H3C S9500 Series Routing Switches SecBlade FW VPN Cards Command Manual(V1.03)

03-Security Command

Table of Contents

Chapter 1 AAA_RADIUS_HWTACACS Configuration Commands
1.1 AAA Configuration Commands
1.1.1 access-limit
1.1.2 accounting
1.1.3 accounting optional
1.1.4 authentication
1.1.5 authentication super hwtacacs-scheme
1.1.6 authorization
1.1.7 display connection
1.1.8 display domain
1.1.9 display local-user
1.1.10 domain
1.1.11 ip pool
1.1.12 level
1.1.13 local-user
1.1.14 local-user password-display-mode
1.1.15 password
1.1.16 scheme
1.1.17 service-type
1.1.18 service-type dvpn
1.1.19 service-type ftp
1.1.20 service-type ppp
1.1.21 state
1.1.22 super authentication-mode
1.2 RADIUS Protocol Configuration Commands
1.2.1 accounting optional
1.2.2 data-flow-format
1.2.3 debugging local-server
1.2.4 debugging radius
1.2.5 display local-server statistics
1.2.6 display radius scheme
1.2.7 display radius statistics
1.2.8 display stop-accounting-buffer
1.2.9 key
1.2.10 local-server
1.2.11 nas-ip
1.2.12 primary accounting
1.2.13 primary authentication
1.2.14 radius scheme
1.2.15 radius nas-ip
1.2.16 radius trap
1.2.17 reset radius statistics
1.2.18 reset stop-accounting-buffer
1.2.19 retry
1.2.20 retry realtime-accounting
1.2.21 retry stop-accounting
1.2.22 secondary accounting
1.2.23 secondary authentication
1.2.24 server-type
1.2.25 state
1.2.26 stop-accounting-buffer enable
1.2.27 timer quiet
1.2.28 timer realtime-accounting
1.2.29 timer response-timeout
1.2.30 user-name-format
1.3 HWTACACS Configuration Commands
1.3.1 data-flow-format
1.3.2 debugging hwtacacs
1.3.3 display hwtacacs scheme
1.3.4 display stop-accounting-buffer
1.3.5 hwtacacs nas-ip
1.3.6 hwtacacs scheme
1.3.7 key
1.3.8 nas-ip
1.3.9 primary accounting
1.3.10 primary authentication
1.3.11 primary authorization
1.3.12 reset hwtacacs statistics
1.3.13 reset stop-accounting-buffer
1.3.14 retry stop-accounting
1.3.15 secondary accounting
1.3.16 secondary authentication
1.3.17 secondary authorization
1.3.18 stop-accounting-buffer enable
1.3.19 timer quiet
1.3.20 timer realtime-accounting
1.3.21 timer response-timeout
1.3.22 user-name-format
Chapter 2 ACL Configuration Commands
2.1 ACL Configuration Commands
2.1.1 acl
2.1.2 description
2.1.3 display acl
2.1.4 reset acl counter
2.1.5 rule
2.1.6 rule comment
2.2 Time Range Configuration Commands
2.2.1 display time-range
2.2.2 time-range
Chapter 3 NAT Configuration Commands
3.1 NAT Configuration Commands
3.1.1 connection-limit default
3.1.2 connection-limit default amount
3.1.3 connection-limit enable
3.1.4 connection-limit policy
3.1.5 debugging connection-limit
3.1.6 debugging nat
3.1.7 display connection-limit policy
3.1.8 display connection-limit statistics
3.1.9 display nat
3.1.10 display nat connection-limit
3.1.11 limit
3.1.12 nat address-group
3.1.13 nat aging-time
3.1.14 nat alg
3.1.15 nat connection-limit-policy
3.1.16 nat dns-map
3.1.17 nat outbound
3.1.18 nat outbound interface
3.1.19 nat outbound static
3.1.20 nat overlapaddress
3.1.21 nat server
3.1.22 nat static
3.1.23 nat static inside
3.1.24 reset nat
Chapter 4 Firewall Configuration Commands
4.1 Packet Filter Configuration Commands
4.1.1 debugging firewall packet-filter
4.1.2 debugging firewall packet-filter fragments-inspect events
4.1.3 display firewall fragment
4.1.4 display firewall packet-filter statistics
4.1.5 firewall packet-filter default
4.1.6 firewall packet-filter enable
4.1.7 firewall packet-filter fragments-inspect
4.1.8 firewall packet-filter fragments-inspect { high | low }
4.1.9 firewall packet-filter
4.1.10 reset firewall packet-filter statistics
4.2 ASPF Configuration Commands
4.2.1 aging-time
4.2.2 aspf-policy
4.2.3 debugging aspf
4.2.4 debugging aspf http
4.2.5 detect
4.2.6 detect http
4.2.7 display aspf all
4.2.8 display aspf interface
4.2.9 display aspf policy
4.2.10 display aspf session
4.2.11 display aspf statistics
4.2.12 display firewall fragment
4.2.13 display firewall session aging-time
4.2.14 display firewall session table
4.2.15 display port-mapping
4.2.16 firewall aspf
4.2.17 firewall session aging-time
4.2.18 firewall session aging-time default
4.2.19 log enable
4.2.20 port-mapping
4.2.21 reset aspf session
4.2.22 reset aspf statistic http
4.2.23 reset firewall session table
4.3 VPN Instance Configuration Commands
4.3.1 firewall session limit
4.3.2 firewall fragment limit
4.3.3 aspf session limit
4.4 Blacklist Configuration Commands
4.4.1 debugging firewall blacklist
4.4.2 display firewall blacklist
4.4.3 firewall blacklist
4.5 MAC and IP Address Binding Configuration Commands
4.5.1 debugging firewall mac-binding
4.5.2 display firewall mac-binding
4.5.3 firewall mac-binding
4.5.4 firewall mac-binding enable
4.5.5 reset firewall mac-binding
4.6 Security Zone Configuration Commands
4.6.1 add interface
4.6.2 display interzone
4.6.3 display zone
4.6.4 set priority
4.6.5 firewall interzone
4.6.6 firewall zone
4.6.7 firewall zone name
Chapter 5 Transparent Firewall Configuration Commands
5.1 Transparent Firewall Configuration Commands
5.1.1 acl number
5.1.2 bridge vlanid-transparent-transmit enable
5.1.3 debugging firewall eff
5.1.4 debugging firewall transparent-mode eth-forwarding
5.1.5 debugging firewall transparent-mode ip-forwarding
5.1.6 display firewall ethernet-frame-filter
5.1.7 display firewall mode
5.1.8 display firewall transparent-mode address-table
5.1.9 display firewall transparent-mode config
5.1.10 display firewall transparent-mode traffic
5.1.11 firewall arp-learning enable
5.1.12 firewall ethernet-frame-filter
5.1.13 firewall mode
5.1.14 firewall system-ip
5.1.15 firewall transparent-mode aging-time
5.1.16 firewall transparent-mode transmit
5.1.17 firewall unknown-mac
5.1.18 firewall unknown-mac broadcast
5.1.19 firewall unknown-mac multicast
5.1.20 firewall unknown-mac unicast
5.1.21 reset firewall ethernet-frame-filter
5.1.22 reset firewall transparent-mode address-table
5.1.23 reset firewall transparent-mode traffic
5.1.24 rule
Chapter 6 Web and E-mail Filtering Configuration Commands
6.1 Web Filtering Configuration Commands
6.1.1 debugging firewall url-filter host
6.1.2 debugging firewall url-filter parameter
6.1.3 debugging firewall webdata-filter
6.1.4 display firewall url-filter host
6.1.5 display firewall url-filter parameter
6.1.6 display firewall url-filter parameter counter detail
6.1.7 display firewall webdata-filter
6.1.8 firewall url-filter host acl-number
6.1.9 firewall url-filter host add
6.1.10 firewall url-filter host clear
6.1.11 firewall url-filter host default
6.1.12 firewall url-filter host delete
6.1.13 firewall url-filter host enable
6.1.14 firewall url-filter host ip-address
6.1.15 firewall url-filter host save-file
6.1.16 firewall url-filter load-file
6.1.17 firewall url-filter parameter add
6.1.18 firewall url-filter parameter add-default
6.1.19 firewall url-filter parameter clear
6.1.20 firewall url-filter parameter delete
6.1.21 firewall url-filter parameter enable
6.1.22 firewall url-filter parameter load-file
6.1.23 firewall url-filter parameter save-file
6.1.24 firewall webdata-filter add
6.1.25 firewall webdata-filter clear
6.1.26 firewall webdata-filter delete
6.1.27 firewall webdata-filter enable
6.1.28 firewall webdata-filter load-file
6.1.29 firewall webdata-filter save-file
6.1.30 reset firewall url-filter host counter
6.1.31 reset firewall url-filter parameter counter
6.1.32 reset firewall webdata-filter counter
6.2 E-mail Filtering Configuration Commands
6.2.1 debugging firewall smtp-filter
6.2.2 display firewall smtp-filter
6.2.3 firewall smtp-filter attach add
6.2.4 firewall smtp-filter attach clear
6.2.5 firewall smtp-filter attach delete
6.2.6 firewall smtp-filter attach enable
6.2.7 firewall smtp-filter attach load-file
6.2.8 firewall smtp-filter attach save-file
6.2.9 firewall smtp-filter content add
6.2.10 firewall smtp-filter content clear
6.2.11 firewall smtp-filter content delete
6.2.12 firewall smtp-filter content enable
6.2.13 firewall smtp-filter content load-file
6.2.14 firewall smtp-filter content save-file
6.2.15 firewall smtp-filter rcptto add
6.2.16 firewall smtp-filter rcptto clear
6.2.17 firewall smtp-filter rcptto default
6.2.18 firewall smtp-filter rcptto delete
6.2.19 firewall smtp-filter rcptto enable
6.2.20 firewall smtp-filter rcptto load-file
6.2.21 firewall smtp-filter rcptto save-file
6.2.22 firewall smtp-filter subject add
6.2.23 firewall smtp-filter subject clear
6.2.24 firewall smtp-filter subject delete
6.2.25 firewall smtp-filter subject enable
6.2.26 firewall smtp-filter subject load-file
6.2.27 firewall smtp-filter subject save-file
6.2.28 reset firewall smtp-filter counter
Chapter 7 Attack Defense Configuration Commands
7.1 Attack Defense Configuration Commands
7.1.1 debugging firewall defend
7.1.2 display firewall defend flag
7.1.3 display firewall tcp-proxy session
7.1.4 firewall defend all
7.1.5 firewall defend arp-flood
7.1.6 firewall defend arp-spoofing
7.1.7 firewall defend fraggle
7.1.8 firewall defend frag-flood
7.1.9 firewall defend icmp-flood
7.1.10 firewall defend icmp-flood enable
7.1.11 firewall defend icmp-redirect
7.1.12 firewall defend icmp-unreachable
7.1.13 firewall defend ip-fragment
7.1.14 firewall defend ip-spoofing
7.1.15 firewall defend ip-sweep
7.1.16 firewall defend land
7.1.17 firewall defend large-icmp
7.1.18 firewall defend ping-of-death
7.1.19 firewall defend port-scan
7.1.20 firewall defend route-record
7.1.21 firewall defend smurf
7.1.22 firewall defend source-route
7.1.23 firewall defend syn-flood
7.1.24 firewall defend syn-flood enable
7.1.25 firewall defend tcp-flag
7.1.26 firewall defend teardrop
7.1.27 firewall defend tracert
7.1.28 firewall defend udp-flood
7.1.29 firewall defend udp-flood enable
7.1.30 firewall defend winnuke
7.1.31 firewall tcp-proxy
Chapter 8 IDS Cooperation Configuration Commands
8.1 IDS Cooperation Configuration Commands
8.1.1 ids-acl enable
8.1.2 display ids
8.1.3 display ids-acl
8.1.4 debugging ids
Chapter 9 Packet Statistics and Log Configuration Commands
9.1 Packet Statistics Configuration Commands
9.1.1 display firewall statistic
9.1.2 display firewall statistic system defend
9.1.3 display firewall statistic system flow-percent
9.1.4 firewall statistic system connect-number
9.1.5 firewall statistic system enable
9.1.6 firewall statistic system flow-percent
9.1.7 firewall statistic warning-level drop
9.1.8 reset firewall statistic ip
9.1.9 reset firewall statistic system
9.1.10 reset firewall statistic zone
9.1.11 statistic connect-number ip
9.1.12 statistic connect-number zone
9.1.13 statistic connect-speed ip
9.1.14 statistic connect-speed zone
9.1.15 statistic enable
9.2 SMTP Client Configuration Commands
9.2.1 debugging smtpc
9.2.2 display smtpc
9.2.3 smtpc administrator mail
9.2.4 smtpc trigger time
9.3 DNSC Configuration Commands
9.3.1 debugging dnsc
9.3.2 display dnsc
9.3.3 dnsc server
9.3.4 dnsc cache
9.4 Log Configuration Commands
9.4.1 firewall session log-type
9.4.2 firewall log-time
9.4.3 reset firewall log-buf
 


Chapter 1  AAA_RADIUS_HWTACACS Configuration Commands

 

Note:

All the commands below are for SecBlade cards, so the views given for the commands in this manual are those of the SecBlade card, not those of the other switches in the series.

 

1.1  AAA Configuration Commands

1.1.1  access-limit

Syntax

access-limit { disable | enable max-user-number }

undo access-limit

View

ISP domain view

Parameters

disable: Specifies not to limit the number of supplicants that the current ISP domain can accommodate.

enable max-user-number: Specifies the maximum number of supplicants that the current ISP domain can accommodate. max-user-number is in the range of 1 to 1048.

Description

Use the access-limit command to specify the maximum number of supplicants that the current ISP domain can accommodate.

Use the undo access-limit command to restore the default.

By default, there is no limit on the number of supplicants in the current ISP domain.

An appropriate limit prevents resource contention and gives users in the current ISP domain reliable performance.

Examples

# Set a limit of 500 supplicants for the ISP domain test163.net.

[SecBlade_FW-isp-test163.net] access-limit enable 500

1.1.2  accounting

Syntax

accounting { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name | none }

undo accounting

View

ISP domain view

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies to use the HWTACACS scheme for accounting.

radius-scheme radius-scheme-name: Specifies to use the RADIUS scheme for accounting.

none: Specifies no accounting scheme.

Description

Use the accounting command to configure an accounting scheme for the current ISP domain.

Use the undo accounting command to remove the configuration.

By default, no accounting scheme is configured.

The RADIUS or HWTACACS scheme which is specified by the accounting command for the current ISP domain must have been configured already.

If you configure the accounting command in domain view, the accounting scheme specified by this command will be adopted. Otherwise, the accounting scheme specified by the scheme command is adopted.

Related commands: scheme, radius scheme, hwtacacs scheme.

Examples

# Configure to use the RADIUS accounting scheme radius in the current ISP domain h3c163.net.

[SecBlade_FW-isp-h3c163.net] accounting radius-scheme radius

# Configure to use the HWTACACS accounting scheme hwtac in the current ISP domain h3c.

[SecBlade_FW-isp-h3c] accounting hwtacacs-scheme hwtac

1.1.3  accounting optional

Syntax

accounting optional

undo accounting optional

View

ISP domain view

Parameters

None

Description

Use the accounting optional command to enable optional accounting.

Use the undo accounting optional command to disable optional accounting.

By default, optional accounting is disabled.

With the accounting optional command, a user that will be disconnected otherwise can use network resources even when there is no available accounting server or the communication with the current accounting server fails. This command is normally used for authentication without accounting.

Examples

# Enable optional accounting for users in the domain test163.net.

[SecBlade_FW] domain test163.net

[SecBlade_FW-isp-test163.net] accounting optional

1.1.4  authentication

Syntax

authentication { hwtacacs-scheme hwtacacs-scheme-name [ local ] | radius-scheme radius-scheme-name [ local ] | local | none }

undo authentication

View

ISP domain view

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies to use the HWTACACS scheme for authentication.

radius-scheme radius-scheme-name: Specifies to use the RADIUS scheme for authentication.

local: Specifies to use the local authentication scheme for authentication.

none: Specifies no authentication scheme.

Description

Use the authentication command to configure an authentication scheme for the current ISP domain.

Use the undo authentication command to restore the default.

By default, the local authentication scheme is adopted.

The RADIUS or HWTACACS scheme which is specified by the authentication command for the current ISP domain must have been configured already.

When the authentication radius-scheme radius-scheme-name local command or the authentication hwtacacs-scheme hwtacacs-scheme-name local command is configured, the local authentication scheme applies as a backup scheme in case the RADIUS or TACACS server is not available. If the RADIUS or TACACS server is available, local authentication is not used.

If the local or none scheme applies as the first scheme, no RADIUS or HWTACACS scheme can be adopted.

If you configure the authentication command in domain view, the authentication scheme specified by this command will be adopted. Otherwise, the authentication scheme specified by the scheme command is adopted.

Related commands: scheme, radius scheme, hwtacacs scheme.

Examples

# Specify to adopt the RADIUS authentication scheme radius in the current ISP domain h3c163.net.

[SecBlade_FW-isp-h3c163.net] authentication radius-scheme radius

# Specify to adopt the RADIUS authentication scheme rd and the local scheme to be the backup scheme in the ISP domain h3c.

[SecBlade_FW-isp-h3c] authentication radius-scheme rd local

# Specify to adopt the HWTACACS authentication scheme hwtac and the local scheme to be the backup scheme in the ISP domain h3c.

[SecBlade_FW-isp-h3c] authentication hwtacacs-scheme hwtac local

1.1.5  authentication super hwtacacs-scheme

Syntax

authentication super hwtacacs-scheme hwtacacs-scheme-name

undo authentication super hwtacacs-scheme

View

ISP domain view

Parameters

hwtacacs-scheme-name: Name of the HWTACACS scheme adopted for authentication.

Description

Use the authentication super hwtacacs-scheme command to configure a super authentication scheme for an ISP domain.

Use the undo authentication super hwtacacs-scheme command to remove the configuration.

By default, no super authentication scheme is configured.

Examples

# Configure the super authentication scheme of the system domain as sup.

[SecBlade_FW] domain system

[SecBlade_FW-isp-system] authentication super hwtacacs-scheme sup

1.1.6  authorization

Syntax

authorization { hwtacacs-scheme hwtacacs-scheme-name | none }

undo authorization

View

ISP domain view

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies to use the HWTACACS scheme for authorization.

none: Specifies no authorization scheme.

Description

Use the authorization command to configure an authorization scheme for the current ISP domain.

Use the undo authorization command to restore the default.

By default, the local authorization scheme is adopted.

The RADIUS or HWTACACS scheme which is specified by the authorization command for the current ISP domain must have been configured already.

If you configure the authorization command in domain view, the authorization scheme specified by this command will be adopted. Otherwise, the authorization scheme specified by the scheme command is adopted.

Related commands: scheme, radius scheme, hwtacacs scheme.

Examples

# Configure to adopt the HWTACACS authorization scheme hwtac in the ISP domain h3c.

[SecBlade_FW-isp-h3c] authorization hwtacacs-scheme hwtac

1.1.7  display connection

Syntax

display connection [ domain isp-name | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | ucibindex ucib-index | user-name user-name ]

View

Any view

Parameters

domain isp-name: Displays all the user connections associated with the ISP domain specified by isp-name, a string of up to 24 characters. The specified ISP domain must be an existing one.

ip ip-address: Displays all the user connections associated with the specified IP address.

mac mac-address: Displays all the user connections associated with the specified hexadecimal MAC address in the format of x-x-x.

radius-scheme radius-scheme-name: Displays all the user connections associated with the RADIUS scheme specified by radius-scheme-name, a string of up to 32 characters.

hwtacacs-scheme hwtacacs-scheme-name: Displays all the user connections associated with the HWTACACS scheme specified by hwtacacs-scheme-name, a string of up to 32 characters.

ucibindex ucib-index: Displays the information of the connection index number specified by ucib-index. ucib-index is in the range of 0 to 7,071.

user-name user-name: Displays the connection information of the specified user name. User name is in the format of pure-username@domain. pure-username is the pure user name composed of up to 55 characters and domain is the domain name consisting of up to 24 characters.

Description

Use the display connection command to view information about the specified user connection or all the connections. The output can help you troubleshoot user connections.

By default, information about all user connections is displayed.

Examples

# Display information about all user connections associated with the domain system.

<SecBlade_FW> display connection domain system

Index=0   ,Username=hfx@system

 IP=188.188.188.3

 

 Total 1 connections matched, 1 listed.

Table 1-1 Description on the fields of the display connection command

Field       Description
Index       Connection index number
Username    User name
IP          IP address of the user

 

1.1.8  display domain

Syntax

display domain [ isp-name ]

View

Any view

Parameters

isp-name: Name of the ISP domain, a string of 1 to 24 characters. The specified ISP domain must be an existing one.

Description

Use the display domain command to view the configuration of the specified ISP domain or display the summary information of all ISP domains.

If the domain name is not specified, the summary information of all ISP domains is displayed.

The output is helpful for troubleshooting ISP domain problems.

Related commands: access-limit, domain, scheme, state, display domain.

Examples

# Display the summary information of all ISP domains.

<SecBlade_FW> display domain

0  Domain = system

   State = Active

   Scheme = LOCAL

   Access-limit = Disable

   Domain User Template:

 

Default Domain Name: system

Total 1 domain(s).1 listed.

Table 1-2 Description on the fields of the display domain command

Field           Description
Domain          Domain name and sequence number
State           State of users in the domain (active or block)
Scheme          Authentication scheme for users in the domain (local, RADIUS or TACACS)
Access-limit    Whether to limit the number of users the domain can accommodate (disable or enable)

 

1.1.9  display local-user

Syntax

display local-user [ domain isp-name | service-type { telnet | ssh | terminal | dvpn | ftp | ppp } | state { active | block } | user-name user-name ]

View

Any view

Parameters

domain isp-name: Displays all the local users in the ISP domain specified by isp-name, a string of up to 24 characters. The specified ISP domain must be an existing one.

service-type: Displays local users by specifying service type, which can be telnet for Telnet users, ssh for SSH users, terminal for terminal users logging in through the Console or AUX port, ftp for FTP users, ppp for PPP users, or dvpn for DVPN users.

state { active | block }: Displays local users by specifying user state, where active represents users allowed to request network services and block represents the opposite.

user-name user-name: Displays a local user by specifying its user-name, a string of 1 to 80 characters. It must exclude forward slashes (/), colons (:), asterisks (*), question marks (?), less-than signs (<), and greater-than signs (>). The @ sign can be present once in a user name. The user name without domain name (the part before @, namely the user ID) cannot exceed 55 characters.

Description

Use the display local-user command to view the relevant information on the specified local user or all the local users. The output can help you troubleshoot faults related to local users.

By default, information on all local users is displayed.

Related commands: local-user.

Examples

# Display the information of all local users.

<SecBlade_FW> display local-user

The contents of local user admin:

 State:          Active            ServiceType Mask: T

 Idle-cut:       Disable

 Access-limit:   Disable           Current AccessNum: 0

 Bind location:  Disable

 Vlan ID:        Disable

 IP address:     Disable

 MAC address:    Disable

 User Privilege: 3

The contents of local user ftpuser:

 State:          Active            ServiceType Mask: F

 Idle-cut:       Disable

 Access-limit:   Disable           Current AccessNum: 0

 Bind location:  Disable

 Vlan ID:        Disable

 IP address:     Disable

 MAC address:    Disable

 FTP Directory:  flash:

Total 2 local user(s) Matched, 2 listed.

ServiceType Mask Meaning: A--PAD  C--Terminal  D--DVPN  F--FTP  P--PPP  S--SSH  T--Telnet

Table 1-3 Description on the fields of the display local-user command

Field               Description
State               User state (active or block)
ServiceType Mask    Abbreviation for service type
Idle-cut            Idle-cut switch
Access-Limit        Limit of user connections
Current AccessNum   Number of access users
Bind location       Whether the user is bound to a port
VLAN ID             VLAN of the user
IP address          IP address of the user
MAC address         MAC address of the user
FTP Directory       Directory authorized to FTP users
User Privilege      User level
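The output of display local-user is what an administrator reviews to find local accounts with more privilege or more service types than they need. The following Python script is an added example, not H3C code: it parses that output into records and lists users holding a given privilege level or service. The SAMPLE text is constructed from the sample output shown in this section, the field names are the ones that output uses, and treating a user whose output has no User Privilege line as level 0 follows the documented default of the level command.

```python
"""Parse the output of the SecBlade `display local-user` command and audit it.

Added example, not H3C code. SAMPLE is constructed from the sample output
shown in this section; the ServiceType Mask letters are the ones the
output itself lists (A--PAD C--Terminal D--DVPN F--FTP P--PPP S--SSH T--Telnet).
"""
import re
from dataclasses import dataclass, field

SAMPLE = """\
The contents of local user admin:
 State:          Active            ServiceType Mask: T
 Idle-cut:       Disable
 Access-limit:   Disable           Current AccessNum: 0
 Bind location:  Disable
 Vlan ID:        Disable
 IP address:     Disable
 MAC address:    Disable
 User Privilege: 3
The contents of local user ftpuser:
 State:          Active            ServiceType Mask: F
 Idle-cut:       Disable
 Access-limit:   Disable           Current AccessNum: 0
 Bind location:  Disable
 Vlan ID:        Disable
 IP address:     Disable
 MAC address:    Disable
 FTP Directory:  flash:
Total 2 local user(s) Matched, 2 listed.
"""

MASK_LETTERS = {"A": "PAD", "C": "Terminal", "D": "DVPN", "F": "FTP",
                "P": "PPP", "S": "SSH", "T": "Telnet"}

HEADER = re.compile(r"^The contents of local user (\S+):$")
# A line may carry two "Key: value" pairs side by side (State and
# ServiceType Mask, Access-limit and Current AccessNum), so scan for
# every "Key: value" occurrence on the line rather than splitting once.
PAIR = re.compile(r"([A-Za-z][A-Za-z -]*?):\s+(\S+)")


@dataclass
class LocalUser:
    name: str
    attrs: dict = field(default_factory=dict)

    @property
    def services(self):
        """Service types decoded from the ServiceType Mask letters."""
        mask = self.attrs.get("ServiceType Mask", "")
        return [MASK_LETTERS.get(c, c) for c in mask]

    @property
    def privilege(self):
        # The output omits "User Privilege" for some users (ftpuser above);
        # the level command documents 0 as the default privilege level.
        return int(self.attrs.get("User Privilege", "0"))


def parse_local_users(text):
    """Return one LocalUser per "The contents of local user X:" block."""
    users = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            users.append(LocalUser(m.group(1)))
            continue
        if not users or line.startswith("Total "):
            continue
        for key, value in PAIR.findall(line):
            users[-1].attrs[key.strip()] = value
    return users


def privileged_users(users, min_level=3):
    """Names of users whose privilege level is at least min_level."""
    return [u.name for u in users if u.privilege >= min_level]


def users_with_service(users, service):
    """Names of users whose ServiceType Mask includes the given service."""
    return [u.name for u in users if service in u.services]


def audit_report(text):
    """Findings an operator would review after `display local-user`."""
    findings = []
    for u in parse_local_users(text):
        if u.privilege >= 3:
            findings.append(f"{u.name}: level-3 user, services {u.services}")
        if u.attrs.get("Access-limit") == "Disable":
            findings.append(f"{u.name}: no per-user access limit configured")
    return findings


if __name__ == "__main__":
    for line in audit_report(SAMPLE):
        print(line)
```

Paste the real output of display local-user in place of SAMPLE to run the same audit on a live card; the parser keys on the "The contents of local user" header and on "Key: value" pairs, so it tolerates the column alignment varying between users.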

 

1.1.10  domain

Syntax

domain [ isp-name | default { disable | enable isp-name } ]

undo domain isp-name

View

System view

Parameters

isp-name: Name of the ISP domain, a string of 1 to 24 characters, excluding forward slashes (/), colons (:), asterisks (*), question marks (?), less-than signs (<), and greater-than signs (>).

default: Configures the default ISP domain. The default ISP domain is system. You can configure a default ISP domain manually.

disable: Disables the configured default ISP domain. It results in refusal of the usernames without domain names. If you configure to send user names without domain names to RADIUS servers, these user names will not be rejected.

enable: Enables the configured default ISP domain. It is to be appended to usernames without domain names before they are sent to the intended RADIUS servers. If you configure to send user names without domain names to RADIUS servers, these user names will not be appended with the default domain name.

Description

Use the domain command to configure an ISP domain or enter the view of an existing ISP domain.

Use the undo domain command to remove the specified ISP domain.

By default, the system uses the domain named system. You cannot delete it, but you are allowed to modify its configuration. In addition, you can view its settings using the display domain command.

An ISP domain is a group of users belonging to the same ISP. Generally, for a username in the userid@isp-name format, userid@test163.net for example, the isp-name ("test163.net" in the example) following the "@" is the ISP domain name. When an AAA server controls user access, for an ISP user whose username is in userid@isp-name format, the system takes the "userid" part as the username for identification and the "isp-name" part as the domain name.

The purpose of introducing ISP domain settings is to support application environments with several ISP domains, where an access device may have supplicants from different ISP domains. Because the attributes of ISP users (username and password structures, service types, and so on) may differ, it is necessary to separate them by ISP domain. In ISP domain view, you can configure a complete set of ISP domain attributes for each ISP domain, including an AAA scheme (the RADIUS scheme applied).

For a SecBlade, each supplicant belongs to an ISP domain. The system supports up to 16 ISP domains.

When this command is used, if the specified ISP domain does not exist, the system will create a new ISP domain. All the ISP domains are in the active state after they are created.

Related commands: access-limit, scheme, state, and display domain.

Examples

# Create a new ISP domain named test163.net and enter its view.

[SecBlade_FW] domain test163.net

New Domain added.

[SecBlade_FW-isp-test163.net]

1.1.11  ip pool

Syntax

ip pool pool-number low-ip-address [ high-ip-address ]

undo ip pool pool-number

View

System view, ISP domain view

Parameters

pool-number: Address pool number, ranging from 0 to 99.

low-ip-address and high-ip-address: The start and end IP addresses of the address pool. The number of in-between addresses cannot exceed 1024. If the end IP address is not specified, there will be only one IP address in the pool, namely the start IP address.

Description

Use the ip pool command to configure a local address pool for assigning IP addresses to PPP users.

Use the undo ip pool command to delete the specified local address pool.

By default, no local IP address pool is configured.

You can configure an IP address pool in system view and use the remote address command in interface view to assign IP addresses from the pool to PPP users.

You can also configure an IP address pool in ISP domain view for assigning IP addresses to PPP users in the current ISP domain. This applies to the case where an interface serves a large number of PPP users but has inadequate address resources for allocation. For example, an Ethernet interface running PPPoE can accommodate 4095 users at most. However, only one address pool with up to 1024 addresses can be configured on its Virtual Template (VT), which is obviously far from what is required. To address the issue, you can configure address pools for ISP domains and assign addresses from them to PPP users.

Related commands: remote address.

Examples

# Configure the local IP address pool 0 in the range of 129.102.0.1 to 129.102.0.10.

[SecBlade_FW] domain test163.net

[SecBlade_FW-isp-test163.net] ip pool 0 129.102.0.1 129.102.0.10

1.1.12  level

Syntax

level level

undo level

View

Local user view

Parameters

level: Privilege level of the specified user, an integer ranging from 0 to 3.

Description

Use the level command to configure a privilege level for a user.

Use the undo level command to restore the default privilege level.

By default, the privilege level of a user is 0.

Related commands: local-user.

 

Note:

- If the configured authentication mode requires a username and password, the command level a user can access after login depends on the user privilege level.

- If none authentication or password authentication is adopted, the command level a user can access after login depends on the user interface level.

- For SSH users authenticated with an RSA public key, the command level they can access is determined by the level of the user interface they log in through.

 

Examples

# Set the privilege level of the test user to 3.

[SecBlade_FW-luser-test] level 3

1.1.13  local-user

Syntax

local-user user-name

undo local-user user-name [ service-type | level ]

undo local-user all [ service-type { ftp | ppp | ssh | telnet | terminal } ]

View

System view

Parameters

user-name: Name of a local user, a string of up to 80 characters, excluding forward slashes (/), colons (:), asterisks (*), question marks (?), less-than signs (<), and greater-than signs (>). The @ sign can be used only once in one username. The username without domain name (the part before @, namely the user ID) cannot exceed 55 characters. user-name is case-insensitive, so UserA and usera are the same.

service-type: Service type.

all: All the users.

ftp: FTP service type.

ppp: PPP service type.

ssh: SSH service type.

telnet: Telnet service type.

terminal: Terminal service type.
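The user-name rules above (length limits, forbidden characters, a single @ sign, and case-insensitive comparison) are easy to get wrong in provisioning scripts. The following validator is an added example, not part of the manual or the SecBlade software; it encodes only the rules stated in the parameter description, and the constants and function names are its own.

```python
# Validator for SecBlade local user names, written from the rules in the
# local-user parameter description (added example, not vendor code).
FORBIDDEN_CHARS = frozenset("/:*?<>")   # characters the manual excludes
MAX_NAME_LEN = 80                        # whole user-name, including @domain
MAX_USER_ID_LEN = 55                     # part before the @ sign (the user ID)


def validate_local_user_name(name):
    """Return (ok, reason); reason explains the first rule violated."""
    if not name:
        return False, "user name is empty"
    if len(name) > MAX_NAME_LEN:
        return False, "user name is %d characters, limit is %d" % (len(name), MAX_NAME_LEN)
    bad = sorted(FORBIDDEN_CHARS.intersection(name))
    if bad:
        return False, "forbidden characters: " + " ".join(bad)
    if name.count("@") > 1:
        return False, "the @ sign may appear only once"
    user_id = name.split("@", 1)[0]
    if len(user_id) > MAX_USER_ID_LEN:
        return False, "user ID part is %d characters, limit is %d" % (len(user_id), MAX_USER_ID_LEN)
    return True, "ok"


def canonical_name(name):
    """The device compares user names case-insensitively (UserA == usera)."""
    return name.lower()


def find_colliding_names(names):
    """Return (first, later) pairs that the device would treat as one user.

    Useful before bulk-loading accounts: two spellings of one name would
    silently refer to the same local user and its single password.
    """
    seen = {}
    collisions = []
    for n in names:
        key = canonical_name(n)
        if key in seen and seen[key] != n:
            collisions.append((seen[key], n))
        seen.setdefault(key, n)
    return collisions


if __name__ == "__main__":
    # constructed sample list
    for candidate in ["test1", "UserA@test163.net", "a@b@c", "bad/name", "x" * 56 + "@d"]:
        print(candidate, validate_local_user_name(candidate))
    print(find_colliding_names(["UserA", "test1", "usera"]))
```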

Description

Use the local-user command to add a local user and enter the local user view.

Use the undo local-user user-name command to remove the specified local user or the related attributes of the specified local user.

Use the undo local-user all command to remove all local users or local users of a specified service type.

By default, no local user is configured.

Related commands: display local-user.

Examples

# Add a local user named test1.

[SecBlade_FW] local-user test1

[SecBlade_FW-luser-test1]

1.1.14  local-user password-display-mode

Syntax

local-user password-display-mode { cipher-force | auto }

undo local-user password-display-mode

View

System view

Parameters

cipher-force: Specifies to display the passwords of all local users in cipher text.

auto: Specifies that a user can use the password command to set a password display mode.

Description

Use the local-user password-display-mode command to configure the password display mode for all the local users.

Use the undo local-user password-display-mode command to restore the default.

If you use the password command to specify simple-text display (the simple mode) before the cipher-force mode applies, the simple mode does not take effect.

By default, auto applies.

Related commands: display local-user and password.

Examples

# Display the passwords of all local users in cipher text.

[SecBlade_FW] local-user password-display-mode cipher-force

1.1.15  password

Syntax

password { simple | cipher } password

undo password

View

Local user view

Parameters

simple: Specifies to display passwords in simple text.

cipher: Specifies to display passwords in cipher text.

password: Defines a password. For the simple keyword, the password is a string of 1 to 16 characters in simple text; for the cipher keyword, the password can be a string of 1 to 16 characters in simple text, 1234567 for example, or a string of 24 characters in cipher text, (TT8F]Y\5SQ=^Q`MAF4<1!! for example.

Description

Use the password command to configure a password for a local user.

Use the undo password command to remove the configuration.

If you use the password command to specify simple-text display (the simple mode) before the local-user password-display-mode cipher-force command applies, the simple mode does not take effect.

Related commands: display local-user.

Examples

# Display the password of the user test1 in simple text, with the password being 20030422.

[SecBlade_FW-luser-test1] password simple 20030422

1.1.16  scheme

Syntax

scheme { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }

undo scheme [ radius-scheme | hwtacacs-scheme | none ]

View

ISP domain view

Parameters

radius-scheme-name: Name of the RADIUS scheme, a string of 1 to 32 characters.

hwtacacs-scheme-name: Name of the HWTACACS scheme, a string of 1 to 32 characters.

local: Specifies to use local AAA scheme.

none: Specifies no AAA scheme.

Description

Use the scheme command to configure an AAA scheme for the current ISP domain.

Use the undo scheme command to restore the default AAA scheme.

The default AAA scheme in the system is local.

The RADIUS or HWTACACS scheme that this command specifies for the current ISP domain must already exist.

When the radius-scheme radius-scheme-name local command or the hwtacacs-scheme hwtacacs-scheme-name local command is configured, the local scheme applies as a backup scheme if the RADIUS or TACACS server is not available. If the RADIUS or TACACS server is available, local authentication is not used.

If the local scheme applies as the first scheme, only the local AAA scheme is adopted, and no RADIUS or HWTACACS scheme can be adopted.

If the none scheme applies as the first scheme, no AAA scheme is adopted, and no RADIUS or HWTACACS scheme can be adopted.

The none authentication mode is not applicable for authenticating FTP users because the CMW-enabled FTP server does not support anonymous login.

If the scheme none command is used, the privilege of a user is level 0 after login.

Related commands: radius scheme and hwtacacs scheme.

Examples

# Specify the current ISP domain, test163.net, to use the RADIUS scheme Test.

[SecBlade_FW-isp-test163.net] scheme radius-scheme Test

# Set the ISP domain to use the RADIUS scheme rd and use local scheme as backup scheme.

[SecBlade_FW-isp-test] scheme radius-scheme rd local

# Set the ISP domain to use the HWTACACS scheme hwtac and use local scheme as backup scheme.

[SecBlade_FW-isp-test] scheme hwtacacs-scheme hwtac local

1.1.17  service-type

Syntax

service-type { telnet | ssh | terminal }* [ level level ]

undo service-type { telnet | ssh | terminal }*

View

Local user view

Parameters

telnet: Authorizes the user to use Telnet service.

ssh: Authorizes the user to use SSH service.

terminal: Authorizes the user to use terminal service (that is, the user logs in through the console or AUX port).

level level: Specifies user privilege level. level is an integer in the range of 0 to 3.

Description

Use the service-type command to configure one or more service types for a user.

Use the undo service-type command to delete one or all service types configured for the user.

By default, no service is available for the user.

Related commands: service-type ppp and service-type ftp.

Examples

# Authorize the user to use Telnet service.

[SecBlade_FW-luser-test1] service-type telnet

1.1.18  service-type dvpn

Syntax

service-type dvpn

undo service-type dvpn

View

Local user view

Parameters

None

Description

Use the service-type dvpn command to authorize a user to use DVPN service.

Use the undo service-type dvpn command to cancel the authorization.

By default, DVPN service is not authorized to the user.

Examples

# Authorize the user to use DVPN service.

[SecBlade_FW-luser-test1] service-type dvpn

1.1.19  service-type ftp

Syntax

service-type ftp [ ftp-directory directory ]

undo service-type ftp [ ftp-directory ]

View

Local user view

Parameters

ftp-directory directory: Specifies a directory accessible for the FTP user.

Description

Use the service-type ftp command to authorize a user to use FTP service and specify a directory accessible for the FTP user.

Use the undo service-type ftp command to cancel the authorization and restore the default directory accessible for the FTP user.

By default, no FTP services are authorized and access in anonymous mode is prohibited for FTP users. If a user is authorized to use FTP service, the user by default can access the root directory flash:/.

Examples

# Authorize the user to use FTP service.

[SecBlade_FW-luser-test1] service-type ftp

1.1.20  service-type ppp

Syntax

service-type ppp

undo service-type ppp

View

Local user view

Parameters

None

Description

Use the service-type ppp command to authorize a user to use PPP service.

Use the undo service-type ppp command to cancel the authorization.

By default, no PPP services are authorized to the user.

Examples

# Authorize the user to use PPP service.

[SecBlade_FW-luser-test1] service-type ppp

1.1.21  state

Syntax

state { active | block }

View

ISP domain view, local user view

Parameters

active: Places the current ISP domain (ISP domain view) or the current local user (local user view) in active state, that is, allows users in the current ISP domain or the current local user to request network services.

block: Places the current ISP domain (ISP domain view) or the current local user (local user view) in block state, that is, prohibits users in the current ISP domain or the current local user from requesting network services.

Description

Use the state command to configure the state of the current ISP domain or the current local user.

By default, an ISP domain (in ISP domain view) and a local user (in local user view) are in active state upon their creation.

Every ISP domain can be active or blocked in ISP domain view. If an ISP domain is configured to be active, users in the ISP domain can request network services; in the block state, users in the ISP domain are prohibited from requesting network services, which does not affect the users currently online. The same applies to local users.

Related commands: domain.

Examples

# Set the state of the current ISP domain test163.net to block. The supplicants in this domain cannot request network services.

[SecBlade_FW-isp-test163.net] state block

# Set the state of the user test1 to block.

[SecBlade_FW-luser-test1] state block

1.1.22  super authentication-mode

Syntax

super authentication-mode { super-password | scheme }*

undo super authentication-mode

View

User interface view

Parameters

super-password: Specifies to use a super password for authentication.

scheme: Specifies to use a user configured scheme for authentication.

Description

Use the super authentication-mode command to configure the super authentication mode.

Use the undo super authentication-mode command to restore the default.

By default, the super-password authentication mode is adopted.

Examples

# Configure the scheme authentication mode for a user who logs in through the console port.

<SecBlade_FW> system-view

[SecBlade_FW] user-interface console 0

[SecBlade_FW-ui-con0] super authentication-mode scheme

1.2  RADIUS Protocol Configuration Commands

1.2.1  accounting optional

Syntax

accounting optional

undo accounting optional

View

RADIUS domain view

Parameters

None

Description

Use the accounting optional command to enable optional accounting.

Use the undo accounting optional command to disable it.

By default, the optional accounting is disabled.

With the accounting optional command, a user that will be disconnected otherwise can use network resources even when there is no available accounting server or the communication with the current accounting server fails. This command is normally used for authentication without accounting.

Examples

# Enable the optional accounting of the RADIUS scheme test.

[SecBlade_FW-radius-test] accounting optional

1.2.2  data-flow-format

Syntax

data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-packet | kilo-packet | mega-packet | one-packet }

undo data-flow-format

View

RADIUS view

Parameters

data: Specifies the unit for data flows, which can be byte, gigabyte, kilobyte, or megabyte.

packet: Specifies the unit for data packets, which can be giga-packet, kilo-packet, mega-packet, or one-packet.

Description

Use the data-flow-format command to configure the unit in which data flows are sent to a RADIUS Server.

Use the undo data-flow-format command to restore the default.

By default, data flows are sent in bytes and data packets are sent in one-packet.

Related commands: display radius.

Examples

# Send data flows and data packets to the RADIUS server Test in kilobytes and kilo-packets.

[SecBlade_FW-radius-test] data-flow-format data kilo-byte packet kilo-packet

1.2.3  debugging local-server

Syntax

debugging local-server { all | error | event | packet }

undo debugging local-server { all | error | event | packet }

View

User view

Parameters

all: All debugging.

error: Error debugging.

event: Event debugging.

packet: Packet debugging.

Description

Use the debugging local-server command to enable debugging for the local RADIUS authentication server.

Use the undo debugging local-server command to disable debugging for the local RADIUS authentication server.

By default, debugging for the local RADIUS authentication server is disabled.

Examples

# Enable debugging for the local RADIUS authentication server.

[SecBlade_FW] debugging local-server all

*0.9045238 SecBlade_FW LS/8/EVENT-MSG:Message  received. MessageType = 1

*0.9045238 SecBlade_FW LS/8/PACKET:Packet Received,Code = 1

*0.9045239 SecBlade_FW LS/8/PACKET:Packet Send auth pkt ,Code = 2

1.2.4  debugging radius

Syntax

debugging radius packet

undo debugging radius packet

View

User view

Parameters

packet: Enables packet debugging.

Description

Use the debugging radius command to enable RADIUS debugging.

Use the undo debugging radius command to disable RADIUS debugging.

By default, RADIUS debugging is disabled.

Examples

# Enable RADIUS debugging.

<SecBlade_FW> debugging radius packet

1.2.5  display local-server statistics

Syntax

display local-server statistics

View

Any view

Parameters

None

Description

Use the display local-server statistics command to display statistics of the local RADIUS authentication server.

Related commands: local-server.

Examples

# Display statistics of the local RADIUS authentication server.

<SecBlade_FW> display local-server statistics

The localserver packet statistics:

Receive:                  82          Send:                     61

Discard:                  21          Receive Packet Error:     0

Auth Receive:             82          Auth Send:                61

Acct Receive:             0           Acct Send:                0

1.2.6  display radius scheme

Syntax

display radius scheme [ radius-scheme-name ]

View

Any view

Parameters

radius-scheme-name: Name of the RADIUS scheme, a string of up to 32 characters. If no scheme is specified, all RADIUS schemes are displayed.

Description

Use the display radius scheme command to view the configuration information or statistics of the specified or all RADIUS schemes.

By default, the configuration information about all RADIUS schemes is displayed.

Related commands: radius scheme.

Examples

# Display the configurations of all RADIUS schemes.

<SecBlade_FW> display radius scheme

------------------------------------------------------------------

SchemeName  = system                   Index=0    Type=extended

Primary Auth IP  =127.0.0.1        Port=1645   State=active

Primary Acct IP  =127.0.0.1        Port=1646   State=active

Second  Auth IP  =0.0.0.0          Port=1812   State=block

Second  Acct IP  =0.0.0.0          Port=1813   State=block

Auth Server Encryption Key= Not configured

Acct Server Encryption Key= Not configured

Accounting method = required

TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12

Permitted send realtime PKT failed counts       =5

Retry sending times of noresponse acct-stop-PKT =500

Quiet-interval(min)                             =5

Username format                                 =without-domain

Data flow unit                                  =Byte

Packet unit                                     =one packet

------------------------------------------------------------------

Total 1 RADIUS scheme(s). 1 listed

Table 1-4 Description on the fields of the display radius scheme command

Field                                            Description
SchemeName                                       Name of the RADIUS scheme
Index                                            Index number of the RADIUS scheme
Type                                             Type of the RADIUS server
Primary Auth IP/ Port/ State                     IP address, port number and state of the primary authentication server
Primary Acct IP/ Port/ State                     IP address, port number and state of the primary accounting server
Second Auth IP/ Port/ State                      IP address, port number and state of the secondary authentication server
Second Acct IP/ Port/ State                      IP address, port number and state of the secondary accounting server
Auth Server Encryption Key                       Shared key of the authentication server
Acct Server Encryption Key                       Shared key of the accounting server
TimeOutValue (seconds)                           Duration of the RADIUS server timeout timer
Permitted send realtime PKT failed counts        Maximum number of realtime accounting request attempts
Retry sending times of noresponse acct-stop-PKT  Maximum number of buffered stop accounting request attempts
Quiet-interval(min)                              Interval for the primary server to resume the active state
Username format                                  Format of username
Data flow unit                                   Unit of data flows
Packet unit                                      Unit of packets
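The fields above are what an auditor reads when checking that a scheme is safe to use: a server whose shared key shows as Not configured, a primary server left at 0.0.0.0, or accounting left optional. The script below is an added example, not part of the manual or of the SecBlade; it parses the display radius scheme output format shown in the example above and reports those conditions. The sample text is constructed: the system scheme copies the manual's output, the second scheme (corp) is invented, and the wording Configured for a set key is an assumption, since the manual only shows the Not configured case.

```python
import re

# Constructed sample in the display radius scheme format (not captured from a device).
SAMPLE_OUTPUT = """\
------------------------------------------------------------------
SchemeName  = system                   Index=0    Type=extended
Primary Auth IP  =127.0.0.1        Port=1645   State=active
Primary Acct IP  =127.0.0.1        Port=1646   State=active
Second  Auth IP  =0.0.0.0          Port=1812   State=block
Second  Acct IP  =0.0.0.0          Port=1813   State=block
Auth Server Encryption Key= Not configured
Acct Server Encryption Key= Not configured
Accounting method = required
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Username format                                 =without-domain
------------------------------------------------------------------
SchemeName  = corp                     Index=1    Type=extended
Primary Auth IP  =10.110.1.1       Port=1812   State=active
Primary Acct IP  =10.110.1.2       Port=1813   State=active
Second  Auth IP  =0.0.0.0          Port=1812   State=block
Second  Acct IP  =0.0.0.0          Port=1813   State=block
Auth Server Encryption Key= Configured
Acct Server Encryption Key= Not configured
Accounting method = optional
------------------------------------------------------------------
Total 2 RADIUS scheme(s). 2 listed
"""

SCHEME_RE = re.compile(r"SchemeName\s*=\s*(\S+)\s+Index=(\d+)\s+Type=(\S+)")
SERVER_RE = re.compile(r"(Primary|Second)\s+(Auth|Acct)\s+IP\s*=\s*(\S+)\s+Port=(\d+)\s+State=(\w+)")
KEY_RE = re.compile(r"(Auth|Acct) Server Encryption Key\s*=\s*(.+?)\s*$")
ACCT_RE = re.compile(r"Accounting method\s*=\s*(\w+)")


def parse_radius_schemes(text):
    """Turn display radius scheme output into a list of scheme dicts."""
    schemes, cur = [], None
    for line in text.splitlines():
        m = SCHEME_RE.search(line)
        if m:
            cur = {"name": m.group(1), "index": int(m.group(2)), "type": m.group(3),
                   "servers": {}, "keys": {}, "accounting": None}
            schemes.append(cur)
            continue
        if cur is None:
            continue
        m = SERVER_RE.search(line)
        if m:
            role = "%s_%s" % (m.group(1).lower(), m.group(2).lower())  # e.g. primary_auth
            cur["servers"][role] = {"ip": m.group(3), "port": int(m.group(4)), "state": m.group(5)}
            continue
        m = KEY_RE.search(line)
        if m:
            cur["keys"][m.group(1).lower()] = m.group(2)
            continue
        m = ACCT_RE.search(line)
        if m:
            cur["accounting"] = m.group(1)
    return schemes


def audit_scheme(scheme):
    """Return human-readable findings for one parsed scheme."""
    findings, name = [], scheme["name"]
    for kind, keyword in (("auth", "authentication"), ("acct", "accounting")):
        if scheme["keys"].get(kind, "Not configured") == "Not configured":
            findings.append("%s: %s shared key not configured (set it with 'key %s')" % (name, kind, keyword))
    for role, srv in scheme["servers"].items():
        if role.startswith("primary") and srv["ip"] == "0.0.0.0":
            findings.append("%s: %s server address is 0.0.0.0 (no server configured)" % (name, role))
    if scheme["accounting"] == "optional":
        findings.append("%s: accounting is optional, users stay online when no accounting server answers" % name)
    return findings


def audit_output(text):
    return [f for s in parse_radius_schemes(text) for f in audit_scheme(s)]


if __name__ == "__main__":
    for finding in audit_output(SAMPLE_OUTPUT):
        print(finding)
```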

 

1.2.7  display radius statistics

Syntax

display radius statistics

View

Any view

Parameters

None

Description

Use the display radius statistics command to view the statistics of RADIUS packets. The output can help you troubleshoot RADIUS faults.

Related commands: radius scheme.

Examples

# Display the statistics of RADIUS packets.

<SecBlade_FW> display radius statistics

state statistic(total=1048):

     DEAD=1047     AuthProc=0        AuthSucc=0

AcctStart=0         RLTSend=0         RLTWait=1

 AcctStop=0          OnLine=1            Stop=0

 StateErr=0

 

Received and Sent packets statistic:

Sent PKT total  :38       Received PKT total:2

Resend Times     Resend total

1                12

2                12

Total            24

RADIUS received packets statistic:

Code= 2,Num=1       ,Err=0

Code= 3,Num=0       ,Err=0

Code= 5,Num=1       ,Err=0

Code=11,Num=0       ,Err=0

 

Running statistic:

RADIUS received messages statistic:

Normal auth request             , Num=13      , Err=0       , Succ=13

EAP auth request                , Num=0       , Err=0       , Succ=0

Account request                 , Num=1       , Err=0       , Succ=1

Account off request             , Num=0       , Err=0       , Succ=0

PKT auth timeout                , Num=36      , Err=12      , Succ=24

PKT acct_timeout                , Num=0       , Err=0       , Succ=0

Realtime Account timer          , Num=0       , Err=0       , Succ=0

PKT response                    , Num=2       , Err=0       , Succ=2

EAP reauth_request              , Num=0       , Err=0       , Succ=0

PORTAL access                   , Num=0       , Err=0       , Succ=0

Update ack                      , Num=0       , Err=0       , Succ=0

PORTAL access ack               , Num=0       , Err=0       , Succ=0

Session ctrl pkt                , Num=0       , Err=0       , Succ=0

RADIUS sent messages statistic:

Auth accept                     , Num=0

Auth reject                     , Num=0

EAP auth replying               , Num=0

Account success                 , Num=0

Account failure                 , Num=0

Cut req                         , Num=0

RecError_MSG_sum:0        SndMSG_Fail_sum :0

Timer_Err       :0        Alloc_Mem_Err   :0

State Mismatch  :0        Other_Error     :0

 

No-response-acct-stop packet =0

Discarded No-response-acct-stop packet for buffer overflow =0

Table 1-5 Description on the fields of the display radius statistics command

Field:
state statistic(total=1048)
DEAD=1047  AuthProc=0    AuthSucc=0
AcctStart=0  RLTSend=0      RLTWait=1
AcctStop=0  OnLine=1       Stop=0
StateErr=0
Description:
State statistics

Field:
Received and Sent packets statistic:
Sent PKT total  :38       Received PKT total:2
Resend Times     Resend total
1                12
2                12
Total           24
Description:
Statistics of received & sent packets:
Total outbound packets: 38     Total inbound packets: 2
Retransmission times:       Total packets retransmitted:
1               12
2               12
Total          24

Field:
RADIUS received packets statistic:
Code= 2,Num=1       ,Err=0
Code= 3,Num=0       ,Err=0
Code= 5,Num=1       ,Err=0
Code=11,Num=0      ,Err=0
Description:
Statistics on RADIUS-received packets:
Code = 2, Num = 1, Err = 0: one authentication response received, no error packet
Code = 3, Num = 0, Err = 0: one rejected packet received, no error packet
Code = 5, Num = 1, Err = 0: one accounting response received, no error packet
Code = 11, Num = 0, Err = 0: one Access-Challenge (for EAP authentication) packet received, no error packet

Field:
Running statistic:
RADIUS received messages statistic:
Normal auth request             , Num=13      , Err=0       , Succ=13
EAP auth request                , Num=0       , Err=0       , Succ=0
Account request                 , Num=1       , Err=0       , Succ=1
Account off request             , Num=0       , Err=0       , Succ=0
PKT auth timeout                , Num=36      , Err=12      , Succ=24
PKT acct_timeout                , Num=0       , Err=0       , Succ=0
Realtime Account timer          , Num=0       , Err=0       , Succ=0
PKT response                    , Num=2       , Err=0       , Succ=2
EAP reauth_request              , Num=0       , Err=0       , Succ=0
PORTAL access                   , Num=0       , Err=0       , Succ=0
Update ack                      , Num=0       , Err=0       , Succ=0
PORTAL access ack               , Num=0       , Err=0       , Succ=0
Session ctrl pkt                , Num=0       , Err=0       , Succ=0
Description:
Statistics on RADIUS-received messages:
Normal authentication request: Count = 13, Error = 0, Success = 0
EAP authentication request: Count = 0, Error = 0, Success = 0
Accounting request: Count = 0, Error = 0, Success = 0
Accounting stop request: Count = 0, Error = 0, Success = 0
Authentication timeout: Count = 36, Error = 0, Success = 0
Accounting timeout: Count = 0, Error = 0, Success = 0
Number of real-time accounting attempts: Count = 0, Error = 0, Success = 0
Response: Count = 2, Error = 0, Success = 2
EAP re-authentication request: Count = 0, Error = 0, Success = 0
PORTAL access authentication request: Count = 13, Error = 0, Success = 0
Upgrade packet: Count = 0, Error = 0, Success = 0
Session control packet
Authentication request: Count = 0, Error = 0, Success = 0

Field:
RADIUS sent messages statistic:
Auth accept                     , Num=0
Auth reject                     , Num=0
EAP auth replying               , Num=0
Account success                 , Num=0
Account failure                 , Num=0
Cut req                         , Num=0
Description:
Statistics on RADIUS-sent messages:
Authentication succeeds, Count = 0
Authentication rejected, Count = 0
Accounting succeeds, Count = 0
Accounting fails, Count = 0
EAP authentication response, Count = 0
Accounting succeeds, Count = 0
Accounting fails, Count = 0
Deletion request, Count = 0

Field:
RecError_MSG_sum:0        SndMSG_Fail_sum :0
Timer_Err       :0        Alloc_Mem_Err   :0
State Mismatch  :0        Other_Error     :0
Description:
Number of error packets received: 0
Number of failed Send attempts: 0
Time error: 0  Memory allocation error: 0
State mismatch error: 0  Other error: 0

Field:
No-response-acct-stop packet =0
Discarded No-response-acct-stop packet for buffer overflow =0
Description:
The number of unresponded accounting-stop packets is 1.
The number of unresponded accounting-stop packets discarded due to buffer overflow is 0.

 

1.2.8  display stop-accounting-buffer

Syntax

display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

Any view

Parameters

radius-scheme radius-scheme-name: Displays information on the buffered stop accounting request packets associated with the RADIUS scheme specified by radius-scheme-name. radius-scheme-name is a string of 1 to 32 characters excluding forward slashes (/), colons (:), asterisks (*), question marks (?), less-than signs (<), and greater-than signs (>).

session-id session-id: Displays information on the buffered stop accounting request packets associated with the session ID specified by session-id. session-id is a string of 1 to 50 characters.

time-range start-time stop-time: Displays the buffered stop accounting request packets by the time range. It is specified by start-time and stop-time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd, that is, hours:minutes:seconds-months/days/years or hours:minutes:seconds-years/months/days.

user-name user-name: Displays information on the buffered stop accounting request packets by user name.

Description

Use the display stop-accounting-buffer command to view information on stop accounting requests buffered on the SecBlade by RADIUS scheme, session ID, time range, or user name. The displayed packet information can help you troubleshoot RADIUS faults.

When the SecBlade sends a stop accounting request to a RADIUS server but receives no response, it buffers and transmits the packet repeatedly until it receives a response from the RADIUS server. The request attempts can be set using the retry stop-accounting command.

Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, and retry stop-accounting.

Examples

# Display information on the buffered stop accounting requests between 0:0:0 and 23:59:59 on August 31, 2002.

<SecBlade_FW> display stop-accounting-buffer time-range 0:0:0-08/31/2002 23:59:59-08/31/2002

Total find    0 record

1.2.9  key

Syntax

key { accounting | authentication } string

undo key { accounting | authentication }

View

RADIUS view

Parameters

accounting: Sets/deletes the shared key for encrypting RADIUS accounting packets.

authentication: Sets/deletes the shared key for encrypting RADIUS authentication/authorization packets.

string: Shared key, a string of 1 to 16 characters.

Description

Use the key command to configure a shared key for encrypting RADIUS authentication, authorization or accounting packets.

Use the undo key command to restore the default shared key.

The RADIUS client (that is, the SecBlade) and the RADIUS server use the MD5 algorithm to encrypt the exchanged packets. The two ends verify packets using a shared key. Only when the same key is used can both ends accept the packets from each other and give responses. So, make sure that the same key is set on the SecBlade and the RADIUS server. If the authentication/authorization and accounting are performed on two server devices with different shared keys, you must set one shared key for each.

By default, the key for authentication/authorization packets and accounting packets is none.

Related commands: primary accounting, primary authentication, and radius scheme.

Examples

# In the RADIUS scheme test, set the shared key used for encrypting authentication/authorization packets to hello.

[SecBlade_FW-radius-test] key authentication hello

# In the RADIUS scheme test, set the shared key for encrypting accounting packets to ok.

[SecBlade_FW-radius-test] key accounting ok
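The description above says both ends must hold the same key for packets to be accepted. The following added example shows the mechanism behind that statement as RFC 2865 defines it; it is not the manual's or the SecBlade's code. What the manual calls encryption is, in RFC 2865 terms, two uses of MD5 with the shared key: hiding the User-Password attribute in an Access-Request, and computing the Response Authenticator that the client checks before trusting an Access-Accept. The rest of the packet travels in clear over UDP, so the key is what stops a forged Access-Accept from being accepted. The Request Authenticator and the key hello below are constructed test values, the latter taken from the manual's own key authentication example.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def _attribute(attr_type, value):
    # RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block of the zero-padded password
    with MD5(secret + previous block); the first block uses the Request Authenticator."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password, as the server performs it with its copy of the key."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, request_authenticator, secret, username, password):
    attrs = _attribute(USER_NAME, username) + _attribute(
        USER_PASSWORD, hide_password(password, secret, request_authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_authenticator, secret):
    """Client side: recompute the Response Authenticator with the local key.
    Returns False when the key differs, the packet was altered, or it is malformed."""
    if len(response) < 20:
        return False
    length = struct.unpack("!BBH", response[:4])[2]
    if length != len(response):
        return False
    header, got, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(got, expected)


def demo():
    """Round trip with the manual's key; returns (accepted_same_key, accepted_wrong_key, password_seen_by_server)."""
    request_authenticator = bytes(range(16))  # constructed; a real client draws 16 random bytes
    secret = b"hello"                          # from the 'key authentication hello' example
    req = build_access_request(7, request_authenticator, secret, b"test1", b"20030422")
    hidden = req[20 + 2 + len(b"test1") + 2:]  # skip header, authenticator, User-Name, attr header
    seen = reveal_password(hidden, secret, request_authenticator)
    resp = build_response(ACCESS_ACCEPT, 7, request_authenticator, secret)
    return (verify_response(resp, request_authenticator, secret),
            verify_response(resp, request_authenticator, b"ok"),
            seen)


if __name__ == "__main__":
    print(demo())
```

The wrong-key case in demo is the failure mode the manual warns about: an Access-Accept computed with a different key fails verification on the client, so the user is not let in even though the server said yes.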

1.2.10  local-server

Syntax

local-server nas-ip ip-address key password

undo local-server nas-ip ip-address

View

System view

Parameters

nas-ip ip-address: Specifies the NAS-IP address of the local server, in dotted decimal format.

key password: Specifies a shared key for the local server. password is a string of 1 to 16 characters.

Description

Use the local-server command to configure a local RADIUS authentication server.

Use the undo local-server command to delete the configured local RADIUS authentication server.

By default, the system creates a local RADIUS authentication server with the NAS-IP address being 127.0.0.1 and the shared key being none.

Note the following:

- The device not only can serve as the RADIUS client to perform authentication management on users through the authentication/authorization server and the accounting server, but also can function as a simple RADIUS server (including authentication and authorization).

- If the local RADIUS authentication server function is adopted, the UDP port used for authentication/authorization must be 1645, and the UDP port used for accounting must be 1646.

- The key configured by this command must be consistent with the key used for authentication/authorization which is configured by the key authentication command in RADIUS scheme view.

- The device supports up to 16 network access servers, including the local RADIUS authentication server created by the system.

Related commands: radius scheme, state.

Examples

# Set the IP address to 10.110.1.2 and the login password to aabbcc for the local RADIUS authentication server.

[SecBlade_FW] local-server nas-ip 10.110.1.2 key aabbcc

1.2.11  nas-ip

Syntax

nas-ip ip-address

undo nas-ip

View

RADIUS view

Parameters

ip-address: IP address in dotted decimal format.

Description

Use the nas-ip command to set a source IP address for the NAS (the SecBlade) to use as the source IP address of the packets to be sent to the RADIUS server.

Use the undo nas-ip command to remove the configuration.

By specifying the source IP address of RADIUS packets, you can avoid the situation where the packets sent back by the RADIUS server cannot be received as the result of a physical interface failure. The loopback interface address is usually recommended.

By default, the source IP address of packets is the IP address of the interface where the packets are sent.

Related commands: display radius.

Examples

# Set the source IP address for the NAS (the SecBlade) to send RADIUS packets to 10.1.1.1.

[SecBlade_FW] radius scheme test1

[SecBlade_FW-radius-test1] nas-ip 10.1.1.1

1.2.12  primary accounting

Syntax

primary accounting ip-address [ port-number ]

undo primary accounting

View

RADIUS view

Parameters

ip-address: IP address in dotted decimal format. By default, in system scheme, the IP address of the primary accounting server is 127.0.0.1; in the newly created RADIUS scheme, the IP address of the primary accounting server is 0.0.0.0.

port-number: UDP port number, in the range of 1 to 65535. By default, in system scheme, the UDP port number of the primary accounting server is 1646; in the newly created RADIUS scheme, the UDP port number of the primary accounting server is 1813.

Description

Use the primary accounting command to configure IP address and port number for the primary RADIUS accounting server.

Use the undo primary accounting command to restore the default.

After creating a RADIUS scheme, you need to configure IP address and UDP port for each RADIUS server (including primary/secondary authentication/authorization or accounting server). The configuration of RADIUS servers is at your discretion except that there must be at least one authentication/authorization server and one accounting server. Besides, ensure that the RADIUS service port settings on the SecBlade are consistent with the port settings on the RADIUS servers.

After accounting is completed successfully, both update accounting and stop accounting packets will be sent to the server used when accounting. No primary-secondary switching will occur even if this server is not available. The switching occurs only in the initial authentication, authorization and accounting process.

Related commands: key, radius scheme, and state.

Examples

# Set the IP address of the primary accounting server in the RADIUS scheme test to 10.110.1.2 and use the UDP port 1813 to provide the RADIUS accounting service.

[SecBlade_FW-radius-test] primary accounting 10.110.1.2 1813

1.2.13  primary authentication

Syntax

primary authentication ip-address [ port-number ]

undo primary authentication

View

RADIUS view

Parameters

ip-address: IP address in dotted decimal format. By default, in system scheme, the IP address of the primary authentication/authorization server is 127.0.0.1; in the newly created RADIUS scheme, the IP address of the primary authentication/authorization server is 0.0.0.0.

port-number: UDP port number of the primary authentication/authorization server, in the range of 1 to 65535. By default, in system scheme, the UDP port of the primary authentication/authorization server is 1645; in the newly created RADIUS scheme, the UDP port of the primary authentication/authorization server is 1812.

Description

Use the primary authentication command to configure IP address and port number for the primary RADIUS authentication/authorization server.

Use the undo primary authentication command to restore the default.

After creating a RADIUS scheme, you need to configure IP address and UDP port for each RADIUS server (including primary/secondary authentication/authorization or accounting server). The configuration of RADIUS servers is at your discretion except that there must be at least one authentication/authorization server and one accounting server. Besides, ensure that the RADIUS service port settings on the SecBlade are consistent with the port settings on the RADIUS servers.

Related commands: key, radius scheme, and state.

Examples

# Set the IP address of the primary authentication/authorization server in the RADIUS scheme test to 10.110.1.1 and use the UDP port 1812 to provide the RADIUS authentication/authorization service.

[SecBlade_FW-radius-test] primary authentication 10.110.1.1 1812

1.2.14  radius scheme

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

View

System view

Parameters

radius-scheme-name: RADIUS scheme name, a string of 1 to 32 characters.

Description

Use the radius scheme command to configure a RADIUS scheme and enter its view.

Use the undo radius scheme command to delete the specified RADIUS scheme.

By default, the RADIUS scheme named system exists in the system, with all attributes being the defaults that are not configurable. You can use the display radius command to view the settings of the system scheme.

RADIUS protocol is configured on a per-scheme basis. Each RADIUS scheme must at least define IP addresses and UDP port numbers of RADIUS authentication/authorization/accounting servers and the parameters necessary for the RADIUS client (the SecBlade) to interact with these servers. You must first create a RADIUS scheme and enter its view to configure RADIUS protocol.

A RADIUS scheme can be referenced by several ISP domains at the same time.

The undo radius scheme command can be used to delete any RADIUS scheme except for the default one. Note that a RADIUS scheme currently being used by any online users cannot be removed.

Related commands: key, retry realtime-accounting, scheme, timer realtime-accounting, stop-accounting-buffer enable, retry stop-accounting, server-type, state, user-name-format, retry, display radius and display radius statistics.

Examples

# Create a RADIUS scheme named test and enter its view.

[SecBlade_FW] radius scheme test

[SecBlade_FW-radius-test]

1.2.15  radius nas-ip

Syntax

radius nas-ip ip-address

undo radius nas-ip

View

System view

Parameters

ip-address: A source IP address, which must be the address of this device. It cannot be the address of all zeros, or class D address, or network address, or an address starting with 127.

Description

Use the radius nas-ip command to specify a source address for the NAS to use as the source IP address of the packets to be sent to the RADIUS server.

Use the undo radius nas-ip command to restore the default.

By specifying the source IP address of RADIUS packets, you can avoid the situation where the packets sent back by the RADIUS server cannot be received as the result of a physical interface failure. The loopback interface address is usually recommended.

By default, the source IP address of packets is the IP address of the interface where the packets are sent.

This command specifies only one source address; therefore, the newly configured source address will overwrite the original one.

Examples

# Set the IP address for the SecBlade to use as the source IP address of RADIUS packets to 129.10.10.1.

[SecBlade_FW] radius nas-ip 129.10.10.1

1.2.16  radius trap

Syntax

radius trap { authentication-server-down | accounting-server-down }

undo radius trap { authentication-server-down | accounting-server-down }

View

System view

Parameters

authentication-server-down: Specifies to send a trap packet when the RADIUS authentication server goes down.

accounting-server-down: Specifies to send a trap packet when the RADIUS accounting server goes down.

Description

Use the radius trap command to configure to send a trap packet when the RADIUS server goes down.

Use the undo radius trap command to configure not to send a trap packet when the RADIUS server goes down.

By default, no trap packet is sent when the RADIUS server goes down.

Examples

# Configure to send a trap packet when the RADIUS server goes down.

[SecBlade_FW] radius trap authentication-server-down

1.2.17  reset radius statistics

Syntax

reset radius statistics

View

User view

Parameters

None

Description

Use the reset radius statistics command to clear the statistics of the RADIUS protocol.

Related commands: display radius.

Examples

# Clear the RADIUS protocol statistics.

<SecBlade_FW> reset radius statistics

1.2.18  reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

User view

Parameters

radius-scheme radius-scheme-name: Clears the buffered stop accounting request packets associated with the RADIUS scheme specified by radius-scheme-name. radius-scheme-name is a string of 1 to 32 characters.

session-id session-id: Clears the buffered stop accounting requests associated with the session ID specified by session-id, a string of up to 50 characters.

time-range start-time stop-time: Clears the buffered stop accounting requests by the time range. The time range is specified by start-time and stop-time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd, that is, hours:minutes:seconds-months/days/years or hours:minutes:seconds-years/months/days.

user-name user-name: Clears the buffered stop accounting requests by user name.

Description

Use the reset stop-accounting-buffer command to clear the buffered stop accounting requests that are not responded.

When the SecBlade sends a stop accounting packet to a RADIUS server but receives no response, it buffers and transmits the packet repeatedly until it receives a response from the RADIUS server. The request attempts can be set using the retry stop-accounting command.

You can clear the buffered stop accounting requests by RADIUS scheme, session ID, username, or time range.

Related commands: stop-accounting-buffer enable, retry stop-accounting, and display stop-accounting-buffer.

Examples

# Clear the buffered stop accounting requests associated with the user [email protected].

<SecBlade_FW> reset stop-accounting-buffer user-name [email protected]

# Clear the buffered stop accounting requests in the time range 0:0:0 to 23:59:59 on August 31, 2002.

<SecBlade_FW> reset stop-accounting-buffer time-range 0:0:0-08/31/2002 23:59:59-08/31/2002

1.2.19  retry

Syntax

retry retry-times

undo retry

View

RADIUS view

Parameters

retry-times: Maximum number of request attempts, in the range of 1 to 20. By default, it is 3.

Description

Use the retry command to configure the maximum number of RADIUS request attempts.

Use the undo retry command to restore the default.

The RADIUS protocol carries data in UDP packets, so its communication is unreliable. If the NAS receives no response from the current RADIUS server when the response timeout timer expires, it has to retransmit the RADIUS request. Assume that retry-times is N. If the NAS has received no response from the active RADIUS server after (N-[N/2]) attempts, it considers the current RADIUS server disconnected and turns to another RADIUS server.

Appropriately setting the retry-times parameter as required can speed up system response.

Related commands: radius scheme.

Examples

# Set the maximum number of RADIUS request attempts to 5 in the RADIUS scheme Test.

[SecBlade_FW-radius-test] retry 5

1.2.20  retry realtime-accounting

Syntax

retry realtime-accounting retry-times

undo retry realtime-accounting

View

RADIUS view

Parameters

retry-times: Maximum number of real time accounting request attempts, in the range of 1 to 255.

Description

Use the retry realtime-accounting command to configure the maximum number of real time accounting request attempts.

Use the undo retry realtime-accounting command to restore the default.

A RADIUS server usually checks whether a user is online using a timeout timer. If the RADIUS server has not received real time accounting packets from the NAS for a long period of time, it considers that there is a line or device failure and stops accounting for the user. Accordingly, it is necessary to disconnect the user on the NAS and on the RADIUS server synchronously when an unexpected failure occurs. The SecBlade supports setting the maximum number of real time accounting request attempts. The NAS disconnects the user if it has not received a real time accounting response from the RADIUS server when the predefined retry-times is reached.

Suppose the response timeout timer of the RADIUS server is T and the real-time accounting interval of the NAS is t. Set T to 3 seconds, t to 12 minutes, and the maximum number of real time accounting request attempts of the NAS to 5. With these values configured, the NAS generates an accounting request every 12 minutes. If no response is received within 3 seconds, the NAS retransmits the accounting request. This continues until the maximum number of attempts is reached. Normally, retry-times multiplied by T should be less than t.

By default, the maximum number of real time accounting request attempts is 5.

Related commands: radius scheme and timer realtime-accounting.

Examples

# Set the maximum number of real time accounting request attempts to 10 in the RADIUS scheme Test.

[SecBlade_FW-radius-test] retry realtime-accounting 10

1.2.21  retry stop-accounting

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

RADIUS view

Parameters

retry-times: Maximum number of the buffered stop accounting request attempts, in the range of 10 to 65,535.

Description

Use the retry stop-accounting command to configure the maximum number of stop accounting request attempts.

Use the undo retry stop-accounting command to restore the default.

Because a stop accounting packet affects billing and ultimately charging, it matters to both users and ISPs. Therefore, the NAS should make its best effort to deliver the stop accounting packet to the RADIUS accounting server. If the SecBlade receives no response from the RADIUS accounting server, it buffers the packet locally and retransmits it until the RADIUS accounting server responds, or discards the packet when the predefined retry-times is reached.

By default, the maximum number of stop accounting request attempts is 500.

Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

Examples

# Set the maximum number of stop accounting request attempts to 1000 in the RADIUS scheme Test.

[SecBlade_FW-radius-test] retry stop-accounting 1000

1.2.22  secondary accounting

Syntax

secondary accounting ip-address [ port-number ]

undo secondary accounting

View

RADIUS view

Parameters

ip-address: IP address, in dotted decimal format. By default, the IP address of the secondary accounting server is 0.0.0.0.

port-number: UDP port number, in the range of 1 to 65,535. By default, the secondary accounting server uses the UDP port number 1813.

Description

Use the secondary accounting command to configure IP address and port number for the secondary RADIUS accounting server.

Use the undo secondary accounting command to restore the defaults.

For detailed information, refer to the description of the primary accounting command.

Related commands: key, radius scheme, and state.

Examples

# Set the IP address of the secondary accounting server in the RADIUS scheme test to 10.110.1.1 and use the UDP port 1813 to provide the RADIUS accounting service.

[SecBlade_FW-radius-test] secondary accounting 10.110.1.1 1813

1.2.23  secondary authentication

Syntax

secondary authentication ip-address [ port-number ]

undo secondary authentication

View

RADIUS view

Parameters

ip-address: IP address in dotted decimal format.

port-number: UDP port number, in the range of 1 to 65,535. By default, the secondary authentication server uses the UDP port 1812.

Description

Use the secondary authentication command to configure IP address and port number for the secondary RADIUS authentication/authorization server.

Use the undo secondary authentication command to restore the default.

For detailed information, refer to the description of the primary authentication command.

By default, the IP address of the secondary authentication/authorization server is 0.0.0.0.

Related commands: key, radius scheme, and state.

Examples

# Set the IP address of the secondary authentication/authorization server in the RADIUS scheme test to 10.110.1.2 and use the UDP port 1812 to provide the RADIUS authentication/authorization service.

[SecBlade_FW-radius-test] secondary authentication 10.110.1.2 1812

1.2.24  server-type

Syntax

server-type { extended | standard }

undo server-type

View

RADIUS view

Parameters

extended: Specifies to use the H3C RADIUS server (generally CAMS), which requires the RADIUS client (the SecBlade) and the RADIUS server to interact according to the regulation and packet format provisioned by the private RADIUS protocol of H3C Technologies.

standard: Specifies to use the standard RADIUS server, which requires the RADIUS client (the SecBlade) and the RADIUS server to interact according to the regulation and packet format of standard RADIUS protocol (RFC 2138/2139 or newer).

Description

Use the server-type command to configure the RADIUS server type supported by the SecBlade.

Use the undo server-type command to restore the default.

By default, in system scheme, the RADIUS server type is extended; in the newly created RADIUS scheme, the RADIUS server type is standard.

Related commands: radius scheme.

Examples

# Set the RADIUS server type of the RADIUS scheme test to extended.

[SecBlade_FW-radius-test] server-type extended

1.2.25  state

Syntax

state { primary | secondary } { accounting | authentication } { block | active }

View

RADIUS view

Parameters

primary: Sets the state for the primary RADIUS authentication/authorization or accounting server.

secondary: Sets the state for the secondary RADIUS authentication/authorization or accounting server.

accounting: Sets the state for the primary or secondary RADIUS accounting server.

authentication: Sets the state for the primary or secondary RADIUS authentication/authorization server.

block: Sets the state to block.

active: Sets the state to active, namely the normal operation state.

Description

Use the state command to configure the state of a RADIUS server.

By default, in system scheme, the primary authentication/authorization and accounting servers are in active state, and the secondary authentication/authorization and accounting servers are in block state; in the newly created RADIUS scheme, all RADIUS servers are in block state.

When the primary server (accounting or authentication/authorization) in a RADIUS scheme becomes unavailable, the NAS automatically turns to the secondary server. After the primary one recovers, however, the NAS does not resume the communication with it at once. Instead, the NAS continues the communication with the secondary one and turns to the primary one again only after the secondary one fails. To have the NAS communicate with the primary server right after its recovery, you can manually set the state of the primary server to active.

When both the primary and secondary servers are active or block, the NAS only sends packets to the primary server.

Related commands: radius scheme, primary authentication, secondary authentication, primary accounting, secondary accounting.

Examples

# Set the state of the secondary authentication server in the RADIUS scheme test to active.

[SecBlade_FW-radius-test] state secondary authentication active

1.2.26  stop-accounting-buffer enable

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

View

RADIUS view

Parameters

None

Description

Use the stop-accounting-buffer enable command to enable the SecBlade to buffer the stop accounting requests that are not responded.

Use the undo stop-accounting-buffer enable command to disable the function.

By default, the SecBlade is enabled to buffer the stop accounting requests that are not responded.

Because a stop accounting packet affects billing and ultimately charging, it matters to both users and ISPs. Therefore, the NAS should make its best effort to deliver the stop accounting packet to the RADIUS accounting server. If the SecBlade receives no response from the RADIUS accounting server, it buffers the packet locally and sends it repeatedly until the RADIUS accounting server responds, or discards the packet when the predefined retry-times is reached.

Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

Examples

# In the RADIUS scheme Test, enable the SecBlade to buffer the stop accounting requests that are not responded.

[SecBlade_FW-radius-test] stop-accounting-buffer enable

1.2.27  timer quiet

Syntax

timer quiet minutes

undo timer quiet

View

RADIUS view

Parameters

minutes: Duration, in the range of 1 to 255.

Description

Use the timer quiet command to set the duration that the primary server must wait before it resumes the active state.

Use the undo timer quiet command to restore the default (five minutes).

By default, the primary server must wait five minutes before it resumes the active state.

Related commands: display radius.

Examples

# Set the quiet timer for the primary server to ten minutes.

[SecBlade_FW] radius scheme test1

[SecBlade_FW-radius-test1] timer quiet 10
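The failover behaviour described under retry, state and timer quiet (a server is declared down after N-[N/2] unanswered attempts, the NAS stays on the secondary until it fails or an operator sets the primary active, and the quiet timer returns a blocked server to the active state) is modelled below as an added Python simulation; it is not H3C code, and the class and method names, the quiet-timer field and the assumption that an expired quiet timer does not by itself move traffic back to the primary are mine.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class RadiusServer:
    """One server of a scheme: its state as set with the state command plus a quiet-timer field (mine)."""
    name: str
    state: str = "block"        # "active" or "block"
    blocked_until: float = 0.0  # simulated time at which the quiet timer expires (0 = not running)


class RadiusSchemeModel:
    """Model of how the NAS picks between the primary and secondary server (my reading of this chapter)."""

    def __init__(self, retry: int = 3, response_timeout: float = 3.0, quiet_minutes: int = 5):
        self.retry = retry                        # retry retry-times
        self.response_timeout = response_timeout  # timer response-timeout, seconds
        self.quiet_seconds = quiet_minutes * 60   # timer quiet, minutes
        self.primary = RadiusServer("primary", "active")
        self.secondary = RadiusServer("secondary", "active")
        self.current = self.primary  # server the NAS currently sends to
        self.now = 0.0               # simulated clock, seconds
        self.log: List[str] = []

    @property
    def down_threshold(self) -> int:
        """Unanswered attempts after which the NAS declares a server disconnected: N - [N/2]."""
        return self.retry - self.retry // 2

    def advance(self, seconds: float) -> None:
        """Move the clock; a server blocked by the quiet timer resumes the active state when it expires."""
        self.now += seconds
        for srv in (self.primary, self.secondary):
            if srv.state == "block" and srv.blocked_until and self.now >= srv.blocked_until:
                srv.state, srv.blocked_until = "active", 0.0
                self.log.append(f"t={self.now:.0f}s quiet timer expired, {srv.name} is active again")

    def set_state(self, which: str, state: str) -> None:
        """Operator runs 'state { primary | secondary } authentication { block | active }'."""
        srv = self.primary if which == "primary" else self.secondary
        srv.state, srv.blocked_until = state, 0.0
        if srv is self.primary and state == "active":
            self.current = self.primary  # forces the NAS back to the primary right away
        self.log.append(f"t={self.now:.0f}s operator set {which} {state}")

    def _other(self, srv: RadiusServer) -> RadiusServer:
        return self.secondary if srv is self.primary else self.primary

    def send_request(self, reachable: Callable[[str], bool]) -> Optional[str]:
        """Send one authentication request; return the name of the server that answered, or None."""
        if self.current.state == "block":
            # Prefer an active primary; with both servers blocked the NAS still sends to the primary.
            self.current = self.secondary if (self.primary.state != "active"
                                              and self.secondary.state == "active") else self.primary
        for _ in range(2):  # the NAS turns to the other server at most once per request
            srv = self.current
            for attempt in range(1, self.down_threshold + 1):
                if reachable(srv.name):
                    return srv.name
                self.advance(self.response_timeout)  # response timeout expired, retransmit
                self.log.append(f"t={self.now:.0f}s no response from {srv.name}, attempt {attempt}")
            # Declared disconnected: block it and start its quiet timer.
            srv.state, srv.blocked_until = "block", self.now + self.quiet_seconds
            self.log.append(f"t={self.now:.0f}s {srv.name} declared down, quiet for {self.quiet_seconds:.0f}s")
            other = self._other(srv)
            if other.state != "active":
                return None
            self.current = other  # the NAS stays here even after the first server recovers
        return None


if __name__ == "__main__":
    up = {"primary": False, "secondary": True}   # constructed reachability of the two servers
    scheme = RadiusSchemeModel(retry=3, response_timeout=3.0, quiet_minutes=5)
    scheme.send_request(up.__getitem__)          # primary fails twice, NAS turns to the secondary
    up["primary"] = True
    scheme.advance(400)                          # quiet timer expires, primary is active again
    scheme.send_request(up.__getitem__)          # ...but the NAS keeps using the secondary
    scheme.set_state("primary", "active")        # operator forces the return to the primary
    scheme.send_request(up.__getitem__)
    print("\n".join(scheme.log))
```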

1.2.28  timer realtime-accounting

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

RADIUS view

Parameters

minutes: Real time accounting interval, a multiple of 3 in the range of 3 to 60 minutes.

Description

Use the timer realtime-accounting command to configure a real time accounting interval.

Use the undo timer realtime-accounting command to restore the default interval.

The setting of real time accounting interval is indispensable to real time accounting. After an interval value is set, the NAS transmits the accounting information of online users to the RADIUS accounting server at intervals of this value.

The setting of the real time accounting interval depends to some extent on the performance of the NAS and the RADIUS server: a shorter interval requires higher device performance. It is therefore recommended that you adopt a longer interval when there are a large number of users (1000 or more). The following table gives the recommended interval for a given number of users.

Table 1-6 Recommended ratio of minutes to the number of users

Number of users    Real time accounting interval (minute)
1 – 99             3
100 – 499          6
500 – 999          12
≥1000              ≥15

By default, the interval of realtime accounting is 12 minutes.

Related commands: retry realtime-accounting and radius scheme.

Examples

# Set the real time accounting interval in the RADIUS scheme test to 51 minutes.

[SecBlade_FW-radius-test] timer realtime-accounting 51

1.2.29  timer response-timeout

Syntax

timer seconds

undo timer

timer response-timeout seconds

undo timer response-timeout

View

RADIUS view

Parameters

seconds: RADIUS server response timeout time, in the range of 1 to 10 seconds.

Description

Use the timer response-timeout command and the timer command to configure the RADIUS server response timeout timer.

Use the undo timer command and the undo timer response-timeout command to restore the default.

If the NAS receives no response from the RADIUS server after sending a RADIUS request (authentication/authorization or accounting request) packet for a period, the NAS has to retransmit the packet, thus ensuring the user can obtain the RADIUS service. You can specify this period by setting the RADIUS server response timeout timer using the timer command and the timer response-timeout command.

By default, the response timeout timer of the RADIUS server is three seconds.

Related commands: radius scheme and retry.

Examples

# Set the response timeout timer in the RADIUS scheme test to 5 seconds.

[SecBlade_FW-radius-test] timer response-timeout 5

1.2.30  user-name-format

Syntax

user-name-format { with-domain | without-domain }

View

RADIUS view

Parameters

with-domain: Specifies to send a user name with domain name to the RADIUS server.

without-domain: Specifies to send a user name without domain name to the RADIUS server.

Description

Use the user-name-format command to configure the format of the username to be sent to the RADIUS server.

By default, in system scheme, the NAS sends user names without domain names to the RADIUS server; in the newly created RADIUS scheme, the NAS sends user names with domain names to the RADIUS server.

The supplicants are generally named in the userid@isp-name format, where isp-name is used by the SecBlade to decide the ISP domain to which a supplicant belongs. Some earlier RADIUS servers, however, cannot recognize usernames that carry an ISP domain name. Before sending such a username to one of these RADIUS servers, the SecBlade must remove the domain name. This command therefore lets you decide whether to include the domain name in a username sent to a RADIUS server.

Note:

If a RADIUS scheme sends usernames without the domain name, do not apply the scheme to more than one ISP domain; otherwise the RADIUS server would regard two users in different ISP domains but with the same userid as one user.

Related commands: radius scheme.

Examples

# Send the username without domain name to the RADIUS servers in the RADIUS scheme test.

[SecBlade_FW-radius-test] user-name-format without-domain
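The constraints stated for retry, timer response-timeout, retry realtime-accounting (retry-times × T < t), timer realtime-accounting (a multiple of 3 in 3..60, and Table 1-6's recommended interval per user count) and the user-name-format note (a without-domain scheme should not be shared by several ISP domains) can be checked before a scheme goes into service. The following Python checker is an added example, not H3C code; the RadiusScheme field names are mine, and converting t from minutes to seconds for the retry-times × T rule is my reading of the text.

```python
from dataclasses import dataclass, field
from typing import List

# Table 1-6 in this section: (upper bound of the user range, recommended interval in minutes).
# None stands for "no upper bound" (1000 users or more).
RECOMMENDED_INTERVAL = [(99, 3), (499, 6), (999, 12), (None, 15)]


def recommended_interval(user_count: int) -> int:
    """Recommended timer realtime-accounting value (minutes) for a given number of users."""
    for upper, minutes in RECOMMENDED_INTERVAL:
        if upper is None or user_count <= upper:
            return minutes
    raise ValueError("unreachable: the last table row has no upper bound")


@dataclass
class RadiusScheme:
    """The subset of a SecBlade RADIUS scheme that the checks below need (field names are mine)."""
    name: str
    retry: int = 3                    # retry retry-times, 1..20
    response_timeout: int = 3         # timer response-timeout, 1..10 seconds (T in the manual)
    realtime_interval: int = 12       # timer realtime-accounting, minutes (t in the manual)
    retry_realtime: int = 5           # retry realtime-accounting, 1..255
    retry_stop_accounting: int = 500  # retry stop-accounting, 10..65535
    with_domain: bool = True          # user-name-format with-domain / without-domain
    referenced_by: List[str] = field(default_factory=list)  # ISP domains that use this scheme


def validate_scheme(s: RadiusScheme, user_count: int) -> List[str]:
    """Return the problems found in the scheme; an empty list means it passes every check."""
    problems: List[str] = []
    if not 1 <= s.retry <= 20:
        problems.append(f"{s.name}: retry {s.retry} is outside 1..20")
    if not 1 <= s.response_timeout <= 10:
        problems.append(f"{s.name}: timer response-timeout {s.response_timeout} is outside 1..10")
    if not (3 <= s.realtime_interval <= 60 and s.realtime_interval % 3 == 0):
        problems.append(f"{s.name}: timer realtime-accounting {s.realtime_interval} "
                        "must be a multiple of 3 in the range 3..60")
    if not 1 <= s.retry_realtime <= 255:
        problems.append(f"{s.name}: retry realtime-accounting {s.retry_realtime} is outside 1..255")
    if not 10 <= s.retry_stop_accounting <= 65535:
        problems.append(f"{s.name}: retry stop-accounting {s.retry_stop_accounting} is outside 10..65535")
    # Rule of thumb from the retry realtime-accounting description: retry-times x T < t.
    # T is in seconds and t in minutes, so t is converted to seconds here (my reading).
    if s.retry_realtime * s.response_timeout >= s.realtime_interval * 60:
        problems.append(f"{s.name}: {s.retry_realtime} attempts x {s.response_timeout} s does not fit "
                        f"inside the {s.realtime_interval}-minute accounting interval")
    recommended = recommended_interval(user_count)
    if s.realtime_interval < recommended:
        problems.append(f"{s.name}: interval {s.realtime_interval} min is shorter than the "
                        f"{recommended} min recommended for {user_count} users")
    # Note under user-name-format: a without-domain scheme shared by several ISP domains
    # makes the RADIUS server treat users with the same userid as one account.
    if not s.with_domain and len(s.referenced_by) > 1:
        problems.append(f"{s.name}: sends user names without-domain but is referenced by "
                        f"{', '.join(s.referenced_by)}; same userid in different domains would collide")
    return problems


if __name__ == "__main__":
    # Values taken from the examples in this section (scheme "test"); 300 users is assumed.
    ok = RadiusScheme("test", retry=5, response_timeout=5, realtime_interval=51,
                      retry_realtime=10, retry_stop_accounting=1000, referenced_by=["isp1"])
    # A constructed scheme with several of the mistakes the text warns about.
    bad = RadiusScheme("bad", realtime_interval=10, with_domain=False,
                       referenced_by=["isp1", "isp2"])
    for scheme, users in ((ok, 300), (bad, 2000)):
        for line in validate_scheme(scheme, users) or [f"{scheme.name}: no problems"]:
            print(line)
```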

1.3  HWTACACS Configuration Commands

1.3.1  data-flow-format

Syntax

data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }

data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet }

undo data-flow-format { data | packet }

View

HWTACACS view

Parameters

data: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet: Specifies the unit for data packets, which can be giga-packet, kilo-packet, mega-packet, or one-packet.

Description

Use the data-flow-format command to specify the unit for data flows or packets to be sent to a TACACS server.

Use the undo data-flow-format command to restore the default.

By default, the unit for data flows is byte and that for data packets is one-packet.

Related commands: display hwtacacs.

Examples

# Send data flows and data packets to the TACACS server Test in kilobytes and kilopackets respectively.

[SecBlade_FW-hwtacacs-test] data-flow-format data kilo-byte packet kilo-packet

1.3.2  debugging hwtacacs

Syntax

debugging hwtacacs { all | error | event | message | receive-packet | send-packet }

undo debugging hwtacacs { all | error | event | message | receive-packet | send-packet }

View

User view

Parameters

all: Enables all HWTACACS debugging.

error: Enables error debugging.

event: Enables event debugging.

message: Enables message debugging.

receive-packet: Enables incoming packet debugging.

send-packet: Enables outgoing packet debugging.

Description

Use the debugging hwtacacs command to enable HWTACACS debugging.

Use the undo debugging hwtacacs command to disable HWTACACS debugging.

By default, HWTACACS debugging is disabled.

Examples

# Enable the event debugging of HWTACACS.

<SecBlade_FW> debugging hwtacacs event

1.3.3  display hwtacacs scheme

Syntax

display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]

View

Any view

Parameters

hwtacacs-scheme-name: HWTACACS scheme name, a string of 1 to 32 case-insensitive characters. If no HWTACACS scheme is specified, the system displays the configuration of all HWTACACS schemes.

statistics: Displays statistics about HWTACACS packets.

Description

Use the display hwtacacs scheme command to view the configuration information of a specified or all HWTACACS schemes.

Without any parameter specified, the command displays the configuration information of all HWTACACS schemes.

Related commands: hwtacacs scheme.

Examples

# View the configuration information of HWTACACS scheme gy.

<SecBlade_FW> display hwtacacs scheme gy

--------------------------------------------------------------------
  HWTACACS-server template name   : gy
  Primary-authentication-server   : 172.31.1.11:49
  Primary-authorization-server    : 172.31.1.11:49
  Primary-accounting-server       : 172.31.1.11:49
  Secondary-authentication-server : 0.0.0.0:0
  Secondary-authorization-server  : 0.0.0.0:0
  Secondary-accounting-server     : 0.0.0.0:0
  Current-authentication-server   : 172.31.1.11:49
  Current-authorization-server    : 172.31.1.11:49
  Current-accounting-server       : 172.31.1.11:49
  Source-IP-address               : 0.0.0.0
  key authentication              : 790131
  key authorization               : 790131
  key accounting                  : 790131
  Quiet-interval(min)             : 5
  Response-timeout-Interval(sec)  : 5
  Domain-included                 : No
  Traffic-unit                    : B
  Packet traffic-unit             : one-packet

Table 1-7 Description on the fields of the display hwtacacs scheme command

Field                            Description
HWTACACS-server template name    HWTACACS server template name (that is, HWTACACS scheme name)
Primary-authentication-server    IP address and port number of the primary authentication server
Primary-authorization-server     IP address and port number of the primary authorization server
Primary-accounting-server        IP address and port number of the primary accounting server
Secondary-authentication-server  IP address and port number of the secondary authentication server
Secondary-authorization-server   IP address and port number of the secondary authorization server
Secondary-accounting-server      IP address and port number of the secondary accounting server
Current-authentication-server    IP address and port number of the active authentication server
Current-authorization-server     IP address and port number of the active authorization server
Current-accounting-server        IP address and port number of the active accounting server
Source-IP-address                Source IP address used by the router to send HWTACACS packets
key authentication               Shared key of the HWTACACS authentication server
key authorization                Shared key of the HWTACACS authorization server
key accounting                   Shared key of the HWTACACS accounting server
Quiet-interval(min)              Time period that the primary server waits before it resumes the active state
Response-timeout-Interval(sec)   Response timeout time of the TACACS server
Domain-included                  Whether the user name sent to the TACACS server includes the domain name
Traffic-unit                     Unit of data flows: B (data are sent in bytes), GB (gigabytes), KB (kilobytes), MB (megabytes)
Packet traffic-unit              Unit of data packets: giga-packet, kilo-packet, mega-packet, or one-packet
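A reviewer reading the display hwtacacs scheme output above will want to spot unset secondary servers, missing shared keys and a default (0.0.0.0) source address, and will notice that the shared keys are printed in clear. The following Python parser and audit is an added example, not H3C code: it uses the output shown in this section as its sample, and the audit checks and the redaction helper are mine.

```python
import re
from typing import Dict, List, Tuple

# Output of 'display hwtacacs scheme gy' as shown in this section, copied from the manual.
SAMPLE_OUTPUT = """\
--------------------------------------------------------------------
  HWTACACS-server template name   : gy
  Primary-authentication-server   : 172.31.1.11:49
  Primary-authorization-server    : 172.31.1.11:49
  Primary-accounting-server       : 172.31.1.11:49
  Secondary-authentication-server : 0.0.0.0:0
  Secondary-authorization-server  : 0.0.0.0:0
  Secondary-accounting-server     : 0.0.0.0:0
  Current-authentication-server   : 172.31.1.11:49
  Current-authorization-server    : 172.31.1.11:49
  Current-accounting-server       : 172.31.1.11:49
  Source-IP-address               : 0.0.0.0
  key authentication              : 790131
  key authorization               : 790131
  key accounting                  : 790131
  Quiet-interval(min)             : 5
  Response-timeout-Interval(sec)  : 5
  Domain-included                 : No
  Traffic-unit                    : B
  Packet traffic-unit             : one-packet
"""

SERVER_FIELDS = (
    "Primary-authentication-server", "Primary-authorization-server", "Primary-accounting-server",
    "Secondary-authentication-server", "Secondary-authorization-server", "Secondary-accounting-server",
)
KEY_FIELDS = ("key authentication", "key authorization", "key accounting")


def parse_hwtacacs_scheme(text: str) -> Dict[str, str]:
    """Turn the 'Field : value' lines of the display output into a dict; ruler lines are skipped."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue
        name, sep, value = line.partition(":")  # first colon only: values may hold "ip:port"
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def split_server(value: str) -> Tuple[str, int]:
    """Split an 'ip:port' value such as '172.31.1.11:49' into its two parts."""
    ip, _, port = value.rpartition(":")
    return ip, int(port)


def audit_scheme(fields: Dict[str, str]) -> List[str]:
    """Findings a reviewer would raise from the output alone (the checks are mine, not the manual's)."""
    name = fields.get("HWTACACS-server template name", "?")
    findings: List[str] = []
    for f in SERVER_FIELDS:
        ip, _port = split_server(fields.get(f, "0.0.0.0:0"))
        if ip == "0.0.0.0":
            role = "no failover server" if f.startswith("Secondary") else "server not configured"
            findings.append(f"{name}: {f} is 0.0.0.0 ({role})")
    for f in KEY_FIELDS:
        if not fields.get(f):
            findings.append(f"{name}: {f} not set; the TACACS server cannot verify packets")
    if fields.get("Source-IP-address") == "0.0.0.0":
        findings.append(f"{name}: Source-IP-address unset, packets leave with the outgoing "
                        "interface address; the manual recommends a loopback address (hwtacacs nas-ip)")
    return findings


def redact_keys(text: str) -> str:
    """The display output prints shared keys in clear; mask them before the output is shared."""
    pattern = r"^(\s*key (?:authentication|authorization|accounting)\s*:\s*)\S+"
    return re.sub(pattern, r"\1******", text, flags=re.MULTILINE)


if __name__ == "__main__":
    parsed = parse_hwtacacs_scheme(SAMPLE_OUTPUT)
    for finding in audit_scheme(parsed):
        print(finding)
    print(redact_keys(SAMPLE_OUTPUT))
```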


1.3.4  display stop-accounting-buffer

Syntax

display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

View

Any view

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Displays information on the buffered stop accounting requests associated with the HWTACACS scheme specified by hwtacacs-scheme-name, a string of 1 to 32 characters.

Description

Use the display stop-accounting-buffer command to view information on the stop accounting requests buffered on the SecBlade.

Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, and retry stop-accounting.

Examples

# Display information on the buffered stop accounting requests associated with HWTACACS scheme test.

<SecBlade_FW> display stop-accounting-buffer hwtacacs-scheme test

-------------------------------------------------------------
NO.  SendTime  IP Address      Template
1    10        172.31.1.27     test
-------------------------------------------------------------
Whole accounting stop packet to resend:1

Table 1-8 Description on the fields of the display stop-accounting-buffer command

Field       Description
NO.         Sequence number of the stop accounting request packet
SendTime    Number of the stop accounting request packets
IP Address  IP address of the TACACS server
Template    Name of the HWTACACS authentication scheme

1.3.5  hwtacacs nas-ip

Syntax

hwtacacs nas-ip ip-address

undo hwtacacs nas-ip

View

System view

Parameters

ip-address: Source IP address. It must be the address of this device, and cannot be the address of all zeros, a class D address, a network address, or an address starting with 127.

Description

Use the hwtacacs nas-ip command to specify the source address for the NAS to use as the source IP address of HWTACACS packets.

Use the undo hwtacacs nas-ip command to restore the default setting.

By specifying the source IP address of HWTACACS packets, you can avoid the situation where the packets sent back by the TACACS server cannot be received as the result of a physical interface failure. The loopback interface address is usually recommended.

By default, the source IP address of packets is the IP address of the interface where the packets are sent.

This command specifies only one source address; therefore, the newly configured source address may overwrite the original one.

Examples

# Configure the SecBlade to send HWTACACS packets from 129.10.10.1.

[SecBlade_FW] hwtacacs nas-ip 129.10.10.1

1.3.6  hwtacacs scheme

Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

View

System view

Parameters

hwtacacs-scheme-name: HWTACACS scheme name, a string of 1 to 32 characters.

Description

Use the hwtacacs scheme command to create an HWTACACS scheme and enter HWTACACS scheme view.

Use the undo hwtacacs scheme command to delete an HWTACACS scheme.

Examples

# Create an HWTACACS scheme named test1 and enter HWTACACS scheme view.

[SecBlade_FW] hwtacacs scheme test1

[SecBlade_FW-hwtacacs-test1]

1.3.7  key

Syntax

key { accounting | authentication | authorization } string

undo key { accounting | authentication | authorization }

View

HWTACACS view

Parameters

accounting: Specifies the shared key for the accounting server.

authentication: Specifies the shared key for the authentication server.

authorization: Specifies the shared key for the authorization server.

string: Shared key, a string of 1 to 16 characters.

Description

Use the key command to configure a shared key for the TACACS authentication, authorization or accounting server.

Use the undo key command to remove the configuration.

By default, no key is set for any TACACS server.

The TACACS client (the SecBlade) and the TACACS server use the MD5 algorithm to encrypt the exchanged packets. The two ends verify packets using a shared key. Only when the same key is used can both ends accept the packets from each other and give responses. Therefore, it is necessary to ensure that the same key is set on the SecBlade and the TACACS server. If the authentication/authorization and accounting are performed on two server devices with different shared keys, you must set one shared key for each.

Related commands: display hwtacacs.

Examples

# Use hello as the shared key for the TACACS accounting server.

[SecBlade_FW] hwtacacs scheme test1

[SecBlade_FW-hwtacacs-test1] key accounting hello

1.3.8  nas-ip

Syntax

nas-ip ip-address

undo nas-ip

View

HWTACACS view

Parameters

ip-address: IP address in dotted decimal format.

Description

Use the nas-ip command to specify the source address for the NAS (the SecBlade) to send HWTACACS packets.

Use the undo nas-ip command to remove the setting.

By specifying the source address of HWTACACS packets, you avoid the situation where replies from the TACACS server cannot be received because a physical interface has failed. Using a loopback interface address is recommended.

By default, the source IP address of packets is the IP address of the interface where the packets are sent.

Related commands: display hwtacacs.

Examples

# Configure the NAS to send HWTACACS packets from 10.1.1.1.

[SecBlade_FW] hwtacacs scheme test1

[SecBlade_FW-hwtacacs-test1] nas-ip 10.1.1.1

1.3.9  primary accounting

Syntax

primary accounting ip-address [ port ]

undo primary accounting

View

HWTACACS view

Parameters

ip-address: IP address of the primary accounting server, a valid unicast address in dotted decimal format.

port: Port number of the primary accounting server, in the range 1 to 65535. The default is 49.

Description

Use the primary accounting command to configure a primary TACACS accounting server.

Use the undo primary accounting command to delete the configured primary TACACS accounting server.

By default, the IP address of the primary TACACS accounting server is 0.0.0.0.

You are not allowed to assign the same IP address to both the primary and secondary accounting servers.

You can configure only one primary accounting server in a HWTACACS scheme. If you enter this command multiple times, only the latest configuration takes effect.

You can remove an accounting server only when no active TCP connection for sending accounting packets is using it.

Once the start accounting request has succeeded on a server, both the update accounting and stop accounting packets for that session are sent to the same server. No primary/secondary switching occurs even if that server becomes unavailable; switching takes place only during the initial authentication, authorization and accounting process.

Examples

# Configure a primary accounting server.

[SecBlade_FW] hwtacacs scheme test1

[SecBlade_FW-hwtacacs-test1] primary accounting 10.163.155.12 49

1.3.10  primary authentication

Syntax

primary authentication ip-address [ port ]

undo primary authentication

View

HWTACACS view

Parameters

ip-address: IP address of the primary authentication server, a valid unicast address in dotted decimal format.

port: Port number of the primary authentication server, which is in the range 1 to 65535 and defaults to 49.

Description

Use the primary authentication command to configure a primary TACACS authentication server.

Use the undo primary authentication command to delete the configured authentication server.

By default, the IP address of the primary TACACS authentication server is 0.0.0.0.

You are not allowed to assign the same IP address to both the primary and secondary authentication servers.

You can configure only one primary authentication server in a HWTACACS scheme. If you enter this command multiple times, only the latest configuration takes effect.

You can remove an authentication server only when no active TCP connection for sending accounting packets is using it.

Related commands: display hwtacacs.

Examples

# Configure a primary authentication server.

[SecBlade_FW] hwtacacs scheme test1

[SecBlade_FW-hwtacacs-test1] primary authentication 10.163.155.13 49

1.3.11  primary authorization

Syntax

primary authorization ip-address [ port ]

undo primary authorization

View

HWTACACS view

Parameters

ip-address: IP address of the primary authorization server, a valid unicast address in dotted decimal format.

port: Port number of the primary authorization server, which is in the range of 1 to 65535 and defaults to 49.

Description

Use the primary authorization command to configure a primary TACACS authorization server.

Use the undo primary authorization command to delete the configured primary authorization server.

By default, the IP address of the primary TACACS authorization server is 0.0.0.0.

If TACACS authentication is configured for a user but no TACACS authorization server is configured, the user cannot log in, whatever the user type.

You are not allowed to assign the same IP address to both the primary and secondary authorization servers.

You can configure only one primary authorization server in a HWTACACS scheme. If you enter this command multiple times, only the latest configuration takes effect.

You can remove an authorization server only when no active TCP connection for sending accounting packets is using it.

Related commands: display hwtacacs.

Examples

# Configure a primary authorization server.

[SecBlade_FW] hwtacacs scheme test1

[SecBlade_FW-hwtacacs-test1] primary authorization 10.163.155.13 49

1.3.12  reset hwtacacs statistics

Syntax

reset hwtacacs statistics { accounting | authentication | authorization | all }

View

User view

Parameters

accounting: Clears all the HWTACACS accounting statistics.

authentication: Clears all the HWTACACS authentication statistics.

authorization: Clears all the HWTACACS authorization statistics.

all: Clears all statistics.

Description

Use the reset hwtacacs statistics command to clear HWTACACS protocol statistics.

Related commands: display hwtacacs.

Examples

# Clear all HWTACACS protocol statistics.

<SecBlade_FW> reset hwtacacs statistics all

1.3.13  reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

View

User view

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Deletes the buffered stop accounting requests that belong to the specified HWTACACS scheme. The hwtacacs-scheme-name argument is the HWTACACS scheme name, a string of 1 to 32 characters.

Description

Use the reset stop-accounting-buffer command to clear the stop accounting requests that have no response and are buffered on the SecBlade.

Related commands: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.

Examples

# Delete the buffered stop accounting requests by HWTACACS scheme test.

<SecBlade_FW> reset stop-accounting-buffer hwtacacs-scheme test

1.3.14  retry stop-accounting

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

HWTACACS view

Parameters

retry-times: Maximum number of stop accounting request attempts, in the range 1 to 300.

Description

Use the retry stop-accounting command to enable stop accounting request retransmission and configure the maximum number of stop accounting request attempts.

Use the undo retry stop-accounting command to restore the default setting.

By default, stop accounting request retransmission is enabled and the maximum number of request attempts is set to 100.

Related commands: reset stop-accounting-buffer, hwtacacs scheme, and display stop-accounting-buffer.

Examples

# Enable stop accounting request retransmission and set the maximum number of request attempts to 50.

[SecBlade_FW-hwtacacs-test] retry stop-accounting 50

1.3.15  secondary accounting

Syntax

secondary accounting ip-address [ port ]

undo secondary accounting

View

HWTACACS view

Parameters

ip-address: IP address of the secondary accounting server, a valid unicast address in dotted decimal format.

port: Port number of the secondary accounting server, in the range 1 to 65535. The default is 49.

Description

Use the secondary accounting command to configure a secondary TACACS accounting server.

Use the undo secondary accounting command to delete the configured secondary TACACS accounting server.

By default, the IP address of the secondary TACACS accounting server is 0.0.0.0.

You are not allowed to assign the same IP address to both the primary and secondary accounting servers.

You can configure only one secondary accounting server in a HWTACACS scheme. If you enter this command multiple times, only the latest configuration takes effect.

You can remove an accounting server only when no active TCP connection for sending accounting packets is using it.

Examples

# Configure a secondary accounting server.

[SecBlade_FW] hwtacacs scheme test1

[SecBlade_FW-hwtacacs-test1] secondary accounting 10.163.155.12 49

1.3.16  secondary authentication

Syntax

secondary authentication ip-address [ port ]

undo secondary authentication

View

HWTACACS view

Parameters

ip-address: IP address of the secondary authentication server, a valid unicast address in dotted decimal format.

port: Port number of the secondary authentication server, in the range 1 to 65535. The default is 49.

Description

Use the secondary authentication command to configure a secondary TACACS authentication server.

Use the undo secondary authentication command to delete the configured secondary authentication server.

By default, the IP address of the secondary TACACS authentication server is 0.0.0.0.

You are not allowed to assign the same IP address to both the primary and secondary authentication servers.

You can configure only one secondary authentication server in a HWTACACS scheme. If you enter this command multiple times, only the latest configuration takes effect.

You can remove an authentication server only when no active TCP connection for sending accounting packets is using it.

Related commands: display hwtacacs.

Examples

# Configure a secondary authentication server.

[SecBlade_FW] hwtacacs scheme test1

[SecBlade_FW-hwtacacs-test1] secondary authentication 10.163.155.13 49

1.3.17  secondary authorization

Syntax

secondary authorization ip-address [ port ]

undo secondary authorization

View

HWTACACS view

Parameters

ip-address: IP address of the secondary authorization server, a valid unicast address in dotted decimal format.

port: Port number of the secondary authorization server, in the range 1 to 65535. The default is 49.

Description

Use the secondary authorization command to configure a secondary TACACS authorization server.

Use the undo secondary authorization command to delete the configured secondary authorization server.

By default, the IP address of the secondary TACACS authorization server is 0.0.0.0.

You are not allowed to assign the same IP address to both the primary and secondary authorization servers.

You can configure only one secondary authorization server in a HWTACACS scheme. If you enter this command multiple times, only the latest configuration takes effect.

You can remove an authorization server only when no active TCP connection for sending accounting packets is using it.

Related commands: display hwtacacs.

Examples

# Configure the secondary authorization server.

[SecBlade_FW] hwtacacs scheme test1

[SecBlade_FW-hwtacacs-test1] secondary authorization 10.163.155.13 49

1.3.18  stop-accounting-buffer enable

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

View

HWTACACS view

Parameters

None

Description

Use the stop-accounting-buffer enable command to enable the SecBlade to buffer stop accounting request packets that receive no response.

Use the undo stop-accounting-buffer enable command to disable the function.

By default, stop accounting request packets that receive no response are buffered on the SecBlade.

For detailed description, refer to the stop-accounting-buffer enable command in the RADIUS scheme.

Examples

# For the servers in the HWTACACS scheme named test, allow the SecBlade to buffer stop accounting request packets that receive no response.

[SecBlade_FW-hwtacacs-test] stop-accounting-buffer enable

1.3.19  timer quiet

Syntax

timer quiet minutes

undo timer quiet

View

HWTACACS view

Parameters

minutes: Quiet period, in the range of 1 to 255 minutes.

Description

Use the timer quiet command to set the duration that a primary server must wait before it resumes the active state.

Use the undo timer quiet command to restore the default (five minutes).

By default, the primary server must wait five minutes before it resumes the active state.

Related commands: display hwtacacs.

Examples

# Set the quiet timer for the primary server to ten minutes.

[SecBlade_FW] hwtacacs scheme test1

[SecBlade_FW-hwtacacs-test1] timer quiet 10

1.3.20  timer realtime-accounting

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

HWTACACS view

Parameters

minutes: Real time accounting interval, which must be a multiple of 3 in the range 3 to 60 minutes.

Description

Use the timer realtime-accounting command to configure a real time accounting interval.

Use the undo timer realtime-accounting command to restore the default interval.

Real time accounting interval is necessary for real time accounting. After an interval value is set, the NAS transmits the accounting information of online users to the TACACS accounting server at intervals of this value.

The choice of real time accounting interval depends on the performance of the NAS and the TACACS server: a shorter interval demands more of both devices. A longer interval is therefore recommended when there are many users (1000 or more). The following table gives the recommended interval for each number of users.

Table 1-9 Recommended ratio of minutes to the number of users

Number of users      Real time accounting interval (minutes)
1 – 99               3
100 – 499            6
500 – 999            12
≥ 1,000              ≥ 15

By default, the real time accounting interval is 12 minutes.

Related commands: retry realtime-accounting and radius scheme.

Examples

# Set the real time accounting interval in the HWTACACS scheme test to 51 minutes.

[SecBlade_FW-hwtacacs-test] timer realtime-accounting 51

1.3.21  timer response-timeout

Syntax

timer response-timeout seconds

undo timer response-timeout

View

HWTACACS view

Parameters

seconds: Response timeout time, in the range of 1 to 300 seconds.

Description

Use the timer response-timeout command to set the response timeout timer of the TACACS server.

Use the undo timer response-timeout command to restore the default (five seconds).

By default, the response timeout timer of the TACACS server is five seconds.

 

Note:

Because HWTACACS runs over TCP, either a server response timeout or a TCP timeout may cause the connection to the TACACS server to be torn down.

 

Related commands: display hwtacacs.

Examples

# Set the response timeout time of the TACACS server to 30 seconds.

[SecBlade_FW] hwtacacs scheme test1

[SecBlade_FW-hwtacacs-test1] timer response-timeout 30

1.3.22  user-name-format

Syntax

user-name-format { with-domain | without-domain }

View

HWTACACS view

Parameters

with-domain: Sends the username with the domain name to the TACACS servers.

without-domain: Sends the username without the domain name to the TACACS servers.

Description

Use the user-name-format command to configure the username format sent to the TACACS servers.

By default, the username sent to the TACACS servers includes the ISP domain name.

Supplicants are generally named in the userid@isp-name format. The part after the @ sign is the ISP domain name, by which the SecBlade assigns the user to the corresponding ISP domain. Some earlier TACACS servers, however, reject usernames that carry an ISP domain name; for them, the username must be sent with the domain name removed. This command therefore lets you decide whether usernames are sent to the TACACS servers with or without the ISP domain name.

 

Note:

If a HWTACACS scheme is configured to strip the ISP domain name from usernames, do not use that scheme in more than one ISP domain. Otherwise, the TACACS servers will mistake two users in different ISP domains who have the same username (domain names excluded) for the same user.

 

Related commands: hwtacacs scheme.

Examples

# Specify to send the username without domain name.

[SecBlade_FW-hwtacacs-test] user-name-format without-domain

 


Chapter 2  ACL Configuration Commands

2.1  ACL Configuration Commands

2.1.1  acl

Syntax

acl number acl-number [ match-order { config | auto } ]

undo acl { number acl-number | all }

View

System View

Parameters

number acl-number: Defines an access control list (ACL) number, with the range 1000 to 1999 for interface-based ACLs, 2000 to 2999 for basic ACLs, 3000 to 3999 for advanced ACLs, and 4000 to 4999 for MAC-based ACLs.

match-order: Indicates the order in which rules are configured.

config: Matches rules in the order in which they were configured.

auto: Matches rules in automatic order (following the "depth first" principle).

all: Removes all ACLs.

Description

Use the acl command to create an ACL and enter ACL view.

Use the undo acl command to remove an ACL.

An ACL consists of a list of rules, each described by a permit or deny statement. Before configuring rules for an ACL, you must create the ACL first.

Examples

# Create a basic ACL numbered 2000.

[SecBlade_FW] acl number 2000

[SecBlade_FW-acl-basic-2000]

2.1.2  description

Syntax

description text

undo description

View

ACL view

Parameters

text: ACL description, a string of up to 127 characters.

Description

Use the description command to add description to an ACL.

Use the undo description command to remove the description on the ACL.

Examples

# Add description to ACL 2001.

[SecBlade_FW-acl-basic-2001] description Deny HTTP from host 10.0.0.1

2.1.3  display acl

Syntax

display acl { all | acl-number }

View

Any view

Parameters

all: Specifies all ACL rules.

acl-number: ACL with a specific number.

Description

Use the display acl command to view the rules of a configured ACL.

The rule match order defaults to config (the configuration order). If the configuration order applies, the display command does not show information on the match order. If the match order auto applies, the display command shows that.

Examples

# Display the rules of ACL 2000.

[SecBlade_FW-acl-basic-2000] display acl 2000

Basic ACL  2000, 2 rules

Acl's step is 1

rule 1 permit (0 times matched)

rule 2 permit source 1.1.1.1 0 (0 times matched)

2.1.4  reset acl counter

Syntax

reset acl counter { all | acl-number }

View

User View

Parameters

acl-number: ACL with a specific number.

all: Specifies all ACL rules.

Description

Use the reset acl counter command to clear the statistics on an ACL or all the ACLs.

Examples

# Reset the statistics on ACL 1000.

<SecBlade_FW> reset acl counter 1000

2.1.5  rule

Syntax

1) Create or remove a rule of a basic ACL

rule [ rule-id ] { permit | deny } [ source {sour-addr sour-wildcard | any } ] [ time-range time-name ] [ logging ] [ fragment ]

undo rule rule-id [ source ] [ time-range ] [ logging ] [ fragment ]

2) Create or remove a rule of an advanced ACL

rule [ rule-id ] { permit | deny } protocol [ source { source-addr source-wildcard | any } ] [ destination { dest-addr dest-wildcard | any } ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-message | icmp-type icmp-code } ] [ dscp dscp ] [ established ] [ precedence precedence ] [ tos tos ] [ time-range time-name ] [ logging ] [ fragment ]

undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ] [ icmp-type ] [ dscp ] [ precedence ] [ tos ] [ time-range ] [ logging ] [ fragment ]

3) Create or remove a rule of an interface-based ACL

rule [ rule-id ] { permit | deny } interface { interface-type interface-number | any } [ time-range time-name ] [ logging ]

undo rule rule-id [ time-range ] [ logging ] *

4) Create or remove a rule of a MAC-based ACL

rule [ rule-id ] { deny | permit } [ type type-code type-mask | lsap lsap-code lsap-mask ] [ source-mac sour-addr sour-mask ] [ dest-mac dest-addr dest-mask ] [ time-range time-name ] [ logging ]

undo rule rule-id [ time-range ] [ logging ]

View

ACL view

Parameters

In the rule command:

rule-id: ID of an ACL rule, optional, in the range 0 to 65534. If you specify a rule-id that already exists, the new definition partially overwrites the existing rule, as if you were editing it. To edit an existing rule, it is recommended that you remove it first and then create the rule anew; otherwise the result may differ from what you expect. If the specified rule-id does not exist, a new rule with that ID is created. If you do not specify rule-id, a new rule is created and the system assigns an ID to it automatically.

deny: Discards matched packets.

permit: Permits matched packets.

protocol: Protocol type over IP expressed by name or number. The number range is from 0 to 255, and the name range covers GRE, ICMP, IGMP, IP, IPINIP, OSPF, TCP and UDP.

source: Specifies source address information of an ACL rule, optional. If it is not configured, it indicates that any source address of the packets matches.

sour-addr: Source IP address of packets, in dotted decimal format.

sour-wildcard: Source address wildcard, in dotted decimal format.

destination: Specifies destination address information of an ACL rule, optional. If it is not configured, it indicates that any destination address of the packets matches.

dest-addr: Destination IP address of packets, in dotted decimal format.

dest-wildcard: Destination address wildcard, in dotted decimal format.

any: Represents the source or destination address 0.0.0.0 with the wildcard 255.255.255.255.

icmp-type: Specifies the ICMP packet type and ICMP message code, optional. This keyword is valid only when the packet protocol is ICMP. If it is not configured, it indicates any ICMP packet matches.

icmp-type: ICMP packets can be filtered according to ICMP message type. It is a number ranging from 0 to 255.

icmp-code: ICMP packets that can be filtered according to ICMP message type can also be filtered according to message code. It is a number ranging from 0 to 255.

icmp-message: ICMP packets can be filtered according to ICMP message type or ICMP message code.

source-port: Specifies source port information of UDP or TCP packets, optional. It is valid only when the protocol specified by the rule is TCP or UDP. If it is not specified, it indicates that any source port information of TCP/UDP packets matches.

destination-port: Specifies destination port information of UDP or TCP packets, optional. It is valid only when the protocol specified by the rule is TCP or UDP. If it is not specified, it indicates that any destination port information of TCP/UDP packets matches.

operator: Comparison applied to the source or destination port number, optional. The operators are lt (less than), gt (greater than), eq (equal to), neq (not equal to) and range (between). The range operator must be followed by two port numbers; the others take one.

port1, port2: Port number of TCP or UDP, expressed by name or number, optional. The number range is from 0 to 65535.

dscp dscp: Specifies a DSCP field (the DS byte in an IP packet).

established: Matches all TCP packets with the ACK or RST flag set, including SYN+ACK, ACK, FIN+ACK, RST and RST+ACK packets. This option matches the traffic of established TCP sessions, that is, it filters out initial TCP session requests (bare SYN packets).

precedence: Indicates that packets can be filtered according to precedence field, optional. This keyword is a number ranging from 0 to 7 or a name.

tos tos: Indicates that packets can be filtered according to type of service, optional. This keyword is a number ranging from 0 to 15 or a name.

logging: Indicates whether to log qualified packets, optional. The log contents include ACL rule sequence numbers, packets passed or discarded, upper layer protocol type over IP, source/destination address, source/destination port number, and number of packets. The system logs qualified packets only when the ACL is used as a packet filtering firewall.

time-range time-name: Specifies that the ACL is valid in this time range.

fragment: Specifies that this rule is valid only for non-initial fragment packets.

interface interface-type interface-number: Specifies the interface information of the packets, that is, filters the packets received from this interface. any represents all interfaces.

In the undo rule command:

rule-id: ID of an ACL rule. It should be an existing ACL rule number. If this argument is not followed by other parameters, this ACL rule will be removed completely; otherwise, only part of information related to this ACL rule will be removed.

source: Optional. Specifies to remove only the setting related to the source address part of the ACL rule.

destination: Optional. Specifies to remove only the setting related to the destination address part of the ACL rule.

source-port: Optional. Specifies to remove only the setting related to the source port part of the ACL rule. This keyword is valid only when the protocol is TCP or UDP.

destination-port: Optional. Specifies to remove only the setting related to the destination port part of the ACL rule. This keyword is valid only when the protocol is TCP or UDP.

icmp-type: Optional. Specifies to remove only the setting related to ICMP type and message code part of the ACL rule. This keyword is valid only when the protocol is ICMP.

precedence: Optional. Specifies to remove only the precedence setting of the ACL rule.

tos tos: Optional. Specifies to remove only related tos setting of the ACL rule.

time-range time-name: Optional. Specifies that the ACL rule is valid in this time range.

logging: Optional. Specifies to remove only the setting related to logging qualified packets in the ACL rule.

fragment: Optional. Specifies to remove only the setting that the ACL rule is valid only for non-initial fragment packets.

type-code: Data frame type, a 16-bit hexadecimal number corresponding to the type-code field in Ethernet_II and Ethernet_SNAP frames. See Table 5-1 for the type-code values.

type-mask: Type mask, a 16-bit hexadecimal number used for specifying the mask bits.

lsap-code: Encapsulation format of data frames, a 16-bit hexadecimal number.

lsap-mask: LSAP mask, a 16-bit hexadecimal number used to specify mask bits.

sour-addr: Source MAC address in the format of xxxx-xxxx-xxxx, used to match the source address of a packet.

sour-mask: Source MAC address mask.

dest-addr: Destination MAC address in the format of xxxx-xxxx-xxxx, used to match the destination address of a packet.

dest-mask: Destination MAC address mask.

Description

Use the rule command to add a rule in ACL view.

Use the undo rule command to remove a rule.

The rule ID is needed when you try to remove a rule. If you do not know the ID, use the display acl command to find it out.

Examples

# Create ACL 3001 and add a rule to deny RIP packets.

[SecBlade_FW] acl number 3001

[SecBlade_FW-acl-adv-3001] rule deny udp destination-port eq rip

# Add a rule to permit hosts in the network segment 129.9.0.0 to send WWW packets to hosts in the network segment 202.38.160.0.

[SecBlade_FW-acl-adv-3001] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www

# Add a rule to deny the WWW access (80) from the host in network segment 129.9.0.0 to the host in network segment 202.38.160.0, and log events that violate the rule.

[SecBlade_FW-acl-adv-3001] rule deny tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www logging

# Add a rule to permit the WWW access (80) from the host in network segment 129.9.8.0 to the host in network segment 202.38.160.0.

[SecBlade_FW-acl-adv-3001] rule permit tcp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port eq www

# Add a rule to prohibit all hosts from establishing Telnet (23) connection to the host with the IP address 202.38.160.1.

[SecBlade_FW-acl-adv-3001] rule deny tcp destination 202.38.160.1 0 destination-port eq telnet

# Add a rule to prohibit UDP connections with a destination port number greater than 128 from the hosts in network segment 129.9.8.0 to the hosts in network segment 202.38.160.0.

[SecBlade_FW-acl-adv-3001] rule deny udp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port gt 128
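The following Python model, an added illustration and not H3C code, applies the wildcard, port-operator, any and established semantics described under Parameters to the six rules added to ACL 3001 in the examples above, using config match order (the first matching rule decides). The packet dictionaries and the standard port numbers for www, telnet, ftp and rip are constructed for the example; running it shows, among other things, that the permit rule for 129.9.0.0 shadows the later deny ... logging rule for the same traffic, so that rule never logs anything.

```python
"""Evaluate SecBlade advanced ACL rules (added illustration, not H3C code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Port names used by the examples in this section, with their standard numbers.
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "rip": 520}
# Port operators from the Parameters section: p is the packet's port, a and b the rule's.
PORT_OPS = {
    "eq": lambda p, a, b: p == a, "neq": lambda p, a, b: p != a,
    "lt": lambda p, a, b: p < a, "gt": lambda p, a, b: p > a,
    "range": lambda p, a, b: a <= p <= b,
}

def _ip(s: str) -> int:
    # The CLI accepts a bare 0 as the all-zero wildcard (exact host match).
    return int(s) if s.isdigit() else int(ipaddress.IPv4Address(s))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit set to 1 means 'don't care' (the inverse of a subnet mask):
    0.0.255.255 covers a whole /16, while 0 requires an exact host match."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def port_match(op: str, p1: int, p2: Optional[int], port: int) -> bool:
    return PORT_OPS[op](port, p1, p2)

def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

@dataclass
class Rule:
    action: str                                     # permit | deny
    protocol: str                                   # ip matches every protocol
    source: Optional[Tuple[str, str]] = None        # (addr, wildcard); None = any
    destination: Optional[Tuple[str, str]] = None
    source_port: Optional[Tuple[str, int, Optional[int]]] = None       # (op, p1, p2)
    destination_port: Optional[Tuple[str, int, Optional[int]]] = None
    established: bool = False
    logging: bool = False

def parse_rule(line: str) -> Rule:
    """Parse the subset of the 'rule' syntax used by this section's examples."""
    t = line.split()
    if not t or t[0] != "rule":
        raise ValueError("expected a line starting with 'rule'")
    i = 2 if t[1].isdigit() else 1                  # skip an optional rule-id
    r = Rule(action=t[i], protocol=t[i + 1].lower())
    i += 2
    while i < len(t):
        k = t[i]
        if k in ("source", "destination"):
            is_any = t[i + 1] == "any"              # any = 0.0.0.0 wildcard 255.255.255.255
            setattr(r, k, ("0.0.0.0", "255.255.255.255") if is_any else (t[i + 1], t[i + 2]))
            i += 2 if is_any else 3
        elif k in ("source-port", "destination-port"):
            op, p1 = t[i + 1], _port(t[i + 2])
            p2 = _port(t[i + 3]) if op == "range" else None
            setattr(r, k.replace("-", "_"), (op, p1, p2))
            i += 4 if op == "range" else 3
        elif k in ("established", "logging"):
            setattr(r, k, True)
            i += 1
        else:
            raise ValueError(f"unsupported keyword {k!r}")
    return r

def rule_matches(r: Rule, pkt: dict) -> bool:
    """pkt keys: proto, src, dst, sport, dport and (for TCP) tcp_flags, a set of names."""
    if r.protocol != "ip" and r.protocol != pkt["proto"]:
        return False
    for spec, key in ((r.source, "src"), (r.destination, "dst")):
        if spec and not wildcard_match(pkt[key], *spec):
            return False
    if pkt["proto"] in ("tcp", "udp"):              # port checks apply to TCP/UDP only
        for spec, key in ((r.source_port, "sport"), (r.destination_port, "dport")):
            if spec and not port_match(*spec, pkt[key]):
                return False
    # established: ACK or RST set (SYN+ACK, ACK, FIN+ACK, RST, RST+ACK), so a bare SYN fails
    if r.established and not ({"ACK", "RST"} & pkt.get("tcp_flags", set())):
        return False
    return True

def evaluate(rules, pkt: dict):
    """Config match order: first match decides. Returns (index, action, logging) or None."""
    for idx, r in enumerate(rules):
        if rule_matches(r, pkt):
            return idx, r.action, r.logging
    return None

# The six rules added to ACL 3001 in the examples above, in configuration order.
ACL_3001 = [parse_rule(line) for line in (
    "rule deny udp destination-port eq rip",
    "rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www",
    "rule deny tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www logging",
    "rule permit tcp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port eq www",
    "rule deny tcp destination 202.38.160.1 0 destination-port eq telnet",
    "rule deny udp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port gt 128",
)]
```

When no rule matches, evaluate returns None; the ACL's default action for unmatched traffic is not part of this model.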

2.1.6  rule comment

Syntax

rule rule-id comment text

undo rule rule-id comment

View

ACL view

Parameters

rule-id: ID of an existing ACL rule.

comment text: Specifies comment of an ACL rule, a string of up to 128 characters.

Description

Use the rule comment command to add comment to an ACL rule.

Use the undo rule comment command to remove the comment of the ACL rule.

Examples

# Add comment to ACL rule 7.

[SecBlade_FW-acl-adv-3001] rule 7 comment Allow FTP from any source to host 172.16.0.1

2.2  Time Range Configuration Commands

2.2.1  display time-range

Syntax

display time-range { all | time-name }

View

Any view

Parameters

time-name: Name of the time range.

all: Displays all the configured time ranges.

Description

Use the display time-range command to view the configuration and status of time ranges. A time range that is currently in effect is shown as "active"; otherwise it is shown as "inactive".

The system updates ACL status with a deviation of about 1 minute, whereas the display time-range command reports the state of a time range at the exact current time. It can therefore happen that display time-range shows a time range as active while the ACL that references it is still inactive. This is normal.

Examples

# Display all time ranges.

[SecBlade_FW] display time-range all

# Display the time range named trname.

[SecBlade_FW] display time-range trname

Current time is 02:49:36 2/15/2003 Saturday

Time-range : trname ( Inactive )

14:00 to 16:00 off-day from 00:00 12/1/2002 to 00:00 12/1/2003

2.2.2  time-range

Syntax

time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date }

undo time-range time-name [ start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date ]

View

System view

Parameters

time-name: Time range name, which consists of up to 32 characters and must start with a letter of a-z or A-Z.

start-time: Start time of a time range, in the format of HH:MM, with HH ranging from 0 to 23 and MM ranging from 0 to 59. HH and MM are separated by “:”.

end-time: End time of a time range, in the format of HH:MM, with HH ranging from 0 to 23 (absolute time range) or 0 to 24 (cycled time range) and MM ranging from 0 to 59. HH and MM are separated by “:”.

days-of-the-week: Days of a week when the time range is valid. This argument can be represented in the following ways:

0 through 6, representing Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday respectively;

Sunday through Saturday, including Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday;

Working-day, including Monday through Friday;

Off-day, including Saturday and Sunday;

Daily, including the seven days of a week.

start-date: Start day of a time range, in the format of MM/DD/YYYY, with DD ranging from 1 to 31, MM ranging from 1 to 12, and YYYY (a 4-digit number) ranging from 1970 to 2100.

end-date: End day of a time range, in the format MM/DD/YYYY, with DD ranging from 1 to 31, MM ranging from 1 to 12, and YYYY (a 4-digit number) ranging from 1970 to 2100.

Description

Use the time-range command to specify a time range.

Use the undo time-range command to remove a time range.

There are the following types of time ranges:

• Absolute time range

For example:

# Configure a time range when the ACL is valid from 20:00 04/01/2003 to 20:00 12/10/2003.

[SecBlade_FW] time-range test from 20:00 04/01/2003 to 20:00 12/10/2003

You can view one single absolute time range in the configuration information.

[SecBlade_FW] display time-range test

Current time is 19:41:22 Jan/1/2000 Saturday

 

Time-range : test ( Inactive )

From 20:00 Apr/1/2003 to 20:00 Dec/10/2003

• Cycled time range

For example:

# Configure a time range when the ACL is valid from 12:00:00 to 17:00:00 every day.

[SecBlade_FW] time-range  test 12:00 to 17:00 daily

You can only view one cycled time range in the configuration information.

[SecBlade_FW] display time-range test

Current time is 19:44:25 Jan/1/2000 Saturday

 

Time-range : test ( Inactive )

12:00 to 17:00 daily   

• Cycled time range within an absolute time range

For example:

# Configure a time range when the ACL is valid from 14:00 to 16:00 every off-day within the period from 20:00 04/01/2003 to 20:00 12/10/2003.

[SecBlade_FW] time-range test 14:00 to 16:00 off-day from 20:00 04/01/2003 to 20:00 12/10/2003

In the configuration information, you can view one single cycled time range and one single absolute time range.

[SecBlade_FW] display time-range test

Current time is 18:39:49 Jan/1/2000 Saturday

 

Time-range : test ( Inactive )

 14:00 to 16:00 off-day

 From 20:00 Apr/1/2003 to 20:00 Dec/10/2003

• Compound time range

A compound time range consists of several cycled time ranges and/or absolute time ranges configured under the same name, for example:

[SecBlade_FW] time-range test 16:30 to 18:00 daily from 01:00 01/01/2000 to 23:00 01/10/2000

[SecBlade_FW] time-range test 18:00 to 21:30 daily from 23:00 01/10/2000 to 23:00 02/01/2000

[SecBlade_FW] display time-range test

Current time is 18:29:37 Jan/1/2000 Saturday

 

Time-range : test ( Active )

 16:30 to 18:00 daily

 18:00 to 21:30 daily

 From 01:00 Jan/1/2000 to 23:00 Jan/10/2000

 From 23:00 Jan/10/2000 to 23:00 Feb/1/2000

The actual valid time is from 16:30 to 21:30 every day within the period from 01:00 01/01/2000 to 23:00 02/01/2000, rather than from 16:30 to 18:00 within the period from 01:00 01/01/2000 to 23:00 01/10/2000 plus from 18:00 to 21:30 within the period from 23:00 01/10/2000 to 23:00 02/01/2000.

In general, a compound time range relates to its sub-ranges as follows: if it contains no cycled time range, it is the union of all its absolute time ranges; if it contains one or more cycled time ranges, it is the intersection of the union of all absolute time ranges with the union of all cycled time ranges. Keep this in mind when several time-range lines share a name: the sub-ranges do not pair up line by line.
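The following Python program is an added example and is not part of the H3C manual or the SecBlade software. It re-implements the compound time-range rule above (union of absolute ranges, intersected with the union of cycled ranges) so that you can predict offline when an ACL that references a time range will be active, and it includes a check for the one-minute update lag noted under display time-range. Assumptions not stated by the manual: range bounds are half-open (start inclusive, end exclusive), so "to 24:00" ends exactly at midnight.

```python
"""Evaluate SecBlade-style time-range definitions offline (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

DAY_GROUPS = {
    "daily": {0, 1, 2, 3, 4, 5, 6},
    "working-day": {1, 2, 3, 4, 5},
    "off-day": {0, 6},
}
# CLI numbering: 0 = Sunday ... 6 = Saturday
DAY_NAMES = ["sunday", "monday", "tuesday", "wednesday",
             "thursday", "friday", "saturday"]


@dataclass
class Periodic:
    start_min: int           # minutes after midnight
    end_min: int             # may be 1440 for "24:00"
    days: Set[int]           # CLI day numbers


@dataclass
class Absolute:
    start: datetime          # 1970-01-01 when only "to" is given
    end: Optional[datetime]  # None when only "from" is given


@dataclass
class TimeRange:
    name: str
    periodic: List[Periodic] = field(default_factory=list)
    absolute: List[Absolute] = field(default_factory=list)


def _hhmm(tok: str) -> int:
    h, m = tok.split(":")
    return int(h) * 60 + int(m)


def _stamp(hhmm: str, date: str) -> datetime:
    """Parse 'HH:MM' + 'MM/DD/YYYY'; also accepts '0:0' and '1/1/2003'."""
    return datetime.strptime(f"{date} {hhmm}", "%m/%d/%Y %H:%M")


def parse_config(lines: List[str]) -> Dict[str, TimeRange]:
    """Parse 'time-range NAME ...' statements. Repeated names accumulate
    sub-ranges into one compound time range, as the CLI does."""
    ranges: Dict[str, TimeRange] = {}
    for line in lines:
        toks = line.split()
        if len(toks) < 3 or toks[0] != "time-range":
            continue
        tr = ranges.setdefault(toks[1], TimeRange(toks[1]))
        toks, i = toks[2:], 0
        if ":" in toks[0]:                     # cycled part: HH:MM to HH:MM days
            start, end = _hhmm(toks[0]), _hhmm(toks[2])
            i, days = 3, set()
            while i < len(toks) and toks[i] not in ("from", "to"):
                d = toks[i].lower()
                if d in DAY_GROUPS:
                    days |= DAY_GROUPS[d]
                elif d in DAY_NAMES:
                    days.add(DAY_NAMES.index(d))
                else:
                    days.add(int(d))
                i += 1
            tr.periodic.append(Periodic(start, end, days))
        a_start = a_end = None
        if i < len(toks) and toks[i] == "from":
            a_start = _stamp(toks[i + 1], toks[i + 2])
            i += 3
        if i < len(toks) and toks[i] == "to":
            a_end = _stamp(toks[i + 1], toks[i + 2])
        if a_start or a_end:
            tr.absolute.append(Absolute(a_start or datetime(1970, 1, 1), a_end))
    return ranges


def is_active(tr: TimeRange, now: datetime) -> bool:
    """Compound rule: union of absolute ranges, intersected with the union
    of cycled ranges whenever at least one cycled range exists."""
    abs_ok = (not tr.absolute) or any(
        a.start <= now and (a.end is None or now < a.end) for a in tr.absolute)
    if not tr.periodic:
        return abs_ok
    cli_day = (now.weekday() + 1) % 7          # Python Monday=0 -> CLI Sunday=0
    minute = now.hour * 60 + now.minute
    per_ok = any(cli_day in p.days and p.start_min <= minute < p.end_min
                 for p in tr.periodic)
    return abs_ok and per_ok


def active_at(tr: TimeRange, hhmm: str, date: str) -> bool:
    return is_active(tr, _stamp(hhmm, date))


def acl_state_settled(tr: TimeRange, hhmm: str, date: str, skew_s: int = 60) -> bool:
    """False if the range changed state within the last skew_s seconds: the
    ACL status may then still lag what 'display time-range' reports."""
    now = _stamp(hhmm, date)
    return is_active(tr, now) == is_active(tr, now - timedelta(seconds=skew_s))


if __name__ == "__main__":
    cfg = parse_config([  # the manual's compound example
        "time-range test 16:30 to 18:00 daily from 01:00 01/01/2000 to 23:00 01/10/2000",
        "time-range test 18:00 to 21:30 daily from 23:00 01/10/2000 to 23:00 02/01/2000",
    ])
    print(active_at(cfg["test"], "18:29", "01/01/2000"))  # Active, as in the display output
    print(active_at(cfg["test"], "20:00", "01/05/2000"))  # Active: 18:00-21:30 applies to the whole period
```

The second print shows the point made above: 20:00 on Jan 5, 2000 is active even though the 18:00 to 21:30 line was typed next to the Jan 10 to Feb 1 window, because the cycled and absolute parts are unioned separately before being intersected.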

Examples

# Configure the time range when the ACL is always valid from 0:0 on Jan. 1, 2003.

[SecBlade_FW] time-range test from 0:0 1/1/2003

# Configure the time range when the ACL is valid between 14:00 and 16:00 on every weekend day from 20:00 on Apr. 1, 2003 to 20:00 on Dec. 10, 2003.

[SecBlade_FW] time-range test 14:00 to 16:00 off-day from 20:00 04/01/2003 to 20:00 12/10/2003

# Configure the time range when the ACL is valid between 8:00 and 18:00 in each working day.

[SecBlade_FW] time-range test 8:00 to 18:00 working-day

# Configure the time range when the ACL is valid between 14:00 and 18:00 in each weekend day.

[SecBlade_FW] time-range test 14:00 to 18:00 off-day

 


Chapter 3  NAT Configuration Commands

3.1  NAT Configuration Commands

3.1.1  connection-limit default

Syntax

connection-limit default { permit | deny }

undo connection-limit default { permit | deny }

View

System view

Parameters

permit: Limits connections that match no connection-limiting policy, using the default upper and lower limits.

deny: Applies no limit to such connections.

Description

Use the connection-limit default command to configure the action taken for connections that match no connection-limiting policy.

Use the undo connection-limit default command to cancel the configured action.

The connection-limit default command can be configured repeatedly. The latter configuration will overwrite the former configuration.

Examples

# Limit the number of connections if no limitation policy is available.

[SecBlade_FW] connection-limit default permit

3.1.2  connection-limit default amount

Syntax

connection-limit default amount { upper-limit upper-limit | lower-limit lower-limit }*

undo connection-limit default amount { upper-limit | lower-limit }*

View

System view

Parameters

upper-limit: Specifies a default upper limit.

upper-limit: Default upper limit, in the range of 1 to 4,294,967,295.

lower-limit: Specifies a default lower limit.

lower-limit: Default lower limit, in the range of 0 to 4,294,967,295.

Description

Use the connection-limit default amount command to configure a default threshold for the number of connections.

Use the undo connection-limit default amount command to cancel the configured threshold.

By default, the upper limit is 50 and the lower limit is 20.

Examples

# Set a default threshold for the number of connections: 100 for upper limit, and 20 for lower limit.

[SecBlade_FW] connection-limit default amount upper-limit 100 lower-limit 20

3.1.3  connection-limit enable

Syntax

connection-limit enable

undo connection-limit enable

View

System view

Parameters

None

Description

Use the connection-limit enable command to enable the connection-limiting function. 

Use the undo connection-limit enable command to disable the connection-limiting function. 

By default, the connection-limiting function is disabled.

Examples

# Enable the connection-limiting function.

[SecBlade_FW] connection-limit enable

3.1.4  connection-limit policy

Syntax

connection-limit policy policy-number

undo connection-limit policy { policy-number | all }

View

System view

Parameters

policy-number: No. of a connection-limiting policy, in the range of 0 to 19.

all: Removes all connection-limiting policies.

Description

Use the connection-limit policy command to create a connection-limiting policy and enter policy view.

Use the undo connection-limit policy command to remove the connection-limiting policy.

Examples

# Create a connection-limit policy numbered 10.

[SecBlade_FW] connection-limit policy 10

3.1.5  debugging connection-limit

Syntax

debugging connection-limit

undo debugging connection-limit

View

User view

Parameters

None

Description

Use the debugging connection-limit command to enable debugging for connection-limiting.

Use the undo debugging connection-limit command to disable debugging for connection-limiting.

By default, debugging for connection-limiting is disabled.

Examples

# Enable debugging for connection-limiting.

<SecBlade_FW> debugging connection-limit

3.1.6  debugging nat

Syntax

debugging nat { alg | event | packet } [ interface interface-type interface-number ]

undo debugging nat { alg | event | packet } [ interface interface-type interface-number ]

View

User view

Parameters

alg: Enables the application level gateway NAT debugging.

event: Enables NAT event debugging.

packet: Enables NAT data packet debugging.

interface: Enables NAT packet debugging for a specific interface.

Description

Use the debugging nat command to enable the NAT debugging function.

Use the undo debugging nat command to disable the NAT debugging function.

Examples

# Enable NAT event debugging.

<SecBlade_FW> debugging nat event

3.1.7  display connection-limit policy

Syntax

display connection-limit policy { policy-number | all }

View

Any view

Parameters

policy-number: No. of a policy, in the range of 0 to 255.

all: Displays all policies.

Description

Use the display connection-limit policy command to display a connection-limiting policy or all connection-limiting policies.

Examples

# Display a policy numbered 1.

[SecBlade_FW] display connection-limit policy 1

3.1.8  display connection-limit statistics

Syntax

display connection-limit statistics [ source source-addr source-mask ] [ destination destination-addr destination-mask ] [ destination-port { { eq | neq | gt | lt } destination-port | range destination-port1 destination-port2 } ]

View

Any view

Parameters

source: Specifies a source IP address.

source-addr: Source IP address.

source-mask: Mask of a source IP address.

destination: Specifies destination IP address.

destination-addr: Destination IP address.

destination-mask: Mask of a destination IP address.

destination-port: Specifies a destination port No.

eq: Displays the number of connections for a service with a destination port No equal to the specified port No.

neq: Displays the number of connections for a service with a destination port No. not equal to the specified port No.

gt: Displays the number of connections for a service with a destination port No. greater than the specified port No.

lt: Displays the number of connections for a service with a destination port No. less than the specified port No.

range: Displays the number of connections for a service with a destination port No. within the specified range.

destination-port: Destination port No.

destination-port1 and destination-port2: The two ends of the destination port range (lower and upper bound, respectively).

Description

Use the display connection-limit statistics command to display the connection-limiting information.

You can use this command to view the information on the number of connections. If no parameter is present, all connection-limiting information will be displayed.

Examples

# Display all connection-limiting information.

[SecBlade_FW] display connection-limit statistics

3.1.9  display nat

Syntax

display nat { address-group | aging-time | all | outbound | server | statistics | static | dns-map | session [ vpn-instance vpn-instance-name ] [ source { global global-addr | inside inside-addr } ] } 

View

Any view

Parameters

address-group: Displays the information of the address pool.

aging-time: Displays the effective time for NAT connection.

all: Displays all the information about NAT.

outbound: Displays the information of the outbound NAT.

server: Displays the information of the internal server.

statistics: Displays the statistics of current NAT records.

static: Displays static NAT information.

dns-map: Displays the configured domain-name mapping (dns-map) entries.

session: Displays the information of the currently activated connection.

vpn-instance vpn-instance-name: Displays only the NAT entries of the specified VPN instance. Without this argument, the entries of all instances are displayed.

source global global-addr: Only displays the NAT entry with address as global-addr after NAT.

source inside inside-addr: Only displays the NAT entry with internal address as inside-addr.

destination ip-addr: Displays the NAT entries for the specified destination IP address.

Description

Use the display nat command to display the address translation configuration; use its output to verify that the configuration is correct. When displaying translation sessions, the global-addr and inside-addr parameters of the display nat session command can be specified together.

Examples

# Display all the information about address translation.

<SecBlade_FW> display nat all

NAT address-group Information:

    1: from 11.1.1.1     to  11.1.1.20

    2: from 22.1.1.1     to  22.1.1.20

NAT outbound information:

   GigabitEthernet0/0.1: acl(2011)-NAT address-group(1) [no-pat]

   GigabitEthernet0/0.1: acl(2022)-NAT address-group(2) [no-pat]

Server in private network information:

Interface    GlobalAddr  GlobalPort  InsideAddr  InsidePort Pro

GigabitEthernet0/0.1 201.119.11.3        8080        5.5.5.5     80(www) 6(tcp)

GigabitEthernet0/0.1 201.119.11.3        2121    5.5.5.5     21(ftp) 6(tcp)

NAT dns-map information:

  There are currently 2 dns-map       

    nat dns-map www.sina.com 1.1.1.1 80 tcp

    nat dns-map www.aaaaaaaaaaaaaaaaaaaaaa.com 2.2.2.2 80 tcp

NAT aging-time value information:

       tcp ---- aging-time value is  86400 (seconds)

       udp ---- aging-time value is    300 (seconds)

      icmp ---- aging-time value is     60 (seconds)

      pptp ---- aging-time value is  86400 (seconds)

       dns ---- aging-time value is     60 (seconds)

   tcp-fin ---- aging-time value is     60 (seconds)

   tcp-syn ---- aging-time value is     60 (seconds)

  ftp-ctrl ---- aging-time value is   7200 (seconds)

  ftp-data ---- aging-time value is    300 (seconds)

The information above indicates:

Two address pools are configured: address pool 1 ranges from 11.1.1.1 to 11.1.1.20, and address pool 2 ranges from 22.1.1.1 to 22.1.1.20.

Two address translation associations are configured on GigabitEthernet0/0.1: ACL 2011 is associated with address pool 1, and ACL 2022 with address pool 2; both perform one-to-one (No-PAT) address translation.

GigabitEthernet0/0.1 is configured with two internal servers: the www server reachable at http://201.119.11.3:8080, whose internal address is 5.5.5.5, and the ftp server reachable at ftp://201.119.11.3:2121, whose internal address is also 5.5.5.5.

# Display NAT information.

<SecBlade_FW> display nat session

There are currently 40001 NAT sessions:

 

Protocol      GlobalAddr  Port      InsideAddr  Port        DestAddr  Port

       -  192.168.100.10   ---     192.168.1.5   ---             ---   ---

                 status: NOPAT,        TTL: 00:04:00,       Left: 00:04:00

       6  192.168.100.10  1024     192.168.1.5  1024   192.168.100.1  1025

                 status: NOPAT,        TTL: 00:01:00,       Left: 00:00:59

       6  192.168.100.10  2048     192.168.1.5  2048   192.168.100.1  2049

                 status: NOPAT,        TTL: 00:01:00,       Left: 00:01:00

       6  192.168.100.10  1025     192.168.1.5  1025   192.168.100.1  1026

                 status: NOPAT,        TTL: 00:01:00,       Left: 00:00:59

 

Note:

In No-PAT address translation, display nat session shows one entry per connection initiated from each internal address, as above. Sessions are created only for connections initiated from the internal network toward the external network; no connection initiated from the external network is translated, which enhances network security.

 

3.1.10  display nat connection-limit

Syntax

display nat connection-limit [ source source-addr source-wildcard ] [ destination destination-addr destination-wildcard ] [ destination-port { { eq | neq | gt | lt } destination-port | range destination-port1 destination-port2 } ]

View

Any view

Parameters

nat: Displays the information on the number of NAT-created connections.

source: Specifies a source IP address.

source-addr: Source IP address.

source-wildcard: Wildcard mask of the source IP address.

destination: Specifies destination IP address.

destination-addr: Destination IP address.

destination-wildcard: Wildcard mask of the destination IP address.

destination-port: Specifies a destination port number.

eq: Displays the number of connections for a service with a destination port No equal to the specified port No.

neq: Displays the number of connections for a service with a destination port No. not equal to the specified port No.

gt: Displays the number of connections for a service with a destination port No. greater than the specified port No.

lt: Displays the number of connections for a service with a destination port No. less than the specified port No.

range: Displays the number of connections for a service with a destination port No. within the specified range.

destination-port: Destination port No.

destination-port1 and destination-port2: The two ends of the destination port range (lower and upper bound, respectively).

Description

Use the display nat connection-limit command to display the NAT-related connection-limiting information.

You can use this command to view the information on the number of connections. If no parameter is present, all NAT-related connection-limiting information will be displayed.

Examples

# Display all NAT-related connection-limiting information.

[SecBlade_FW] display nat connection-limit

3.1.11  limit

Syntax

limit limit-id acl acl-number [ { per-source | per-destination | per-service }* amount upper-limit lower-limit ]

undo limit limit-id

View

Connection-limit policy view

Parameters

limit-id: Rule number of a connection-limiting policy, in the range of 0 to 255.

acl: Specifies an ACL. A connection-limiting policy describes the connections to be limited through an ACL, which can match almost any attribute of a connection.

acl-number: Specifies an ACL No., in the range of 2,000 to 3,999.

per-source: Limits the number of connections on a per-source basis.

per-destination: Limits the number of connections on a per-destination basis.

per-service: Limits the number of connections on a per-service (destination port) basis.

amount upper-limit lower-limit: Upper and lower limits of the number of connections for this rule, applied to connections that match the rule. upper-limit ranges from 1 to 4,294,967,295 and lower-limit from 0 to 4,294,967,295. When the number of connections reaches the upper limit, no new connections can be set up; new connections are admitted again only after the number of connections has dropped to the lower limit or below.

Description

Use the limit command to create a rule under the corresponding connection-limiting policy.

Use the undo limit command to remove the rule under the corresponding connection-limiting policy.

When a policy is bound with NAT, you cannot modify or remove the rule of the policy. To modify or remove the rule, you must first unbind the policy with NAT.

By defining an ACL you can limit both TCP connections and non-TCP traffic (for example UDP and ICMP). To limit TCP connections only, the ACL must match TCP explicitly.
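The following Python model is an added example, not code from the H3C manual or the SecBlade. It implements the admission behaviour described for the limit command (refuse new connections once the count reaches upper-limit, re-admit only after the count has drained to lower-limit or below), keyed per-source, per-destination and/or per-service, and falls back to the connection-limit default permit/deny behaviour with the default amounts 50/20 for flows that match no rule. The ACL is stood in for by a list of permitted source networks; the Flow type, the Rule/ConnectionLimitPolicy names and the event format are assumptions of this example.

```python
"""Hysteresis connection limiter modelled on `limit ... amount upper lower` (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: int = 6        # 6 = tcp; non-TCP flows are counted too unless the ACL excludes them


@dataclass
class Rule:
    """One `limit` rule: ACL stand-in (permitted source networks), thresholds, keys."""
    nets: List[str]
    upper: int
    lower: int
    per_source: bool = False
    per_destination: bool = False
    per_service: bool = False
    count: Dict[Tuple, int] = field(default_factory=dict)
    blocked: Dict[Tuple, bool] = field(default_factory=dict)

    def __post_init__(self) -> None:
        assert 1 <= self.upper and 0 <= self.lower <= self.upper

    def matches(self, f: Flow) -> bool:
        return any(ip_address(f.src) in ip_network(n) for n in self.nets)

    def key(self, f: Flow) -> Tuple:
        # Aggregation key: None in a position means "not part of the key"
        return (f.src if self.per_source else None,
                f.dst if self.per_destination else None,
                f.dport if self.per_service else None)


class ConnectionLimitPolicy:
    def __init__(self, rules: List[Rule], default_permit: bool = True,
                 default_upper: int = 50, default_lower: int = 20) -> None:
        self.rules = list(rules)
        # `connection-limit default permit` limits unmatched flows with the default
        # amounts as one aggregate; `deny` leaves them unlimited.
        self.default = (Rule(["0.0.0.0/0"], default_upper, default_lower)
                        if default_permit else None)

    def _rule(self, f: Flow):
        for r in self.rules:          # first matching rule wins (assumption)
            if r.matches(f):
                return r
        return self.default

    def open(self, f: Flow) -> bool:
        """Admission decision for a new connection."""
        r = self._rule(f)
        if r is None:
            return True
        k = r.key(f)
        n = r.count.get(k, 0)
        if r.blocked.get(k, False) or n >= r.upper:
            r.blocked[k] = True       # hold until the count drains to lower
            return False
        r.count[k] = n + 1
        return True

    def close(self, f: Flow) -> None:
        """Release an admitted connection; reopen admission at lower-limit."""
        r = self._rule(f)
        if r is None:
            return
        k = r.key(f)
        r.count[k] = max(0, r.count.get(k, 0) - 1)
        if r.blocked.get(k) and r.count[k] <= r.lower:
            r.blocked[k] = False

    def run(self, events: List[Tuple[str, Flow]]) -> List[bool]:
        """Replay ("open"|"close", Flow) events; returns one decision per open."""
        decisions = []
        for action, f in events:
            if action == "open":
                decisions.append(self.open(f))
            else:
                self.close(f)
        return decisions


if __name__ == "__main__":
    # Constructed scenario: per-source limit upper 3 / lower 1 on 10.1.0.0/16
    pol = ConnectionLimitPolicy([Rule(["10.1.0.0/16"], 3, 1, per_source=True)],
                                default_permit=False)
    a = lambda p: Flow("10.1.0.5", "203.0.113.10", p)
    print(pol.run([("open", a(1)), ("open", a(2)), ("open", a(3)), ("open", a(4)),
                   ("close", a(1)), ("open", a(5)), ("close", a(2)), ("open", a(6))]))
```

The replay shows the hysteresis: after three admitted connections the fourth is refused, a single close (count 2) is not enough to reopen admission, and only once the count reaches the lower limit of 1 is the next connection admitted. Only admitted connections should be closed; a refused attempt never entered the count.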

Examples

# Create a rule under Policy 1, use ACL 3000, and limit connections per source address. The upper limit of the connection number is 100, and the lower limit is 10.

[SecBlade_FW] connection-limit policy 1

[SecBlade_FW-connection-limit-policy-1] limit 0 acl 3000 per-source amount 100 10

3.1.12  nat address-group

Syntax

nat address-group group-number start-addr end-addr

undo nat address-group group-number

View

System view

Parameters

group-number: Address pool number, an integer ranging from 0 to 31.

start-addr: Starting IP address in the address pool.

end-addr: Ending IP address in the address pool.

Description

Use the nat address-group command to configure an address pool.

Use the undo nat address-group command to delete an IP address pool.

An address pool is a set of consecutive outside IP addresses. If start-addr and end-addr are the same, the pool contains a single address.

 

Caution:

• An address pool may contain at most 255 addresses.

• An address pool cannot be deleted while it is associated with an ACL for address translation.

 

Examples

# Configure an address pool from 202.110.10.10 to 202.110.10.15, with its NAT pool ID being 1.

[SecBlade_FW] nat address-group 1 202.110.10.10 202.110.10.15

3.1.13  nat aging-time

Syntax

nat aging-time { default | { dns | ftp-ctrl | ftp-data | icmp | pptp | tcp | tcp-fin | tcp-syn | udp } seconds }

View

System view

Parameters

default: Sets the address translation lifetime values to the defaults.

dns: Sets the address translation lifetime for DNS, which defaults to 60 seconds.

ftp-ctrl: Sets the address translation lifetime for FTP control links, which defaults to 7,200 seconds.

ftp-data: Sets the address translation lifetime for FTP data links, which defaults to 300 seconds.

icmp: Sets the address translation lifetime for ICMP, which defaults to 60 seconds.

pptp: Sets the address translation lifetime for PPTP, which defaults to 86,400 seconds.

tcp: Sets the address translation lifetime for TCP, which defaults to 86,400 seconds.

tcp-fin: Sets the address translation lifetime for TCP FIN or TCP RST connections, which defaults to 60 seconds.

tcp-syn: Sets the address translation lifetime for TCP SYN connections, which defaults to 60 seconds.

udp: Sets the address translation lifetime for UDP, which defaults to 300 seconds.

seconds: Time value, in the range 10 to 86,400 (24 hours).

Description

Use the nat aging-time command to set the lifetime of NAT connections.

This command sets the lifetime of address translation entries in seconds; a separate value is kept for each protocol type. The default ALG aging time depends on the application type. To limit the resources that flooding attacks can tie up, keep the aging time for first-packet (tcp-syn) entries short.

Examples

# Set the valid connection time of TCP to 240 seconds.

[SecBlade_FW] nat aging-time tcp 240

3.1.14  nat alg

Syntax

nat alg { dns | ftp | h323 | ils | msn | nbt | pptp }

undo nat alg { dns | ftp | h323 | ils | msn | nbt | pptp }

View

System view

Parameters

dns: Supports the DNS protocol.

ftp: Supports the FTP protocol.

h323: Supports the H.323 protocol.

ils: Supports the ILS protocol.

msn: Supports the MSN protocol.

nbt: Supports the NBT protocol.

pptp: Supports the PPTP protocol.

Description

Use the nat alg command to enable the application level gateway (ALG) function of NAT.

Use the undo nat alg command to disable the ALG function of NAT.

By default, the ALG function of NAT is enabled.

Examples

# Enable the ALG function of NAT, allowing it to support FTP.

[SecBlade_FW] nat alg ftp

3.1.15  nat connection-limit-policy

Syntax

nat connection-limit-policy policy-number

undo nat connection-limit-policy policy-number

View

System view

Parameters

policy-number: No. of a connection-limiting policy to be bound with NAT, in the range of 0 to 19.

Description

Use the nat connection-limit-policy command to bind a connection-limiting policy with NAT.

Use the undo nat connection-limit-policy command to remove the binding between the connection-limiting policy and NAT.

By default, a connection-limiting policy is not bound with NAT.

The nat connection-limit-policy command can be configured repeatedly. The latter configuration will overwrite the former configuration.

Examples

# Bind Policy 1 with NAT.

[SecBlade_FW] nat connection-limit-policy 1

3.1.16  nat dns-map

Syntax

nat dns-map domain-name global-addr global-port [ tcp | udp ]

undo nat dns-map domain-name

View

System view

Parameters

domain-name: Valid domain name that external DNS servers can resolve.

global-addr: Public IP address that outside hosts can reach.

global-port: Port number of the services that outside hosts can access.

tcp: Indicates TCP.

udp: Indicates UDP.

Description

Use the nat dns-map command to configure a mapping entry from a domain name to the external IP address, port number and protocol type.

Use the undo nat dns-map command to remove the mapping entry from a domain name to the external IP address, port number and protocol type.

If no internal DNS server is configured, these mapping entries let internal hosts distinguish the internal servers by domain name and access them by those names.

By default, no mapping entry is configured; a domain-name request from an internal host is then resolved by the external DNS server to the external IP address, which can be mapped to only one internal server.

Up to 16 mapping entries can be added.

Examples

# Configure a mapping entry from the domain name to the external IP address, port number and protocol type.

[SecBlade_FW] nat dns-map www.abc.com 202.112.0.1 80 tcp

3.1.17  nat outbound

Syntax

nat outbound acl-number [ address-group group-number [ no-pat ] ]

undo nat outbound acl-number [ address-group group-number [ no-pat ] ]

View

Interface view

Parameters

address-group: Translates by means of an address pool. If no address pool is specified, the IP address of the interface is used as the translated address (the "easy-ip" feature).

no-pat: Performs many-to-many address translation only (No-PAT): the source address is translated, but port information is left unchanged.

acl-number: ACL index in the range of 2000 to 3999 (the advanced ACL can be used).

group-number: The number of a defined address pool.

Description

Use the nat outbound command to associate an ACL with an address pool, indicating that the addresses specified in the acl-number can be translated by using the address pool specified by group-number.

Use the undo nat outbound command to remove the corresponding address translation.

By associating an ACL with an address pool, you have the source address of every packet that matches the ACL translated to an address selected from the pool, or directly to the IP address of the interface. Several address translation associations can be configured on the same interface, and the undo form removes a specific association. Normally this interface is the one that connects to the ISP and serves as the exit of the internal network.

Without the address-group parameter the command implements the "easy-ip" feature: the IP address of the interface is used as the translated address, and the ACL controls which source addresses are translated.
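The following Python model is an added example, not code from the H3C manual or the SecBlade. It models the three forms of nat outbound described above (PAT with an address pool, No-PAT, and easy-ip) together with the session table that display nat session shows: entries are created only by inside-initiated flows, and an inbound packet is translated only if it matches an existing entry. The Pkt type, the allocation of PAT ports from 1024 upward, the choice of pool address by inside address, the rule that a No-PAT host keeps its global address while it has sessions, and dropping a packet when a No-PAT pool is exhausted are assumptions of this example; the manual does not specify them.

```python
"""Model of `nat outbound` PAT / No-PAT / easy-ip and the NAT session table (added example)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Key = Tuple[int, str, int, str, int]      # proto, addr, port, peer addr, peer port


@dataclass(frozen=True)
class Pkt:
    proto: int        # 6 = tcp, 17 = udp
    src: str
    sport: int
    dst: str
    dport: int


class OutboundNat:
    def __init__(self, acl_permit: List[str], pool: Optional[List[str]],
                 interface_ip: str, no_pat: bool = False) -> None:
        self.acl = [ip_network(n) for n in acl_permit]   # basic ACL: permitted sources
        # No address-group -> easy-ip: translate to the interface address with PAT
        self.pool = list(pool) if pool else [interface_ip]
        self.no_pat = bool(no_pat and pool)
        self.out: Dict[Key, Pkt] = {}    # inside 5-tuple  -> translated packet
        self.back: Dict[Key, Pkt] = {}   # global 5-tuple  -> original packet
        self.bound: Dict[str, str] = {}  # No-PAT: inside address -> global address
        self.next_port = 1024            # assumption: PAT ports allocated upward

    def _permitted(self, src: str) -> bool:
        return any(ip_address(src) in net for net in self.acl)

    def _alloc(self, pkt: Pkt) -> Optional[Tuple[str, int]]:
        if self.no_pat:                  # one global address per inside host, port kept
            g = self.bound.get(pkt.src)
            if g is None:
                free = [a for a in self.pool if a not in self.bound.values()]
                if not free:
                    return None          # pool exhausted (assumption: drop)
                g = self.bound[pkt.src] = free[0]
            return g, pkt.sport
        g = self.pool[int(ip_address(pkt.src)) % len(self.pool)]
        port, self.next_port = self.next_port, self.next_port + 1
        return g, port

    def outbound(self, pkt: Pkt) -> Optional[Pkt]:
        """Inside -> outside. Returns the translated packet, the packet unchanged
        when the ACL does not match it, or None when it is dropped."""
        if not self._permitted(pkt.src):
            return pkt
        k: Key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if k in self.out:                # existing session: reuse its mapping
            return self.out[k]
        alloc = self._alloc(pkt)
        if alloc is None:
            return None
        g, gp = alloc
        xlated = replace(pkt, src=g, sport=gp)
        self.out[k] = xlated
        self.back[(pkt.proto, g, gp, pkt.dst, pkt.dport)] = pkt
        return xlated

    def inbound(self, pkt: Pkt) -> Optional[Pkt]:
        """Outside -> inside. Only a reply to an existing session is translated;
        anything else aimed at a global address is not translated (None here)."""
        k: Key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        orig = self.back.get(k)
        if orig is None:
            return None
        return replace(pkt, dst=orig.src, dport=orig.sport)

    def session_count(self) -> int:
        return len(self.out)


if __name__ == "__main__":
    # Constructed traffic: ACL 2001 permits 10.110.10.0/24, pool 1 has one address
    nat = OutboundNat(["10.110.10.0/24"], ["202.110.10.10"], "203.0.113.1")
    print(nat.outbound(Pkt(6, "10.110.10.5", 40000, "198.51.100.7", 80)))
    print(nat.inbound(Pkt(6, "198.51.100.7", 80, "202.110.10.10", 1024)))   # reply: translated
    print(nat.inbound(Pkt(6, "198.51.100.7", 80, "202.110.10.10", 2000)))   # unsolicited: None
```

The last two calls are the point of the Note under display nat session: a reply to a session opened from inside is mapped back, while a connection initiated from outside toward the same global address finds no session entry and is not translated, in PAT and No-PAT modes alike.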

Examples

# Enable the hosts of the 10.110.10.0/24 network segment to be translated to addresses selected from 202.110.10.10 through 202.110.10.12. Suppose that interface GigabitEthernet0/0.1 connects to the ISP.

[SecBlade_FW] acl number 2001

[SecBlade_FW-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255

[SecBlade_FW-acl-basic-2001] rule deny

[SecBlade_FW-acl-basic-2001] quit

# Configure the address pool.

[SecBlade_FW] nat address-group 1 202.110.10.10 202.110.10.12

# Enable address translation using the addresses of address pool 1. TCP/UDP port information is used in the translation (PAT).

[SecBlade_FW] interface GigabitEthernet0/0.1

[SecBlade_FW-GigabitEthernet0/0.1] nat outbound 2001 address-group 1

# Delete the corresponding configuration.

[SecBlade_FW-GigabitEthernet0/0.1] undo nat outbound 2001 address-group 1

# Configure simple address translation (No-PAT: TCP/UDP port information is not used in the translation).

[SecBlade_FW-GigabitEthernet0/0.1] nat outbound 2001 address-group 1 no-pat

# Delete the corresponding configuration.

[SecBlade_FW-GigabitEthernet0/0.1] undo nat outbound 2001 address-group 1 no-pat

# Perform address translation using the IP address of interface GigabitEthernet0/0.1 directly (easy-ip).

[SecBlade_FW-GigabitEthernet0/0.1] nat outbound 2001

# Delete the corresponding configuration.

[SecBlade_FW-GigabitEthernet0/0.1] undo nat outbound 2001

3.1.18  nat outbound interface

Syntax

nat outbound acl-number interface interface-type interface-number

undo nat outbound acl-number interface interface-type interface-number

View

Interface view

Parameters

acl-number: ACL index, in the range of 2000 to 3999.

interface interface-type interface-number: Specifies an interface by its interface type and interface number. Currently, only the loopback interface can be specified.

Description

Use the nat outbound interface command to associate an ACL with a specific interface and to set the interface address as the converted address (that is, to replace the source address of the data packets matched the ACL with the IP address of the specified interface).

Use the undo nat outbound interface command to remove the configuration.

Currently, only the loopback interface address can be specified as the converted address.

Examples

# Set the IP address of interface loopback0 as the converted address.

[SecBlade_FW] interface loopback0

[SecBlade_FW-LoopBack0] ip address 202.38.160.106 255.255.255.255

[SecBlade_FW-LoopBack0] quit

[SecBlade_FW] acl number 2000

[SecBlade_FW-acl-basic-2000] rule permit source 10.110.12.0 0.0.0.255

[SecBlade_FW-acl-basic-2000] quit

[SecBlade_FW] interface GigabitEthernet0/0.3

[SecBlade_FW-GigabitEthernet0/0.3] nat outbound 2000 interface loopback 0

3.1.19  nat outbound static

Syntax

nat outbound static

undo nat outbound static

View

Interface view

Parameters

None

Description

Use the nat outbound static command to apply on the interface the static NAT entries configured using the nat static command.

Use the undo nat outbound static command to disable the static NAT entries on the interface.

Examples

# Apply the static NAT entries on the interface GigabitEthernet0/0.1.

[SecBlade_FW-GigabitEthernet0/0.1] nat outbound static

3.1.20  nat overlapaddress

Syntax

nat overlapaddress number overlappool-startaddress temppool-startaddress { pool-length pool-length | address-mask mask }

undo nat overlapaddress number

View

System view

Parameters

number: Number of the address pool pair, in the range of 0 to 7.

overlappool-startaddress: Start address of the overlap address pool. Overlap address pools must not intersect.

temppool-startaddress: Start address of the temporary address pool. Temporary address pools must not intersect, and temporary addresses must not coincide with existing internal or external addresses, so private network addresses are recommended.

pool-length: Length of the address pool, in decimal. The associated overlap and temporary address pools must have the same length, each overlap address corresponding to one temporary address.

mask: Subnet mask of the address pool.

Description

Use the nat overlapaddress command to configure the mapping entry from an overlap address pool to a temporary address pool.

Use the undo nat overlapaddress command to remove the mapping configuration.

 

Note:

One overlap address pool corresponds to one temporary address pool. The conversion rule is:

Temporary address = start address of the temporary address pool + (overlap address - start address of the overlap address pool)

Overlap address = start address of the overlap address pool + (temporary address - start address of the temporary address pool)

 

Examples

# Configure a mapping entry from 171.69.100.0 to 192.168.0.0, with address pool pair number as 0.

[SecBlade_FW] nat overlapaddress 0 171.69.100.0 192.168.0.0 address-mask 24

3.1.21  nat server

Syntax

nat server [ acl-number ] protocol pro-type global {global-addr global-port1 global-port2 | current-interface | interface type number } inside host-addr1 host-addr2 host-port

nat server [ acl-number ] protocol pro-type global { global-addr [ global-port ] | current-interface | interface type number } inside host-addr [ host-port ]

undo nat server [ acl-number ] protocol pro-type global { global-addr global-port1 global-port2 | current-interface | interface type number } inside host-addr1 host-addr2 host-port

undo nat server [ acl-number ] protocol pro-type global { global-addr [ global-port ] | current-interface | interface type number } inside host-addr [ host-port ]

View

Interface view

Parameters

acl-number: Basic or advanced ACL number, in the range of 2000 to 3999. A specified ACL applies only to outbound packets (that is, it controls their address translation); it has no effect on inbound packets.

global-addr: An IP address provided for the outside to access (a legal IP address).

global-port: A service port number provided for the outside to access. If omitted, it takes the same value as host-port.

current-interface: Uses the address of the current public network interface of SecBlade as the public network address of the NAT Server.

interface type number: Uses the address of another interface as the public network address of the NAT Server. Currently, only a LoopBack interface is supported, and the interface must already be configured on SecBlade.

host-addr: IP address of the server in the internal LAN.

host-port: Service port number provided by the server, in the range of 0 to 65535. Commonly used port numbers can be replaced by keywords: for example, the www service port number 80 can also be written as www, and the FTP service port number 21 as ftp. A host-port of 0 means that all types of service are provided; the keyword any can be used in this case. If the argument is not configured, it is treated as any, which is equivalent to a static connection between global-addr and host-addr. When host-port is configured as any, global-port must also be any; otherwise the configuration is illegal.

global-port1, global-port2: Specify a port range through two port numbers, which is mapped one-to-one onto the internal host address range. global-port2 must be larger than global-port1.

host-addr1, host-addr2: Define a range of consecutive addresses, each of which matches one port in the port range defined above. host-addr2 must be larger than host-addr1. The number of addresses in this range must equal the number of ports in the range defined by global-port1 and global-port2.

pro-type: The protocol type carried by IP, given either as a protocol ID or as a keyword standing for it. For example: icmp (its protocol ID is 1), tcp (its protocol ID is 6), udp (its protocol ID is 7).

Description

Use the nat server command to define the mapping table of an internal server. Outside users reach the internal server at host-addr and host-port through the address and port defined by global-addr and global-port.

Use the undo nat server command to remove the mapping table.

With this command you can make internal network servers available for outside use. The internal server can be located on an ordinary private network, and can be a www, ftp, telnet, pop3 or dns server, for example.

Up to 256 internal server conversion commands and at most 4096 internal servers can be configured on one interface. Up to 1024 internal server conversion commands can be configured in one system. If NAT servers are configured with a port range (that is, a port range specified through global-port1 and global-port2 and mapped onto the address range of the internal hosts), the number of internal servers equals the number of ports in the range.

If global-port and host-port are both 0, any, or not configured, the internal network server can access the public network through this configuration, but the protocol initiating the access must match the configured protocol.

When configuring the NAT Server for the FTP server using a port range, you cannot configure the internal port No. as 20 or 21. If you do not use a port range to configure the NAT Server for the FTP server, you cannot configure the internal port No. as 20.

TFTP is a special protocol; therefore, make sure you configure the corresponding nat outbound command on the internal TFTP server when you configure NAT Server for the TFTP server.

The interface on which this command is configured is interconnected with ISP and serves as the exit interface of the internal network.

Examples

# Specify the IP address of the internal WWW server of the LAN as 10.110.10.10 and the IP address of the internal FTP server as 10.110.10.11. The outside is expected to access the web server through http://202.110.10.10:8080 and connect to the FTP site through ftp://202.110.10.10. Suppose that GigabitEthernet0/0.1 is connected to the ISP.

[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www

[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol tcp global 202.110.10.10 inside 10.110.10.11 ftp

# Specify one internal host 10.110.10.12, expecting that an external host can ping it with the ping 202.110.10.11 command.

[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12

# Delete the internal WWW server.

[SecBlade_FW-GigabitEthernet0/0.1] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www

# Delete the internal FTP server.

[SecBlade_FW-GigabitEthernet0/0.1] undo nat server protocol tcp global 202.110.10.10 inside 10.110.10.11 ftp

# Specify an outside address 202.110.10.10 to map the hosts 10.110.10.1 to 10.110.10.100 through ports 1001 to 1100 respectively for access to the telnet service: 202.110.10.10:1001 reaches 10.110.10.1, 202.110.10.10:1002 reaches 10.110.10.2, and so on.

[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet

# Specify the IP address obtained through the Dialer 0 interface as the public network address of the NAT Server. 

[SecBlade_FW-Dialer0] nat server protocol tcp global current-interface 5000 inside 10.0.0.10 5000

3.1.22  nat static

Syntax

nat static ip-addr1 ip-addr2

undo nat static ip-addr1 ip-addr2

View

System view

Parameters

ip-addr1: Private IP address of an internal host.

ip-addr2: Public IP address.

Description

Use the nat static command to configure a one-to-one private-to-public address binding.

Use the undo nat static command to delete an existing one-to-one private-to-public address binding.

Examples

# Bind an internal private IP address with a public IP address for one-to-one address translation.

[SecBlade_FW] nat static 192.168.1.1 2.2.2.2

3.1.23  nat static inside

Syntax

nat static inside ip inside-address global ip global-address

nat static inside ip inside-start-address inside-end-address global ip global-address { mask | mask-length }

undo nat static inside ip inside-address

undo nat static inside ip inside-address global ip global-address

undo nat static inside ip inside-start-address inside-end-address [ global ip global-address { mask | mask-length } ]

View

System view

Parameters

inside-address: Internal network address of a specified static entry.

inside-start-address: Start internal address that the specified static NAT entry will convert.

inside-end-address: End internal address that the specified static NAT entry will convert.

global-address: Public network segment address converted by the specified static NAT entry.

mask: Subnet mask of the public network segment address.

mask-length: Subnet mask length of the public network segment address.

Description

Use the nat static inside command to configure a static NAT entry. When an address is translated by such an entry, only the network segment part of the address is converted; the host part remains unchanged.

Use the undo nat static inside command to delete the existing static NAT entry.

global-address can be any address in the public network segment; the segment address is derived from it according to the mask or mask length.

The nat static inside and nat static commands create two different types of static NAT entries. Note that the two types of addresses cannot be in conflict.

By default, no static NAT entry is configured.

Examples

# Configure a static NAT entry that converts the network segment of addresses 10.1.1.1 to 10.1.1.100 to 211.1.1.0 and keeps their host addresses unchanged.

[SecBlade_FW] nat static inside ip 10.1.1.1 10.1.1.100 global ip 211.1.1.0 255.255.255.0
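The address arithmetic behind the nat overlapaddress note, the nat server port-range form and nat static inside, modelled in Python as an added example (not H3C's code). Function names are mine; the addresses are those of the manual's examples, and a pool length of 256 is assumed for the /24 overlap example.

```python
"""Address mapping rules of three SecBlade NAT commands (added example)."""
import ipaddress
from typing import Optional


def _addr(text: str) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(text)


# nat overlapaddress: the note's rule, applied in both directions.
#   Temporary = temp_start + (overlap - overlap_start)
#   Overlap   = overlap_start + (temporary - temp_start)
def overlap_to_temp(overlap_addr: str, overlap_start: str,
                    temp_start: str, pool_length: int) -> Optional[str]:
    """Temporary address for an overlap address, or None when the address
    lies outside the overlap pool (both pools have the same length)."""
    offset = int(_addr(overlap_addr)) - int(_addr(overlap_start))
    if not 0 <= offset < pool_length:
        return None
    return str(_addr(temp_start) + offset)


def temp_to_overlap(temp_addr: str, temp_start: str,
                    overlap_start: str, pool_length: int) -> Optional[str]:
    """Inverse mapping (the second formula in the note)."""
    offset = int(_addr(temp_addr)) - int(_addr(temp_start))
    if not 0 <= offset < pool_length:
        return None
    return str(_addr(overlap_start) + offset)


# nat server ... global global-addr global-port1 global-port2
#            inside host-addr1 host-addr2 host-port
def server_range_target(global_port: int, global_port1: int, global_port2: int,
                        host_addr1: str, host_addr2: str) -> Optional[str]:
    """Internal host that owns one public port of the range. Enforces the
    manual's constraints: port2 > port1, addr2 > addr1, equal range sizes."""
    if global_port2 <= global_port1:
        raise ValueError("global-port2 must be larger than global-port1")
    first, last = int(_addr(host_addr1)), int(_addr(host_addr2))
    if last <= first:
        raise ValueError("host-addr2 must be larger than host-addr1")
    if last - first != global_port2 - global_port1:
        raise ValueError("address range and port range differ in size")
    if not global_port1 <= global_port <= global_port2:
        return None                      # port not published by this entry
    return str(_addr(host_addr1) + (global_port - global_port1))


# nat static inside ip start end global ip global-address { mask | mask-length }
def static_inside_translate(inside_addr: str, inside_start: str,
                            inside_end: str, global_addr: str,
                            mask: str) -> Optional[str]:
    """Replace the network part with the public segment and keep the host
    part. global_addr may be any address of the segment; the mask (dotted
    or prefix length) selects the segment."""
    addr = _addr(inside_addr)
    if not _addr(inside_start) <= addr <= _addr(inside_end):
        return None                      # not covered by this static entry
    segment = ipaddress.IPv4Network(f"{global_addr}/{mask}", strict=False)
    host_part = int(addr) & int(segment.hostmask)
    return str(ipaddress.IPv4Address(int(segment.network_address) | host_part))


if __name__ == "__main__":
    # Pool pair 0 from 3.1.20 (pool length 256 assumed for the /24 example)
    print(overlap_to_temp("171.69.100.5", "171.69.100.0", "192.168.0.0", 256))
    # Telnet range from 3.1.21: 202.110.10.10:1002 -> 10.110.10.2
    print(server_range_target(1002, 1001, 1100, "10.110.10.1", "10.110.10.100"))
    # Segment entry from 3.1.23: 10.1.1.7 -> 211.1.1.7
    print(static_inside_translate("10.1.1.7", "10.1.1.1", "10.1.1.100",
                                  "211.1.1.0", "255.255.255.0"))
```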

3.1.24  reset nat

Syntax

reset nat { log-entry | session }

View

User view

Parameters

log-entry: Clears NAT log buffer.

session: Clears the information of the address translation table.

Description

Use the reset nat command to clear information about the address translation mapping table stored in the memory to release the memory dynamically allocated to store the mapping table.

Examples

# Clear NAT log buffer.

<SecBlade_FW> reset nat log-entry

# Clear information of the address translation table.

<SecBlade_FW> reset nat session

 


Chapter 4  Firewall Configuration Commands

4.1  Packet Filter Configuration Commands

4.1.1  debugging firewall packet-filter

Syntax

debugging firewall packet-filter { { all | icmp | tcp | udp | fragments-inspect | others } [ interface type number ] | denied | permitted }

undo debugging firewall packet-filter { { all | icmp | tcp | udp | fragments-inspect | others } [ interface type number ] | denied | permitted }

View

User view

Parameters

all: Enables all debugging options.

icmp: Enables ICMP packet filter debugging.

tcp: Enables TCP packet filter debugging.

udp: Enables UDP packet filter debugging.

fragments-inspect: Enables fragment debugging.

others: Enables debugging for all packets other than ICMP, TCP and UDP.

interface type number: Enables debugging for the corresponding packets passing the interface. Without this argument, the debugging information of all the interfaces will be displayed.

denied: Enables debugging for the denied packets.

permitted: Enables debugging for the permitted packets.

Description

Use the debugging firewall packet-filter command to enable packet filter debugging.

Use the undo debugging firewall packet-filter command to disable the packet filter debugging.

By default, all the debugging options for the packet filter are disabled.

Related commands: display debugging.

Examples

# Enable UDP packet filter debugging.

<SecBlade_FW> debugging firewall packet-filter udp

4.1.2  debugging firewall packet-filter fragments-inspect events

Syntax

debugging firewall packet-filter fragments-inspect events

undo debugging firewall packet-filter fragments-inspect events

View

User view

Parameters

None

Description

Use the debugging firewall packet-filter fragments-inspect events command to enable the event debugging for fragment detection.

Use the undo debugging firewall packet-filter fragments-inspect events command to disable the debugging.

By default, the event debugging for fragment detection is disabled.

Examples

# Enable the event debugging for fragment detection.

<SecBlade_FW> debugging firewall packet-filter fragments-inspect events

4.1.3  display firewall fragment

Syntax

display firewall fragment

View

Any view

Parameters

None

Description

Use the display firewall fragment command to display the fragments on the firewall.

Examples

# Display the fragments on the firewall.

<SecBlade_FW> display firewall fragment

4.1.4  display firewall packet-filter statistics

Syntax

display firewall packet-filter statistics { all | interface type number | fragments-inspect }

View

Any view

Parameters

all: Displays the packet filtering statistics of all the interfaces.

interface type number: Displays the packet filtering statistics of the specified interface.

fragments-inspect: Displays the fragment detection statistics.

Description

Use the display firewall packet-filter statistics command to display the packet filtering statistics.

Examples

# Display the information of fragment detection.

[SecBlade_FW] display firewall packet-filter statistics fragments-inspect

  Fragments inspection is enabled.

  The high-watermark for clamping is 10000.

  The low-watermark for clamping is 1000.

  Current records for fragments inspection is 0.

4.1.5  firewall packet-filter default

Syntax

firewall packet-filter default { permit | deny }

View

System view

Parameters

permit: Permits packets to pass by default.

deny: Denies packets from passing by default.

Description

Use the firewall packet-filter default command to configure the default filtering rule of the packet filter, that is, “permit” or “deny”.

When the firewall works in transparent mode, both the Ethernet frame ACL (numbered 4000 to 4999) and the interface ACL (numbered 1000 to 1999) should be bound so as to enable the firewall to forward packets normally in case the default filtering mode is “deny”.

By default, the system denies all packets.

Examples

# Set the default filtering rule of the packet filter to “permit”.

[SecBlade_FW] firewall packet-filter default permit

4.1.6  firewall packet-filter enable

Syntax

firewall packet-filter enable

undo firewall packet-filter enable

View

System view

Parameters

None

Description

Use the firewall packet-filter enable command to enable the packet filter function.

Use the undo firewall packet-filter enable command to disable the packet filter function.

By default, the packet filter function is enabled.

Examples

# Disable the packet filter function.

[SecBlade_FW] undo firewall packet-filter enable

4.1.7  firewall packet-filter fragments-inspect

Syntax

firewall packet-filter fragments-inspect

undo firewall packet-filter fragments-inspect

View

System view

Parameters

None

Description

Use the firewall packet-filter fragments-inspect command to enable fragment detection.

Use the undo firewall packet-filter fragments-inspect command to disable fragment detection.

By default, fragment detection is disabled.

This command is a prerequisite for exact matching: fragment exact matching can be implemented only after fragment detection is enabled. The packet filter then records the status of each fragment and performs exact matching against advanced ACL rules using information above Layer 3 (the IP layer).

Recording fragment status consumes system resources. If exact matching mode is not used, it is recommended that you disable this function to improve system efficiency and reduce overhead.

Exact matching takes effect only when fragment detection is enabled.

Related commands: firewall packet-filter (interface view).

Examples

# Enable the fragment detection.

[SecBlade_FW] firewall packet-filter fragments-inspect

4.1.8  firewall packet-filter fragments-inspect { high | low }

Syntax

firewall packet-filter fragments-inspect { high | low } { default | number }

undo firewall packet-filter fragments-inspect { high | low }

View

System view

Parameters

high number: Specifies the upper threshold of the fragment status record number. It is in the range from 100 to 10000.

low number: Specifies the lower threshold of the fragment status record number. It is in the range from 100 to 10000.

default: Specifies default number of fragment status records. The default upper threshold is 2000 and the default lower threshold is 1500.

Description

Use the firewall packet-filter fragments-inspect { high | low } command to configure the upper and lower thresholds of record number for fragment detection.

Use the undo firewall packet-filter fragments-inspect { high | low } command to restore the default upper and lower thresholds.

If fragment detection is enabled and exact matching is adopted, the efficiency of the packet filter is slightly reduced, and the more matching entries are configured, the greater the reduction. Therefore, upper and lower thresholds should be set. When the number of fragment status records reaches the upper threshold, the earliest recorded status entries are deleted until the number of records drops to the lower threshold.

The lower threshold must be no greater than the upper threshold.

Related commands: display firewall packet-filter statistics fragments-inspect and firewall packet-filter fragments-inspect.

Examples

# Configure the upper threshold for fragment detection to 3000 and the lower threshold to the default value.

[SecBlade_FW] firewall packet-filter fragments-inspect high 3000

[SecBlade_FW] firewall packet-filter fragments-inspect low default

4.1.9  firewall packet-filter

Syntax

firewall packet-filter acl-number { inbound | outbound } [ match-fragments { normally | exactly } ]

undo firewall packet-filter acl-number { inbound | outbound }

View

Interface view

Parameters

acl-number: ACL number.

inbound: Filters packets received by the interface.

outbound: Filters packets sent from the interface.

match-fragments: Specifies the matching mode of fragments. This argument applies to advanced ACLs only.

normally: Adopts standard matching mode, the default mode. This argument applies to advanced ACLs only.

exactly: Adopts exact matching mode. This argument applies to advanced ACLs only.

Description

Use the firewall packet-filter command to apply ACL to the corresponding interface.

Use the undo firewall packet-filter command to remove the ACL.

An interface-based ACL (numbered 1000 to 1999) can only use the outbound argument. An interface ACL matches packets received from a specific interface and then permits or denies the matched packets being sent from an interface (including the interface that received them).

The packet filter on the CMW platform can filter fragments. It matches and filters all fragments on Layer 3 (IP layer) information, such as source and destination IP address, and additionally supports standard and exact matching against advanced ACL rules that carry extended information (such as TCP/UDP port numbers and ICMP types). Standard matching checks only Layer 3 information, while exact matching checks packets against all fields of the advanced ACL rules. For exact matching, the firewall must therefore obtain and keep the status information of the first fragment so that the fragments that follow can be matched completely.

By default, the standard matching is adopted.

The ACL applied to an interface does not take effect unless you enable the packet filter function.

Related commands: acl, display acl, firewall packet-filter enable, and firewall packet-filter fragments-inspect.

Examples

# Apply ACL 3001 to the GigabitEthernet0/0.2 interface to filter the packets sent from the interface.

[SecBlade_FW-GigabitEthernet0/0.2] firewall packet-filter 3001 outbound
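A model of the fragment status table that fragments-inspect keeps, with the high/low watermark clamping of 4.1.8 and the standard-versus-exact matching of 4.1.9, as an added example (not H3C's code). The threshold range and defaults are the manual's; the record key (source, destination, packet ID), oldest-first eviction and the rule that a later fragment without a first-fragment record cannot match exactly are my assumptions.

```python
"""Fragment status records bounded by watermarks (added example)."""
from collections import OrderedDict
from typing import Optional


class FragmentTable:
    """Layer 4 details learned from first fragments, keyed by flow + packet ID."""

    def __init__(self, high: int = 2000, low: int = 1500):
        for name, value in (("high", high), ("low", low)):
            if not 100 <= value <= 10000:
                raise ValueError(f"{name} threshold must be in the range 100 to 10000")
        if low > high:
            raise ValueError("the lower threshold must be no greater than the upper one")
        self.high, self.low = high, low
        self._records = OrderedDict()    # insertion order = age
        self.clamp_count = 0             # how often clamping was triggered

    def __len__(self) -> int:
        return len(self._records)

    def record_first_fragment(self, src: str, dst: str, pac_id: int,
                              l4_info: dict) -> None:
        """Store the transport-layer fields seen in a first fragment."""
        key = (src, dst, pac_id)
        self._records[key] = l4_info
        self._records.move_to_end(key)   # newest record at the end
        if len(self._records) >= self.high:
            self._clamp()

    def _clamp(self) -> None:
        """Delete the oldest records until the lower threshold is reached."""
        self.clamp_count += 1
        while len(self._records) > self.low:
            self._records.popitem(last=False)

    def lookup(self, src: str, dst: str, pac_id: int) -> Optional[dict]:
        return self._records.get((src, dst, pac_id))


def match_later_fragment(table: FragmentTable, src: str, dst: str, pac_id: int,
                         rule: dict, mode: str = "normally") -> bool:
    """Match a non-first fragment (which carries no Layer 4 header) against
    an advanced ACL rule such as {"src": ..., "dst": ..., "dport": 23}.
    normally: Layer 3 fields only.  exactly: Layer 4 fields too, taken from
    the first-fragment record; with no record the rule cannot match."""
    layer3_ok = rule["src"] == src and rule["dst"] == dst
    if mode == "normally" or "dport" not in rule:
        return layer3_ok
    if mode != "exactly":
        raise ValueError("mode must be 'normally' or 'exactly'")
    state = table.lookup(src, dst, pac_id)
    if state is None:
        return False
    return layer3_ok and state.get("dport") == rule["dport"]


def burst(table: FragmentTable, count: int, src: str, dst: str) -> FragmentTable:
    """Record `count` first fragments with packet IDs 0..count-1 (constructed input)."""
    for pac_id in range(count):
        table.record_first_fragment(src, dst, pac_id, {"dport": 23})
    return table


if __name__ == "__main__":
    # Constructed flow; the addresses are those shown in the manual's fragment display.
    table = FragmentTable(high=3000, low=1500)
    table.record_first_fragment("172.31.48.45", "222.1.1.2", 755, {"dport": 23})
    rule = {"src": "172.31.48.45", "dst": "222.1.1.2", "dport": 23}
    print(match_later_fragment(table, "172.31.48.45", "222.1.1.2", 755, rule, "exactly"))
```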

4.1.10  reset firewall packet-filter statistics

Syntax

reset firewall packet-filter statistics { all | interface type number }

View

User view

Parameters

all: Clears the packet filtering statistics of all interfaces.

interface: Clears the packet filtering statistics of a specified interface.

type number: Interface type and interface number.

Description

Use the reset firewall packet-filter statistics command to clear the packet filter statistics.

Examples

# Clear packet filtering statistics of the interface GigabitEthernet0/0.2.

<SecBlade_FW> reset firewall packet-filter statistics interface GigabitEthernet0/0.2

4.2  ASPF Configuration Commands

4.2.1  aging-time

Syntax

aging-time { syn | fin | tcp | udp } seconds

undo aging-time { syn | fin | tcp | udp }

View

ASPF policy view

Parameters

seconds: Idle timeout of the session entry for the specified keyword: the TCP SYN state, the TCP FIN state, TCP sessions or UDP sessions.

Description

Use the aging-time command to configure the SYN status timeout value and FIN status idle timeout value of TCP, and the session entry idle timeout values of TCP and UDP.

Use the undo aging-time command to restore the timeout value to the default.

Before the aging time expires, the system will retain the connections and the sessions that have been set up.

By default, the timeout time for SYN packets, FIN packets, TCP protocol and UDP protocol are 30 seconds, 30 seconds, 3600 seconds and 30 seconds respectively.

Related commands: display aspf all, display aspf policy, display aspf session and display aspf interface.

Examples

# Configure SYN status timeout value of TCP as 20 seconds.

[SecBlade_FW-aspf-policy-1] aging-time syn 20

# Configure the FIN status timeout value of TCP as 10 seconds.

[SecBlade_FW-aspf-policy-1] aging-time fin 10

# Configure TCP idle timeout value as 3000 seconds.

[SecBlade_FW-aspf-policy-1] aging-time tcp 3000

# Configure UDP idle timeout value as 110 seconds.

[SecBlade_FW-aspf-policy-1] aging-time udp 110

4.2.2  aspf-policy

Syntax

aspf-policy aspf-policy-number

undo aspf-policy aspf-policy-number

View

System view

Parameters

aspf-policy-number: ASPF policy number, ranging from 1 to 99.

Description

Use the aspf-policy command to define an ASPF policy. A defined ASPF policy can be referenced through its policy number.

Examples

# Define an ASPF policy and enter ASPF policy view.

[SecBlade_FW] aspf-policy 1

[SecBlade_FW-aspf-policy-1]

4.2.3  debugging aspf

Syntax

debugging aspf { all | verbose | events | ftp | h323 | rtsp | session | smtp | tcp | timers | udp }

undo debugging aspf { all | verbose | events | ftp | h323 | rtsp | session | smtp | tcp | timers | udp }

View

User view

Parameters

all: Enables all ASPF debugging options.

verbose: Enables detailed debugging.

events: Enables event debugging.

ftp: Enables FTP detection debugging.

h323: Enables H.323 detection debugging.

rtsp: Enables RTSP detection debugging.

session: Enables session debugging.

smtp: Enables SMTP detection debugging.

tcp: Enables TCP detection debugging.

timers: Enables timer debugging.

udp: Enables UDP detection debugging.

Description

Use the debugging aspf command to enable ASPF debugging.

Use the undo debugging aspf command to disable ASPF debugging.

By default, ASPF debugging is disabled.

Related commands: display aspf all, display aspf policy, display aspf session and display aspf interface.

Examples

# Enable all ASPF debugging options.

<SecBlade_FW> debugging aspf all

4.2.4  debugging aspf http

Syntax

debugging aspf http { java-blocking | activex-blocking } { all | error | event | filter | packet }

undo debugging aspf http { java-blocking | activex-blocking } { all | error | event | filter | packet }

View

User view

Parameters

java-blocking: Enables Java Applet blocking debugging.

activex-blocking: Enables ActiveX blocking debugging.

all: Enables all debugging options.

error: Enables error debugging.

event: Enables event debugging.

filter: Enables filtering debugging.

packet: Enables packet debugging.

Description

Use the debugging aspf http java-blocking command to enable Java Applet blocking debugging for HTTP detection.

Use the undo debugging aspf http java-blocking command to disable Java Applet blocking debugging for HTTP detection.

Use the debugging aspf http activex-blocking command to enable ActiveX blocking debugging for HTTP detection.

Use the undo debugging aspf http activex-blocking command to disable ActiveX blocking debugging for HTTP detection.

By default, neither Java Applet blocking debugging nor ActiveX blocking debugging for HTTP detection is enabled.

Examples

# Enable all Java Applet blocking debugging options.

<SecBlade_FW> debugging aspf http java-blocking all

4.2.5  detect

Syntax

detect protocol [ aging-time seconds ]

undo detect protocol

View

ASPF policy view

Parameters

protocol: Name of the protocol supported by ASPF. It can be an application layer protocol like FTP, HTTP, H323, SMTP or RTSP, or a transport layer protocol like TCP or UDP.

seconds: Protocol idle timeout time, in the range 5 to 43200 seconds. By default, it is 3600 seconds for the application layer protocols and the TCP protocol, and is 30 seconds for the UDP protocol.

Description

Use the detect command to specify the protocols that an ASPF policy detects, either application layer protocols or generic TCP/UDP.

Use the undo detect command to cancel the configuration.

When the protocol is HTTP, Java Applet blocking and ActiveX blocking are permitted.

If both the application layer protocol detection and generic TCP/UDP-based detection are configured, the former one has higher priority.

ASPF uses a timeout mechanism to manage the session status information of protocols, so that it can decide when to stop maintaining the session status information or delete a session that cannot be set up normally. The timeout setting is a global setting applicable to all sessions; it protects system resources against malicious exhaustion.

Related commands: display aspf all, display aspf policy, display aspf session and display aspf interface.

Examples

# Specify an ASPF policy for FTP protocol with policy number 1.

[SecBlade_FW] aspf-policy 1

[SecBlade_FW-aspf-policy-1] detect ftp
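A model of how an ASPF policy picks the idle timeout of a session, built from the aging-time defaults in 4.2.1, the detect defaults and range in 4.2.5, and the rule that application layer detection outranks generic TCP/UDP detection; an added example, not H3C's code. The session states, the precedence of a per-protocol detect aging-time over the policy-level aging-time tcp/udp value, and the sample session list are my assumptions.

```python
"""Timeout selection and aging for ASPF sessions (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

APP_PROTOCOLS = ("ftp", "http", "h323", "smtp", "rtsp")


@dataclass
class AspfPolicy:
    number: int
    # aging-time { syn | fin | tcp | udp } defaults from 4.2.1
    aging: Dict[str, int] = field(
        default_factory=lambda: {"syn": 30, "fin": 30, "tcp": 3600, "udp": 30})
    detect: Dict[str, int] = field(default_factory=dict)   # protocol -> seconds

    def set_aging_time(self, kind: str, seconds: int) -> None:
        """aging-time { syn | fin | tcp | udp } seconds"""
        if kind not in self.aging:
            raise ValueError("kind must be syn, fin, tcp or udp")
        self.aging[kind] = seconds

    def detect_protocol(self, protocol: str, aging_time: Optional[int] = None) -> None:
        """detect protocol [ aging-time seconds ]: 5..43200, default 3600
        for application protocols and TCP, 30 for UDP."""
        protocol = protocol.lower()
        if protocol not in APP_PROTOCOLS + ("tcp", "udp"):
            raise ValueError(f"ASPF does not detect {protocol}")
        if aging_time is None:
            aging_time = 30 if protocol == "udp" else 3600
        elif not 5 <= aging_time <= 43200:
            raise ValueError("aging-time must be in the range 5 to 43200 seconds")
        self.detect[protocol] = aging_time

    def session_timeout(self, transport: str, app: Optional[str] = None,
                        state: str = "established") -> int:
        """Idle timeout that applies to one session under this policy."""
        if transport == "tcp" and state in ("syn", "fin"):
            return self.aging[state]          # half-open or closing TCP
        if app in self.detect:
            return self.detect[app]           # application layer detection wins
        if transport in self.detect:
            return self.detect[transport]     # generic tcp/udp detection (assumed precedence)
        return self.aging[transport]          # policy-level aging-time


def hms(seconds: int) -> str:
    """Format as in display aspf session verbose (Timeout 00:00:30)."""
    hours, rem = divmod(seconds, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{secs:02d}"


def time_left(policy: AspfPolicy, transport: str, app: Optional[str],
              state: str, idle_seconds: int) -> int:
    """Seconds until the session ages out, given how long it has been idle."""
    return max(policy.session_timeout(transport, app, state) - idle_seconds, 0)


def expired_sessions(policy: AspfPolicy, sessions: List[dict], now: int) -> List[str]:
    """IDs of sessions whose idle time (now - last_seen) has reached the timeout."""
    return [s["id"] for s in sessions
            if now - s["last_seen"] >= policy.session_timeout(
                s["transport"], s.get("app"), s.get("state", "established"))]


if __name__ == "__main__":
    policy = AspfPolicy(1)
    policy.detect_protocol("ftp")          # [SecBlade_FW-aspf-policy-1] detect ftp
    policy.detect_protocol("udp")
    print(hms(policy.session_timeout("tcp", "ftp")))   # 01:00:00
    print(hms(time_left(policy, "udp", None, "established", 20)))   # 00:00:10
```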

4.2.6  detect http

Syntax

detect http [ java-blocking [ acl-number1 ] | activex-blocking [ acl-number2 ] ]* [ aging-time seconds ]

undo detect http [ java-blocking | activex-blocking ]*

View

ASPF policy view

Parameters

java-blocking: Indicates to block Java Applets.

acl-number1: Number of a basic ACL, in the range of 2000 to 2999. If this argument is not specified, all Java Applets are blocked.

activex-blocking: Indicates to block ActiveX controls.

acl-number2: Number of a basic ACL, in the range of 2000 to 2999. If this argument is not specified, all ActiveX controls are blocked.

seconds: Protocol idle timeout time, in the range 5 to 43200 seconds. By default, it is 3600 seconds for the application layer protocols and the TCP protocol, and is 30 seconds for the UDP protocol.

Description

Use the detect http command to configure the detection of the HTTP protocol and the blocking of Java Applet and ActiveX controls.

Use the undo detect http command to cancel the detection.

Currently, the Java-blocking function can only be used to filter the Java requests with a “.class” suffix among HTTP requests.

By default, HTTP is not detected.

Examples

# Configure the ASPF policy to detect HTTP and block all ActiveX controls and the Java Applet from the server at 10.1.1.1.

[SecBlade_FW] acl number 2000

[SecBlade_FW-acl-basic-2000] rule permit source 10.1.1.1 0

[SecBlade_FW-acl-basic-2000] rule deny source any

[SecBlade_FW-acl-basic-2000] quit

[SecBlade_FW] aspf-policy 1

[SecBlade_FW-aspf-policy-1] detect http activex-blocking java-blocking 2000

4.2.7  display aspf all

Syntax

display aspf all

View

Any view

Parameters

None

Description

Use the display aspf all command to display the information about all ASPF policies and sessions.

Examples

# Display the information about all ASPF policies and sessions.

[SecBlade_FW] display aspf all

[ASPF Policy Configuration]

  Policy Number 1:

    Log:                 disable

    SYN timeout:         30    s

    FIN timeout:         30    s

    TCP timeout:         3600  s

    UDP timeout:         30    s

    Detect Protocols:

      h323 timeout 3600

      rtsp timeout 3600

      http  timeout 3600

      smtp timeout 3600

      ftp  timeout 3600

      tcp  timeout 3600

      udp  timeout 30

 

[Interface Configuration]

   Interface                      InboundPolicy   OutboundPolicy

 ---------------------------------------------------------------

 GigabitEthernet0/0.1                  none            1

Table 4-1 Description on the fields of the display aspf all command

  Field               Description
  ------------------  --------------------------------------------------------------------
  Log                 Indicates whether the session logging function is enabled
  SYN timeout         The timeout value of the SYN status in TCP connection is 30 seconds
  FIN timeout         The timeout value of the FIN status in TCP connection is five seconds
  TCP timeout         The idle timeout value of TCP sessions is 3600 seconds
  UDP timeout         The idle timeout value of UDP sessions is 30 seconds
  Detect Protocols    Protocols detected by the ASPF policies
  InboundPolicy       Inbound ASPF policies
  OutboundPolicy      Outbound ASPF policies


4.2.8  display aspf interface

Syntax

display aspf interface

View

Any view

Parameters

None

Description

Use the display aspf interface command to display the interface configuration of the ASPF policy.

Examples

# Display the interface configuration of the ASPF policy.

[SecBlade_FW] display aspf interface

[Interface Configuration]

   Interface                      InboundPolicy   OutboundPolicy

 ---------------------------------------------------------------

   GigabitEthernet0/0.1                  none            1

Table 4-2 Description on the fields of the display aspf interface command

  Field               Description
  ------------------  -------------------------
  InboundPolicy       Inbound ASPF policies
  OutboundPolicy      Outbound ASPF policies


4.2.9  display aspf policy

Syntax

display aspf policy aspf-policy-number

View

Any view

Parameters

aspf-policy-number: ASPF policy number, ranging from 1 to 99.

Description

Use the display aspf policy command to display the configuration of a specific ASPF policy.

Examples

# Display the configuration of the ASPF policy with policy number 1.

[SecBlade_FW] display aspf policy 1

[ASPF Policy Configuration]

  Policy Number 1:

    Log:                 disable

    SYN timeout:         30    s

    FIN timeout:         30    s

    TCP timeout:         3600  s

    UDP timeout:         30    s

    Detect Protocols:

      h323 timeout 3600

      rtsp timeout 3600

      http  timeout 3600

      smtp timeout 3600

      ftp  timeout 3600

      tcp  timeout 3600

      udp  timeout 30

Refer to Table 4-1 for the description on the fields above.

4.2.10  display aspf session

Syntax

display aspf session [ verbose ] [ vpn-instance vpn-instance-name ]

View

Any view

Parameters

verbose: Displays the detailed information of ASPF session tables.

vpn-instance-name: Name of the VPN instance.

Description

Use the display aspf session command to display information about the ASPF session table of a specified VPN instance or all ASPF session tables.

The display aspf session command and the display firewall session table command display two different session tables. These two session tables have different default aging times. A data flow may be present in the ASPF session table but may be aged out in the firewall session table, and vice versa.

Examples

# Display information about the current ASPF session table of VPN instance vpntest.

[FireWall] display aspf session vpn-instance vpntest

Total session number:2

Syn-list session number:0

Fin-list session munber:0

[Established Sessions]

VPN-instance  Session Initiator             Responder      Application Status

vpntest        212BA84 169.254.1.121:1427 169.254.1.52:0 ftp-data    TCP_DOWN

vpntest        2B738C4 169.254.1.121:1426 169.254.1.52:21 ftp    FTP_CONXN_UP

# Display the detailed information of the current ASPF session table of VPN instance vpntest.

[FireWall] display aspf session verbose vpn-instance vpntest

[Session 0x256E5B24]

Total session number:1

Syn-list session number:0

Fin-list session munber:0

VPN-Instance: vpntest

Initiator: 1.1.1.4:1024           Responder: 2.1.1.2:1719

Application protocol: unknown     Status: UDP_OPENING

Transport protocol: 17            Port: 1719

Child: 0x0                        Parent: 0x0

Interface: GigabitEthernet0/0     Direction: inbound

Timeout 00:00:30                  Time left 00:00:10

Initiator Bytes/Packets sent: 110/1

Responder Bytes/Packets sent: 0/0

Initiator tcp SeqNumber/AckNumber: 0/0

Responder tcp SeqNumber/AckNumber: 0/0

4.2.11  display aspf statistics

Syntax

display aspf statistics

View

Any view

Parameters

None

Description

Use the display aspf statistics command to display ASPF statistics.

Examples

# Display ASPF statistics.

<SecBlade_FW> display aspf statistics

ASPF Syn list full occur times:0

ASPF Hash list full occur times:0

ASPF Tacl list full occur times:0

ASPF Session table full occur times:0

ASPF Fin list error occur times:0

4.2.12  display firewall fragment

Syntax

display firewall fragment [ vpn-instance vpn-instance-name ]

View

Any view

Parameters

vpn-instance-name: Name of the VPN instance.

Description

Use the display firewall fragment command to display information about the fragment table of the specified VPN instance or all fragment tables.

Examples

# Display information about the fragment table of VPN instance vpntest.

[FireWall] display firewall fragment vpn-instance vpntest

172.31.48.45<--222.1.1.2

vpn-instance: vpntest : PacID: 758,    ttl:  00:00:05    left:  00:00:01

172.31.48.45-->222.1.1.2

vpn-instance: vpntest : PacID: 755,    ttl:  00:00:05    left:  00:00:01

172.31.48.45-->222.1.1.2

vpn-instance: vpntest : PacID: 756,    ttl:  00:00:05    left:  00:00:01

172.31.48.45-->222.1.1.2

vpn-instance: vpntest : PacID: 757,    ttl:  00:00:05    left:  00:00:01

172.31.48.45-->222.1.1.2

vpn-instance: vpntest : PacID: 758,    ttl:  00:00:05    left:  00:00:01

172.31.48.45-->222.1.1.2

vpn-instance: vpntest : PacID: 759,    ttl:  00:00:05    left:  00:00:01

4.2.13  display firewall session aging-time

Syntax

display firewall session aging-time

View

Any view

Parameters

None

Description

Use the display firewall session aging-time command to display the session timeout time of all protocols.

Related commands: firewall session aging-time, firewall session aging-time default.

Examples

# Display the session timeout time of all protocols.

[SecBlade_FW] display firewall session aging-time

Firewall aging-time value information:

       tcp ---- aging-time value is    240 (seconds)

       udp ---- aging-time value is     40 (seconds)

      icmp ---- aging-time value is     20 (seconds)

    finrst ---- aging-time value is     10 (seconds)

       syn ---- aging-time value is      5 (seconds)

  fragment ---- aging-time value is      5 (seconds)

     h.323 ---- aging-time value is    600 (seconds)

       ftp ---- aging-time value is    600 (seconds)

       ras ---- aging-time value is    600 (seconds)

      http ---- aging-time value is    240 (seconds)

      smtp ---- aging-time value is     40 (seconds)

      rtsp ---- aging-time value is    240 (seconds)

    telnet ---- aging-time value is    240 (seconds)

   netbios ---- aging-time value is    240 (seconds)

4.2.14  display firewall session table

Syntax

display firewall session table [ verbose ] [ vpn-instance vpn-instance-name ] [ source ip-address ] [ destination ip-address ]

View

Any view

Parameters

verbose: Displays the detailed information of firewall session tables.

source ip-address: Source IP address of the session.

destination ip-address: Destination IP address of the session.

vpn-instance-name: Name of the VPN instance.

Description

Use the display firewall session table command to display information about the firewall session table of the specified VPN instance or all firewall session tables.

The display aspf session command and the display firewall session table command display two different session tables. These two session tables have different default aging times. A data flow may be present in the ASPF session table but be aged out in the firewall session table, and vice versa.

Once aged out, a firewall session transitions to the timeout state and will be removed later. The period of the firewall session from timeout to removal varies with network applications.

Examples

# Display information about the current firewall session table of VPN instance vpntest.

[FireWall] display firewall session table vpn-instance vpntest

vpn-instance: vpntest Total session number: 8

vpn-instance: vpntest

HTTP:192.168.4.1:80<--192.168.4.8:3391

vpn-instance: vpntest

HTTP:192.168.4.1:80<--192.168.4.8:3392

vpn-instance: vpntest

HTTP:192.168.4.1:80<--192.168.4.8:3387

vpn-instance: vpntest

NBT datagram:192.168.4.255:138<--192.168.4.8:138

vpn-instance: vpntest

HTTP:192.168.4.1:80<--192.168.4.8:3396

vpn-instance: vpntest

NBT name:192.168.4.255:137<--192.168.4.8:137

vpn-instance: vpntest

HTTP:192.168.4.1:80<--192.168.4.8:3389

vpn-instance: vpntest

HTTP:192.168.4.1:80<--192.168.4.8:3398

# Display the detailed information of the current firewall session table of VPN instance vpntest.

[FireWall] display firewall session table vpn-instance vpntest verbose

 vpn-instance: vpntest Total session number: 1

   tcp, FTP,

   172.31.48.45:21<--222.1.1.2:1033

   tag: 0,    ttl:  01:00:00    left:  00:59:59
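The following added Python code (not part of the H3C manual) parses the summary output of display firewall session table shown above and counts sessions per application and per initiator, which is a quick way to spot a single host holding many entries in a VPN instance's session table. It assumes the summary line format application:responder-ip:port<--initiator-ip:port, with the initiator to the right of the arrow as in the Initiator/Responder columns of display aspf session.

```python
import re
from collections import Counter

# A summary line of "display firewall session table":
#   <application>:<responder-ip>:<port><--<initiator-ip>:<port>
# Assumption: the host left of "<--" is the responder and the host on the
# right is the initiator, matching the Initiator/Responder columns that
# "display aspf session" prints for the same kind of flow.
SESSION_LINE = re.compile(
    r"^\s*(?P<app>[^:]+):(?P<resp_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<resp_port>\d+)"
    r"<--(?P<init_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<init_port>\d+)\s*$"
)
# "vpn-instance: vpntest" (the first such line also carries the total count)
VPN_LINE = re.compile(r"^\s*vpn-instance:\s*(?P<vpn>\S+)")


def parse_session_table(output):
    """Return one dict per session, tagged with the vpn-instance printed before it."""
    sessions, vpn = [], None
    for line in output.splitlines():
        m = VPN_LINE.match(line)
        if m:
            vpn = m.group("vpn")
            continue
        m = SESSION_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["app"] = rec["app"].strip()
            rec["resp_port"] = int(rec["resp_port"])
            rec["init_port"] = int(rec["init_port"])
            rec["vpn"] = vpn
            sessions.append(rec)
    return sessions


def count_by(sessions, field):
    """Count sessions per value of one field, e.g. "app" or "init_ip"."""
    return Counter(s[field] for s in sessions)


def busy_initiators(output, threshold):
    """Initiators holding at least `threshold` sessions, as {ip: count}.
    A host approaching a VPN instance's "firewall session limit" shows up here."""
    counts = count_by(parse_session_table(output), "init_ip")
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Sample input: the summary output shown in the example above.
SAMPLE_OUTPUT = """\
vpn-instance: vpntest Total session number: 8
vpn-instance: vpntest
HTTP:192.168.4.1:80<--192.168.4.8:3391
vpn-instance: vpntest
HTTP:192.168.4.1:80<--192.168.4.8:3392
vpn-instance: vpntest
HTTP:192.168.4.1:80<--192.168.4.8:3387
vpn-instance: vpntest
NBT datagram:192.168.4.255:138<--192.168.4.8:138
vpn-instance: vpntest
HTTP:192.168.4.1:80<--192.168.4.8:3396
vpn-instance: vpntest
NBT name:192.168.4.255:137<--192.168.4.8:137
vpn-instance: vpntest
HTTP:192.168.4.1:80<--192.168.4.8:3389
vpn-instance: vpntest
HTTP:192.168.4.1:80<--192.168.4.8:3398
"""

if __name__ == "__main__":
    sessions = parse_session_table(SAMPLE_OUTPUT)
    print("per application:", dict(count_by(sessions, "app")))
    print("initiators with >= 5 sessions:", busy_initiators(SAMPLE_OUTPUT, 5))
```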

4.2.15  display port-mapping

Syntax

display port-mapping [ application-name | port port-number ]

View

Any view

Parameters

application-name: Specifies the name of the application for port mapping. The applications include FTP, HTTP, H323, SMTP, and RTSP.

port-number: Port number, in the range 0 to 65535.

Description

Use the display port-mapping command to display port mapping information.

Related commands: port-mapping.

Examples

# Display all port mapping information.

[SecBlade_FW] display port-mapping

  SERVICE    PORT       ACL        TYPE

 -------------------------------------------------

  ftp          21                  system defined

  smtp         25                  system defined

  http         80                  system defined

  rtsp        554                  system defined

  h323       1720                  system defined

4.2.16  firewall aspf

Syntax

firewall aspf aspf-policy-number { inbound | outbound } [ vpn-instance vpn-instance-name ]

undo firewall aspf aspf-policy-number { inbound | outbound } [ vpn-instance vpn-instance-name ]

View

Interface view

Parameters

aspf-policy-number: Number of the ASPF policy applied to the interface.

inbound: Applies the ASPF policy in the inbound traffic direction on the interface.

outbound: Applies the ASPF policy in the outbound traffic direction on the interface.

vpn-instance-name: Name of the VPN instance applied to the interface.

Description

Use the firewall aspf command to apply an ASPF policy in the specified traffic direction on the interface.

Use the undo firewall aspf command to remove the configuration.

An ASPF policy distinguishes two kinds of interface: internal and external. If the security gateway connects the internal network to the Internet and ASPF is used to protect the servers in the internal network, the interface through which the security gateway connects to the internal network is the internal interface, and the interface through which it connects to the Internet is the external interface.

With the vpn-instance keyword specified, this command applies an ASPF policy only to the specified VPN instance.

Examples

# Configure an ASPF policy for VPN instance vpntest in the outbound direction of GigabitEthernet 0/0.300.

[FireWall-GigabitEthernet0/0.300] firewall aspf 1 outbound vpn-instance vpntest

4.2.17  firewall session aging-time

Syntax

firewall session aging-time { fin-rst | fragment | ftp | h323 | http | icmp | netbios | ras | rtsp | smtp | syn | tcp | telnet | udp } { default | seconds }

View

System view

Parameters

default: Restores the default timeout time for the specified protocol.

seconds: Timeout time for the specified protocol, in seconds.

The default timeout times for the protocols are as follows:

fin-rst: 10 seconds

fragment: 5 seconds

ftp: 600 seconds

h323: 600 seconds

http: 240 seconds

icmp: 20 seconds

netbios: 240 seconds

ras: 600 seconds

rtsp: 240 seconds

smtp: 40 seconds

syn: 5 seconds

tcp: 240 seconds

telnet: 240 seconds

udp: 40 seconds

Description

Use the firewall session aging-time command to set the session timeout time for the specified protocol.

Related commands: firewall session aging-time default and display firewall session aging-time.

Examples

# Set the session timeout time for the HTTP protocol to 1200 seconds.

[SecBlade_FW] firewall session aging-time http 1200
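The following added Python script (not part of the H3C manual) parses the output of display firewall session aging-time and reports every protocol whose timeout differs from the defaults listed for this command, so a baseline check catches drift such as the 1200-second HTTP timeout set in the example. The mapping of the two display names finrst and h.323 back to the configuration keywords is an assumption taken from the sample output of display firewall session aging-time.

```python
import re

# Default session aging times (seconds) listed under
# "firewall session aging-time" in this manual.
DEFAULT_AGING_TIME = {
    "fin-rst": 10, "fragment": 5, "ftp": 600, "h323": 600, "http": 240,
    "icmp": 20, "netbios": 240, "ras": 600, "rtsp": 240, "smtp": 40,
    "syn": 5, "tcp": 240, "telnet": 240, "udp": 40,
}

# "display firewall session aging-time" prints two names differently from
# the configuration keywords (assumption based on the sample output).
DISPLAY_NAME_TO_KEYWORD = {"finrst": "fin-rst", "h.323": "h323"}

# e.g. "       tcp ---- aging-time value is    240 (seconds)"
AGING_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s+----\s+aging-time value is\s+(?P<secs>\d+)\s+\(seconds\)\s*$"
)


def parse_aging_times(output):
    """Parse 'display firewall session aging-time' output into {keyword: seconds}."""
    timeouts = {}
    for line in output.splitlines():
        m = AGING_LINE.match(line)
        if m:
            name = m.group("name").lower()
            keyword = DISPLAY_NAME_TO_KEYWORD.get(name, name)
            timeouts[keyword] = int(m.group("secs"))
    return timeouts


def aging_time_drift(output):
    """Return {keyword: (configured, default)} for each protocol whose timeout
    differs from the manual's default. A protocol missing from the output is
    reported with configured=None so a truncated capture is not read as clean.
    Longer timeouts keep entries in the session table longer, which matters
    when a VPN instance runs under "firewall session limit"."""
    configured = parse_aging_times(output)
    drift = {}
    for keyword, default in DEFAULT_AGING_TIME.items():
        current = configured.get(keyword)
        if current != default:
            drift[keyword] = (current, default)
    return drift


# Constructed sample: the manual's example output after
# "firewall session aging-time http 1200" and "firewall session aging-time udp 300".
SAMPLE_OUTPUT = """\
Firewall aging-time value information:
       tcp ---- aging-time value is    240 (seconds)
       udp ---- aging-time value is    300 (seconds)
      icmp ---- aging-time value is     20 (seconds)
    finrst ---- aging-time value is     10 (seconds)
       syn ---- aging-time value is      5 (seconds)
  fragment ---- aging-time value is      5 (seconds)
     h.323 ---- aging-time value is    600 (seconds)
       ftp ---- aging-time value is    600 (seconds)
       ras ---- aging-time value is    600 (seconds)
      http ---- aging-time value is   1200 (seconds)
      smtp ---- aging-time value is     40 (seconds)
      rtsp ---- aging-time value is    240 (seconds)
    telnet ---- aging-time value is    240 (seconds)
   netbios ---- aging-time value is    240 (seconds)
"""

if __name__ == "__main__":
    for keyword, (current, default) in sorted(aging_time_drift(SAMPLE_OUTPUT).items()):
        print(f"{keyword}: configured {current}s, default {default}s")
```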

4.2.18  firewall session aging-time default

Syntax

firewall session aging-time default

View

System view

Parameters

None

Description

Use the firewall session aging-time default command to restore the session timeout time of all protocols to the default.

Related commands: firewall session aging-time and display firewall session aging-time.

Examples

# Restore the session timeout time of all protocols to the default.

[SecBlade_FW] firewall session aging-time default

4.2.19  log enable

Syntax

log enable

undo log enable

View

ASPF policy view

Description

Use the log enable command to enable the ASPF session logging function.

Use the undo log enable command to disable the ASPF session logging function.

By default, the session logging function is disabled.

ASPF provides an enhanced session logging function that can log all connections, including the connection time, source address, destination address, port in use, and number of bytes transmitted.

Related commands: display aspf all, display aspf policy, display aspf session, display aspf interface.

Examples

# Enable the ASPF session logging function.

[SecBlade_FW-aspf-policy-1] log enable

4.2.20  port-mapping

Syntax

port-mapping application-name port port-number [ acl acl-number ]

undo port-mapping [ application-name port port-number [ acl acl-number ] ]

View

System view

Parameters

application-name: Name of the application protocol, which can be FTP, HTTP, H323, SMTP, or RTSP.

port-number: Port number, in the range 0 to 65535.

acl-number: Number of the basic ACL, in the range 2000 to 2999.

Description

Use the port-mapping command to establish a mapping between the port and the application layer protocol.

Use the undo port-mapping command to delete the mapping entry.

Two mapping mechanisms are available: general port mapping and host port mapping based on a basic ACL. The former maps a user-defined port number to an application protocol; for example, mapping port 8080 to HTTP makes all TCP packets destined to port 8080 be regarded as HTTP packets. The latter maps a user-defined port number to an application protocol only for the packets of specific hosts; for example, you can map TCP packets that use port 8080 and are destined to hosts on the network segment 1.1.0.0 to HTTP packets. The range of hosts is specified by the basic ACL.

Related commands: display port-mapping.

Examples

# Map port 3456 to FTP. (With this configuration, all packets destined to port 3456 are regarded as FTP packets.)

[SecBlade_FW] port-mapping ftp port 3456

4.2.21  reset aspf session

Syntax

reset aspf session

View

User view

Parameters

None

Description

Use the reset aspf session command to clear ASPF session information.

Examples

# Clear ASPF session information.

<SecBlade_FW> reset aspf session

4.2.22  reset aspf statistic http

Syntax

reset aspf statistic http [ java-blocking | activex-blocking ]

View

User view

Parameters

java-blocking: Clears Java-blocking statistics.

activex-blocking: Clears ActiveX-blocking statistics.

Description

Use the reset aspf statistic http command to clear Java-blocking and ActiveX-blocking statistics.

If neither keyword is specified, both Java-blocking and ActiveX-blocking statistics are cleared.

Examples

# Clear Java-blocking statistics.

<SecBlade_FW> reset aspf statistic http java-blocking

4.2.23  reset firewall session table

Syntax

reset firewall session table [ vpn-instance vpn-instance-name ]

View

User view

Parameters

vpn-instance-name: Name of the VPN instance.

Description

Use the reset firewall session table command to clear the firewall session table of the specified VPN instance or all the firewall session tables.

Examples

# Clear the firewall session table of VPN instance vpntest.

<FireWall> reset firewall session table vpn-instance vpntest

4.3  VPN Instance Configuration Commands

4.3.1  firewall session limit

Syntax

firewall session limit percentage

undo firewall session limit

View

vpn-instance view

Parameters

percentage: Maximum number of firewall sessions available to the VPN instance, as a percentage of the total sessions in the system.

Description

Use the firewall session limit command to specify the maximum number of firewall sessions for a VPN instance.

Use the undo firewall session limit command to cancel the limitation.

By default, no limitation is set for a VPN instance.

Examples

# Set the maximum number of firewall sessions of VPN instance fw1 to 30% of the total sessions in the system.

[Firewall-vpn-fw1] firewall session limit 30

4.3.2  firewall fragment limit

Syntax

firewall fragment limit percentage

undo firewall fragment limit

View

vpn-instance view

Parameters

percentage: Maximum number of firewall fragment tables available to the VPN instance, as a percentage of the total fragment tables in the system.

Description

Use the firewall fragment limit command to specify the maximum number of firewall fragment tables for a VPN instance.

Use the undo firewall fragment limit command to cancel the limitation.

By default, no limitation is set for a VPN instance.

Examples

# Set the maximum number of firewall fragment tables of VPN instance fw1 to 30% of the total fragment tables in the system.

[Firewall-vpn-fw1] firewall fragment limit 30

4.3.3  aspf session limit

Syntax

aspf session limit percentage

undo aspf session limit

View

vpn-instance view

Parameters

percentage: Maximum number of ASPF sessions available to the VPN instance, as a percentage of the total sessions in the system.

Description

Use the aspf session limit command to specify the maximum number of ASPF sessions for a VPN instance.

Use the undo aspf session limit command to cancel the limitation.

By default, no limitation is set for a VPN instance.

Examples

# Set the maximum number of ASPF sessions of VPN instance fw1 to 30% of the total sessions in the system.

[Firewall-vpn-fw1] aspf session limit 30

4.4  Blacklist Configuration Commands

4.4.1  debugging firewall blacklist

Syntax

debugging firewall blacklist { all | item | packet }

undo debugging firewall blacklist { all | item | packet }

View

User view

Parameters

all: Enables all black list debugging options.

item: Enables debugging for changes to black list entries.

packet: Enables packet debugging for the black list.

Description

Use the debugging firewall blacklist command to enable black list debugging for the SecBlade.

Use the undo debugging firewall blacklist command to disable black list debugging.

By default, black list debugging is disabled.

Related commands: display debugging.

Examples

# Enable all black list debugging options.

<SecBlade_FW> debugging firewall blacklist all

4.4.2  display firewall blacklist

Syntax

display firewall blacklist { enable | item [ sour-addr ] }

View

Any view

Parameters

enable: Displays the running status of the black list.

item sour-addr: Displays a specific entry (with the IP address sour-addr) or all the black list entries.

Description

Use the display firewall blacklist command to display the running status and entries of the black list on the SecBlade. Specify the item [ sour-addr ] keyword to view black list entries: without an IP address, the summary information of all current black list entries is displayed; with an IP address, the detailed information of that black list entry is displayed.

Examples

# Display the summary information of all black list entries.

<SecBlade_FW> display firewall blacklist item

Firewall blacklist items :

Current manual insert items:2

Current automatic insert items:0

Need aging items:1

 192.168.1.1

 20.202.16.5

# Display detailed information of a specific black list entry.

<SecBlade_FW> display firewall blacklist item 192.168.1.1

Firewall blacklist items : 192.168.1.1

 Insert reason : Manual

 Insert time : 2003/06/11 08:04:56

 Age action : Aging

 Age time : 100 minutes

# Display the running status of the black list.

<SecBlade_FW> display firewall blacklist enable

Blacklist is Disabled

4.4.3  firewall blacklist

Syntax

firewall blacklist { enable | sour-addr [ timeout minutes ] }

undo firewall blacklist [ enable | sour-addr ]

View

System view

Parameters

enable: Enables the black list function.

sour-addr: IP address to be added into the black list.

timeout minutes: Specifies the timeout time of the entry, in minutes. The minutes argument ranges from 1 to 1000.

Description

Use the firewall blacklist command to enable the black list function, or add black list entries.

Use the undo firewall blacklist command to disable the black list function, or remove a black list entry.

Examples

# Add a black list entry for IP address 192.168.10.10 with a timeout time of 100 minutes.

[SecBlade_FW] firewall blacklist item 192.168.10.10 timeout 100

# Enable the black list function.

[SecBlade_FW] firewall blacklist enable

4.5  MAC and IP Address Binding Configuration Commands

4.5.1  debugging firewall mac-binding

Syntax

debugging firewall mac-binding { all | item | packet }

undo debugging firewall mac-binding { all | item | packet }

View

User view

Parameters

all: Enables all debugging options.

item: Enables debugging for changes of address binding entries.

packet: Enables packet debugging for address binding entries.

Description

Use the debugging firewall mac-binding command to enable address binding debugging on the SecBlade.

Use the undo debugging firewall mac-binding command to disable address binding debugging.

By default, address binding debugging is disabled.

Related commands: display debugging.

Examples

# Enable all address binding debugging options.

<SecBlade_FW> debugging firewall mac-binding all

4.5.2  display firewall mac-binding

Syntax

display firewall mac-binding { enable | item [ ip-addr ] [ statistic ] }

View

Any view

Parameters

enable: Displays the running status of address binding.

item: Displays address binding entries.

ip-addr: Entry with the specified IP address.

statistic: Displays address binding statistics.

Description

Use the display firewall mac-binding command to display the running status and entries of address binding on the SecBlade. Specify the item [ ip-addr ] keyword to view address binding entries: without an IP address, the summary information of all current address binding entries is displayed; with an IP address, the detailed information of that entry is displayed. Specify the enable keyword to view the running status of address binding.

Examples

# Display the summary information of all the address binding entries.

<SecBlade_FW> display firewall mac-binding item

Firewall mac-binding items :

Current items:2

 192.168.1.1     00e0-0f0c-1149

 20.202.16.5     0adc-0e0f-23ed

# Display the detailed information of a specific address binding entry.

<SecBlade_FW> display firewall mac-binding item 192.168.1.1

Firewall mac-binding items :

 192.168.1.1     00e0-0f0c-1149

# Display the running status of address binding.

<SecBlade_FW> display firewall mac-binding enable

Mac-binding is Disabled

# Display address binding statistics.

<SecBlade_FW> display firewall mac-binding item statistic

Firewall Mac-binding item(s) :

Current items : 1

      IP Address       Mac                 True Pkts          False Pkts

     192.168.1.2  000f-1f73-fec5                   0                   57

4.5.3  firewall mac-binding

Syntax

firewall mac-binding ip-addr mac-addr

undo firewall mac-binding [ ip-addr ]

View

System view

Parameters

ip-addr: IP address of an address binding pair.

mac-addr: MAC address of an address binding pair.

Description

Use the firewall mac-binding command to add a MAC binding entry.

Use the undo firewall mac-binding command to remove a MAC binding entry.

If the ip-addr argument is specified in the undo firewall mac-binding command, only that binding entry is removed; otherwise, all binding entries are removed.

Examples

# Add an address binding entry with IP address 192.168.10.10 and MAC address 00e0-0000-0001.

[SecBlade_FW] firewall mac-binding 192.168.10.10 00e0-0000-0001

# Enable the address binding function.

[SecBlade_FW] firewall mac-binding enable

4.5.4  firewall mac-binding enable

Syntax

firewall mac-binding enable

undo firewall mac-binding enable

View

System view

Parameters

enable: Enables the address binding function.

Description

Use the firewall mac-binding enable command to enable the MAC address binding function.

Use the undo firewall mac-binding enable command to disable the MAC address binding function.

Examples

# Enable the MAC address binding function.

[SecBlade_FW] firewall mac-binding enable

4.5.5  reset firewall mac-binding

Syntax

reset firewall mac-binding item [ ip-addr ] statistic

View

User view

Parameters

item: Indicates MAC and IP address binding entries.

ip-addr: IP address of a specified address binding entry.

statistic: Clears MAC and IP address binding statistics.

Description

Use the reset firewall mac-binding command to clear MAC and IP address binding statistics.

Examples

# Clear all the MAC and IP address binding statistics.

<SecBlade_FW> reset firewall mac-binding item statistic

4.6  Security Zone Configuration Commands

4.6.1  add interface

Syntax

add interface interface-type interface-number

undo add interface interface-type interface-number

View

Zone view

Parameters

interface-type interface-number: Interface type and interface number.

Description

Use the add interface command to add an interface into the security zone.

Use the undo add interface command to remove the interface from the security zone.

An interface can belong to only one security zone. You need to remove the interface from the former security zone before adding it to another security zone.

By default, no interface belongs to any security zone.

For interworking between the SecBlade and other devices, you need to add corresponding interfaces to a security zone.

Examples

# Move the GigabitEthernet0/0.1 interface from the trust zone to the DMZ.

[SecBlade_FW] firewall zone trust

[SecBlade_FW-zone-trust] undo add interface GigabitEthernet0/0.1

[SecBlade_FW-zone-trust] quit

[SecBlade_FW] firewall zone DMZ

[SecBlade_FW-zone-DMZ] add interface GigabitEthernet0/0.1

4.6.2  display interzone

Syntax

display interzone [ zone1 zone2 ]

View

Any view

Parameters

zone1 zone2: Security zone names. With this argument specified, the inter-zone configuration between zone1 and zone2 is displayed.

Description

Use the display interzone command to display the inter-zone configuration.

If no argument is specified, all inter-zone information is displayed.

Examples

# Display the inter-zone configuration between the trust zone and untrust zone.

<SecBlade_FW> display interzone trust untrust

4.6.3  display zone

Syntax

display zone [ zone-name ] [ interface | priority ]

View

Any view

Parameters

zone-name: Security zone name. Four security zones are predefined in the system, namely, trust, untrust, DMZ, and local.

interface: Displays the interfaces in the security zone.

priority: Displays the priority of the security zone.

Description

Use the display zone command to display the interfaces in the security zone and the priority of the security zone.

Examples

# Display the priority of all the security zones.

<SecBlade_FW> display zone priority

local

 priority is 100

#

trust

 priority is 85

#

untrust

 priority is 5

#

DMZ

 priority is 50

#

4.6.4  set priority

Syntax

set priority number

View

Zone view

Parameters

number: Priority value of the security zone, in the range 1 to 100.

Description

Use the set priority command to set the priority value of the security zone. A higher priority value means a higher security level.

Four security zones are predefined in the system, namely, local, trust, untrust and DMZ. You cannot change their priority values. The set priority command is only used to set and modify the priority values of the newly defined security zones.

No access restriction is imposed between security zones, and security zones do not support policy configuration. To implement access control, configure the corresponding interfaces in the security zone.

By default, the priority value for the local zone is 100; that for the trust zone is 85; that for untrust zone is 5; that for DMZ is 50.

Examples

# Set the priority value of the security zone newzone to 70.

[SecBlade_FW] firewall zone newzone

[SecBlade_FW-zone-newzone] set priority 70

4.6.5  firewall interzone

Syntax

firewall interzone zone1 zone2

View

System view

Parameters

zone1: Security zone name.

zone2: Security zone name.

Description

Use the firewall interzone command to enter the specific inter-zone view.

Examples

# Enter the inter-zone view between the trust and untrust zone.

[SecBlade_FW] firewall interzone trust untrust

[SecBlade_FW-interzone-trust-untrust]

4.6.6  firewall zone

Syntax

firewall zone zonename

View

System view

Parameters

zonename: Security zone name.

Description

Use the firewall zone command to enter the security zone view.

Examples

# Enter the DMZ zone view.

[SecBlade_FW] firewall zone DMZ

[SecBlade_FW-zone-DMZ]

4.6.7  firewall zone name

Syntax

firewall zone name zonename

undo firewall zone name zonename

View

System view

Parameters

zonename: Security zone name.

Description

Use the firewall zone name command to create a new security zone.

Use the undo firewall zone name command to remove the security zone.

Four security zones are predefined in the system, namely, local, trust, untrust and DMZ. You cannot delete these security zones.

Examples

# Create a new security zone newzone.

[SecBlade_FW] firewall zone name newzone

[SecBlade_FW-zone-newzone]

 


Chapter 5  Transparent Firewall Configuration Commands

5.1  Transparent Firewall Configuration Commands

5.1.1  acl number

Syntax

acl number acl-number

undo acl { number acl-number | all }

View

System view

Parameters

number acl-number: Sequence number of the MAC address-based ACL, in the range 4000 to 4999.

all: Removes all ACLs, including the interface-based ACLs, basic ACLs and advanced ACLs.

Description

Use the acl number command to create ACLs.

Use the undo acl command to remove the existing ACLs.

By default, no MAC address-based ACL is defined.

Refer to acl and rule for other ACL commands.

Examples

# Create the MAC address-based ACL 4009.

[SecBlade_FW] acl number 4009

5.1.2  bridge vlanid-transparent-transmit enable

Syntax

bridge vlanid-transparent-transmit enable

undo bridge vlanid-transparent-transmit enable

View

Interface view

Parameters

None

Description

Use the bridge vlanid-transparent-transmit enable command to enable VLAN ID transparent transmission. Use the undo bridge vlanid-transparent-transmit enable command to disable VLAN ID transparent transmission.

VLAN ID transparent transmission means that an interface forwards a packet directly without processing the VLAN ID it carries. The original VLAN ID of a packet is not changed even if a VLAN ID is configured on the outgoing interface.

After an Ethernet subinterface is configured with a VLAN ID, the subinterface receives only the data of the corresponding VLAN. The VLAN IDs configured on the subinterfaces therefore determine which VLANs' data the bridge group transmits.

After VLAN ID transparent transmission is enabled, the system does not process the VLAN ID of a packet, so the switches connected at the two ends can be regarded as directly connected. To ensure normal communication, you must configure the same VLAN ID on the trunk interfaces of the switches at both ends.

 

Caution:

If VLAN transparent transmission is enabled on an interface, the corresponding physical interface and subinterface must be configured with an interface-based ACL to filter the packets received from this interface and prevent them from being forwarded back again.

 

By default, VLAN ID transparent transmission is disabled.

Examples

# Enable VLAN ID transparent transmission on GigabitEthernet 0/0.

[SecBlade_FW] interface GigabitEthernet 0/0

[SecBlade_FW-GigabitEthernet0/0] bridge vlanid-transparent-transmit enable

5.1.3  debugging firewall eff

Syntax

debugging firewall eff [ interface interface-type interface-number ]

undo debugging firewall eff [ interface interface-type interface-number ]

View

User view

Parameters

interface interface-type interface-number: Displays debugging information only for the specified interface.

Description

Use the debugging firewall eff command to enable debugging for Ethernet frame filtering.

Use the undo debugging firewall eff command to disable debugging for Ethernet frame filtering.

By default, debugging for Ethernet frame filtering is not enabled.

Examples

# Enable debugging for Ethernet frame filtering.

<SecBlade_FW> debugging firewall eff

 Ethernet-frame-filter's debugging is on

<SecBlade_FW>

*0.1350738 SecBlade_FW EFF/8/DEBUGGING:

 OutBound List 4001, deny the frame with the following head :

 dest-mac is 000f-1f7e-fec5,sour-mac is 00e0-fc36-a7a9, type is 0800

*0.1350739 SecBlade_FW BRIDGE/8/DEBUGGING:

Discard a frame for the filter on outport ; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head :

00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00

*0.1352740 SecBlade_FW EFF/8/DEBUGGING:

 OutBound List 4001, deny the frame with the following head :

 dest-mac is 000f-1f7e-fec5,sour-mac is 00e0-fc36-a7a9, type is 0800

*0.1352740 SecBlade_FW BRIDGE/8/DEBUGGING:

Discard a frame for the filter on outport ; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head :

00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00

*0.1352925 SecBlade_FW EFF/8/DEBUGGING:

 InBound List 4001, deny the frame with the following head :

 dest-mac is ffff-ffff-ffff,sour-mac is 000f-1f7e-fec5, type is 0806

*0.1352925 SecBlade_FW BRIDGE/8/DEBUGGING:

Discard a frame for the filter on inport ; received from interface GigabitEthernet0/0, with following frame head :

ff ff ff ff ff ff 00 0f 1f 7e fe c5 08 06

*0.1354741 SecBlade_FW EFF/8/DEBUGGING:

 OutBound List 4001, deny the frame with the following head :

 dest-mac is 000f-1f7e-fec5,sour-mac is 00e0-fc36-a7a9, type is 0800

*0.1354741 SecBlade_FW BRIDGE/8/DEBUGGING:

Discard a frame for the filter on outport ; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head :

00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00

*0.1356742 SecBlade_FW EFF/8/DEBUGGING:

 OutBound List 4001, deny the frame with the following head :

 dest-mac is 000f-1f7e-fec5,sour-mac is 00e0-fc36-a7a9, type is 0800

*0.1356742 SecBlade_FW BRIDGE/8/DEBUGGING:

Discard a frame for the filter on outport ; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head :

00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00 
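The following added Python code (not part of the H3C manual) parses the EFF/8/DEBUGGING records shown above and tallies denied frames by ACL, direction, MAC pair and EtherType, so a debugging capture can be summarized instead of being read record by record. The sample log is a constructed excerpt in the format of the example above; the EtherType names are the standard IEEE assignments.

```python
import re
from collections import Counter

# Common EtherType values (IEEE assignments), keyed as the log prints them.
ETHERTYPE_NAMES = {"0800": "IPv4", "0806": "ARP", "86dd": "IPv6"}

# "*0.1350738 SecBlade_FW EFF/8/DEBUGGING:" starts one record
RECORD_HEADER = re.compile(
    r"^\*(?P<ts>[\d.]+)\s+(?P<host>\S+)\s+(?P<module>[A-Z]+)/\d+/DEBUGGING:\s*$"
)
# " OutBound List 4001, deny the frame with the following head :"
VERDICT_LINE = re.compile(
    r"^\s*(?P<direction>InBound|OutBound)\s+List\s+(?P<acl>\d+),\s+(?P<action>\w+)\s+the frame"
)
# " dest-mac is 000f-1f7e-fec5,sour-mac is 00e0-fc36-a7a9, type is 0800"
FRAME_HEAD = re.compile(
    r"dest-mac is\s+(?P<dst>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}),\s*"
    r"sour-mac is\s+(?P<src>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}),\s*"
    r"type is\s+(?P<etype>[0-9a-f]{4})",
    re.IGNORECASE,
)


def parse_eff_debug(text):
    """Return one dict per complete EFF record; BRIDGE records are skipped."""
    records, current = [], None
    for line in text.splitlines():
        header = RECORD_HEADER.match(line)
        if header:
            # Only EFF records carry the ACL verdict; any new header ends
            # the record being assembled.
            current = {"ts": header.group("ts")} if header.group("module") == "EFF" else None
            if current is not None:
                records.append(current)
            continue
        if current is None:
            continue
        verdict = VERDICT_LINE.match(line)
        if verdict:
            current["direction"] = verdict.group("direction").lower()
            current["acl"] = int(verdict.group("acl"))
            current["action"] = verdict.group("action").lower()
        head = FRAME_HEAD.search(line)
        if head:
            current["src_mac"] = head.group("src").lower()
            current["dst_mac"] = head.group("dst").lower()
            current["ethertype"] = head.group("etype").lower()
    return [r for r in records if "acl" in r and "src_mac" in r]


def summarize_denies(text):
    """Count denied frames per (direction, acl, src_mac, dst_mac, ethertype name)."""
    tally = Counter()
    for r in parse_eff_debug(text):
        if r["action"] != "deny":
            continue
        etype = ETHERTYPE_NAMES.get(r["ethertype"], "0x" + r["ethertype"])
        tally[(r["direction"], r["acl"], r["src_mac"], r["dst_mac"], etype)] += 1
    return tally


# Constructed sample in the format of the debugging output above.
SAMPLE_LOG = """\
*0.1350738 SecBlade_FW EFF/8/DEBUGGING:
 OutBound List 4001, deny the frame with the following head :
 dest-mac is 000f-1f7e-fec5,sour-mac is 00e0-fc36-a7a9, type is 0800
*0.1350739 SecBlade_FW BRIDGE/8/DEBUGGING:
Discard a frame for the filter on outport ; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head :
00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
*0.1352740 SecBlade_FW EFF/8/DEBUGGING:
 OutBound List 4001, deny the frame with the following head :
 dest-mac is 000f-1f7e-fec5,sour-mac is 00e0-fc36-a7a9, type is 0800
*0.1352925 SecBlade_FW EFF/8/DEBUGGING:
 InBound List 4001, deny the frame with the following head :
 dest-mac is ffff-ffff-ffff,sour-mac is 000f-1f7e-fec5, type is 0806
*0.1352925 SecBlade_FW BRIDGE/8/DEBUGGING:
Discard a frame for the filter on inport ; received from interface GigabitEthernet0/0, with following frame head :
ff ff ff ff ff ff 00 0f 1f 7e fe c5 08 06
"""

if __name__ == "__main__":
    for key, count in summarize_denies(SAMPLE_LOG).most_common():
        direction, acl, src, dst, etype = key
        print(f"{count:3d} x {direction} ACL {acl}: {src} -> {dst} ({etype})")
```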

5.1.4  debugging firewall transparent-mode eth-forwarding

Syntax

debugging firewall transparent-mode eth-forwarding [ interface interface-type interface-number ]

undo debugging firewall transparent-mode eth-forwarding [ interface interface-type interface-number ]

View

User view

Parameters

interface interface-type interface-number: Displays debugging information only for the specified interface.

Description

Use the debugging firewall transparent-mode eth-forwarding command to enable debugging for Ethernet frame forwarding on the transparent firewall.

Use the undo debugging firewall transparent-mode eth-forwarding command to disable debugging for Ethernet frame forwarding on the transparent firewall.

If no interface is specified, debugging is enabled or disabled for Ethernet frame forwarding on all interfaces.

By default, debugging for Ethernet frame forwarding on the transparent firewall is not enabled.

Examples

# Enable debugging for Ethernet frame forwarding on the transparent firewall.

<SecBlade_FW> debugging firewall transparent-mode eth-forwarding

The Transparent-mode eth-forwarding Debugging  is on

*0.695514 SecBlade_FW BRIDGE/8/DEBUGGING:

Forward a frame; received from interface GigabitEthernet0/0;and try to send to interface GigabitEthernet0/1, with following frame head :

00 e0 fc 36 a7 a9 00 0f 1f 7e fe c5 08 00

*0.695514 SecBlade_FW BRIDGE/8/DEBUGGING:

Forward a frame; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head :

00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00

*0.696515 SecBlade_FW BRIDGE/8/DEBUGGING:

Forward a frame; received from interface GigabitEthernet0/0;and try to send to interface GigabitEthernet0/1, with following frame head :

00 e0 fc 36 a7 a9 00 0f 1f 7e fe c5 08 00

*0.696515 SecBlade_FW BRIDGE/8/DEBUGGING:

Forward a frame; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head :

00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00

*0.696582 SecBlade_FW BRIDGE/8/DEBUGGING:

Forward a frame; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head :

00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00

*0.696582 SecBlade_FW BRIDGE/8/DEBUGGING:

Forward a frame; received from interface GigabitEthernet0/0;and try to send to interface GigabitEthernet0/1, with following frame head :

00 e0 fc 36 a7 a9 00 0f 1f 7e fe c5 08 00

*0.696584 SecBlade_FW BRIDGE/8/DEBUGGING:

Forward a frame; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head :

00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00

*0.696584 SecBlade_FW BRIDGE/8/DEBUGGING:

Forward a frame; received from interface GigabitEthernet0/0;and try to send to interface GigabitEthernet0/1, with following frame head :

00 e0 fc 36 a7 a9 00 0f 1f 7e fe c5 08 00

5.1.5  debugging firewall transparent-mode ip-forwarding

Syntax

debugging firewall transparent-mode ip-forwarding

undo debugging firewall transparent-mode ip-forwarding

View

User view

Parameters

None

Description

Use the debugging firewall transparent-mode ip-forwarding command to enable debugging for IP packet forwarding on the transparent firewall.

Use the undo debugging firewall transparent-mode ip-forwarding command to disable debugging for IP packet forwarding on the transparent firewall.

By default, debugging for IP packet forwarding on the transparent firewall is not enabled.

Examples

# Enable debugging for IP packet forwarding on the transparent firewall.

<SecBlade_FW> debugging firewall transparent-mode ip-forwarding

 The Transparent-mode Ip-forwarding Debugging  is on

<SecBlade_FW>

*0.11355193 SecBlade_FW FWTP/8/rcv_ip:Receive an IP packet

    interface: GigabitEthernet0/0

    source_ip_addr : 192.168.3.6

    source_port : 33073

    destination_ip_addr : 192.168.3.8

    destination_port : 52128

    protocol : 1

 

*0.11355193 SecBlade_FW FWTP/8/sndto_secur:Send an IP packet to security module

    source_ip_addr : 192.168.3.6

    source_port : 17664

    destination_ip_addr : 192.168.3.8

    destination_port : 60

    protocol : 1

    return value:0

 

*0.11355193 SecBlade_FW FWTP/8/snd_ip:Send an IP packet

    interface: GigabitEthernet0/1

    source_ip_addr : 192.168.3.6

    source_port : 0

    destination_ip_addr : 192.168.3.8

    destination_port : 1

    protocol : 1

 

*0.11355193 SecBlade_FW FWTP/8/rcv_ip:Receive an IP packet

    interface: GigabitEthernet0/1

    source_ip_addr : 192.168.3.8

    source_port : 33073

    destination_ip_addr : 192.168.3.6

    destination_port : 52128

    protocol : 1

*0.11355193 SecBlade_FW FWTP/8/sndto_secur:Send an IP packet to security module

    source_ip_addr : 192.168.3.8

    source_port : 17664

    destination_ip_addr : 192.168.3.6

    destination_port : 60

    protocol : 1

    return value:0

 

*0.11355193 SecBlade_FW FWTP/8/snd_ip:Send an IP packet

    interface: GigabitEthernet0/0

    source_ip_addr : 192.168.3.8

    source_port : 0

    destination_ip_addr : 192.168.3.6

    destination_port : 1

    protocol : 1                    

5.1.6  display firewall ethernet-frame-filter

Syntax

display firewall ethernet-frame-filter { all | interface interface-type interface-number }

View

Any view

Parameters

all: Ethernet frame filtering statistics on all interfaces.

interface interface-type interface-number: Ethernet frame filtering statistics on a specified interface.

Description

Use the display firewall ethernet-frame-filter command to display Ethernet frame filtering statistics.

Examples

# Display Ethernet frame filtering statistics on all interfaces.

<SecBlade_FW> display firewall ethernet-frame-filter all

  Interface: GigabitEthernet0/1

  In-bound Policy: acl 4000

  From 2099-08-02 5:55:05  to 2099-08-02 5:55:41

     11 packets, 668 bytes, 100% permitted,

     0 packets, 0 bytes, 0% denied,

     0 packets, 0 bytes, 0% permitted default,

     0 packets, 0 bytes, 0% denied default,

  Totally 11 packets, 668 bytes, 100% permitted,

  Totally 0 packets, 0 bytes, 0% denied.

  Out-bound Policy: acl 4000

  From 2099-08-02 5:55:07  to 2099-08-02 5:55:41

     0 packets, 0 bytes, 0% permitted,

     0 packets, 0 bytes, 0% denied,

     0 packets, 0 bytes, 0% permitted default,

     0 packets, 0 bytes, 100% denied default,

  Totally 0 packets, 0 bytes, 0% permitted,

  Totally 0 packets, 0 bytes, 100% denied.

5.1.7  display firewall mode

Syntax

display firewall mode

View

Any view

Parameters

None

Description

Use the display firewall mode command to display the operating mode of the current firewall.

Examples

# Display the operating mode of the current firewall.

<SecBlade_FW> display firewall mode

 Firewall mode: transparent

5.1.8  display firewall transparent-mode address-table

Syntax

display firewall transparent-mode address-table [ interface interface-type interface-number | mac mac-address ]

View

Any view

Parameters

interface interface-type interface-number: Information about the MAC address associated with the specified interface.

mac mac-address: Information about the specified MAC address entry.

Description

Use the display firewall transparent-mode address-table command to display the MAC address table of the transparent firewall.

Examples

# Display the MAC address table of the transparent firewall.

<SecBlade_FW> display firewall transparent-mode address-table

 The total of the address-items is 2

 Mac-address       Flag Aging-time   Receive       Send Interface-name

 00e0-fc36-a7a9  PD  00:01:41         23         13  GigabitEthernet0/0.1

 000f-1f7e-fec5  PD  00:03:28        121         12  GigabitEthernet0/0.2

 Flag meaning:  P--PERMIT   N--DENY  D--DYNAMIC  S--STATIC

5.1.9  display firewall transparent-mode config

Syntax

display firewall transparent-mode config

View

Any view

Parameters

None

Description

Use the display firewall transparent-mode config command to display the configuration information of the transparent firewall.

Examples

# Display the configuration information of the transparent firewall.

<SecBlade_FW> display firewall transparent-mode config

 Firewall transparent-info:

  ARP learning     : enable

  System IP address: 169.0.0.1

  System IP mask   : 255.0.0.0

  Unknown-mac:

    Unicast IP packet  : arp

    broadcast IP packet: drop

    Multicast IP packet: drop

5.1.10  display firewall transparent-mode traffic

Syntax

display firewall transparent-mode traffic [ interface interface-type interface-number ]

View

Any view

Parameters

interface interface-type interface-number: Displays the traffic information about the specified interface.

Description

Use the display firewall transparent-mode traffic command to display the traffic information about the transparent firewall.

Examples

# Display the traffic information about the transparent firewall.

<SecBlade_FW> display firewall transparent-mode traffic

 system error  is 0,inport error  is 0,

 outport error is 0 ,other error is 0

 

the total statistic :

 Input:

         860 total, 0 bpdu, 750 single,

         0 multi, 110 broadcast;

         860 ip,0 ipx, 0 other protocol;

         860 eth2, 0 snap,

         0 dlsw, 0 other,

         0 vlan;

 Output:

         747 total, 0 bpdu, 747 single,

         0 multi, 0 broadcast;

         747 ip, 0 ipx, 0 other protocol;

         747 eth2, 0 snap,

         0 dlsw, 0 other,

         0 vlan;

 Send way:

         0 broadcast, 0 fast, 747 other

 Discard:

         0 by inport state,

         0 for local frame ,

         0 by mac table,

         0 by inport filter,

         0 by outport filter,

         113 by ip filter ,

         0 other

the statistic of interface GigabitEthernet0/1

 Input:

         376 total, 0 bpdu, 375 single,

         0 multi, 1 broadcast;

         376 ip,0 ipx, 0 other protocol;

         376 eth2, 0 snap,

         0 dlsw, 0 other,

         0 vlan;

 Output:

         374 total, 0 bpdu, 374 single,

         0 multi, 0 broadcast;

         374 ip, 0 ipx, 0 other protocol;

         374 eth2, 0 snap,

         0 dlsw, 0 other,

         0 vlan;

 Send way:

         0 broadcast, 0 fast, 374 other

 Discard:

         0 by inport state,

         0 for local frame ,

         0 by mac table,

         0 by inport filter,

         0 by outport filter,

         3 by ip filter ,

         0 other

the statistic of interface GigabitEthernet0/0

 Input:

         484 total, 0 bpdu, 375 single,

         0 multi, 109 broadcast;

         484 ip,0 ipx, 0 other protocol;

         484 eth2, 0 snap,

         0 dlsw, 0 other,

         0 vlan;

 Output:

         373 total, 0 bpdu, 373 single,

         0 multi, 0 broadcast;

         373 ip, 0 ipx, 0 other protocol;

         373 eth2, 0 snap,

         0 dlsw, 0 other,

         0 vlan;

 Send way:

         0 broadcast, 0 fast, 373 other

 Discard:

         0 by inport state,

         0 for local frame ,

         0 by mac table,

         0 by inport filter,

         0 by outport filter,

         110 by ip filter ,

         0 other
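The per-interface blocks above carry enough information to cross-check the forwarding path: on a two-interface transparent firewall, every frame received on one interface is either discarded there or sent out the other. The Python below is an added example, not H3C code or device output: it parses the two per-interface blocks copied from the output above and checks that input minus discards on each interface equals the output of its peer (376 - 3 = 373 for GigabitEthernet0/1, 484 - 110 = 374 for GigabitEthernet0/0). Charging discards to the receiving interface is an assumption made for the check; the page's own figures are consistent with it.

```python
"""Parse the output of display firewall transparent-mode traffic (5.1.10) and
check that the per-interface counters add up. Added example, not H3C code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Sample input: the two per-interface blocks copied from the output above.
SAMPLE_OUTPUT = """\
the statistic of interface GigabitEthernet0/1
 Input:
         376 total, 0 bpdu, 375 single,
         0 multi, 1 broadcast;
         376 ip,0 ipx, 0 other protocol;
         376 eth2, 0 snap,
         0 dlsw, 0 other,
         0 vlan;
 Output:
         374 total, 0 bpdu, 374 single,
         0 multi, 0 broadcast;
         374 ip, 0 ipx, 0 other protocol;
         374 eth2, 0 snap,
         0 dlsw, 0 other,
         0 vlan;
 Send way:
         0 broadcast, 0 fast, 374 other
 Discard:
         0 by inport state,
         0 for local frame ,
         0 by mac table,
         0 by inport filter,
         0 by outport filter,
         3 by ip filter ,
         0 other
the statistic of interface GigabitEthernet0/0
 Input:
         484 total, 0 bpdu, 375 single,
         0 multi, 109 broadcast;
         484 ip,0 ipx, 0 other protocol;
         484 eth2, 0 snap,
         0 dlsw, 0 other,
         0 vlan;
 Output:
         373 total, 0 bpdu, 373 single,
         0 multi, 0 broadcast;
         373 ip, 0 ipx, 0 other protocol;
         373 eth2, 0 snap,
         0 dlsw, 0 other,
         0 vlan;
 Send way:
         0 broadcast, 0 fast, 373 other
 Discard:
         0 by inport state,
         0 for local frame ,
         0 by mac table,
         0 by inport filter,
         0 by outport filter,
         110 by ip filter ,
         0 other
"""


@dataclass
class IfaceStats:
    name: str
    input_total: int = 0
    output_total: int = 0
    discards: Dict[str, int] = field(default_factory=dict)

    def discarded(self) -> int:
        return sum(self.discards.values())


def parse_traffic(text: str) -> List[IfaceStats]:
    """Split into per-interface blocks; anything before the first header is skipped."""
    # re.split with a capturing group yields [preamble, name1, body1, name2, body2, ...]
    parts = re.split(r"^the statistic of interface (\S+)\s*$", text, flags=re.M)
    result: List[IfaceStats] = []
    for name, body in zip(parts[1::2], parts[2::2]):
        st = IfaceStats(name)
        for section in ("Input", "Output"):  # first number after the header is "N total"
            m = re.search(rf"{section}:\s*(\d+) total", body)
            if m:
                setattr(st, f"{section.lower()}_total", int(m.group(1)))
        discard_part = body.split("Discard:", 1)[1] if "Discard:" in body else ""
        for m in re.finditer(r"^\s*(\d+) (.+?)\s*,?\s*$", discard_part, flags=re.M):
            st.discards[m.group(2)] = int(m.group(1))  # e.g. "by ip filter" -> 3
        result.append(st)
    return result


def reconcile(stats: List[IfaceStats]) -> Dict[str, int]:
    """Two-interface transparent firewall: frames received on one interface and not
    discarded there should all appear as output on the other. Returns the unexplained
    count per receiving interface (0 means the counters add up). Charging discards to
    the receiving interface is an assumption that the page's numbers bear out."""
    if len(stats) != 2:
        raise ValueError("reconcile expects exactly two interface blocks")
    a, b = stats
    return {a.name: a.input_total - a.discarded() - b.output_total,
            b.name: b.input_total - b.discarded() - a.output_total}


if __name__ == "__main__":
    for st in parse_traffic(SAMPLE_OUTPUT):
        print(st.name, "in", st.input_total, "out", st.output_total, "discarded", st.discarded())
    print(reconcile(parse_traffic(SAMPLE_OUTPUT)))
```

A non-zero value from reconcile is the signal worth chasing: frames that left an interface's input counter without showing up in either its discard buckets or the peer's output are drops the display does not account for.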

5.1.11  firewall arp-learning enable

Syntax

firewall arp-learning enable

undo firewall arp-learning enable

View

System view

Parameters

None

Description

Use the firewall arp-learning enable command to enable learning of dynamic ARP entries on the transparent firewall.

Use the undo firewall arp-learning enable command to disable learning of dynamic ARP entries on the transparent firewall.

By default, learning of dynamic ARP entries on the transparent firewall is enabled.

Examples

# Enable learning of dynamic ARP entries on the transparent firewall.

[SecBlade_FW] firewall arp-learning enable

5.1.12  firewall ethernet-frame-filter

Syntax

firewall ethernet-frame-filter acl-number { inbound | outbound }

undo firewall ethernet-frame-filter { inbound | outbound }

View

Ethernet interface view

Parameters

acl-number: Sequence number of the MAC address-based ACL, in the range of 4,000 to 4,999.

inbound: Filters inbound frames.

outbound: Filters outbound frames.

Description

Use the firewall ethernet-frame-filter command to apply the MAC address-based ACL to the interface.

Use the undo firewall ethernet-frame-filter command to remove the MAC address-based ACL from the interface.

To apply a MAC address-based ACL to an interface, the firewall must work in transparent mode; otherwise, the system returns an error message.

By default, no MAC address-based ACL is applied to the interface.

Examples

# Apply the MAC address-based ACL 4009 to GigabitEthernet0/0.1.

[SecBlade_FW-GigabitEthernet0/0.1] firewall ethernet-frame-filter 4009 inbound

5.1.13  firewall mode

Syntax

firewall mode { route | transparent }

undo firewall mode

View

System view

Parameters

route: Specifies that the firewall operates in routing mode.

transparent: Specifies that the firewall operates in transparent mode.

Description

Use the firewall mode command to specify the operating mode of a firewall.

Use the undo firewall mode command to revert to the default operating mode.

A firewall operates in routing mode by default.

When a firewall operates in routing mode, all of its interfaces operate at Layer 3, so you can assign IP addresses to them. When a firewall operates in transparent mode, all of its interfaces operate at Layer 2: they act as switching ports, and you cannot configure Layer 3 properties (such as IP addresses) on them.

Examples

# Specify the firewall to operate in transparent mode.

[SecBlade_FW] firewall mode transparent

 Set system ip address successfully.

All the Interfaces's ips have been deleted.

 The mode is set successfully.

The output indicates that the firewall operates in transparent mode, and the IP addresses of all its interfaces are removed.

5.1.14  firewall system-ip

Syntax

firewall system-ip ip-address [ mask ]

undo firewall system-ip

View

System view

Parameters

ip-address: IP address of the firewall system.

mask: Subnet mask of the firewall system. If not provided, the default subnet mask of the class to which the IP address belongs is used.

Description

Use the firewall system-ip command to assign an IP address for a firewall system.

Use the undo firewall system-ip command to revert to the default system IP address.

The IP address of a firewall system is 169.0.0.1/8 by default.

When the firewall works in transparent mode, the system creates a Loopback0 interface (if none exists) with the IP address 169.0.0.1/8, which serves as the default system IP address; if a Loopback0 interface already exists, its IP address is set to the system IP address. When you modify the IP address of the Loopback0 interface or remove the Loopback0 interface, the system IP address is modified or removed accordingly. You can therefore also use this command to modify the system IP address.

You cannot configure the system IP address of a firewall when the firewall operates in routing mode.

Examples

# Configure a system IP address for a firewall.

[SecBlade_FW] firewall mode transparent

 Set system ip address successfully.

All the Interfaces's ip addresses have been deleted.

 The mode is set successfully.

[SecBlade_FW] firewall system-ip 10.1.1.5 255.255.255.0

 Set system ip address successfully.

5.1.15  firewall transparent-mode aging-time

Syntax

firewall transparent-mode aging-time seconds

undo firewall transparent-mode aging-time

View

System view

Parameters

seconds: Aging time of the MAC forwarding table, in the range of 10 to 1,000,000 (seconds).

Description

Use the firewall transparent-mode aging-time command to configure the aging time of the MAC forwarding table.

Use the undo firewall transparent-mode aging-time command to restore the default configuration.

By default, the aging time of the MAC forwarding table is 300 seconds.

Examples

# Configure the aging time of the MAC forwarding table to 1800 seconds.

[SecBlade_FW] firewall transparent-mode aging-time 1800

5.1.16  firewall transparent-mode transmit

Syntax

firewall transparent-mode transmit { bpdu | dlsw | ipx }

undo firewall transparent-mode transmit { bpdu | dlsw | ipx }

View

System view

Parameters

bpdu: Bridge protocol data unit.

dlsw: Data link switching.

ipx: Internetwork packet exchange.

Description

Use the firewall transparent-mode transmit command to specify a type of packets (BPDU, DLSw, or IPX) that the transparent firewall allows to pass.

Use the undo firewall transparent-mode transmit command to specify a type of packets that the transparent firewall no longer allows to pass.

By default, the transparent firewall does not allow any of these packet types to pass.

Examples

# Configure the transparent firewall to allow BPDU packets to pass.

[SecBlade_FW] firewall transparent-mode transmit bpdu

5.1.17  firewall unknown-mac

Syntax

firewall unknown-mac { drop | flood }

undo firewall unknown-mac

View

System view

Parameters

drop: Drops the IP unicast, multicast and broadcast packets with unknown MAC address.

flood: Floods the IP unicast, multicast and broadcast packets with unknown MAC address to the interfaces in a specific security zone other than the interface receiving the packet. The system saves the MAC address after receiving the ARP response packet, and forwards subsequent packets through this MAC address.

Description

Use the firewall unknown-mac command to configure the handling approach for IP unicast, multicast and broadcast packets with an unknown MAC address.

Use the undo firewall unknown-mac command to restore the default handling approach.

By default, the firewall handles IP unicast packets in arp mode, and IP broadcast and multicast packets in drop mode.

Related commands: firewall unknown-mac unicast, firewall unknown-mac multicast, firewall unknown-mac broadcast

Examples

# Configure the firewall to flood the IP packets with unknown MAC address.

[SecBlade_FW] firewall unknown-mac flood

5.1.18  firewall unknown-mac broadcast

Syntax

firewall unknown-mac broadcast { drop | flood }

undo firewall unknown-mac broadcast

View

System view

Parameters

drop: Drops IP broadcast packets.

flood: Floods IP broadcast packets to the interfaces in a specific security zone other than the interface receiving the packet. The system saves the MAC address after receiving the ARP response packet.

Description

Use the firewall unknown-mac broadcast command to configure the handling approach for IP broadcast packets.

Use the undo firewall unknown-mac broadcast command to restore the default handling approach.

By default, the firewall drops IP broadcast packets.

Examples

# Configure the firewall to flood IP broadcast packets.

[SecBlade_FW] firewall unknown-mac broadcast flood

5.1.19  firewall unknown-mac multicast

Syntax

firewall unknown-mac multicast { drop | flood }

undo firewall unknown-mac multicast

View

System view

Parameters

drop: Drops IP multicast packets.

flood: Floods IP multicast packets to the interfaces in a specific security zone other than the interface receiving the packet. The system saves the MAC address after receiving the ARP response packet.

Description

Use the firewall unknown-mac multicast command to configure the handling approach for IP multicast packets.

Use the undo firewall unknown-mac multicast command to restore the default handling approach.

By default, the firewall drops IP multicast packets.

Examples

# Configure the firewall to flood IP multicast packets.

[SecBlade_FW] firewall unknown-mac multicast flood

5.1.20  firewall unknown-mac unicast

Syntax

firewall unknown-mac unicast { drop | arp | flood }

undo firewall unknown-mac unicast

View

System view

Parameters

drop: Drops the IP packets with unknown MAC address.

arp: Broadcasts the ARP request packet to the interfaces in a specific security zone other than the interface receiving the packet, and drops the IP packets with unknown MAC address. The system saves the mapping between the MAC address and the interface after receiving the ARP response packet.

flood: Floods the ARP request packet to the interfaces in a specific security zone other than the interface receiving the packet. The system saves the MAC address after receiving the ARP response packet, and forwards subsequent packets through this MAC address.

Description

Use the firewall unknown-mac unicast command to configure a handling approach for the IP unicast packets with unknown MAC address.

Use the undo firewall unknown-mac unicast command to restore the default handling approach.

By default, the firewall handles the IP unicast packets with unknown MAC address in arp mode.

Examples

# Configure the firewall to drop the IP unicast packets with unknown MAC address.

[SecBlade_FW] firewall unknown-mac unicast drop

5.1.21  reset firewall ethernet-frame-filter

Syntax

reset firewall ethernet-frame-filter { all | interface interface-type interface-number }

View

User view

Parameters

all: Ethernet frame filtering information on all interfaces.

interface interface-type interface-number: Ethernet frame filtering information on a specified interface.

Description

Use the reset firewall ethernet-frame-filter command to clear Ethernet frame filtering information.

Examples

# Clear Ethernet frame filtering information on all interfaces.

<SecBlade_FW> reset firewall ethernet-frame-filter all

5.1.22  reset firewall transparent-mode address-table

Syntax

reset firewall transparent-mode address-table [ interface interface-type interface-number ]

View

User view

Parameters

interface interface-type interface-number: MAC address associated with the specified interface.

Description

Use the reset firewall transparent-mode address-table command to clear the MAC address table.

Examples

# Clear the MAC address entry associated with the GigabitEthernet 0/1 interface.

<SecBlade_FW> reset firewall transparent-mode address-table interface GigabitEthernet0/1

5.1.23  reset firewall transparent-mode traffic

Syntax

reset firewall transparent-mode traffic [ interface interface-type interface-number ]

View

User view

Parameters

interface interface-type interface-number: Traffic statistics on the specified interface.

Description

Use the reset firewall transparent-mode traffic command to clear the traffic statistics on the transparent firewall.

Examples

# Clear the traffic statistics on the transparent firewall.

<SecBlade_FW> reset firewall transparent-mode traffic

5.1.24  rule

Syntax

rule [ rule-id ] { permit | deny } [ type type-code type-wildcard | lsap lsap-code lsap-wildcard ] [ source-mac sour-addr source-wildcard ] [ dest-mac dest-addr dest-wildcard ] [ time-range time-name ] [ logging ]

undo rule rule-id [ time-range ] [ logging ]

View

MAC address-based ACL view

Parameters

rule-id: ID of an ACL rule, in the range of 0 to 65,534. If a rule with the specified ID already exists, the new rule overwrites it, which amounts to editing the existing rule. To edit an existing rule, it is recommended that you delete it and then create a new one; otherwise, the edited rule may not be the rule you expect. If no rule with the specified ID exists, the ID is used to create a new rule. If you do not specify rule-id, a new rule is created and the system assigns it a rule ID automatically.

permit: Permits matched packets.

deny: Discards matched packets.

type: Type of data frames.

type-code: Type of the data frame, a 16-bit hexadecimal number corresponding to the type-code field in Ethernet_II and Ethernet_SNAP frames. See Table 5-1 for the type-code values.

type-wildcard: A 16-bit hexadecimal number used to specify the mask bits of the type code.

lsap: Encapsulation format of data frames.

lsap-code: Encapsulation format of data frames, a 16-bit hexadecimal number.

lsap-wildcard: LSAP mask, a 16-bit hexadecimal number used to specify mask bits.

source-mac: Source MAC address.

sour-addr: Source MAC address in the format of xxxx-xxxx-xxxx, used to match the source address of a packet.

source-wildcard: Source MAC address mask.

dest-mac: Destination MAC address.

dest-addr: Destination MAC address in the format of xxxx-xxxx-xxxx, used to match the destination address of a packet.

dest-wildcard: Destination MAC address mask.

logging: Logs the packets that match the rule.

time-range time-name: Specifies the time range during which the ACL rule takes effect.

Description

Use the rule command to add an ACL rule.

Use the undo rule command to remove an existing ACL rule.

By default, no ACL rule is configured.

Examples

# Configure an ACL to deny all Ethernet frames.

[SecBlade_FW] acl number 4009

[SecBlade_FW-acl-ethernetframe-4009] rule deny
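The frame heads printed by the debugging output earlier in this chapter (6 bytes destination MAC, 6 bytes source MAC, 2-byte type) are exactly the fields a rule in a MAC address-based ACL selects on. The following Python is an added example, not H3C code or output from the device: it decodes such a dump into the xxxx-xxxx-xxxx notation used by the EFF debugging lines, evaluates it against rules written in the style of rule { permit | deny } type / source-mac / dest-mac, and tallies the verdicts into the four buckets reported by display firewall ethernet-frame-filter. The ACL, the frame heads, first-match ordering, the mask convention (a 1 bit must match, so ffff-ffff-ffff is an exact match) and the policy default are all assumptions made for the example; the page does not state the device's own mask or ordering semantics.

```python
"""Decode the 14-byte frame heads printed by the transparent-mode debugging
output and evaluate them against MAC ACL rules written like the `rule`
command (5.1.24). Added example, not H3C code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input in the layout of the BRIDGE/EFF debugging output:
# 6 bytes destination MAC, 6 bytes source MAC, 2-byte type.
SAMPLE_FRAME_HEADS = [
    "ff ff ff ff ff ff 00 0f 1f 7e fe c5 08 06",  # broadcast ARP
    "00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00",  # IPv4 from 00e0-fc36-a7a9
    "00 e0 fc 36 a7 a9 00 0f 1f 7e fe c5 08 00",  # IPv4, the reverse direction
    "00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 81 37",  # IPX (type 8137)
]

Spec = Tuple[int, int]  # (value, mask); assumption: a mask bit of 1 means "must match"


def mac_to_h3c(raw: bytes) -> str:
    """Render six bytes in the xxxx-xxxx-xxxx notation the manual uses."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def h3c_mac(text: str) -> int:
    """Parse xxxx-xxxx-xxxx into a 48-bit integer."""
    return int(text.replace("-", ""), 16)


@dataclass(frozen=True)
class FrameHead:
    dest_mac: str
    source_mac: str
    type_code: int


def parse_frame_head(dump: str) -> FrameHead:
    """Parse a space-separated hex dump; only the first 14 bytes matter."""
    raw = bytes.fromhex(dump.replace(" ", ""))
    if len(raw) < 14:
        raise ValueError("frame head needs 14 bytes: dest MAC, source MAC, type")
    return FrameHead(mac_to_h3c(raw[0:6]), mac_to_h3c(raw[6:12]),
                     int.from_bytes(raw[12:14], "big"))


@dataclass
class Rule:
    """One rule line: action plus optional type / source-mac / dest-mac matches."""
    action: str                        # "permit" or "deny"
    type_code: Optional[Spec] = None   # (type-code, mask)
    source_mac: Optional[Spec] = None  # (sour-addr, mask)
    dest_mac: Optional[Spec] = None    # (dest-addr, mask)

    def matches(self, f: FrameHead) -> bool:
        checks = ((self.type_code, f.type_code),
                  (self.source_mac, h3c_mac(f.source_mac)),
                  (self.dest_mac, h3c_mac(f.dest_mac)))
        for spec, value in checks:
            if spec is not None and (value & spec[1]) != (spec[0] & spec[1]):
                return False
        return True


def evaluate(acl: List[Rule], f: FrameHead, default: str = "permit") -> str:
    """First matching rule wins (assumed ordering); with no match the verdict is
    '<default> default', mirroring the 'permitted default' / 'denied default'
    counters of display firewall ethernet-frame-filter."""
    for rule in acl:
        if rule.matches(f):
            return rule.action
    return f"{default} default"


def tally(acl: List[Rule], dumps: List[str], default: str = "permit") -> Dict[str, int]:
    """Count verdicts over a batch of frame-head dumps."""
    counts = {"permit": 0, "deny": 0, "permit default": 0, "deny default": 0}
    for dump in dumps:
        counts[evaluate(acl, parse_frame_head(dump), default)] += 1
    return counts


# Constructed ACL: deny ARP and IPX outright, permit IPv4 from one station,
# and let everything else fall through to the policy default.
SAMPLE_ACL = [
    Rule("deny", type_code=(0x0806, 0xFFFF)),
    Rule("deny", type_code=(0x8137, 0xFFFF)),
    Rule("permit", type_code=(0x0800, 0xFFFF),
         source_mac=(h3c_mac("00e0-fc36-a7a9"), h3c_mac("ffff-ffff-ffff"))),
]

if __name__ == "__main__":
    for dump in SAMPLE_FRAME_HEADS:
        fh = parse_frame_head(dump)
        print(f"dest-mac is {fh.dest_mac},sour-mac is {fh.source_mac}, "
              f"type is {fh.type_code:04x} -> {evaluate(SAMPLE_ACL, fh, 'deny')}")
    print(tally(SAMPLE_ACL, SAMPLE_FRAME_HEADS, "deny"))
```

With a deny default, the constructed ACL permits one frame, denies the ARP and IPX frames by rule, and denies the reverse-direction IPv4 frame by default because no rule permits that source station; that last bucket is the one to watch when a policy is meant to be explicit about everything it lets through.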

Table 5-1 Ethernet domain values

Ethernet domain value (hexadecimal)   Description
0000-05DC     IEEE802.3 Length Field
0101-01FF     Experimental
200           XEROX PUP (see 0A00)
201           PUP Addr Trans (see 0A01)
400           Nixdorf
600           XEROX NS IDP
660           DLOG
661           DLOG
800           Internet IP (IPv4)
801           X.75 Internet
802           NBS Internet
803           ECMA Internet
804           Chaosnet
805           X.25 Level 3
806           ARP
807           XNS Compatibility
081C          Symbolics Private
0888-088A     Xyplex
900           Ungermann-Bass net debugr
0A00          Xerox IEEE802.3 PUP
0A01          PUP Addr Trans
0BAD          Banyan Systems
1000          Berkeley Trailer nego
1001-100F     Berkeley Trailer encap/IP
1600          Valid Systems
4242          PCS Basic Block Protocol
5208          BBN Simnet
6000          DEC Unassigned (Exp.)
6001          DEC MOP Dump/Load
6002          DEC MOP Remote Console
6003          DEC DECNET Phase IV Route
6004          DEC LAT
6005          DEC Diagnostic Protocol
6006          DEC Customer Protocol
6007          DEC LAVC, SCA
6008-6009     DEC Unassigned
6010-6014     3Com Corporation
7000          Ungermann-Bass download
7002          Ungermann-Bass dia/loop
7020-7029     LRT
7030          Proteon
7034          Cabletron
8003          Cronus VLN
8004          Cronus Direct
8005          HP Probe
8006          Nestar
8008          AT&T
8010          Excelan
8013          SGI diagnostics
8014          SGI network games
8015          SGI reserved
8016          SGI bounce server
8019          Apollo Computers
802E          Tymshare
802F          Tigan, Inc.
8035          Reverse ARP
8036          Aeonic Systems
8038          DEC LANBridge
8039-803C     DEC Unassigned
803D          DEC Ethernet Encryption
803E          DEC Unassigned
803F          DEC LAN Traffic Monitor
8040-8042     DEC Unassigned
8044          Planning Research Corp.
8046          AT&T
8047          AT&T
8049          ExperData
805B          Stanford V Kernel exp.
805C          Stanford V Kernel prod.
805D          Evans & Sutherland
8060          Little Machines
8062          Counterpoint Computers
8065          Univ. of Mass. @ Amherst
8066          Univ. of Mass. @ Amherst
8067          Veeco Integrated Auto.
8068          General Dynamics
8069          AT&T
806A          Autophon
806C          ComDesign
806D          Computgraphic Corp.
806E-8077     Landmark Graphics Corp.
807A          Matra
807B          Dansk Data Elektronik
807C          Merit Internodal
807D-807F     Vitalink Communications
8080          Vitalink TransLAN III
8081-8083     Counterpoint Computers
809B          Appletalk
809C-809E     Datability
809F          Spider Systems Ltd.
80A3          Nixdorf Computers
80A4-80B3     Siemens Gammasonics Inc.
80C0-80C3     DCA Data Exchange Cluster
80C4          Banyan Systems
80C5          Banyan Systems
80C6          Pacer Software
80C7          Applitek Corporation
80C8-80CC     Intergraph Corporation
80CD-80CE     Harris Corporation
80CF-80D2     Taylor Instrument
80D3-80D4     Rosemount Corporation
80D5          IBM SNA Service on Ether
80DD          Varian Associates
80DE-80DF     Integrated Solutions TRFS
80E0-80E3     Allen-Bradley
80E4-80F0     Datability
80F2          Retix
80F3          AppleTalk AARP (Kinetics)
80F4-80F5     Kinetics
80F7          Apollo Computer
80FF-8103     Wellfleet Communications
8107-8109     Symbolics Private
8130          Hayes Microcomputers
8131          VG Laboratory Systems
8132-8136     Bridge Communications
8137-8138     Novell, Inc.
8139-813D     KTI
8148          Logicraft
8149          Network Computing Devices
814A          Alpha Micro
814C          SNMP
814D          BIIN
814E          BIIN
814F          Technically Elite Concept
8150          Rational Corp
8151-8153     Qualcomm
815C-815E     Computer Protocol Pty Ltd
8164-8166     Charles River Data System
817D-818C     Protocol Engines
818D          Motorola Computer
819A-81A3     Qualcomm
81A4          ARAI Bunkichi
81A5-81AE     RAD Network Devices
81B7-81B9     Xyplex
81CC-81D5     Apricot Computers
81D6-81DD     Artisoft
81E6-81EF     Polygon
81F0-81F2     Comsat Labs
81F3-81F5     SAIC
81F6-81F8     VG Analytical
8203-8205     Quantum Software
8221-8222     Ascom Banking Systems
823E-8240     Advanced Encryption Syste
827F-8282     Athena Programming
8263-826A     Charles River Data System
829A-829B     Inst Ind Info Tech
829C-82AB     Taurus Controls
82AC-8693     Walker Richer & Quinn
8694-869D     Idea Courier
869E-86A1     Computer Network Tech
86A3-86AC     Gateway Communications
86DB          SECTRA
86DE          Delta Controls
86DF          ATOMIC
86E0-86EF     Landis & Gyr Powers
8700-8710     Motorola
8A96-8A97     Invisible Software
9000          Loopback
9001          3Com(Bridge) XNS Sys Mgmt
9002          3Com(Bridge) TCP-IP Sys
9003          3Com(Bridge) loop detect
FF00          BBN VITAL-LanBridge cache
FF00-FF0F     ISC Bunker Ramo

 


Chapter 6  Web and E-mail Filtering Configuration Commands

6.1  Web Filtering Configuration Commands

6.1.1  debugging firewall url-filter host

Syntax

debugging firewall url-filter host { all | filter | packet | event | error }

undo debugging firewall url-filter host { all | filter | packet | event | error }

View

User view

Parameters

all: Enables all debugging options.

filter: Enables filtered packet debugging.

packet: Enables packet debugging.

event: Enables event debugging.

error: Enables error debugging.

Description

Use the debugging firewall url-filter host command to enable Web address filtering debugging.

Use the undo debugging firewall url-filter host command to disable the debugging.

By default, the Web address filtering debugging is disabled.

Examples

# Enable all the Web address filtering debugging options.

<SecBlade_FW> debugging firewall url-filter host all

6.1.2  debugging firewall url-filter parameter

Syntax

debugging firewall url-filter parameter { all | error | event | filter | packet }

undo debugging firewall url-filter parameter { all | error | event | filter | packet }

View

User view

Parameters

all: Enables all debugging options.

filter: Enables filtered packet debugging.

packet: Enables packet debugging.

event: Enables event debugging.

error: Enables error debugging.

Description

Use the debugging firewall url-filter parameter command to enable SQL attack prevention debugging.

Use the undo debugging firewall url-filter parameter command to disable the debugging.

By default, the SQL attack prevention debugging is disabled.

Examples

# Enable error debugging for SQL attack prevention.

<SecBlade_FW> debugging firewall url-filter parameter error

6.1.3  debugging firewall webdata-filter

Syntax

debugging firewall webdata-filter { all | filter | packet | event | error }

undo debugging firewall webdata-filter { all | filter | packet | event | error }

View

User view

Parameters

all: Enables all debugging options.

filter: Enables filtered packet debugging.

packet: Enables packet debugging.

event: Enables event debugging.

error: Enables error debugging.

Description

Use the debugging firewall webdata-filter command to enable Web content filtering debugging.

Use the undo debugging firewall webdata-filter command to disable the debugging.

By default, the Web content filtering debugging is disabled.

Examples

# Enable all the Web content filtering debugging options.

<SecBlade_FW> debugging firewall webdata-filter all

6.1.4  display firewall url-filter host

Syntax

display firewall url-filter host { enable | all | item url-address | item-all }

View

Any view

Parameters

enable: Displays enable/disable status information about Web address filtering.

all: Displays all information about Web address filtering.

item url-address: Displays statistics on the specified filtering address.

item-all: Displays statistics on all filtering address items.

Description

Use the display firewall url-filter host command to display information about Web address filtering.

Examples

# Display all information about Web address filtering.

[SecBlade_FW] display firewall url-filter host all

URL-filter is enabled.

Default method : permit.

No ACL configed to be Matched

Deny http requeset when the URL is ip address ,No acl selected to be Matched

Url host filter has loaded file "flash:/urlfilter" , there are 2 item(s) in filter now( 2 Added,0 Loaded).

Packet(s) blocked.

Packet(s) allowed.

6.1.5  display firewall url-filter parameter

Syntax

display firewall url-filter parameter { enable | all | item keywords | item-all }

View

Any view

Parameters

enable: Displays enable/disable status information about SQL attack prevention filtering.

all: Displays all information about SQL attack prevention filtering.

item keywords: Displays statistics on the specified filtering keyword.

item-all: Displays statistics on all keyword items.

Description

Use the display firewall url-filter parameter command to display information about SQL attack prevention filtering.

Examples

# Display all information about SQL attack prevention filtering.

[SecBlade_FW] display firewall url-filter parameter all

Url parameter filter is enabled.

 Url parameter filter has loaded file "flash:/SQLfilter" , there are 9 item(s) in filter now( 9 Added,0 Loaded).

 Packet(s) blocked    :0.

 Packet(s) allowed    :0.

6.1.6  display firewall url-filter parameter counter detail

Syntax

display firewall url-filter parameter counter detail

View

Any view

Parameters

None

Description

Use the display firewall url-filter parameter counter detail command to display the number of matches for each keyword in detail.

Examples

# Display the number of matches for each keyword in detail.

[SecBlade_FW] display firewall url-filter parameter counter detail

 ----------------------------------------

 ^select^            0

 ^insert^            0

 ^update^            0

 ^delete^            0

 ^drop^              0

 --                  0

 '                   0

 ^exec^              0

 %27                 0

6.1.7  display firewall webdata-filter

Syntax

display firewall webdata-filter { enable | all | item keywords | item-all }

View

Any view

Parameters

enable: Displays enable/disable status information about Web content filtering.

all: Displays all information about Web content filtering.

item keywords: Displays statistics on the specified filtering keyword.

item-all: Displays statistics on all keyword items.

Description

Use the display firewall webdata-filter command to display information about Web content filtering.

Examples

# Display information about Web content filtering.

[SecBlade_FW] display firewall webdata-filter all

 Webdata-filter is enabled.

 Webdata-filter has loaded file "flash:/webdatafilter" , there are 1 item(s) in

filter now ( 1 Added,0 Loaded).

 Packet(s) blocked.

 Packet(s) allowed.

6.1.8  firewall url-filter host acl-number

Syntax

firewall url-filter host acl-number number

undo firewall url-filter host acl-number

View

System view

Parameters

number: Number of a basic ACL, in the range of 2000 to 2999.

Description

Use the firewall url-filter host acl-number command to configure the SecBlade to filter the Web requests with IP addresses as the target URL through ACLs.

Use the undo firewall url-filter host acl-number command to remove the configured ACL rule.

This command can reference only one ACL, and the rule configured later will overwrite the previous one.

By default, no filtering rules are configured.

Examples

# Permit only the Web requests whose target IP addresses ACL 2001 permits to pass.

[SecBlade_FW] acl number 2001

[SecBlade_FW-acl-basic-2001] rule deny source 200.1.1.0 0.0.0.255

[SecBlade_FW-acl-basic-2001] rule permit

[SecBlade_FW-acl-basic-2001] quit

[SecBlade_FW] firewall url-filter host acl-number 2001

6.1.9  firewall url-filter host add

Syntax

firewall url-filter host add { permit | deny } url-address

View

System view

Parameters

permit: Permits packets whose addresses match the predefined Web addresses.

deny: Denies packets whose addresses match the predefined Web addresses.

url-address: Web address to be added for Web address filtering.

Description

Use the firewall url-filter host add command to add a Web address for Web address filtering and specify whether or not to permit the packet that matches the specified Web address to pass.

The value of the url-address argument can be no more than 128 characters in length. Those with length exceeding 128 characters are treated as invalid and are not added. If you provide http://www.sina.com/ for the url-address argument, then Web addresses such as http://www.sina.com.cn/ and news.sina.com are matched, but www.sina.com.cn is not matched. Web addresses in the form of “.*.com.cn”, “news.*.com”, and “sina.com.*” are not supported.

By default, no Web address for address filtering is added.

Examples

# Add a Web address www.163.com as the filtering item and permit matched packets.

[SecBlade_FW] firewall url-filter host add permit www.163.com

6.1.10  firewall url-filter host clear

Syntax

firewall url-filter host clear

View

System view

Parameters

None

Description

Use the firewall url-filter host clear command to clear all Web address filtering items.

Examples

# Clear all Web address filtering items.

[SecBlade_FW] firewall url-filter host clear

6.1.11  firewall url-filter host default

Syntax

firewall url-filter host default { permit | deny }

View

System view

Parameters

permit: Permits matched packets by default.

deny: Denies matched packets by default.

Description

Use the firewall url-filter host default command to permit/deny packets that do not match the predefined Web address filtering items.

By default, packets that do not match the predefined Web address filtering items are permitted.

Examples

# Specify to permit matched packets by default.

[SecBlade_FW] firewall url-filter host default permit

6.1.12  firewall url-filter host delete

Syntax

firewall url-filter host delete url-address

View

System view

Parameters

url-address: Keyword of the Web address filtering item to be deleted.

Description

Use the firewall url-filter host delete command to delete a Web address filtering item.

Examples

# Delete the Web address filtering item with Web address of www.163.com.

[SecBlade_FW] firewall url-filter host delete www.163.com

6.1.13  firewall url-filter host enable

Syntax

firewall url-filter host enable

undo firewall url-filter host enable

View

System view

Parameters

None

Description

Use the firewall url-filter host enable command to enable Web address filtering.

Use the undo firewall url-filter host enable command to disable the Web address filtering.

By default, Web address filtering is disabled.

You need to configure ASPF policies and execute the detect http and detect tcp commands first to enable Web address filtering. Refer to ASPF Configuration Commands for information about ASPF configuration commands.

Examples

# Enable Web address filtering.

[SecBlade_FW] firewall url-filter host enable

6.1.14  firewall url-filter host ip-address

Syntax

firewall url-filter host ip-address { permit | deny }

View

System view

Parameters

permit: Permits Web requests whose target URL is an IP address to pass.

deny: Denies Web requests whose target URL is an IP address.

Description

Use the firewall url-filter host ip-address command to specify whether the SecBlade permits Web requests whose target URL is an IP address (rather than a host name) to pass.

By default, the SecBlade denies Web requests whose target URL is an IP address.
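The decision the SecBlade makes for a Web request whose target is an IP literal combines three settings from this chapter: the referenced basic ACL (firewall url-filter host acl-number, section 6.1.8), the ip-address permit/deny switch (this section) and, for host-name targets, the address items and default method (sections 6.1.9 and 6.1.11). The following Python model is an added example written for this page; it is not H3C code and not the SecBlade implementation. It assumes Comware-style wildcard masks (a 1 bit means "do not care"), that ACL rules are evaluated in configuration order, that an IP literal not covered by any ACL rule falls back to the ip-address setting, and that host-name items are compared exactly; the manual does not spell out those details.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class AclRule:
    action: str                    # "permit" or "deny"
    source: Optional[str] = None   # "network wildcard", e.g. "200.1.1.0 0.0.0.255"; None = any


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Comware-style wildcard mask: a 1 bit in the mask means 'do not care'."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


@dataclass
class BasicAcl:
    number: int
    rules: list = field(default_factory=list)   # ASSUMPTION: evaluated in configuration order

    def __post_init__(self):
        if not 2000 <= self.number <= 2999:
            raise ValueError("url-filter host accepts only basic ACLs 2000-2999")

    def evaluate(self, addr: str) -> Optional[str]:
        """First matching rule wins; None when no rule covers the address."""
        for rule in self.rules:
            if rule.source is None or wildcard_match(addr, *rule.source.split()):
                return rule.action
        return None


def is_ipv4_literal(host: str) -> bool:
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


@dataclass
class UrlHostFilter:
    enabled: bool = True
    default: str = "permit"            # firewall url-filter host default (manual default: permit)
    ip_address_policy: str = "deny"    # firewall url-filter host ip-address (manual default: deny)
    acl: Optional[BasicAcl] = None     # firewall url-filter host acl-number (one ACL at most)
    items: dict = field(default_factory=dict)   # firewall url-filter host add: host -> action

    def decide(self, host: str) -> str:
        if not self.enabled:
            return "permit"
        if is_ipv4_literal(host):
            if self.acl is not None:
                verdict = self.acl.evaluate(host)
                if verdict is not None:
                    return verdict
            # ASSUMPTION: with no ACL, or an address no rule covers, the
            # ip-address permit/deny setting decides.
            return self.ip_address_policy
        # ASSUMPTION: exact host-name comparison; the manual's description of
        # host matching is not precise enough to model further.
        return self.items.get(host.lower(), self.default)


def build_example_filter() -> UrlHostFilter:
    """The manual's ACL 2001 example plus one constructed permit item."""
    acl = BasicAcl(2001, [AclRule("deny", "200.1.1.0 0.0.0.255"), AclRule("permit")])
    return UrlHostFilter(acl=acl, items={"www.163.com": "permit"})


if __name__ == "__main__":
    f = build_example_filter()
    for host in ("200.1.1.7", "10.0.0.5", "www.163.com", "www.example.test"):
        print(host, "->", f.decide(host))
```

Note that with the manual's own defaults (no ACL, ip-address deny) every IP-literal request is dropped, which is the setting you want when URL filtering is meant to stop users bypassing host-name items by typing the server's address.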

Examples

# Permit Web requests whose target URL is an IP address to pass.

[SecBlade_FW] firewall url-filter host ip-address permit

6.1.15  firewall url-filter host save-file

Syntax

firewall url-filter host save-file file-name

View

System view

Parameters

file-name: Name of the Web address filtering file to be saved.

Description

Use the firewall url-filter host save-file command to save a Web address filtering file.

Examples

# Save the Web address filtering file with the name of urlfilter.

[SecBlade_FW] firewall url-filter host save-file urlfilter

6.1.16  firewall url-filter host load-file

Syntax

firewall url-filter host load-file file-name

undo firewall url-filter host load-file

View

System view

Parameters

file-name: Name of the filtering file to be loaded.

Description

Use the firewall url-filter host load-file command to load a Web address filtering file.

Use the undo firewall url-filter host load-file command to unload the current Web address filtering file.

If you want to use the Web address filtering items to filter packets, you need first to load the Web address filtering file that contains these items.

Examples

# Load the Web address filtering file with the name of urlfilter.

[SecBlade_FW] firewall url-filter host load-file urlfilter

6.1.17  firewall url-filter parameter add

Syntax

firewall url-filter parameter add keywords

undo firewall url-filter parameter add keywords

View

System view

Parameters

keywords: Keywords in the HTTP command.

Description

Use the firewall url-filter parameter add command to add a filtering keyword for SQL attack prevention. If the keyword is borne in a HTTP request, the SecBlade will block the request.

You can define table names, fields, saving process names (default or custom) as keywords as needed.

By default, no keyword is added.

A filtering keyword is a string of up to 128 bytes. Fuzzy matching is supported: the asterisk (*), caret (^), question mark (?) and blank space can be used in a filtering keyword. The question mark can be added only through a file or through Web management, not at the command line; the rules for each character are given below.

One asterisk stands for up to four single-byte characters. The asterisk cannot be at the beginning or ending of a string or adjacent to the caret or question mark. Be cautious when adding the keywords with asterisks to avoid possible misjudgment. It is not allowed to use two or more asterisks in a keyword. Such keywords as test1 and te*st2 are valid, but te**st, t*es*t and *test are unacceptable.

The caret can only be at the beginning or ending of a string, and you can add two carets at most. For example, the filtering keyword ^hello matches against the strings starting with hello, such as helloworld and hello, but not ahelloworld; the filtering keyword you^ matches against the strings ending with you, such as thankyou and you, but not thankyour or your.

One question mark stands for one single-byte character; use two question marks (??) to stand for a double-byte character. Two or more question marks can appear one after another. The question mark can be placed at any position except adjacent to an asterisk; when it is at the beginning or end of a string, it must be adjacent to a caret. It can be loaded only through a file, not typed at the command line.

You can load the blank space through file or type it in the command line. There is no limitation on the number of blank spaces and their position. One blank space can match several consecutive blank spaces in a string.

Related commands: firewall url-filter parameter add-default.

Examples

# Define the custom saving process sp_additem (existing in the database) as a filtering keyword for SQL attack prevention.

[SecBlade_FW] firewall url-filter parameter add sp_additem

6.1.18  firewall url-filter parameter add-default

Syntax

firewall url-filter parameter add-default

View

System view

Parameters

None

Description

Use the firewall url-filter parameter add-default command to add the system-default filtering keywords: ^select^, ^insert^, ^update^, ^delete^, ^drop^, --, ', ^exec^ and %27.

If you delete some keywords unconsciously or use the firewall url-filter parameter clear command by mistake, you can restore the default configuration with this command.

By default, no filtering keyword is added.

Examples

# Add the system-default filtering keywords.

[SecBlade_FW] firewall url-filter parameter add-default

 Success to add 9 keys!

6.1.19  firewall url-filter parameter clear

Syntax

firewall url-filter parameter clear

View

System view

Parameters

None

Description

Use the firewall url-filter parameter clear command to clear all filtering keywords.

Examples

# Clear all filtering keywords.

[SecBlade_FW] firewall url-filter parameter clear

6.1.20  firewall url-filter parameter delete

Syntax

firewall url-filter parameter delete keywords

View

System view

Parameters

keywords: Keyword of the filtering item to be deleted.

Description

Use the firewall url-filter parameter delete command to delete a filtering item.

Examples

# Delete the filtering item with the keyword select.

[SecBlade_FW] firewall url-filter parameter delete select

6.1.21  firewall url-filter parameter enable

Syntax

firewall url-filter parameter enable

undo firewall url-filter parameter enable

View

System view

Parameters

None

Description

Use the firewall url-filter parameter enable command to enable SQL attack prevention filtering.

Use the undo firewall url-filter parameter enable command to disable SQL attack prevention filtering.

By default, SQL attack prevention filtering is disabled.

Examples

# Enable SQL attack prevention filtering.

[SecBlade_FW] firewall url-filter parameter enable

6.1.22  firewall url-filter parameter load-file

Syntax

firewall url-filter parameter load-file file-name

undo firewall url-filter parameter load-file

View

System view

Parameters

file-name: Name of the filtering file to be loaded.

Description

Use the firewall url-filter parameter load-file command to load the SQL attack prevention filtering file.

Use the undo firewall url-filter parameter load-file command to unload the SQL attack prevention filtering file.

Examples

# Load the SQL attack prevention filtering file sqlfilter.

[SecBlade_FW] firewall url-filter parameter load-file sqlfilter

6.1.23  firewall url-filter parameter save-file

Syntax

firewall url-filter parameter save-file file-name

View

System view

Parameters

file-name: Name of the filtering file to be saved.

Description

Use the firewall url-filter parameter save-file command to save the SQL attack prevention filtering file.

Examples

# Save the SQL attack prevention filtering file sqlfilter.

[SecBlade_FW] firewall url-filter parameter save-file sqlfilter

6.1.24  firewall webdata-filter add

Syntax

firewall webdata-filter add keywords

View

System view

Parameters

keywords: Keyword of the filtering item to be added.

Description

Use the firewall webdata-filter add command to add a keyword for Web content filtering.

A filtering keyword is a string of up to 64 bytes. Fuzzy matching is supported: the asterisk (*), caret (^), question mark (?) and blank space can be used in a filtering keyword. The question mark can be added only through a file or through Web management, not at the command line; the rules for each character are given below.

One asterisk stands for up to four single-byte characters. The asterisk cannot be at the beginning or ending of a string or adjacent to the caret or question mark. Be cautious when adding the keywords with asterisks to avoid possible misjudgment. It is not allowed to use two or more asterisks in a keyword. Such keywords as test1 and te*st2 are valid, but te**st, t*es*t and *test are unacceptable.

The caret can only be at the beginning or ending of a string, and you can add two carets at most. For example, the filtering keyword ^hello matches against the strings starting with hello, such as helloworld and hello, but not ahelloworld; the filtering keyword you^ matches against the strings ending with you, such as thankyou and you, but not thankyour or your.

One question mark stands for one single-byte character; use two question marks (??) to stand for a double-byte character. Two or more question marks can appear one after another. The question mark can be placed at any position except adjacent to an asterisk; when it is at the beginning or end of a string, it must be adjacent to a caret. It can be loaded only through a file, not typed at the command line.

You can load the blank space through file or type it in the command line. There is no limitation on the number of blank spaces and their position. One blank space can match several consecutive blank spaces in a string.

By default, no filtering keyword is added.

 

  Caution:

The keywords for Web content filtering cannot be HTML language tags, such as <head>, <html>, <title> and <script>; otherwise, legal web pages may be filtered out.
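The keyword syntax shared by firewall url-filter parameter add (section 6.1.17) and firewall webdata-filter add (this section) is small enough to model exactly: one asterisk covers up to four characters, a caret at either end anchors the match, a question mark is one character and a blank matches a run of blanks. The following Python module is an added example written for this page, not H3C code; it validates a keyword against the rules above, translates it to a regular expression, and applies the nine default SQL keywords of section 6.1.18 to constructed URLs. It assumes that the match unit is each raw, still percent-encoded query-string parameter value (the manual does not state the unit, but a default list carrying both ' and %27 suggests the device matches before decoding), that matching is case-sensitive, and that one ? matches one Unicode character rather than one byte.

```python
import re
from urllib.parse import urlsplit

# Keyword length limits stated by the manual: 128 bytes for the SQL attack
# prevention (url-filter parameter) list, 64 bytes for the Web content list.
MAX_KEYWORD_BYTES = {"parameter": 128, "webdata": 64}

# The nine keywords installed by 'firewall url-filter parameter add-default'.
DEFAULT_SQL_KEYWORDS = ["^select^", "^insert^", "^update^", "^delete^",
                        "^drop^", "--", "'", "^exec^", "%27"]


def validate_keyword(keyword: str, kind: str = "parameter") -> None:
    """Raise ValueError if keyword breaks the syntax rules given in the manual."""
    if not keyword:
        raise ValueError("empty keyword")
    if len(keyword.encode("utf-8")) > MAX_KEYWORD_BYTES[kind]:
        raise ValueError(f"keyword longer than {MAX_KEYWORD_BYTES[kind]} bytes")
    if keyword.count("*") > 1:
        raise ValueError("at most one asterisk per keyword")
    if keyword[0] == "*" or keyword[-1] == "*":
        raise ValueError("asterisk cannot begin or end a keyword")
    if any(pair in keyword for pair in ("*^", "^*", "*?", "?*")):
        raise ValueError("asterisk cannot be adjacent to ^ or ?")
    if "^" in keyword[1:-1]:
        raise ValueError("caret allowed only as first or last character")
    if keyword[0] == "?" or keyword[-1] == "?":
        raise ValueError("a leading or trailing ? must be next to a caret")


def is_valid_keyword(keyword: str, kind: str = "parameter") -> bool:
    try:
        validate_keyword(keyword, kind)
        return True
    except ValueError:
        return False


def compile_keyword(keyword: str) -> "re.Pattern[str]":
    """Translate a SecBlade keyword into an equivalent regular expression."""
    anchor_start = keyword.startswith("^")
    anchor_end = len(keyword) > 1 and keyword.endswith("^")
    body = keyword[1 if anchor_start else 0:len(keyword) - 1 if anchor_end else len(keyword)]
    parts = []
    for ch in body:
        if ch == "*":
            parts.append(".{0,4}")   # one asterisk: up to four characters
        elif ch == "?":
            parts.append(".")        # one ?: one character (ASSUMPTION: one code point;
                                     # the device counts bytes, hence ?? per double-byte char)
        elif ch == " ":
            parts.append(" +")       # one blank matches a run of blanks
        else:
            parts.append(re.escape(ch))
    pattern = ("^" if anchor_start else "") + "".join(parts) + ("$" if anchor_end else "")
    return re.compile(pattern, re.DOTALL)


def keyword_matches(keyword: str, text: str) -> bool:
    """True if the keyword hits anywhere in text (case-sensitive by ASSUMPTION)."""
    return compile_keyword(keyword).search(text) is not None


def first_blocked_keyword(url: str, keywords=DEFAULT_SQL_KEYWORDS):
    """Return the first keyword hitting a raw query parameter value, else None.

    ASSUMPTION: each parameter value, still percent-encoded, is the match unit.
    """
    for pair in urlsplit(url).query.split("&"):
        value = pair.split("=", 1)[1] if "=" in pair else pair
        for keyword in keywords:
            if keyword_matches(keyword, value):
                return keyword
    return None


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for url in ("http://example.test/item?id=42&sort=name",
                "http://example.test/item?id=1%27%20or%201%3D1",
                "http://example.test/search?q=select"):
        print(url, "->", first_blocked_keyword(url) or "allowed")
```

Two consequences of the rules are worth noticing before loading a list: a keyword with carets at both ends, such as ^select^, matches a value only when the value is exactly that word, so it does not catch select inside a longer value; and because an asterisk covers at most four characters, te*st2 does not match teabcdest2. Run the validator over a filter file before saving it with firewall url-filter parameter save-file so that rejected entries do not silently leave gaps.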

 

Examples

# Add a Web content filtering item whose keyword is music.

[SecBlade_FW] firewall webdata-filter add music

6.1.25  firewall webdata-filter clear

Syntax

firewall webdata-filter clear

View

System view

Parameters

None

Description

Use the firewall webdata-filter clear command to clear all the Web content filtering items.

Examples

# Clear all the Web content filtering items.

[SecBlade_FW] firewall webdata-filter clear

6.1.26  firewall webdata-filter delete

Syntax

firewall webdata-filter delete keywords

View

System view

Parameters

keywords: Keyword of the Web content filtering item to be deleted.

Description

Use the firewall webdata-filter delete command to delete a Web content filtering item.

Examples

# Delete the Web content filtering item with the keyword music.

[SecBlade_FW] firewall webdata-filter delete music

6.1.27  firewall webdata-filter enable

Syntax

firewall webdata-filter enable

undo firewall webdata-filter enable

View

System view

Parameters

None

Description

Use the firewall webdata-filter enable command to enable Web content filtering.

Use the undo firewall webdata-filter enable command to disable Web content filtering.

By default, Web content filtering is disabled.

You need to configure ASPF policies and execute the detect http and detect tcp commands first to enable Web content filtering. Refer to ASPF Configuration Commands for information about ASPF configuration commands.

Examples

# Enable Web content filtering.

[SecBlade_FW] firewall webdata-filter enable

6.1.28  firewall webdata-filter load-file

Syntax

firewall webdata-filter load-file file-name

undo firewall webdata-filter load-file

View

System view

Parameters

file-name: Name of the filtering file to be loaded.

Description

Use the firewall webdata-filter load-file command to load a Web content filtering file.

Use the undo firewall webdata-filter load-file command to unload the current Web content filtering file.

If you want to use the Web content filtering items to filter packets, you need first to load the Web content filtering file that contains these items.

With the Web content filtering function enabled, the SecBlade filters HTTP response packets that contain illegal contents. A packet is filtered out if its content matches the predefined filtering items.

Examples

# Load the Web content filtering file with the name of webdatafilter.

[SecBlade_FW] firewall webdata-filter load-file webdatafilter

6.1.29  firewall webdata-filter save-file

Syntax

firewall webdata-filter save-file file-name

View

System view

Parameters

file-name: Name of the Web content filtering file to be saved.

Description

Use the firewall webdata-filter save-file command to save a Web content filtering file.

Examples

# Save the Web content filtering file whose name is webdatafilter.

[SecBlade_FW] firewall webdata-filter save-file webdatafilter

6.1.30  reset firewall url-filter host counter

Syntax

reset firewall url-filter host counter

View

User view

Parameters

None

Description

Use the reset firewall url-filter host counter command to clear Web address filtering statistics.

Examples

# Clear Web address filtering statistics.

<SecBlade_FW> reset firewall url-filter host counter

6.1.31  reset firewall url-filter parameter counter

Syntax

reset firewall url-filter parameter counter

View

User view

Parameters

None

Description

Use the reset firewall url-filter parameter counter command to clear statistics on SQL attack prevention filtering.

Examples

# Clear statistics on SQL attack prevention filtering.

<SecBlade_FW> reset firewall url-filter parameter counter

6.1.32  reset firewall webdata-filter counter

Syntax

reset firewall webdata-filter counter

View

User view

Parameters

None

Description

Use the reset firewall webdata-filter counter command to clear Web content filtering statistics.

Examples

# Clear Web content filtering statistics.

<SecBlade_FW> reset firewall webdata-filter counter

6.2  E-mail Filtering Configuration Commands

6.2.1  debugging firewall smtp-filter

Syntax

debugging firewall smtp-filter

undo debugging firewall smtp-filter

View

User view

Parameters

None

Description

Use the debugging firewall smtp-filter command to enable E-mail filtering debugging.

Use the undo debugging firewall smtp-filter command to disable E-mail filtering debugging.

By default, the E-mail filtering debugging is disabled.

Examples

# Enable E-mail filtering debugging.

<SecBlade_FW> debugging firewall smtp-filter

6.2.2  display firewall smtp-filter

Syntax

display firewall smtp-filter { all | { rcptto | subject | content | attach } { item string | item-all } }

View

Any view

Parameters

all: Displays all information about E-mail filtering.

rcptto: Displays information about E-mail address filtering.

subject: Displays information about E-mail subject filtering.

content: Displays information about E-mail content filtering.

attach: Displays information about E-mail attachment filtering.

item string: Displays statistics on the specific filter keyword item.

item-all: Displays statistics on all filter keyword items.

Description

Use the display firewall smtp-filter command to display information about E-mail filtering.

Examples

# Display all information about E-mail filtering.

[SecBlade_FW] display firewall smtp-filter all

Smtp-filter rcptto is enabled.

 Default method: deny.

 Rcptto has Loaded file "flash:/rcpttofilter", there are 1 item(s) in filter now( 5 Added,0 Loaded).

Packet(s) blocked    :0.

 

 Packet(s) allowed    :0.

 

 Smtp-filter subject is enabled.

 Subject has Loaded file "flash:/subjectfilter", there are 1 item(s) in filter now( 7 Added,0 Loaded).

Packet(s) blocked    :0.

 

 Smtp-filter content is enabled.

 Content has Loaded file "flash:/contentfilter", there are 1 item(s) in filter now( 5 Added,0 Loaded).

Packet(s) blocked    :0.

 

 Smtp-filter attach is enabled.

 Attach has Loaded file "flash:/attachfilter", there are 1 item(s) in filter now( 6 Added,0 Loaded).

Packet(s) blocked    :0.

6.2.3  firewall smtp-filter attach add

Syntax

firewall smtp-filter attach add file-name

View

System view

Parameters

file-name: Attachment file name of the filtering item to be added.

Description

Use the firewall smtp-filter attach add command to add an attachment file name for E-mail attachment filtering.

The attachment file name can be up to 128 characters in length. Two forms of attachment file names are supported: a full name and a simplified name (such as “*.ext”). If you provide a file name in the second form, E-mails are filtered only by the extension of the attachment file. You can add both an item *.exe and a full file name item (such as abc.exe) for attachment filtering; in this case, the abc.exe item still works after the *.exe item is deleted.

By default, no attachment file name is added.

Examples

# Add a filtering item with the attachment file name virus.exe.

[SecBlade_FW] firewall smtp-filter attach add virus.exe

6.2.4  firewall smtp-filter attach clear

Syntax

firewall smtp-filter attach clear

View

System view

Parameters

None

Description

Use the firewall smtp-filter attach clear command to clear all E-mail attachment filtering items.

Examples

# Clear all E-mail attachment filtering items.

[SecBlade_FW] firewall smtp-filter attach clear

6.2.5  firewall smtp-filter attach delete

Syntax

firewall smtp-filter attach delete file-name

View

System view

Parameters

file-name: Attachment file name of the filtering item to be deleted.

Description

Use the firewall smtp-filter attach delete command to delete an attachment filtering item with the specified attachment file name.

Examples

# Delete an attachment filtering item with the attachment file name virus.exe.

[SecBlade_FW] firewall smtp-filter attach delete virus.exe

6.2.6  firewall smtp-filter attach enable

Syntax

firewall smtp-filter attach enable

undo firewall smtp-filter attach enable

View

System view

Parameters

None

Description

Use the firewall smtp-filter attach enable command to enable E-mail attachment filtering.

Use the undo firewall smtp-filter attach enable command to disable E-mail attachment filtering.

The attachment file name can be up to 128 characters in length.

By default, E-mail attachment filtering is disabled.

You need to configure ASPF policies and execute the detect smtp and detect tcp commands first to enable E-mail attachment filtering. Refer to ASPF Configuration Commands for information about ASPF configuration commands.

Examples

# Enable E-mail attachment filtering.

[SecBlade_FW] firewall smtp-filter attach enable

6.2.7  firewall smtp-filter attach load-file

Syntax

firewall smtp-filter attach load-file file-name

undo firewall smtp-filter attach load-file

View

System view

Parameters

file-name: Name of the filtering file to be loaded.

Description

Use the firewall smtp-filter attach load-file command to load an E-mail attachment filtering file.

Use the undo firewall smtp-filter attach load-file command to unload an E-mail attachment filtering file.

If you want to use the E-mail attachment filtering items to filter E-mails, you need first to load the E-mail attachment filtering file that contains these items.

Examples

# Load the E-mail attachment filtering file with the name attachfilter.

[SecBlade_FW] firewall smtp-filter attach load-file attachfilter

6.2.8  firewall smtp-filter attach save-file

Syntax

firewall smtp-filter attach save-file file-name

View

System view

Parameters

file-name: Name of the filtering file to be saved.

Description

Use the firewall smtp-filter attach save-file command to save an E-mail attachment filtering file.

Examples

# Save the E-mail attachment filtering file with the name attachfilter.

[SecBlade_FW] firewall smtp-filter attach save-file attachfilter

6.2.9  firewall smtp-filter content add

Syntax

firewall smtp-filter content add content-keywords

View

System view

Parameters

content-keywords: Keyword of the content filtering item to be added.

Description

Use the firewall smtp-filter content add command to add a content keyword for E-mail content filtering.

The keyword can be up to 64 bytes in length. Fuzzy matching is supported, that is, the asterisk (*) can be used in a filtering keyword. One asterisk represents up to four single-byte characters. Use asterisks in keywords with caution to avoid mismatches. A keyword cannot begin or end with an asterisk, and cannot contain more than one asterisk. For example, keywords such as test1 or te*st2 are valid, whereas te**st and t*es*t are invalid.

By default, no content filtering keyword is added.

Examples

# Add a content filtering item with the keyword abcde.

[SecBlade_FW] firewall smtp-filter content add abcde

6.2.10  firewall smtp-filter content clear

Syntax

firewall smtp-filter content clear

View

System view

Parameters

None

Description

Use the firewall smtp-filter content clear command to clear all E-mail content filtering items.

Examples

# Clear all E-mail content filtering items.

[SecBlade_FW] firewall smtp-filter content clear

6.2.11  firewall smtp-filter content delete

Syntax

firewall smtp-filter content delete content-keywords

View

System view

Parameters

content-keywords: Keyword of the content filtering item to be deleted.

Description

Use the firewall smtp-filter content delete command to delete a content keyword for E-mail content filtering.

Examples

# Delete the E-mail content filtering item with the keyword abcde.

[SecBlade_FW] firewall smtp-filter content delete abcde

6.2.12  firewall smtp-filter content enable

Syntax

firewall smtp-filter content enable

undo firewall smtp-filter content enable

View

System view

Parameters

None

Description

Use the firewall smtp-filter content enable command to enable E-mail content filtering.

Use the undo firewall smtp-filter content enable command to disable E-mail content filtering.

By default, E-mail content filtering is disabled.

You need to configure ASPF policies and execute the detect smtp and detect tcp commands first to enable E-mail content filtering. Refer to ASPF Configuration Commands for information about ASPF configuration commands.

Examples

# Enable E-mail content filtering.

[SecBlade_FW] firewall smtp-filter content enable

6.2.13  firewall smtp-filter content load-file

Syntax

firewall smtp-filter content load-file file-name

undo firewall smtp-filter content load-file

View

System view

Parameters

file-name: Name of the filtering file to be loaded.

Description

Use the firewall smtp-filter content load-file command to load an E-mail content filtering file.

Use the undo firewall smtp-filter content load-file command to unload the E-mail content filtering file.

If you want to use the E-mail content filtering items to filter E-mails, you need first to load the E-mail content filtering file that contains these items.

Examples

# Load the E-mail content filtering file whose name is contentfilter.

[SecBlade_FW] firewall smtp-filter content load-file contentfilter

6.2.14  firewall smtp-filter content save-file

Syntax

firewall smtp-filter content save-file file-name

View

System view

Parameters

file-name: Name of the E-mail content filtering file to be saved.

Description

Use the firewall smtp-filter content save-file command to save an E-mail content filtering file.

Examples

# Save the E-mail content filtering file whose name is contentfilter.

[SecBlade_FW] firewall smtp-filter content save-file contentfilter

6.2.15  firewall smtp-filter rcptto add

Syntax

firewall smtp-filter rcptto add { permit | deny } mail-address

View

System view

Parameters

permit: Permits E-mails whose addresses match the predefined E-mail address.

deny: Denies E-mails whose addresses match the predefined E-mail address.

mail-address: E-mail address to be added.

Description

Use the firewall smtp-filter rcptto add command to add an E-mail address for E-mail address filtering and specify whether to permit the E-mails that match this E-mail address.

The value of the mail-address argument can be up to 255 bytes in length (including user name, @, and the domain name). The user name part of an E-mail address must contain either the exact user name or the asterisk “*” sign, but cannot contain them both.

You can provide an E-mail address in the following forms:

An address with an exact user name and domain name (in the form user@domain): Specifies to match exact E-mail addresses.

*@163.com: Specifies to match only the domain name of E-mail addresses.

For example, if you provide *@*.sina.com for the mail-address argument, then E-mail addresses with domain name of mail.sina.com and smtp.sina.com are matched, whereas those with domain name of sina.com and smtp.sina.com.cn are not matched.

The following E-mail address forms are not supported: *@*.*.com.cn, *@news.*.com, and *@163.*. That is, you can only place asterisks “*” next to @.

When checking E-mail addresses, the system first checks domain names to find one or more items matching the current domain name the most, and then checks user names according to the configuration order. If a match is found, the system will process the item as configured.

By default, no E-mail address is added for E-mail address filtering.
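The lookup order described above (most specific domain first, then user names in configuration order, then the default method) decides which of several overlapping items wins, and it is easy to get wrong when a wildcard entry and an exact entry share a domain. The following Python model is an added example written for this page; it is not H3C code and not the SecBlade implementation. It validates mail-address arguments against the forms the manual allows, ranks items by how much of the recipient's domain they pin down, and applies a constructed rcptto configuration. It assumes that *.sina.com matches any domain with at least one extra label in front of sina.com (the manual only shows one), that domain names compare case-insensitively, and that user names compare exactly.

```python
from dataclasses import dataclass

MAX_ADDRESS_BYTES = 255   # limit stated in the manual


@dataclass(frozen=True)
class RcpttoItem:
    action: str   # "permit" or "deny"
    user: str     # exact local part, or "*" for any user
    domain: str   # exact domain, or "*.suffix" (lower-cased)


def parse_address(address: str):
    """Split a mail-address argument into (user, domain), enforcing the manual's forms."""
    if len(address.encode("utf-8")) > MAX_ADDRESS_BYTES:
        raise ValueError("address longer than 255 bytes")
    if address.count("@") != 1:
        raise ValueError("address must contain exactly one @")
    user, domain = address.split("@")
    if not user or not domain:
        raise ValueError("empty user or domain part")
    if "*" in user and user != "*":
        raise ValueError("user part must be an exact name or a lone *")
    if "*" in domain and (not domain.startswith("*.") or "*" in domain[2:]):
        raise ValueError("a domain asterisk may only appear directly after @ as '*.'")
    return user, domain.lower()


def is_valid_address(address: str) -> bool:
    try:
        parse_address(address)
        return True
    except ValueError:
        return False


def domain_specificity(pattern: str, domain: str) -> int:
    """Number of labels pattern pins down on domain, or -1 if it does not match.

    ASSUMPTION: '*.sina.com' matches any domain with one or more extra labels
    in front of 'sina.com'; an exact domain always outranks a wildcard one.
    """
    if pattern.startswith("*."):
        suffix = pattern[1:]   # ".sina.com"
        if domain.endswith(suffix) and len(domain) > len(suffix):
            return suffix.count(".")
        return -1
    return pattern.count(".") + 1 if pattern == domain else -1


class RcpttoFilter:
    def __init__(self, default: str = "permit"):
        self.default = default      # firewall smtp-filter rcptto default
        self.items = []             # kept in configuration order

    def add(self, action: str, address: str) -> None:
        user, domain = parse_address(address)
        self.items.append(RcpttoItem(action, user, domain))

    def decide(self, rcpt: str) -> str:
        """Most specific domain first, then user names in configuration order,
        then the default method."""
        user, domain = rcpt.split("@", 1)
        domain = domain.lower()
        best, candidates = -1, []
        for item in self.items:
            score = domain_specificity(item.domain, domain)
            if score < 0:
                continue
            if score > best:
                best, candidates = score, [item]
            elif score == best:
                candidates.append(item)
        for item in candidates:
            if item.user == "*" or item.user == user:
                return item.action
        return self.default


def build_example_filter() -> RcpttoFilter:
    """Constructed configuration (not from the manual) showing the ordering rules."""
    f = RcpttoFilter(default="deny")
    f.add("deny", "spammer@163.com")    # must precede the *@163.com entry to take effect
    f.add("permit", "*@163.com")
    f.add("permit", "*@*.sina.com")
    f.add("deny", "*@mail.sina.com")    # exact domain beats *.sina.com regardless of order
    return f


if __name__ == "__main__":
    f = build_example_filter()
    for rcpt in ("alice@163.com", "spammer@163.com", "bob@smtp.sina.com",
                 "bob@mail.sina.com", "bob@sina.com", "bob@smtp.sina.com.cn"):
        print(rcpt, "->", f.decide(rcpt))
```

The two comments in build_example_filter carry the practical lesson: an exact user item on the same domain as a wildcard item only takes effect if it is configured before the wildcard, whereas an exact-domain item always outranks a *.suffix item, whatever the order. Check the loaded order with display firewall smtp-filter rcptto item-all after loading a file.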

Examples

# Add *@163.com as an E-mail address filtering item and permit matched packets.

[SecBlade_FW] firewall smtp-filter rcptto add permit *@163.com

6.2.16  firewall smtp-filter rcptto clear

Syntax

firewall smtp-filter rcptto clear

View

System view

Parameters

None

Description

Use the firewall smtp-filter rcptto clear command to clear all E-mail address filtering items.

Examples

# Clear all E-mail address filtering items.

[SecBlade_FW] firewall smtp-filter rcptto clear

6.2.17  firewall smtp-filter rcptto default

Syntax

firewall smtp-filter rcptto default { permit | deny }

View

System view

Parameters

permit: Permits matched packets by default.

deny: Denies matched packets by default.

Description

Use the firewall smtp-filter rcptto default command to permit or deny packets that do not match the predefined E-mail address filtering items.

By default, packets that do not match the predefined E-mail address filtering items are permitted.

Examples

# Specify to permit matched packets by default.

[SecBlade_FW] firewall smtp-filter rcptto default permit

6.2.18  firewall smtp-filter rcptto delete

Syntax

firewall smtp-filter rcptto delete mail-address

View

System view

Parameters

mail-address: E-mail address filtering item to be deleted.

Description

Use the firewall smtp-filter rcptto delete command to delete an E-mail address filtering item.

Examples

# Delete the E-mail address filtering item with the E-mail address *@163.com.

[SecBlade_FW] firewall smtp-filter rcptto delete *@163.com

6.2.19  firewall smtp-filter rcptto enable

Syntax

firewall smtp-filter rcptto enable

undo firewall smtp-filter rcptto enable

View

System view

Parameters

None

Description

Use the firewall smtp-filter rcptto enable command to enable E-mail address filtering.

Use the undo firewall smtp-filter rcptto enable command to disable E-mail address filtering.

By default, E-mail address filtering is disabled.

You need to configure ASPF policies and execute the detect http and detect tcp commands first to enable E-mail address filtering. Refer to ASPF Configuration Commands for information about ASPF configuration commands.

Examples

# Enable E-mail address filtering.

[SecBlade_FW] firewall smtp-filter rcptto enable

6.2.20  firewall smtp-filter rcptto load-file

Syntax

firewall smtp-filter rcptto load-file file-name

undo firewall smtp-filter rcptto load-file

View

System view

Parameters

file-name: Name of the filtering file to be loaded.

Description

Use the firewall smtp-filter rcptto load-file command to load an E-mail address filtering file.

Use the undo firewall smtp-filter rcptto load-file command to unload the E-mail address filtering file.

If you want to use the E-mail address filtering items to filter packets, you need first to load the E-mail address filtering file that contains these items.

Examples

# Load the E-mail address filtering file with name of rcpttofilter.

[SecBlade_FW] firewall smtp-filter rcptto load-file rcpttofilter

6.2.21  firewall smtp-filter rcptto save-file

Syntax

firewall smtp-filter rcptto save-file file-name

View

System view

Parameters

file-name: Name of the E-mail address filtering file to be saved.

Description

Use the firewall smtp-filter rcptto save-file command to save an E-mail address filtering file.

Examples

# Save the E-mail address filtering file whose name is rcpttofilter.

[SecBlade_FW] firewall smtp-filter rcptto save-file rcpttofilter

6.2.22  firewall smtp-filter subject add

Syntax

firewall smtp-filter subject add mail-subject

View

System view

Parameters

mail-subject: E-mail subject filtering item to be added.

Description

Use the firewall smtp-filter subject add command to add an E-mail subject filtering item.

The E-mail subject can be up to 128 bytes in length. Fuzzy matching is supported, that is, the asterisk sign “*” can be used in E-mail subject keywords. One asterisk represents up to four single-byte characters. Use asterisks in keywords with caution to avoid mismatches. Besides, an E-mail subject cannot begin or end with an asterisk, nor can it contain more than two asterisks. For example, E-mail subjects such as test1 or te*st2 are valid, whereas te**st and t*es*t are invalid.

By default, no E-mail subject is added for E-mail subject filtering.
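The keyword rules above (length limit, asterisk placement, one asterisk standing for up to four single-byte characters), as an added worked model that is not H3C's code. Assumed here: an asterisk matches zero to four bytes, a keyword matches when it occurs anywhere in the subject, and, because the manual's own examples reject both te**st and t*es*t, at most one asterisk is accepted.

```python
"""Model of the E-mail subject keyword rules in this section.

Added example, not H3C code.  Assumptions: "*" stands for zero to four
single-byte characters and a keyword matches when it occurs anywhere in
the subject; the manual's text says "more than two asterisks" but its
own examples reject te**st and t*es*t, so at most one asterisk is allowed.
"""
import re
from typing import List, Optional

MAX_KEYWORD_BYTES = 128
WILDCARD_MAX_BYTES = 4   # one asterisk = up to four single-byte characters
MAX_ASTERISKS = 1        # derived from the manual's examples, see above


def validate_keyword(keyword: str) -> None:
    """Raise ValueError for a keyword the manual would reject."""
    raw = keyword.encode("utf-8")
    if not raw or len(raw) > MAX_KEYWORD_BYTES:
        raise ValueError("keyword must be 1 to 128 bytes")
    if raw.startswith(b"*") or raw.endswith(b"*"):
        raise ValueError("keyword cannot begin or end with an asterisk")
    if raw.count(b"*") > MAX_ASTERISKS:
        raise ValueError("too many asterisks in keyword")


def is_valid_keyword(keyword: str) -> bool:
    try:
        validate_keyword(keyword)
        return True
    except ValueError:
        return False


def compile_keyword(keyword: str):
    """Turn te*st2 into a bytes regex: literal 'te', 0-4 bytes, literal 'st2'."""
    validate_keyword(keyword)
    parts = keyword.encode("utf-8").split(b"*")
    gap = b".{0,%d}" % WILDCARD_MAX_BYTES
    return re.compile(gap.join(re.escape(p) for p in parts), re.DOTALL)


def matching_keyword(keywords: List[str], subject: str) -> Optional[str]:
    """First configured keyword that matches the subject, or None."""
    raw_subject = subject.encode("utf-8")   # match on bytes, not code points
    for kw in keywords:
        if compile_keyword(kw).search(raw_subject):
            return kw
    return None


if __name__ == "__main__":
    # constructed keyword list and subjects
    configured = ["Hi", "te*st2"]
    for subj in ("Re: test2 results", "te-st2", "te12345st2"):
        print(repr(subj), "->", matching_keyword(configured, subj))
```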

Examples

# Add an E-mail subject filtering item whose E-mail subject is Hi.

[SecBlade_FW] firewall smtp-filter subject add Hi

6.2.23  firewall smtp-filter subject clear

Syntax

firewall smtp-filter subject clear

View

System view

Parameters

None

Description

Use the firewall smtp-filter subject clear command to clear all E-mail subject filtering items.

Examples

# Clear all E-mail subject filtering items.

[SecBlade_FW] firewall smtp-filter subject clear

6.2.24  firewall smtp-filter subject delete

Syntax

firewall smtp-filter subject delete mail-subject

View

System view

Parameters

mail-subject: E-mail subject filtering item to be deleted.

Description

Use the firewall smtp-filter subject delete command to delete an E-mail subject filtering item.

Examples

# Delete the E-mail subject filtering item with the keyword Hi.

[SecBlade_FW] firewall smtp-filter subject delete Hi

6.2.25  firewall smtp-filter subject enable

Syntax

firewall smtp-filter subject enable

undo firewall smtp-filter subject enable

View

System view

Parameters

None

Description

Use the firewall smtp-filter subject enable command to enable E-mail subject filtering.

Use the undo firewall smtp-filter subject enable command to disable E-mail subject filtering.

An E-mail subject can be up to 512 characters in length.

By default, E-mail subject filtering is disabled.

You need to configure ASPF policies and execute the detect smtp and detect tcp commands first to enable E-mail subject filtering. Refer to ASPF Configuration Commands for information about ASPF configuration commands.

Examples

# Enable E-mail subject filtering.

[SecBlade_FW] firewall smtp-filter subject enable

6.2.26  firewall smtp-filter subject load-file

Syntax

firewall smtp-filter subject load-file file-name

undo firewall smtp-filter subject load-file

View

System view

Parameters

file-name: Name of the filtering file to be loaded.

Description

Use the firewall smtp-filter subject load-file command to load an E-mail subject filtering file.

Use the undo firewall smtp-filter subject load-file command to unload the current E-mail subject filtering file.

If you want to use the E-mail subject filtering items to filter packets, you need first to load the E-mail subject filtering file that contains these items.

Examples

# Load the E-mail subject filtering file with the name subjectfilter.

[SecBlade_FW] firewall smtp-filter subject load-file subjectfilter

6.2.27  firewall smtp-filter subject save-file

Syntax

firewall smtp-filter subject save-file file-name

View

System view

Parameters

file-name: Name of the E-mail subject filtering file to be saved.

Description

Use the firewall smtp-filter subject save-file command to save an E-mail subject filtering file.

Examples

# Save the E-mail subject filtering file with the name subjectfilter.

[SecBlade_FW] firewall smtp-filter subject save-file subjectfilter

6.2.28  reset firewall smtp-filter counter

Syntax

reset firewall smtp-filter [ rcptto | subject | content | attach ] counter

View

User view

Parameters

rcptto: Clears mail address filtering statistics.

subject: Clears mail subject filtering statistics.

content: Clears mail content filtering statistics.

attach: Clears mail attachment filtering statistics.

Description

Use the reset firewall smtp-filter counter command to clear mail filtering statistics.

Examples

# Clear mail filtering statistics.

<SecBlade_FW> reset firewall smtp-filter rcptto counter

Chapter 7  Attack Defense Configuration Commands

7.1  Attack Defense Configuration Commands

7.1.1  debugging firewall defend

Syntax

debugging firewall defend { all | arp-flood | arp-spoofing | ip-spoofing | land | smurf | fraggle | frag-flood | winnuke | syn-flood | icmp-flood | udp-flood | icmp-redirect | icmp-unreachable | ip-sweep | port-scan | source-route | route-record | tracert | ping-of-death | teardrop | tcp-flag | ip-fragment | large-icmp }

undo debugging firewall defend { all | arp-flood | arp-reverse-query | arp-spoofing | ip-spoofing | land | smurf | fraggle | frag-flood | winnuke | syn-flood | icmp-flood | udp-flood | icmp-redirect | icmp-unreachable | ip-sweep | port-scan | source-route | route-record | tracert | ping-of-death | teardrop | tcp-flag | ip-fragment | large-icmp }

View

User view

Parameters

Each keyword enables (or, with undo, disables) debugging for the corresponding attack defense function; all selects every function.

Description

Use the debugging firewall defend command to enable debugging for specific attack defense functions.

Use the undo debugging firewall defend command to disable debugging for specific attack defense functions.

Debugging for each attack defense function is disabled by default.

Related commands: display debugging.

Examples

# Enable debugging for SYN flood attack defense.

<SecBlade_FW> debugging firewall defend syn-flood

7.1.2  display firewall defend flag

Syntax

display firewall defend flag

View

Any view

Parameters

None

Description

Use the display firewall defend flag command to display the information about the types of attack defense functions enabled on SecBlade.

Examples

# Display information about the types of attack defense functions applied on the firewall.

<SecBlade_FW> display firewall defend flag

The attack defend flag is:

 ip-spoofing        land               smurf              fraggle

 winnuke            icmp-redirect      icmp-unreachable   source-route

 route-record       tracert            ping-of-death      tcp-flag

 ip-fragment        large-icmp         teardrop           ip-sweep

 port-scan          syn-flood          udp-flood          icmp-flood

 arp-spoofing       arp-flood          frag-flood

7.1.3  display firewall tcp-proxy session

Syntax

display firewall tcp-proxy session [ zone zone-name | ip ip-address ]

View

Any view

Parameters

zone zone-name: Specifies to display the TCP proxy session information about the specified destination protected zone.

ip ip-address: Specifies to display the session information about the TCP proxy with the specified IP address.

Description

Use the display firewall tcp-proxy session command to display TCP proxy session information. If neither a zone name nor an IP address is specified, this command displays all TCP proxy session information.

Examples

# Display all TCP-Proxy session information.

<SecBlade_FW> display firewall tcp-proxy session

Firewall Tcp-proxy session table information:

                                                                 

   Source zone: trust                                             

   Source IP address: 172.16.1.254          Source port: 4638   

   Destination zone: untrust                                     

   Destination IP address: 2.2.2.1          Destination port: 80 

   State:6                                                      

                                                               

   Source zone: trust                                              

   Source IP address: 172.16.1.254          Source port: 4637      

   Destination zone: untrust                                          

   Destination IP address: 2.2.2.2          Destination port: 80      

   State:6                                                           

                                                                       

   Source zone: trust                                                  

   Source IP address: 172.16.1.254          Source port: 4635           

   Destination zone: DMZ                                                     

   Destination IP address: 1.1.1.1          Destination port: 80               

   State:6                                                                     

# Display the TCP proxy session information about the specified destination protected zone.

<SecBlade_FW> display firewall tcp-proxy session zone untrust

Firewall Tcp-proxy session table information for destination zone trust:       

                                                                               

   Source zone: trust                                             

   Source IP address: 172.16.1.254          Source port: 4638   

   Destination zone: untrust                                     

   Destination IP address: 2.2.2.1          Destination port: 80 

   State:6                                                      

                                                                

   Source zone: trust                                              

   Source IP address: 172.16.1.254          Source port: 4637      

   Destination zone: untrust                                          

   Destination IP address: 2.2.2.2          Destination port: 80      

   State:6

# Display the information about the TCP proxy session with the specified destination IP address.

<SecBlade_FW> display firewall tcp-proxy session ip 2.2.2.1

Firewall Tcp-proxy session table information for destination IP 2.2.2.1:       

                                                                               

   Source zone: trust                                             

   Source IP address: 172.16.1.254          Source port: 4638   

   Destination zone: untrust                                     

   Destination IP address: 2.2.2.1          Destination port: 80 

   State:6                                                             

Table 7-1 Description on the fields of the display firewall tcp-proxy session command

Field       Description

SrcZone     Name of source protected zone

SrcIP       Source IP address

SrcPort     Source port number

DestZone    Name of destination protected zone

DestIP      Destination IP address

DestPort    Destination port number

State       State value of TCP Proxy session


7.1.4  firewall defend all

Syntax

firewall defend all

undo firewall defend all

View

System view

Parameters

None

Description

Use the firewall defend all command to enable all attack prevention functions.

Use the undo firewall defend all command to disable all attack prevention functions.

By default, no attack prevention function is enabled.

Examples

# Enable all attack prevention functions.

[SecBlade_FW] firewall defend all

7.1.5  firewall defend arp-flood

Syntax

firewall defend arp-flood [ max-rate rate-number ]

undo firewall defend arp-flood [ max-rate ]

View

System view

Parameters

max-rate rate-number: Defines the rate threshold for receiving ARP packets, which is in the range of 1 to 1,000,000 pps and defaults to 100 pps. When ARP packets arrive at a rate higher than the threshold, the firewall treats the event as an attack.

Description

Use the firewall defend arp-flood command to enable ARP Flood attack prevention.

Use the undo firewall defend arp-flood command to disable ARP Flood attack prevention.

By default, ARP Flood attack prevention is not enabled.

Examples

# Enable ARP Flood attack prevention.

[SecBlade_FW] firewall defend arp-flood

7.1.6  firewall defend arp-spoofing

Syntax

firewall defend arp-spoofing [ loose ]

undo firewall defend arp-spoofing [ loose ]

View

System view

Parameters

loose: Uses loose mode.

Description

Use the firewall defend arp-spoofing command to enable ARP spoofing attack prevention and use the non-loose detection mode.

Use the firewall defend arp-spoofing loose command to enable ARP spoofing attack prevention and use the loose detection mode. 

Use the undo firewall defend arp-spoofing command to disable ARP spoofing attack prevention.

Use the undo firewall defend arp-spoofing loose command to disable loose detection and use the non-loose detection mode instead.

ARP spoofing attack prevention works in two modes: loose detection and non-loose detection. In the non-loose detection mode (loose is not configured), the firewall considers an ARP request as an attack and discards the ARP request if its destination MAC address is a unicast address. In the loose detection mode (loose is configured), the firewall does not consider an ARP request as an attack nor discard the ARP request if its destination MAC address is a unicast address.

By default, ARP spoofing attack prevention is not enabled.

Examples

# Enable ARP spoofing attack prevention, and use the non-loose detection mode.

[SecBlade_FW] firewall defend arp-spoofing

7.1.7  firewall defend fraggle

Syntax

firewall defend fraggle

undo firewall defend fraggle

View

System view

Parameters

None

Description

Use the firewall defend fraggle command to enable Fraggle attack defense.

Use the undo firewall defend fraggle command to disable Fraggle attack defense.

Fraggle attack defense is disabled by default.

Examples

# Enable Fraggle attack defense.

[SecBlade_FW] firewall defend fraggle

7.1.8  firewall defend frag-flood

Syntax

firewall defend frag-flood [ max-identical-rate max-identical-rate ] [ max-total-rate max-total-rate ]

undo firewall defend frag-flood [ max-identical-rate ] [ max-total-rate ]

View

System view

Parameters

max-identical-rate: Maximum rate for identical fragmented packets, in the range of 1 to 10,000. The default is 50.

max-total-rate: Maximum total rate for fragmented packets, in the range of 1 to 10,000. The default is 100.

Description

Use the firewall defend frag-flood command to enable Frag flood attack prevention.

Use the undo firewall defend frag-flood command to disable Frag flood attack prevention.

If a fragment packet attack is targeted at the firewall itself, the firewall gives an alarm but discards no packet; otherwise, the firewall gives an alarm and discards the packets.

By default, Frag flood attack prevention is not enabled.

Examples

# Enable Frag flood attack prevention.

[SecBlade_FW] firewall defend frag-flood

7.1.9  firewall defend icmp-flood

Syntax

firewall defend icmp-flood { ip ip-address | zone zone-name } [ max-rate rate-number ]

undo firewall defend icmp-flood [ ip [ ip-address [ max-rate ] ] | zone [ zone-name [ max-rate ] ] ]

View

System view

Parameters

ip ip-address: Specifies the IP address of the host to be protected. If only the ip keyword is provided in the undo firewall defend icmp-flood command, ICMP Flood detection is disabled for all the protected hosts.

zone zone-name: Specifies the name of the protected zone. With a zone name specified, this command enables ICMP Flood attack detection for all IP addresses in the protected zone. If only zone is configured in the undo command, ICMP Flood detection is disabled for all the protected zones.

max-rate rate-number: Sets the rate threshold for ICMP packets to the specific destination IP address; that is, the maximum number of ICMP packets transmitted to the address in a second. If the threshold is exceeded, it will be regarded as an attack. The default value of the rate-number argument is 1,000 packets per second and the range of the number is 1 to 1,000,000 packets per second.

Description

Use the firewall defend icmp-flood command to enable ICMP Flood attack defense on a specific IP address or zone.

Use the undo firewall defend icmp-flood command to disable ICMP Flood attack defense on specific IP address or zone.

When configuring ICMP Flood attack defense, the IP-based priority is higher than the zone-based priority. If ICMP Flood attack defense is enabled on both a particular IP address and all the IP addresses in a zone to which the IP address belongs, the IP-based detection parameters are preferred. If the IP-based configuration is disabled, the zone-based parameters will be applied.

By default, ICMP Flood attack defense is disabled.

For the firewall defend icmp-flood command to take effect, make sure you first execute the global firewall defend icmp-flood enable command and enable the incoming IP packet statistics on the specific IP address or zone.

Examples

# Enable ICMP Flood attack defense for all the IP addresses in the security zone named trust and set the rate threshold of ICMP packets to 500 packets per second.

[SecBlade_FW] firewall defend icmp-flood zone trust max-rate 500

7.1.10  firewall defend icmp-flood enable

Syntax

firewall defend icmp-flood enable

undo firewall defend icmp-flood enable

View

System view

Parameters

None

Description

Use the firewall defend icmp-flood enable command to enable ICMP Flood attack defense.

Use the undo firewall defend icmp-flood enable command to disable ICMP Flood attack defense.

By default, ICMP Flood attack defense is disabled.

Examples

# Enable ICMP Flood attack defense.

[SecBlade_FW] firewall defend icmp-flood enable

7.1.11  firewall defend icmp-redirect

Syntax

firewall defend icmp-redirect

undo firewall defend icmp-redirect

View

System view

Parameters

None

Description

Use the firewall defend icmp-redirect command to enable ICMP redirect packet attack defense.

Use the undo firewall defend icmp-redirect command to disable ICMP redirect packet attack defense.

By default, ICMP redirect packet attack defense is disabled.

Examples

# Enable ICMP redirect packet attack defense.

[SecBlade_FW] firewall defend icmp-redirect

7.1.12  firewall defend icmp-unreachable

Syntax

firewall defend icmp-unreachable

undo firewall defend icmp-unreachable

View

System view

Parameters

None

Description

Use the firewall defend icmp-unreachable command to enable ICMP unreachable packet attack defense.

Use the undo firewall defend icmp-unreachable command to disable ICMP unreachable packet attack defense.

By default, ICMP unreachable packet attack defense is disabled.

Examples

# Enable ICMP unreachable packet attack defense.

[SecBlade_FW] firewall defend icmp-unreachable

7.1.13  firewall defend ip-fragment

Syntax

firewall defend ip-fragment

undo firewall defend ip-fragment

View

System view

Parameters

None

Description

Use the firewall defend ip-fragment command to enable IP fragment packet attack defense.

Use the undo firewall defend ip-fragment command to disable IP fragment packet attack defense.

By default, IP fragment packet attack defense is disabled.

Examples

# Enable IP fragment packet attack defense.

[SecBlade_FW] firewall defend ip-fragment

7.1.14  firewall defend ip-spoofing

Syntax

firewall defend ip-spoofing

undo firewall defend ip-spoofing

View

System view

Parameters

None

Description

Use the firewall defend ip-spoofing command to enable IP Spoofing attack defense.

Use the undo firewall defend ip-spoofing command to disable IP Spoofing attack defense.

By default, IP Spoofing attack defense is disabled.

 

Note:

IP Spoofing attack defense cannot be used in transparent mode.

Examples

# Enable IP Spoofing attack defense.

[SecBlade_FW] firewall defend ip-spoofing

7.1.15  firewall defend ip-sweep

Syntax

firewall defend ip-sweep [ max-rate rate-number ] [ blacklist-timeout minutes ]

undo firewall defend ip-sweep

View

System view

Parameters

max-rate rate-number: Specifies the threshold for destination address changing rate of packets sent from the same source address. The default value of rate-number is 4,000 times per second. The value ranges from 1 to 10,000 times per second.

blacklist-timeout minutes: Adds the source address to the blacklist and keeps it there for the specified time. minutes is in the range of 0 to 1,000 minutes. The default value is 0, which means the address is not added to the blacklist.

Description

Use the firewall defend ip-sweep command to enable IP Sweep attack defense.

Use the undo firewall defend ip-sweep command to disable IP Sweep attack defense.

The timeout time for an address to remain blacklisted must be greater than the firewall session aging time (configured with the firewall session aging-time command); otherwise, an attack may bypass SecBlade. The blacklist function configured with this command takes effect only after the blacklist function is enabled on the firewall.

By default, IP Sweep attack defense is disabled.

This command takes effect only after the corresponding source IP address is configured or the outbound IP statistics function of the protected zone is enabled.

Related commands: firewall blacklist

Examples

# Enable IP Sweep attack defense, setting the threshold of sweeping rate to 1,000 and the keep-in-blacklist time to five minutes, and enable the blacklist function.

[SecBlade_FW] firewall defend ip-sweep max-rate 1000 blacklist-timeout 5

[SecBlade_FW] firewall blacklist enable

7.1.16  firewall defend land

Syntax

firewall defend land

undo firewall defend land

View

System view

Parameters

None

Description

Use the firewall defend land command to enable Land attack defense.

Use the undo firewall defend land command to disable Land attack defense.

By default, Land attack defense is disabled.

Examples

# Enable Land attack defense.

[SecBlade_FW] firewall defend land

7.1.17  firewall defend large-icmp

Syntax

firewall defend large-icmp [ length ]

undo firewall defend large-icmp

View

System view

Parameters

length: Permitted maximum length of ICMP packets, in the range of 28 to 65,535 bytes. The default value is 4,000 bytes.

Description

Use the firewall defend large-icmp command to enable large ICMP packet attack defense.

Use the undo firewall defend large-icmp command to disable large ICMP packet attack defense.

By default, large ICMP packet attack defense is disabled.

Examples

# Enable large ICMP packet attack defense and permit the ICMP packets whose length is less than 4,000 bytes to pass.

[SecBlade_FW] firewall defend large-icmp 4000

7.1.18  firewall defend ping-of-death

Syntax

firewall defend ping-of-death

undo firewall defend ping-of-death

View

System view

Parameters

None

Description

Use the firewall defend ping-of-death command to enable Ping of Death attack defense.

Use the undo firewall defend ping-of-death command to disable Ping of Death attack defense.

By default, Ping of Death attack defense is disabled.

Examples

# Enable Ping of Death attack defense.

[SecBlade_FW] firewall defend ping-of-death

7.1.19  firewall defend port-scan

Syntax

firewall defend port-scan [ max-rate rate-number ] [ blacklist-timeout minutes ]

undo firewall defend port-scan

View

System view

Parameters

max-rate rate-number: Specifies the threshold for destination port changing rate of packets sent from the same source address. The default value of rate-number is 4,000 times per second. The value ranges from 1 to 10,000 times per second.

blacklist-timeout minutes: Adds the source address to the blacklist and keeps it there for the specified time. minutes is in the range of 0 to 1,000 minutes. The default value is 0, which means the address is not added to the blacklist.

Description

Use the firewall defend port-scan command to enable port scan attack defense.

Use the undo firewall defend port-scan command to disable port scan attack defense.

The timeout time for an address to remain blacklisted must be greater than the firewall session aging time (configured with the firewall session aging-time command); otherwise, an attack may bypass SecBlade. The blacklist function configured with this command takes effect only after the blacklist function is enabled on the firewall.

By default, port scan attack defense is disabled.

This command takes effect only after the corresponding source IP address is configured or the outbound IP statistics function of the protected zone is enabled.

Related commands: firewall blacklist

Examples

# Enable port scan attack defense, setting the threshold of scanning rate to 1,000 and the keep-in-blacklist time to five minutes, and enable the blacklist function.

[SecBlade_FW] firewall defend port-scan max-rate 1000 blacklist-timeout 5

[SecBlade_FW] firewall blacklist enable

7.1.20  firewall defend route-record

Syntax

firewall defend route-record

undo firewall defend route-record

View

System view

Parameters

None

Description

Use the firewall defend route-record command to enable attack defense for packets carrying route record.

Use the undo firewall defend route-record command to disable attack defense for packets carrying the route record.

By default, attack defense for packets carrying route record is disabled.

Examples

# Enable attack defense for packets carrying route record.

[SecBlade_FW] firewall defend route-record

7.1.21  firewall defend smurf

Syntax

firewall defend smurf

undo firewall defend smurf

View

System view

Parameters

None

Description

Use the firewall defend smurf command to enable Smurf attack defense.

Use the undo firewall defend smurf command to disable Smurf attack defense.

By default, Smurf attack defense is disabled.

Examples

# Enable Smurf attack defense.

[SecBlade_FW] firewall defend smurf

7.1.22  firewall defend source-route

Syntax

firewall defend source-route

undo firewall defend source-route

View

System view

Parameters

None

Description

Use the firewall defend source-route command to enable attack defense for packets carrying source route.

Use the undo firewall defend source-route command to disable attack defense for packets carrying source route.

By default, attack defense for packets carrying source route is disabled.

Examples

# Enable attack defense for packets carrying source route.

[SecBlade_FW] firewall defend source-route

7.1.23  firewall defend syn-flood

Syntax

firewall defend syn-flood { ip ip-address | zone zone-name } [ max-rate rate-number ] [ tcp-proxy ]

undo firewall defend syn-flood [ ip [ ip-address [ max-rate ] [ tcp-proxy ] ] | zone [ zone-name [ max-rate ] [ tcp-proxy ] ] ]

View

System view

Parameters

ip ip-address: Specifies the IP address of the host to be protected. If only ip is configured in the undo command, SYN Flood detection is disabled for all the protected hosts.

zone zone-name: Specifies the name of the protected zone. With a zone name specified, this command enables SYN Flood attack detection for all IP addresses in the protected zone. If only zone is configured in the undo command, SYN Flood detection is disabled for all the protected zones.

max-rate rate-number: Sets the rate threshold for SYN packets to the specific destination IP address; that is, the maximum number of SYN packets transmitted to the address in a second. If the threshold is exceeded, it will be regarded as an attack. The default value of rate-number is 1,000 packets per second and the range of the number is 1 to 1,000,000 packets per second.

tcp-proxy: Enables the TCP proxy. The TCP proxy can start automatically when the protected host is attacked by SYN Flood and close automatically when the host is safe.

Description

Use the firewall defend syn-flood command to enable SYN Flood attack defense and specify an IP address/zone to be protected.

Use the undo firewall defend syn-flood command to disable SYN Flood attack defense.

When configuring SYN Flood attack defense, the IP-based priority is higher than the zone-based priority. If the function of SYN Flood attack defense is enabled on both a specific IP address and all the IP addresses in a zone to which the IP address belongs, the IP-based detection parameters are preferred. If the IP-based configuration is disabled, the zone-based parameters will be applied.

To prevent SYN Flood attacks, TCP proxy must be enabled.

By default, SYN Flood attack defense is disabled.

For the firewall defend syn-flood command to take effect, make sure you first execute the global firewall defend syn-flood enable command and enable the incoming IP packet statistics on the specific IP or zone.
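The threshold and precedence semantics shared by firewall defend icmp-flood (7.1.9) and firewall defend syn-flood (7.1.23), as an added worked model that is not H3C's code: nothing fires until the global enable command has been given, an IP-based rule takes priority over the zone-based rule of the zone the address belongs to, and a destination whose per-second count exceeds max-rate is flagged (with the TCP proxy started when the rule carries tcp-proxy). Assumed here: packets are counted in one-second buckets, "exceeds" means strictly greater than max-rate, and the host counts as safe again in any second at or below the threshold.

```python
"""Per-destination flood threshold model for firewall defend syn-flood and
firewall defend icmp-flood.  Added example, not H3C code.  Assumptions:
one-second counting buckets, "exceeds" = strictly greater than max-rate,
and a host is safe again in any second at or below the threshold.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_MAX_RATE = 1000   # packets per second, the documented max-rate default


@dataclass(frozen=True)
class FloodRule:
    max_rate: int = DEFAULT_MAX_RATE
    tcp_proxy: bool = False   # syn-flood only; icmp-flood has no proxy keyword


@dataclass
class FloodDefense:
    enabled: bool = False                                            # ... enable
    ip_rules: Dict[str, FloodRule] = field(default_factory=dict)     # ip ip-address
    zone_rules: Dict[str, FloodRule] = field(default_factory=dict)   # zone zone-name

    def effective_rule(self, dst_ip: str, zone_of: Dict[str, str]) -> Optional[FloodRule]:
        """IP-based parameters win; zone-based ones apply only without an IP rule."""
        if not self.enabled:
            return None                      # global enable command not executed
        if dst_ip in self.ip_rules:
            return self.ip_rules[dst_ip]
        return self.zone_rules.get(zone_of.get(dst_ip, ""))


Verdict = Tuple[int, str, int, bool, bool]   # second, dst_ip, count, attack, proxy_on


def detect(defense: FloodDefense, zone_of: Dict[str, str],
           packets: List[Tuple[float, str]]) -> List[Verdict]:
    """packets: (timestamp in seconds, destination IP) of SYN or ICMP packets.

    Returns one verdict per (second, destination) that has an effective
    rule; destinations without a rule are not inspected at all.
    """
    counts = defaultdict(int)
    for ts, dst in packets:
        counts[(int(ts), dst)] += 1          # one-second buckets (assumption)
    verdicts = []
    for (sec, dst), n in sorted(counts.items()):
        rule = defense.effective_rule(dst, zone_of)
        if rule is None:
            continue
        attack = n > rule.max_rate
        verdicts.append((sec, dst, n, attack, attack and rule.tcp_proxy))
    return verdicts


if __name__ == "__main__":
    # constructed topology and configuration:
    #   firewall defend syn-flood enable
    #   firewall defend syn-flood zone trust max-rate 100 tcp-proxy
    #   firewall defend syn-flood ip 10.0.0.5 max-rate 500
    zone_of = {"10.0.0.5": "trust", "10.0.0.6": "trust", "10.0.0.9": "dmz"}
    defense = FloodDefense(enabled=True,
                           zone_rules={"trust": FloodRule(100, tcp_proxy=True)},
                           ip_rules={"10.0.0.5": FloodRule(500)})
    # constructed traffic: 150 SYNs in one second to each of two trust hosts
    pkts = [(1.0 + i / 1000, "10.0.0.6") for i in range(150)]
    pkts += [(1.0 + i / 1000, "10.0.0.5") for i in range(150)]
    for v in detect(defense, zone_of, pkts):
        print(v)
```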

Examples

# Enable SYN Flood attack defense on all the IP addresses in the security zone trust, setting the rate threshold of SYN packets to 100 packets per second, and enable the TCP proxy.

[SecBlade_FW] firewall defend syn-flood zone trust max-rate 100 tcp-proxy

7.1.24  firewall defend syn-flood enable

Syntax

firewall defend syn-flood enable

undo firewall defend syn-flood enable

View

System view

Parameters

None

Description

Use the firewall defend syn-flood enable command to enable SYN Flood attack defense globally.

Use the undo firewall defend syn-flood enable command to disable SYN Flood attack defense globally.

By default, SYN Flood attack defense is disabled globally.

Examples

# Enable SYN Flood attack defense globally.

[SecBlade_FW] firewall defend syn-flood enable

7.1.25  firewall defend tcp-flag

Syntax

firewall defend tcp-flag

undo firewall defend tcp-flag

View

System view

Parameters

None

Description

Use the firewall defend tcp-flag command to enable TCP flag validity detection.

Use the undo firewall defend tcp-flag command to disable TCP flag validity detection.

By default, TCP flag validity detection is disabled.

Examples

# Enable TCP flag validity detection.

[SecBlade_FW] firewall defend tcp-flag

7.1.26  firewall defend teardrop

Syntax

firewall defend teardrop

undo firewall defend teardrop

View

System view

Parameters

None

Description

Use the firewall defend teardrop command to enable Teardrop attack defense.

Use the undo firewall defend teardrop command to disable Teardrop attack defense.

By default, Teardrop attack defense is disabled.

Examples

# Enable Teardrop attack defense.

[SecBlade_FW] firewall defend teardrop

7.1.27  firewall defend tracert

Syntax

firewall defend tracert

undo firewall defend tracert

View

System view

Parameters

None

Description

Use the firewall defend tracert command to enable Tracert packet attack defense.

Use the undo firewall defend tracert command to disable Tracert packet attack defense.

By default, Tracert packet attack defense is disabled.

Examples

# Enable Tracert packet attack defense.

[SecBlade_FW] firewall defend tracert

7.1.28  firewall defend udp-flood

Syntax

firewall defend udp-flood { ip ip-address | zone zone-name } [ max-rate rate-number ]

undo firewall defend udp-flood [ ip [ ip-address [ max-rate ] ] | zone [ zone-name [ max-rate ] ] ]

View

System view

Parameters

ip ip-address: Specifies the IP address of the host to be protected. If only ip is configured in the undo command, UDP Flood detection is disabled for all the protected hosts.

zone zone-name: Specifies the name of the protected zone. With a zone name specified, this command enables UDP Flood attack detection for all IP addresses in the protected zone. If only zone is configured in the undo command, UDP Flood detection is disabled for all the protected zones.

max-rate rate-number: Sets the rate threshold for UDP packets to the specific destination IP address; that is, the maximum number of UDP packets transmitted to the address in a second. If the threshold is exceeded, it will be regarded as an attack. The default value of rate-number is 1,000 packets per second and the range of the number is 1 to 1,000,000 packets per second.

Description

Use the firewall defend udp-flood command to enable UDP Flood attack defense on a specific IP address or zone.

Use the undo firewall defend udp-flood command to disable UDP Flood attack defense on the specific IP address or zone.

When you configure UDP Flood attack defense, the IP-based priority is higher than the zone-based priority. If the function of UDP Flood attack defense is enabled on both a particular IP address and all the IP addresses in a zone to which the IP address belongs, the IP-based detection parameters are preferred. If the IP-based configuration is disabled, the zone-based parameters will be applied.

By default, UDP Flood attack defense is disabled.

For the firewall defend udp-flood command to take effect, make sure you first execute the global firewall defend udp-flood enable command and enable the incoming IP packet statistics on the specific IP address or zone.

Examples

# Enable UDP Flood attack defense for all the IP addresses in the security zone named trust, setting the rate threshold of UDP packets to 500 packets per second.

[SecBlade_FW] firewall defend udp-flood zone trust max-rate 500
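The SYN Flood (firewall defend syn-flood) and UDP Flood (firewall defend udp-flood) sections above describe the same precedence rule: nothing applies until the global enable command is issued, an IP-based setting overrides the zone-based setting for that address, and removing the IP-based setting makes the zone-based parameters apply again. The Python below is an added example and is not part of the H3C manual or the SecBlade software; it models that resolution and applies the resulting max-rate to one second of constructed per-destination packet counts. The zone membership map (zone_of) and the 10.0.0.x addresses are assumptions made for the example.

```python
# Added example, not from the H3C manual: resolves the flood threshold that
# applies to a destination (IP-based wins over zone-based, nothing applies
# before the global enable) and flags destinations over their max-rate.
from dataclasses import dataclass, field
from typing import Dict, Optional

DEFAULT_MAX_RATE = 1000  # packets per second, the manual's default for max-rate


@dataclass
class FloodDefense:
    """Configuration for one flood type (syn-flood or udp-flood)."""
    global_enabled: bool = False                              # firewall defend xxx-flood enable
    ip_rules: Dict[str, int] = field(default_factory=dict)    # ip ip-address max-rate N
    zone_rules: Dict[str, int] = field(default_factory=dict)  # zone zone-name max-rate N
    zone_of: Dict[str, str] = field(default_factory=dict)     # assumed: protected ip -> zone

    @staticmethod
    def _check_rate(rate: int) -> int:
        # Manual: rate-number ranges from 1 to 1,000,000 packets per second.
        if not 1 <= rate <= 1_000_000:
            raise ValueError(f"max-rate {rate} outside 1..1000000")
        return rate

    def enable_ip(self, ip: str, max_rate: int = DEFAULT_MAX_RATE) -> None:
        self.ip_rules[ip] = self._check_rate(max_rate)

    def enable_zone(self, zone: str, max_rate: int = DEFAULT_MAX_RATE) -> None:
        self.zone_rules[zone] = self._check_rate(max_rate)

    def disable_ip(self, ip: str) -> None:
        # undo ... ip ip-address: the zone-based parameters apply again.
        self.ip_rules.pop(ip, None)

    def effective_rate(self, dst_ip: str) -> Optional[int]:
        """Threshold that applies to dst_ip, or None if it is not protected."""
        if not self.global_enabled:
            return None
        if dst_ip in self.ip_rules:
            return self.ip_rules[dst_ip]
        zone = self.zone_of.get(dst_ip)
        if zone is not None and zone in self.zone_rules:
            return self.zone_rules[zone]
        return None


def detect_floods(defense: FloodDefense, packets_per_dst: Dict[str, int]) -> Dict[str, int]:
    """packets_per_dst maps a destination to the SYN (or UDP) packets seen in one
    second. Returns {destination: threshold} for every destination over its limit."""
    flagged = {}
    for dst, count in packets_per_dst.items():
        limit = defense.effective_rate(dst)
        if limit is not None and count > limit:
            flagged[dst] = limit
    return flagged


def demo_precedence(global_enabled: bool = True) -> Dict[str, int]:
    d = FloodDefense(global_enabled=global_enabled,
                     zone_of={"10.0.0.5": "trust", "10.0.0.6": "trust", "10.0.0.7": "dmz"})
    d.enable_zone("trust", 100)     # firewall defend syn-flood zone trust max-rate 100
    d.enable_ip("10.0.0.5", 5000)   # firewall defend syn-flood ip 10.0.0.5 max-rate 5000
    # One second of constructed traffic: 10.0.0.5 stays under its own 5000 limit,
    # 10.0.0.6 falls back to the zone limit of 100, 10.0.0.7 is in an unprotected zone.
    return detect_floods(d, {"10.0.0.5": 3000, "10.0.0.6": 3000, "10.0.0.7": 9999})


if __name__ == "__main__":
    print(demo_precedence())  # {'10.0.0.6': 100}
```

The same model applies to UDP Flood defense unchanged; only the counted packet type differs.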

7.1.29  firewall defend udp-flood enable

Syntax

firewall defend udp-flood enable

undo firewall defend udp-flood enable

View

System view

Parameters

None

Description

Use the firewall defend udp-flood enable command to enable UDP Flood attack defense globally.

Use the undo firewall defend udp-flood enable command to disable UDP Flood attack defense globally.

By default, UDP Flood attack defense is disabled globally.

Examples

# Enable UDP Flood attack defense globally.

[SecBlade_FW] firewall defend udp-flood enable

7.1.30  firewall defend winnuke

Syntax

firewall defend winnuke

undo firewall defend winnuke

View

System view

Parameters

None

Description

Use the firewall defend winnuke command to enable WinNuke attack defense.

Use the undo firewall defend winnuke command to disable WinNuke attack defense.

By default, WinNuke attack defense is disabled.

Examples

# Enable WinNuke attack defense.

[SecBlade_FW] firewall defend winnuke

7.1.31  firewall tcp-proxy

Syntax

firewall tcp-proxy { ip ip-address | zone zone-name }

undo firewall tcp-proxy { ip ip-address | zone zone-name }

View

System view

Parameters

ip ip-address: Specifies the IP address of the protected host.

zone zone-name: Specifies the name of the protected security zone.

Description

Use the firewall tcp-proxy command to enable TCP proxy on a specified host or security zone.

Use the undo firewall tcp-proxy command to disable TCP proxy on a specified host or security zone.

By default, TCP proxy is not enabled on any host or security zone.

Note:

Although you can also enable TCP proxy when configuring SYN flood attack defense (see the firewall defend syn-flood command), the configuration made with this command takes precedence. That is, TCP proxy is enabled to protect the target host or security zone regardless of whether SYN flood attacks occur.

Examples

# Enable TCP proxy on all hosts in a zone named trust.

[SecBlade_FW] firewall tcp-proxy zone trust

Chapter 8  IDS Cooperation Configuration Commands

8.1  IDS Cooperation Configuration Commands

8.1.1  ids-acl enable

Syntax

ids-acl enable

undo ids-acl enable

View

Interface view

Parameters

None

Description

Use the ids-acl enable command to enable issuing IDS-cooperation ACL rules to the current interface.

Use the undo ids-acl enable command to disable issuing IDS-cooperation ACL rules to the current interface.

IDS-cooperation ACL rules are not issued to any interface by default.

Examples

# Specify to issue IDS-cooperation ACL rules to GigabitEthernet 0/0.

[SecBlade_FW] interface GigabitEthernet 0/0

[SecBlade_FW-GigabitEthernet0/0] ids-acl enable

8.1.2  display ids

Syntax

display ids { all | controlled-interface | name name | source ip-addr | destination ip-addr }

View

Any view

Parameters

all: Displays all IDS cooperation messages.

controlled-interface: Displays a list of interfaces to which IDS-cooperation ACL rules are allowed to be issued.

name name: Displays the IDS cooperation message with the specified name.

source ip-addr: Displays the IDS cooperation messages with the specified source IP address.

destination ip-addr: Displays the IDS cooperation messages with the specified destination IP address.

Description

Use the display ids command to display all or some of the IDS cooperation messages.

Examples

# Display all IDS cooperation messages.

<SecBlade_FW> display ids all

Port list under IDS control is:

      GigabitEthernet0/0

Number of items 4, running items 4

ACL rules created by IDS is:

    1   Name 00000000000000000000000000001111

        Action deny,  time 12000,  curtime 11740

        Smac any,  sip 1.1.1.1,  swild 255.255.255.255,  sport 1234,  prot 6

        Dmac any,  dip 2.2.2.2,  dwild 255.255.255.255,  dport 444,  prot 6

        Interface(s) all, direction all

    2   Name 00000000000000000000000000001112

        Action deny,  time 12000,  curtime 11790

        Smac any,  sip any,  swild 0.0.0.0,  sport 0,  prot any

        Dmac any,  dip any,  dwild 0.0.0.0,  dport 0,  prot any

        Interface(s) all, direction inbound

    3   Name 00000000000000000000000000001113

        Action deny,  time 12000,  curtime 11820

        Smac any,  sip 5.5.5.5,  swild 255.255.255.255,  sport 0,  prot any

        Dmac any,  dip any,  dwild 0.0.0.0,  dport 0,  prot any

        Interface(s) all, direction all

    4   Name 00000000000000000000000000001114

        Action deny,  time 12000,  curtime 11860

        Smac any,  sip 3.3.3.3,  swild 255.255.255.255,  sport 0,  prot 1

        Dmac any,  dip 4.4.4.4,  dwild 255.255.255.255,  dport 0,  prot 1

        Interface(s) all, direction all

Number of items 4, running items 4

8.1.3  display ids-acl

Syntax

display ids-acl { all | name name }

View

Any view

Parameters

all: Displays all IDS-cooperation ACL rules.

name name: Displays the ACL rule generated based on the IDS cooperation message with the specified name.

Description

Use the display ids-acl command to display IDS-cooperation ACL rules.

Examples

# Display all IDS-cooperation ACL rules.

<SecBlade_FW> dis ids-acl all

(Total ACL number is 7)

Interface: GigabitEthernet0/0

IDS_ACL Direction: InBound

 rule 0 deny tcp source 1.1.1.1 0 source-port eq 1234 destination 2.2.2.2 0 destination-port eq 444 (0 times matched)

 rule 1 deny ip (0 times matched)

 rule 2 deny ip source 5.5.5.5 0 (0 times matched)

 rule 3 deny icmp source 3.3.3.3 0 destination 4.4.4.4 0 (0 times matched)

IDS_ACL Direction: OutBound

 rule 0 deny tcp source 1.1.1.1 0 source-port eq 1234 destination 2.2.2.2 0 destination-port eq 444 (0 times matched)

 rule 1 deny ip source 5.5.5.5 0 (0 times matched)

 rule 2 deny icmp source 3.3.3.3 0 destination 4.4.4.4 0 (0 times matched)
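Because IDS-cooperation rules are written to the interface by the IDS rather than by the administrator, it is worth parsing the display ids-acl output periodically and reviewing what has been issued. The Python below is an added example, not part of the H3C manual or the SecBlade software: it parses the rule lines into records and flags deny rules that carry no source or destination at all, since on an interface with ids-acl enable such a rule drops every IP packet in that direction (the inbound rule 1 in the output above is one). The sample text is constructed from the manual's example output.

```python
# Added example, not from the H3C manual: parse "display ids-acl all" output
# and flag IDS-issued deny rules that match all IP traffic.
import re
from typing import Dict, List, Optional

# Constructed from the manual's sample output.
SAMPLE_IDS_ACL = """(Total ACL number is 7)

Interface: GigabitEthernet0/0
IDS_ACL Direction: InBound
 rule 0 deny tcp source 1.1.1.1 0 source-port eq 1234 destination 2.2.2.2 0 destination-port eq 444 (0 times matched)
 rule 1 deny ip (0 times matched)
 rule 2 deny ip source 5.5.5.5 0 (0 times matched)
 rule 3 deny icmp source 3.3.3.3 0 destination 4.4.4.4 0 (0 times matched)
IDS_ACL Direction: OutBound
 rule 0 deny tcp source 1.1.1.1 0 source-port eq 1234 destination 2.2.2.2 0 destination-port eq 444 (0 times matched)
 rule 1 deny ip source 5.5.5.5 0 (0 times matched)
 rule 2 deny icmp source 3.3.3.3 0 destination 4.4.4.4 0 (0 times matched)
"""

RULE_RE = re.compile(
    r"^\s*rule (?P<id>\d+) (?P<action>permit|deny) (?P<proto>\S+)(?P<rest>.*?)"
    r"\((?P<matched>\d+) times matched\)\s*$"
)
# The trailing space keeps "source-port" / "destination-port" from matching here.
SRC_RE = re.compile(r"\bsource (\S+) (\S+)")
DST_RE = re.compile(r"\bdestination (\S+) (\S+)")
SPORT_RE = re.compile(r"source-port eq (\d+)")
DPORT_RE = re.compile(r"destination-port eq (\d+)")

Rule = Dict[str, Optional[object]]


def parse_ids_acl(text: str) -> List[Rule]:
    """Return one record per rule line, tagged with its interface and direction."""
    rules: List[Rule] = []
    interface = direction = None
    for line in text.splitlines():
        if line.startswith("Interface:"):
            interface = line.split(":", 1)[1].strip()
            continue
        if line.startswith("IDS_ACL Direction:"):
            direction = line.split(":", 1)[1].strip()
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        src, dst = SRC_RE.search(rest), DST_RE.search(rest)
        sport, dport = SPORT_RE.search(rest), DPORT_RE.search(rest)
        rules.append({
            "interface": interface,
            "direction": direction,
            "id": int(m.group("id")),
            "action": m.group("action"),
            "proto": m.group("proto"),
            # address/wildcard as printed, e.g. "1.1.1.1/0"
            "source": f"{src.group(1)}/{src.group(2)}" if src else None,
            "source_port": int(sport.group(1)) if sport else None,
            "destination": f"{dst.group(1)}/{dst.group(2)}" if dst else None,
            "destination_port": int(dport.group(1)) if dport else None,
            "matched": int(m.group("matched")),
        })
    return rules


def blanket_deny_rules(rules: List[Rule]) -> List[Rule]:
    """Deny rules with neither source nor destination: these block all IP traffic
    in their direction on every interface where ids-acl enable is configured."""
    return [r for r in rules
            if r["action"] == "deny" and r["proto"] == "ip"
            and r["source"] is None and r["destination"] is None]


if __name__ == "__main__":
    for r in blanket_deny_rules(parse_ids_acl(SAMPLE_IDS_ACL)):
        print(f"{r['interface']} {r['direction']} rule {r['id']} denies all IP traffic")
```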

8.1.4  debugging ids

Syntax

debugging ids

undo debugging ids

View

User view

Parameters

None

Description

Use the debugging ids command to enable the debugging for IDS cooperation.

Use the undo debugging ids command to disable the debugging for IDS cooperation.

Examples

# Enable debugging for IDS cooperation.

<SecBlade_FW> debugging ids


Chapter 9  Packet Statistics and Log Configuration Commands

9.1  Packet Statistics Configuration Commands

9.1.1  display firewall statistic

Syntax

display firewall statistic { system | zone zone-name { inzone | outzone } | ip { ip-address { source-ip | destination-ip | both } | which } }

View

Any view

Parameters

system: Displays the statistics about the firewall system.

zone zone-name: Displays the statistics about a security zone. zone-name is the name of the security zone, which can be dmz, trust, untrust and local.

ip ip-address: Displays the statistics about the IP address specified by the ip-address argument.

inzone: Displays the inbound statistics about the security zone.

outzone: Displays the outbound statistics about the security zone.

source-ip: Displays the statistics about the source address table.

destination-ip: Displays the statistics about the destination address table.

which: Specifies to display the IP address.

Description

Use the display firewall statistic command to display the statistics processed by the firewall module: the system-wide statistics, the inbound or outbound statistics of the specified security zone, or the statistics of an IP address in the source or destination address table.

Examples

# Display the global statistics about the firewall system.

<SecBlade_FW> display firewall statistic system

Firewall system statistic information:

       TotalBootCon,                 787,  Total connection(s) since last reboot

        CurTotalCon,                   4,  Current total connection(s)

       MaxSessSpeed,                   9,  Peak session speed(num/s)

       CurSessSpeed,                   0,  Current session speed(num/s)

         CurTcpSess,                   2,  Total current TCP session(s)

         CurUdpSess,                   2,  Total current UDP session(s)

        CurIcmpSess,                   0,  Total current ICMP session(s)

         CurFtpSess,                   0,  Current FTP session(s)

        CurHttpSess,                   0,  Current Http session(s)

        CurH323Sess,                   0,  Current H.323 session(s)

        CurRtspSess,                   0,  Current RTSP session(s)

        CurSmtpSess,                   0,  Current SMTP session(s)

          CurFrgTbls                   0,  Current frag table number

    CurTcpproxySess,                   0,  Total current TCP-Proxy session(s)

         RcvSynPkts,                 724,  TCP SYN packet(s) received

         RcvFinPkts,                 929,  TCP FIN packet(s) received

      RcvSynAckPkts,                 578,  TCP SYNACK packet(s) received

         RcvRstPkts,                 358,  TCP RST packet(s) received

        RcvIcmpPkts,                  10,  Received ICMP packet(s)

        RcvIcmpOcts,                 840,  Received ICMP byte(s)

       PassIcmpPkts,                  10,  Passed ICMP packet(s)

       PassIcmpOcts,                 840,  Passed ICMP byte(s)

         RcvTcpPkts,               11732,  Received TCP packet(s)

         RcvTcpOcts,             3288722,  Received TCP byte(s)

        PassTcpPkts,               11729,  Passed TCP packet(s)

        PassTcpOcts,             3288578,  Passed TCP byte(s)

         RcvUdpPkts,                2675,  Received UDP packet(s)

         RcvUdpOcts,              225437,  Received UDP byte(s)

        PassUdpPkts,                2535,  Passed UDP packet(s)

        PassUdpOcts,              211363,  Passed UDP byte(s)

         RcvEtcPkts,                   0,  Received Etc packet(s)

         RcvEtcOcts,                   0,  Received Etc byte(s)

        PassEtcPkts,                   0,  Passed Etc packet(s)

        PassEtcOcts,                   0,  Passed Etc byte(s)

        RcvFragPkts,                   0,  Received frag packet(s)

        RcvFragOcts,                   0,  Received frag byte(s)

         RcvFtpPkts,                   0,  Received FTP packet(s)

         RcvFtpOcts,                   0,  Received FTP byte(s)

        RcvSmtpPkts,                   0,  Received SMTP packet(s)

        RcvSmtpOcts,                   0,  Received SMTP byte(s)

        RcvHttpPkts,                7934,  Received Http packet(s)

        RcvHttpOcts,             3096083,  Received Http byte(s)

        RcvH323Pkts,                   0,  Received H.323 packet(s)

        RcvH323Octs,                   0,  Received H.323 byte(s)

        RcvRtspPkts,                   0,  Received RTSP packet(s)

        RcvRtspOcts,                   0,  Received RTSP byte(s)

        BlsDscdPkts,                   0,  Black list discard packet(s)

        BlsDscdOcts,                   0,  Black list discard byte(s)

       SessDscdPkts,                   0,  Failed session table discard packet(s)

       SessDscdOcts,                   0,  Failed session table discard byte(s)

          TotalPkts,               14417,  Received Total packet(s)

          TotalOcts,             3514999,  Received Total byte(s)

Note:

- The packets shown in the display above are those that have passed the firewall detection.

- The display firewall statistic command displays only the statistics generated since the statistics function was enabled. The CurTotalCon field of the display firewall statistic system command is the number of system connections established since the statistics function was enabled, which may differ from the current number of sessions in the system. The CurTotalCon field of the display firewall statistic zone trust inzone command is the number of connections established since the inbound statistics function was enabled in the zone trust.

- The statistics about received packets displayed by the display firewall statistic system command refer to all the outbound packets from all protected zones of the firewall, including those from the local zone. The statistics about permitted packets displayed by this command refer to all the inbound packets to all the protected zones of the firewall, including those sent to the local zone.

9.1.2  display firewall statistic system defend

Syntax

display firewall statistic system defend

View

Any view

Parameters

None

Description

Use the display firewall statistic system defend command to display the counts of different types of attack packets received and the number of attacks.

Examples

# Display the counts of different types of attack packets received and the number of attacks.

<SecBlade_FW> display firewall statistic system defend

  Display firewall defend statistic:

                       IP-spoofing,           7 time(s)

                              Land,           0 time(s)

                             Smurf,           0 time(s)

                           Fraggle,           0 time(s)

                           Winnuke,           0 time(s)

                         SYN-flood,           0 time(s)

                        ICMP-flood,           0 time(s)

                         UDP-flood,           0 time(s)

                     ICMP-redirect,           0 time(s)

                  ICMP-unreachable,           0 time(s)

                           Tracert,           0 time(s)

                          Tcp-flag,           0 time(s)

                     Ping-of-death,           0 time(s)

                          Teardrop,           0 time(s)

                       IP-fragment,           0 time(s)

                          IP-sweep,           2 time(s)

                        Large-icmp,           0 time(s)

               Source-route attack,           0 time(s)

               Route-record attack,           0 time(s)

                      ARP-spoofing,           0 time(s)

                         ARP-flood,           0 time(s)

                        Frag-flood,           0 time(s)

                     TCP port-scan,           0 time(s)

                     UDP port-scan,           0 time(s)

                      Other attack,           0 time(s)

                             total,           9 time(s)
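The counter tables printed by display firewall statistic system (previous section) and display firewall statistic system defend (this section) are what an operator would feed into a monitoring system. The Python below is an added example, not part of the H3C manual or the SecBlade software: it parses both outputs into dictionaries, derives the number of packets received but not passed per protocol, lists the attack categories with a non-zero count, and checks that the defend total matches the sum of its categories. The sample text is constructed from the manual's example output (a subset of lines), including the CurFrgTbls line, which the firewall prints without a comma after the counter name.

```python
# Added example, not from the H3C manual: parsers for the two statistic
# displays and a few derived checks for monitoring.
import re
from typing import Dict

# Constructed from the manual's sample output (subset of lines).
SAMPLE_SYSTEM = """Firewall system statistic information:
       TotalBootCon,                 787,  Total connection(s) since last reboot
        CurTotalCon,                   4,  Current total connection(s)
          CurFrgTbls                   0,  Current frag table number
        RcvIcmpPkts,                  10,  Received ICMP packet(s)
       PassIcmpPkts,                  10,  Passed ICMP packet(s)
         RcvTcpPkts,               11732,  Received TCP packet(s)
        PassTcpPkts,               11729,  Passed TCP packet(s)
         RcvUdpPkts,                2675,  Received UDP packet(s)
        PassUdpPkts,                2535,  Passed UDP packet(s)
        BlsDscdPkts,                   0,  Black list discard packet(s)
       SessDscdPkts,                   0,  Failed session table discard packet(s)
          TotalPkts,               14417,  Received Total packet(s)
"""

SAMPLE_DEFEND = """  Display firewall defend statistic:
                       IP-spoofing,           7 time(s)
                              Land,           0 time(s)
                         SYN-flood,           0 time(s)
                          IP-sweep,           2 time(s)
                     TCP port-scan,           0 time(s)
                             total,           9 time(s)
"""

# Name, optional comma (CurFrgTbls lacks it), value, comma, description.
COUNTER_RE = re.compile(r"^\s*([A-Za-z0-9]+),?\s+(\d+),\s+(.+?)\s*$")
# Category name (may contain spaces), count, "time(s)".
DEFEND_RE = re.compile(r"^\s*(.+?),\s+(\d+) time\(s\)\s*$")


def parse_system_statistic(text: str) -> Dict[str, int]:
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def parse_defend_statistic(text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = DEFEND_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def not_passed(stats: Dict[str, int]) -> Dict[str, int]:
    """Packets the firewall received but did not pass, per protocol family."""
    out: Dict[str, int] = {}
    for proto in ("Icmp", "Tcp", "Udp", "Etc"):
        rcv, passed = stats.get(f"Rcv{proto}Pkts"), stats.get(f"Pass{proto}Pkts")
        if rcv is not None and passed is not None:
            out[proto.upper()] = rcv - passed
    return out


def active_attacks(defend: Dict[str, int]) -> Dict[str, int]:
    """Attack categories with a non-zero count, excluding the total line."""
    return {k: v for k, v in defend.items() if v and k != "total"}


def defend_total_consistent(defend: Dict[str, int]) -> bool:
    """True if the 'total' line equals the sum of the category counts."""
    return sum(v for k, v in defend.items() if k != "total") == defend.get("total")


if __name__ == "__main__":
    print(not_passed(parse_system_statistic(SAMPLE_SYSTEM)))
    print(active_attacks(parse_defend_statistic(SAMPLE_DEFEND)))
```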

9.1.3  display firewall statistic system flow-percent

Syntax

display firewall statistic system flow-percent [ default ]

View

Any view

Parameters

default: Displays the default traffic percentage values.

Description

Use the display firewall statistic system flow-percent command to display the percentage of different types of attack packets received.

Examples

# Display the percentage of different types of attack packets received.

<SecBlade_FW> display firewall statistic system flow-percent

  Current tcp percent:   75

  Current udp percent:   15

  Current icmp percent:  5

  Current alternation:   25

  Current time interval: 60 minutes

9.1.4  firewall statistic system connect-number

Syntax

firewall statistic system connect-number { tcp | udp } { high high-value low low-value }

undo firewall statistic system connect-number { tcp | udp }

View

System view

Parameters

tcp: Indicates TCP connection.

udp: Indicates UDP connection.

high high-value: Specifies the upper threshold. The upper threshold of the number of firewall system-based TCP and UDP connections ranges from 1 to 500,000 and defaults to 500,000.

low low-value: Specifies the lower threshold. The lower threshold of the number of firewall system-based TCP and UDP connections ranges from 1 to 500,000 and defaults to 1.

Description

Use the firewall statistic system connect-number command to set the upper and lower threshold of the total number of firewall system-based TCP or UDP connections.

Use the undo firewall statistic system connect-number command to revert to the default thresholds.

The number of firewall system-based connections is the total number of connections in both directions in the system, so the system-based thresholds are not direction-sensitive. Once the number of connections exceeds the upper threshold (an abnormal state), an alarm is logged; once it falls below the lower threshold (the system has returned to the normal state), a report is logged.

Note: Use the firewall statistic system connect-number command in system view to configure system-level thresholds, and use the statistic connect-number command in security zone view to configure thresholds for a security zone or an IP address.

Examples

# Set the upper and lower thresholds of the number of firewall system-based TCP connections to 120,000 and 60,000 respectively.

[SecBlade_FW] firewall statistic system connect-number tcp high 120000 low 60000

9.1.5  firewall statistic system enable

Syntax

firewall statistic system enable

undo firewall statistic system enable

View

System view

Parameters

None

Description

Use the firewall statistic system enable command to enable global statistics.

Use the undo firewall statistic system enable command to disable global statistics.

Global statistics are enabled by default.

Examples

# Enable global statistics.

[SecBlade_FW] firewall statistic system enable

9.1.6  firewall statistic system flow-percent

Syntax

firewall statistic system flow-percent { tcp tcp-percent udp udp-percent icmp icmp-percent alteration alteration-percent [ time time-value ] }

undo firewall statistic system flow-percent

View

System view

Parameters

tcp-percent: Percentage of TCP packets, which ranges from 0 to 100 and defaults to 75.

udp-percent: Percentage of UDP packets, which ranges from 0 to 100 and defaults to 15.

icmp-percent: Percentage of ICMP packets, which ranges from 0 to 100 and defaults to 5.

alteration-percent: Alternating range allowed for each of the above three percentages, expressed as a percentage. It ranges from 0 to 25 and defaults to 25.

time-value: Interval, in minutes, at which the firewall calculates the flow percentages. It ranges from 1 to 6000 and defaults to 60.

Description

Use the firewall statistic system flow-percent command to set the percentages of the above three types of packets, their alternating range, and the detecting interval.

Use the undo firewall statistic system flow-percent command to revert to the default settings.

If the percentage of a type of packets (TCP, UDP, or ICMP) exceeds the configured percentage plus the alternating range, or falls below the configured percentage minus the alternating range, the system outputs a log alarm.

When using this command, you must set the percentages of all three packet types explicitly in one command, and the sum of the three percentages cannot exceed 100, or the command does not take effect. Percentages of other packet types are not needed.

Examples

# Set the percentage of TCP, UDP, and ICMP packets to 50, 25, and 15 respectively with an alternating range of 10%.

[SecBlade_FW] firewall statistic system flow-percent tcp 50 udp 25 icmp 15 alteration 10
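The Python below is an added example and is not part of the H3C manual or the SecBlade software. It checks a flow-percent setting against the constraints this section states (each percentage 0 to 100, alteration 0 to 25, time 1 to 6000 minutes, and a sum of the three percentages no greater than 100), then evaluates one interval of constructed packet counts the way the description says the firewall does. The alternating range is applied as an additive band around each configured percentage; that reading of the manual is an assumption, as is the treatment of packets of other types, which here count toward the total only.

```python
# Added example, not from the H3C manual: validate a flow-percent setting and
# evaluate one interval of constructed traffic counts against it.
from typing import Dict, List, Tuple


def validate_flow_percent(tcp: int, udp: int, icmp: int,
                          alteration: int, time: int = 60) -> Dict[str, int]:
    """Apply the ranges the manual gives; raise ValueError if the setting would
    be rejected or would not take effect."""
    for name, val in (("tcp", tcp), ("udp", udp), ("icmp", icmp)):
        if not 0 <= val <= 100:
            raise ValueError(f"{name} percent {val} outside 0..100")
    if not 0 <= alteration <= 25:
        raise ValueError(f"alteration {alteration} outside 0..25")
    if not 1 <= time <= 6000:
        raise ValueError(f"time {time} outside 1..6000 minutes")
    if tcp + udp + icmp > 100:
        raise ValueError("tcp + udp + icmp exceeds 100; the command would not take effect")
    return {"tcp": tcp, "udp": udp, "icmp": icmp, "alteration": alteration, "time": time}


def command_takes_effect(tcp: int, udp: int, icmp: int,
                         alteration: int, time: int = 60) -> bool:
    try:
        validate_flow_percent(tcp, udp, icmp, alteration, time)
        return True
    except ValueError:
        return False


def check_flow_percent(config: Dict[str, int],
                       counts: Dict[str, int]) -> List[Tuple[str, float, int, int]]:
    """counts holds the packets seen per protocol in one interval; an 'other'
    entry is allowed and only contributes to the total (assumption).
    Returns (proto, observed %, band low, band high) for each protocol outside
    its band, i.e. the conditions under which the firewall logs an alarm."""
    total = sum(counts.values())
    alarms: List[Tuple[str, float, int, int]] = []
    if total == 0:
        return alarms
    band = config["alteration"]  # additive band around each percentage (assumption)
    for proto in ("tcp", "udp", "icmp"):
        observed = 100.0 * counts.get(proto, 0) / total
        low, high = config[proto] - band, config[proto] + band
        if observed > high or observed < low:
            alarms.append((proto, round(observed, 1), low, high))
    return alarms


if __name__ == "__main__":
    cfg = validate_flow_percent(tcp=50, udp=25, icmp=15, alteration=10)  # the manual's example
    print(check_flow_percent(cfg, {"tcp": 3000, "udp": 6000, "icmp": 500, "other": 500}))
```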

9.1.7  firewall statistic warning-level drop

Syntax

firewall statistic warning-level drop

undo firewall statistic warning-level drop

View

System view

Parameters

None

Description

Use the firewall statistic warning-level drop command to set the warning level for the number of connections and the connection rates of the firewall to warning information output and packet drop.

Use the undo firewall statistic warning-level drop command to set the warning level for the number of connections and the connection rates of the firewall to warning information output only.

There are two warning levels. At the warning level, when the number of connections or the connection rate exceeds the upper threshold, only warning information is output. At the drop level, when the number of connections or the connection rate exceeds the upper threshold, the warning information is output and all subsequent packets are dropped; when the number of connections or the connection rate decreases to the lower threshold, packets are no longer dropped.

By default, only the warning information is output, that is, the warning level is warning.

Related commands: statistic connect-number ip, statistic connect-number zone, statistic connect-speed ip, and statistic connect-speed zone.

Examples

# Set the warning level to drop.

[SecBlade_FW] firewall statistic warning-level drop
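The two-threshold scheme in this section and in firewall statistic system connect-number is a hysteresis: an alarm fires when the count crosses the upper threshold, and the state is only cleared once the count comes back down to the lower threshold, so a count that oscillates between the two produces no repeated alarms. The Python below is an added example, not part of the H3C manual or the SecBlade software, that models this behaviour with the manual's threshold ranges and both warning levels. The manual says "falls below" the lower threshold in one place and "decreases to" it in another; the model restores at or below the lower threshold, which is an assumption.

```python
# Added example, not from the H3C manual: hysteresis alarm for a connection
# counter, with the warning and drop levels of firewall statistic warning-level.
from typing import List, Tuple


class ConnectionThresholdMonitor:
    """Upper/lower threshold alarm for a connection count (1..500,000 as in the
    manual). level is 'warning' (log only) or 'drop' (log and drop subsequent
    packets while the count is in the abnormal state)."""

    def __init__(self, high: int = 500_000, low: int = 1, level: str = "warning"):
        for name, value in (("high", high), ("low", low)):
            if not 1 <= value <= 500_000:
                raise ValueError(f"{name} threshold {value} outside 1..500000")
        if low > high:
            raise ValueError("low threshold must not exceed high threshold")
        if level not in ("warning", "drop"):
            raise ValueError("warning level is 'warning' or 'drop'")
        self.high, self.low, self.level = high, low, level
        self.abnormal = False          # True between an alarm and its restore report
        self.log: List[str] = []

    @property
    def dropping(self) -> bool:
        """Whether packets are being dropped right now."""
        return self.abnormal and self.level == "drop"

    def observe(self, connections: int) -> bool:
        """Feed one sample of the total connection count (both directions summed,
        since the manual says the system-level count is direction-insensitive).
        Returns True if packets would be dropped after this sample."""
        if not self.abnormal and connections > self.high:
            self.abnormal = True
            self.log.append(f"alarm: {connections} connections exceed upper threshold {self.high}")
        elif self.abnormal and connections <= self.low:   # restore at or below (assumption)
            self.abnormal = False
            self.log.append(f"restore: {connections} connections at or below lower threshold {self.low}")
        return self.dropping


def run_samples(samples: List[int], high: int, low: int, level: str) -> Tuple[List[bool], List[str]]:
    """Replay a constructed series of counter samples; return the per-sample
    drop decisions and the log lines produced."""
    monitor = ConnectionThresholdMonitor(high, low, level)
    return [monitor.observe(s) for s in samples], monitor.log


if __name__ == "__main__":
    # Thresholds from the manual's example (120,000 / 60,000), constructed samples.
    drops, log = run_samples([100000, 130000, 90000, 60000, 70000], 120000, 60000, "drop")
    print(drops)  # [False, True, True, False, False]
    print("\n".join(log))
```

The sample at 90,000 sits between the thresholds, so it neither clears the alarm nor produces a new one; only the drop back to 60,000 restores the normal state.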

9.1.8  reset firewall statistic ip

Syntax

reset firewall statistic ip ip-address { source-ip | destination-ip | both }

View

User view

Parameters

ip ip-address: Clears statistics information about the specified IP address.

source-ip: Clears statistics information about the specified IP address in the source address table.

destination-ip: Clears statistics information about the specified IP address in the destination address table.

both: Clears the statistics about both the source address table and destination address table.

Description

Use the reset firewall statistic ip command to clear the statistics information in the source/destination address table.

If the specified IP address does not exist in the source/destination address table, this command performs no operation.

Examples

# Clear statistics information about 1.1.1.1 in the source address table.

<SecBlade_FW> reset firewall statistic ip 1.1.1.1 source-ip

9.1.9  reset firewall statistic system

Syntax

reset firewall statistic system [ defend | current ]

View

User view

Parameters

defend: Clears defense information.

current: Clears the current connection statistics.

Description

Use the reset firewall statistic system command to clear the global statistics information or global defense information.

Examples

# Clear the global statistics information.

<SecBlade_FW> reset firewall statistic system

9.1.10  reset firewall statistic zone

Syntax

reset firewall statistic zone zone-name { inzone | outzone }

View

User view

Parameters

zone zone-name: Clears the statistics about the security zone, whose name is specified by the zone-name argument.

inzone: Clears the inbound statistics about the security zone.

outzone: Clears the outbound statistics about the security zone.

Description

Use the reset firewall statistic zone command to clear the inbound/outbound statistics about the specified security zone.

If the specified security zone does not exist, this command performs no operation.

Examples

# Clear the outbound statistics about the security zone named Trust.

<SecBlade_FW> reset firewall statistic zone trust outzone

9.1.11  statistic connect-number ip

Syntax

statistic connect-number ip outzone { tcp | udp } high high-limit low low-limit

statistic connect-number id id ip outzone { tcp | udp } high high-limit low low-limit acl-number acl-number

undo statistic connect-number [ id id ] ip outzone { tcp | udp }

statistic connect-number ip inzone { tcp | udp } high high-limit low low-limit

undo statistic connect-number ip inzone { tcp | udp }

View

Security zone view

Parameters

id id: Rule ID, in the range of 1 to 99.

ip: IP-based threshold value.

inzone: Inbound direction of the security zone.

outzone: Outbound direction of the security zone.

tcp: TCP connection.

udp: UDP connection.

high high-limit: Upper threshold value for IP-based TCP connections and UDP connections, in the range of 1 to 500,000. It is 500,000 by default.

low low-limit: Lower threshold value for IP-based TCP connections and UDP connections, in the range of 1 to 500,000. It is 450,000 by default.

acl-number acl-number: Specifies a basic ACL number ranging from 2000 to 2999. By specifying an ACL, you can control for which IP addresses the threshold values are to be set.

Description

Use the statistic connect-number ip command to set the upper and lower threshold values for the total number of IP-based TCP connections and UDP connections originated in a given direction.

Use the undo statistic connect-number ip command to restore the default values.

The IP-based connection-number thresholds are set separately for each direction in which packets pass through the security zone. When the number of connections exceeds the upper threshold value or decreases to the lower threshold value, the system takes the action configured with the firewall statistic warning-level command.

Related commands: firewall statistic warning-level.

Examples

# Set the IP-based upper threshold value for the number of TCP connections originated into the Untrust security zone to 5,000 and the lower threshold value to 500.

[SecBlade_FW-zone-untrust] statistic connect-number ip inzone tcp high 5000 low 500

9.1.12  statistic connect-number zone

Syntax

statistic connect-number zone { inzone | outzone } { tcp | udp } high high-limit low low-limit

undo statistic connect-number zone { inzone | outzone } { tcp | udp }

View

Security zone view

Parameters

zone: Specifies security zone-based thresholds.

inzone: Sets inbound thresholds for the security zone.

outzone: Sets outbound thresholds for the security zone.

tcp: Sets thresholds for TCP connections.

udp: Sets thresholds for UDP connections.

high high-limit: Sets the upper threshold for the number of security zone-based TCP/UDP connections. It ranges from 1 to 500,000 and defaults to 500,000.

low low-limit: Sets the lower threshold for the number of security zone-based TCP/UDP connections. It ranges from 1 to 500,000 and defaults to 450,000.

Description

Use the statistic connect-number zone command to set the upper and lower thresholds of the number of security zone-based TCP/UDP inbound/outbound connections.

Use the undo statistic connect-number zone command to revert to the default values.

The thresholds of number of connections are set by the direction in which packets pass through a security zone, that is, inbound thresholds and outbound thresholds are set respectively.

When the number of connections exceeds the set upper threshold value or decreases to the lower threshold value, the system will perform corresponding actions as specified in the firewall statistic warning-level command.

Related commands: firewall statistic warning-level.

Examples

# Set the upper threshold of the number of inbound TCP connections of the security zone named Untrust to 25,000 and the lower threshold to 10,000.

[SecBlade_FW-zone-untrust] statistic connect-number zone inzone tcp high 25000 low 10000

9.1.13  statistic connect-speed ip

Syntax

statistic connect-speed ip outzone { tcp | udp } high high-limit low low-limit

statistic connect-speed id id ip outzone { tcp | udp } high high-limit low low-limit acl-number acl-number

undo statistic connect-speed [ id id ] ip outzone { tcp | udp }

statistic connect-speed ip inzone { tcp | udp } high high-limit low low-limit

undo statistic connect-speed ip inzone { tcp | udp }

View

Security zone view

Parameters

id id: Specifies an ACL rule ID, in the range of 1 to 99.

ip: Indicates the thresholds are set for the IP address.

inzone: Sets inbound thresholds for the security zone.

outzone: Sets the outbound thresholds for the security zone.

tcp: Indicates TCP connections.

udp: Indicates UDP connections.

high high-limit: Sets the upper threshold for the connection speed. For TCP and UDP connections, the IP address-based upper threshold ranges from 1 to 10,000 and defaults to 10,000.

low low-limit: Sets the lower threshold for the connection speed. For TCP and UDP connections, the IP address-based lower threshold ranges from 1 to 10,000 and defaults to 9000.

acl-number acl-number: Specifies a basic ACL number ranging from 2000 to 2999. By specifying an ACL, you can control for which IP addresses the threshold values are to be set.

Description

Use the statistic connect-speed ip command to set the upper and lower connection speed threshold of the TCP and UDP connections initiated at a specific IP address.

Use the undo statistic connect-speed ip command to revert to the default settings.

The connection speed thresholds are set with respect to an IP address and apply to packets that pass through a security zone. When the connection speed exceeds the upper threshold or drops back below the lower threshold, the system takes the action configured with the firewall statistic warning-level command.

Related commands: firewall statistic warning-level.

Examples

# For inbound TCP connections of the security zone named Untrust, set the IP address-based upper connection speed threshold to 5000, and the lower connection speed threshold to 500.

[SecBlade_FW-zone-untrust] statistic connect-speed ip inzone tcp high 5000 low 500

9.1.14  statistic connect-speed zone

Syntax

statistic connect-speed zone { inzone | outzone } { tcp | udp } high high-value low low-value

undo statistic connect-speed zone { inzone | outzone } { tcp | udp }

View

Security zone view

Parameters

zone: Specifies security zone-based thresholds.

inzone: Sets inbound thresholds for the security zone.

outzone: Sets outbound thresholds for the security zone.

tcp: Sets thresholds for TCP connections.

udp: Sets thresholds for UDP connections.

high high-value: Sets the upper threshold for the connection speed. For TCP and UDP connections, the security zone-based upper threshold ranges from 1 to 10,000 and defaults to 10,000.

low low-value: Sets the lower threshold for the connection speed. For TCP and UDP connections, the security zone-based lower threshold ranges from 1 to 10,000 and defaults to 9000.

Description

Use the statistic connect-speed zone command to set the upper and lower connection speed thresholds for the security zone-based TCP and UDP connections initiated in a given direction.

Use the undo statistic connect-speed zone command to restore the default values.

The connection speed thresholds are set with respect to a security zone and apply to packets that pass through a security zone. When a connection speed is greater than the upper threshold or is restored below the lower threshold, the system takes actions as configured with the firewall statistic warning-level command.

Related commands: firewall statistic warning-level.

Examples

# For inbound TCP connections of the security zone named Trust, set the security zone-based upper connection speed threshold to 2500 and the lower connection speed threshold to 1000.

[SecBlade_FW-zone-trust] statistic connect-speed zone inzone tcp high 2500 low 1000
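The two commands above (statistic connect-speed ip and statistic connect-speed zone) configure a threshold pair, and the description states that the device acts when the speed exceeds the upper threshold and again when it is restored below the lower threshold. The following added example, which is not part of the H3C manual or firmware, models that hysteresis on a constructed sequence of per-second connection counts so that the effect of the gap between high and low is visible: a rate that oscillates between the two limits changes the alarm state only twice. The range checks and the measurement unit (new connections per second) are assumptions based on the parameter text; the actions themselves (firewall statistic warning-level) are not modelled.

```python
"""Hysteresis model of the SecBlade connect-speed thresholds.

Added illustration, not H3C code. A threshold pair behaves like the high/low
limits of 'statistic connect-speed': an alarm is raised once the measured rate
exceeds the upper threshold and is cleared only after the rate drops below the
lower threshold, so a rate that stays between the two limits never flaps.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ConnectSpeedThreshold:
    """One threshold pair, e.g. 'statistic connect-speed ip inzone tcp high 5000 low 500'."""

    scope: str        # "ip" or "zone"
    direction: str    # "inzone" or "outzone"
    proto: str        # "tcp" or "udp"
    high: int = 10000 # manual default for the upper threshold
    low: int = 9000   # manual default for the lower threshold
    alarmed: bool = field(default=False, init=False)

    def __post_init__(self) -> None:
        # Assumed validation: the manual gives 1..10000 for both limits; a low
        # limit above the high limit could never clear an alarm, so reject it.
        for name, value in (("high", self.high), ("low", self.low)):
            if not 1 <= value <= 10000:
                raise ValueError(f"{name} {value} is outside 1-10000")
        if self.low > self.high:
            raise ValueError("low threshold must not exceed high threshold")

    def observe(self, rate: int) -> Optional[str]:
        """Feed one measurement (assumed: new connections per second).

        Returns an event name when the alarm state changes, else None.
        """
        if not self.alarmed and rate > self.high:
            self.alarmed = True
            return "exceed-high"
        if self.alarmed and rate < self.low:
            self.alarmed = False
            return "restore-low"
        return None


def run_trace(threshold: ConnectSpeedThreshold,
              rates: List[int]) -> List[Tuple[int, int, str]]:
    """Return (second, rate, event) for every measurement that changed state."""
    events = []
    for second, rate in enumerate(rates):
        event = threshold.observe(rate)
        if event is not None:
            events.append((second, rate, event))
    return events


# Constructed sample: inbound TCP connection rate of one host, per second.
# Seconds 4 and 5 sit between low (500) and high (5000) and must not flap.
SAMPLE_RATES = [100, 4000, 5200, 5600, 3000, 800, 450, 700, 5100, 200]


def demo() -> List[Tuple[int, int, str]]:
    """Replay SAMPLE_RATES against the manual's example: high 5000, low 500."""
    threshold = ConnectSpeedThreshold("ip", "inzone", "tcp", high=5000, low=500)
    return run_trace(threshold, SAMPLE_RATES)


if __name__ == "__main__":
    for second, rate, event in demo():
        print(f"t={second:2d}s rate={rate:5d} -> {event}")
```

Running the block shows four state changes: the alarm is raised at 5200, survives the dips to 3000 and 800, clears only at 450, and is raised and cleared once more at the end. Choosing a lower threshold well below the upper one is what keeps the warning-level actions from firing repeatedly on a rate that hovers around the limit.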

9.1.15  statistic enable

Syntax

statistic enable { ip | zone } { inzone | outzone }

undo statistic enable { ip | zone } { inzone | outzone }

View

Security zone view

Parameters

inzone: Counts the inbound packets of the security zone or the IP address. An inbound packet is a packet destined for the local zone or the IP address.

outzone: Counts the outbound packets of the security zone or the IP address. An outbound packet is a packet sourced from the local zone or the IP address.

Description

Use the statistic enable command to enable security zone/IP-based statistics.

Use the undo statistic enable command to disable security zone/IP-based statistics.

By default, zone/IP-based statistics are disabled.

Examples

# Enable IP-based statistics in the security zone named Trust, counting inbound packets by destination address only.

[SecBlade_FW-zone-trust] statistic enable ip inzone

# Enable security zone-based statistics in the security zone named Trust, counting outbound packets.

[SecBlade_FW-zone-trust] statistic enable zone outzone

9.2  SMTP Client Configuration Commands

9.2.1  debugging smtpc

Syntax

debugging smtpc

undo debugging smtpc

View

User view

Parameters

None

Description

Use the debugging smtpc command to enable SMTP client debugging.

Use the undo debugging smtpc command to disable SMTP client debugging.

By default, SMTP client debugging is disabled.

Examples

# Enable SMTP client debugging.

<SecBlade_FW> debugging smtpc

  The debug switch for smtp client opened.

9.2.2  display smtpc

Syntax

display smtpc [ administrator | trigger ]

View

Any view

Parameters

administrator: Displays the configured mail recipients.

trigger: Displays the configured trigger times.

Description

Use the display smtpc command to display the configuration of the SMTP client.

Examples

# Display the mail recipient.

<SecBlade_FW> display smtpc administrator

  The following mail address configured:

         [email protected]

         [email protected]

# Display the trigger time.

<SecBlade_FW> display smtpc trigger

  The following trigger time configured:


         10:30   12:00   15:15   17:30

9.2.3  smtpc administrator mail

Syntax

smtpc administrator mail mail-address

undo smtpc administrator { all | mail mail-address }

View

System view

Parameters

mail-address: Address of the mail recipient.

all: Deletes the addresses of all recipients.

Description

Use the smtpc administrator mail command to configure the recipient address.

Use the undo smtpc administrator command to delete one recipient address or all of them.

The recipient address to be added must be compliant with the format of the SMTP mail address. You can add up to five recipient addresses using this command multiple times.

By default, no recipient address is configured.

Examples

# Add a recipient address [email protected].

[SecBlade_FW] smtpc administrator mail [email protected]

  The mail address [email protected] has been added.

9.2.4  smtpc trigger time

Syntax

smtpc trigger time hh:mm

undo smtpc trigger { all | time hh:mm }

View

System view

Parameters

hh:mm: Trigger time in the range of 00:00 to 23:59.

all: Cancels all configured trigger times.

Description

Use the smtpc trigger time command to configure the daily trigger time of a scheduled mail.

Use the undo smtpc trigger command to cancel one trigger time or all of them.

You can add up to five trigger times by using this command multiple times.

By default, no trigger time for the mail is configured.

Examples

# Configure the trigger time to be 17:30.

[SecBlade_FW] smtpc trigger time 17:30

  The trigger time 17:30 has been added.

9.3  DNSC Configuration Commands

9.3.1  debugging dnsc

Syntax

debugging dnsc

undo debugging dnsc

View

User view

Parameters

None

Description

Use the debugging dnsc command to enable DNSC debugging.

Use the undo debugging dnsc command to disable DNSC debugging.

By default, DNSC debugging is disabled.

Examples

# Enable DNSC debugging.

<SecBlade_FW> debugging dnsc

9.3.2  display dnsc

Syntax

display dnsc { server | cache }

View

Any view

Parameters

server: Displays the configured DNS servers.

cache: Displays the DNS cache entries.

Description

Use the display dnsc command to display DNSC configuration.

Examples

# Display the DNS servers configured.

<SecBlade_FW> display dnsc server

  10.1.1.1

  10.1.1.2

  10.1.1.3

  Total 3 dns server configed.

9.3.3  dnsc server

Syntax

dnsc server ip ip-address

undo dnsc server { all | ip ip-address }

View

System view

Parameters

ip ip-address: Specifies an IP address for the DNS server.

all: Removes all configured DNS servers.

Description

Use the dnsc server command to configure a DNS server.

Use the undo dnsc server command to remove one configured DNS server or all of them.

By default, no DNS server is configured.

Examples

# Configure a DNS server with an IP address of 10.1.1.3.

[SecBlade_FW] dnsc server ip 10.1.1.3

9.3.4  dnsc cache

Syntax

dnsc cache add domain domain-name type { a | mx } ip ip-address ttl ttl

dnsc cache delete domain domain-name type { a | mx }

undo dnsc cache { all | domain domain-name type { a | mx } }

View

System view

Parameters

add: Adds a DNS cache entry.

delete: Deletes a DNS cache entry.

domain domain-name: Specifies a domain name containing 3 to 255 characters.

type: Specifies the type of cache entries.

a: Specifies host (A) records.

mx: Specifies mail exchange records.

ip ip-address: Specifies the IP address corresponding to the domain name.

ttl ttl: Specifies the cache entry TTL (time to live) in milliseconds, ranging from 0 to 4,294,967,295.

all: Deletes all cache entries.

Description

Use the dnsc cache add command to add a DNS cache entry.

Use the dnsc cache delete command or the undo dnsc cache command to delete a DNS cache entry.

By default, no DNS cache entry is configured.

Examples

# Add an MX-type cache entry for h3c.com with a TTL of 600,000 milliseconds.

[SecBlade_FW] dnsc cache add domain h3c.com type mx ip 1.1.1.1 ttl 600000
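The dnsc cache command keys each entry on a domain name plus a record type (A or MX) and gives it a TTL in milliseconds. The following added example, which is not H3C code, models such a cache on a simulated clock so that the expiry behaviour is explicit: an entry added with ttl 600000 (the manual's example) answers lookups for 600 seconds and then misses without any explicit delete. The range checks mirror the parameter text; treating the domain name case-insensitively and expiring a ttl 0 entry immediately are assumptions of this model.

```python
"""Model of the SecBlade DNSC cache with millisecond TTLs.

Added illustration, not H3C code. Entries are keyed by (domain, record type)
as in 'dnsc cache add domain <name> type { a | mx } ip <addr> ttl <ms>'.
"""
from typing import Dict, Optional, Tuple

RECORD_TYPES = ("a", "mx")        # host (A) and mail exchange (MX) records
MAX_TTL_MS = 4_294_967_295        # upper end of the ttl range in the manual


class DnsCache:
    def __init__(self) -> None:
        # (domain, type) -> (ip address, absolute expiry time in ms)
        self._entries: Dict[Tuple[str, str], Tuple[str, int]] = {}

    @staticmethod
    def _key(domain: str, rtype: str) -> Tuple[str, str]:
        # Assumption: DNS names are case-insensitive, so normalise the key.
        return domain.lower(), rtype

    def add(self, domain: str, rtype: str, ip: str, ttl_ms: int, now_ms: int) -> None:
        """Equivalent of 'dnsc cache add'; re-adding replaces the entry."""
        if rtype not in RECORD_TYPES:
            raise ValueError(f"type must be one of {RECORD_TYPES}")
        if not 3 <= len(domain) <= 255:          # manual: 3 to 255 characters
            raise ValueError("domain name must be 3 to 255 characters")
        if not 0 <= ttl_ms <= MAX_TTL_MS:        # manual: 0 to 4,294,967,295
            raise ValueError("ttl out of range")
        self._entries[self._key(domain, rtype)] = (ip, now_ms + ttl_ms)

    def delete(self, domain: str, rtype: str) -> bool:
        """Equivalent of 'dnsc cache delete'; True if an entry was removed."""
        return self._entries.pop(self._key(domain, rtype), None) is not None

    def clear(self) -> None:
        """Equivalent of 'undo dnsc cache all'."""
        self._entries.clear()

    def lookup(self, domain: str, rtype: str, now_ms: int) -> Optional[str]:
        """Return the cached address, or None on a miss or an expired entry.

        Assumption: an entry whose expiry time has been reached is stale and
        is dropped on the lookup that finds it.
        """
        key = self._key(domain, rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        ip, expires_ms = entry
        if now_ms >= expires_ms:
            del self._entries[key]
            return None
        return ip

    def __len__(self) -> int:
        return len(self._entries)


def demo() -> Tuple[Optional[str], Optional[str], Optional[str], int]:
    """Replay the manual's example entry against a simulated clock."""
    cache = DnsCache()
    cache.add("h3c.com", "mx", "1.1.1.1", ttl_ms=600_000, now_ms=0)
    hit = cache.lookup("H3C.com", "mx", now_ms=599_999)   # still valid
    wrong_type = cache.lookup("h3c.com", "a", now_ms=0)   # A record not cached
    expired = cache.lookup("h3c.com", "mx", now_ms=600_000)
    return hit, wrong_type, expired, len(cache)


if __name__ == "__main__":
    print(demo())
```

The record type is part of the key, so caching an MX record for a domain does not answer A-record lookups for the same name, and deleting one type leaves the other in place; that is why both dnsc cache delete and undo dnsc cache require the type along with the domain.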

9.4  Log Configuration Commands

9.4.1  firewall session log-type

Syntax

firewall session log-type syslog

undo firewall session log-type

View

System view

Parameters

syslog: Outputs traffic logs in text (syslog) format.

Description

Use the firewall session log-type command to set the output format (text or binary) of traffic log.

Use the undo firewall session log-type command to restore the default configuration.

Traffic logs are output in text format by default.

Examples

# Output traffic logs in syslog format.

[SecBlade_FW] firewall session log-type syslog

9.4.2  firewall log-time

Syntax

firewall { defend | statistic | http | smtp } log-time time

undo firewall { defend | statistic | http | smtp } log-time

View

System view

Parameters

defend: Attack prevention information.

session: Session information.

statistic: Traffic statistics information.

http: HTTP filtering information.

smtp: SMTP filtering information.

time: Interval (in seconds) at which the log buffer is scanned, in the range of 1 to 65,535.

Description

Use the firewall log-time command to set the interval at which the specified log buffer is scanned.

Use the undo firewall log-time command to restore the default scan interval.

The scan interval is 30 seconds by default.

Examples

# Set the scan interval of the defense log buffer to 100 seconds.

[SecBlade_FW] firewall defend log-time 100

9.4.3  reset firewall log-buf

Syntax

reset firewall log-buf { session | defend | statistic | http | smtp }

View

User view

Parameters

session: Clears the NAT/ASPF log buffer.

defend: Clears the defense log buffer.

statistic: Clears the statistics log buffer.

http: Clears the HTTP filtering log buffer.

smtp: Clears the SMTP filtering log buffer.

Description

Use the reset firewall log-buf command to clear a log buffer.

Examples

# Clear the NAT/ASPF log buffer.

<SecBlade_FW> reset firewall log-buf session
