set to SUBNET, and if the general_ip_version keyword is set to IPv4, specifies the subnet mask.

Keyword: general_remote_start_address_ipv6
Associated keyword to select or parameter to type: ipv6-address
Description: If the general_remote_network_type keyword is set to SINGLE, RANGE, or SUBNET, and if the general_ip_version keyword is set to IPv6, specifies the remote IPv6 (start) address.

Keyword: general_remote_end_address_ipv6
Associated keyword to select or parameter to type: ipv6-address
Description: If the general_remote_network_type keyword is set to RANGE, and if the general_ip_version keyword is set to IPv6, specifies the remote IPv6 end address.

Keyword: general_remote_ipv6_prefix_length
Associated keyword to select or parameter to type: prefix length
Description: If the general_remote_network_type keyword is set to SUBNET, and if the general_ip_version keyword is set to IPv6, specifies the prefix length.

Manual policy settings—Inbound policy

Keyword: manual_spi_in
Associated keyword to select or parameter to type: number
Description: The Security Parameter Index (SPI) for the inbound policy as a hexadecimal value between 3 and 8 characters.

Keyword: manual_encryption_algorithm
Associated keyword to select or parameter to type: None, DES, 3DES, AES-128, AES-192, or AES-256
Description: Specifies the encryption algorithm, if any, to negotiate the security association (SA):
• None.
• DES. Data Encryption Standard (DES).
• 3DES. Triple DES.
• AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192. AES with a 192-bit key size.
• AES-256. AES with a 256-bit key size.

Keyword: manual_encryption_key_in
Associated keyword to select or parameter to type: key
Description: The encryption key for the inbound policy. The length of the key depends on the setting of the manual_encryption_algorithm keyword.

Keyword: manual_encryption_key_out
Associated keyword to select or parameter to type: key
Description: The encryption key for the outbound policy. The length of the key depends on the setting of the manual_encryption_algorithm keyword.
Manual policy settings—Outbound policy

Keyword: manual_spi_out
Associated keyword to select or parameter to type: number
Description: The Security Parameters Index (SPI) for the outbound policy as a hexadecimal value between 3 and 8 characters.

Keyword: manual_authentication_algorithm
Associated keyword to select or parameter to type: MD5 or SHA-1
Description: Specifies the authentication algorithm to negotiate the security association (SA):
• SHA-1. Hash algorithm that produces a 160-bit digest.
• MD5. Hash algorithm that produces a 128-bit digest.

Keyword: manual_authentication_key_in
Associated keyword to select or parameter to type: key
Description: The encryption key for the inbound policy. The length of the key depends on the setting of the manual_authentication_algorithm keyword.

Keyword: manual_authentication_key_out
Associated keyword to select or parameter to type: key
Description: The encryption key for the outbound policy. The length of the key depends on the setting of the manual_authentication_algorithm keyword.

Auto policy settings

Keyword: auto_sa_lifetime bytes or auto_sa_lifetime seconds
Associated keyword to select or parameter to type: number or seconds
Description: The lifetime of the security association (SA) is the period or the amount of transmitted data after which the SA becomes invalid and needs to be renegotiated. Either issue the auto_sa_lifetime bytes keyword and specify the number of bytes, or issue the auto_sa_lifetime seconds keyword and specify the period in seconds.

Keyword: auto_encryption_algorithm
Associated keyword to select or parameter to type: None, DES, 3DES, AES-128, AES-192, or AES-256
Description: Specifies the encryption algorithm, if any, to negotiate the security association (SA):
• None.
• DES. Data Encryption Standard (DES).
• 3DES. Triple DES.
• AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192. AES with a 192-bit key size.
• AES-256. AES with a 256-bit key size.
Keyword: auto_authentication_algorithm
Associated keyword to select or parameter to type: MD5 or SHA-1
Description: Specifies the authentication algorithm to negotiate the security association (SA):
• SHA-1. Hash algorithm that produces a 160-bit digest.
• MD5. Hash algorithm that produces a 128-bit digest.

Keyword: auto_enable_pfskeygroup
Associated keyword to select or parameter to type: Y or N
Description: Enables or disables Perfect Forward Secrecy (PFS). If you enable PFS, you need to issue the auto_dh_group keyword to specify a group.

Keyword: auto_dh_group
Associated keyword to select or parameter to type: Group1_768_bit, Group2_1024_bit, or Group5_1536_bit
Description: Specifies a Diffie-Hellman (DH) group, which sets the strength of the algorithm in bits. The higher the group, the more secure the exchange.

Keyword: auto_select_ike_policy
Associated keyword to select or parameter to type: ike policy name
Description: Select an existing IKE policy that defines the authentication negotiation.
Command example:
FVS318N> vpn ipsec vpnpolicy configure FVS-to-Paris
vpn-config[vpn-policy]> general_policy_type Auto-Policy
vpn-config[vpn-policy]> general_ip_version IPv4
vpn-config[vpn-policy]> general_remote_end_point_type IP-Address
vpn-config[vpn-policy]> general_remote_end_point ip_address 10.112.71.154
vpn-config[vpn-policy]> general_local_network_type SUBNET
vpn-config[vpn-policy]> general_local_start_address 192.168.1.0
vpn-config[vpn-policy]> general_local_subnet_mask 255.255.255.0
vpn-config[vpn-policy]> general_remote_network_type SUBNET
vpn-config[vpn-policy]> general_remote_start_address 192.168.50.0
vpn-config[vpn-policy]> general_remote_subnet_mask 255.255.255.255
vpn-config[vpn-policy]> auto_sa_lifetime seconds 3600
vpn-config[vpn-policy]> auto_encryption_algorithm 3DES
vpn-config[vpn-policy]> auto_authentication_algorithm SHA-1
vpn-config[vpn-policy]> auto_select_ike_policy FVS-to-Paris
vpn-config[vpn-policy]> save
Related show commands:
show vpn ipsec vpnpolicy setup
show vpn ipsec vpnpolicy status
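The traffic selector keywords decide which addresses are allowed through the tunnel, so it is worth resolving them to concrete networks before saving a policy. The following Python script is an added example, not part of the NETGEAR manual or firmware: it resolves the ANY, SINGLE, RANGE, and SUBNET settings for either side, for IPv4 or IPv6, and shows that a SUBNET selector with the mask 255.255.255.255 resolves to a single address under ordinary IPv4 mask semantics. The function names and the modelling of ANY as the whole address space are assumptions of this example.

```python
import ipaddress

# Traffic selector keywords and values as typed in the FVS-to-Paris
# command example for vpn ipsec vpnpolicy configure.
MANUAL_EXAMPLE = {
    "general_ip_version": "IPv4",
    "general_local_network_type": "SUBNET",
    "general_local_start_address": "192.168.1.0",
    "general_local_subnet_mask": "255.255.255.0",
    "general_remote_network_type": "SUBNET",
    "general_remote_start_address": "192.168.50.0",
    "general_remote_subnet_mask": "255.255.255.255",
}


def selector_networks(cfg, side):
    """Resolve the general_<side>_* keywords ("local" or "remote") to networks."""
    v6 = cfg.get("general_ip_version") == "IPv6"
    sfx = "_ipv6" if v6 else ""  # IPv6 address keywords carry an _ipv6 suffix
    kind = cfg[f"general_{side}_network_type"]
    if kind == "ANY":
        # Assumption of this example: ANY is modelled as every address.
        return [ipaddress.ip_network("::/0" if v6 else "0.0.0.0/0")]
    start = cfg[f"general_{side}_start_address{sfx}"]
    if kind == "SINGLE":
        return [ipaddress.ip_network(start)]  # becomes a /32 or /128
    if kind == "RANGE":
        end = cfg[f"general_{side}_end_address{sfx}"]
        # Raises ValueError when the end address is below the start address.
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    if kind == "SUBNET":
        size = cfg[f"general_{side}_ipv6_prefix_length" if v6
                   else f"general_{side}_subnet_mask"]
        # strict=False accepts a start address that has host bits set.
        return [ipaddress.ip_network(f"{start}/{size}", strict=False)]
    raise ValueError(f"unknown network type: {kind}")


def address_count(cfg, side):
    """Number of addresses the selector on this side covers."""
    return sum(net.num_addresses for net in selector_networks(cfg, side))


def in_tunnel(cfg, side, host):
    """True if host falls inside the selector on this side."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in selector_networks(cfg, side))


if __name__ == "__main__":
    for side in ("local", "remote"):
        nets = selector_networks(MANUAL_EXAMPLE, side)
        print(side, [str(n) for n in nets], address_count(MANUAL_EXAMPLE, side))
```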
vpn ipsec vpnpolicy delete <vpn policy name>
This command deletes a VPN policy by specifying the name of the VPN policy.
Format
vpn ipsec vpnpolicy delete <vpn policy name>
Mode
vpn
Related show command:
show vpn ipsec vpnpolicy setup
vpn ipsec vpnpolicy disable <vpn policy name>
This command disables a VPN connection by specifying the name of the VPN policy.
Format
vpn ipsec vpnpolicy disable <vpn policy name>
Mode
vpn
Related show command:
show vpn ipsec vpnpolicy setup
vpn ipsec vpnpolicy enable <vpn policy name>
This command enables a VPN connection by specifying the name of the VPN policy.
Format
vpn ipsec vpnpolicy enable <vpn policy name>
Mode
vpn
Related show command:
show vpn ipsec vpnpolicy setup
vpn ipsec vpnpolicy connect <vpn policy name>
This command establishes a VPN connection by specifying the name of the VPN policy.
Format
vpn ipsec vpnpolicy connect <vpn policy name>
Mode
vpn
Related show command:
show vpn ipsec vpnpolicy setup
show vpn ipsec vpnpolicy status
vpn ipsec vpnpolicy drop <vpn policy name>
This command terminates an active VPN connection by specifying the name of the VPN policy.
Format
vpn ipsec vpnpolicy drop <vpn policy name>
Mode
vpn
Related show commands:
show vpn ipsec vpnpolicy setup
show vpn ipsec vpnpolicy status
IPSec VPN Mode Config Commands
vpn ipsec mode_config configure <record name>
This command configures a Mode Config record. After you have issued the vpn ipsec mode_config configure command to specify a record name, you enter the vpn-config [modeConfig] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
vpn ipsec mode_config configure <record name>
Mode
vpn
Step 2
Format
first_pool_start_ip <ipaddress>
first_pool_end_ip <ipaddress>
second_pool_start_ip <ipaddress>
second_pool_end_ip <ipaddress>
third_pool_start_ip <ipaddress>
third_pool_end_ip <ipaddress>
wins_server_primary_ip <ipaddress>
wins_server_secondary_ip <ipaddress>
dns_server_primary_ip <ipaddress>
dns_server_secondary_ip <ipaddress>
pfs_key_group {N | Y {dh_group {Group1_768_bit |
Group2_1024_bit | Group5_1536_bit}}}
sa_lifetime_type {Seconds {sa_lifetime <seconds>} | KBytes
{sa_lifetime <KBytes>}}
encryption_algorithm {None | DES | 3DES | AES-128 |
AES-192 | AES-256}
integrity_algorithm {MD5 | SHA-1}
local_ip <ipaddress>
local_subnet_mask <subnet mask>
Mode
vpn-config [modeConfig]

Client pool

Keyword: first_pool_start_ip
Associated keyword to select or parameter to type: ipaddress
Description: The start IP address for the first Mode Config pool.

Keyword: first_pool_end_ip
Associated keyword to select or parameter to type: ipaddress
Description: The end IP address for the first Mode Config pool.

Keyword: second_pool_start_ip
Associated keyword to select or parameter to type: ipaddress
Description: The start IP address for the second Mode Config pool.

Keyword: second_pool_end_ip
Associated keyword to select or parameter to type: ipaddress
Description: The end IP address for the second Mode Config pool.

Keyword: third_pool_start_ip
Associated keyword to select or parameter to type: ipaddress
Description: The start IP address for the third Mode Config pool.

Keyword: third_pool_end_ip
Associated keyword to select or parameter to type: ipaddress
Description: The end IP address for the third Mode Config pool.

Keyword: wins_server_primary_ip
Associated keyword to select or parameter to type: ipaddress
Description: The IP address of the first WINS server.

Keyword: wins_server_secondary_ip
Associated keyword to select or parameter to type: ipaddress
Description: The IP address of the second WINS server.

Keyword: dns_server_primary_ip
Associated keyword to select or parameter to type: ipaddress
Description: The IP address of the first DNS server that is used by remote VPN clients.

Keyword: dns_server_secondary_ip
Associated keyword to select or parameter to type: ipaddress
Description: The IP address of the second DNS server that is used by remote VPN clients.

Traffic tunnel security level

Keyword: pfs_key_group
Associated keyword to select or parameter to type: Y or N
Description: Enables or disables Perfect Forward Secrecy (PFS). If you enable PFS, you need to issue the dh_group keyword to specify a group.

Keyword: dh_group
Associated keyword to select or parameter to type: Group1_768_bit, Group2_1024_bit, or Group5_1536_bit
Description: Specifies a Diffie-Hellman (DH) group, which sets the strength of the algorithm in bits. The higher the group, the more secure the exchange.
Keyword: sa_lifetime_type
Associated keyword to select or parameter to type: Seconds or KBytes
Description: Specifies whether the sa_lifetime keyword is set in seconds or Kbytes.

Keyword: sa_lifetime
Associated keyword to select or parameter to type: seconds or number
Description: Depending on the setting of the sa_lifetime_type keyword, the SA lifetime in seconds or in KBytes.

Keyword: encryption_algorithm
Associated keyword to select or parameter to type: None, DES, 3DES, AES-128, AES-192, or AES-256
Description: Specifies the encryption algorithm, if any, to negotiate the security association (SA):
• None.
• DES. Data Encryption Standard (DES).
• 3DES. Triple DES.
• AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192. AES with a 192-bit key size.
• AES-256. AES with a 256-bit key size.

Keyword: integrity_algorithm
Associated keyword to select or parameter to type: MD5 or SHA-1
Description: Specifies the authentication (integrity) algorithm to negotiate the security association (SA):
• SHA-1. Hash algorithm that produces a 160-bit digest.
• MD5. Hash algorithm that produces a 128-bit digest.

Keyword: local_ip
Associated keyword to select or parameter to type: ipaddress
Description: The local IPv4 address to which remote VPN clients have access. If you do not specify a local IP address, the wireless VPN firewall’s default LAN IP address is used.

Keyword: local_subnet_mask
Associated keyword to select or parameter to type: subnet mask
Description: The local subnet mask.
Command example:
FVS318N> vpn ipsec mode_config configure iphone
vpn-config[modeConfig]> first_pool_start_ip 10.100.10.1
vpn-config[modeConfig]> first_pool_end_ip 10.100.10.12
vpn-config[modeConfig]> dns_server_primary_ip 192.168.1.1
vpn-config[modeConfig]> pfs_key_group Y
vpn-config[modeConfig]> dh_group Group2_1024_bit
vpn-config[modeConfig]> sa_lifetime_type Seconds
vpn-config[modeConfig]> sa_lifetime 3600
vpn-config[modeConfig]> encryption_algorithm 3DES
vpn-config[modeConfig]> integrity_algorithm SHA-1
vpn-config[modeConfig]> local_ip 192.168.1.0
vpn-config[modeConfig]> local_subnet_mask 255.255.255.0
vpn-config[modeConfig]> save
Related show command:
show vpn ipsec mode_config setup
vpn ipsec modeConfig delete <record name>
This command deletes a Mode Config record by specifying its record name.
Format
vpn ipsec modeConfig delete <record name>
Mode
vpn
Related show command:
show vpn ipsec mode_config setup
SSL VPN Portal Layout Commands
vpn sslvpn portal-layouts add
This command configures a new SSL VPN portal layout. After you have issued the vpn sslvpn portal-layouts add command, you enter the [portal-settings] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
vpn sslvpn portal-layouts add
Mode
vpn
Step 2
Format
portal_name <portal name>
portal_title <portal title>
banner_title <banner title>
banner_message <message text>
display_banner {Y | N}
enable_httpmetatags {Y | N}
enable_activex_web_cache_cleaner {Y | N}
enable_vpntunnel {Y | N}
enable_portforwarding {Y | N}
Mode
[portal-settings]
Keyword: portal_name
Associated keyword to select or parameter to type: portal name
Description: The portal name (alphanumeric string).

Keyword: portal_title
Associated keyword to select or parameter to type: portal title
Description: The portal title (alphanumeric string). Place text that consists of more than one word between quotes.

Keyword: banner_title
Associated keyword to select or parameter to type: banner name
Description: The banner title (alphanumeric string). Place text that consists of more than one word between quotes.

Keyword: banner_message
Associated keyword to select or parameter to type: message text
Description: The banner message (alphanumeric string). Place text that consists of more than one word between quotes.

Keyword: display_banner
Associated keyword to select or parameter to type: Y or N
Description: Specifies whether or not the banner message is displayed.

Keyword: enable_httpmetatags
Associated keyword to select or parameter to type: Y or N
Description: Specifies whether or not HTTP meta tags are enabled.

Keyword: enable_activex_web_cache_cleaner
Associated keyword to select or parameter to type: Y or N
Description: Specifies whether or not the ActiveX web cache cleaner is enabled.

Keyword: enable_vpntunnel
Associated keyword to select or parameter to type: Y or N
Description: Specifies whether or not the VPN tunnel is enabled.

Keyword: enable_portforwarding
Associated keyword to select or parameter to type: Y or N
Description: Specifies whether or not port forwarding is enabled.
Command example:
FVS318N> vpn sslvpn portal-layouts add
[portal-settings]> portal_name CSup
[portal-settings]> portal_title "Customer Support"
[portal-settings]> banner_title "Welcome to Customer Support"
[portal-settings]> banner_message "In case of login difficulty, call 123-456-7890."
[portal-settings]> display_banner Y
[portal-settings]> enable_httpmetatags Y
[portal-settings]> enable_activex_web_cache_cleaner Y
[portal-settings]> enable_vpntunnel Y
[portal-settings]> save
Related show command:
show vpn sslvpn portal-layouts
vpn sslvpn portal-layouts edit <row id>
This command configures an existing SSL VPN portal layout. After you have issued the vpn sslvpn portal-layouts edit command to specify the row to be edited, you enter the [portal-settings] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
vpn sslvpn portal-layouts edit <row id>
Mode
vpn
Step 2
Format
portal_name <portal name>
portal_title <portal title>
banner_title <banner title>
banner_message <message text>
display_banner {Y | N}
enable_httpmetatags {Y | N}
enable_activex_web_cache_cleaner {Y | N}
enable_vpntunnel {Y | N}
enable_portforwarding {Y | N}
Mode
[portal-settings]
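Keyword: portal_name
Associated keyword to select or parameter to type: portal name
Description: The portal name (alphanumeric string).

Keyword: portal_title
Associated keyword to select or parameter to type: portal title
Description: The portal title (alphanumeric string). Place text that consists of more than one word between quotes.

Keyword: banner_title
Associated keyword to select or parameter to type: banner name
Description: The banner title (alphanumeric string). Place text that consists of more than one word between quotes.

Keyword: banner_message
Associated keyword to select or parameter to type: message text
Description: The banner message (alphanumeric string). Place text that consists of more than one word between quotes.

Keyword: display_banner
Associated keyword to select or parameter to type: Y or N
Description: Specifies whether or not the banner message is displayed.

Keyword: enable_httpmetatags
Associated keyword to select or parameter to type: Y or N
Description: Specifies whether or not HTTP meta tags are enabled.

Keyword: enable_activex_web_cache_cleaner
Associated keyword to select or parameter to type: Y or N
Description: Specifies whether or not the ActiveX web cache cleaner is enabled.

Keyword: enable_vpntunnel
Associated keyword to select or parameter to type: Y or N
Description: Specifies whether or not the VPN tunnel is enabled.

Keyword: enable_portforwarding
Associated keyword to select or parameter to type: Y or N
Description: Specifies whether or not port forwarding is enabled.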
Related show command:
show vpn sslvpn portal-layouts
vpn sslvpn portal-layouts delete <row id>
This command deletes an SSL VPN portal layout by specifying its row ID.
Format  vpn sslvpn portal-layouts delete <row id>
Mode    vpn
Related show command:
show vpn sslvpn portal-layouts
SSL VPN Authentication Domain Commands
vpn sslvpn users domains add
This command configures a new authentication domain that is not limited to SSL VPN users.
After you have issued the vpn sslvpn users domains add command, you enter the users-config [domains] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format  vpn sslvpn users domains add
Mode    vpn
Step 2
Format  domain_name <domain name>
        portal <portal name>
        authentication_type {LocalUserDatabase | Radius-PAP |
        Radius-CHAP | Radius-MSCHAP | Radius-MSCHAPv2 | WIKID-PAP |
        WIKID-CHAP | MIAS-PAP | MIAS-CHAP | NTDomain |
        ActiveDirectory | LDAP}
        authentication_server1 <ipaddress>
        authentication_secret <secret>
        workgroup <group name>
        ldap_base_dn <distinguished name>
        active_directory_domain <domain name>
Mode    users-config [domains]
Keyword | Associated Keyword to Select or Parameter to Type | Description
domain_name | domain name | The domain name (alphanumeric string).
portal | portal name | The portal name (alphanumeric string).
Note:
For information about how to configure
.
authentication_type | LocalUserDatabase, Radius-PAP, Radius-CHAP, Radius-MSCHAP, Radius-MSCHAPv2, WIKID-PAP, WIKID-CHAP, MIAS-PAP, MIAS-CHAP, NTDomain, ActiveDirectory, or LDAP | The authentication method that is applied to the domain:
• For all selections with the exception of LocalUserDatabase, you need to issue the authentication_server1 keyword and specify an IP address.
• For all PAP and CHAP selections, you need to issue the authentication_secret keyword and specify a secret.
• For the NTDomain selection, you need to issue the workgroup keyword and specify the workgroup.
• For the ActiveDirectory selection, you need to issue the active_directory_domain keyword and specify the Active Directory.
• For the LDAP selection, you need to issue the ldap_base_dn keyword and specify a DN.
authentication_server1 | ipaddress | The IP address of the authentication server.
authentication_secret | secret | The authentication secret (alphanumeric string).
workgroup | group name | The NT domain workgroup name (alphanumeric string).
ldap_base_dn | distinguished name | The LDAP base distinguished name (DN; alphanumeric string). Do not include spaces.
active_directory_domain | domain name | The Active Directory domain name (alphanumeric string).
Command example:
FVS318N> vpn sslvpn users domains add
users-config[domains]> active_directory_domain Headquarter
users-config[domains]> portal CSup
users-config[domains]> authentication_type LDAP
users-config[domains]> authentication_server1 192.168.24.118
users-config[domains]> ldap_base_dn dc=netgear,dc=com
users-config[domains]> save
Related show command:
vpn sslvpn users domains edit <row id>
This command configures an existing authentication domain that is not limited to SSL VPN users. After you have issued the vpn sslvpn users domains edit command to specify the row to be edited, you enter the users-config [domains] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format  vpn sslvpn users domains edit <row id>
Mode    vpn
Step 2
Format  domain_name <domain name>
        portal <portal name>
        authentication_type {LocalUserDatabase | Radius-PAP |
        Radius-CHAP | Radius-MSCHAP | Radius-MSCHAPv2 | WIKID-PAP |
        WIKID-CHAP | MIAS-PAP | MIAS-CHAP | NTDomain |
        ActiveDirectory | LDAP}
        authentication_server1 <ipaddress>
        authentication_secret <secret>
        workgroup <group name>
        ldap_base_dn <distinguished name>
        active_directory_domain <domain name>
Mode    users-config [domains]
Keyword | Associated Keyword to Select or Parameter to Type | Description
domain_name | domain name | The domain name (alphanumeric string).
portal | portal name | The portal name (alphanumeric string).
Note:
For information about how to configure
.
authentication_type | LocalUserDatabase, Radius-PAP, Radius-CHAP, Radius-MSCHAP, Radius-MSCHAPv2, WIKID-PAP, WIKID-CHAP, MIAS-PAP, MIAS-CHAP, NTDomain, ActiveDirectory, or LDAP | The authentication method that is applied to the domain:
• For all selections with the exception of LocalUserDatabase, you need to issue the authentication_server1 keyword and specify an IP address.
• For all PAP and CHAP selections, you need to issue the authentication_secret keyword and specify a secret.
• For the NTDomain selection, you need to issue the workgroup keyword and specify the workgroup.
• For the ActiveDirectory selection, you need to issue the active_directory_domain keyword and specify the Active Directory.
• For the LDAP selection, you need to issue the ldap_base_dn keyword and specify a DN.
authentication_server1 | ipaddress | The IP address of the authentication server.
authentication_secret | secret | The authentication secret (alphanumeric string).
workgroup | group name | The NT domain workgroup name (alphanumeric string).
ldap_base_dn | distinguished name | The LDAP base distinguished name (DN; alphanumeric string). Do not include spaces.
active_directory_domain | domain name | The Active Directory domain name (alphanumeric string).
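The keyword dependencies that the add and edit tables list for authentication_type can be checked mechanically before a session is typed into the firewall. The following Python linter is an added example, not NETGEAR code: its function names are hypothetical, it reads "all PAP and CHAP selections" as every type whose name contains PAP or CHAP, and it assumes the transcript carries the complete domain definition.

```python
import ipaddress
import re

# The twelve values the Format line allows for authentication_type.
AUTH_TYPES = (
    "LocalUserDatabase", "Radius-PAP", "Radius-CHAP", "Radius-MSCHAP",
    "Radius-MSCHAPv2", "WIKID-PAP", "WIKID-CHAP", "MIAS-PAP", "MIAS-CHAP",
    "NTDomain", "ActiveDirectory", "LDAP",
)

# Keywords that the table ties to exactly one authentication_type.
TYPE_SPECIFIC = {
    "workgroup": "NTDomain",
    "active_directory_domain": "ActiveDirectory",
    "ldap_base_dn": "LDAP",
}

PROMPT = re.compile(r"^users-config\s*\[domains\]>\s*(\S+)\s*(.*)$")

# Transcript copied from the manual's command example for "domains add".
MANUAL_EXAMPLE = """\
FVS318N> vpn sslvpn users domains add
users-config[domains]> active_directory_domain Headquarter
users-config[domains]> portal CSup
users-config[domains]> authentication_type LDAP
users-config[domains]> authentication_server1 192.168.24.118
users-config[domains]> ldap_base_dn dc=netgear,dc=com
users-config[domains]> save
"""

# Constructed transcript (not from the manual) with two mistakes.
CONSTRUCTED_BAD = """\
FVS318N> vpn sslvpn users domains add
users-config[domains]> domain_name Branch
users-config[domains]> portal CSup
users-config[domains]> authentication_type Radius-MSCHAPv2
users-config[domains]> authentication_server1 192.168.24.300
users-config[domains]> save
"""


def parse_session(transcript):
    """Return {keyword: value} for each line typed at the users-config[domains] prompt."""
    settings = {}
    for line in transcript.splitlines():
        match = PROMPT.match(line.strip())
        if match and match.group(1) != "save":
            settings[match.group(1)] = match.group(2).strip()
    return settings


def required_keywords(auth_type):
    """Keywords the authentication_type table makes mandatory for this type."""
    required = []
    if auth_type != "LocalUserDatabase":
        required.append("authentication_server1")
    # Interpretation (assumption): MSCHAP and MSCHAPv2 count as CHAP selections.
    if "PAP" in auth_type or "CHAP" in auth_type:
        required.append("authentication_secret")
    required.extend(k for k, owner in TYPE_SPECIFIC.items() if owner == auth_type)
    return required


def lint_domain(settings):
    """Return (errors, warnings) for one parsed domain definition."""
    errors, warnings = [], []
    auth_type = settings.get("authentication_type")
    if auth_type is None:
        return ["authentication_type is not set"], warnings
    if auth_type not in AUTH_TYPES:
        return [f"unknown authentication_type {auth_type!r}"], warnings
    for keyword in required_keywords(auth_type):
        if not settings.get(keyword):
            errors.append(f"{auth_type} requires {keyword}")
    server = settings.get("authentication_server1")
    if server:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            errors.append(f"authentication_server1 {server!r} is not an IP address")
    if " " in settings.get("ldap_base_dn", ""):
        errors.append("ldap_base_dn must not include spaces")
    # A type-specific keyword set for a different type is reported, not rejected.
    for keyword, owner in TYPE_SPECIFIC.items():
        if keyword in settings and owner != auth_type:
            warnings.append(f"{keyword} applies to {owner}, not {auth_type}")
    return errors, warnings


if __name__ == "__main__":
    for name, text in (("manual", MANUAL_EXAMPLE), ("constructed", CONSTRUCTED_BAD)):
        print(name, lint_domain(parse_session(text)))
```

Run against the manual's own command example, the linter reports no errors but warns that active_directory_domain is set while the type is LDAP.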
Related show command:
vpn sslvpn users domains delete <row id>
This command deletes an SSL VPN authentication domain by specifying its row ID.
Format  vpn sslvpn users domains delete <row id>
Mode    vpn
Related show command:
SSL VPN Authentication Group Commands
vpn sslvpn users groups add
This command configures a new authentication group that is not limited to SSL VPN users.
After you have issued the vpn sslvpn users groups add command, you enter the users-config [groups] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format  vpn sslvpn users groups add
Mode    vpn
Step 2
Format  domain_name <domain name>
        group_name <group name>
        idle_timeout <minutes>
Mode    users-config [groups]
Keyword | Associated Parameter to Type | Description
domain_name | domain name | The domain name (alphanumeric string) to which the group belongs.
Note: For information about configuring domains, see Authentication Domain Commands.
group_name | group name | The group name (alphanumeric string).
idle_timeout | minutes | The idle time-out in minutes.
Command example:
FVS318N> vpn sslvpn users groups add
users-config[groups]> domain_name Headquarter
users-config[groups]> group_name Sales
users-config[groups]> idle_timeout 15
users-config[groups]> save
vpn sslvpn users groups edit <row id>
This command configures an existing authentication group that is not limited to SSL VPN users. After you have issued the vpn sslvpn users groups edit command to specify the row to be edited, you enter the users-config [groups] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format  vpn sslvpn users groups edit <row id>
Mode    vpn
Step 2
Format  domain_name <domain name>
        group_name <group name>
        idle_timeout <minutes>
Mode    users-config [groups]
Keyword | Associated Parameter to Type | Description
domain_name | domain name | The domain name (alphanumeric string) to which the group belongs.
Note: For information about configuring domains, see Authentication Domain Commands.
group_name | group name | The group name (alphanumeric string).
idle_timeout | minutes | The idle time-out in minutes.
Related show command:
vpn sslvpn users groups delete <row id>
This command deletes an authentication group by specifying its row ID.
Format  vpn sslvpn users groups delete <row id>
Mode    vpn
Related show command:
SSL VPN User Commands
vpn sslvpn users users add
This command configures a new user account. The command is not limited to SSL VPN users. After you have issued the vpn sslvpn users users add command, you enter the users-config [users] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format  vpn sslvpn users users add
Mode    vpn
Step 2
Format  user_name <user name>
        user_type {SSLVPNUser | Administrator | Guest | IPSECVPNUser |
        L2TPUser}
        group <group name>
        password <password>
        confirm_password <password>
        idle_timeout <minutes>
Mode    users-config [users]
Keyword | Associated Keyword to Select or Parameter to Type | Description
user_name | user name | The user name (alphanumeric string).
user_type | SSLVPNUser, Administrator, Guest, IPSECVPNUser, and L2TPUser | The user type.
group | group name | The group name (alphanumeric string) to which the user belongs.
Note: For information about how to configure groups, see
password | password | The password (alphanumeric string) that is assigned to the user. You need to issue the confirm_password keyword and confirm the password.
confirm_password | password | The confirmation of the password.
idle_timeout | minutes | The idle time-out in minutes.
Command example:
FVS318N> vpn sslvpn users users add
users-config[users]> user_name PeterBrown
users-config[users]> user_type SSLVPNUser
users-config[users]> group Sales
users-config[users]> password 3goTY5!Of6hh
users-config[users]> confirm_password 3goTY5!Of6hh
users-config[users]> idle_timeout 10
users-config[users]> save
vpn sslvpn users users edit <row id>
This command configures an existing user account. The command is not limited to SSL VPN users. After you have issued the vpn sslvpn users users edit command to specify the row to be edited, you enter the users-config [users] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format  vpn sslvpn users users edit <row id>
Mode    vpn
Step 2
Format  user_name <user name>
        user_type {SSLVPNUser | Administrator | Guest | IPSECVPNUser |
        L2TPUser}
        group <group name>
        password <password>
        confirm_password <password>
        idle_timeout <minutes>
Mode    users-config [users]
Keyword | Associated Keyword to Select or Parameter to Type | Description
user_name | user name | The user name (alphanumeric string).
user_type | SSLVPNUser, Administrator, Guest, IPSECVPNUser, and L2TPUser | The user type.
group | group name | The group name (alphanumeric string) to which the user belongs.
Note: For information about how to configure .
password | password | The password (alphanumeric string) that is assigned to the user. You need to issue the confirm_password keyword and confirm the password.
confirm_password | password | The confirmation of the password.
idle_timeout | minutes | The idle time-out in minutes.
Related show command:
vpn sslvpn users users delete <row id>
This command deletes a user account by specifying its row ID.
Format  vpn sslvpn users users delete <row id>
Mode    vpn
vpn sslvpn users users login_policies <row id>
This command configures the login policy for a user. The command is not limited to SSL VPN users. After you have issued the vpn sslvpn users users login_policies command to specify the row ID that represents the user, you enter the users-config [login-policy] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format  vpn sslvpn users users login_policies <row id>
Mode    vpn
Step 2
Format  deny_login_from_wan_interface {Y | N}
        disable_login {Y | N}
Mode    users-config [login-policy]
Keyword | Associated Keyword to Select | Description
deny_login_from_wan_interface | Y or N | Enables or disables login from the WAN interface.
disable_login | Y or N | Enables or disables login from any interface.
Command example:
FVS318N> vpn sslvpn users users login_policies 5
users-config[login-policy]> disable_login Y
users-config[login-policy]> save
Related show command:
show vpn sslvpn users login_policies
vpn sslvpn users users ip_policies configure <row id>
This command configures source IP addresses from which a user is either allowed or denied access. The command is not limited to SSL VPN users. After you have issued the vpn sslvpn users users ip_policies configure command to specify the row ID that represents the user, you enter the users-config [ip-policy] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format  vpn sslvpn users users ip_policies configure <row id>
Mode    vpn
Step 2
Format  allow_login_from_defined_addresses {Y | N}
        ip_version {IPv4 | IPv6}
        source_address_type {IPAddress {{source_address <ipaddress>} |
        {source_address6 <ipv6-address>}} | IPNetwork
        {{source_address <ipaddress>} {mask_length <mask length>} |
        {source_address6 <ipv6-address>} {prefix_length
        <prefix length>}}}
Mode    users-config [ip-policy]
Keyword | Associated Keyword to Select or Parameter to Type | Description
allow_login_from_defined_addresses | Y or N | Allows or denies login from a single-source IP address or network IP addresses.
ip_version | IPv4 or IPv6 | Specifies the IP version of the source IP address:
• IPv4. The IP address or network address is defined by an IPv4 address. You need to issue the source_address keyword and specify an IPv4 address. For a network address, you also need to issue the mask_length keyword and specify a subnet mask length.
• IPv6. The IP address or network address is defined by an IPv6 address. You need to issue the source_address6 keyword and specify an IPv6 address. For a network address, you also need to issue the prefix_length keyword and specify a prefix length.
source_address_type | IPAddress or IPNetwork | The source address type:
• IPAddress. A single IP address. The setting of the ip_version keyword determines whether you need to issue the source_address keyword and specify an IPv4 address or issue the source_address6 keyword and specify an IPv6 address.
• IPNetwork. A subnet of IP addresses. The setting of the ip_version keyword determines whether you need to issue the mask_length keyword and specify an IPv4 subnet mask or issue the prefix_length keyword and specify an IPv6 prefix length.
source_address | ipaddress | The IPv4 IP address or network address if the ip_version keyword is set to IPv4.
mask_length | mask length | If the source_address_type keyword is set to IPNetwork and the ip_version keyword is set to IPv4, the mask length of the IPv4 network.
source_address6 | ipv6-address | The IPv6 IP address or network address if the ip_version keyword is set to IPv6.
prefix_length | prefix length | If the source_address_type keyword is set to IPNetwork and the ip_version keyword is set to IPv6, the prefix length of the IPv6 network.
Command example:
FVS318N> vpn sslvpn users users ip_policies configure 5
users-config[ip-policy]> allow_login_from_defined_addresses Y
users-config[ip-policy]> ip_version IPv4
users-config[ip-policy]> source_address_type IPAddress
users-config[ip-policy]> source_address 10.156.127.39
users-config[ip-policy]> save
Related show command:
show vpn sslvpn users ip_policies <row id>
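When reviewing a user's source-address policy, it helps to compute which addresses the configured entries actually cover. The following Python sketch is an added example, not NETGEAR code: the function names are hypothetical, the first entry mirrors the command example above and the other two are constructed, and it assumes that allow_login_from_defined_addresses Y permits only the listed sources while N blocks only the listed sources.

```python
import ipaddress

# Entries expressed with the ip-policy keywords. The first comes from the
# manual's command example; the other two are constructed for illustration.
ENTRIES = [
    {"ip_version": "IPv4", "source_address_type": "IPAddress",
     "source_address": "10.156.127.39"},
    {"ip_version": "IPv4", "source_address_type": "IPNetwork",
     "source_address": "172.16.8.77", "mask_length": "24"},
    {"ip_version": "IPv6", "source_address_type": "IPNetwork",
     "source_address6": "2001:db8::", "prefix_length": "64"},
]


def entry_network(entry):
    """Convert one ip-policy entry (keyword -> value) into an ip_network object."""
    version = 6 if entry["ip_version"] == "IPv6" else 4
    address = entry["source_address6" if version == 6 else "source_address"]
    if entry["source_address_type"] == "IPNetwork":
        length = entry["prefix_length" if version == 6 else "mask_length"]
        # strict=False accepts a host address plus a length and widens it to
        # the whole subnet, which is what a mask length implies.
        network = ipaddress.ip_network(f"{address}/{length}", strict=False)
    else:
        network = ipaddress.ip_network(address)  # single host: /32 or /128
    if network.version != version:
        raise ValueError(f"{address} does not match ip_version {entry['ip_version']}")
    return network


def host_bits_set(entry):
    """True when an IPNetwork entry names a host inside the subnet, not its base address.

    Worth flagging in a review: the entry then covers more than the one
    address that was typed.
    """
    if entry["source_address_type"] != "IPNetwork":
        return False
    key = "source_address6" if entry["ip_version"] == "IPv6" else "source_address"
    return ipaddress.ip_address(entry[key]) != entry_network(entry).network_address


def login_permitted(source, allow_defined, entries):
    """Evaluate one source address under the assumed Y/N semantics.

    Assumption: Y = only listed sources may log in; N = listed sources may not.
    """
    address = ipaddress.ip_address(source)
    listed = any(
        address.version == net.version and address in net
        for net in map(entry_network, entries)
    )
    return listed if allow_defined == "Y" else not listed


if __name__ == "__main__":
    for src in ("10.156.127.39", "10.156.127.40", "172.16.8.200", "2001:db8::5"):
        print(src, login_permitted(src, "Y", ENTRIES))
    print([host_bits_set(e) for e in ENTRIES])
```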
vpn sslvpn users users ip_policies delete <row id>
This command deletes a source IP address for a user by specifying the row ID of the table.
Format  vpn sslvpn users ip_policies delete <row id>
Mode    vpn
Related show command:
show vpn sslvpn users ip_policies <row id>
vpn sslvpn users users browser_policies <row id>
This command configures the client browsers from which a user is either allowed or denied access. The command is not limited to SSL VPN users. After you have issued the vpn sslvpn users users browser_policies command to specify the row ID that represents the user, you enter the users-config [browser-policy] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer. You can add multiple browsers to the browser list.
Step 1
Format  vpn sslvpn users users browser_policies <row id>
Mode    vpn
Step 2
Format  add_browser {InternetExplorer | NetscapeNavigator | Opera | Firefox | Mozilla}
        delete_browser {InternetExplorer | NetscapeNavigator | Opera | Firefox | Mozilla}
        enable_or_disable_login_from_defined_browsers {Y | N}
Mode    users-config [browser-policy]
Keyword | Associated Keyword to Select or Parameter to Type | Description
add_browser | InternetExplorer, NetscapeNavigator, Opera, Firefox, Mozilla | Adds a browser to the browser list. By default, there are no browsers on the browser list.
delete_browser | InternetExplorer, NetscapeNavigator, Opera, Firefox, Mozilla | Removes a browser from the browser list (after you first have added the browser to the browser list).
enable_or_disable_login_from_defined_browsers | Y or N | Specifies whether access through the browsers on the browser list is allowed or denied:
• Yes. Allows access through the browsers on the browser list.
• No. Denies access through the browsers on the browser list.
Command example:
FVS318N> vpn sslvpn users users browser_policies 5
users-config[browser-policy]> add_browser NetscapeNavigator
users-config[browser-policy]> add_browser InternetExplorer
users-config[browser-policy]> enable_or_disable_login_from_defined_browsers N
users-config[browser-policy]> save
Related show command:
and
show vpn sslvpn users browser_policies
SSL VPN Port Forwarding Commands
vpn sslvpn portforwarding appconfig add
This command configures a new SSL port forwarding application. After you have issued the vpn sslvpn portforwarding appconfig add command, you enter the [portforwarding-settings] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format  vpn sslvpn portforwarding appconfig add
Mode    vpn
Step 2
Format  server_ip <ipaddress>
        port <number>
Mode    [portforwarding-settings]
Keyword | Associated Parameter to Type | Description
server_ip | ipaddress | The IP address of the local server that hosts the application.
port | number | The TCP port number of the local server that hosts the application.
Command example:
FVS318N> vpn sslvpn portforwarding appconfig add
[portforwarding-settings]> server_ip 192.168.51.227
[portforwarding-settings]> port 3389
[portforwarding-settings]> save
Related show command:
show vpn sslvpn portforwarding appconfig
vpn sslvpn portforwarding appconfig delete <row id>
This command deletes an SSL port forwarding application by specifying its row ID.
Format  vpn sslvpn portforwarding appconfig delete <row id>
Mode    vpn
Related show command:
show vpn sslvpn portforwarding appconfig
vpn sslvpn portforwarding hostconfig add
This command configures a new host name for an SSL port forwarding application. After you have issued the vpn sslvpn portforwarding hostconfig add command, you enter the [portforwarding-settings] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format  vpn sslvpn portforwarding hostconfig add
Mode    vpn
Step 2
Format  server_ip <ipaddress>
        domain_name <domain name>
Mode    [portforwarding-settings]
Keyword | Associated Parameter to Type | Description
server_ip | ipaddress | The IP address of the local server that hosts the application.
Note: The IP address needs to be the same as the IP address that you specified with the vpn sslvpn portforwarding appconfig add command for the same application.
domain_name | domain name | The domain name for the local server that hosts the application.
Command example:
FVS318N> vpn sslvpn portforwarding hostconfig add
[portforwarding-settings]> server_ip 192.168.51.227
[portforwarding-settings]> domain_name RemoteDesktop
[portforwarding-settings]> save
Related show command:
show vpn sslvpn portforwarding hostconfig
vpn sslvpn portforwarding hostconfig delete <row id>
This command deletes a host name for an SSL port forwarding application by specifying the row ID of the host name.
Format  vpn sslvpn portforwarding hostconfig delete <row id>
Mode    vpn
Related show command:
show vpn sslvpn portforwarding hostconfig
SSL VPN Client Commands
vpn sslvpn client ipv4
This command configures the SSL client IP address range. After you have issued the vpn sslvpn client ipv4 command, you enter the [sslvpn-client-ipv4-settings] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format  vpn sslvpn client ipv4
Mode    vpn
Step 2
Format  enable_full_tunnel {Y | N}
        dns_suffix <suffix>
        primary_dns <ipaddress>
        secondary_dns <ipaddress>
        begin_client_address <ipaddress>
        end_client_address <ipaddress>
Mode    [sslvpn-client-ipv4-settings]
Keyword | Associated Keyword to Select or Parameter to Type | Description
enable_full_tunnel | Y or N | Enables or disables full-tunnel support:
• Yes. Enables full-tunnel support.
• No. Disables full-tunnel support and enables split-tunnel support. If you enable split-tunnel support and you assign an entirely different subnet to the VPN tunnel clients from the subnet that is used by the local network, you need to add a client route to ensure that a VPN tunnel client connects to the local network over
command).
dns_suffix | suffix | The DNS suffix to be appended to incomplete DNS search strings. This setting is optional.
primary_dns | ipaddress | The IP address of the primary DNS server. This setting is optional.
Note: If you do not assign a DNS server, the DNS settings remain unchanged in the VPN client after a VPN tunnel has been established.
secondary_dns | ipaddress | The IP address of the secondary DNS server. This setting is optional.
begin_client_address | ipaddress | The start IP address of the IPv4 client range. The default address is 192.168.251.1.
end_client_address | ipaddress | The end IP address of the IPv4 client range. The default address is 192.168.251.254.
Command example:
FVS318N> vpn sslvpn client ipv4
[sslvpn-client-ipv4-settings]> enable_full_tunnel N
[sslvpn-client-ipv4-settings]> primary_dns 192.168.10.5
[sslvpn-client-ipv4-settings]> secondary_dns 192.168.10.6
[sslvpn-client-ipv4-settings]> begin_client_address 192.168.200.50
[sslvpn-client-ipv4-settings]> end_client_address 192.168.200.99
[sslvpn-client-ipv4-settings]> save
Related show command:
vpn sslvpn client ipv6
This command configures the SSL client IP address range. After you have issued the vpn sslvpn client ipv6 command, you enter the [sslvpn-client-ipv6-settings] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format  vpn sslvpn client ipv6
Mode    vpn
Step 2
Format  enable_full_tunnel {Y | N}
        begin_client_address <ipaddress>
        end_client_address <ipaddress>
Mode    [sslvpn-client-ipv6-settings]
Keyword | Associated Keyword to Select or Parameter to Type | Description
enable_full_tunnel | Y or N | Enables or disables full-tunnel support:
• Yes. Enables full-tunnel support.
• No. Disables full-tunnel support and enables split-tunnel support. If you enable split-tunnel support and you assign an entirely different subnet to the VPN tunnel clients from the subnet that is used by the local network, you need to add a client route to ensure that a VPN tunnel client connects to the local network over
command).
begin_client_address | ipaddress | The start IP address of the IPv6 client range. The default address is 4000::1.
end_client_address | ipaddress | The end IP address of the IPv6 client range. The default address is 4000::200.
Command example:
FVS318N> vpn sslvpn client ipv6
[sslvpn-client-ipv6-settings]> enable_full_tunnel N
[sslvpn-client-ipv6-settings]> begin_client_address 4000::1000:2
[sslvpn-client-ipv6-settings]> end_client_address 4000::1000:50
[sslvpn-client-ipv6-settings]> save
vpn sslvpn route add
This command configures a static client route to a destination network. After you have issued the vpn sslvpn route add command, you enter the [sslvpn-route-settings] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Note:
When full-tunnel support is enabled, client routes are not operable.
For client routes to be operable, split-tunnel support should be enabled.
Step 1
Format  vpn sslvpn route add
Mode    vpn
Step 2
Format  ip_version {IPv4 {destination_network <ipaddress>}
        {subnet_mask <subnet mask>} |
        IPv6 {destination_network6 <ipv6-address>}
        {prefix_length <prefix length>}}
Mode    [sslvpn-route-settings]
Keyword | Associated Parameter to Type | Description
ip_version | IPv4 or IPv6 | Specifies the IP version of the destination network for the route:
• IPv4. The network address is an IPv4 address. You need to issue the destination_network and subnet_mask keywords and specify an IPv4 address and subnet mask.
• IPv6. The network address is an IPv6 address. You need to issue the destination_network6 and prefix_length keywords and specify an IPv6 address and prefix length.
destination_network | ipaddress | If the ip_version keyword is set to IPv4, the IPv4 address of the destination network for the route.
subnet_mask | subnet mask | If the ip_version keyword is set to IPv4, the subnet mask of the destination network for the route.
destination_network6 | ipv6-address | If the ip_version keyword is set to IPv6, the IPv6 address of the destination network for the route.
prefix_length | prefix length | If the ip_version keyword is set to IPv6, the prefix length of the destination network for the route.
Command example:
FVS318N> vpn sslvpn route add
[sslvpn-route-settings]> ip_version IPv4
[sslvpn-route-settings]> destination_network 192.168.4.20
[sslvpn-route-settings]> subnet_mask 255.255.255.254
[sslvpn-route-settings]> save
vpn sslvpn route delete <row id>
This command deletes a client route by specifying its row ID.
Format  vpn sslvpn route delete <row id>
Mode    vpn
SSL VPN Resource Commands
vpn sslvpn resource add
This command adds a new resource. After you have issued the vpn sslvpn resource add command, you enter the [sslvpn-resource-settings] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format  vpn sslvpn resource add
Mode    vpn
Step 2
Format  resource_name <resource name>
        service_type {VPNTunnel | PortForwarding | All}
Mode    [sslvpn-resource-settings]
Keyword | Associated Keyword to Select or Parameter to Type | Description
resource_name | resource name | The resource name (alphanumeric string).
service_type | VPNTunnel, PortForwarding, or All | The type of service to which the resource applies:
• VPNTunnel. The resource applies only to a VPN tunnel.
• PortForwarding. The resource applies only to port forwarding.
• All. The resource applies both to a VPN tunnel and to port forwarding.
Command example:
FVS318N> vpn sslvpn resource add
[sslvpn-resource-settings]> resource_name TopSecure
[sslvpn-resource-settings]> service_type PortForwarding
[sslvpn-resource-settings]> save
Related show command:
vpn sslvpn resource delete <row id>
This command deletes a resource by specifying its row ID.
Format  vpn sslvpn resource delete <row id>
Mode    vpn
Related show command:
vpn sslvpn resource configure add <resource name>
This command configures a resource. (You first need to add a resource with the
command.) After you have issued the vpn sslvpn resource configure add command to specify the resource that you want to configure, you enter the [sslvpn-resource-settings] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format  vpn sslvpn resource configure add <resource name>
Mode    vpn
Step 2
Format  object_type {IPAddress | IPNetwork}
        For a single IP address:
        ip_version {IPv4 {object_address <ipaddress>} | IPv6
        {object_address6 <ipv6-address>}}
        start_port <port number>
        end_port <port number>
        For an IP network:
        ip_version {IPv4 {object_address <ipaddress>} {mask_length
        <subnet mask length>} | IPv6 {object_address6
        <ipv6-address>} {mask_length <prefix length>}}
        start_port <port number>
        end_port <port number>
Mode    [sslvpn-resource-settings]
Keyword | Associated Keyword to Select or Parameter to Type | Description
object_type | IPAddress or IPNetwork | The source address type for the object:
• IPAddress. A single IP address. The setting of the ip_version keyword determines whether you need to issue the object_address keyword and specify an IPv4 address or the object_address6 keyword and specify an IPv6 address.
• IPNetwork. A subnet of IP addresses. The setting of the ip_version keyword determines whether you need to issue the object_address and mask_length keywords and specify an IPv4 network address and mask length or issue the object_address6 and mask_length keywords and specify an IPv6 network address and prefix length.
ip_version | IPv4 or IPv6 | The IP version of the IP address or IP network:
• IPv4. The IP address or IP network is defined by an IPv4 address. You need to issue the object_address keyword and specify an IPv4 address. For a network address, you also need to issue the mask_length keyword and specify a subnet mask length.
• IPv6. The IP address or network address is defined by an IPv6 address. You need to issue the object_address6 keyword and specify an IPv6 address. For a network address, you also need to issue the mask_length keyword and specify a prefix length.
object_address | ipaddress | The IPv4 address, if the policy is for an IPv4 address or IPv4 network.
object_address6 | ipv6-address | The IPv6 address, if the policy is for an IPv6 address or IPv6 network.
VPN Mode Configuration Commands
224
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Keyword mask_length start_port end_port
Associated Keyword to
Select or Parameter to Type
Description
subnet mask length
or
prefix length
The nature of this keyword and parameter depend on the setting of the ip_version and object_type keywords:
• If the ip_version keyword is set to IPv4 and the
object_type
keyword is set to IPNetwork, the subnet mask length of the IPv4 network.
• If the ip_version keyword is set to IPv6 and the
object_type
keyword is set to IPNetwork, the prefix length of the IPv6 network.
number number
The start port number for the port range that applies to the object.
The end port number for the port range that applies to the object.
Command example:
FVS318N> vpn sslvpn resource configure add TopSecure
[sslvpn-resource-settings]> object_type IPNetwork
[sslvpn-resource-settings]> ip_version IPv4
[sslvpn-resource-settings]> object_address 192.168.30.56
[sslvpn-resource-settings]> mask_length 24
[sslvpn-resource-settings]> start_port 3391
[sslvpn-resource-settings]> end_port 3393
[sslvpn-resource-settings]> save
Related show command:
show vpn sslvpn resource-object <resource name>
SSL VPN Policy Commands
vpn sslvpn policy add
This command configures a new SSL VPN policy. After you have issued the vpn sslvpn policy add command, you enter the [sslvpn-policy-settings] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format vpn sslvpn policy add
Mode vpn
Step 2
Format
policy_name <policy name>
policy_type {Global | Group {policy_owner <group name>} |
User {policy_owner <user name>}}
destination_object_type {NetworkResource | IPAddress |
IPNetwork | All}
In addition to a policy name, policy type, and destination object type, configure the following for a network resource:
ip_version {IPv4 | IPv6}
resource_name <resource name>
policy_permission {Permit | Deny}
In addition to a policy name, policy type, and destination object type, configure the following for an IP address:
ip_version {IPv4 {policy_address <ipaddress>} | IPv6
{policy_address6 <ipv6-address>}}
start_port <port number>
end_port <port number>
service_type {VPNTunnel | PortForwarding | All}
policy_permission {Permit | Deny}
In addition to a policy name, policy type, and destination object type, configure the following for an IP network:
ip_version {IPv4 {policy_address <ipaddress>}
{policy_mask_length <subnet mask>} | IPv6 {policy_address6
<ipv6-address>} {policy_ipv6_prefix_length <prefix length>}}
start_port <port number>
end_port <port number>
service_type {VPNTunnel | PortForwarding | All}
policy_permission {Permit | Deny}
In addition to a policy name, policy type, and destination object type, configure the following for all addresses (that is, the destination_object_type keyword is set to All):
ip_version {IPv4 | IPv6}
start_port <port number>
end_port <port number>
service_type {VPNTunnel | PortForwarding | All}
policy_permission {Permit | Deny}
Mode [sslvpn-policy-settings]
Keyword (Associated Keyword to Select or Parameter to Type): Description

policy_name (policy name)
The policy name (alphanumeric string).

policy_type (Global, Group, or User)
The SSL VPN policy type:
• Global. The policy is global and includes all groups and users.
• Group. The policy is limited to a single group.
For information about how to create groups, see
You need to issue the policy_owner keyword and specify the group name.
• User. The policy is limited to a single user.
For information about how to create user accounts, see
You need to issue the policy_owner keyword and specify the user name.

policy_owner (group name or user name)
The owner of the policy depends on the setting of the policy_type keyword:
• Group. Specify the group name to which the policy applies.
• User. Specify the user name to which the policy applies.

destination_object_type (NetworkResource, IPAddress, IPNetwork, or All)
The policy destination type, which determines how the policy is applied, and, in turn, which keywords you need to issue to specify the policy:
• NetworkResource. The policy is applied to an existing IPv4 or IPv6 resource. For information about how to create and configure network resources, see
You need to issue the following keywords and their associated parameters and keywords:
- policy_name
- ip_version
- resource_name
- policy_permission
- policy_owner if the policy_type keyword is set to Group or User.
• IPAddress. The policy is applied to a single IPv4 or IPv6 address. You need to issue the following keywords and their associated parameters and keywords:
- policy_name
- ip_version
- policy_address or policy_address6 (depending on the setting of the ip_version keyword)
- start_port and end_port
- service_type
- policy_permission
- policy_owner if the policy_type keyword is set to Group or User.
• IPNetwork. The policy is applied to an IPv4 or IPv6 network address. You need to issue the following keywords and their associated parameters and keywords:
- policy_name
- ip_version
- policy_address and policy_mask_length or policy_address6 and policy_ipv6_prefix_length (depending on the setting of the ip_version keyword)
- start_port and end_port
- service_type
- policy_permission
- policy_owner if the policy_type keyword is set to Group or User.
• All. The policy is applied to all addresses. You need to issue the following keywords and their associated parameters and keywords:
- policy_name
- ip_version
- start_port and end_port
- service_type
- policy_permission
- policy_owner if the policy_type keyword is set to Group or User.

resource_name (resource name)
The name of a resource that you configured with the
command.
This keyword and parameter apply only if the policy is for a network resource.

policy_permission (Permit or Deny)
Specifies whether the policy permits or denies access.

ip_version (IPv4 or IPv6)
The IP version that applies to the policy:
• IPv4. The policy is for an IPv4 network resource, IPv4 address, IPv4 network, or for all IPv4 addresses.
For an IP address or IP network, you need to issue the policy_address keyword and specify an IPv4 address. For a network address, you also need to issue the policy_mask_length keyword and specify a subnet mask.
• IPv6. The policy is for an IPv6 network resource, IPv6 address, IPv6 network, or for all IPv6 addresses.
For an IP address or IP network, you need to issue the policy_address6 keyword and specify an IPv6 address. For a network address, you also need to issue the policy_ipv6_prefix_length keyword and specify a prefix length.

policy_address (ipaddress)
The IPv4 address, if the policy is for an IPv4 address or IPv4 network.

policy_mask_length (subnet mask)
The subnet mask, if the policy is for an IPv4 network.

policy_address6 (ipv6-address)
The IPv6 address, if the policy is for an IPv6 address or IPv6 network.

policy_ipv6_prefix_length (prefix length)
The prefix length, if the policy is for an IPv6 network.

start_port (port number)
The start port number for a policy port range.
(This does not apply if the policy is for a network resource.)

end_port (port number)
The end port number for a policy port range.
(This does not apply if the policy is for a network resource.)

service_type (VPNTunnel, PortForwarding, or All)
The service type for the policy:
• VPNTunnel. The policy is applied only to a VPN tunnel.
• PortForwarding. The policy is applied only to port forwarding.
• All. The policy is applied both to a VPN tunnel and to port forwarding.
Command example:
FVS318N> vpn sslvpn policy add
[sslvpn-policy-settings]> policy_name RemoteWorkers
[sslvpn-policy-settings]> ip_version IPv4
[sslvpn-policy-settings]> policy_type Global
[sslvpn-policy-settings]> destination_object_type NetworkResource
[sslvpn-policy-settings]> resource_name TopSecure
[sslvpn-policy-settings]> policy_permission Permit
[sslvpn-policy-settings]> save
[sslvpn-policy-settings]> policy_name Management
[sslvpn-policy-settings]> ip_version IPv4
[sslvpn-policy-settings]> policy_type Group
[sslvpn-policy-settings]> policy_owner Headquarter
[sslvpn-policy-settings]> destination_object_type All
[sslvpn-policy-settings]> start_port 15652
[sslvpn-policy-settings]> end_port 15658
[sslvpn-policy-settings]> service_type VPNTunnel
[sslvpn-policy-settings]> policy_permission Permit
[sslvpn-policy-settings]> save
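The keyword requirements listed above for each destination object type can be checked against a saved CLI transcript before it is replayed on a device. The following is an added example, not code from NETGEAR or from this manual; the function names, the 0-65535 port range, and the second sample policy are assumptions made for illustration.

```python
import ipaddress
import re

# A line typed in [sslvpn-policy-settings] mode: "<prompt> keyword [value]".
PROMPT = re.compile(r"^\[sslvpn-policy-settings\]>\s*(\S+)\s*(.*)$")
ENUMS = {  # keyword values listed in the manual
    "policy_type": {"Global", "Group", "User"},
    "destination_object_type": {"NetworkResource", "IPAddress", "IPNetwork", "All"},
    "ip_version": {"IPv4", "IPv6"},
    "service_type": {"VPNTunnel", "PortForwarding", "All"},
    "policy_permission": {"Permit", "Deny"},
}
ALWAYS = ["policy_name", "policy_type", "destination_object_type",
          "ip_version", "policy_permission"]
PORT_KEYS = ["start_port", "end_port", "service_type"]
PER_DESTINATION = {"NetworkResource": ["resource_name"], "IPAddress": PORT_KEYS,
                   "IPNetwork": PORT_KEYS, "All": PORT_KEYS}
ADDRESSING = {  # ip_version -> (address keyword, length keyword, parser)
    "IPv4": ("policy_address", "policy_mask_length", ipaddress.IPv4Address),
    "IPv6": ("policy_address6", "policy_ipv6_prefix_length", ipaddress.IPv6Address),
}

def parse_policies(transcript):
    """Return one {keyword: value} dict per `save` in the transcript."""
    policies, current = [], {}
    for line in transcript.splitlines():
        match = PROMPT.match(line.strip())
        if not match:
            continue  # e.g. the "FVS318N> vpn sslvpn policy add" line
        keyword, value = match.group(1), match.group(2).strip()
        if keyword == "save":
            policies.append(current)
            current = {}
        else:
            current[keyword] = value
    return policies

def check_policy(policy):
    """Return the problems found in one policy; an empty list means none."""
    problems = []
    for key, allowed in ENUMS.items():
        if policy.get(key) and policy[key] not in allowed:
            problems.append(f"{key}: unknown value {policy[key]!r}")
    dest = policy.get("destination_object_type")
    needed = ALWAYS + PER_DESTINATION.get(dest, [])
    if policy.get("policy_type") in ("Group", "User"):
        needed.append("policy_owner")
    addressing = ADDRESSING.get(policy.get("ip_version"))
    if dest in ("IPAddress", "IPNetwork") and addressing:
        addr_key, length_key, parser = addressing
        needed.append(addr_key)
        if dest == "IPNetwork":
            needed.append(length_key)
        if policy.get(addr_key):
            try:
                parser(policy[addr_key])
            except ValueError:
                problems.append(f"{addr_key}: invalid address {policy[addr_key]!r}")
    problems += [f"missing keyword: {key}" for key in needed if not policy.get(key)]
    if dest in PER_DESTINATION:  # keywords the manual says do not apply
        unused = PORT_KEYS[:2] if dest == "NetworkResource" else ["resource_name"]
        problems += [f"{key} does not apply to {dest}" for key in unused if key in policy]
    ports = {key: policy.get(key, "") for key in ("start_port", "end_port")}
    for key, value in ports.items():
        if value and not (re.fullmatch(r"[0-9]{1,5}", value) and int(value) <= 65535):
            problems.append(f"{key}: {value!r} is not a port number")
    if all(re.fullmatch(r"[0-9]+", v) for v in ports.values()) and \
            int(ports["start_port"]) > int(ports["end_port"]):
        problems.append("start_port is greater than end_port")
    return problems

def audit(transcript):
    """Map each saved policy's name to its list of problems."""
    return {p.get("policy_name", "<unnamed>"): check_policy(p)
            for p in parse_policies(transcript)}

# First policy: the manual's own example. Second policy: constructed, with defects.
SAMPLE = """\
FVS318N> vpn sslvpn policy add
[sslvpn-policy-settings]> policy_name RemoteWorkers
[sslvpn-policy-settings]> ip_version IPv4
[sslvpn-policy-settings]> policy_type Global
[sslvpn-policy-settings]> destination_object_type NetworkResource
[sslvpn-policy-settings]> resource_name TopSecure
[sslvpn-policy-settings]> policy_permission Permit
[sslvpn-policy-settings]> save
[sslvpn-policy-settings]> policy_name Lab
[sslvpn-policy-settings]> policy_type Group
[sslvpn-policy-settings]> destination_object_type IPNetwork
[sslvpn-policy-settings]> ip_version IPv4
[sslvpn-policy-settings]> policy_address 192.168.30.0
[sslvpn-policy-settings]> start_port 3393
[sslvpn-policy-settings]> end_port 3391
[sslvpn-policy-settings]> policy_permission Permit
[sslvpn-policy-settings]> save
"""
```

Calling audit(SAMPLE) returns an empty problem list for RemoteWorkers and four problems for the constructed Lab policy.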
Related show command:
vpn sslvpn policy edit <row id>
This command configures an existing SSL VPN policy. After you have issued the vpn sslvpn policy edit command to specify the row to be edited (for row information, see the output of the command), you enter the [sslvpn-policy-settings] mode. You can then configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format vpn sslvpn policy edit <row id>
Mode vpn
Step 2
Format
policy_name <policy name>
policy_type {Global | Group {policy_owner <group name>} |
User {policy_owner <user name>}}
destination_object_type {NetworkResource | IPAddress |
IPNetwork | All}
In addition to a policy name, policy type, and destination object type, configure the following for a network resource:
ip_version {IPv4 | IPv6}
resource_name <resource name>
policy_permission {Permit | Deny}
In addition to a policy name, policy type, and destination object type, configure the following for an IP address:
ip_version {IPv4 {policy_address <ipaddress>} | IPv6
{policy_address6 <ipv6-address>}}
start_port <port number>
end_port <port number>
service_type {VPNTunnel | PortForwarding | All}
policy_permission {Permit | Deny}
In addition to a policy name, policy type, and destination object type, configure the following for an IP network:
ip_version {IPv4 {policy_address <ipaddress>}
{policy_mask_length <subnet mask>} | IPv6 {policy_address6
<ipv6-address>} {policy_ipv6_prefix_length <prefix length>}}
start_port <port number>
end_port <port number>
service_type {VPNTunnel | PortForwarding | All}
policy_permission {Permit | Deny}
In addition to a policy name, policy type, and destination object type, configure the following for all addresses (that is, the destination_object_type keyword is set to All):
ip_version {IPv4 | IPv6}
start_port <port number>
end_port <port number>
service_type {VPNTunnel | PortForwarding | All}
policy_permission {Permit | Deny}
Mode [sslvpn-policy-settings]
Keyword (Associated Keyword to Select or Parameter to Type): Description

policy_name (policy name)
The policy name (alphanumeric string).

policy_type (Global, Group, or User)
The SSL VPN policy type:
• Global. The policy is global and includes all groups and users.
• Group. The policy is limited to a single group.
For information about how to create groups, see
You need to issue the policy_owner keyword and specify the group name.
• User. The policy is limited to a single user.
For information about how to create user accounts, see
You need to issue the policy_owner keyword and specify the user name.

policy_owner (group name or user name)
The owner of the policy depends on the setting of the policy_type keyword:
• Group. Specify the group name to which the policy applies.
• User. Specify the user name to which the policy applies.

destination_object_type (NetworkResource, IPAddress, IPNetwork, or All)
Note: You cannot change an existing destination object type.
The policy destination type, which determines how the policy is applied, and, in turn, which keywords you need to issue to specify the policy:
• NetworkResource. The policy is applied to an existing IPv4 or IPv6 resource. For information about how to create and configure network resources, see
You need to issue the following keywords and their associated parameters and keywords:
- policy_name
- ip_version
- resource_name
- policy_permission
- policy_owner if the policy_type keyword is set to Group or User.
• IPAddress. The policy is applied to a single IPv4 or IPv6 address. You need to issue the following keywords and their associated parameters and keywords:
- policy_name
- ip_version
- policy_address or policy_address6 (depending on the setting of the ip_version keyword)
- start_port and end_port
- service_type
- policy_permission
- policy_owner if the policy_type keyword is set to Group or User.
• IPNetwork. The policy is applied to an IPv4 or IPv6 network address. You need to issue the following keywords and their associated parameters and keywords:
- policy_name
- ip_version
- policy_address and policy_mask_length or policy_address6 and policy_ipv6_prefix_length (depending on the setting of the ip_version keyword)
- start_port and end_port
- service_type
- policy_permission
- policy_owner if the policy_type keyword is set to Group or User.
• All. The policy is applied to all addresses. You need to issue the following keywords and their associated parameters and keywords:
- policy_name
- ip_version
- start_port and end_port
- service_type
- policy_permission
- policy_owner if the policy_type keyword is set to Group or User.

resource_name (resource name)
The name of a resource that you configured with the
command.
This keyword and parameter apply only if the policy is for a network resource.

policy_permission (Permit or Deny)
Specifies whether the policy permits or denies access.

ip_version (IPv4 or IPv6)
The IP version that applies to the policy:
• IPv4. The policy is for an IPv4 network resource, IPv4 address, IPv4 network, or for all IPv4 addresses.
For an IP address or IP network, you need to issue the policy_address keyword and specify an IPv4 address. For a network address, you also need to issue the policy_mask_length keyword and specify a subnet mask.
• IPv6. The policy is for an IPv6 network resource, IPv6 address, IPv6 network, or for all IPv6 addresses.
For an IP address or IP network, you need to issue the policy_address6 keyword and specify an IPv6 address. For a network address, you also need to issue the policy_ipv6_prefix_length keyword and specify a prefix length.

policy_address (ipaddress)
The IPv4 address, if the policy is for an IPv4 address or IPv4 network.

policy_mask_length (subnet mask)
The subnet mask, if the policy is for an IPv4 network.

policy_address6 (ipv6-address)
The IPv6 address, if the policy is for an IPv6 address or IPv6 network.

policy_ipv6_prefix_length (prefix length)
The prefix length, if the policy is for an IPv6 network.

start_port (port number)
The start port number for a policy port range.
(This does not apply if the policy is for a network resource.)

end_port (port number)
The end port number for a policy port range.
(This does not apply if the policy is for a network resource.)

service_type (VPNTunnel, PortForwarding, or All)
The service type for the policy:
• VPNTunnel. The policy is applied only to a VPN tunnel.
• PortForwarding. The policy is applied only to port forwarding.
• All. The policy is applied both to a VPN tunnel and to port forwarding.
Command example: See the command example for the
vpn sslvpn policy delete <row id>
This command deletes an SSL VPN policy by specifying its row ID.
Format vpn sslvpn policy delete <row id>
Mode vpn
RADIUS Server Command
vpn radius configure
This command configures a RADIUS server. After you have issued the vpn radius configure command, you enter the [radius-config] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format vpn radius configure
Mode vpn
Step 2
Format
enable {Y | N}
radius-server <ipaddress>
secret <secret>
nas_identifier <identifier>
backup_server_enable {Y | N}
backup-radius_server <ipaddress>
backup_server_secret <secret>
backup_server_nas_identifier <identifier>
timeout <seconds>
retries <number>
Mode [radius-config]
Keyword (Associated Keyword to Select or Parameter to Type): Description

Primary RADIUS server

enable (Y or N)
Specifies whether or not the primary RADIUS server is enabled.

radius-server (ipaddress)
The IPv4 address of the primary RADIUS server.

secret (secret)
The secret phrase (alphanumeric string) for the primary RADIUS server.

nas_identifier (identifier)
The NAS ID for the primary RADIUS server.

Backup RADIUS server

backup_server_enable (Y or N)
Specifies whether or not the backup RADIUS server is enabled.

backup_radius_server (ipaddress)
The IPv4 address of the backup RADIUS server.

backup_server_secret (secret)
The secret phrase (alphanumeric string) for the backup RADIUS server.

backup_server_nas_identifier (identifier)
The NAS ID for the backup RADIUS server.

Connection configuration

timeout (seconds)
The connection time-out in seconds for the RADIUS server.

retries (number)
The number of connection retry attempts for the RADIUS server.
Command example:
FVS318N> vpn radius configure
radius-config> enable Y
radius-config> radius-server 192.168.1.2
radius-config> secret Hlo0ole1H12aaq43
radius-config> nas_identifier FVS318N-Bld3
radius-config> backup_server_enable Y
radius-config> backup_radius-server 192.168.1.3
radius-config> backup_server_secret Hduo0oplH54bqX91
radius-config> backup_server_nas_identifier FVS318N-Bld3
radius-config> timeout 30
radius-config> retries 4
radius-config> save
Related show command:
L2TP Server Commands
vpn l2tp server configure
This command configures the L2TP server. After you have issued the vpn l2tp server configure command, you enter the l2tp-server-config [policy] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format vpn l2tp server configure
Mode vpn
Step 2
Format
enable {Y | N}
start_address <ipaddress>
end_address <ipaddress>
idle_timeout <minutes>
Mode l2tp-server-config [policy]
Keyword (Associated Keyword to Select or Parameter to Type): Description

enable (Y or N)
Enables or disables the L2TP server.

start_address (ipaddress)
The start IPv4 address of the L2TP server range.

end_address (ipaddress)
The end IPv4 address of the L2TP server range.

idle_timeout (minutes)
The idle time-out after which the connection is terminated.
Command example:
FVS318N> vpn l2tp server configure
l2tp-server-config[policy]> enable Y
l2tp-server-config[policy]> start_address 192.168.112.1
l2tp-server-config[policy]> end_address 192.168.112.25
l2tp-server-config[policy]> idle_timeout 10
l2tp-server-config[policy]> save
show vpn l2tp server connections
8. Overview of the Show Commands
This chapter provides an overview of all show commands for the five configuration command modes. The chapter includes the following sections:
• Network Settings (Net Mode) Show Commands
• Security Settings (Security Mode) Show Commands
• Administrative and Monitoring Settings (System Mode) Show Commands
• Wireless Settings (Dot11 Mode) Show Commands
• VPN Settings (VPN Mode) Show Commands
Network Settings (Net Mode) Show Commands
Enter the show net ? command at the CLI prompt to display the categories of show commands in the net mode. The following table lists the commands in alphabetical order:
Table 14. Show commands: show net mode
Submode | Command Name | Purpose
ddns | | Display the Dynamic DNS configuration.
dmz | show net dmz ipv4 setup | Display the IPv4 DMZ configuration.
dmz | show net dmz ipv6 setup | Display the IPv6 DMZ configuration.
ethernet | show net ethernet {interface name | all} | Display the MAC address and VLAN status for a single or all Ethernet interfaces.
ipv6 | show net ipv6 ipmode setup | Display the IPv6 routing mode configuration.
ipv6_tunnel | show net ipv6_tunnel setup | Display the IPv6 tunnel configuration.
ipv6_tunnel | show net ipv6_tunnel status | Display the status of the IPv6 tunnels.
lan | show net lan available_lan_hosts list | Display the IPv4 hosts.
lan | show net lan dhcp leased_clients list | Display the LAN clients that received a leased DHCP IP address.
lan | | Display the LAN DHCP log.
lan | show net lan dhcp reserved_ip setup | Display information about the DHCP clients, including the assigned (reserved) IP addresses.
lan | show net lan ipv4 advanced setup | Display the advanced IPv4 LAN configuration.
lan | show net lan ipv4 detailed setup <vlan id> | Display the detailed configuration for a VLAN.
lan | | Display the IPv4 LAN configuration.
lan | | Display the IPv6 LAN configuration.
lan | show net lan lan_groups | Display the LAN groups.
lan | show net lan ipv4 multiHoming | Display the LAN secondary IPv4 addresses.
lan | | Display the LAN secondary IPv6 addresses.
radvd | | Display the DMZ RADVD configuration.
radvd | | Display the LAN RADVD configuration.
routing | show net routing dynamic setup | Display the dynamic routing configuration.
routing | | Display the IPv4 static routes configuration.
routing | | Display the IPv6 static routes configuration.
statistics | | Display the network statistics for a single or all Ethernet interfaces.
wan | show net wan mode | Display the WAN mode configuration.
wan | show net wan port_setup | Display the configuration of the WAN port.
wan | show net wan wan1 ipv4 setup | Display the IPv4 WAN configuration.
wan | show net wan wan1 ipv4 status | Display the IPv4 WAN connection status.
wan | show net wan wan1 ipv6 setup | Display the IPv6 WAN configuration.
wan | show net wan wan1 ipv6 status | Display the IPv6 WAN connection status.
wan_settings | | Display the IPv4 WAN routing mode.
Security Settings (Security Mode) Show Commands
Enter the show security ? command at the CLI prompt to display the categories of show commands in the security mode. The following table lists the commands in alphabetical order:
Table 15. Show commands: show security mode
Submode | Command Name | Purpose
address_filter | show security address_filter enable_email_log | Display the configuration of the IP/MAC binding log.
address_filter | show security address_filter ip_or_mac_binding setup | Display the IPv4 and IPv6 MAC bindings.
address_filter | show security address_filter mac_filter setup | Display the MAC addresses for source MAC filtering.
bandwidth | show security bandwidth profile setup | Display the configured bandwidth profiles.
content_filter | show security content_filter block_group | Display the groups for which content filtering is enabled.
content_filter | show security content_filter blocked_keywords | Display the keywords that are blocked.
content_filter | show security content_filter content_filtering | Display the status of content filtering and the web components.
content_filter | show security content_filter trusted_domains | Display the trusted domains.
firewall | show security firewall advanced algs | Display whether or not SIP ALG is enabled.
firewall | show security firewall attack_checks igmp | Display whether or not the IGMP proxy is enabled.
firewall | show security firewall attack_checks jumboframe | Display whether or not jumbo frames are enabled.
firewall | show security firewall attack_checks setup ipv4 | Display which WAN and LAN security checks are enabled for IPv4.
firewall | show security firewall attack_checks setup ipv6 | Display which WAN and LAN security checks are enabled for IPv6.
firewall | show security firewall attack_checks vpn_passthrough setup | Display which VPN pass-through features are enabled.
firewall | show security firewall ipv4 setup lan_wan | Display the IPv4 LAN WAN firewall rules.
firewall | show security firewall ipv4 setup dmz_wan | Display the IPv4 DMZ WAN firewall rules.
firewall | show security firewall ipv4 setup lan_dmz | Display the IPv4 LAN DMZ firewall rules.
firewall | show security firewall ipv6 setup | Display all IPv6 firewall rules.
firewall | show security firewall session_limit | Display the session limit settings.
firewall | show security firewall session_settings | Display the session time-out settings.
porttriggering_rules | show security porttriggering_rules setup | Display the port triggering rules.
porttriggering_rules | show security porttriggering_rules status | Display the port triggering status.
schedules | | Display the configured schedules.
services | | Display the configured custom services.
upnp | | Display the UPnP portmap table.
upnp | | Display the UPnP configuration.
Administrative and Monitoring Settings (System Mode) Show Commands
Enter the show system ? command at the CLI prompt to display the categories of show commands in the system mode. The following table lists the commands in alphabetical order:
Table 16. Show commands: show system mode
Submode | Command Name | Purpose
not applicable | | Display system information, including MAC addresses, serial number, and firmware version.
not applicable | | Display the firmware version.
logging | | Display the configuration of the IPv4 and IPv6 logs.
logging | show system logging remote setup | Display the configuration and the schedule of the email logs.
logs | | Display the system logs.
remote_management | show system remote_management setup | Display the configuration of remote management for Telnet and HTTPS access.
snmp | | Display the SNMP system configuration of the SNMP agent and the SNMP system information of the wireless VPN firewall.
snmp | show system snmp trap [agent ipaddress] | Display the SNMP trap configuration of the SNMP agent.
status | | Display the system status information.
time | | Display the time configuration and the configuration of the NTP server.
traffic_meter | show system traffic_meter setup | Display the configuration of the traffic meter and the Internet traffic statistics.
Wireless Settings (Dot11 Mode) Show Commands
Enter the show dot11 ? command at the CLI prompt to display the categories of show commands in the dot11 mode. The following table lists the commands in alphabetical order:
Table 17. Show commands: show dot11 mode
Submode | Command Name | Purpose
acl | | Display the ACL policy and MAC addresses for a specified profile.
profile | show dot11 profile [profile name] | Display basic information for all profiles or basic and advanced information for a specified profile.
profile | show dot11 profile status <profile name> | Display traffic statistics for a specified profile.
radio | | Display the basic and advanced radio configuration.
statistics | | Display cumulative wireless traffic statistics for all profiles.
wps | | Display the WPS configuration.
VPN Settings (VPN Mode) Show Commands
Enter the show vpn ? command at the CLI prompt to display the categories of show commands in the vpn mode. The following table lists the commands in alphabetical order:
Table 18. Show commands: show vpn mode
Submode | Command Name | Purpose
ipsec | show vpn ipsec ikepolicy setup | Display the IKE policies.
ipsec | show vpn ipsec logs | Display the IPSec VPN logs.
ipsec | show vpn ipsec mode_config setup | Display the Mode Config records.
ipsec | show vpn ipsec vpnpolicy setup | Display the IPSec VPN policies.
ipsec | show vpn ipsec vpnpolicy status | Display status information about the active and nonactive IPSec VPN policies.
l2tp | show vpn l2tp server connections | Display the users that are connected through the L2TP server.
l2tp | show vpn l2tp server setup | Display the configuration of the L2TP server.
radius | | Display the configuration of a specific RADIUS server.
sslvpn | | Display the SSL VPN client range and configuration.
sslvpn | | Display the SSL VPN logs.
sslvpn | show vpn sslvpn policy | Display the SSL VPN policies.
sslvpn | show vpn sslvpn portal-layouts | Display the SSL VPN portal layout.
sslvpn | show vpn sslvpn portforwarding appconfig | Display the SSL VPN port forwarding application configuration.
sslvpn | show vpn sslvpn portforwarding hostconfig | Display the SSL VPN port forwarding host configuration.
sslvpn | | Display the SSL VPN resource configuration.
sslvpn | show vpn sslvpn resource-object <resource name> | Display the detailed configuration for a specific resource object.
sslvpn | | Display the SSL VPN client routes.
sslvpn | show vpn sslvpn users active_users | Display the active SSL VPN users.
sslvpn | show vpn sslvpn users browser_policies <row id> | Display the login restrictions based on web browsers for a specific user.
sslvpn | | Display the domain configurations.
sslvpn | | Display the group configurations.
sslvpn | show vpn sslvpn users ip_policies <row id> | Display the login restrictions based on IP addresses for a specific user.
sslvpn | show vpn sslvpn users login_policies <row id> | Display the login restrictions based on login policies for a specific user.
sslvpn | show vpn sslvpn users users | Display the user account configurations.
9. Show Commands
This chapter explains the show commands and associated parameters for the five configuration command modes. The chapter includes the following sections:
• Network Settings (Net Mode) Show Commands
• Security Settings (Security Mode) Show Commands
• Administrative and Monitoring Settings (System Mode) Show Commands
• Wireless Settings (Dot11 Mode) Show Commands
• VPN Settings (VPN Mode) Show Commands
Network Settings (Net Mode) Show Commands
This section contains the following subsections:
• WAN (IPv4 and IPv6) Show Commands
• IPv6 Mode and IPv6 Tunnel Show Commands
• Network Statistics Show Commands
WAN (IPv4 and IPv6) Show Commands
show net wan_settings wanmode
This command displays the IPv4 WAN routing mode:
Routing Mode between WAN and LAN
__________________________________
NAT is Enabled
show net wan mode
This command displays the WAN mode configuration:
WAN MODE Setup
______________
Routing Mode: NAT
IP Mode: IPv4/IPv6 mode
show net wan port_setup
This command displays the configuration of the WAN port:
WAN Port Setup
______________
MTU Type: Default
Port Speed: Auto Sense
Router's MAC Address: Use Default Address
show net wan wan1 ipv4 setup
This command displays the IPv4 WAN configuration:
Broadband Setup
_______________
STATIC Configuration:
Internet (IP) Address Source: Use Static IP Address
IP Address: 10.139.54.228
IP Subnet Mask: 255.255.255.248
Gateway IP Address: 10.139.54.225
Domain Name Servers (DNS) Source: Use these DNS Servers
Primary DNS Server: 10.80.130.23
Secondary DNS Server: 10.80.130.24
show net wan wan1 ipv4 status
This command displays the IPv4 WAN connection status:
WAN Status
__________
MAC Address: AA:AB:BB:00:00:02
IPv4 Address: 10.139.54.228 / 255.255.255.248
Wan State: UP
NAT (IPv4 only): Enabled
IPv4 Connection Type: STATIC
IPv4 Connection State: Connected
Link State: LINK UP
Gateway: 10.139.54.225
Primary DNS: 10.80.130.23
Secondary DNS:
show net wan wan1 ipv6 setup
This command displays the IPv6 WAN configuration:
IPv6 WAN1 Setup
_______________
Dynamic IPv6 (DHCP) Configuration:
Stateless Address Auto Configuration: Enabled
show net wan wan1 ipv6 status
This command displays the IPv6 WAN1 connection status:
IPv6 WAN1 Status
________________
IPv6 Connection Type: Dynamic IPv6 (DHCP)
IPv6 Connection State: Not Yet Available
IPv6 Address: fe80::a8ab:bbff:fe00:2
IPv6 Prefix Length: 64
Default IPv6 Gateway:
Primary DNS Server:
Secondary DNS Server:
IPv6 Mode and IPv6 Tunnel Show Commands
show net ipv6 ipmode setup
This command displays the IPv6 routing mode configuration:
IP MODE
_______
IPv4 only mode : Disabled
IPv4/IPv6 mode : Enabled
show net ipv6_tunnel setup
This command displays the IPv6 tunnel configuration:
IPv6 Tunnels
____________
6 to 4 Tunneling
Automatic Tunneling is Enabled
List of Available ISATAP Tunnels
ROW ID LocalEndpoint ISATAP Subnet Prefix
______ _____________ ____________________
1 192.168.1.1 FE80::2006
2 10.29.33.4 FE80::DEFC
show net ipv6_tunnel status
This command displays the status of the IPv6 tunnels:
Tunnel Name IPv6 Address(es)
___________ __________________________________________________
sit0-WAN1 2002:408b:36e4::408b:36e4/64, ::127.0.0.1/96, ::192.168.1.1/96, ::10.139.54.228/96
isatap1-LAN fe80::5efe:421:1d0a/64, fe80::5efe:a1d:2104/64, fe80::fe5e:0:a1d:2104/64
LAN DHCP Show Commands
show net lan dhcp leased_clients list
This command displays the LAN clients that received a leased DHCP IP address:
List of Available DHCP Leased Clients
_____________________________________
show net lan dhcp logs
This command displays the LAN DHCP log:
Jan 1 00:02:26 FVS318N local7.info dhcpd: Sending on LPF/bdg1/aa:ab:bb:00:00:01/192.168.1.0/24
Jan 1 00:02:26 FVS318N local7.info dhcpd: Sending on Socket/fallback/fallback-net
Jan 1 00:02:34 FVS318N local7.info dhcpd: Wrote 0 leases to leases file.
Jan 1 00:02:34 FVS318N local7.info dhcpd: Listening on LPF/bdg1/aa:ab:bb:00:00:01/192.168.1.0/24
Jan 1 00:02:34 FVS318N local7.info dhcpd: Sending on LPF/bdg1/aa:ab:bb:00:00:01/192.168.1.0/24
Jan 1 00:02:34 FVS318N local7.info dhcpd: Sending on Socket/fallback/fallback-net
show net lan dhcp reserved_ip setup
This command displays information about the DHCP clients, including the assigned
(reserved) IP addresses:
List of DHCP Reserved Addresses
_______________________________
Name: IPAD_227
IP Address: 192.168.1.23
MAC Address: aa:11:bb:22:cc:33
Group: 1
Dynamic DNS Show Commands
show net ddns setup
This command displays the Dynamic DNS configuration:
Dynamic DNS service currently disabled
IPv4 LAN Show Commands
show net lan ipv4 setup
This command displays the IPv4 LAN configuration:
LAN Setup (IPv4)
________________
VLAN Profiles
_____________
Status Profile Name VLAN Id IPv4 Address Subnet Mask DHCP Status Server Address
_______ ____________ _______ ____________ _______________ ___________ _______________________________
Enabled Default 1 192.168.1.1 255.255.255.0 DHCP Server 192.168.1.100 - 192.168.1.254
Enabled Sales 20 192.168.70.1 255.255.255.0 DHCP Server 192.168.70.100 - 192.168.70.254
Enabled Marketing 40 192.168.90.5 255.255.255.128 Disabled Not Applicable
Default VLAN
____________
Port1: Default
Port2: Default
Port3: Marketing
Port4: Default
Port5: Sales
Port6: Sales
Port7: Sales
Port8: Default
show net lan ipv4 detailed setup <vlan id>
This command displays the detailed configuration for a VLAN:
Detailed Setup (IPv4) of VLAN :- Default
________________________________________
Status: : Enabled
Profile Name: : Default
VLAN Id: : 1
IPv4 Address: : 192.168.1.1
Subnet Mask: : 255.255.255.0
DHCP Status: : DHCP Server
Server Address: : 192.168.1.100 - 192.168.1.254
Primary DNS Server: :
Secondary DNS Server: :
WINS Server: :
Lease Time: : 24
LDAP Status: : Disabled
DNS Proxy: : Enabled
Inter VLAN Routing: : Disabled
show net ethernet {interface name | all}
This command displays the MAC address and VLAN status for a single or all Ethernet interfaces:
FVS318N> show net ethernet eth1
MAC Address: AA:AB:BB:00:00:02
VLAN ID: 1
Interface Name: eth1
VLAN Enabled: N
Native VLAN: N
FVS318N> show net ethernet all
Ethernet Interfaces
___________________
VLAN ID Interface Name VLAN Enabled Native VLAN
_______ ______________ ____________ ___________
1 eth0 N N
1 eth1 N N
show net lan ipv4 advanced setup
This command displays the advanced IPv4 LAN configuration:
LAN Advanced Setup
__________________
VLAN MAC Settings:
MAC Address for VLANs: Same
Advanced Settings:
ARP Broadcast: Enabled
show net lan available_lan_hosts list
This command displays the IPv4 hosts (that is, the known computers and devices in the
LAN):
List of Available Lan Hosts
___________________________
show net lan lan_groups
This command displays the LAN groups:
Row ID : Group Name
___________________
1 GROUP1
2 GROUP2
3 GROUP3
4 GROUP4
5 Management
6 SalesEMEA
7 SalesAmericas
8 GROUP8
show net lan ipv4 multiHoming
This command displays the LAN secondary IP addresses:
IPv4 LAN Multi-homing
_____________________
Available Secondary LAN IPs :-
______________________________
Row Id IP Address Subnet Mask
______ ______________ _______________
1 192.168.20.1 255.255.255.0
2 192.168.70.240 255.255.255.128
IPv6 LAN Show Commands
show net lan ipv6 setup
This command displays the IPv6 LAN configuration:
IPv6 LAN Configuration
______________________
LAN TCP/IP Setup:
IPv6 Address: FEC0::1
IPv6 Prefix Length: 64
DHCPv6:
DHCP Status: Enable DHCPv6 Server
DHCP Mode: Stateless
Domain Name: netgear.com
Server Preference: 255
DNS Servers: Use DNS from ISP
Lease/Rebind Time: 86400
List of IPv6 Address Pools
__________________________
Start Address End Address
__________________ __________________
FEC0::db8:2 FEC0::db8:199
FEC0::db8:10a1:100 FEC0::db8:10a1:300
show net radvd lan setup
This command displays the LAN RADVD configuration:
Router Advertisement Daemon ( RADVD )
_____________________________________
RADVD Status: Enabled
Advertise Mode: Unsolicited Multicast
Advertise Interval: 30
RA Flags
Managed: Disabled
Other: Enabled
Router Preference: High
MTU: 1500
Router Lifetime: 3600 Seconds
List of Available Prefixes to Advertise
_______________________________________
ROW ID IPv6 Prefix IPv6 Prefix Length Life Time
______ __________________ __________________ _________
1 2002:408b:36e4:a:: 64 43200
2 FE80:0:0:CC40:: 64 21600
show net lan ipv6 multiHoming
This command displays the LAN secondary IPv6 addresses:
IPv6 LAN Multi-homing
_____________________
Available Secondary LAN IPs :-
______________________________
Row Id: 1
IPv6 Address: 2001:db8:3000::2192
Prefix Length: 10
DMZ Show Commands
show net dmz ipv4 setup
This command displays the IPv4 DMZ configuration:
DMZ Setup
_________
DMZ Disabled.
show net dmz ipv6 setup
This command displays the IPv6 DMZ configuration:
DHCP Setup Configuration
________________________
IPv6 Address: 2001:176::1
Prefix Length: 64
DHCP Status: DHCP Server Enabled
Mode: Stateful
Domain Name: netgear.com
DNS Server: Use DNS Proxy
Lease Time in Sec : 43200
Starting IP Address : 2001::1100
Ending IP Address : 2001::1120
Pool Prefix Length : 56
show net radvd dmz setup
This command displays the DMZ RADVD configuration:
Router Advertisement Daemon ( RADVD )
_____________________________________
RADVD Status: Enabled
Advertise Mode: Unicast only
Advertise Interval: 30
RA Flags
Managed: Disabled
Other: Enabled
Router Preference: High
MTU: 1500
Router Lifetime: 7200 Seconds
List of Available Prefixes to Advertise
_______________________________________
ROW ID IPv6 Prefix IPv6 Prefix Length Life Time
______ ___________ __________________ _________
1 2002:3a2b 64 3600
2 2002:3a2b 64 3600
Routing Show Commands
show net routing dynamic setup
This command displays the dynamic routing configuration:
Dynamic Routing
_______________
RIP
___
RIP Direction Both
RIP Version RIP-2M
Authentication for RIP-2B/2M: Enabled
First Key Parameters
MD5 Key Id: 1
MD5 Auth Key: *****
Not Valid Before: 2011/12/01@07:00:00
Not Valid After: 2011/12/31@23:59:59
Second Key Parameters
MD5 Key Id: 2
MD5 Auth Key: *****
Not Valid Before: 2011/12/31@24:00:00
Not Valid After: 2012/03/31@23:59:59
show net routing static ipv4 setup
This command displays the IPv4 static routes configuration:
Name Destination Gateway Interface Metric Active Private
---- ----------- ------- --------- ------ ------- -------
Orly 10.118.215.178 10.192.44.13 WAN1 7 1 1
show net routing static ipv6 setup
This command displays the IPv6 static routes configuration:
Name Destination Gateway Interface Metric Active
---- ----------- ------- --------- ------ -------
SFO2 2002:201b:24e2::1001 FE80::2001:5efe:ab23 WAN1 2 1
Network Statistics Show Commands
show net statistics {interface name | all}
This command displays the network statistics for a single or all Ethernet interfaces:
FVS318N> show net statistics eth0
Interface Statistics
____________________
IFACE: eth0
PktRx: 5688
PktTx: 5651
ByteRx: 654963
ByteTx: 4834187
ErrRx: 0
ErrTx: 0
DropRx: 0
DropTx: 0
Mcast: 0
Coll: 0
FVS318N> show net statistics all
Interface Statistics
____________________
IFACE PktRx PktTx ByteRx ByteTx ErrRx ErrTx DropRx DropTx Mcast Coll
_____ ______ ______ ________ ________ _____ _____ ______ ______ _____ ____
eth0 20802 31569 2148358 38409384 0 0 0 0 0 0
eth1 359059 186965 61156441 28586367 0 0 0 0 0 0
Security Settings (Security Mode) Show Commands
This section contains the following subsections:
• Session Limits Show Commands
• Advanced Firewall Show Commands
• Address Filter Show Commands
• Port Triggering Show Commands
• Bandwidth Profiles Show Command
• Content Filtering Show Commands
Services Show Command
show security services setup
This command displays the configured custom services:
List of Available Custom Services
_________________________________
ROW ID Name Type ICMP Type / Port Range QoS
______ ________________ ______ ______________________ ___________________
74 Ixia TCP 10115-10117 Normal-Service
75 RemoteManagement TCP 8888-8888 Maximize-Throughput
Schedules Show Command
show security schedules setup
This command displays the configured schedules:
Schedules
_________
List of Available Schedules
ROW ID Name Days Start Time End Time
______ _________ _________________________ __________ ________
1 schedule1 Monday, Wednesday, Friday 07:15 AM 06:30 PM
2 schedule2 All Days 12:00 AM 11:59 PM
3 schedule3 All Days 12:00 AM 12:00 AM
Firewall Rules Show Command
show security firewall ipv4 setup lan_wan
This command displays the configured IPv4 LAN WAN firewall rules:
Default Outbound Policy for IPv4 : Allow Always
LAN WAN Outbound Rules.
_______________________
ROWID Status Service Name Filter LAN User WAN User Priority Bandwidth Profile Log
_____ _______ ____________ ____________ ________ _______________________________ ______________ _________________ ______
103 Enabled CU-SEEME:TCP BLOCK Always Any Any Normal-Service NONE Never
104 Enabled PING ALLOW Always Any 10.120.114.217 - 10.120.114.245 Normal-Service NONE Always
LAN WAN Inbound Rules.
______________________
ROWID: 102
Status: Enabled
Service Name: HTTP
Filter: ALLOW Always
LAN Server IP Address: 192.168.5.69
LAN User:
WAN User: Any
Destination: Broadband
Bandwidth Profile: NONE
Log: Never
show security firewall ipv4 setup dmz_wan
This command displays the configured IPv4 DMZ WAN firewall rules:
Default Outbound Policy for IPv4 : Allow Always
DMZ WAN Outbound Rules.
_______________________
ROWID: 105
Status: Enabled
Service Name: FTP
Filter: ALLOW by schedule,otherwise block
DMZ User: Any
WAN User: Any
Priority: Maximize-Reliability
Log: Never
DMZ WAN Inbound Rules.
______________________
ROWID Status Service Name Filter DMZ Server IP Address DMZ User WAN User Destination Log
_____ _______ ____________ ____________ _____________________ ________ ________ _____________ ______
106 Enabled Traceroute ALLOW Always 176.21.214.2 Any 10.115.97.174 Always
107 Enabled TELNET ALLOW Always 176.21.214.2 Any Broadband Always
show security firewall ipv4 setup lan_dmz
This command displays the configured IPv4 LAN DMZ firewall rules:
Default Outbound Policy for IPv4 : Allow Always
LAN DMZ Outbound Rules.
_______________________
ROWID: 100
Status: Enabled
Service Name: FTP
Filter: ALLOW Always
LAN User: GROUP3
DMZ User: 176.16.2.65 - 176.16.2.85
Log: Never
LAN DMZ Inbound Rules.
______________________
ROWID: 101
Status: Enabled
Service Name: SSH:UDP
Filter: BLOCK by schedule,otherwise allow
DMZ User: 176.16.2.211
LAN User: 192.168.4.109
Log: Always
show security firewall ipv6 setup
This command displays all configured IPv6 firewall rules:
Default Outbound Policy
_______________________
For IPv6 : Allow Always
List of Available IPv6 Firewall Rules
_____________________________________
ROW ID Status Rule Type Service Action Source Users Destination Users Log Qos Priority Schedule
______ _______ __________ _______________ _________________________________ _______________________________________ ________________________ ______ ______________ _________
130 Enabled WAN To LAN RTELNET ALLOW Always 2002::B32:AAB1:fD41 FEC0::db8:145 Always Normal-Service
131 Enabled WAN To LAN HTTP ALLOW Always Any Any Never Normal-Service
132 Enabled LAN To WAN HTTP ALLOW Always Any Any Never Normal-Service
133 Enabled LAN To WAN HTTPS ALLOW Always Any Any Never Normal-Service
134 Enabled DMZ To WAN FTP ALLOW by schedule,otherwise block FEC0::db8:10a1:201 - FEC0::db8:10a1:299 2001:db6::30f4:fbbf:ccbc Never Normal-Service schedule1
135 Enabled WAN To DMZ VDOLIVE BLOCK Always Any 176::1150 - 176::1200 Always Normal-Service
136 Enabled DMZ To LAN RTSP:TCP BLOCK Always Any Any Always Normal-Service
137 Enabled DMZ To LAN RTSP:UDP BLOCK Always Any Any Always Normal-Service
138 Enabled LAN To DMZ ICMPv6-TYPE-134 BLOCK Always Any 176::1121 - 176::1142 Always Normal-Service
Attack Checks Show Commands
show security firewall attack_checks igmp
This command displays whether or not the IGMP proxy is enabled:
IGMP Configuration
__________________
Igmp Proxy: Disabled
show security firewall attack_checks jumboframe
This command displays whether or not jumbo frames are enabled:
Jumbo Frame Configuration
_________________________
Jumbo Frame Support: Enabled
show security firewall attack_checks setup ipv4
This command displays which WAN and LAN security checks are enabled for IPv4:
Attack Checks
_____________
WAN Security Checks:
_____________________
Respond to ping on Wan : Yes
Enable Stealth mode : Yes
Block TCP Flood : Yes
LAN Security Checks:
_____________________
Block UDP Flood : Yes
Disable Ping Reply on LAN Ports : No
show security firewall attack_checks setup ipv6
This command displays which security checks are enabled for IPv6:
Attack Checks IPv6
__________________
WAN Security Checks:
Respond to ping on Wan : Yes
VPN IPSec Passthrough : Yes
show security firewall attack_checks vpn_passthrough setup
This command displays which VPN pass-through features are enabled:
Passthrough
___________
IPSec VPN Passthrough:
IPSec Passthrough : Enabled
PPTP Passthrough : Enabled
L2TP Passthrough : Enabled
Session Limits Show Commands
show security firewall session_limit
This command displays the session limit settings:
Session Settings
________________
Session Limit Enable: Enabled
Connection Limit Type: 1
User Connection Limit: 6
TCP Session Timeout Duration: 1800(Secs)
UDP Session Timeout Duration: 120(Secs)
ICMP Session Timeout Duration: 60(Secs)
show security firewall session_settings
This command displays the session time-out settings:
Session Settings
________________
TCP Session Timeout Duration:1800(Secs)
UDP Session Timeout Duration:120(Secs)
ICMP Session Timeout Duration:60(Secs)
Advanced Firewall Show Commands
show security firewall advanced algs
This command displays whether or not SIP ALG is enabled:
ALGs
____
Sip: Disabled
Address Filter Show Commands
show security address_filter enable_email_log
This command displays the configuration of the IP/MAC binding log:
Email logs for IP/MAC binding violation
_______________________________________
Email logs for IP/MAC binding violation: Enabled
Email logs for IP/MAC binding violation IPv6
____________________________________________
Email logs for IP/MAC binding violation: Disabled
show security address_filter ip_or_mac_binding setup
This command displays the IP/MAC bindings:
ROW ID Name MAC Address IP Address Log Dropped Packets IP Version
______ _____ _________________ _____________________ ___________________ __________
1 Rule1 00:aa:23:be:03:a1 192.168.10.153 Enabled IPv4
2 CFO a1:b2:c3:d4:ee:da 2001:3063:21a2:28e4:: Enabled IPv6
show security address_filter mac_filter setup
This command displays the configuration of the MAC filter and the MAC addresses for source MAC filtering:
Source MAC Filter
__________________
MAC Filtering: Enabled
Policy for MAC Addresses: Block and Permit the rest
List of Available MAC Addresses
________________________________
ROW ID MAC Address
______ _________________
1 AA:11:BB:22:CC:33
2 a1:b2:c3:de:11:22
3 a1:b2:c3:de:11:25
Port Triggering Show Commands
show security porttriggering_rules setup
This command displays the port triggering rules:
Port Triggering
_______________
List of Available Port Triggering Rules
_______________________________________
ROW ID: 1
Name: AccInq
Enable: Yes
Type: TCP
Interface: LAN
Outgoing Start Port: 20020
Outgoing End Port: 20022
Incoming Start Port: 30030
Incoming End Port: 30040
show security porttriggering_rules status
This command displays the port triggering status:
PortTriggering Rules Status
___________________________
UPnP Show Commands
show security upnp portmap
This command displays the UPnP portmap table:
UPnP Portmap Table
__________________
show security upnp setup
This command displays the UPnP configuration:
UPnP configuration
__________________
Advertisement Period: 30
Advertisement Time To Live: 4
Bandwidth Profiles Show Command
show security bandwidth profile setup
This command displays the configured bandwidth profiles:
List of Available Bandwidth Profiles
____________________________________
ROW ID Name Direction Outbound Bandwidth Range Inbound Bandwidth Range Is Group
______ ________ _______________ ________________________ _______________________ ________
1 BW1 Outbound 500-1500 NA 0
2 BW_Sales Both Directions 1000-10000 1000-10000 1
Content Filtering Show Commands
show security content_filter content_filtering
This command displays the status of content filtering and the web components:
Content Filtering
_________________
WAN Security Checks
Content Filtering : Enabled
LAN Security Checks
-------------------
Proxy : Enabled
Java : Enabled
ActiveX : Enabled
Cookies : Disabled
show security content_filter block_group
This command displays the groups for which content filtering is enabled:
Blocked Groups
______________
List of Blocked Groups
Blocked Groups:
Unblocked Groups : GROUP1, GROUP2, GROUP3, GROUP4, Management, SalesEMEA,
SalesAmericas, GROUP8
show security content_filter blocked_keywords
This command displays the keywords that are blocked:
Blocked Keywords
________________
List of available Blocked Keywords
ROW ID Blocked Keyword Status
______ ________________ _______
2 casino Enabled
3 nude Enabled
4 gambl* Enabled
5 guns Enabled
show security content_filter trusted_domains
This command displays the trusted domains:
List of available Approved URLS
ROW ID Domain
______ __________
1 yahoo.com
2 google.com
3 irs.gov
Administrative and Monitoring Settings (System Mode) Show Commands
This section contains the following subsections:
• Remote Management Show Command
• Firmware Version Show Command
• Logging Configuration Show Commands
Note: The VPN logs and RADIUS logs are part of the VPN Mode show commands (see VPN Settings (VPN Mode) Show Commands).
Remote Management Show Command
show system remote_management setup
This command displays the configuration of remote management for Telnet and HTTPS access:
Remote Mgmt Configuration for telnet
____________________________________
IPv4 access granted to everyone
IPv6 access granted to a range of IPs from : FEC0::3001 to FEC0::3100
port being used : 23
Remote Mgmt Configuration for https
___________________________________
IPv4 access granted to everyone
IPv6 access granted to everyone
port being used : 445
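The output above can be checked mechanically during a configuration review. The following Python sketch is an added example, not NETGEAR code: it parses the text of show system remote_management setup captured from a session and flags Telnet (which sends credentials unencrypted) and any service with no source restriction. The function names and severity labels are assumptions of this example.

```python
import re

# Constructed sample: the output shown above, one setting per line.
SAMPLE_OUTPUT = """\
Remote Mgmt Configuration for telnet
____________________________________
IPv4 access granted to everyone
IPv6 access granted to a range of IPs from : FEC0::3001 to FEC0::3100
port being used : 23
Remote Mgmt Configuration for https
___________________________________
IPv4 access granted to everyone
IPv6 access granted to everyone
port being used : 445
"""

SERVICE_RE = re.compile(r"^Remote Mgmt Configuration for (\S+)$")
ACCESS_RE = re.compile(r"^(IPv4|IPv6) access granted to (.+)$")
PORT_RE = re.compile(r"port being used\s*:\s*(\d+)$")

# Assumption of this example: only Telnet is treated as a cleartext protocol.
CLEARTEXT_SERVICES = {"telnet"}


def parse_remote_management(text):
    """Return {service: {"port": int or None, "access": {family: scope}}}."""
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"_"}:
            continue  # blank line or the underline rule below a heading
        heading = SERVICE_RE.match(line)
        if heading:
            name = heading.group(1).lower()
            current = services.setdefault(name, {"port": None, "access": {}})
            continue
        if current is None:
            continue  # text before the first service heading
        # The port may sit on its own line or trail an access line.
        port = PORT_RE.search(line)
        if port:
            current["port"] = int(port.group(1))
            line = line[:port.start()].strip()
        access = ACCESS_RE.match(line)
        if access:
            # Scopes other than "everyone" are kept verbatim as restrictions.
            current["access"][access.group(1)] = access.group(2).strip()
    return services


def audit(services):
    """Return a list of (severity, service, message) findings."""
    findings = []
    for name, cfg in services.items():
        unrestricted = sorted(
            family for family, scope in cfg["access"].items()
            if scope.lower() == "everyone"
        )
        if name in CLEARTEXT_SERVICES and cfg["access"]:
            findings.append(
                ("high", name,
                 f"cleartext management protocol configured on port {cfg['port']}")
            )
        if unrestricted:
            findings.append(
                ("medium", name,
                 "no source restriction for " + ", ".join(unrestricted))
            )
    return findings


if __name__ == "__main__":
    for severity, service, message in audit(parse_remote_management(SAMPLE_OUTPUT)):
        print(f"[{severity}] {service}: {message}")
```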
SNMP Show Commands
show system snmp trap [agent ipaddress]
This command displays the SNMP trap configuration of an SNMP agent:
Trap Agent IP Address
_____________________
IP Address: 10.118.33.245
Subnet Mask: 255.255.255.255
Port: 162
Community: public
show system snmp sys
This command displays the SNMP system configuration of the wireless VPN firewall:
SNMP System Configuration
_________________________
SysContact: [email protected]
SysLocation: San Jose
SysName: FVS318N-Bld3
Time Show Command
show system time setup
This command displays the time configuration and the configuration of the NTP server:
Time Zone & NTP Servers Configuration
_____________________________________
Current Time: Friday, April 13, 2012, 01:22:40 (GMT -0700)
Timezone: (GMT-08:00) Pacific Time(Canada), Pacific Time(US)
Automatically Adjust for Daylight Savings Time: Yes
Default NTP servers used : Yes
Firmware Version Show Command
show system firmware_version
This command displays the firmware version:
Firmware Version : 4.1.1-8
Status Show Command
show system status
This command displays the system status (also referred to as router status) information:
System Info
___________
System Name: FVS318N
Firmware Version: 4.1.1-8
Lan Port 1 Information
______________________
VLAN Profile: Default
VLAN ID: 1
MAC Address: E0:46:9A:1D:1A:9C
IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0
DHCP Status: Enabled
Lan Port 2 Information
______________________
VLAN Profile: Default
VLAN ID: 1
MAC Address: E0:46:9A:1D:1A:9C
IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0
DHCP Status: Enabled
Lan Port 3 Information
______________________
VLAN Profile: Marketing
VLAN ID: 40
MAC Address: E0:46:9A:1D:1A:9C
IP Address: 192.168.90.5
Subnet Mask: 255.255.255.128
DHCP Status: Disabled
Lan Port 4 Information
______________________
VLAN Profile: Default
VLAN ID: 1
MAC Address: E0:46:9A:1D:1A:9C
IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0
DHCP Status: Enabled
Lan Port 5 Information
______________________
VLAN Profile: Sales
VLAN ID: 20
MAC Address: E0:46:9A:1D:1A:9C
IP Address: 192.168.70.1
Subnet Mask: 255.255.255.0
DHCP Status: Enabled
Lan Port 6 Information
______________________
VLAN Profile: Sales
VLAN ID: 20
MAC Address: E0:46:9A:1D:1A:9C
IP Address: 192.168.70.1
Subnet Mask: 255.255.255.0
DHCP Status: Enabled
Lan Port 7 Information
______________________
VLAN Profile: Sales
VLAN ID: 20
MAC Address: E0:46:9A:1D:1A:9C
IP Address: 192.168.70.1
Subnet Mask: 255.255.255.0
DHCP Status: Enabled
Lan Port 8/DMZ Information
___________________________
VLAN Profile: Default
VLAN ID: 1
MAC Address: E0:46:9A:1D:1A:9C
IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0
DHCP Status: Enabled
Broadband Information
_____________________
MAC Address: AA:AB:BB:00:00:02
IPv4 Address: 10.139.54.228 / 255.255.255.248
IPv6 Address: fe80::a8ab:bbff:fe00:2 / 64
Wan State: UP
NAT (IPv4 only): Enabled
IPv4 Connection Type: STATIC
IPv6 Connection Type: Dynamic IP (DHCPv6)
IPv4 Connection State: Connected
IPv6 Connection State: Connected
Link State: LINK UP
Gateway: 10.139.54.225
Primary DNS: 10.80.130.23
Secondary DNS: 10.80.130.24
Gateway (IPv6):
Primary DNS(IPv6):
Secondary DNS(IPv6):
Wireless LAN Information
________________________
Wireless Status: Enable
SSID: FVS318N_1
Mode: N Only
Security Setting: WPA+WPA2
Region: North America
Channel: 1-2.452 GHz
AP MAC Address: E0:46:9A:1D:1A:AE
Traffic Meter Show Command
show system traffic_meter setup
This command displays the configuration of the traffic meter and the Internet traffic statistics:
Enable Traffic Meter
____________________
Traffic Meter is Enabled
Limit Type Download only
Monthly Limit in (MB): 150000
Increase this month limit: Enabled
Increase limit by in (MB): 50000
This month limit:
Traffic Counter
________________
Traffic Counter: Specific Time
Restart Time (HH/MM-Day of Month): 12/0-1
Send e-mail before restarting: Enabled
When Limit is reached
______________________
Traffic Block Status: Block All Traffic Except Email
Send e-mail alert: Enabled
Internet Traffic Statistics
____________________________
Start Date / Time: Fri Dec 9 18:09:49 2011
Outgoing Traffic Volume: 2057
Incoming Traffic Volume: 2070
Average per day: 4127
% of Standard Limit: 0
% of this Month's Limit: 0
Logging Configuration Show Commands
show system logging setup
This command displays the configuration of the IPv4 and IPv6 logs:
Logging Config
______________
Routing Logs
____________
LAN to WAN
__________
Accepted Packets: Disabled
Dropped Packets: Disabled
WAN to LAN
__________
Accepted Packets: Disabled
Dropped Packets: Disabled
DMZ to WAN
__________
Accepted Packets: Disabled
Dropped Packets: Disabled
WAN to DMZ
__________
Accepted Packets: Disabled
Dropped Packets: Disabled
LAN to DMZ
__________
Accepted Packets: Disabled
Dropped Packets: Disabled
DMZ to LAN
__________
Accepted Packets: Disabled
Dropped Packets: Disabled
System Logs
___________
Change of time by NTP: Disabled
Login attempts: Enabled
Secure Login attempts: Enabled
Reboots: Enabled
All Unicast Traffic: Disabled
All Broadcast/Multicast Traffic: Disabled
WAN Status: Disabled
Resolved DNS Names: Disabled
VPN Logs: Disabled
DHCP Server: Disabled
Other Event Logs
________________
Source MAC Filter: Disabled
Session Limit: Disabled
Bandwidth Limit: Disabled
show system logging remote setup
This command displays the configuration and the schedule of the email logs:
Log Identifier: FVS318N-BLD3
Enable E-Mail Logs
__________________
E-Mail Server Address: SMTP.Netgear.com
Return E-Mail Address: [email protected]
Send to E-Mail Address: [email protected]
Authentication: No Authentication
Respond to Identd from SMTP Server: N
Send E-mail logs by Schedule
____________________________
Unit: Weekly
Day: Sunday
Time: 03 AM
Syslog Configuration
____________________
Syslog Server: Disabled
Logs Show Commands
show system logs
This command displays the system logs (the following example shows only part of the command output):
Wed Dec 7 14:06:23 2011(GMT) [FVS318N][System][NTP] Looking Up time-g.netgear.com
Wed Dec 7 14:06:26 2011(GMT) [FVS318N][System][NTP] Timezone difference :480 after
2 Hours time-g is
Logged-Out successfully from host 74.116.205.101
Wed Dec 7 15:31:00 2011(GMT) [FVS318N][Kernel][KERNEL] WAN_PING[DROP]IN=eth1 OUT= MAC=aa:ab:bb:00:00:02:00:22:10:9c:23:10:08:00 SRC=10.136.73.53 DST=10.139.54.228 LEN=92 TOS=0x00 PREC=0x20 TTL=108 ID=8004 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=5702
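Kernel entries such as the WAN_PING[DROP] line above can be split into fields for triage. The following Python sketch is an added example, not NETGEAR code: it assumes the entry follows the Linux netfilter LOG layout that its fields match (MAC= holds destination MAC, source MAC, and EtherType; the second ID= is the ICMP echo identifier). The sample entries after the first two are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Lines 1 and 2 are entries from the page (the kernel entry rejoined onto one
# line); lines 3 and 4 are constructed for this example.
SAMPLE_LOG = """\
Wed Dec 7 14:06:23 2011(GMT) [FVS318N][System][NTP] Looking Up time-g.netgear.com
Wed Dec 7 15:31:00 2011(GMT) [FVS318N][Kernel][KERNEL] WAN_PING[DROP]IN=eth1 OUT= MAC=aa:ab:bb:00:00:02:00:22:10:9c:23:10:08:00 SRC=10.136.73.53 DST=10.139.54.228 LEN=92 TOS=0x00 PREC=0x20 TTL=108 ID=8004 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=5702
Wed Dec 7 15:31:01 2011(GMT) [FVS318N][Kernel][KERNEL] WAN_PING[DROP]IN=eth1 OUT= MAC=aa:ab:bb:00:00:02:00:22:10:9c:23:10:08:00 SRC=10.136.73.53 DST=10.139.54.228 LEN=92 TOS=0x00 PREC=0x20 TTL=108 ID=8005 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=5703
Wed Dec 7 15:40:12 2011(GMT) [FVS318N][Kernel][KERNEL] WAN_PING[DROP]IN=eth1 OUT= MAC=aa:ab:bb:00:00:02:00:22:10:9c:23:10:08:00 SRC=10.136.80.9 DST=10.139.54.228 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=311 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
"""

# "<timestamp>(<tz>) [<host>][<facility>][<component>] <message>"
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} [\d:]{8} \d{4})\((?P<tz>[^)]*)\) "
    r"\[(?P<host>[^\]]*)\]\[(?P<facility>[^\]]*)\]\[(?P<component>[^\]]*)\] "
    r"(?P<msg>.*)$"
)
# "<rule tag>[<action>]IN=..." marks a packet entry.
PACKET_RE = re.compile(r"^(?P<rule>\w+)\[(?P<action>[A-Z]+)\]\s*(?P<fields>IN=.*)$")


def parse_packet_line(line):
    """Parse one packet-log entry; return None for any other line."""
    head = HEADER_RE.match(line.strip())
    if not head:
        return None
    pkt = PACKET_RE.match(head.group("msg"))
    if not pkt:
        return None
    fields = {}
    for token in pkt.group("fields").split():
        key, sep, value = token.partition("=")
        if not sep:
            continue  # token without "=", such as a bare flag; skipped
        if key in fields:
            # ID occurs twice: the IP header ID, then the ICMP echo ID after
            # PROTO=. Keep both by prefixing the later one with the protocol.
            key = f"{fields.get('PROTO', 'L4')}_{key}"
        fields[key] = value
    record = {
        "time": datetime.strptime(head.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "tz": head.group("tz"),
        "host": head.group("host"),
        "rule": pkt.group("rule"),
        "action": pkt.group("action"),
        "fields": fields,
    }
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:  # destination MAC + source MAC + EtherType
        record["dst_mac"] = ":".join(octets[:6])
        record["src_mac"] = ":".join(octets[6:12])
        record["ethertype"] = "".join(octets[12:])
    return record


def drops_by_source(text, action="DROP"):
    """Count entries with the given action per (rule tag, source IP)."""
    counts = Counter()
    for line in text.splitlines():
        record = parse_packet_line(line)
        if record and record["action"] == action:
            counts[(record["rule"], record["fields"].get("SRC"))] += 1
    return counts


if __name__ == "__main__":
    for (rule, src), n in drops_by_source(SAMPLE_LOG).most_common():
        print(f"{rule} dropped {n} packet(s) from {src}")
```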
show sysinfo
This command displays system information, including MAC addresses, serial number, and firmware version:
System - Manufacturer Information
**************************
hwver: 00:00:A0:03
reginfo: 0x0005
numofimages : 1
currimage: 1
mac address : E0469A1D1A9C
wireless MAC[0] : e0469a1d1aae
wireless MAC[1] : e0469a1d1aaf
wireless MAC[2] : e0469a1d1ab0
wireless MAC[3] : e0469a1d1ab1
vlan[0] MAC : e0469a1d1a9f
vlan[1] MAC : e0469a1d1aa0
vlan[2] MAC : e0469a1d1aa1
vlan[3] MAC : e0469a1d1aa2
vlan[4] MAC : e0469a1d1aa3
vlan[5] MAC : e0469a1d1aa4
vlan[6] MAC : e0469a1d1aa5
vlan[7] MAC : e0469a1d1aa6
vlan[8] MAC : e0469a1d1aa7
vlan[9] MAC : e0469a1d1aa8
vlan[10] MAC : e0469a1d1aa9
vlan[11] MAC : e0469a1d1aaa
vlan[12] MAC : e0469a1d1aab
vlan[13] MAC : e0469a1d1aac
vlan[14] MAC : e0469a1d1aad
WAN MAC : e0469a1d1a9d
pcbasn number : S.YX218U00E0
serial number : 2JF119BY001B0
image 0 : 4.1.1-8
image 1 : 0
productId : FVS318N
maccnt0: 0x22
maccnt1: 0x0
maccnt2: 0x0
maccnt3: 0x0
**************************
Wireless Settings (Dot11 Mode) Show Commands
This section contains the following subsections:
• Wireless Statistics Commands
Radio Show Command
show dot11 radio
This command displays the configuration information for the radio:
Radio Configuration
___________________
Region: North America
Country: US
Operating Frequency: 2.4 GHz
Mode: n only
Channel Spacing: 20/40 MHz
Current Channel: 9-2.452 GHz
Channel: 1-2.412GHz
Default Transmit Power: Half(dBm)
Transmit Power: 15 dBm
Transmit Rate: Best(Automatic)
Radio Advanced Configuration
____________________________
Beacon Interval: 100 (Milliseconds)
DTIM Interval: 2
RTS Threshold: 2346 (Bytes)
Frag Threshold: 2346 (Bytes)
Preamble Mode: Long
Protection Mode: None
Power save enable: N
Profile Show Commands
show dot11 profile [profile name]
This command displays basic information for all profiles or basic and advanced information for a specified profile:
• All profiles:
FVS318N> show dot11 profile
Status Profile Name SSID Broadcast Security Encryption Authentication Active Time Start Time Stop Time
________ ____________ _________ _________ ________ __________ ______________ ___________ __________ _________
Enabled default1 FVS318N_1 Y WPA+WPA2 TKIP+CCMP PSK Disabled - -
Disabled 1st_Floor WorkToDo Y WPA+WPA2 TKIP+CCMP PSK Enabled 7:0 AM 8:0 PM
• A specified profile:
FVS318N> show dot11 profile 1st_Floor
Profile Configuration
_____________________
Profile Name: 1st_Floor
SSID: WorkToDo
Broadcast SSID: Enabled
Security: WPA+WPA2
Authentication: PSK
Encryption: TKIP+CCMP
WPA Password: **********
Profile Advanced Configuration:
Association Timeout Interval (in Seconds): 10
Authentication Timeout Interval (in Seconds): 10
Group Key Refresh Interval (in Seconds): 3600
PMKSA LifeTime (in Seconds): 3600
802.1X Re-authentication Interval (in Seconds): 3600
show dot11 profile status <profile name>
This command displays traffic statistics for the specified profile (note that the profile is called an access point and that, in this example, it is indicated by ap2):
Access Point Status
___________________
AP Name: ap2
Radio: 1
PktRx: 0
PktTx: 0
ByteRx: 0
ByteTx: 0
ErrRx: 0
ErrTx: 0
DropRx: 0
DropTx: 11301
MCast: 0
#Coll: 0
Connected Clients
_________________
show dot11 acl <profile name>
This command displays the ACL policy and MAC addresses for the specified profile:
Default ACL Policy
__________________
ACL Policy Status: Allow
List of MAC Address
___________________
_________________
a1:23:04:e6:de:bb
c2:ee:d2:10:34:fe
show dot11 wps
This command displays the WPS configuration:
Access Point Name: ap1
WPS Enabled: Y
Wireless Statistics Commands
show dot11 statistics
This command displays the cumulative wireless traffic statistics for all wireless profiles (note that the profiles are indicated by ap1, ap2, ap3, and so on):
Wireless Statistics
___________________
AP Name  Radio  PktRx  PktTx  ByteRx  ByteTx  ErrRx  ErrTx  DropRx  DropTx  MCast  #coll
_______  _____  _____  _____  ______  ______  _____  _____  ______  ______  _____  _____
ap1      1      0      0      0       0       0      0      0       83      0      0
ap2      1      0      0      0       0       0      0      0       0       0      0
ap3      1      0      0      0       0       0      0      0       80      0      0
VPN Settings (VPN Mode) Show Commands
This section contains the following subsections:
IPSec VPN Show Commands
show vpn ipsec ikepolicy setup
This command displays the IKE policies:
List of IKE Policies
____________________
Name               Mode        Local ID                Remote ID      Encryption  Authentication  DH Group
_________________  __________  ______________________  _____________  __________  ______________  ____________
iphone             aggressive  10.139.54.228           0.0.0.0        AES-128     SHA-1           Group 2 (1024 bit)
FVS318N-to-Peer44  main        fe80::a8ab:bbff:fe00:2  peer44.com     3DES        SHA-1           Group 2 (1024 bit)
FVS-to-Paris       main        10.139.54.228           10.112.71.154  3DES        SHA-1           Group 2 (1024 bit)
show vpn ipsec vpnpolicy setup
This command displays the IPSec VPN policies:
Status   Name               Type         IPSec Mode   Local                                   Remote                          Auth   Encr
_______  _________________  ___________  ___________  ______________________________________  ______________________________  _____  ____
Enabled  FVS318N-to-Peer44  Auto Policy  Tunnel Mode  2002:408b:36e4:a:a8ab:bbff:fe00:1 / 64  fe80::a4bb:ffdd:fe01:2 / 64     SHA-1  3DES
Enabled  FVS-to-Paris       Auto Policy  Tunnel Mode  192.168.1.0 / 255.255.255.0             192.168.50.0 / 255.255.255.255  SHA-1  3DES
show vpn ipsec vpnpolicy status
This command displays status information about the active and nonactive IPSec VPN policies (this example does not relate to the previous two examples):
Row Id  Policy Name      Endpoint                        tx ( KB )  tx ( Packets )  State                     Action
______  _______________  ______________________________  _________  ______________  ________________________  _______
1       GW1-to-GW2       10.144.28.226                   0.00       0               IPsec SA Not Established  Connect
2       FVS-to-IPv6Peer  2001::da21:1316:df17:dfee:e33c  0.00       0               IPsec SA Not Established  Connect
3       100.10.10.1      100.153.46.20                   7.01       31              IPsec SA Established      Drop
4       100.10.10.2      100.153.46.20                   6.68       29              IPsec SA Established      Drop
show vpn ipsec mode_config setup
This command displays the Mode Config records:
List of Mode Config Records
___________________________
Record Name  Pool Start IP        Pool End IP
___________  ___________________  ___________________
Beijing      192.168.2.100        192.168.2.150
iphone       10.100.100.1         100.10.100.12
show vpn ipsec logs
This command displays the IPSec VPN logs (the following example shows only part of the command output):
Tue Apr 10 12:24:36 2012 (GMT -0700): [FVS318N] [IKE] INFO: Using IPsec SA configuration: anonymous
Tue Apr 10 12:24:36 2012 (GMT -0700): [FVS318N] [IKE] INFO: Re-using previously generated policy: 100.10.10.2/32[0] 0.0.0.0/0[0] proto=any dir=in
Tue Apr 10 12:24:36 2012 (GMT -0700): [FVS318N] [IKE] WARNING: less key length proposed, mine:128 peer:256. Use initiaotr's one.
Tue Apr 10 12:24:36 2012 (GMT -0700): [FVS318N] [IKE] INFO: IPsec-SA established: ESP/Tunnel 173.11.109.158->64.139.54.228 with spi=73255174(0x45dc906)
Tue Apr 10 12:24:36 2012 (GMT -0700): [FVS318N] [IKE] INFO: IPsec-SA established: ESP/Tunnel 64.139.54.228->173.11.109.158 with spi=7343706(0x700e5a)
Tue Apr 10 12:27:25 2012 (GMT -0700): [FVS318N] [IKE] INFO: Sending Informational Exchange: notify payload[10637]
SSL VPN Show Commands
show vpn sslvpn client
This command displays the SSL VPN client ranges and configurations:
SSL VPN Client(IPv4)
____________________
Enable Full Tunnel Support: No
DNS Suffix:
Primary DNS Server: 192.168.10.5
Secondary DNS Server: 192.168.10.6
Client Address Range Begin: 192.168.200.50
Client Address Range End: 192.168.200.99
SSL VPN Client(IPv6)
____________________
Enable Full Tunnel Support: No
DNS Suffix:
Primary DNS Server: 192.168.10.5
Secondary DNS Server: 192.168.10.6
Client Address Range Begin: 4000::1000:2
Client Address Range End: 4000::1000:50
show vpn sslvpn logs
This command displays the SSL VPN logs:
Fri Dec 9 20:19:03 2011(GMT) [FVS318N][System][SSLVPN] SSL_INFO :user admin2 is Logged-Out successfully from host 10.116.205.103
Sat Dec 10 09:12:50 2011(GMT) [FVS318N][System][SSLVPN] SSL_INFO : Login Successful for Local Admin user admin2 from host 10.116.205.103
Sat Dec 10 14:07:32 2011(GMT) [FVS318N][System][PLATFORM] platformHandleDBUpdate:SSLVPNUserLoginPolicyDefinedBrowser op=18 row=2
Sat Dec 10 14:12:10 2011(GMT) [FVS318N][System][PLATFORM] platformHandleDBUpdate:SSLVPNUserLoginPolicyDefinedAddress op=18 row=1
Sat Dec 10 14:12:26 2011(GMT) [FVS318N][System][SSLVPN] Edit operation done on user PeterBrown
Sat Dec 10 14:20:10 2011(GMT) [FVS318N][System][SSLVPN] SSL_INFO :user admin2 is Logged-Out successfully from host 10.116.205.103
Sat Dec 10 18:04:50 2011(GMT) [FVS318N][System][SSLVPN] SSL_INFO : Login Successful for Local Admin user admin2 from host 10.116.205.103
Sat Dec 10 18:09:50 2011(GMT) [FVS318N][System][PLATFORM] platformHandleDBUpdate:SSLVPNPortalLayout op=23 row=1
Sat Dec 10 18:09:51 2011(GMT) [FVS318N][System][SSLVPN] Portal 'SSL-VPN' is set as default
Sat Dec 10 18:09:53 2011(GMT) [FVS318N][System][SSLVPN] Domain Headquarter is successfully added. Authentication Type: ldapPortal Layout Name: SSL-VPN
Sat Dec 10 18:10:21 2011(GMT) [FVS318N][System][SSLVPN] Group Sales is successfully added. Domain Name:Headquarter
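The log layout shown above can be turned into a session audit. The following is an added example, not part of the NETGEAR manual: it re-joins wrapped records, pairs logins with logouts, and attaches configuration-change records to the session that was open at the time. The sample lines are constructed in the manual's layout; the user names, the 192.0.2.10 host, and all function names are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the "show vpn sslvpn logs" output; the user
# names and the 192.0.2.10 host are made up, and long records wrap as in the manual.
SAMPLE = """\
Fri Dec 9 20:19:03 2011(GMT) [FVS318N][System][SSLVPN] SSL_INFO :user opsadmin is
Logged-Out successfully from host 192.0.2.10
Sat Dec 10 09:12:50 2011(GMT) [FVS318N][System][SSLVPN] SSL_INFO : Login
Successful for Local Admin user opsadmin from host 192.0.2.10
Sat Dec 10 14:07:32 2011(GMT) [FVS318N][System][PLATFORM] platformHandleDBUpdate:SSLVPNUserLoginPolicyDefinedBrowser op=18 row=2
Sat Dec 10 14:12:26 2011(GMT) [FVS318N][System][SSLVPN] Edit operation done on user jdoe
Sat Dec 10 14:20:10 2011(GMT) [FVS318N][System][SSLVPN] SSL_INFO :user opsadmin is Logged-Out successfully from host 192.0.2.10
Sat Dec 10 18:10:21 2011(GMT) [FVS318N][System][SSLVPN] Group Sales is successfully added. Domain Name:Headquarter
"""

RECORD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\(GMT\) "
    r"\[(?P<device>[^\]]+)\]\[(?P<facility>[^\]]+)\]\[(?P<component>[^\]]+)\]\s*(?P<msg>.*)$")
LOGIN = re.compile(r"Login Successful for (?P<role>.+) user (?P<user>\S+) from host (?P<host>\S+)")
LOGOUT = re.compile(r"user (?P<user>\S+) is Logged-Out successfully from host (?P<host>\S+)")


def parse_records(text):
    """Re-join wrapped lines and return a list of (timestamp, component, message)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            records.append([ts, m["component"], m["msg"].strip()])
        elif records:
            # No timestamp prefix: continuation of the previous (wrapped) record.
            records[-1][2] += " " + line
    return [tuple(r) for r in records]


def new_session(user, host, role=None, login=None):
    return {"user": user, "host": host, "role": role,
            "login": login, "logout": None, "changes": []}


def build_sessions(records):
    """Pair logins with logouts per (user, host) and attach configuration changes.

    The log does not name the account behind a change, so a change is attached to
    every session open at that moment (a heuristic). Changes logged while no
    session is open are returned separately so they can be reviewed.
    """
    open_sessions, closed, unattributed = {}, [], []
    for ts, component, msg in records:
        login, logout = LOGIN.search(msg), LOGOUT.search(msg)
        if login:
            key = (login["user"], login["host"])
            if key in open_sessions:  # re-login without a recorded logout
                closed.append(open_sessions.pop(key))
            open_sessions[key] = new_session(*key, role=login["role"], login=ts)
        elif logout:
            key = (logout["user"], logout["host"])
            # A logout with no matching login means the log starts mid-session.
            session = open_sessions.pop(key, None) or new_session(*key)
            session["logout"] = ts
            closed.append(session)
        elif "SSL_INFO" not in msg:
            # PLATFORM database updates and SSLVPN add/edit messages.
            current = list(open_sessions.values())
            for session in current:
                session["changes"].append((ts, msg))
            if not current:
                unattributed.append((ts, msg))
    return closed + list(open_sessions.values()), unattributed


if __name__ == "__main__":
    sessions, unattributed = build_sessions(parse_records(SAMPLE))
    for s in sessions:
        print(s["user"], s["host"], s["login"], "->", s["logout"],
              f"{len(s['changes'])} change(s)")
    for ts, msg in unattributed:
        print("no open session:", ts, msg)
```

Timestamps are parsed as printed; the `(GMT)` suffix is matched but no time-zone conversion is applied.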
show vpn sslvpn policy
This command displays the SSL VPN policies:
SSL VPN Policies
________________
Row Id  Policy Name    Service Type     Destination Object   Permission
______  _____________  _______________  ___________________  __________
1       RemoteWorkers  Port Forwarding  TopSecure            Permit
2       Management     VPN Tunnel       0.0.0.0:15652-15658  Permit
show vpn sslvpn portal-layouts
This command displays the SSL VPN portal layouts:
List of Layouts
_______________
Row Id  Layout Name  Description                     Use Count  Portal URL (IPv4)                     Portal URL (IPV6)
______  ___________  ______________________________  _________  ____________________________________  __________________________________________________
1       SSL-VPN*     Welcome to Netgear Configur...  4          https://64.139.54.228/portal/SSL-VPN  https://[fe80::e246:9aff:fe1d:1a9d]/portal/SSL-VPN
2       CSup         In case of login difficulty...  1          https://64.139.54.228/portal/CSup     https://[fe80::e246:9aff:fe1d:1a9d]/portal/CSup
show vpn sslvpn portforwarding appconfig
This command displays the SSL VPN port forwarding application configuration:
Port Forwarding Application Configuration
_________________________________________
Row Id  Server IP       Port
______  ______________  ____
1       192.168.51.227  3389
2       192.168.51.230  4009
show vpn sslvpn portforwarding hostconfig
This command displays the SSL VPN port forwarding host configuration:
Port Forwarding Host Configuration
__________________________________
Row Id: 1
Server IP: 192.168.51.227
FQDN Name: RemoteDesktop
show vpn sslvpn resource
This command displays the SSL VPN resource configuration:
RESOURCES
_________
Row Id  Resource Name  Service
______  _____________  _______________
1       TopSecure      Port Forwarding
2       FTPServer      Port Forwarding
3       RoadWarrior    VPN Tunnel
show vpn sslvpn resource-object <resource name>
This command displays the detailed configuration for the specified resource object:
RESOURCE OBJECTS
________________
Row Id: 1
Object Type: IP Network
Object Address: 192.168.30.56
Mask Length: 24
Start Port: 3391
End Port: 3393
show vpn sslvpn route
This command displays the SSL VPN client routes:
Configured Client Routes
________________________
Row Id  Destination Network      Subnet Mask
______  _______________________  _______________
1       192.168.4.20             255.255.255.254
2       2001:abcf:1241:dffe::22  10
SSL VPN User Show Commands
show vpn sslvpn users domains
This command displays the domain configurations:
List of Domains
_______________
Row_Id  Domain Name     Authentication Type  Portal Layout Name
______  ______________  ___________________  __________________
1       geardomain*     Local User Database  SSL-VPN
2       Headquarter     LDAP                 CSup
3       LevelI_Support  Local User Database  SSL-VPN
4       TEST            wikid_pap            SSL-VPN
show vpn sslvpn users groups
This command displays the group configurations:
List of Groups
______________
Row_Id  Name             Domain
______  _______________  ______________
1       geardomain*      geardomain
2       Headquarter      Headquarter
3       Sales            Headquarter
4       LevelI_Support   LevelI_Support
5       TEST             TEST
show vpn sslvpn users users
This command displays the user account configurations:
List of Users
_____________
Row_Id  User Name       Group           Type            Authentication Domain  Login Status
______  ______________  ______________  ______________  _____________________  _____________________
1       admin*          geardomain      Administrator   geardomain             Enabled (LAN and WAN)
2       guest*          geardomain      Guest           geardomain             Enabled (LAN only)
3       admin2          geardomain      Administrator   geardomain             Enabled (LAN and WAN)
4       PeterBrown      Sales           SSL VPN User    Headquarter            Enabled (LAN and WAN)
5       JohnD_Company   LevelI_Support  SSL VPN User    LevelI_Support         Enabled (LAN and WAN)
6       chin            geardomain      Administrator   geardomain             Enabled (LAN and WAN)
7       iphone                          IPSEC VPN User                         Enabled (LAN and WAN)
show vpn sslvpn users login_policies <row id>
Note: The row ID refers to the List of Users table in the output of the show vpn sslvpn users users command.
This command displays the login restrictions based on login policies for the specified user:
User Login Policies
___________________
User Name: PeterBrown
Disable Login: No
Deny Login from Wan Interface: No
show vpn sslvpn users ip_policies <row id>
Note: The row ID refers to the List of Users table in the output of the show vpn sslvpn users users command.
This command displays the login restrictions based on IP addresses for the specified user:
User Ip Policies
________________
User Name: PeterBrown
Allow Login from Defined Address: Yes
Ip Addresses
____________
Row_Id: 1
Source Address Type: IP Address
Network/IP Address: 10.156.127.39
Mask Length: 32
show vpn sslvpn users browser_policies <row id>
Note: The row ID refers to the List of Users table in the output of the show vpn sslvpn users users command.
This command displays the login restrictions based on web browsers for the specified user:
User Browser Policies
_____________________
User Name: PeterBrown
Allow Login from Defined Browser: No
Defined Browsers
________________
Navigator
MSIE
show vpn sslvpn users active_users
This command displays the active SSL VPN users:
UserName: : admin
GroupName: : geardomain
LoginAddress: : 74.116.205.166
LoginTime: : Fri Apr 13 11:55:33 2012 (GMT -0700)
RADIUS Server Show Command
show vpn radius [ipaddress]
This command displays the configuration of all RADIUS servers or of a specified RADIUS server; the output for a specified server includes the shared secret:
• All RADIUS Servers:
FVS318N> show vpn radius
Configured RADIUS Client
________________________
Server IP    Server Port  Timeout  Retries  NAS Identifier
___________  ___________  _______  _______  ______________
192.168.1.2  1812         30       4        FVS318N
192.168.1.3  1812         30       4        FVS318N
• A specified RADIUS server:
FVS318N> show vpn radius 192.168.1.2
RADIUS Configuration
____________________
Auth Server IP Address: 192.168.1.2
Auth Port: 1812
Timeout (in seconds): 30
Retries: 4
Secret: sharedsecret
NAS Identifier: FVS318N
L2TP Server Show Commands
show vpn l2tp server setup
This command displays the configuration of the L2TP server:
L2TP Server Configuration
_________________________
L2TP Server Status: Enabled
L2TP Starting IP Address: 192.168.112.1
L2TP server Ending IP Address: 192.168.112.25
L2TP server Idle Timeout: 10
show vpn l2tp server connections
This command displays the users that are connected through the L2TP server:
List of L2TP Active Users
_________________________
10. Utility Commands
This chapter explains the configuration commands, keywords, and associated parameters in the Util mode. The chapter includes the following sections:
• Firmware Backup, Restore, and Upgrade Commands
Overview Util Commands
Enter the util ? command at the CLI prompt to display the description of the utility commands in the util mode. The following table lists the commands in alphabetical order:
Table 19. Utility commands in the util mode
Command Name                   Purpose
util backup_configuration      Back up the configuration file of the wireless VPN firewall to a TFTP server.
util dns_lookup                Look up the IP address of a domain name.
util firmware_upgrade          Upgrade the firmware of the wireless VPN firewall from a TFTP server.
util ping                      Ping an IP address.
util ping_through_vpn_tunnel   Ping a VPN endpoint IP address.
util reboot                    Reboot the wireless VPN firewall.
util restore_factory_defaults  Restore the wireless VPN firewall to factory default settings.
util routing_table_ipv4        Display the IPv4 routing table.
util routing_table_ipv6        Display the IPv6 routing table.
util traceroute                Trace a route to an IP address.
util upload_configuration      Upload a previously backed-up configuration file of the wireless VPN firewall from a TFTP server.
Firmware Backup, Restore, and Upgrade Commands
util backup_configuration
This command backs up the configuration file of the wireless VPN firewall to a TFTP server.
Format  util backup_configuration <destination file name> <tftp server address>
Mode    util
util upload_configuration
This command uploads a previously backed-up configuration file of the wireless VPN firewall from a TFTP server.
Format  util upload_configuration <source file name> <tftp server address>
Mode    util
util firmware_upgrade
This command upgrades the firmware of the wireless VPN firewall from a TFTP server.
Format  util firmware_upgrade <source file name> <tftp server address>
Mode    util
util reboot
This command reboots the wireless VPN firewall. It takes about 3 minutes for the wireless VPN firewall to come back up.
Format  util reboot
Mode    util
util restore_factory_defaults
This command restores the wireless VPN firewall to factory default settings. It takes about 3 minutes for the wireless VPN firewall to come back up.
Format  util restore_factory_defaults
Mode    util
Diagnostic Commands
util dns_lookup
This command looks up the IP address of a domain name.
Format  util dns_lookup <domain name>
Mode    util
FVS318N> util dns_lookup netgear.com
Server: 66.80.130.23
Address 1: 66.80.130.23 ns1.megapath.net
Name: netgear.com
Address 1: 206.16.44.90
util ping
This command pings an IP address with 56 data bytes and displays the ping information.
Format  util ping <ipaddress>
Mode    util
FVS318N> util ping 10.136.216.82
PING 10.136.216.82 (10.136.216.82): 56 data bytes
64 bytes from 10.136.216.82: seq=0 ttl=48 time=69.168 ms
64 bytes from 10.136.216.82: seq=1 ttl=48 time=112.606 ms
64 bytes from 10.136.216.82: seq=2 ttl=48 time=46.531 ms
64 bytes from 10.136.216.82: seq=3 ttl=48 time=49.804 ms
64 bytes from 10.136.216.82: seq=4 ttl=48 time=51.247 ms
--- 10.136.216.82 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 46.531/65.871/112.606 ms
util ping_through_vpn_tunnel
This command pings a VPN endpoint IP address with 56 data bytes through a VPN tunnel and displays the ping information.
Format  util ping_through_vpn_tunnel <ipaddress>
Mode    util
FVS318N> util ping_through_vpn_tunnel 10.136.24.128
Pinging 192.168.1.1 from 5
Ping passed
64 bytes from 10.136.24.128: icmp_seq=0 ttl=64
64 bytes from 10.136.24.128: icmp_seq=1 ttl=64
64 bytes from 10.136.24.128: icmp_seq=2 ttl=64
64 bytes from 10.136.24.128: icmp_seq=3 ttl=64
64 bytes from 10.136.24.128: icmp_seq=4 ttl=64
util traceroute
This command traces a route to an IP address.
Format  util traceroute <ipaddress>
Mode    util
FVS318N> util traceroute 10.136.24.128
traceroute to 10.136.24.128 (10.136.24.128), 30 hops max, 40 byte packets
1 (10.136.24.128) 0.516 ms 0.227 ms 0.218 ms
util routing_table_ipv4
This command displays the IPv4 routing table.
Format  util routing_table_ipv4
Mode    util
util routing_table_ipv6
This command displays the IPv6 routing table.
Format  util routing_table_ipv6
Mode    util
CLI Command Index
D
dot11 profile acl configure
dot11 profile configure
dot11 profile delete
dot11 profile disable
dot11 profile enable
dot11 profile wps configure
dot11 radio advanced configure
dot11 radio configure
N
net ddns configure
net dmz ipv4 configure
net dmz ipv6 configure
net dmz ipv6 pool configure
net ethernet configure
net ipv6 ipmode configure
net ipv6_tunnel isatap add
net ipv6_tunnel isatap delete
net ipv6_tunnel isatap edit
net ipv6_tunnel six_to_four configure
net lan dhcp reserved_ip configure
net lan dhcp reserved_ip delete
net lan ipv4 advanced configure
net lan ipv4 configure
net lan ipv4 default_vlan
net lan ipv4 delete
net lan ipv4 disable
net lan ipv4 enable
net lan ipv4 multi_homing add
net lan ipv4 multi_homing delete
net lan ipv4 multi_homing edit
net lan ipv6 configure
net lan ipv6 multi_homing add
net lan ipv6 multi_homing delete
net lan ipv6 multi_homing edit
net lan ipv6 pool configure
net lan ipv6 pool delete
net lan lan_groups edit
net radvd configure dmz
net radvd configure lan
net radvd pool dmz delete
net radvd pool dmz edit
net radvd pool lan add
net radvd pool lan delete
net radvd pool lan edit
net routing dynamic configure
net routing static ipv4 configure
net routing static ipv4 delete
net routing static ipv4 delete_all
net routing static ipv6 configure
net routing static ipv6 delete
net routing static ipv6 delete_all
net wan port_setup configure
net wan wan1 ipv4 configure
net wan wan1 ipv6 configure
net wan_settings wanmode configure
S
security address_filter ip_or_mac_binding add
security address_filter ip_or_mac_binding delete
security address_filter ip_or_mac_binding edit
security address_filter ip_or_mac_binding enable_email_log
security address_filter mac_filter configure
security address_filter mac_filter source add
security address_filter mac_filter source delete
security bandwidth profile add
security bandwidth profile delete
security bandwidth profile edit
security content_filter blocked_keywords add
security content_filter blocked_keywords delete
security content_filter blocked_keywords edit
security content_filter block_group disable
security content_filter block_group enable
security content_filter content_filtering configure
security content_filter trusted_domain add
security content_filter trusted_domain delete
security content_filter trusted_domain edit
security firewall advanced algs
security firewall attack_checks configure ipv4
security firewall attack_checks configure ipv6
security firewall attack_checks igmp setup
security firewall attack_checks jumboframe setup
security firewall attack_checks vpn_passthrough configure
security firewall ipv4 add_rule dmz_wan inbound
security firewall ipv4 add_rule dmz_wan outbound
security firewall ipv4 add_rule lan_dmz inbound
security firewall ipv4 add_rule lan_dmz outbound
security firewall ipv4 add_rule lan_wan inbound
security firewall ipv4 add_rule lan_wan outbound
security firewall ipv4 default_outbound_policy
security firewall ipv4 delete
security firewall ipv4 disable
security firewall ipv4 edit_rule dmz_wan inbound
security firewall ipv4 edit_rule dmz_wan outbound
security firewall ipv4 edit_rule lan_dmz inbound
security firewall ipv4 edit_rule lan_dmz outbound
security firewall ipv4 edit_rule lan_wan inbound
security firewall ipv4 edit_rule lan_wan outbound
security firewall ipv4 enable
security firewall ipv6 configure
security firewall ipv6 default_outbound_policy
security firewall ipv6 delete
security firewall ipv6 disable
security firewall ipv6 edit
security firewall ipv6 enable
security firewall session_limit configure
security firewall session_settings configure
security porttriggering_rules add
security porttriggering_rules delete
security porttriggering_rules edit
security schedules edit
security services add
security services delete
security services edit
security upnp configure
show dot11 acl
show dot11 profile
show dot11 profile status
show dot11 radio
show dot11 statistics
show dot11 wps
show net ddns setup
show net dmz ipv4 setup
show net dmz ipv6 setup
show net ethernet
show net ipv6 ipmode setup
show net ipv6_tunnel setup
show net ipv6_tunnel status
show net lan available_lan_hosts list
show net lan dhcp leased_clients list
show net lan dhcp logs
show net lan dhcp reserved_ip setup
show net lan ipv4 advanced setup
show net lan ipv4 detailed setup
show net lan ipv4 multiHoming
show net lan ipv4 setup
show net lan ipv6 multiHoming
show net lan ipv6 setup
show net lan lan_groups
show net radvd dmz setup
show net radvd lan setup
show net routing dynamic setup
show net routing static ipv4 setup
show net routing static ipv6 setup
show net statistics
show net wan mode
show net wan port_setup
show net wan wan1 ipv4 setup
show net wan wan1 ipv4 status
show net wan wan1 ipv6 setup
show net wan wan1 ipv6 status
show net wan_settings wanmode
show security address_filter enable_email_log
show security address_filter ip_or_mac_binding setup
show security address_filter mac_filter setup
show security bandwidth profile setup
show security content_filter blocked_keywords
show security content_filter block_group
show security content_filter content_filtering
show security content_filter trusted_domains
show security firewall advanced algs
show security firewall attack_checks igmp
show security firewall attack_checks jumboframe
show security firewall attack_checks setup ipv4
show security firewall attack_checks setup ipv6
show security firewall attack_checks vpn_passthrough setup
show security firewall ipv4 setup dmz_wan
show security firewall ipv4 setup lan_dmz
show security firewall ipv4 setup lan_wan
show security firewall ipv6 setup
show security firewall session_limit
show security firewall session_settings
show security porttriggering_rules setup
show security porttriggering_rules status
show security schedules setup
show security services setup
show security upnp portmap
show security upnp setup
show sysinfo
show system firmware_version
show system logging remote setup
show system logging setup
show system logs
show system remote_management setup
show system snmp sys
show system snmp trap
show system status
show system time setup
show system traffic_meter setup
show vpn ipsec ikepolicy setup
show vpn ipsec logs
show vpn ipsec mode_config setup
show vpn ipsec vpnpolicy setup
show vpn ipsec vpnpolicy status
show vpn l2tp server connections
show vpn l2tp server setup
show vpn radius
show vpn sslvpn client
show vpn sslvpn logs
show vpn sslvpn policy
show vpn sslvpn portal-layouts
show vpn sslvpn portforwarding appconfig
show vpn sslvpn portforwarding hostconfig
show vpn sslvpn resource
show vpn sslvpn resource-object
show vpn sslvpn route
show vpn sslvpn users active_users
show vpn sslvpn users browser_policies
show vpn sslvpn users domains
show vpn sslvpn users groups
show vpn sslvpn users ip_policies
show vpn sslvpn users login_policies
show vpn sslvpn users users
system logging configure
system logging remote configure
system remote_management https configure
system remote_management telnet configure
system snmp sys configure
system snmp trap configure
system snmp trap delete
system time configure
system traffic_meter configure
U
util backup_configuration
util dns_lookup
util firmware_upgrade
util ping
util ping_through_vpn_tunnel
util reboot
util restore_factory_defaults
util routing_table_ipv4
util routing_table_ipv6
util traceroute
util upload_configuration
V
vpn ipsec ikepolicy configure
vpn ipsec ikepolicy delete
vpn ipsec mode_config configure
vpn ipsec modeConfig delete
vpn ipsec vpnpolicy configure
vpn ipsec vpnpolicy connect
vpn ipsec vpnpolicy delete
vpn ipsec vpnpolicy disable
vpn ipsec vpnpolicy drop
vpn ipsec vpnpolicy enable
vpn ipsec wizard configure
vpn l2tp server configure
vpn radius configure
vpn sslvpn client ipv4
vpn sslvpn client ipv6
vpn sslvpn policy add
vpn sslvpn policy delete
vpn sslvpn policy edit
vpn sslvpn portal-layouts add
vpn sslvpn portal-layouts delete
vpn sslvpn portal-layouts edit
vpn sslvpn portforwarding appconfig add
vpn sslvpn portforwarding appconfig delete
vpn sslvpn portforwarding hostconfig add
vpn sslvpn portforwarding hostconfig delete
vpn sslvpn resource add
vpn sslvpn resource configure add
vpn sslvpn resource delete
vpn sslvpn route add
vpn sslvpn route delete
vpn sslvpn users domains add
vpn sslvpn users domains delete
vpn sslvpn users domains edit
vpn sslvpn users groups add
vpn sslvpn users groups delete
vpn sslvpn users groups edit
vpn sslvpn users users add
vpn sslvpn users users browser_policies
vpn sslvpn users users delete
vpn sslvpn users users edit
vpn sslvpn users users ip_policies configure
vpn sslvpn users users ip_policies delete
vpn sslvpn users users login_policies