Array AG 9.4 CLI Handbook
Copyright Statement
Copyright©2000-2018 Array Networks, Inc., 1371 McCarthy Blvd, Milpitas, California 95035,
USA. All rights reserved.
This document is protected by copyright and distributed under licenses restricting its use, copying,
distribution, and compilation. No part of this document can be reproduced in any form by any
means without prior written authorization of Array Networks. Documentation is provided “as is”
without warranty of any kind, either express or implied, including any kind of implied or express
warranty of non-infringement or the implied warranties of merchantability or fitness for a
particular purpose.
Array Networks reserves the right to change any products described herein at any time, and
without notice. Array Networks assumes no responsibility or liability arising from the use of
products described herein, except as expressly agreed to in writing by Array Networks. The use
and purchase of this product does not convey a license to any patent copyright, or trademark rights,
or any other intellectual property rights of Array Networks.
        Warning: Modifications made to the Array Networks unit, unless expressly approved by
        Array Networks, could void the user’s authority to operate the equipment.
Declaration of Conformity
We, Array Networks, Inc., 1371 McCarthy Blvd, Milpitas, CA 95035, 1-866-692-7729; declare
under our sole responsibility that the product(s) Array Networks, Array Appliance complies with
Part 15 of FCC Rules. Operation is subject to the following two conditions: (1) this device can not
cause harmful interference, and (2) this device must accept any interference received, including
interference that can cause undesired operation.
        Warning: This is a Class A digital device, pursuant to Part 15 of the FCC rules. These
        limits are designed to provide reasonable protection against harmful interference when the
        equipment is operated in a commercial environment. This equipment generates, uses, and
        can radiate radio frequency energy, and if not installed and used in accordance with the
        instruction manual, can cause harmful interference to radio communications. In a
        residential area, operation of this equipment is likely to cause harmful interference in
        which case the user can be required to take adequate measures. In a domestic environment
        this product can cause radio interference in which case the user can be required to take
        adequate measures.
2000-2018 Array Networks, Inc. All Rights Reserved.
About Array Networks
Array Networks is a global leader in networking solutions for connecting users and applications
while ensuring performance, availability and security. Using Array, companies can provide access
for any user, anywhere, on any device to applications, desktops and services running in either the
cloud or the enterprise data center. From Web sites to e-commerce to enterprise applications to
cloud services, Array solutions deliver a premium end-user experience and demonstrable security
while ensuring that revenue and productivity gains always outweigh CAPEX and OPEX.
Engineered for the modern data center, Array Networks application, desktop and cloud service
delivery solutions support the scalability, price-performance, software agility and leading-edge
feature innovation essential for successfully transforming today's challenges in mobile and cloud
computing into opportunities for mobilizing and accelerating business.
Contacting Array Networks
Please use the following information to contact us at Array Networks:
Website:
https://www.arraynetworks.com/
Telephone:
Phone: (408)240-8700
Toll Free: 1-866-692-7729 (1-866-MY-ARRAY)
Support: 1-877-992-7729 (1-877-99-ARRAY)
Fax: (408)240-8754
Telephone access to Array Networks is available Monday through Friday, 9 A.M. to 5 P.M. PST.
Email:
info@arraynetworks.com
Address:
1371 McCarthy Boulevard
Milpitas, California 95035, USA
Revision History
Date                 Description
July 4, 2016         9.4.0.49 GA release.
October 18, 2016     Updated for ArrayOS AG 9.4.0.66 patch release.
January 3, 2017      Updated for ArrayOS AG 9.4.0.94 patch release.
February 27, 2017    Updated for ArrayOS AG 9.4.0.107 patch release.
April 24, 2017       Updated for ArrayOS AG 9.4.0.135 patch release.
August 21, 2017      Updated for ArrayOS AG 9.4.0.163 patch release.
October 30, 2017     Updated for ArrayOS AG 9.4.0.170 patch release.
January 2, 2018      Updated for ArrayOS AG 9.4.0.188 patch release.
March 30, 2018       Updated for ArrayOS AG 9.4.0.201 patch release.
Table of Contents
Copyright Statement ......................................................................................................................... I
Declaration of Conformity ................................................................................................................ I
About Array Networks ..................................................................................................................... II
Contacting Array Networks ............................................................................................................. II
Revision History ............................................................................................................................. III
Table of Contents ............................................................................................................................IV
Chapter 1 CLI Basics ........................................................................................................................ 1
       Login to the AG Appliance ....................................................................................................... 2
       Levels of Global Access Control .............................................................................................. 2
       Levels of Virtual Site Access Control ....................................................................................... 4
       Switching Between Global and Virtual Site ............................................................................. 4
Chapter 2 Basic System Operations .................................................................................................. 6
       Basic Commands....................................................................................................................... 6
       Basic Network Settings ........................................................................................................... 12
       DNS Settings ........................................................................................................................... 21
       System Tune Settings .............................................................................................................. 26
       System Time Settings.............................................................................................................. 29
Chapter 3 Virtual Site ..................................................................................................................... 31
       Virtual Site .............................................................................................................................. 31
       SSL.......................................................................................................................................... 33
              SM2 ................................................................................................................................. 52
Chapter 4 AAA ............................................................................................................................... 57
       General Settings ...................................................................................................................... 57
       Server ...................................................................................................................................... 59
              LocalDB .......................................................................................................................... 60
              LDAP .............................................................................................................................. 83
              RADIUS .......................................................................................................................... 96
              Certificate ...................................................................................................................... 101
              SMS............................................................................................................................... 113
              SMX .............................................................................................................................. 120
              HTTP............................................................................................................................. 122
       SAML ................................................................................................................................... 133
       OAuth Authentication ........................................................................................................... 136
       Method .................................................................................................................................. 142
       Rank ...................................................................................................................................... 144
       Accounting ............................................................................................................................ 145
       Group Mapping ..................................................................................................................... 146
       Hardware ID.......................................................................................................................... 147
Chapter 5 User Policy ................................................................................................................... 158
       Role Configuration ................................................................................................................ 158
       ACL Configuration ............................................................................................................... 172
       Session Management............................................................................................................. 176
              Global Settings .............................................................................................................. 176
              Per-VS Settings ............................................................................................................. 180
Chapter 6 Access Method ............................................................................................................. 188
       Web Access ........................................................................................................................... 188
              QuickLink ..................................................................................................................... 188
              WRM............................................................................................................................. 191
              Custom Rewrite............................................................................................................. 194
              URL Policy ................................................................................................................... 195
              SSO ............................................................................................................................... 198
              Proxy ............................................................................................................................. 202
              URL Filter ..................................................................................................................... 204
              Statistics ........................................................................................................................ 204
       Network Access and Array Client......................................................................................... 205
              General Settings ............................................................................................................ 205
              Netpool .......................................................................................................................... 206
              VPN Resource/VPN Resource Group ........................................................... 225
              Speed Tunnel................................................................................................................. 230
              VPN Valid Code ........................................................................................................... 232
              Mobile VPN .................................................................................................................. 233
              Site2Site VPN ............................................................................................................... 242
       HTTP Setting Commands ..................................................................................................... 243
       File Share .............................................................................................................................. 258
Chapter 7 Web Portal .................................................................................................................... 260
       Portal Configuration .............................................................................................................. 260
       Portal Customization ............................................................................................................. 272
              Portal Custom................................................................................................................ 272
              Portal Theme ................................................................................................................. 276
       DesktopDirect Integration ..................................................................................................... 280
       Application SSO ................................................................................................................... 281
Chapter 8 High Availability .......................................................................................................... 282
       Cluster ................................................................................................................................... 282
       HA (High Availability) ......................................................................................................... 287
              General Settings ............................................................................................................ 288
              HA Groups .................................................................................................................... 296
              Health Check ................................................................................................................. 299
              Decision ........................................................................................................................ 309
Chapter 9 WebWall....................................................................................................................... 312
       Access List ............................................................................................................................ 312
       Access Group ........................................................................................................................ 321
       WebWall ............................................................................................................................... 322
Chapter 10 Client Security ............................................................................................................ 324
Chapter 11 System Monitoring ..................................................................................................... 330
       Graphic Monitoring............................................................................................................... 330
       Logging ................................................................................................................................. 330
              General Settings ............................................................................................................ 330
              Log Customization ........................................................................................................ 332
             Remote Syslog Host ...................................................................................................... 334
             Disabling Individual System Log.................................................................................. 337
             Log Alert ....................................................................................................................... 337
       SNMP Commands................................................................................................................. 338
             General Settings ............................................................................................................ 338
             SNMP Request .............................................................................................................. 339
             SNMP Access Control .................................................................................................. 341
             SNMP Traps.................................................................................................................. 342
      Troubleshooting Commands ................................................................................................. 344
      Debug Commands ................................................................................................................. 346
             General Settings ............................................................................................................ 346
             Debug Snapshot ............................................................................................................ 347
             Debug Trace .................................................................................................................. 348
             Debug Usage ................................................................................................................. 352
             Debug File Export ......................................................................................................... 352
             Debug Monitor .............................................................................................................. 353
Chapter 12 Admin Tools ............................................................................................................... 356
      Administrators....................................................................................................................... 356
             Admin User and Admin Access .................................................................................... 356
             Role-based Privilege Management ............................................................................... 360
             Admin AAA .................................................................................................................. 362
      System Access ...................................................................................................................... 371
             Console Access ............................................................................................................. 371
             WebUI Access............................................................................................................... 371
             WebUI SSL Settings ..................................................................................................... 373
             SSH Access ................................................................................................................... 373
             RESTful API Access ..................................................................................................... 376
             XML-RPC Access......................................................................................................... 376
      System Management ............................................................................................................. 377
             System Information ....................................................................................................... 377
              System Resource Status ................................................................................................ 379
              System License ............................................................................................................. 379
              System Reboot and Shutdown ...................................................................................... 379
              System Update and Fallback ......................................................................................... 381
              System Dump ................................................................................................................ 383
       Configuration Management .................................................................................................. 383
              Viewing Running Configuration and Startup Configuration ........................................ 383
              Configuration Backup ................................................................................................... 384
              Configuration Restore ................................................................................... 388
              Configuration Clearance ............................................................................................... 391
              Configuration Factory Reset ......................................................................................... 392
              Configuration Synchronization ..................................................................................... 392
       Remote Host Access ............................................................................................................. 395
Chapter 13 Advanced System Operations..................................................................................... 397
       RTS ....................................................................................................................................... 397
       Bond ...................................................................................................................................... 398
       NAT ...................................................................................................................................... 399
       HTTP Compression............................................................................................................... 400
Chapter 14 IPv6 Support ............................................................................................................... 404
Chapter 15 DesktopDirect ............................................................................................................. 405
       Basic ART Commands.......................................................................................................... 405
              Name Resolution ........................................................................................................... 405
       ART Instance ........................................................................................................................ 406
       ART Users, Groups and Desktops ........................................................................................ 408
              ART User ...................................................................................................................... 408
              ART Group ................................................................................................................... 409
              Desktop Publishing ....................................................................................................... 412
       Power Management............................................................................................................... 415
       Device Based Identification .................................................................................................. 419
       Host SSO ............................................................................................................................... 424
       Registration Policies ............................................................................................................. 425
       SMX & VMView SSO ......................................................................................................... 426
       Replication ............................................................................................................................ 427
       Client Package ...................................................................................................................... 428
       Application Publishing .......................................................................................................... 428
              Terminal Server............................................................................................................. 428
              XenApp Definition ........................................................................................................ 434
              Association .................................................................................................................... 436
       External Providers ................................................................................................................. 438
       Data Protection...................................................................................................................... 444
       Client Settings ....................................................................................................................... 447
       Client Verification................................................................................................................. 461
       ART Import and Export ........................................................................................................ 463
              Import ............................................................................................................................ 463
              Export ............................................................................................................................ 465
Chapter 16 MotionPro................................................................................................................... 467
       Basic Commands................................................................................................................... 467
       AAA ...................................................................................................................................... 467
       Role ....................................................................................................................................... 471
       Client Rule ............................................................................................................................ 472
       Web Resources...................................................................................................................... 475
              Web APP ....................................................................................................................... 475
       Native Applications............................................................................................................... 477
       MDM..................................................................................................................................... 479
       Backup and Restore .............................................................................................................. 481
       Import and Export ................................................................................................................. 481
       Portal Configuration .............................................................................................................. 483
       Synchronization .................................................................................................................... 484
Appendix I System CLI Boundaries ............................................................................................. 486
Appendix II SNMP OID List ........................................................................................................ 492
2000-2018 Array Networks, Inc.
                                                                                                                                                   IX
All Rights Reserved.
Chapter 1 CLI Basics
The CLI allows you to configure and control key functions of the AG appliance to better manage
the performance of your servers and the accessibility to the contents therein.
The AG appliance software has been designed with specific enhancements to make interaction
with the Appliance more user friendly, such as Shorthand. Shorthand is the intuitive method by
which the Appliance completes CLI commands based on the first letters entered. Other user
shortcuts are listed below:
                                      Table 1-1 List of Shortcuts
       CLI Shortcuts                                           Operation
           Ctrl+a/e               Move the cursor to the beginning/end of a line.
           Ctrl+f/b               Move the cursor forward/backward one character.
            Esc+f                 Move the cursor forward one word.
           Esc+b                  Move the cursor backward one word.
           Ctrl+d                 Delete the character under the cursor.
           Ctrl+k                 Delete from the cursor to the end of the line.
           Ctrl+u                 Delete the entire line.
The AG appliance CLI commands will generally adhere to the following style conventions:
                                Table 1-2 AG CLI Style Conventions
         Style               Convention
         Bold                The body of a CLI command is in Boldface.
         Italic              CLI parameters are in Italic.
         <>                  Parameters in angle brackets < > are mandatory.
         []                  Parameters in square brackets [ ] are optional, as are subcommands such as
                             the “no”, “show” and “clear” commands.
         {x|y|…}             Alternative items are grouped in braces and separated by vertical bars.
                             At least one should be selected.
         [x|y|…]             Optional alternative items are grouped in square brackets and separated
                             by vertical bars. One or none is selected.
        Note:
        - It is recommended to enclose string-type parameter values in double quotes to make
          sure that the appliance executes the command correctly.
        - Do not use “],” in a parameter value, because this two-character combination is
          reserved as the system’s separator.
For example:
ip address {system_ifname|vlan_ifname|bond_ifname|mnet_ifname} <ip_address>
{netmask|prefix}
Login to the AG Appliance
After getting connected to the AG appliance successfully via an SSH or Console connection, the
administrator will be prompted for a login username and a password. The default/initial login
username and password are “array” and “admin”.
The AG appliance provides a recovery mechanism for the “array” account that allows
administrators to:
    - Recover the password of the “array” administrator account if the password was changed
      and the new password forgotten.
    - Recover the “array” account if it was deleted by mistake.
To recover the password of the “array” account or the entire “array” account, please perform the
following steps:
1.   Establish a Console connection with the AG appliance.
2.   Input the command “recovery” in the CLI.
3.   Copy the challenge string generated by the AG appliance and paste it into an email sent to
     Array Networks Customer Support to request the response string. The challenge string is the
     string after “challenge:”, for example “challenge:waker Parma baker galah woke”.
4.   Paste the entire response string returned by Array Networks Customer Support after the
     “response:” prompt and press “Enter”. The response string begins with “--begin--” and ends
     with “--end--”.
After the preceding steps are performed, if the “array” account exists, the system will reset the
password of the “array” account to “admin” and the access privilege to “Config”; if the “array”
account does not exist, the system will create the “array” account with password “admin” and the
access privilege “Config”.
Levels of Global Access Control
The AG appliance offers three levels for global configuration and access to the ArrayOS. The CLI
prompt of each level consists of the host name of the AG appliance followed by a unique cursor
prompt, either “>”, “#” or “(config)#”.
The first level of administration is the User level. At this level, the administrator is only authorized
to operate some very basic troubleshooting commands and non-critical functions such as ping and
traceroute. Here is how the User level prompt appears in the CLI.
AN>
The second level of administration is the Enable level. At this level, administrators have (in
addition to User level permissions) access to a majority of view only commands such as “show
version”. In order to gain access to this level of appliance management, the user must run the
“enable” command and supply a special “enable” password. If the correct password is entered, the
CLI prompt will change from “AN>” to “AN#”, which means the administrator has been granted
access to the Enable level. The default password for the Enable level is null (i.e., leave the
password blank/empty).
AN>enable
Enable password:
AN#
The third level of administration is the Config level. At this level, the administrator can make
changes to the configuration of the AG appliance (in addition to all User and Enable level
permissions). No two administrators can access the Config level at the same time (whether they
are in global or virtual site shell). To gain full configuration access of the AG appliance, the
administrator must use the following command:
AN#config terminal
Once this command is entered, the CLI prompt will change to:
AN(config)#
In the event that another administrator is already in the Config level, the following command can
be run to kick that administrator out of Config level:
AN#admin reset configmode
At any level, the administrator can type “?” to view the currently available commands. For
example, entering “AN(config)#system ?” will display all the commands starting with “system” in
the Config level.
AN(config)#system ? [enter]
command      Set command execution timeout when loading configurations
component    Component update commands
console      Console operation
date         Set system date
dump         Determine whether system should do sysdump when panic
fallback     Set fallback software version to boot if available
flexlicense  Disable/enable Array Appliance pre-paid Flex License
interactive  Set system interactive mode to control command output messages
license      Setting Appliance License Key
mail         System mail configuration
reboot       Reboot the system
shutdown     Shut down system
…
Levels of Virtual Site Access Control
For virtual sites, the AG appliance offers three levels of administrative access control. The CLI
prompt of each level consists of the virtual site name followed by a unique cursor prompt, either
“%”, “$” or “(config)$”.
The first level of administration is the User level. At this level, administrators are only authorized
to operate some very basic commands. Here is how the User mode prompt appears in the CLI.
vs1%
The second level of administration is the Enable level. At this level, administrators have access to
a majority of view only commands such as “show user”. The prompt will display the
pre-configured name of the virtual site followed by “$”, as shown below.
vs1$
The third level of administration is the Config level. At this level, administrators can make
changes to the configuration of the virtual site. No two administrators can access the Config level
at the same time (whether they are in global or virtual site shell). To gain full configuration access
for a specific virtual site of the AG appliance, the administrator must run the following command:
vs1$config terminal
Once this command is entered, the CLI prompt will change to:
vs1(config)$
        Note: Global administrators can access all virtual sites as well as the global
        configuration features and functionality.
Switching Between Global and Virtual Site
The AG appliance allows the administrator to switch between the global scope and the virtual site
scope via the following command:
switch <global|virtual_site_name> [enable|config]
For example, the administrator can switch from the global scope to the scope of a virtual site
named “vs1” by running the following command:
AN#switch vs1
Once this command is entered, the CLI prompt will change to:
vs1$
To switch back to the global scope, the administrator can run the following command:
vs1$switch global
Once this command is entered, the CLI prompt will change to:
AN#
By default, when switching between the global scope and virtual site scope the administrator
privilege level (e.g., Enable level or Config level) will stay the same. However, if the
“enable|config” parameter is specified during the switch, the administrator’s privilege level will be
explicitly set accordingly.
For example, the administrator executes the following command:
AN#switch vs1 config
Once this command is entered, the CLI prompt will change to:
vs1(config)$
Chapter 2 Basic System Operations
The commands introduced in this chapter cover some general operations such as basic system
setup, network settings and system tuning.
Basic Commands
help
This command is used to display all available commands based on level and function. This
command can be executed at any level while configuring the AG appliance.
enable [recovery]
This command is used to access the Enable level of the AG appliance. When running this
command, the system will prompt the administrator to supply the Enable level password. The
default password is null (empty).
If the administrator forgets the Enable password, he can reset the password to the default null
(empty) value as follows:
1.   Enter “enable recovery” at the User level prompt.
2.   A challenge string will be displayed.
3.   Email the challenge string to Customer Support at support@arraynetworks.com.
4.   The response code will be returned via email by the Customer Support personnel.
5.   Copy and paste the response code into the CLI, and press “Enter”. The Enable level password
     will then be reset to empty.
passwd enable [password]
This command is used to change the “Enable” password.
password                        Optional. This parameter specifies the new “Enable” password. Its
                                value must be a string of 1 to 8 characters. The default password is
                                empty.
                                Note: If the new “Enable” password contains “%”, the
                                administrator needs to enter “%%” in place of each “%” when
                                entering the password value to access the system via the WebUI.
configure terminal
This command is used for switching to the “Config” access mode.
admin reset configmode
This command is used to terminate all “Config” mode administrator sessions.
configure timeout <timeout>
This command is used to set the administrator “Config” mode timeout limit. The timeout value is
measured in seconds ranging from 30 to 36,000. The default setting is 180 seconds. This limit
determines the length of time that an active “Config” session will remain active even when other
administrators are attempting to switch to the “Config” mode at the same time. Once the active
“Config” session has been active for longer than the “timeout” limit, the next request for “Config”
mode access will be granted and the current active “Config” mode session will be terminated.
show config timeout
This command is used to display the configured timeout limit.
clear config timeout
This command is used to reset the configured timeout limit to the default setting of 180 seconds
(or 3 minutes).
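The exclusive “Config” session and its timeout, as described above, can be modelled to see exactly when a waiting administrator is granted access and the active session is terminated. The following Python class is an added illustration, not Array Networks code; it does not talk to an appliance, and the class name, the injected clock value and the log messages are assumptions made for the example.

```python
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Default and bounds of "configure timeout" as stated in the command reference.
DEFAULT_CONFIG_TIMEOUT = 180
MIN_CONFIG_TIMEOUT, MAX_CONFIG_TIMEOUT = 30, 36000


@dataclass
class ConfigModeLock:
    """Hypothetical model of the single Config-level session of an AG appliance.

    Only one administrator holds Config mode at a time. A second request is
    refused until the holder's session has been active longer than the
    configured timeout; the next request after that is granted and the old
    session is terminated.
    """
    timeout: int = DEFAULT_CONFIG_TIMEOUT
    holder: Optional[str] = None
    entered_at: float = 0.0
    log: List[str] = field(default_factory=list)

    def set_timeout(self, seconds: int) -> None:
        """'configure timeout <timeout>' with the documented 30..36,000 s range."""
        if not MIN_CONFIG_TIMEOUT <= seconds <= MAX_CONFIG_TIMEOUT:
            raise ValueError("configure timeout must be 30..36000 seconds")
        self.timeout = seconds

    def clear_timeout(self) -> None:
        """'clear config timeout' restores the 180-second default."""
        self.timeout = DEFAULT_CONFIG_TIMEOUT

    def request_config(self, admin: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """'configure terminal' issued by `admin`; `now` is a monotonic timestamp
        (injected in tests, taken from time.monotonic() otherwise)."""
        now = time.monotonic() if now is None else now
        if self.holder is None:
            self.holder, self.entered_at = admin, now
            return True, f"{admin} entered Config mode"
        if self.holder == admin:
            return True, f"{admin} is already in Config mode"
        active_for = now - self.entered_at
        if active_for > self.timeout:
            evicted = self.holder
            self.holder, self.entered_at = admin, now
            self.log.append(f"session of {evicted} terminated after timeout")
            return True, f"{admin} entered Config mode; {evicted} terminated"
        remaining = self.timeout - active_for
        return False, f"Config mode held by {self.holder}; {remaining:.0f}s until takeover"

    def admin_reset_configmode(self) -> Optional[str]:
        """'admin reset configmode': terminate the current Config session."""
        evicted, self.holder = self.holder, None
        return evicted

    def exit_config(self, admin: str) -> bool:
        """'exit' from Config mode; only the holder can release the session."""
        if self.holder != admin:
            return False
        self.holder = None
        return True


if __name__ == "__main__":
    lock = ConfigModeLock()
    print(lock.request_config("alice", now=0.0))
    print(lock.request_config("bob", now=100.0))   # refused, 80 s remaining
    print(lock.request_config("bob", now=181.0))   # granted, alice terminated
```

The timestamps are injected so the takeover boundary can be checked deterministically; with a real clock the behaviour is the same.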
disable
This command is used to return to the User mode from the current privileged mode.
exit
This command is used to return to the next lower-level mode from the current privileged mode. If
the current mode is the User mode, this command will kick the administrator out of the CLI shell
system.
quit
This command is used to leave the CLI shell system from any level.
show tech [message]
This command is used to display real-time statistics of the current running system and network.
message                          This parameter defines the system message to be displayed.
show system warning
This command is used to check the instant system warning message.
When the yellow LED on the appliance is activated, the administrator can execute this command
to check whether one of the following errors is causing the problem:
1.     The CPU fan stopped working.
2.     The CPU overheated.
3.     The system overheated.
4.     One of the dual power supplies failed (if the appliance has redundant power supplies).
        Note: Once the error condition clears, the warning message is cleared, but it can still be
        traced in the system logs.
show statistics tcp
This command is used to display the number of TCP connections based on state:
AN#show statistics tcp
LISTEN: 1
SYN_SENT: 0
SYN_RCVD: 0
ESTABLISHED: 0
CLOSE_WAIT: 0
FIN_WAIT_1: 0
CLOSING: 0
LAST_ACK: 0
FIN_WAIT_2: 0
TIME_WAIT: 432
Compared with the “show memory” output, the “TIME_WAIT” value equals the “USED” count of
TCP small pcbs. All the other values, from “LISTEN” through “FIN_WAIT_2”, add up to the
“USED” count of TCP pcbs.
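The relationship between the two outputs can be checked mechanically. The Python below is an added example, not part of the handbook: it parses a constructed copy of the “show statistics tcp” listing and compares the totals with the two “USED” values from “show memory”. Because the layout of the “show memory” output is not shown on this page, those two values are passed in as already-parsed integers.

```python
import re
from typing import Dict, Tuple

# Constructed sample of "show statistics tcp" output; the counts mirror the
# handbook's listing and are illustrative only.
SAMPLE_SHOW_STATISTICS_TCP = """\
AN#show statistics tcp
LISTEN: 1
SYN_SENT: 0
SYN_RCVD: 0
ESTABLISHED: 0
CLOSE_WAIT: 0
FIN_WAIT_1: 0
CLOSING: 0
LAST_ACK: 0
FIN_WAIT_2: 0
TIME_WAIT: 432
"""

TCP_STATES = ("LISTEN", "SYN_SENT", "SYN_RCVD", "ESTABLISHED", "CLOSE_WAIT",
              "FIN_WAIT_1", "CLOSING", "LAST_ACK", "FIN_WAIT_2", "TIME_WAIT")
_STATE_LINE = re.compile(r"^\s*([A-Z_0-9]+)\s*:\s*(\d+)\s*$")


def parse_tcp_states(output: str) -> Dict[str, int]:
    """Parse 'STATE: count' lines; the echoed command line is ignored.
    Raises if any of the ten states is missing, so a truncated capture is
    not silently reconciled."""
    counts: Dict[str, int] = {}
    for line in output.splitlines():
        m = _STATE_LINE.match(line)
        if m and m.group(1) in TCP_STATES:
            counts[m.group(1)] = int(m.group(2))
    missing = [s for s in TCP_STATES if s not in counts]
    if missing:
        raise ValueError(f"incomplete output, missing states: {missing}")
    return counts


def expected_pcb_usage(counts: Dict[str, int]) -> Tuple[int, int]:
    """Return (used_small_pcb, used_pcb) as the handbook relates them:
    TIME_WAIT alone accounts for the small pcbs, every other state for the
    full pcbs."""
    small = counts["TIME_WAIT"]
    full = sum(v for k, v in counts.items() if k != "TIME_WAIT")
    return small, full


def check_against_show_memory(counts: Dict[str, int],
                              used_small_pcb: int, used_pcb: int) -> Dict[str, bool]:
    """Compare the derived totals with the USED values read from 'show memory'."""
    small, full = expected_pcb_usage(counts)
    return {"small_pcb_match": small == used_small_pcb, "pcb_match": full == used_pcb}


if __name__ == "__main__":
    states = parse_tcp_states(SAMPLE_SHOW_STATISTICS_TCP)
    print(expected_pcb_usage(states))                 # (432, 1)
    print(check_against_show_memory(states, 432, 1))  # both True
```

A mismatch between the two outputs is worth noting in a support case, since the page presents the equality as an invariant of the running system.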
hostname <host_name>
This command is used to set or change the given host name for an AG appliance.
host_name                       This parameter defines the host name of the AG appliance. The host
                                name can be entered as a single set of continuous alphanumeric
                                characters or a set of alphanumeric characters housed within double
                                quotation marks. Currently, the maximum length for the host name
                                is 64 characters.
show hostname
This command is used to display the given host name for an AG appliance.
no hostname
This command is used to clear an AG appliance’s host name. After the host name is cleared, the
default name “AN” will be used as the host name.
system mail from <from_string>
The AG appliance can be configured to send out emails for certain events (e.g., URL filtering,
logging alerts,…,etc.). This command is used to configure the value of the “From” header in the
mail being sent out. The default value for the “from_string” parameter is “%h alert@log.domain”.
%                              An escape character in both strings.
%h                             Full host name defined by the “hostname” command.
%q                             Double quote (“”).
%%                             A literal percent.
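The escape rules in this table, together with the “%%” rule given earlier for an “Enable” password entered through the WebUI, are small enough to implement and check before a value is pushed to the appliance. The following Python is an added example, not Array Networks code; it handles only the escapes the table documents (%h, %q and %%) and rejects anything else, which also means the undocumented “%l” seen in the “system mail hostname” default is reported rather than guessed at.

```python
def expand_mail_template(template: str, hostname: str) -> str:
    """Expand the escapes documented for 'system mail from':
    %h -> full host name, %q -> double quote, %% -> literal percent.

    Any other escape, or a lone '%' at the end of the string, raises so
    that a mistyped template is caught before it reaches the appliance."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("dangling '%' at end of template")
        esc = template[i + 1]
        if esc == "h":
            out.append(hostname)
        elif esc == "q":
            out.append('"')
        elif esc == "%":
            out.append("%")
        else:
            raise ValueError(f"unknown escape '%{esc}' at offset {i}")
        i += 2
    return "".join(out)


def escape_percent_for_webui(password: str) -> str:
    """An 'Enable' password containing '%' must be typed as '%%' in the WebUI."""
    return password.replace("%", "%%")


if __name__ == "__main__":
    # Default "From" header with the host name set by the "hostname" command.
    print(expand_mail_template("%h alert@log.domain", "AN"))   # AN alert@log.domain
    print(expand_mail_template("%qAG alerts%q <%h>", "vs1"))   # "AG alerts" <vs1>
    print(escape_percent_for_webui("p%ss"))                    # p%%ss
```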
no system mail from
This command is used to reset the “From” header to the default value of “%h alert@log.domain”
(see previous CLI command above).
system mail hostname <host_name>
The AG appliance can be configured to send out emails for certain events (e.g., URL filtering,
logging alerts,…,etc.). This command is used to configure the value of the host name from which
the mail is recorded as sent. The default value for “host_name” parameter is
“%l.alert_pseudo_domain”.
host_name                      This parameter defines the SMTP EHLO/HELO host name.
no system mail hostname
This command is used to reset the SMTP EHLO/HELO host name to the default value of
“%l.alert_pseudo_domain” (see the previous CLI command above).
show system mail
This command is used to display system mail configuration.
clear system mail
This command is used to clear the system mail configuration.
system mail relay server <host_name> <relay_server>
This command allows the administrator to create a new system mail relay server.
host_name                      This parameter specifies the assigned name of the relay host.
relay_server                   This parameter specifies the IP address or the server name.
no system mail relay server <host_name>
This command is used to delete a system mail relay server.
host_name                      This parameter specifies the assigned name of the relay host.
system mail relay {on|off}
This command is used to enable/disable the system mail relay service. The following CLI example
shows how to set up a mail relay server.
AN(config)#system mail relay server “arraynetworks.com.cn” “relay.com”
AN(config)#system mail relay on
The AG appliance will send emails using “relay.com” with the host name of
“arraynetworks.com.cn”. Please note that the “relay.com” server must be reachable by the AG
appliance.
show system relay
This command is used to display the configuration and status of the relay service.
clear system relay
This command is used to remove all the relay servers and disable mail relay service.
system interactive on
This command is used to enable the CLI command interactive mode. When this mode is enabled,
more command result messages are displayed.
system interactive off
This command is used to disable the CLI command interactive mode. When this mode is disabled,
fewer command result messages are displayed.
show system interactive
This command is used to display the current system interactive setting (on|off).
system command timeout <timeout>
This command is used to set the command execution timeout when the system boots up or users
execute the “config file|config memory” command. Fastlog and syslog will log the timeout
command for troubleshooting.
timeout                         This parameter specifies the timeout value in seconds. Its value
                                should be 0 or an integer ranging from 30 to 65,535. The default
                                value is 0.
show system command timeout
This command is used to display the command execution timeout value.
switch <virtual_site> [enable|config]
This command is used to switch between the global scope and a target virtual site scope, or
between two virtual site scopes.
virtual_site                    This parameter specifies the name of the virtual site that the
                                administrator wants to switch to. To switch to the global scope, set
                                this parameter to “global”.
enable|config                   This parameter specifies the desired access level when switching to
                                the target virtual site scope. If this parameter is not specified, then
                                the current access level will be assumed.
who [virtual_site]
This command is used to display the active administrators in the target virtual site. If the
“virtual_site” parameter is not specified, all active administrators will be displayed.
virtual_site                    This parameter selects a specific virtual site.
whoami
This command is used to display the current administrator's information.
configure terminal
This command is used to gain access to the Config level to configure the AG appliance.
show statistics cpu
This command is used to display the system CPU usage.
show statistics system
This command is used to display the system CPU, connection and request per second statistics.
show statistics memory
This command is used to display the memory usage statistics.
clear synconfig status
This command is used to delete all synchronous logs for rollback.
system flexlicense {enable|disable}
This command is used to enable or disable the Array appliance pre-paid flex license.
no system license flex
This global command is used to delete the Array Networks Flex License key.
system serialnumber
This command is used to generate vxAG’s serial number. Please provide the vxAG serial number
to the support team to obtain the system license.
        Note:
        - When the vxAG is installed in your virtual environment and started up for the first
          time, the system automatically generates a serial number for the vxAG.
        - Under certain circumstances the serial number on the vxAG may be invalid, for
          example on a cloned vxAG. In this case, run this command to manually generate a
          valid serial number.
        - It is not recommended to downgrade the vxAG to an earlier version after a serial
          number has been generated.
registration set <registration_status>
This command is used to set the registration status of the AG appliance as “incomplete”,
“complete” or “never”.
registration_status
                                This parameter sets the registration status of the AG appliance as
                                “incomplete”, “complete” or “never”. “incomplete” indicates that
                                you will register later, “complete” indicates that you will register
                                now and “never” indicates to never register.
registration status
This command is used to display the registration status of the AG appliance, which is
“incomplete”, “complete” or “never”.
Basic Network Settings
ip address {system_ifname|vlan_ifname|bond_ifname|mnet_ifname}
<ip_address> {netmask|prefix}
This command is used to set the IP address and netmask or prefix length of a system, VLAN,
bond or MNET interface.
system_ifname|vlan_ifname|      This parameter specifies the name of an existing interface. Its
bond_ifname|mnet_ifname         value must be one of:
                                - system_ifname: indicates a system interface. The default
                                  system interface name is “port1”, “port2”, “port3” or
                                  “port4”. The system interface name can be customized by
                                  using the “interface name” command.
                                - vlan_ifname: indicates a VLAN interface.
                                - bond_ifname: indicates a bond interface. The default bond
                                  interface names are “bond1”, “bond2”, “bond3” and “bond4”.
                                  The bond interface name can be customized by using the
                                  “bond name” command.
                                - mnet_ifname: indicates an MNET interface.
ip_address                      This parameter specifies the IP address of the interface. Its value
                                must be an IPv4 or IPv6 address.
netmask|prefix                  This parameter specifies the netmask or prefix length of the
                                interface IP address.
                                - “netmask” is used for an IPv4 address. Its value must be a
                                  dotted-decimal netmask or an integer ranging from 0 to 32.
                                - “prefix” is used for an IPv6 address. Its value must be an
                                  integer ranging from 0 to 128.
Example:
AN(config)#ip address port1 209.120.10.1 255.255.255.0
AN(config)#ip address port2 2012:1030::10:3:40:32 64
no ip address <interface_name> [version]
This command is used to delete the IP address from the specified interface.
interface_name                  This parameter specifies the name of the existing interface.
version                         Optional. This parameter specifies the version of the IP protocol. Its
                                value must be:
                                - 4: indicates the IPv4 protocol.
                                - 6: indicates the IPv6 protocol.
                                The default value is 4.
show ip address
This command is used to display the IP-related configurations of all interfaces.
clear ip address
This command is used to clear all the IP-related configurations of all interfaces.
ip arp <ip> <mac_address>
This command is used to create an ARP entry.
ip                              This parameter specifies the IP address.
mac_address                     This parameter specifies the MAC address. The MAC address
                                should follow the format “XX:XX:XX:XX:XX:XX”.
no ip arp <ip_address>
This command is used to delete an ARP entry.
ip_address                      This parameter specifies the IP address.
clear ip arp
This command is used to clear all ARP entries.
show ip arp <ip_address>
This command is used to display ARP entries.
ip_address                      This parameter specifies the IP address.
ip dhcp {on|off} <interface_name>
This command is used to enable or disable the DHCP function for the specified system interface.
After this function is enabled, the specified system interface will obtain the IP address from the
DHCP server automatically. By default, this function is disabled.
interface_name                  This parameter specifies an existing system interface name. The
                                system interface name can be set by using the “interface name”
                                command. The default system interface name is port1, port2, port3,
                                port4, etc.
show ip dhcp
This command is used to display the DHCP status of all system interfaces.
ip route default <gateway_ip>
This command is used to set the default gateway IP address for the AG appliance. Only one
default route can be configured for IPv4 address, and one for IPv6 address.
gateway_ip                      This parameter assigns the gateway IP address. It can be IPv4 or
                                IPv6 address.
no ip route default <gateway_ip>
The command is used to remove the default IP route from the AG appliance.
gateway_ip                      This parameter specifies the gateway IP address.
ip route static <destination_ip> {netmask|prefix} <gateway_ip>
This command is used to add a static route used by the AG appliance. Multiple static routes can
be configured.
destination_ip                  This parameter specifies the destination IP address. It can be an
                                IPv4 or IPv6 address. Typically it is a network IP address.
netmask|prefix                  This parameter specifies the netmask or prefix length of the
                                destination IP address.
                                - “netmask” is used for an IPv4 address. Its value should be a
                                  dotted IP address.
                                - “prefix” is used for an IPv6 address. Its value should range
                                  from 0 to 128.
gateway_ip                      This parameter specifies the gateway IP address.
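The {netmask|prefix} rules for “ip address” (a dotted netmask or an integer 0 to 32 for IPv4, an integer 0 to 128 for IPv6) and for “ip route static” (a dotted netmask only for IPv4) are easy to get wrong in generated configurations. The Python below, an added example and not Array Networks code, validates both argument forms with the standard library and normalizes them to CIDR notation; the function names are assumptions, and the check that a route's gateway is in the same address family as its destination is an added sanity check the page does not spell out.

```python
import ipaddress
from typing import Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _ipv4_netmask_to_prefix(mask: str) -> int:
    """Convert a dotted netmask to a prefix length, rejecting non-contiguous
    masks such as 0.0.0.255 that ipaddress would otherwise accept as a hostmask."""
    bits = int(ipaddress.IPv4Address(mask))          # ValueError on a malformed quad
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous IPv4 netmask {mask!r}")
    return prefix


def _prefix_length(ip: IPAddress, mask: str, allow_int_netmask: bool) -> int:
    """Apply the documented {netmask|prefix} rules for the given address family."""
    if ip.version == 4:
        if mask.isdigit():
            if not allow_int_netmask:
                raise ValueError("this command takes a dotted IPv4 netmask, not an integer")
            if not 0 <= int(mask) <= 32:
                raise ValueError("IPv4 prefix length must be 0..32")
            return int(mask)
        return _ipv4_netmask_to_prefix(mask)
    if not mask.isdigit() or not 0 <= int(mask) <= 128:
        raise ValueError("IPv6 prefix length must be an integer 0..128")
    return int(mask)


def normalize_ip_address_args(address: str, mask: str) -> str:
    """'ip address <ifname> <ip_address> {netmask|prefix}': return the interface
    address as 'ip/prefix'. IPv4 accepts a dotted netmask or an integer 0..32."""
    ip = ipaddress.ip_address(address)
    return f"{ip}/{_prefix_length(ip, mask, allow_int_netmask=True)}"


def normalize_static_route_args(destination: str, mask: str, gateway: str) -> str:
    """'ip route static <destination_ip> {netmask|prefix} <gateway_ip>': return
    'network/prefix via gateway'. IPv4 routes take a dotted netmask only; host
    bits in the destination are zeroed since the page says it is typically a
    network address. The same-family gateway check is an assumption."""
    dest = ipaddress.ip_address(destination)
    gw = ipaddress.ip_address(gateway)
    if gw.version != dest.version:
        raise ValueError("gateway and destination must be the same IP version")
    prefix = _prefix_length(dest, mask, allow_int_netmask=False)
    net = ipaddress.ip_network(f"{dest}/{prefix}", strict=False)
    return f"{net} via {gw}"


if __name__ == "__main__":
    # The two "ip address" examples from the handbook, normalized.
    print(normalize_ip_address_args("209.120.10.1", "255.255.255.0"))   # 209.120.10.1/24
    print(normalize_ip_address_args("2012:1030::10:3:40:32", "64"))     # 2012:1030::10:3:40:32/64
    # Constructed route arguments.
    print(normalize_static_route_args("10.1.2.0", "255.255.255.0", "10.1.2.254"))
```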
no ip route static <destination_ip> {netmask|prefix} <gateway_ip>
This command is used to remove the static route from the running configuration.
destination_ip                  This parameter specifies the destination IP address.
netmask|prefix                  This parameter specifies the netmask or prefix length of the
                                destination IP address.
gateway_ip                      This parameter specifies the gateway IP address.
show ip route
This command is used to display the static routing table.
clear ip route
This command is used to remove both default route and static routes.
show statistics droute
This command is used to display the Direct Route statistics.
clear statistics droute
This command is used to clear the Direct Route statistics.
clear droute
This command is used to clear all the Direct Route statistics.
show statistics ip [ip_address]
2000-2018 Array Networks, Inc.
                                                                                                    15
All Rights Reserved.
This command is used to display the gathered information for the specific IP address. If no IP
address is assigned, this command displays all relevant statistics for all configured IP addresses.
ip_address                       Optional. This parameter specifies a single IP address. It can be
                                 IPv4 or IPv6 address.
clear statistics ip [ip_address]
This command is used to clear the statistics for a specific IP address. If no IP address is
specified, the statistics for all IP addresses are cleared.
ip_address                       Optional. This parameter specifies a single IP address. It can be
                                 IPv4 or IPv6 address.
interface mtu <interface_id> <mtu_size>
This command is used to set the largest frame size that can be transmitted over the network.
interface_id                     This parameter specifies the interface ID of a specific physical
                                 interface on the AG appliance (e.g., “port1”, “port2”, “port3”,
                                 “port4”,…“port8”).
mtu_size                         This parameter specifies the MTU (Maximum Transmission Unit)
                                 size preference. This is the largest frame size that can be transmitted
                                 over the network. The default size is 1,500 bytes. Each interface
                                 used by TCP/IP can have different MTU values.
interface name <interface_id> <interface_name>
This command is used to set the interface name.
interface_id                     This parameter specifies the default interface ID (e.g., “port1”,
                                 “port2”, “port3”, “port4”,…“port8”) for the physical interfaces on
                                 the AG appliance. The number of the physical interfaces supported
                                 by the AG appliance depends on the appliance model. At most 14
                                 interfaces are supported now.
interface_name                   This parameter specifies a unique name for the physical interface.
                                 This name should be an alphanumeric string of up to 32 characters.
                                 The default interface names are “port1”, “port2”, “port3”,
                                 “port4”,…“port8”.
interface speed <interface_id> <speed_option>
This command is used to set the interface speed. The interface speed of a 10G port can only be set
to “auto”.
interface_id                      This parameter specifies the interface ID of a specific physical
                                  interface on the AG appliance (e.g., “port1”, “port2”, “port3”,
                                  “port4”,…“port8”).
speed_option                      This parameter can be 10half (10 Mbps Ethernet half duplex
                                  communications), 100half (100 Mbps Ethernet half duplex
                                  communications), 100full (100 Mbps Ethernet full duplex
                                  communications), 1000full (1,000 Mbps Ethernet full duplex
                                  communications) or auto.
           Note: The AG appliance sets the interface speeds to auto by default. If an interface is
           set up to be connected to a device, such as a router or switch, that uses a specific speed
           and duplex mode, set the AG appliance interface to match those settings. Run the
           “show interface” command to view the current speed settings.
show interface [interface_name]
This command is used to display the statistical information for all the system interfaces. If a
specific interface name is specified, the system will only display the statistical information for that
interface.
interface_name                    This parameter specifies the name of a specific physical
                                  interface on the AG appliance (by default “port1”, “port2”,
                                  “port3”, “port4”,…“port8”).
           Note: If the IP statistics function is off, the number of WebWall permitted or dropped
           packets will be 0 in the output of the “show interface” command. The IP statistics
           function is disabled by default; it can be enabled with the “ip statistic on” command.
show route match <source_ip> <source_port> <destination_ip>
<destination_port> <protocol>
This command is used to display a specific route which matches the given conditions.
source_ip                         This parameter specifies the source IP address.
source_port                       This parameter specifies the source port.
destination_ip                    This parameter specifies the destination IP address.
destination_port                  This parameter specifies the destination port.
protocol                          This parameter specifies the protocol. It can be set to “tcp”, “udp”
                                  or “any”.
clear interface name
This command is used to reset all the interface names to the default.
clear interface speed {interface_id|all}
This command is used to restore the specified interface’s speed and duplex mode to the default
(auto). “all” means all the interfaces.
interface_id                    This parameter specifies the interface ID of a specific physical
                                interface on the AG appliance (e.g., “port1”, “port2”, “port3”,
                                “port4”,…“port8”).
clear interface mtu {interface_id|all}
This command is used to remove the specified interface’s MTU size limit. “all” means all the
interfaces.
interface_id                    This parameter specifies the interface ID of a specific physical
                                interface on the AG appliance (e.g., “port1”, “port2”, “port3”,
                                “port4”,…“port8”).
no interface name <interface_id>
This command is used to reset the specified interface name to the default.
interface_id                    This parameter specifies the interface ID of a specific physical
                                interface on the AG appliance (e.g., “port1”, “port2”, “port3”,
                                “port4”,…“port8”).
ip statistic {on|off}
This command is used to enable/disable the IP statistics.
show ip statistic
This command is used to display IP statistics.
ip ipflow {on|off}
This command is used to enable/disable the IP flow.
ip ipflow expire <time>
This command is used to define the IP flow timeout.
time                            This parameter defines the expiration time. It can be set between 1
                                to 86,400 seconds. The default value is 60 seconds.
ip ipflow priority <priority>
This command is used to define the IP flow priority.
priority                        This parameter defines the IP flow priority. It can be set between 0
                                and 1999. The default value is 1,000.
clear ip ipflow
This command is used to reset the IP flow settings to their default.
show ip ipflow
This command is used to display the IP flow settings.
show statistics ipflow
This command is used to display the IP Flow statistics.
clear statistics ipflow
This command is used to clear the IP Flow statistics.
ip mcastfwd <interface_name> <multicast_ip>
This global command is used to configure a multicast IP address to which the specified interface
listens. The multicast IP address represents a multicast group, a group of interested hosts for
receiving multicast traffic.
interface_name                  This parameter specifies the name of an existing interface. Its value
                                must be a system or bond interface.
multicast_ip                    This parameter specifies a multicast IP address. Its value must be an
                                IPv4 address ranging from 224.0.0.0 to 239.255.255.255.
                                Note: With a multicast IP address configured, the AG appliance can
                                listen to and receive the multicast traffic destined for the multicast
                                group represented by the multicast IP address. Otherwise, all
                                multicast packets will be discarded.
vlan <interface_name> <vlan_interface_name> <vlan_tag>
This command is used to create a VLAN (Virtual Local Area Network) interface for the specified
system interface or bond interface. The AG appliance supports up to 250 VLAN interfaces.
interface_name                  This parameter specifies the name of an existing system interface
                                (by default “port1”, “port2”, “port3”, “port4”,…“port8”) or bond
                                interface on the AG appliance. Its value should be a string of 1 to
                                32 characters.
vlan_interface_name             This parameter specifies a name for the VLAN interface. Its value
                                should be a string of 1 to 32 characters.
vlan_tag                      This parameter specifies an ID (integer from 1 to 4,094) for the
                              VLAN interface.
no vlan <vlan_interface_name>
This command is used to delete the specified VLAN interface.
show vlan
This command is used to display the configuration for all VLAN interfaces.
clear vlan
This command is used to remove the configurations for all VLAN interfaces.
no connection [local_ip] [local_port] [remote_ip] [remote_port]
This command is used to manually delete the specific connection(s).
local_ip                      This parameter specifies the connections’ local IP address. This
                              parameter is optional, and the default value is “0.0.0.0”.
local_port                    This parameter specifies the connections’ local port. This parameter
                              is optional, and the default value is “0”.
remote_ip                     This parameter specifies the connections’ remote IP address. This
                              parameter is optional, and the default value is “0.0.0.0”.
remote_port                   This parameter specifies the connections’ remote port. This
                              parameter is optional, and the default value is “0”.
show connection [protocol] [type] [ip_address]
This command is used to display the system's user connections.
protocol                      Optional. This parameter specifies which protocol connections to
                              show. It can be set to “tcp” (the default), “udp” or “all”.
type                          Optional. This parameter can be set to “data” (the default) or
                              “count”. If it is set to “data”, the AG appliance will display detailed
                              information. If it is set to “count”, the AG appliance will display the
                              count of connections.
ip_address                    Optional. This parameter specifies the local or remote IP address for
                              which the related connections will be shown. It can be an IPv4 or
                              IPv6 address.
mnet {system_ifname|bond_ifname} <mnet_interface_name>
This command is used to create a Multi-Netting (MNET) interface on the specified system
interface or bond interface. ArrayOS supports creating at most 32 MNET interfaces.
system_ifname|bond_ifname      This parameter specifies the name of the existing interface. Its value
                               must be:
                                   system_ifname: indicates a system interface. The default
                                    system interface name is “port1”, “port2”, “port3” or
                                    “port4”. The system interface name can be customized by
                                    using the “interface name” command.
                                   bond_ifname: indicates a bond interface. The default bond
                                    interface names are “bond1”, “bond2”, “bond3” and “bond4”.
                                    The bond interface name can be customized by using the
                                    “bond name” command.
mnet_interface_name            This parameter specifies the name of the MNET interface. Its value
                               must be a string of 1 to 32 characters.
no mnet <mnet_ifname>
This command is used to delete a specified MNET interface.
show mnet
This command is used to display the configurations of all MNET interfaces.
clear mnet
This command is used to clear the configurations of all MNET interfaces.
DNS Settings
ip dns cache {on|off}
This global command is used to enable/disable the DNS cache. The default value is off.
ip dns cache expire <min_seconds> <max_seconds>
This global command is used to configure the DNS cache expiration time. If the TTL (Time to
Live) of the DNS response is shorter than “min_seconds” or longer than “max_seconds”, the
expiration time will be determined based on “min_seconds” and “max_seconds” respectively. The
default value for the “min_seconds” is 60. And, the default value for the “max_seconds” is 3,600.
min_seconds                    This parameter specifies the minimum cache expiration time in
                               seconds.
max_seconds                    This parameter specifies the maximum cache expiration time in
                               seconds.
ip dns host <host_name> <ip>
This global command is used to add a static host entry.
host_name                      This parameter specifies the host name.
ip                             This parameter specifies the IP address.
no ip dns host <host_name>
This global command is used to remove a static host entry.
host_name                      This parameter specifies the host name.
show ip dns host
This global command is used to display all static DNS host entries.
clear ip dns host
This command is used to clear all static DNS host entries.
ip dns nameserver <ip_address>
This global command is used to configure an IPv4 DNS name server.
ip_address                     This parameter specifies the IPv4 address of the IPv4 DNS name
                               server.
no ip dns nameserver <ip_address>
This global command is used to delete the specified IPv4 DNS name server.
ip dns nameserver6 <ip_address>
This global command is used to configure an IPv6 DNS name server.
ip_address                     This parameter specifies the IPv6 address of the IPv6 DNS name
                               server.
no ip dns nameserver6 <ip_address>
This global command is used to delete the specified IPv6 DNS name server.
ip dns serverredundancy {on|off}
This global command is used to enable or disable DNS server redundancy for every virtual site.
When it is enabled and a virtual site is configured with “dns useglobal off” (so that the site
resolves queries with its own custom DNS settings), the system first sends the query to the virtual
site’s DNS server with the highest priority; if that server fails to resolve the query, the system
tries the server with the next highest priority, and so on down to the server with the lowest
priority. A DNS server configured earlier for the virtual site has a higher priority than one
configured later. By default, this function is disabled and only the virtual site’s
highest-priority DNS server is used to resolve queries.
ip dns search <path>
This global command is used to add a domain entry to the resolver search path.
path                            This parameter specifies the domain to add to the resolver search
                                path.
no ip dns search <path>
This global command is used to remove a domain entry from the resolver search path.
path                            This parameter specifies the domain to remove from the resolver
                                search path.
ip dns staticttl [expiration_time]
This global command is used to define the expiration time for the static host entry responses.
expiration_time                 Optional. This parameter sets the response expiration time in
                                seconds. It can be set from 1 to 43,200 seconds (the default
                                value is 43,200).
show ip dns config
This global command is used to display the global DNS cache settings (including the settings
made by the “ip dns cache on|off” and “ip dns cache expire” commands).
clear ip dns config
This global command is used to restore the DNS settings to their defaults.
clear ip dns cache content
This global command is used to clear all dynamic DNS cache entries.
ip dns request timeout <second> <millisecond>
This global command is used to define the DNS request timeout value.
second                         This parameter specifies the DNS request time out in seconds.
millisecond                    This parameter specifies the DNS request time out in milliseconds.
dns cache {on|off}
This command is used to enable/disable DNS cache. The default value is off.
dns cache expire <min_seconds> <max_seconds>
This command is used to configure the DNS cache expiration time. If the TTL (Time to Live) of
the DNS response is shorter than “min_seconds” or longer than “max_seconds”, the expiration
time will be determined based on the “min_seconds” and “max_seconds” respectively. The default
value for the “min_seconds” is 60. And, the default value for the “max_seconds” is 3,600.
min_seconds                    This parameter specifies the minimum cache expiration time in
                               seconds.
max_seconds                    This parameter specifies the maximum cache expiration time in
                               seconds.
dns host <host_name> <ip>
This command is used to add a static DNS host entry.
host_name                      This parameter specifies the host name.
ip                             This parameter specifies the IP address.
no dns host <host_name>
This command is used to remove a static DNS host entry.
show dns host
This command is used to display all static DNS host entries.
clear dns host
This command is used to clear all static DNS host entries.
dns nameserver <ip_address>
This command is used to configure an IPv4 DNS name server.
ip_address                     This parameter specifies the IPv4 address of the IPv4 DNS name
                               server.
no dns nameserver <ip_address>
This command is used to delete the specified IPv4 DNS name server.
dns nameserver6 <ip_address>
This command is used to configure an IPv6 DNS name server.
ip_address                      This parameter specifies the IPv6 address of the IPv6 DNS name
                                server.
no dns nameserver6 <ip_address>
This command is used to delete the specified IPv6 DNS name server.
dns search <path>
This command is used to add a domain entry to the resolver search path.
path                            This parameter specifies the domain to add to resolver search path.
no dns search <path>
This command is used to remove a domain entry from the resolver search path.
path                            This parameter specifies the domain to remove from the resolver
                                search path.
dns staticttl [expiration_time]
This command is used to define the expiration time for the static host entry responses.
expiration_time                 Optional. This parameter sets the response expiration time in
                                seconds. It can be set from 1 to 43,200 seconds (the default
                                value is 43,200).
dns useglobal on
This command is used to instruct the AG appliance to use the global DNS settings for a virtual
site.
dns useglobal off
This command is used to instruct the AG appliance to use the custom DNS settings for a virtual
site.
show dns config
This command is used to display all DNS settings.
clear dns config
This command is used to restore the virtual site’s DNS settings to their defaults.
clear dns cache content
This command is used to clear all dynamic DNS cache entries.
System Tune Settings
show system tune
This command is used to display the user-defined system tuning values.
clear system tune
This command is used to reset the defined system tuning values.
system tune defraglimit <smallest_object_size>
This command is used to consolidate packet data into fewer frames. The “smallest_object_size”
(measured in bytes) is the limit applied to received packets during defragmentation. For example,
assume a 10 KB object arrives from a server whose MTU is set to 1 KB. The AG appliance receives
roughly 10 packets and uses 10 frames to cache the object. If “system tune defraglimit 512” is
configured, the AG appliance instead caches the 10 KB of data from those 10 frames into 20 frames
(0.5 KB of data per frame) so that the frame memory is fully utilized.
smallest_object_size            This parameter sets the cache defragmentation limit in bytes.
system tune hwcksum {on|off}
This command is used to enable/disable hardware checksum offload on the network cards. The
default setting is on.
no system tune hwcksum
This command is used to reset hardware checksums to their default value.
system tune tcpidle <max_idle_time>
This command is used to set the maximum idle time, in seconds, before terminating a TCP
connection. The idle timeout ranges from 60 seconds to 7,200 seconds (the default is 300
seconds).
no system tune tcpidle
This command is used to reset the TCP idle timeout.
system tune tcp retransmit timeout <time>
This command is used to set TCP retransmission timeout.
system tune tcp retransmit dupacks <dupacks>
This command is used to set the number of duplicate ACKs to start TCP fast retransmission. The
default setting is 3. It is recommended that the default settings not be changed without contacting
Array Support.
system tune tcp retransmit policy {newreno|adaptive}
This command allows users to change the default policy from NewReno to Adaptive for starting
TCP fast retransmission. It is recommended that the default settings not be changed without
contacting Array Support.
system tune tcp slowstart {on|off}
This command is used to enable/disable the slow start feature. It is recommended that the default
“on” setting not be changed without contacting Array Support.
no system tune tcp slowstart
This command is used to reset the slow start feature to the default “on” setting.
system tune tcp delack count <count>
This command is used to specify the maximum number of packets whose ACK can be delayed. The
default is “4”. “0” means no ACK delay.
system tune tcp delack timeout <timeout>
This command is used to specify the maximum timeout (in milliseconds) for ACK delay. The
value of the “timeout” parameter must be a multiple of 10. The default value is 100ms.
no system tune tcp delack
This command is used to reset the TCP ACK delay to the default setting.
no system tune tcp retransmit {timeout|dupacks|policy}
This command is used to reset the TCP retransmit settings (timeout, dupacks or policy) to their
default value.
system tune ip randomid {on|off}
This command is used to enable/disable randomization of the identification (IP ID) field of
outgoing IP packets. By default, this feature is disabled and the IP ID increases sequentially
with each packet sent. When it is enabled, each packet’s IP ID is a random number. A sequential
IP ID lets a remote observer count the packets the appliance sends between two probes, which is
what idle-scan and traffic-counting techniques rely on; enabling this feature removes that side
channel.
no system tune ip randomid
This command is used to restore the default setting (random IP ID disabled).
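To make the side channel concrete, here is an added example (not ArrayOS code) that models both behaviours in Python: a host numbering its packets sequentially and one choosing random IDs. An observer who probes the sequential host twice recovers exactly how many packets it sent in between, even across the 16-bit wraparound, which is the inference that idle scans and traffic counting depend on; the same arithmetic on random IDs yields a meaningless number. The class and function names are this example's own.

```python
"""Why a sequential IP ID leaks information (added example, not ArrayOS code).

The appliance setting is modelled abstractly: a host that numbers outgoing
packets sequentially lets a remote observer count how many packets it sent
between two probes, which is the basis of traffic counting and of the idle-scan
technique that uses such a host as a zombie. A host that picks random IDs gives
the observer nothing. Nothing here talks to a real appliance.
"""
import secrets

IPID_MODULUS = 1 << 16  # the IP identification field is 16 bits wide


class SequentialIpId:
    """Models the default behaviour: the ID increases by one per packet sent."""

    def __init__(self, start=0):
        self._next = start % IPID_MODULUS

    def send(self):
        ident = self._next
        self._next = (self._next + 1) % IPID_MODULUS
        return ident


class RandomIpId:
    """Models `system tune ip randomid on`: each packet gets an unpredictable ID."""

    def send(self):
        return secrets.randbelow(IPID_MODULUS)


def packets_sent_between(first_probe_id, second_probe_id):
    """Packets the sequential host sent between two replies to the observer.

    Each probe reply consumes one ID itself, so the gap minus one is the count
    of other packets. The subtraction is modulo 2**16 to survive wraparound.
    """
    return (second_probe_id - first_probe_id - 1) % IPID_MODULUS


def observe(host, background_packets):
    """Probe the host, let it send `background_packets` packets, probe again."""
    first = host.send()
    for _ in range(background_packets):
        host.send()          # traffic to third parties the observer never sees
    second = host.send()
    return packets_sent_between(first, second)


if __name__ == "__main__":
    # Constructed scenario: 7 hidden packets, IDs about to wrap past 65535.
    print("sequential host leaks:", observe(SequentialIpId(start=65530), 7))
    print("random host leaks:    ", observe(RandomIpId(), 7))
```

With the sequential host the observer's result equals the hidden packet count every time; with the random host it is a value in 0..65535 that carries no information, which is exactly what the "on" setting buys.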
no system tune defraglimit
This command is used to disable the defragmentation limit.
system tune tcp syntimeout <min_timeout>
This command is used to set the minimum timeout (in seconds) for TCP SYN packets.
no system tune tcp syntimeout
This command is used to reset the SYN timeout value.
no system tune verifycert
This command is used to disable certificate verification.
system tune tcp zwdefend {on|off}
This command is used to enable or disable the zero window probe timer. By default, this function
is disabled.
system tune tcp pktdropopt <packet_drop_option>
This command is used to control how the system responds when a TCP packet arrives for a closed
TCP port and is dropped. Silently dropping such packets slows down anyone who is port scanning the
system to detect vulnerable services, and can also slow down someone attempting a DoS attack.
By default, the system returns a TCP RST.
packet_drop_option              Its value must be:
                                    0: indicates that the system returns a TCP RST.
                                    1: indicates that the system silently drops TCP SYN packets, and
                                     returns a TCP RST for all other TCP packets.
                                    2: indicates that the system silently drops all TCP packets.
no system tune tcp pktdropopt
This command is used to restore the default TCP packet drop behavior (return a TCP RST).
system tune udp pktdropopt <packet_drop_option>
This command is used to control the packet drop behavior when UDP packets are received and
dropped on a closed UDP port. This function is useful to slow down anyone who is port scanning
a system, attempting to detect vulnerable services on a system. It could potentially also slow down
someone that is attempting a DoS attack.
By default, the system will return an ICMP port unreachable message.
packet_drop_option              Its value must be:
                                    0: indicates that the system returns an ICMP port unreachable
                                     message.
                                    1: indicates that the system silently drops all UDP packets.
no system tune udp pktdropopt
This command is used to restore the default UDP packet drop behavior (return an ICMP port
unreachable message).
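As an added example (not ArrayOS code), the following Python audits the closed-port response policy from a configuration fragment. It assumes that a saved configuration repeats the CLI syntax above (“system tune tcp pktdropopt 1”) and that a missing line means the default of 0; the sample fragment is constructed. How a scanner labels each reply, “closed” for a RST or ICMP port unreachable and “filtered” for silence, is ordinary port-scanning behaviour rather than something the handbook states.

```python
"""Audit the closed-port response policy of an ArrayOS-style configuration.

Added example, not ArrayOS code. It assumes the saved configuration repeats the
CLI syntax shown in the handbook ("system tune tcp pktdropopt 1") and that an
absent line means the default (option 0). The scanner's interpretation of each
reply is standard TCP/UDP scanning behaviour, not something the handbook states.
"""
import re

# Appliance reply to a packet that reaches a closed port, per handbook option value.
TCP_REPLY = {
    0: {"syn": "RST", "other": "RST"},
    1: {"syn": "drop", "other": "RST"},
    2: {"syn": "drop", "other": "drop"},
}
UDP_REPLY = {0: "ICMP port unreachable", 1: "drop"}

# What a scanner concludes about the port from each reply.
SCANNER_VIEW = {"RST": "closed", "ICMP port unreachable": "closed", "drop": "filtered"}

_OPT_RE = re.compile(r"^\s*system tune (tcp|udp) pktdropopt (\d+)\s*$")


def effective_pktdropopt(config_lines):
    """Return {"tcp": n, "udp": n} for the configuration, applying the defaults."""
    opts = {"tcp": 0, "udp": 0}
    for line in config_lines:
        m = _OPT_RE.match(line)
        if not m:
            continue
        proto, value = m.group(1), int(m.group(2))
        table = TCP_REPLY if proto == "tcp" else UDP_REPLY
        if value not in table:
            raise ValueError(f"invalid {proto} pktdropopt value {value} in: {line.strip()}")
        opts[proto] = value  # a later line overrides an earlier one
    return opts


def closed_port_behaviour(config_lines):
    """Describe what a probe to a closed port gets back and what a scanner infers."""
    opts = effective_pktdropopt(config_lines)
    tcp, udp = TCP_REPLY[opts["tcp"]], UDP_REPLY[opts["udp"]]
    return {
        "tcp_syn_reply": tcp["syn"],
        "tcp_other_reply": tcp["other"],
        "udp_reply": udp,
        "syn_scan_sees": SCANNER_VIEW[tcp["syn"]],
        "udp_scan_sees": SCANNER_VIEW[udp],
    }


def recommend_hardening(config_lines):
    """CLI lines that would stop closed ports from answering scans.

    TCP option 1 is suggested rather than 2: it hides closed ports from SYN
    scans while still sending RST to stray segments, so a peer whose connection
    the appliance has already forgotten is reset instead of hanging until its
    own timeout (option 2 drops those segments too).
    """
    opts = effective_pktdropopt(config_lines)
    fixes = []
    if opts["tcp"] == 0:
        fixes.append("system tune tcp pktdropopt 1")
    if opts["udp"] == 0:
        fixes.append("system tune udp pktdropopt 1")
    return fixes


# Constructed sample: a fragment in the handbook's CLI syntax, not a real export.
SAMPLE_CONFIG = [
    "interface mtu port1 1500",
    "system tune tcp pktdropopt 1",
    "system tune ip randomid on",
]

if __name__ == "__main__":
    print(closed_port_behaviour(SAMPLE_CONFIG))
    print(recommend_hardening(SAMPLE_CONFIG))
```

The recommendation deliberately stops at TCP option 1: option 2 also withholds the RST from segments of connections the appliance no longer tracks, so a legitimate peer in that state waits out its own timeout instead of being reset immediately. Choose 2 only where that trade-off is acceptable.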
system tune vpn nattimeout <timeout>
This command is used to set the maximum timeout for the VPN Netpool NAT function. When the
connection between the AG appliance and the backend server is idle for the specified timeout
value, NAT entries for the VPN Netpool NAT function will be cleared. If this command is not
configured, the default maximum timeout for the VPN Netpool NAT function is 300 seconds.
timeout                           This parameter specifies the maximum timeout in seconds. Its value
                                  must be an integer ranging from 1 to 100,000.
no system tune vpn nattimeout
This command is used to reset the maximum timeout for the VPN Netpool NAT function to the default
(300 seconds).
System Time Settings
system date <year> <month> <day>
In the event that a network does not rely on an NTP server, users can set the AG appliance system
date by running this command. The values for each parameter can be entered as one or two digits
as necessary. For example, if a user wants to enter the date “October 20, 2011” the input should be
as follows:
AN(config)#system date 11 10 20
show date
This command is used to view the current system date and time of the AG appliance.
system time <hour> <minute> <second>
In the event that a network does not rely on an NTP server, users can set the AG appliance system
time by running this command. The values for each parameter can be entered as one or two digits
as necessary (Note: The AG appliance runs on a twenty-four hour/military standard clock.). For
example, if a user wants to enter the time “11:33:51 PM” the input will be as follows:
AN(config)#system time 23 33 51
system timezone [timezone_string]
This command allows users to set the system time zone. When this command is executed, the AG
appliance will present the user with a three-step menu driven process to set the correct time zone.
The first step/menu in the process is to choose the correct continent (i.e. Asia, Europe or North
America). After the desired continent is entered, the next menu will offer the list of supported
countries within the specified continent (i.e. China, Hong Kong, Japan, South Korea, Singapore or
Taiwan). The final step is to choose the specific time zone region from the AG appliance
generated list.
          Note: At any time during the time zone setup, users can enter “0” to return to the
          previous option (e.g., entering “0” on the country list page will return users to the
          continent page).
show system timezone
This command is used to display current timezone.
clear system timezone
This command is used to set the system timezone to “GMT” (the default).
ntp {on|off}
This command is used to enable/disable synchronizing the AG appliance clock with the NTP
server. The NTP server settings and NTP time setting received by the AG appliance will preempt
the CLI date and time settings. The “ntp server” command must be configured before the NTP
feature can be enabled.
ntp server <ip> [version]
This command is used to configure the NTP server with which the AG appliance synchronizes its
time. The NTP function will not work if the time difference between the NTP server and the AG
appliance is greater than 1,000 seconds (approximately 16 minutes). If the time difference is
greater than 1,000 seconds, first adjust the system time of the AG appliance to a closer value by
using the “system time” command.
ip                             This parameter specifies the IP address of the NTP server. Its value
                               must be an IPv4 or IPv6 address.
version                        Optional. This parameter specifies the NTP version. Its value must
                               be 1, 2, 3 or 4. The default value is 4.
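As an added illustration (not code from the handbook or from Array Networks), the following Python helpers turn a clock reading into the “system date” and “system time” commands described above and apply the 1,000-second rule from the “ntp server” description to decide whether the clock must be set by hand before “ntp on” will succeed. The two-digit year follows the handbook's own example (“system date 11 10 20” for October 20, 2011); the input format accepted by parse_clock and the function names are assumptions of this example.

```python
from datetime import datetime

# Largest clock offset the handbook says NTP synchronization tolerates.
NTP_MAX_OFFSET_SECONDS = 1000


def parse_clock(text: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM:SS' clock reading (assumed input format)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def system_date_command(dt: datetime) -> str:
    """Render 'system date <year> <month> <day>'.

    The handbook enters October 20, 2011 as 'system date 11 10 20', so the
    year is given as its last two digits and values need no zero padding.
    """
    return f"system date {dt.year % 100} {dt.month} {dt.day}"


def system_time_command(dt: datetime) -> str:
    """Render 'system time <hour> <minute> <second>' on the 24-hour clock."""
    return f"system time {dt.hour} {dt.minute} {dt.second}"


def clock_offset_seconds(appliance: datetime, reference: datetime) -> float:
    """Absolute difference between the appliance clock and a trusted reference."""
    return abs((appliance - reference).total_seconds())


def ntp_preflight(appliance: datetime, reference: datetime) -> list:
    """Commands to run before 'ntp on' so that the offset is within tolerance.

    Returns an empty list when the appliance clock is already close enough,
    otherwise the 'system date' and 'system time' commands that move the
    appliance to the reference time, as the handbook recommends.
    """
    if clock_offset_seconds(appliance, reference) <= NTP_MAX_OFFSET_SECONDS:
        return []
    return [system_date_command(reference), system_time_command(reference)]


if __name__ == "__main__":
    # Constructed sample: the appliance is about 26 minutes behind the reference,
    # so both commands are printed.
    appliance = parse_clock("2011-10-20 23:33:51")
    reference = parse_clock("2011-10-21 00:00:00")
    for command in ntp_preflight(appliance, reference):
        print(command)
```

Both datetimes must be naive or both timezone-aware; mixing the two raises a TypeError in the subtraction, which is preferable to silently comparing clocks in different zones.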
show ntp
This command is used to display the current NTP configuration. This command will also display
the time dispersion and association of the current server.
clear ntp
This command is used to clear the NTP configuration.
Chapter 3 Virtual Site
Virtual Site
virtual site name <virtual_site> [description] [type] [parent_site]
This global command is used to create a virtual site.
virtual_site                       This parameter specifies the name of the virtual site. Its value
                                   must be a string of 1 to 63 characters. Only 0-9, a-z, A-Z and
                                   characters “_” and “-” are supported.
description                        Optional. This parameter specifies the description of the virtual
                                   site. Its value must be a string of 1 to 63 characters. If this
                                   parameter is not specified, no description will be displayed for
                                   the virtual site.
                                   If the virtual site is used for the MotionPro feature, the parameter
                                   value should only be “motionPro_dedicated”.
type                               Optional. This parameter specifies the type of the virtual site. Its
                                   value must be “exclusive”, “shared”, or “alias”. The default
                                   value is “exclusive”.
parent_site                        Optional. This parameter specifies the name of the parent virtual
                                   site.
                                   • When the “type” parameter is set to “alias”, the parent
                                     virtual site must be an existing shared virtual site.
                                   • When the “type” parameter is set to “exclusive” or
                                     “shared”, the parent virtual site should not be specified.
no virtual site name <virtual_site>
This global command is used to delete the specified virtual site.
show virtual site name
This global command is used to display the name, description, type and parent site information of
all the existing virtual sites.
virtual site ip <virtual_site> <ip_address> [port]
This global command is used to add the IP address and port to a virtual site.
virtual_site                    This parameter specifies the name of the virtual site.
ip_address                      This parameter specifies the IP address to be assigned to the virtual
                                site. Its value must be an IPv4 or IPv6 address.
port                            Optional. This parameter specifies the port to be assigned to the
                                virtual site. Its value must be an integer ranging from 0 to 65,535,
                                and defaults to 443.
no virtual site ip <virtual_site> <ip_address> [port]
This global command is used to delete the specified IP address and port from the virtual site.
show virtual site ip [virtual_site]
This global command is used to display the IP address and port of the specified virtual site. If the
“virtual_site” parameter is not specified, the IP addresses and ports of all virtual sites will be
displayed.
virtual site domain <virtual_site> <domain_name>
This global command is used to add the domain name to a virtual site.
virtual_site                    This parameter specifies the name of the virtual site.
domain_name                     This parameter specifies the domain name to be assigned to the
                                virtual site. Its value must be a string of 1 to 64 characters.
no virtual site domain <virtual_site> <domain_name>
This global command is used to delete the specified domain name from the virtual site.
show virtual site domain [virtual_site]
This global command is used to display the domain name of the specified virtual site. If the
“virtual_site” parameter is not specified, the domain names of all virtual sites will be displayed.
show virtual site config [virtual_site]
This global command is used to display the name, IP and domain configurations of the specified
virtual site.
virtual_site                    Optional. This parameter specifies the name of the virtual site. If
                                this parameter is not specified, the configurations of all virtual sites
                                will be displayed.
clear virtual site config
This global command is used to clear the configurations of all virtual sites.
show info
This command is used to display the name, IP and domain configurations of the virtual site.
show statistics virtual
This global command is used to display the statistics under the global scope and each virtual site
scope.
clear statistics virtual
This global command is used to clear the statistics under the global scope and each virtual site
scope.
SSL
ssl csr [key_length] [signature_algorithm]
This command is used to generate a CSR (Certificate Signing Request) and an SSL key pair for
the current virtual site. After this command is executed, the administrator will be led through a
series of prompts so that the system can gather the required information to generate the CSR. The
administrator can choose to set the private key as exportable and set the passphrase for the private
key to protect it.
In addition, this command also generates a “test” certificate for the virtual site. If the administrator
has not uploaded the intermediate CA certificates and root CA certificate of this “test” certificate
using the “ssl import interca” command, a warning message indicating an incomplete certificate
chain will be displayed.
key_length                       Optional. This parameter specifies the length of the generated SSL
                                 key pair in bits. Its value must be 1024, 2048 or 4096. The default
                                 value is 2048.
signature_algorithm              Optional. This parameter specifies the signature algorithm of the
                                 CSR file. Its value must be “sha256”, “sha384”, “sha512” or
                                 “sha1”. The default value is “sha256”.
The prompts for the requested data appear as follows:
vs(config)$ssl csr
Type 'YES' to generate a new key and overwrite the existing key file.
Type 'NO' will just generate CSR file[YES/(NO)]:YES
Generating key for "vs"...please wait
We will now gather some required information about your ssl virtual site,
This information is encoded into your certificate
Two character country code for your organization (eg. US):
State or province:
Location or local city:
Organization Name:
Organizational Unit:
Do you want to use the domain name "vs" as the Common Name (recommended)?(Y/N):
Email address of administrator:
Do you want the private key to be exportable [Yes/(No)]:
Enter passphrase for the private key:
Confirm passphrase for the private key:
Once the above information has been provided, the AG appliance displays a data block that
should be copied into an email and sent to the CA (Certificate Authority) for certificate signing. The
subject fields in the CSR must conform to the following length limits:
    Two Character Country Code: 2 bytes
    Common Name: 64 bytes
    State or Province: 64 bytes
    Location or Local City: 64 bytes
    Organization Name: 64 bytes
    Organizational Unit: 64 bytes
    Email Address for Administrator: 80 bytes
        Note:
             • The subject fields “Country Code”, “State or Province”, “Location or Local City”,
               “Organization Name”, “Organizational Unit”, and “Common Name” (available when
               “Site FQDN as Common Name” is set to “No”) only support a-z, A-Z, numbers, space
               and the characters “'”, “(”, “)”, “+”, “-”, “=”, “,”, “.”, “:”, “/” and “?”.
             • The subject field “Email Address for Administrator” cannot contain any of the
               characters “!”, “#”, “$”, “%”, “^”, “*”, “(”, “)”, “~”, “?”, “>”, “<”, “&”, “/”, “\”, “,”,
               “"” and “'”.
             • The test certificate generated by the “ssl csr” command is only used for testing
               purposes, not for production systems.
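An added pre-check (not code from the handbook or from Array Networks) that applies the byte limits and character rules above to a subject before the administrator answers the “ssl csr” prompts, so that a request is not rejected at the prompt or later by the CA. The limits and character sets are the ones the handbook lists; the dictionary key names and the function names are assumptions of this example.

```python
import re

# Byte limits for the CSR subject fields, as listed in the handbook.
SUBJECT_LIMITS = {
    "country": 2,
    "common_name": 64,
    "state": 64,
    "locality": 64,
    "organization": 64,
    "organizational_unit": 64,
    "email": 80,
}

# Characters the handbook allows in every subject field except the e-mail:
# letters, digits, space and ' ( ) + - = , . : / ?
SUBJECT_ALLOWED = re.compile(r"[A-Za-z0-9 '()+\-=,.:/?]*\Z")

# Characters the handbook forbids in the administrator e-mail field.
EMAIL_FORBIDDEN = frozenset('!#$%^*()~?><&/\\,"\'')


def validate_subject(subject: dict) -> list:
    """Return the problems found in a CSR subject; an empty list means it passes.

    `subject` maps the field names in SUBJECT_LIMITS to the strings the
    administrator intends to type at the prompts. Empty or missing fields
    are skipped, since the handbook states limits, not required fields.
    """
    problems = []
    for field, limit in SUBJECT_LIMITS.items():
        value = subject.get(field, "")
        if not value:
            continue
        size = len(value.encode("utf-8"))      # the limits are given in bytes
        if size > limit:
            problems.append(f"{field}: {size} bytes exceeds limit of {limit}")
        if field == "email":
            bad = sorted(set(value) & EMAIL_FORBIDDEN)
            if bad:
                problems.append(f"{field}: forbidden characters {''.join(bad)}")
        elif not SUBJECT_ALLOWED.match(value):
            bad = sorted({c for c in value if not SUBJECT_ALLOWED.match(c)})
            problems.append(f"{field}: unsupported characters {''.join(bad)}")
    for field in subject:
        if field not in SUBJECT_LIMITS:
            problems.append(f"{field}: not a CSR subject field")
    return problems


def subject_is_valid(subject: dict) -> bool:
    """True when validate_subject finds nothing to report."""
    return not validate_subject(subject)


if __name__ == "__main__":
    # Constructed sample subject with one problem per kind of rule.
    sample = {"country": "USA", "organization": "Acme & Co", "email": "a<b>@example.com"}
    for problem in validate_subject(sample):
        print(problem)
```

Lengths are measured in UTF-8 bytes rather than characters because the handbook states its limits in bytes; for the ASCII-only character sets above the two coincide, but the e-mail field has no such restriction.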
ssl ecc csr [curve_name] [signature_algorithm_index]
This command is used to generate a CSR (Certificate Signing Request) and an SSL key pair based
on the Elliptic Curve Cryptography (ECC) for the current virtual site. After this command is
executed, the administrator will be led through a series of prompts so that the system can gather
the required information to generate the ECC CSR. The administrator can choose to set the private
key as exportable and set the passphrase for the private key to protect it.
In addition, this command also generates a “test” certificate for the virtual site. If the administrator
has not uploaded the intermediate CA certificates and root CA certificate of this “test” certificate
using the commands “ssl import interca” and “ssl import rootca”, a warning message indicating
an incomplete certificate chain will be displayed.
curve_name                         Optional. This parameter specifies the elliptic curve name. Its value
                                   must be “prime256v1”, “secp384r1”, or “secp521r1”.
                                   The default value is “prime256v1”.
signature_algorithm_index          Optional. This parameter specifies the index of the CSR signature
                                   algorithm. Its value must be “sha256”, “sha384”, “sha512” or
                                   “sha1”. The default value is “sha256”.
           Note: If the elliptic curve field in the ClientHello message does not match the elliptic
           curve in the ECC certificate activated for the virtual site, the SSL handshake will fail.
no ssl csr [csr_type]
This command is used to delete the CSR of the specified type for the current virtual site.
csr_type                           Optional. This parameter specifies the type of the CSR. Its value
                                   must be:
                                       • rsa: indicates the RSA CSR will be deleted.
                                       • sm2: indicates the SM2 CSR will be deleted.
                                       • ecc: indicates that the ECC CSR will be deleted.
                                       • all: indicates all types of CSRs will be deleted.
                                   The default value is “all”.
show ssl csr [csr_type]
This command is used to display the CSR of the specified type for the current virtual site.
csr_type                           Optional. This parameter specifies the type of the CSR. Its value
                                   must be:
                                       • rsa: indicates the RSA CSR will be displayed.
                                       • sm2: indicates the SM2 CSR will be displayed.
                                       • ecc: indicates that the ECC CSR will be displayed.
                                       • all: indicates all types of CSRs will be displayed.
                                   The default value is “all”.
ssl import key [key_index] [tftp_ip] [file_name]
This command is used to import a private key for the current virtual site. The administrator can
import three private keys at most.
The administrator can execute this command and copy-n-paste the private key directly into the
CLI. The system also supports importing private keys from a remote TFTP server.
key_index                      Optional. This parameter specifies the index to be associated with
                               the imported key. Its value must be 1, 2 or 3, and defaults to 1.
tftp_ip                        Optional. This parameter specifies the IP address of the remote
                               TFTP server, which is required only when the private key is
                               imported via TFTP. Its value must be an IPv4 address.
file_name                      Optional. This parameter specifies the file name of the key on the
                               remote TFTP server, which is required only when the private key is
                               imported via TFTP. Its value must be a string of 1 to 256 characters,
                               and defaults to “<host_name>.key”.
ssl export key [key_index] [key_type]
This command is used to export a private key. After this command is executed, the specified key
will be displayed.
key_index                      Optional. This parameter specifies the index of the imported key to
                               be exported. Its value must be 1, 2 or 3. If this parameter is not
                               specified, the active key will be displayed.
key_type                       Optional. This parameter specifies the type of the private key to be
                               displayed. Its value must be:
                                   • rsa: indicates that the RSA private key will be displayed.
                                   • ecc: indicates that the ECC private key will be displayed.
                                   • all: indicates that both RSA and ECC private keys will be
                                     displayed.
                               The default value is “all”.
ssl import certificate [cert_index] [tftp_ip] [file_name]
This command is used to import a certificate for the current virtual site. The administrator can
import three certificates at most. The imported certificate can be activated by the command “ssl
activate certificate [cert_index]”.
The administrator can execute this command and copy-n-paste the PEM format certificate directly
into the CLI. The system also supports importing PEM, DER and PFX formats as well as the
certificates used by IIS 4, IIS 5 and Netscape iPlanet servers from a remote TFTP server.
cert_index                      Optional. This parameter specifies the index to be associated with
                                the imported certificate. Its value must be 1, 2 or 3, and defaults to
                                1.
tftp_ip                         Optional. This parameter specifies the IP address of the remote
                                TFTP server, which is required only when the certificate is
                                imported via TFTP. Its value must be an IPv4 address.
file_name                       Optional. This parameter specifies the file name of the certificate on
                                the remote TFTP server, which is required only when the certificate
                                is imported via TFTP. Its value must be a string of 1 to 256
                                characters, and defaults to “<host_name>.crt”.
no ssl certificate [cert_index] [cert_type]
This command is used to delete an imported certificate of the specified type for the current virtual
site.
cert_index                      Optional. This parameter specifies the index of the certificate. Its
                                value must be 1, 2 or 3. The default value is 1.
cert_type                       Optional. This parameter specifies the type of the certificate. Its
                                value must be:
                                    • rsa: indicates that the RSA certificate will be deleted.
                                    • ecc: indicates that the ECC certificate will be deleted.
                                    • all: indicates that both RSA and ECC certificates will be
                                      deleted.
                                The default value is “all”.
ssl activate certificate [cert_index] [cert_type]
This command is used to activate an imported certificate as the default certificate.
cert_index                      Optional. This parameter specifies the index of the certificate to be
                                activated. Its value must be 1, 2 or 3. The default value is 1.
cert_type                       Optional. This parameter specifies the type of certificate to be
                                activated. Its value must be:
                                    • rsa: indicates the RSA certificate will be activated.
                                    • sm2: indicates the SM2 certificate will be activated.
                                    • ecc: indicates that the ECC certificate will be activated.
                                    • all: indicates all types of certificates will be activated.
                                The default value is “all”.
        Note:
            • For each type of certificate, only one certificate/key (with the same index) pair can
              stay active in the system. The certificate/key pair generated by the command “ssl
              csr” is active by default. The certificate/key pair generated by the command “ssl ecc
              csr” is active by default. The certificate/key pair generated by the “ssl sm2 csr”
              command is inactive by default.
            • If the elliptic curve field in the ClientHello message does not match the elliptic
              curve in the ECC certificate activated for the virtual site, the SSL handshake will
              fail.
show ssl certificate [display_mode] [cert_index] [cert_type]
This command is used to display an imported certificate.
display_mode                   Optional. This parameter specifies the display mode of certificate.
                               Its value must be:
                                   • complete: indicates that all the information of the certificate
                                     will be displayed.
                                   • simple: indicates that only Issuer, Validity and Subject of the
                                     certificate will be displayed.
                               The default value is “complete”.
cert_index                     Optional. This parameter specifies the index of the imported
                               certificate to be displayed. Its value must be 1, 2 or 3. If this
                               parameter is not specified, the active certificate will be displayed.
cert_type                      Optional. This parameter specifies the type of certificate to be
                               displayed. Its value must be:
                                   • rsa: indicates the RSA certificate will be displayed.
                                   • sm2: indicates the SM2 certificate will be displayed.
                                   • ecc: indicates that the ECC certificate will be displayed.
                                   • all: indicates all types of certificates will be displayed.
                               The default value is “all”.
show ssl certinfo <virtual_site>
This global command is used to display the information about the SSL certificate(s) of a specified
virtual site.
virtual_site                      This parameter specifies the name of an existing virtual site.
For example:
AN#show ssl certinfo vs
RSA certificates status:
Cert Index                     Imported                       Status
       1                         YES                              Active
       2                         NO                                  -
       3                         NO                                  -
ECC certificates status:
Cert Index                     Imported                       Status
       1                         YES                              Active
       2                         NO                                  -
       3                         NO                                  -
SM2 certificates status:
Cert Index           Imported                  Status
                       Sign/Enc
     1                 YES/NO                      -
     2                 NO /NO                     -
     3                 NO /NO                     -
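The table above is convenient to read but awkward to act on from a script. As an added example (not code from the handbook or from Array Networks), here is a parser for the “show ssl certinfo” output that turns the three status tables into a structure, plus two checks an operator might automate: which slots hold the active certificates, and which slots hold imported material that is not active (leftover key pairs that still need to be tracked). The sample text is constructed from the handbook's example output; the function names are assumptions of this example.

```python
import re

# Constructed sample, copied from the handbook's 'show ssl certinfo vs' example.
SAMPLE_CERTINFO = """\
AN#show ssl certinfo vs
RSA certificates status:
Cert Index                     Imported                       Status
       1                         YES                              Active
       2                         NO                                  -
       3                         NO                                  -
ECC certificates status:
Cert Index                     Imported                       Status
       1                         YES                              Active
       2                         NO                                  -
       3                         NO                                  -
SM2 certificates status:
Cert Index           Imported                  Status
                       Sign/Enc
     1                 YES/NO                      -
     2                 NO /NO                     -
     3                 NO /NO                     -
"""

SECTION_RE = re.compile(r"^(\w+) certificates status:$")


def parse_certinfo(text: str) -> dict:
    """Map certificate type -> {index: {"imported": (...), "status": str}}.

    RSA and ECC rows carry one Imported flag; SM2 rows carry a 'Sign/Enc'
    pair, so 'imported' is a tuple of booleans, one per flag in the row.
    """
    info = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            info[current] = {}
            continue
        if current is None or not line or not line[0].isdigit():
            continue                      # prompt, column headers, blank lines
        # 'NO /NO' contains a stray space; normalise around the slash first.
        parts = re.sub(r"\s*/\s*", "/", line).split()
        if len(parts) != 3:
            continue
        index, imported, status = parts
        info[current][int(index)] = {
            "imported": tuple(flag == "YES" for flag in imported.split("/")),
            "status": status,
        }
    return info


def active_slots(info: dict) -> list:
    """(type, index) pairs whose certificate is marked Active."""
    return [(ctype, idx) for ctype, slots in info.items()
            for idx, slot in slots.items() if slot["status"] == "Active"]


def imported_but_inactive(info: dict) -> list:
    """(type, index) pairs holding imported material that is not active."""
    return [(ctype, idx) for ctype, slots in info.items()
            for idx, slot in slots.items()
            if any(slot["imported"]) and slot["status"] != "Active"]


if __name__ == "__main__":
    parsed = parse_certinfo(SAMPLE_CERTINFO)
    print("active:", active_slots(parsed))
    print("imported but inactive:", imported_but_inactive(parsed))
```

Running the parser over the sample reports RSA slot 1 and ECC slot 1 as active and SM2 slot 1 as imported (signing half only) but inactive, which matches the handbook's note that the SM2 pair is inactive by default.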
ssl import rootca [tftp_ip] [file_name]
Under the global scope, this command is used to import a trusted CA certificate for all the virtual
sites.
Under the virtual site scope, this command is used to import a trusted CA certificate for the
current virtual site.
The administrator can execute this command and copy-n-paste the trusted CA certificate of PEM
format directly into the CLI. The system also supports importing trusted CA certificate of PEM
and DER formats from a remote TFTP server.
tftp_ip                           Optional. This parameter specifies the IP address of the remote
                                  TFTP server, which is required only when the trusted CA certificate
                                  is imported via TFTP. Its value must be an IPv4 address.
file_name                         Optional. This parameter specifies the file name of the trusted CA
                                  certificate on the remote TFTP server, which is required only when
                                  the trusted CA certificate is imported via TFTP. Its value must be a
                                string of 1 to 256 characters, and defaults to “<host_name>.crt”.
no ssl rootca [certificate_number]
Under the global scope, this command is used to delete an imported trusted CA certificate from all
the virtual sites.
Under the virtual site scope, this command is used to delete an imported trusted CA certificate
from the current virtual site.
certificate_number              Optional. This parameter specifies the serial number of the trusted
                                CA certificate to be deleted. Administrators can find the serial
                                number of the certificate via the “show ssl rootca” command. If
                                this parameter is not specified, all the trusted CA certificates will be
                                deleted.
show ssl rootca [display_mode]
Under the global scope, this command is used to display the trusted CA certificate imported for all
the virtual sites.
Under the virtual site scope, this command is used to display the trusted CA certificate imported
for the current virtual site.
display_mode                    Optional. This parameter specifies the display mode of certificate.
                                Its value must be:
                                    • complete: indicates that all the information of the certificate
                                      will be displayed.
                                    • simple: indicates that only Issuer, Validity and Subject of the
                                      certificate will be displayed.
                                The default value is “complete”.
ssl import interca [tftp_ip] [file_name]
This command is used to import an intermediate CA certificate for the current virtual site.
The administrator can execute this command and copy-n-paste the intermediate CA certificate of
PEM format directly into the CLI. The system also supports importing intermediate CA certificate
of PEM and DER formats from a remote TFTP server.
tftp_ip                         Optional. This parameter specifies the IP address of the remote
                                TFTP server, which is required only when the intermediate CA
                                certificate is imported via TFTP. Its value must be an IPv4 address.
file_name                        Optional. This parameter specifies the file name of the intermediate
                                 CA certificate on the remote TFTP server, which is required only
                                 when the intermediate CA certificate is imported via TFTP. Its
                                 value must be a string of 1 to 256 characters, and defaults to
                                 “<host_name>.crt”.
no ssl interca [certificate_number]
This command is used to delete an imported intermediate CA certificate from the current virtual
site.
certificate_number               Optional. This parameter specifies the serial number of the
                                 intermediate CA certificate to be deleted. Administrators can find
                                 the serial number of the certificate via the “show ssl interca”
                                 command. If this parameter is not specified, all the intermediate CA
                                 certificates will be deleted.
show ssl interca [display_mode]
This command is used to display the intermediate CA certificate imported for the current virtual
site.
display_mode                     Optional. This parameter specifies the display mode of certificate.
                                 Its value must be:
                                     • complete: indicates that all the information of the certificate
                                       will be displayed.
                                     • simple: indicates that only Issuer, Validity and Subject of the
                                       certificate will be displayed.
                                 The default value is “complete”.
ssl backup certificate <file_name> <password>
This command is used to back up the certificate and the private key of the current virtual site into
a PFX file. This PFX file is zipped together with the trusted CA certificate (refer to the “ssl import
rootca” command) and the intermediate CA certificate (refer to the “ssl import interca” command)
into a .tgz file. The .tgz file can be stored in the local system or on a specified TFTP server, and
the correct password is required to access it.
file_name                        This parameter specifies the file name. Its value must be a string of
                                 1 to 256 characters, which is recommended to be enclosed by
                                 double quotes. Only numbers, letters and underscore “_” are
                                 supported.
                                     • To store the backup file locally, use a valid local file name
                                       (excluding the path and extension).
                                     • To store the backup file on a remote server, use a properly
                                       formatted TFTP string (e.g., "tftp://server/filename").
password                        This parameter specifies the password that allows access to the
                                backup file. Its value must be a string of 1 to 128 characters, which
                                is recommended to be enclosed by double quotes. Only numbers,
                                letters and underscore “_” are supported.
no ssl backup certificate <file_name>
This command is used to delete the specified backup certificate/key file stored in the local system.
The parameter “file_name” must be a valid local file name.
show ssl backup certificate
This command is used to display the backup certificate/key file that is stored in the local system.
ssl restore certificate <file_name> <password>
This command is used to restore the certificate and the private key from a PFX file, which can be
stored in the local system or on the remote TFTP server. The password string must be identical to
the string entered when this backup file was produced using the “ssl backup certificate”
command.
file_name                       This parameter specifies the file name.
password                        This parameter specifies the password that allows access to the
                                specified backup file.
ssl settings protocol <version>
This command is used to set the supported SSL protocol version for the current virtual site. The
AG appliance supports three types of protocols: SSLv3, TLSv1 and TLSv1.2.
version                         This parameter specifies the SSL protocol version. Its value must
                                be:
                                    • SSLv3: indicates that SSLv3 protocol is supported.
                                    • TLSv1: indicates that TLSv1 protocol is supported.
                                    • TLSv12: indicates that TLSv1.2 protocol is supported.
                                    • SM2v11: indicates that SM2v1.1 protocol is supported.
                                    • ALL: indicates that the above four SSL protocols are all
                                      supported.
                                To use more than one protocol, separate the values with a colon
                                (“:”). For the cipher suites supported by each protocol, refer to
                                the ArrayOS AG 9.4 User Guide.
For example:
AN(config)#ssl settings protocol SSLv3
AN(config)#ssl settings protocol ALL
ssl settings ciphersuite <cipher_string>
This command is used to set the supported cipher suite for the current virtual site.
cipher_string                    This parameter specifies the cipher suite. To use more than one
                                 cipher suite, use colon “:” to separate each other.
Below is a list of supported cipher suites:
    DES-CBC3-SHA
    RC4-SHA
    RC4-MD5
    EXP-RC4-MD5
    AES128-SHA
    AES256-SHA
    AES128-SHA256
    AES256-SHA256
    ECDHE-RSA-AES128-SHA
    ECDHE-RSA-AES256-SHA
    ECDHE-RSA-AES128-SHA256
    ECDHE-RSA-AES256-SHA384
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES128-SHA
    ECDHE-ECDSA-AES256-SHA
    ECDHE-ECDSA-AES128-SHA256
    ECDHE-ECDSA-AES256-SHA384
    ECDHE-ECDSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECC-SM4-SM3
    ECDHE-SM4-SM3
        Note: Only experienced administrators should use this command. If you have any
        questions regarding these settings, please call customer support BEFORE using this
        command. EXP-RC4-MD5 is a 40-bit export suite and the RC4 suites are prohibited by
        RFC 7465; keep them, and DES-CBC3-SHA, out of the list unless a legacy client leaves
        no choice, and prefer the ECDHE suites, which provide forward secrecy.
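Both values above are colon-separated lists, and the ALL keyword together with the mixed list of modern and legacy suites makes mistakes easy. The following Python is an added example, not code from this handbook or from Array Networks: it parses both values using the names the handbook lists, reports the suites a practitioner would normally remove, and derives a hardened pair of values. The key sizes and the legacy / forward-secrecy classification are this example's own assumptions, not handbook text.

```python
# Added example (not Array Networks code): validate the colon-separated values
# accepted by "ssl settings protocol" and "ssl settings ciphersuite" and flag
# entries that should not stay enabled.  Protocol and suite names are the ones
# this handbook lists; the key sizes and the "legacy" / "no forward secrecy"
# classification are this example's own assumptions.

SUPPORTED_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv12", "SM2v11")

# suite name -> nominal symmetric key size in bits (assumption, not handbook text)
SUPPORTED_CIPHERS = {
    "DES-CBC3-SHA": 168, "RC4-SHA": 128, "RC4-MD5": 128, "EXP-RC4-MD5": 40,
    "AES128-SHA": 128, "AES256-SHA": 256,
    "AES128-SHA256": 128, "AES256-SHA256": 256,
    "ECDHE-RSA-AES128-SHA": 128, "ECDHE-RSA-AES256-SHA": 256,
    "ECDHE-RSA-AES128-SHA256": 128, "ECDHE-RSA-AES256-SHA384": 256,
    "ECDHE-RSA-AES128-GCM-SHA256": 128, "ECDHE-RSA-AES256-GCM-SHA384": 256,
    "ECDHE-ECDSA-AES128-SHA": 128, "ECDHE-ECDSA-AES256-SHA": 256,
    "ECDHE-ECDSA-AES128-SHA256": 128, "ECDHE-ECDSA-AES256-SHA384": 256,
    "ECDHE-ECDSA-AES128-GCM-SHA256": 128, "ECDHE-ECDSA-AES256-GCM-SHA384": 256,
    "ECC-SM4-SM3": 128, "ECDHE-SM4-SM3": 128,
}


def split_colon_list(value):
    """Split a colon-separated CLI value, rejecting empty items ('A::B', 'A:')."""
    items = value.split(":")
    if any(item == "" for item in items):
        raise ValueError("empty element in %r" % value)
    return items


def parse_protocols(value):
    """Return the set of protocols enabled by an 'ssl settings protocol' value."""
    names = split_colon_list(value)
    if "ALL" in names:
        return set(SUPPORTED_PROTOCOLS)
    unknown = [n for n in names if n not in SUPPORTED_PROTOCOLS]
    if unknown:
        raise ValueError("unsupported protocol(s): %s" % ", ".join(unknown))
    return set(names)


def audit_ciphersuite(value):
    """Classify each suite of an 'ssl settings ciphersuite' value.

    'legacy': export, RC4, 3DES or MD5-MAC suites, or keys shorter than 128 bits.
    'no_forward_secrecy': suites without an ECDHE key exchange.
    'unknown': names that are not in the handbook's list.
    """
    report = {"unknown": [], "legacy": [], "no_forward_secrecy": []}
    for name in split_colon_list(value):
        bits = SUPPORTED_CIPHERS.get(name)
        if bits is None:
            report["unknown"].append(name)
        elif (bits < 128 or name.startswith("EXP-") or "RC4" in name
              or "DES" in name or name.endswith("-MD5")):
            report["legacy"].append(name)
        elif not name.startswith("ECDHE-"):
            report["no_forward_secrecy"].append(name)
    return report


def harden(protocol_value, cipher_value):
    """Return (protocol, ciphersuite) strings for a hardened virtual site.

    Keeps only TLSv12 (and SM2v11 if it was enabled) and only the suites the
    audit does not flag, preserving the administrator's preference order.
    """
    enabled = parse_protocols(protocol_value)
    protocols = [p for p in ("TLSv12", "SM2v11") if p in enabled]
    flagged = audit_ciphersuite(cipher_value)
    bad = (set(flagged["unknown"]) | set(flagged["legacy"])
           | set(flagged["no_forward_secrecy"]))
    ciphers = [c for c in split_colon_list(cipher_value) if c not in bad]
    if not protocols or not ciphers:
        raise ValueError("hardening would leave no protocol or no cipher suite enabled")
    return ":".join(protocols), ":".join(ciphers)


if __name__ == "__main__":
    # Constructed configuration with the kind of leftovers an audit should catch.
    cfg = "EXP-RC4-MD5:DES-CBC3-SHA:AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384"
    print(audit_ciphersuite(cfg))
    print(harden("ALL", cfg))
```

The hardened strings can be applied with the two commands above; note that ECC-SM4-SM3 is dropped by harden() because it has no ephemeral key exchange, so keep it explicitly if SM2 clients need it.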
ssl settings signalgo <signature_algorithm>
This command is used to set the signature algorithm that will be used in the ServerKeyExchange
message generated during SSL handshake for the current virtual site. This command takes effect
for only the negotiation of ECDHE cipher suites.
If the signature algorithm field in the ClientHello message matches multiple configured signature
algorithms, the first one configured in this command will be used. If the signature algorithm field
in the ClientHello message does not match any configured signature algorithm, the SSL
handshake will fail. Please note that this configuration takes effect only when the TLSv1.2
protocol is used.
If this command is not configured, the default signature algorithms are
“sha256ECDSA:sha256RSA:sha384ECDSA:sha384RSA:sha512ECDSA:sha512RSA:sha224ECDSA:sha224RSA:sha1ECDSA:sha1RSA”.
signature_algorithm             This parameter specifies the signature algorithm that will be used in
                                the ServerKeyExchange message generated during SSL handshake.
                                Its value must be “sha256ECDSA”, “sha256RSA”,
                                “sha384ECDSA”, “sha384RSA”, “sha512ECDSA”, “sha512RSA”,
                                “sha224ECDSA”, “sha224RSA”, “sha1ECDSA”, and “sha1RSA”.
                                Multiple signature algorithms can be configured. To use more than
                                one signature algorithm, use colon “:” to separate each other.
ssl settings curves <curve_name>
This command is used to set the elliptic curve that will be used in the ServerKeyExchange
message generated during SSL handshake for the current virtual site. This command takes effect
for only the negotiation of ECDHE cipher suites.
If the elliptic curve field in the ClientHello message matches multiple configured elliptic curves,
the first one configured in this command will be used. If the elliptic curve field in the ClientHello
message does not match any configured elliptic curve, the SSL handshake will fail.
If this command is not configured, the default elliptic curves are
“secp256r1:secp384r1:secp521r1”.
curve_name                      This parameter specifies the name of the elliptic curve that will be
                                used in the ServerKeyExchange message generated during SSL
                                 handshake. Its value must be “secp256r1”, “secp384r1” and
                                 “secp521r1”. Multiple elliptic curves can be configured. To use
                                 more than one elliptic curve, use colon “:” to separate each other.
ssl settings clientcert signalgo <signature_algorithm>
This command is used to set the signature algorithm that will be used in the CertificateRequest
message generated during SSL handshake for the current virtual site.
For TLSv1.2, the signature algorithm field in the CertificateRequest message contains all
configured signature algorithms. For SSL versions lower than TLSv1.2, the configured
signature algorithms must include sha1RSA or sha1ECDSA; otherwise, the SSL handshake will
fail.
If this command is not configured, the default signature algorithms are
“sha256ECDSA:sha256RSA:sha384ECDSA:sha384RSA:sha512ECDSA:sha512RSA:sha224ECDSA:sha224RSA:sha1ECDSA:sha1RSA”.
signature_algorithm              This parameter specifies the signature algorithm that will be used in
                                 the CertificateRequest message generated during SSL handshake.
                                 Its value must be “sha256ECDSA”, “sha256RSA”,
                                 “sha384ECDSA”, “sha384RSA”, “sha512ECDSA”,
                                 “sha512RSA”, “sha224ECDSA”, “sha224RSA”, “sha1ECDSA”
                                 or “sha1RSA”. Multiple signature algorithms can be configured.
                                 To use more than one signature algorithm, use colon “:” to separate
                                 the entries.
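The three commands above share one selection rule (the first configured entry that the client also offers is used, otherwise the handshake fails) plus two version-specific exceptions. The Python below is an added example, not ArrayOS code, that models those rules with the handbook's names and defaults so an administrator can predict what a given configuration negotiates before enabling it. The HandshakeFailure exception, the function names and the value reported for pre-TLSv1.2 versions are assumptions of the example.

```python
# Added example (not ArrayOS code): a model of the selection rules this
# handbook states for "ssl settings signalgo", "ssl settings curves" and
# "ssl settings clientcert signalgo".  Names and defaults are the handbook's;
# the functions and the HandshakeFailure exception are this example's own.

SIGNALGO_DEFAULT = ("sha256ECDSA:sha256RSA:sha384ECDSA:sha384RSA:sha512ECDSA:"
                    "sha512RSA:sha224ECDSA:sha224RSA:sha1ECDSA:sha1RSA")
CURVES_DEFAULT = "secp256r1:secp384r1:secp521r1"
SUPPORTED_SIGNALGOS = frozenset(SIGNALGO_DEFAULT.split(":"))
SUPPORTED_CURVES = frozenset(CURVES_DEFAULT.split(":"))


class HandshakeFailure(Exception):
    """Raised where the handbook says the SSL handshake will fail."""


def parse_config(value, supported):
    """Split a colon-separated value and reject names outside the supported set."""
    items = value.split(":")
    bad = [i for i in items if i not in supported]
    if bad:
        raise ValueError("unsupported value(s): %s" % ", ".join(bad))
    return items


def select_server_preference(configured, client_offered):
    """First configured entry the client also offers; None means no match."""
    offered = set(client_offered)
    for item in configured:
        if item in offered:
            return item
    return None


def negotiate_server_key_exchange(protocol, cipher_suite, signalgo_value,
                                  curves_value, client_sigalgs, client_curves):
    """Pick the (signature algorithm, curve) for the ServerKeyExchange message.

    Returns None for non-ECDHE suites, where neither setting applies.  The curve
    selection applies to every protocol version; the signature-algorithm
    selection only applies to TLSv12.  For older versions this example reports
    the algorithm as None (assumption: the protocol's fixed legacy hash is used).
    """
    if not cipher_suite.startswith("ECDHE-"):
        return None
    curve = select_server_preference(parse_config(curves_value, SUPPORTED_CURVES),
                                     client_curves)
    if curve is None:
        raise HandshakeFailure("no configured elliptic curve offered by client")
    sigalg = None
    if protocol == "TLSv12":
        sigalg = select_server_preference(
            parse_config(signalgo_value, SUPPORTED_SIGNALGOS), client_sigalgs)
        if sigalg is None:
            raise HandshakeFailure("no configured signature algorithm offered by client")
    return sigalg, curve


def certificate_request_sigalgs(protocol, clientcert_signalgo_value):
    """Signature algorithms advertised in CertificateRequest for client auth.

    TLSv12 carries the whole configured list.  Lower versions have no such
    field and require sha1RSA or sha1ECDSA to be configured, otherwise the
    handshake fails; this example returns the SHA-1 entries that are present.
    """
    configured = parse_config(clientcert_signalgo_value, SUPPORTED_SIGNALGOS)
    if protocol == "TLSv12":
        return configured
    sha1 = [a for a in configured if a in ("sha1RSA", "sha1ECDSA")]
    if not sha1:
        raise HandshakeFailure("pre-TLSv12 client auth needs sha1RSA or sha1ECDSA")
    return sha1


def without_sha1(value):
    """Hardened variant of a signalgo value with the sha1* entries removed.

    Only appropriate when the virtual site is TLSv12-only: with TLSv1/SSLv3
    client authentication the SHA-1 entries are mandatory (see above).
    """
    kept = [a for a in parse_config(value, SUPPORTED_SIGNALGOS)
            if not a.startswith("sha1")]
    if not kept:
        raise ValueError("no signature algorithm left")
    return ":".join(kept)


if __name__ == "__main__":
    # Constructed ClientHello contents: the client prefers sha256RSA, but the
    # server-side order "sha384RSA:sha256RSA" wins, as the handbook describes.
    print(negotiate_server_key_exchange(
        "TLSv12", "ECDHE-RSA-AES128-GCM-SHA256", "sha384RSA:sha256RSA",
        CURVES_DEFAULT, ["sha256RSA", "sha384RSA"], ["secp521r1", "secp256r1"]))
    print(without_sha1(SIGNALGO_DEFAULT))
```

The default lists end with sha1ECDSA and sha1RSA; without_sha1() shows the value to configure instead once no pre-TLSv1.2 client authentication remains, since a SHA-1 signature in ServerKeyExchange is otherwise still negotiable with any client that offers it.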
ssl settings clientauth [subject_filter]
This command is used to enable the client authentication feature. If the host is an SSL virtual site,
all SSL clients connecting to this virtual site must present a client certificate in order to proceed
with communication. If the host is an SSL real host, it will present a certificate to the server when
requested for further communication.
In addition to basic client certificate validation, the SSL virtual site can also perform pattern
matching of the certificate “Subject” field against a set of configured filter rules. If no match is
found, client access will be denied.
subject_filter                   Optional. This parameter specifies one or more certificate filter
                                 rules. Its value must be enclosed in double quotes with each rule
                                 separated by “/” (e.g., “/C=US/ST=CA”). If more than one rule is
                                 specified, rules will be enforced with an “AND” relationship (all
                                 rules must be matched). If this parameter is not specified, the
                                 system will not perform filtering on the “Subject” fields.
The filter rules can be configured with any of the RDNs (Relative Distinguished Name) supported
by the AG appliances, including:
       RDN                           Standard Name                                 OID
         C            Country Name                                    2.5.4.6
        ST            State or Province Name                          2.5.4.8
         L            Locality Name                                   2.5.4.7
        O             Organization Name                               2.5.4.10
       OU             Organizational Unit Name                        2.5.4.11
        CN            Common Name                                     2.5.4.3
        SN            Serial Number                                   2.5.4.5
   dnQualifier        DN Qualifier                                    2.5.4.46
   Pseudonym          Pseudonym                                       2.5.4.65
       Title          Title                                           2.5.4.12
       GQ             Generation Qualifier                            2.5.4.44
      Initials        Initials                                        2.5.4.43
      Name            Name                                            2.5.4.41
   givenName          Given Name                                      2.5.4.42
     Surname          Surname                                         2.5.4.4
        DC            Domain Component                                0.9.2342.19200300.100.1.25
  emailAddress        Email Address                                   1.2.840.113549.1.9.1
{OID expression}      OID information, for example: 1.2.3.4
For example:
AN(config)#ssl settings clientauth
"/C=US/O=Array/OU=QA/emailAddress=admin@arraynetworks.com"
In this example, all client certificates with the country name of “US”, organization name of
“Array”, organizational unit name of “QA” and email address of “admin@arraynetworks.com” in
the certificate “Subject" field will pass the subject filter.
AN(config)#ssl settings clientauth "/2.5.4.6=JP"
In this example, the OID “2.5.4.6” represents “Country Name”. All client certificates with the
OID “2.5.4.6” of “JP” in the certificate “Subject” field will pass the subject filter.
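The two examples above show the filter syntax; what they do not show is how a rule string is taken apart and compared with a Subject that may carry the same RDN more than once. The Python below is an added example, not ArrayOS code: it parses the subject_filter value, maps RDN short names to OIDs with the table above, and applies the AND rule the text describes. The representation of a Subject as a list of (oid, value) pairs and the exact, case-sensitive value comparison are this example's assumptions about the appliance's behaviour.

```python
import re

# Added example (not ArrayOS code): parse the subject_filter value of
# "ssl settings clientauth" and apply it, with the AND semantics the handbook
# describes, to a certificate Subject.  The RDN-to-OID table is the handbook's;
# the (oid, value) subject representation and exact, case-sensitive matching
# are this example's assumptions.

RDN_OIDS = {
    "C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
    "OU": "2.5.4.11", "CN": "2.5.4.3", "SN": "2.5.4.5",
    "dnQualifier": "2.5.4.46", "Pseudonym": "2.5.4.65", "Title": "2.5.4.12",
    "GQ": "2.5.4.44", "Initials": "2.5.4.43", "Name": "2.5.4.41",
    "givenName": "2.5.4.42", "Surname": "2.5.4.4",
    "DC": "0.9.2342.19200300.100.1.25", "emailAddress": "1.2.840.113549.1.9.1",
}
OID_RE = re.compile(r"^\d+(\.\d+)+$")


def parse_subject_filter(rule_string):
    """Turn '/C=US/O=Array/emailAddress=a@b' or '/2.5.4.6=JP' into [(oid, value), ...].

    Every rule is name=value; the name is an RDN short name from the table or a
    dotted OID.  Because '/' is the rule separator, a value cannot contain '/'.
    """
    if not rule_string.startswith("/") or len(rule_string) < 2:
        raise ValueError("filter must be '/name=value[/name=value...]'")
    rules = []
    for part in rule_string[1:].split("/"):
        if "=" not in part:
            raise ValueError("rule %r is not name=value" % part)
        name, value = part.split("=", 1)
        if name in RDN_OIDS:
            oid = RDN_OIDS[name]
        elif OID_RE.match(name):
            oid = name
        else:
            raise ValueError("unknown RDN %r" % name)
        if value == "":
            raise ValueError("empty value for %r" % name)
        rules.append((oid, value))
    return rules


def subject_matches(subject, rules):
    """AND semantics: every (oid, value) rule must be present in the subject.

    `subject` is the certificate Subject as a list of (oid, value) pairs; an RDN
    that occurs several times (two OU entries, say) matches if any occurrence
    equals the rule's value.  An empty rule list means no filtering.
    """
    present = set(subject)
    return all(rule in present for rule in rules)


# Constructed sample Subject: C=US, O=Array, OU=QA, OU=Dev, CN=alice, emailAddress=...
SAMPLE_SUBJECT = [
    ("2.5.4.6", "US"), ("2.5.4.10", "Array"), ("2.5.4.11", "QA"),
    ("2.5.4.11", "Dev"), ("2.5.4.3", "alice"),
    ("1.2.840.113549.1.9.1", "admin@arraynetworks.com"),
]

if __name__ == "__main__":
    rules = parse_subject_filter("/C=US/O=Array/OU=QA/emailAddress=admin@arraynetworks.com")
    print(subject_matches(SAMPLE_SUBJECT, rules))                                    # True
    print(subject_matches(SAMPLE_SUBJECT, parse_subject_filter("/C=US/OU=Sales")))  # False
```

A real Subject can be brought into this shape with the cryptography package as [(a.oid.dotted_string, a.value) for a in cert.subject]. Note that a filter only narrows which validly issued certificates are accepted; it does not replace chain validation and revocation checking, and a rule on CN alone is weak if the CA issues certificates for names it does not control.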
no ssl settings clientauth
This command is used to disable the client authentication feature.
ssl settings ocsp <ocsp_server>
This command is used to configure the OCSP server and enable the OCSP server online check.
After this command is executed, the AG appliance will first attempt to validate client certificates
online through the OCSP server specified in the client certificate. If this validation fails, the AG
appliance will then attempt to validate the client certificate online through the OCSP server
configured by this command.
ocsp_server                     This parameter specifies the IP address of the OCSP server. Its
                                value must be an IPv4 address.
          Note: If both the OCSP server and CRL check are configured, only the OCSP server will
          be used to validate the certificate.
no ssl settings ocsp
This command is used to disable the OCSP server online check.
ssl import crlca [tftp_ip] [file_name]
This command is used to import a CRL CA certificate for the current virtual site.
When the AG appliance attempts to validate client certificates using the CRL (Certificate
Revocation List) issued by a CA, the CRL CA certificate is needed to verify the signature on the
CRL files.
The administrator can execute this command and copy-n-paste the CRL CA certificate of PEM
format directly into the CLI. The system also supports importing CRL CA certificate of PEM and
DER formats from a remote TFTP server.
tftp_ip                         Optional. This parameter specifies the IP address of the remote
                                TFTP server, which is required only when the CRL CA certificate is
                                imported via TFTP. Its value must be an IPv4 address.
file_name                       Optional. This parameter specifies the file name of the CRL CA
                                certificate on the remote TFTP server, which is required only when
                                the CRL CA certificate is imported via TFTP. Its value must be a
                                string of 1 to 256 characters, and defaults to “<host_name>.crt”.
no ssl crlca [certificate_number]
This command is used to delete an imported CRL CA certificate from the current virtual site.
certificate_number              Optional. This parameter specifies the serial number of the CRL CA
                                certificate to be deleted. Administrators can find the serial number
                                of the certificate via the “show ssl crlca” command. If this
                                parameter is not specified, all the CRL CA certificates will be
                                deleted.
show ssl crlca [display_mode]
This command is used to display the CRL CA certificate imported for the current virtual site.
display_mode                    Optional. This parameter specifies the display mode of certificate.
                                Its value must be:
                                •   complete: indicates that all the information of the certificate
                                    will be displayed.
                                •   simple: indicates that only Issuer, Validity and Subject of the
                                    certificate will be displayed.
                                The default value is “complete”.
ssl settings crl online
This command is used to enable the CRL online check.
After this command is executed, the AG appliance will attempt to validate the certificate using the
CRL downloaded from the CDP (CRL Distribution Point) specified in the client certificate. This
command will take effect only when the client authentication feature is enabled.
        Note: This command cannot be used together with the “ssl settings crl offline” command.
no ssl settings crl online
This command is used to disable the CRL online check.
ssl settings crl offline <cdp_name> <crl_distribution_point> [time_interval]
[delay_time]
This command is used to enable the CRL offline check.
After this command is executed, the AG appliance will attempt to validate the certificate using the
CRL downloaded from the configured CDP at the desired time interval. HTTP, FTP and LDAP
are the supported protocols for fetching the CRL files. For each virtual site, the administrator can
configure up to ten CDPs. This command will only take effect when the client authentication
feature is enabled.
cdp_name                       This parameter specifies the name of the CDP. Its value must be a
                               string of 1 to 32 characters. Only 0-9, a-z, A-Z and underscore “_”
                               are supported.
crl_distribution_point         This parameter specifies the URL address of the CDP. Its value
                               must be a string of 1 to 512 characters.
time_interval                  Optional. This parameter specifies the time interval between CRL
                               file downloads in minutes. Its value must be an integer ranging
                               from 1 to 65,535, and defaults to 1440.
delay_time                     Optional. This parameter specifies the delay time of the CRL file
                               expiration in minutes. Its value must be an integer ranging from 0 to
                               65,535, and defaults to 0.
                               •   When it is larger than 0, the AG appliance will check for
                                   expiration after downloading the CRL file. If the current time
                                   is greater than the sum of the next update time (expiration
                                   time of this file) and delay time, the CRL file is expired and
                                   the AG appliance will refuse all SSL connections that need to
                                   authenticate the client certificate via the CRL. If the current
                                   time is less than or equal to the sum of the next update time
                                   and delay time, the CRL file is valid.
                               •   When it is equal to 0, the AG appliance will not check for
                                   expiration after downloading the CRL file, so a CRL that is
                                   past its next update time continues to be used.
        Note: Before executing this command, you must first import the CRL CA certificate via
        the “ssl import crlca” command.
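The parameters above carry several limits, and the delay_time rule decides whether a stale CRL blocks every client-certificate connection or is silently trusted. The Python below is an added example, not ArrayOS code: it checks a CDP definition against the documented limits, applies the delay_time expiry rule to a constructed CRL date, and lists the order in which revocation sources are consulted as the OCSP and CRL notes in this chapter describe. Limits and defaults are the handbook's; the function names, return strings and sample dates are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Added example (not ArrayOS code): the limits and the expiry rule the
# handbook states for "ssl settings crl offline", and the order of revocation
# sources implied by the OCSP and CRL notes.  Limits and defaults are the
# handbook's; function names, return values and the sample dates are this
# example's own.

CDP_NAME_RE = re.compile(r"^[0-9A-Za-z_]{1,32}$")
CDP_SCHEMES = ("http", "ftp", "ldap")

# Constructed sample: a CRL whose nextUpdate is 2018-06-01 12:00 UTC.
SAMPLE_NEXT_UPDATE = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)


def minutes_later(base, minutes):
    """Shift a datetime by a number of minutes (may be negative)."""
    return base + timedelta(minutes=minutes)


def validate_cdp(cdp_name, crl_distribution_point, time_interval=1440, delay_time=0):
    """Check one CDP definition against the documented limits; return it normalised."""
    if not CDP_NAME_RE.match(cdp_name):
        raise ValueError("cdp_name must be 1-32 characters of 0-9, a-z, A-Z, _")
    if not 1 <= len(crl_distribution_point) <= 512:
        raise ValueError("crl_distribution_point must be 1-512 characters")
    if urlsplit(crl_distribution_point).scheme.lower() not in CDP_SCHEMES:
        raise ValueError("CDP URL must use http, ftp or ldap")
    if not 1 <= time_interval <= 65535:
        raise ValueError("time_interval must be 1-65535 minutes")
    if not 0 <= delay_time <= 65535:
        raise ValueError("delay_time must be 0-65535 minutes")
    return {"name": cdp_name, "url": crl_distribution_point,
            "interval": time_interval, "delay": delay_time}


def crl_usable(now, next_update, delay_time):
    """delay_time == 0: the CRL is never treated as expired (stale data is used).
    delay_time > 0: expired once now is later than next_update + delay_time minutes."""
    if delay_time == 0:
        return True
    return now <= minutes_later(next_update, delay_time)


def check_client_cert(now, next_update, delay_time, serial, revoked_serials):
    """Outcome for a client certificate checked against an offline CRL."""
    if not crl_usable(now, next_update, delay_time):
        return "reject: CRL expired, all CRL-authenticated connections refused"
    if serial in revoked_serials:
        return "reject: certificate revoked"
    return "accept"


def revocation_sources(ocsp_server=None, crl_online=False, offline_cdps=()):
    """Ordered list of where the appliance looks, following the handbook's notes:
    an OCSP server wins over any CRL setting (the responder named in the
    certificate first, then the configured one); CRL online and offline checks
    cannot be combined."""
    if crl_online and offline_cdps:
        raise ValueError("'crl online' and 'crl offline' cannot be used together")
    if ocsp_server:
        return ["ocsp:in-certificate", "ocsp:%s" % ocsp_server]
    if crl_online:
        return ["crl:in-certificate-CDP"]
    return ["crl:%s" % cdp["name"] for cdp in offline_cdps]


if __name__ == "__main__":
    cdp = validate_cdp("corp_ca", "http://crl.example.test/ca.crl", delay_time=120)
    # 121 minutes after nextUpdate with a 120-minute delay: every CRL-checked
    # connection is refused until a fresh CRL is downloaded.
    print(check_client_cert(minutes_later(SAMPLE_NEXT_UPDATE, 121), SAMPLE_NEXT_UPDATE,
                            cdp["delay"], 0x1001, {0x1001}))
    print(revocation_sources(offline_cdps=[cdp]))
```

Choose time_interval well below the CA's CRL lifetime and a non-zero delay_time: with the default of 0 an unreachable CDP means the last downloaded CRL keeps being used indefinitely, while a non-zero delay fails closed once the CRL is stale.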
no ssl settings crl offline [cdp_name]
This command is used to disable the CRL offline check.
cdp_name                      Optional. This parameter specifies the name of the CDP. Its value
                              must be:
                              •   the CDP name: indicates that CRL files will not be
                                  downloaded from the specified CDP.
                              •   ALL: indicates that the CRL files will not be downloaded from
                                  any CDP.
                              The default value is “ALL”.
show ssl crlstatus [cdp_name]
This command is used to display the information of CRL files downloaded from the specified
CDP.
cdp_name                      Optional. This parameter specifies the name of the CDP. Its value
                              must be:
                              •   the CDP name: indicates that the system will display the CRL
                                  files downloaded from the specified CDP.
                              •   ALL: indicates that the system will display the CRL files
                                  downloaded from all CDPs.
                              The default value is “ALL”.
ssl settings authmandatory
This command is used to enable the client mandatory authentication mode. By default, the client
mandatory authentication mode is enabled.
no ssl settings authmandatory
This command is used to disable the client mandatory authentication mode.
ssl settings acceptchain
This command is used to enable the accept certificate chain function. Once enabled, the SSL
virtual site will utilize the certificate chain sent by the peer during an SSL handshake to verify that
peer’s certificate. The SSL virtual site will try to use the certificate chain from peer to form the
certificate chain until it finds one CA certificate in its own trust CA list. This command will only
take effect when client authentication is enabled.
no ssl settings acceptchain
This command is used to disable the accept certificate chain function.
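The accept-chain description above is a path-building rule: walk upwards from the client certificate through the intermediates the peer supplied until an issuer is found in the site's own trust list. The Python below is an added example, not ArrayOS code, that models that walk on reduced certificate records so the two behaviours (enabled and disabled) can be compared. Certificates are (subject, issuer, is_ca) tuples and each link is matched by name only, an assumption of the example; a real implementation must also verify every signature and the CA constraints on each intermediate.

```python
from collections import namedtuple

# Added example (not ArrayOS code): the path-building behaviour described for
# "ssl settings acceptchain".  Certificates are reduced to (subject, issuer,
# is_ca) tuples and the signature check on each link is represented by a name
# comparison only; a real implementation must verify every signature and the
# CA constraints as well.

Cert = namedtuple("Cert", "subject issuer is_ca")
MAX_DEPTH = 8  # assumption: bound on path length so a malicious chain cannot loop


def build_path(leaf, peer_chain, trusted_cas, accept_chain):
    """Return the path [leaf, ..., trusted CA] or None if no trusted path exists.

    With accept_chain disabled, the leaf's issuer must itself be in the
    appliance's trust list.  With it enabled, intermediates supplied by the
    peer are used to walk upwards, but the walk only succeeds when it reaches
    a certificate in trusted_cas: peer-supplied certificates are a hint, never
    a source of trust.
    """
    trusted_by_subject = {ca.subject: ca for ca in trusted_cas}
    peer_by_subject = {c.subject: c for c in peer_chain if c.is_ca}
    path = [leaf]
    current = leaf
    for _ in range(MAX_DEPTH):
        ca = trusted_by_subject.get(current.issuer)
        if ca is not None:
            return path + [ca]
        if not accept_chain:
            return None
        nxt = peer_by_subject.get(current.issuer)
        if nxt is None or nxt in path or nxt.subject == nxt.issuer:
            # unknown issuer, a loop, or an untrusted self-signed "root": give up
            return None
        path.append(nxt)
        current = nxt
    return None


if __name__ == "__main__":
    # Constructed PKI: leaf issued by an intermediate, intermediate by the trusted root.
    root = Cert("Root CA", "Root CA", True)
    inter = Cert("Int CA", "Root CA", True)
    leaf = Cert("alice", "Int CA", False)
    print(build_path(leaf, [inter], [root], accept_chain=True))   # full path to root
    print(build_path(leaf, [inter], [root], accept_chain=False))  # None: issuer not trusted
```

The second call shows why the command exists: without accept-chain, a client whose certificate is issued by an intermediate is rejected unless that intermediate is in the site's trust list, so enabling accept-chain lets the client supply it. The function also shows the limit: a peer-supplied intermediate with a familiar name but an untrusted root still yields None.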
ssl settings minimum <cipher_strength> <redirect_url>
This command is used to specify the minimum encryption strength of the client. If any client
connecting to this virtual site does not support the encryption strength specified by the
“cipher_strength” parameter, it will be redirected to the URL specified by the “redirect_url”
parameter. This command should only be used with SSL virtual sites doing HTTPS.
cipher_strength                  This parameter specifies the minimum encryption strength in bits.
                                 Its value must be 40, 56, 128, 168, 256 or 512.
redirect_url                     This parameter specifies the HTTP or HTTPS URL address to
                                 redirect to. Its value must be a string of 1 to 512 characters.
no ssl settings minimum
This command is used to disable the minimum encryption strength requirement.
ssl settings renegotiation
This command is used to enable the SSL renegotiation function for the current virtual site. By
default, the SSL renegotiation function is disabled for the virtual site.
        Note: The SM2v1.1 protocol does not support the SSL renegotiation function.
no ssl settings renegotiation
This command is used to disable the SSL renegotiation function for the current virtual site.
ssl settings reuse
This command is used to enable the SSL session reuse function. By default, the SSL session reuse
function is enabled.
no ssl settings reuse
This command is used to disable the SSL session reuse function.
show ssl settings
This command is used to display the SSL settings for the current virtual site.
ssl globals sendclosenotify {on|off}
This global command is used to enable or disable the function of sending SSL close notification.
By default, this function is enabled.
ssl globals ignoreclosenotify {on|off}
This global command is used to enable or disable the function of the AG appliance ignoring the
SSL close notification sent from the client. It applies to all configured SSL virtual sites. By default,
this function is enabled.
    •   If this function is enabled, the AG appliance will ignore SSL close notify errors when a client
        does not terminate an SSL connection correctly (or terminates an SSL connection without
        sending the Close Notify Alert). Consequently, the AG appliance will continue to reuse the
        associated SSL sessions.
    •   If this function is disabled, the AG appliance will require the connection to be closed with the
        Close Notify Alert. In this case, if a client does not send the Close Notify Alert before closing
        a connection then the associated SSL session will be marked as invalid and flushed.
ssl globals verifycert {on|off}
This global command is used to enable or disable the server certificate verification function. This
function is needed when the AG appliance needs to verify the certificates sent by the backend
servers. After this function is enabled, trusted root CA certificates should be imported under the
global scope. By default, this function is disabled.
ssl globals renegotiation {on|off}
This global command is used to enable or disable the SSL renegotiation function globally. By
default, this function is disabled globally.
        Note: When any virtual site uses certificate authentication, the SSL renegotiation
        function needs to be enabled globally.
ssl globals fastcrl {on|off}
This global command is used to enable or disable CRL memory. When enabled, the CRL files on
disk will be loaded into memory immediately. By default, this function is disabled.
ssl globals sessiontimeout <timeout>
This global command is used to set the SSL session cache timeout value.
timeout                          This parameter specifies the timeout value in seconds. Its value
                                 must be an integer ranging from 60 to 86,400.
show ssl globals
This global command is used to display SSL global settings.
ssl start
This command is used to enable SSL service for a specific host. All services associated with this
specified SSL virtual site will be affected. The AG appliance will check the certificate chain for
the SSL virtual site when starting the virtual site. A warning message, stating that the certificate
chain is incomplete will be displayed if the certificate chain cannot be formed using the
intermediate CA file and global trusted CA file.
          Note: SSL virtual site settings cannot be changed while SSL is enabled. To make
          changes, SSL must first be disabled (see the “ssl stop” command below).
ssl stop
This command is used to disable the SSL service for a specific host. It will not remove the
associated information such as key and certificate data.
clear ssl
This command is used to clear the SSL configurations, including the key and certificate pair. If
this command is executed, there is no way to retrieve the key even if there is a copy of the CSR.
To reconfigure SSL for this virtual site, a new key and a replacement certificate will need to be
created.
          Note: Executing this command affects all services associated with this specified SSL
          virtual site.
show statistics ssl
This command is used to display all the SSL statistics for the current virtual site.
clear statistics ssl
This command is used to clear all SSL statistics for the current virtual site.
SM2
ssl globals sm2 {on|off}
This global command is used to enable or disable the SM2 function. By default, this function is
disabled.
ssl sm2 csr [curve_name] [csr_format]
This command is used to generate an SM2 CSR and an SM2 signature key pair for the current
virtual site. Please enable the SM2 function first before executing this command. After this
command is executed, the administrator will be led through a series of prompts so that the system
can gather the required information to generate the CSR. The administrator can choose to set the
private key as exportable and set the passphrase for the private key to protect it. In addition, this
command also generates a “test” signature certificate for the virtual site.
Please refer to the “ssl csr” command for the requested data and other details displayed after this
command is executed.
curve_name                      Optional. This parameter specifies the curve name used by the SM2
                                algorithm. Its value must only be “sm2”. The default value is
                                “sm2”.
csr_format                      Optional. This parameter specifies the CSR format. Its value must
                                be “SCCA” or “CFCA”. The default value is “SCCA”.
ssl sm2 import enckey [key_index] [tftp_ip] [file_name]
This command is used to import an SM2 encryption key for the current virtual site. The
administrator can import three private keys at most.
The administrator can execute this command and copy-n-paste the private key directly into the
CLI. The system also supports importing private keys from a remote TFTP server.
key_index                       Optional. This parameter specifies the index to be associated with
                                the imported SM2 encryption key. Its value must be 1, 2 or 3. The
                                default value is 1.
tftp_ip                         Optional. This parameter specifies the IP address of the remote
                                TFTP server. This parameter needs to be specified when you want
                                to import the SM2 encryption key from a remote TFTP server. Its
                                value must be an IPv4 address.
file_name                       Optional. This parameter specifies the file name of the SM2
                                encryption key on the remote TFTP server. This parameter needs to
                                be specified when you want to import the SM2 encryption key from
                                a remote TFTP server. Its value must be a string of 1 to 256
                                characters. The default value is “<host_name>.key”.
ssl sm2 export enckey [key_index]
This command is used to export an SM2 encryption key. After this command is executed, the
specified key will be displayed.
key_index                       Optional. This parameter specifies the index of the imported SM2
                                encryption key to be exported. Its value must be 1, 2 or 3. If this
                                parameter is not specified, the active key will be displayed.
ssl sm2 import encevp [key_index] [digital_envelope_format] [tftp_ip]
[file_name]
This command is used to import an SM2 digital envelope returned by CA for the current virtual
site. Before importing the SM2 digital envelope of the SCCA format, please import the
corresponding SM2 signature key first using the “ssl sm2 import signkey” command.
The administrator can execute this command and copy-n-paste the SM2 digital envelope directly
into the CLI. The system also supports importing SM2 digital envelopes from a remote TFTP server.
key_index                       Optional. This parameter specifies the index to be associated with
                                the imported SM2 encryption key. Its value must be 1, 2 or 3. The
                                default value is 1.
digital_envelope_format         Optional. This parameter specifies the format of the SM2 digital
                                envelope obtained from the trusted CA. Its value must be “SCCA”
                                or “CFCA”. The default value is “SCCA”.
tftp_ip                         Optional. This parameter specifies the IP address of the remote
                                TFTP server. This parameter needs to be specified when you want
                                to import the SM2 digital envelope from a remote TFTP server. Its
                                value must be an IPv4 address.
file_name                       Optional. This parameter specifies the file name of the SM2 digital
                                envelope on the remote TFTP server. This parameter needs to be
                                specified when you want to import the SM2 digital envelope from a
                                remote TFTP server. Its value must be a string of 1 to 256
                                characters. The default value is “<host_name>.evp”.
ssl sm2 import enccertificate [cert_index] [tftp_ip] [file_name]
This command is used to import an SM2 encryption certificate for the current virtual site. The
administrator can import three certificates at most. The imported certificate can be activated by the
command “ssl activate certificate [cert_index]”.
The administrator can execute this command and copy-n-paste the PEM format certificate directly
into the CLI. The system also supports importing PEM, DER and PFX formats as well as the
certificates used by IIS 4, IIS 5 and Netscape iPlanet servers from a remote TFTP server.
cert_index                      Optional. This parameter specifies the index to be associated with
                                the imported SM2 encryption certificate. Its value must be 1, 2 or 3.
                               The default value is 1.
tftp_ip                        Optional. This parameter specifies the IP address of the remote
                               TFTP server. This parameter needs to be specified when you want
                               to import the SM2 encryption certificate from a remote TFTP
                               server. Its value must be an IPv4 address.
file_name                      Optional. This parameter specifies the file name of the SM2
                               encryption certificate on the remote TFTP server. This parameter
                               needs to be specified when you want to import the SM2 encryption
                               certificate from a remote TFTP server. Its value must be a string of
                               1 to 256 characters. The default value is “<host_name>.crt”.
no ssl sm2 enccertificate [cert_index]
This command is used to delete an imported SM2 encryption certificate. The corresponding SM2
encryption key pair will also be deleted.
ssl sm2 import signkey [key_index] [tftp_ip] [file_name]
This command is used to import an SM2 signature key for the current virtual site. The
administrator can import three private keys at most.
The administrator can execute this command and copy and paste the private key directly into the
CLI. The system also supports importing private keys from a remote TFTP server.
key_index                      Optional. This parameter specifies the index to be associated with
                               the imported SM2 signature key. Its value must be 1, 2 or 3. The
                               default value is 1.
tftp_ip                        Optional. This parameter specifies the IP address of the remote
                               TFTP server. This parameter needs to be specified when you want
                               to import the SM2 signature key from a remote TFTP server. Its
                               value must be an IPv4 address.
file_name                      Optional. This parameter specifies the file name of the SM2
                               signature key on the remote TFTP server. This parameter needs to
                               be specified when you want to import the SM2 signature key from a
                               remote TFTP server. Its value must be a string of 1 to 256
                               characters. The default value is “<host_name>.key”.
ssl sm2 export signkey [key_index]
This command is used to export an SM2 signature key. After this command is executed, the
specified key will be displayed.
key_index                       Optional. This parameter specifies the index of the imported SM2
                                signature key to be exported. Its value must be 1, 2 or 3. If this
                                parameter is not specified, the active key will be displayed.
ssl sm2 import signcertificate [cert_index] [tftp_ip] [file_name]
This command is used to import an SM2 signature certificate for the current virtual site. The
administrator can import three certificates at most. The imported certificate can be activated by the
command “ssl activate certificate [cert_index]”.
The administrator can execute this command and copy and paste the PEM format certificate directly
into the CLI. The system also supports importing PEM, DER and PFX formats as well as the
certificates used by IIS 4, IIS 5 and Netscape iPlanet servers from a remote TFTP server.
cert_index                      Optional. This parameter specifies the index to be associated with
                                the imported SM2 signature certificate. Its value must be 1, 2 or 3.
                                The default value is 1.
tftp_ip                         Optional. This parameter specifies the IP address of the remote
                                TFTP server. This parameter needs to be specified when you want
                                to import the SM2 signature certificate from a remote TFTP server.
                                Its value must be an IPv4 address.
file_name                       Optional. This parameter specifies the file name of the SM2
                                signature certificate on the remote TFTP server. This parameter
                                needs to be specified when you want to import the SM2 signature
                                certificate from a remote TFTP server. Its value must be a string of
                                1 to 256 characters. The default value is “<host_name>.crt”.
no ssl sm2 signcertificate [cert_index]
This command is used to delete an imported SM2 signature certificate. The corresponding SM2
signature key pair will also be deleted.
Chapter 4 AAA
The AAA module provides user authentication, authorization and accounting functions. The
commands in this chapter illustrate how to deploy this module.
General Settings
aaa {on|off}
This command is used to enable or disable the AAA function for the virtual site. When this
function is enabled, users will have to log in before gaining access to internal resources; when this
function is disabled, users will automatically pass authentication and obtain authorized resources
according to their assigned roles. Note that any roles depending on “Group Name” conditions will
no longer work. Roles depending on other conditions still work as before such as “Username” (all
users will be assigned the same “guest” username), AAA method, Source IP, and Login Time. By
default, this function is enabled.
show aaa configure
This command is used to display the AAA configurations of the virtual site.
clear aaa configure
This command is used to clear the AAA configurations of the virtual site.
    AAA Lockout
        Note:
            - If AAA lockout and LocalDB lockout are both configured, only the configurations of
              AAA lockout will take effect.
            - The AAA lockout function cannot take effect for the certificate authentication.
            - The configurations of AAA lockout cannot be synchronized to the peer HA units.
            - For the two-step SMS authentication, the AAA lockout function takes effect only for
              the static authentication, such as LocalDB and LDAP, and cannot take effect for the
              SMS verification code authentication.
            - For AAA servers with multiple AAA methods configured, the AAA lockout function
              takes effect for all AAA methods in the rank list.
            - With the system reboot, the recorded number of login failures of all AAA accounts
              will be cleared.
aaa lockout auto loginfailure [failure_times] [duration]
This command is used to enable automatic login-failure lockout for all AAA accounts. An AAA
account will be locked out after the number of login failures using this account reaches the
specified value of the parameter “failure_times”. By default, this function is disabled.
failure_times                  Optional. This parameter specifies the number of login failures for
                               locking out AAA accounts. Its value must be an integer ranging
                               from 1 to 65,535. The default value is 10.
duration                       Optional. This parameter specifies the duration of the lockout in
                               seconds. Its value must be an integer ranging from 0 to
                               4,294,967,295. The default value is 0, indicating that the AAA
                               account will remain locked out until being manually unlocked by
                               using the command “aaa lockout unlock”.
no aaa lockout auto loginfailure
This command is used to disable automatic login-failure lockout for all AAA accounts.
show aaa lockout auto loginfailure
This command is used to display the configuration of automatic login-failure lockout for all AAA
accounts.
aaa lockout manual <account_name> [duration]
This command is used to manually lock out a specified AAA account for a specific duration.
account_name                   This parameter specifies the name of the AAA account to be locked
                               out.
duration                       Optional. This parameter specifies the duration of the lockout in
                               seconds. Its value must be an integer ranging from 0 to
                               4,294,967,295. The default value is 0, indicating that the account
                               will be locked out until being manually unlocked by using the
                               command “aaa lockout unlock [account_name]”.
aaa lockout list [lockout_type] [account_name] [start] [count]
This command is used to display the currently locked AAA accounts.
lockout_type                   Optional. This parameter specifies the type of the locked AAA
                               accounts. Its value must be “auto”, “manual” or “all”. The default
                               value is “all”, indicating that all types of locked AAA accounts will
                               be displayed.
account_name                   Optional. This parameter specifies the name of the locked AAA
                               account. Its value must be a case-sensitive string of 1 to 64
                               characters.
                                   - If the parameter is specified, the specified locked AAA
                                     account will be displayed.
                                   - If the parameter is not specified, all locked AAA accounts will
                                     be displayed.
                               The default value is empty.
start                         Optional. This parameter specifies the position in the list of locked
                              AAA accounts from which the display starts. Its value must be an
                              integer ranging from 1 to 4,294,967,295 and the default value is 1.
count                         Optional. This parameter specifies the number of locked AAA
                              accounts to be displayed. Its value must be an integer ranging from
                              1 to 4,294,967,295. The default value is 0, indicating all locked
                              AAA accounts will be displayed.
aaa lockout unlock [account_name]
This command is used to unlock a previously locked AAA account.
account_name                  Optional. This parameter specifies the name of the AAA account to
                              be unlocked. The default value is empty, indicating all locked AAA
                              accounts will be unlocked.
show aaa lockout count
This command is used to display the statistics of locked AAA accounts.
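The commands above describe the lockout behaviour in prose; the following model, added here as an example and not Array Networks code, puts the same rules into a small state machine so an operator can reason about them before enabling the feature: an account is locked once its failure count reaches failure_times, a duration of 0 means locked until “aaa lockout unlock”, manual lockouts carry their own duration, an empty name on unlock releases every account, and a reboot clears the failure counters. The class and method names (AaaLockoutPolicy, record_failure, lock_manual, list_locked) are this example's own; the time handling (an explicit now argument) is an assumption chosen so the code runs offline without waiting.

```python
"""Added example: a model of AAA login-failure lockout as documented above.

Not Array Networks code. Names and the explicit time argument are this
example's assumptions. Constructed, offline, standard library only.
"""
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Lockout:
    kind: str                  # "auto" (loginfailure) or "manual"
    expires: Optional[float]   # None -> locked until manually unlocked (duration 0)


@dataclass
class AaaLockoutPolicy:
    failure_times: int = 10    # page default for "aaa lockout auto loginfailure"
    duration: int = 0          # seconds; page default 0 = until manual unlock
    enabled: bool = False      # page: "By default, this function is disabled."
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Dict[str, Lockout] = field(default_factory=dict)

    def _purge_expired(self, now: float) -> None:
        # Timed lockouts end on their own; the failure counter is reset with them
        # (assumption: a fresh start after a timed lockout, not stated on the page).
        for name, lk in list(self.locked.items()):
            if lk.expires is not None and now >= lk.expires:
                del self.locked[name]
                self.failures.pop(name, None)

    def is_locked(self, account: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        self._purge_expired(now)
        return account in self.locked

    def record_failure(self, account: str, now: Optional[float] = None) -> bool:
        """Called on a wrong credential. Returns True when the account is locked."""
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            return True
        if not self.enabled:
            return False
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.failure_times:
            expires = None if self.duration == 0 else now + self.duration
            self.locked[account] = Lockout("auto", expires)
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login resets the running failure count."""
        self.failures.pop(account, None)

    def lock_manual(self, account: str, duration: int = 0,
                    now: Optional[float] = None) -> None:
        """aaa lockout manual <account_name> [duration]"""
        now = time.time() if now is None else now
        self.locked[account] = Lockout("manual", None if duration == 0 else now + duration)

    def unlock(self, account: Optional[str] = None) -> None:
        """aaa lockout unlock [account_name]: an empty name unlocks all accounts."""
        targets = [account] if account else list(self.locked)
        for name in targets:
            self.locked.pop(name, None)
            self.failures.pop(name, None)

    def list_locked(self, lockout_type: str = "all",
                    now: Optional[float] = None) -> list:
        """aaa lockout list [lockout_type]: "auto", "manual" or "all"."""
        now = time.time() if now is None else now
        self._purge_expired(now)
        return sorted(n for n, lk in self.locked.items()
                      if lockout_type == "all" or lk.kind == lockout_type)

    def reboot(self) -> None:
        """Page: a system reboot clears the recorded login failures of all accounts."""
        self.failures.clear()


if __name__ == "__main__":
    policy = AaaLockoutPolicy(failure_times=3, duration=60, enabled=True)
    t0 = 1_000.0
    for _ in range(3):
        policy.record_failure("alice", now=t0)
    print("alice locked at t0+30:", policy.is_locked("alice", now=t0 + 30))
    print("alice locked at t0+60:", policy.is_locked("alice", now=t0 + 60))
```

The two defaults deserve a check before deployment: with duration 0 a locked account stays locked across the lockout window entirely, but a reboot clears only the failure counters, so a half-filled counter is forgotten while an existing lockout is not modelled as surviving; consult the page's note on HA synchronisation as well, since lockout state is per unit.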
Server
aaa server name <type> <server_name> [description]
This command is used to define an AAA server of a particular type.
type                          This parameter specifies the type of the AAA server. Its value must
                              only be:
                                  - localdb
                                  - ldap
                                  - radius
                                  - certificate
                                  - sms
                                  - smx
                                  - http
server_name                    This parameter specifies the name of the AAA server, which must
                               be unique among all servers in the same virtual site. Its value must
                               be a string of 1 to 32 characters.
                               For LocalDB, the server name must be the same as the virtual site
                               name. In addition, only one LocalDB server can be defined per
                               virtual site.
                               For SMX, the characters for the server name must only contain 0-9,
                               a-z, A-Z, and characters “_” and “-”.
description                    Optional. This parameter specifies the server description. Its value
                               must be a string of 1 to 127 characters. If it is not specified, the
                               default description will be the value of “server_name”.
        Note: Please ensure that the SSL renegotiation feature has been enabled both globally
        and for the virtual site under the following conditions:
             - Multiple AAA methods are configured and one of them uses the Certificate
               authentication (no matter the AAA method includes the Certificate authentication
               only or is multi-factor authentication including Certificate authentication)
             - The AAA rank function is disabled.
no aaa server name <server_name>
This command is used to delete a specified AAA server.
show aaa server name
This command is used to display all the configured AAA servers.
LocalDB
   LocalDB Server
aaa server localdb usernamecaseinsensitive
This command is used to set the username as case-insensitive during the LocalDB authentication.
        Note: Please delete LocalDB accounts with usernames different only in case sensitivity
        before this command is configured.
no aaa server localdb usernamecaseinsensitive
This command is used to set the username as case-sensitive during the LocalDB authentication.
aaa server localdb defaultgroup <default_group>
This command is used to define the default group assigned to authenticated users who do not
belong to any other LocalDB group.
default_group                 This parameter specifies the name of the default LocalDB group. Its
                              value must be a string of 1 to 80 characters.
no aaa server localdb defaultgroup
This command is used to delete the default LocalDB group configured for authenticated users who
do not belong to any other LocalDB group.
show aaa server localdb defaultgroup
This command is used to display the default LocalDB group configured for authenticated users
who do not belong to any other LocalDB group.
aaa server localdb authmode [mode]
This command is used to set the mode of the LocalDB authentication. If this command is not
configured, the LocalDB server uses only the static password for authentication.
mode                           Optional. This parameter specifies the mode of the LocalDB
                               authentication. Its value must be:
                                   - 0: indicates that users only need to input the static password to
                                     log into the virtual site.
                                   - 1: indicates that users only need to input the dynamic
                                     password (generated by the MotionProOTP application
                                     installed on the mobile phone) to log into the virtual site. For
                                     example, if the dynamic code is “768950”, users should input
                                     “768950” to log into the virtual site.
                                   - 2: indicates that users need to input both the static password
                                     and dynamic password to log into the virtual site. For example,
                                     if the static password is “a” and the dynamic code is “768950”,
                                     users should input “a768950” to log into the virtual site.
                               The default value is 0.
show aaa server localdb authmode
This command is used to display the mode of the LocalDB authentication.
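The three authmode values above differ only in how the submitted string is split and checked. The following verifier, added here as an example and not Array Networks or MotionProOTP code, shows that logic end to end. Assumptions: the MotionProOTP dynamic code is modelled as a standard 6-digit TOTP (RFC 6238, HMAC-SHA1, 30-second step), because the page does not state the app's algorithm; the static password is held in clear only to keep the example short; all names (totp, verify_localdb) are this example's own. For mode 2 the last six digits are taken as the dynamic code and everything before them as the static password, matching the page's “a” + “768950” = “a768950” example.

```python
"""Added example: verifying LocalDB authmode 0, 1 and 2 as described above.

Not Array Networks code. The dynamic code is modelled as RFC 6238 TOTP
(assumption); the static password is a plain string for brevity. Offline.
"""
import hashlib
import hmac
import struct

STEP = 30      # seconds per TOTP step (assumption)
DIGITS = 6     # the page's examples use six-digit dynamic codes


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _eq(a: str, b: str) -> bool:
    # Constant-time comparison; inputs are ASCII per the page's character rules.
    return hmac.compare_digest(a.encode(), b.encode())


def _otp_ok(code: str, secret: bytes, now: int, window: int = 1) -> bool:
    # Accept the current step plus `window` steps either side (clock drift).
    if len(code) != DIGITS or not code.isdigit():
        return False
    return any(_eq(totp(secret, now + k * STEP), code)
               for k in range(-window, window + 1))


def verify_localdb(mode: int, submitted: str, static_pw: str,
                   secret: bytes, now: int) -> bool:
    """Return True if `submitted` satisfies the configured authmode.

    mode 0: static password only.
    mode 1: dynamic code only.
    mode 2: static password immediately followed by the dynamic code.
    """
    if mode == 0:
        return _eq(submitted, static_pw)
    if mode == 1:
        return _otp_ok(submitted, secret, now)
    if mode == 2:
        # Shorter than one static character plus six digits cannot be valid.
        if len(submitted) < 1 + DIGITS:
            return False
        static_part, code = submitted[:-DIGITS], submitted[-DIGITS:]
        # Evaluate both factors so a failure does not reveal which one was wrong.
        pw_ok = _eq(static_part, static_pw)
        otp_ok = _otp_ok(code, secret, now)
        return pw_ok and otp_ok
    raise ValueError("mode must be 0, 1 or 2")


if __name__ == "__main__":
    # Constructed demo values: RFC 6238 test secret and a fixed time.
    secret = b"12345678901234567890"
    now = 1111111109
    code = totp(secret, now)
    print("mode 2 accepts static+code:", verify_localdb(2, "a" + code, "a", secret, now))
    print("mode 2 rejects code alone: ", verify_localdb(2, code, "a", secret, now))
```

Because mode 2 concatenates the two factors with no separator, the static password may itself end in digits; splitting on the trailing six characters still works because the code length is fixed, which is why the verifier splits by position rather than by character class.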
aaa server localdb dynamiccode rebind {enable|disable}
This command is used to enable or disable the dynamic code rebinding for LocalDB accounts.
With this function enabled, after logging into the MotionProOTP application in one mobile client,
the user can also log into the MotionProOTP application in another mobile client with the same
LocalDB account. The old registered credential of the user will be replaced by the new registered
credential. By default, this function is disabled.
      LocalDB Account
localdb account <account_name> <password> [phone] [mail] [nfs_group] [nfs_account] [custom_info1] [custom_info2] [custom_info3] [custom_info4] [custom_info5]
This command is used to create a new LocalDB account or update the existing LocalDB account.
If the administrator wants to use LocalDB authentication or the Site2Site VPN function, this
command must be configured. For the Site2Site VPN function, a LocalDB account should be
configured for each spoke to log into the virtual site.
account_name                   This parameter specifies the name of the LocalDB account to be
                               created or updated. Its value must be a case-sensitive string of 1 to
                               64 characters.
password                       This parameter specifies the password of the LocalDB account. Its
                               value must be a case-sensitive string of 1 to 32 characters enclosed
                               by double quotes. Only 0-9, a-z, A-Z, the space character and some
                               special printable ASCII characters such as ! @ # $ % ^ & * ( ) _ - ~
                               = { } [ ] | \ / ? : ; ' ` < > , . are allowed.
phone                          Optional. This parameter specifies the telephone number of the
                               LocalDB account. Its value must be a string of 1 to 32 characters
                               enclosed by double quotes. Only numbers, spaces, “+” and “-” are
                               allowed. The default value is empty.
mail                           Optional. This parameter specifies the mail address of the LocalDB
                               account in the format of “abc@xyz.com”. Its value must be a string
                               of 1 to 128 characters enclosed by double quotes. The default value
                               is empty.
nfs_group                      Optional. This parameter specifies the NFS (Network File System)
                               group ID of the LocalDB account. Its value must be an integer
                               ranging from 0 to 65,535. The default value is 0.
nfs_account                    Optional. This parameter specifies the NFS (Network File System)
                               account of the LocalDB account. Its value must be an integer
                               ranging from 0 to 65,535. The default value is 0.
custom_info1                  Optional. This parameter specifies the customized user information
                              of the LocalDB account. Its value must be a string of 1 to 256
                              characters. The default value is empty.
custom_info2                  Optional. This parameter specifies the customized user information
                              of the LocalDB account. Its value must be a string of 1 to 256
                              characters. The default value is empty.
custom_info3                  Optional. This parameter specifies the customized user information
                              of the LocalDB account. Its value must be a string of 1 to 256
                              characters. The default value is empty.
custom_info4                  Optional. This parameter specifies the customized user information
                              of the LocalDB account. Its value must be a string of 1 to 256
                              characters. The default value is empty.
custom_info5                  Optional. This parameter specifies the customized user information
                              of the LocalDB account. Its value must be a string of 1 to 256
                              characters. The default value is empty.
no localdb account <account_name>
This command is used to delete an existing LocalDB account.
show localdb account [account_name] [group_name] [start] [count] [column] [index]
This command is used to display the specified LocalDB account.
account_name                  Optional. This parameter specifies a string to match the existing
                              LocalDB accounts. Its value must be a case-sensitive string of 1 to
                              64 characters.
                                  - If the parameter is specified, LocalDB accounts whose names
                                    include this string will be displayed.
                                  - If the parameter is not specified, all LocalDB accounts will be
                                    displayed.
                              The default value is empty.
group_name                    Optional. This parameter specifies the name of the LocalDB group
                              to which the LocalDB accounts to be displayed belong.
                                  - If this parameter is specified, only LocalDB accounts belonging
                                    to the LocalDB group will be displayed.
                                  - If this parameter is not specified, the displayed LocalDB
                                    accounts will not be filtered by the LocalDB group.
                              The default value is empty.
start                         Optional. This parameter specifies the position in the list of
                              LocalDB accounts from which the display starts. Its value must be an
                              integer ranging from 1 to 4,294,967,295 and the default value is 1.
count                         Optional. This parameter specifies the number of LocalDB accounts
                              to be displayed. Its value must be an integer ranging from 1 to
                              4,294,967,295. The default value is 0, indicating all LocalDB
                              accounts will be displayed.
column                        Optional. This parameter specifies the columns of a LocalDB
                              account entry to be displayed. This parameter supports the
                              following columns that must be represented by the letters in the
                              brackets in the parameter value: user_name(U), telephone(T),
                              e-mail(E), nfs_info(N), custom_info1-5(C), assigned_group(G),
                              force_passwd_change(F), lockout_manual(M),
                              lockout_manual_expires_time(L), passwd_expire_time(P), ip(I),
                              netmask(K), and user_passwd(W). The parameter value is
                              case-sensitive and can support multiple columns. The default value
                              is “UTENC”.
index                         Optional. This parameter specifies how to sort the displayed
                              LocalDB accounts in the output. This parameter supports sorting
                              LocalDB accounts by: user_name (alphabetical or U),
                              create_time(time), telephone(T), e-mail(E),
                              coutom_info1-5(coutom_info1-5),
                              lockout_manual_expires_time(L), passwd_expire_time(P), ip(I), or
                              netmask(K). This parameter value is case-insensitive and the
                              default value is “alphabetical”.
clear localdb account
This command is used to delete all existing LocalDB accounts.
show statistics localdb account [account_name] [group_name]
This command is used to display the LocalDB account statistics.
account_name                 Optional. This parameter specifies a string to match the existing
                             LocalDB accounts. Its value must be a case-sensitive string of 1 to
                             64 characters.
                                 - If this parameter is specified, the statistics of LocalDB
                                   accounts whose names include this string will be displayed.
                                 - If the parameter is not specified, the statistics of all LocalDB
                                   accounts will be displayed.
                             The default value is empty.
group_name                   Optional. This parameter specifies the name of the LocalDB group
                             to which the LocalDB accounts to be displayed belong.
                                 - If this parameter is specified, only the statistics of LocalDB
                                   accounts belonging to the LocalDB group will be displayed.
                                 - If this parameter is not specified, the displayed LocalDB
                                   account statistics will not be filtered by the LocalDB group.
                             The default value is empty.
localdb update accountname <account_name> <new_account_name>
This command is used to change the name of the specified LocalDB account.
account_name                 This parameter specifies the original LocalDB account name.
new_account_name             This parameter specifies the new account name for the LocalDB
                             account. Its value must be a string of 1 to 64 characters.
localdb update password <account_name> <new_password>
This command is used to change the password of the specified LocalDB account. If the command
“localdb passwdqc oldpasswd” is configured, the new password must not be the same as the old
password.
account_name                 This parameter specifies the name of the LocalDB account.
new_password                 This parameter specifies the new password of the LocalDB account.
                             Its value must be a case-sensitive string of 1 to 32 characters
                             enclosed by double quotes. Only 0-9, a-z, A-Z, the space character
                             and some special printable ASCII characters such as ! @ # $ % ^ &
                             * ( ) _ - + = { } [ ] | \ / ? : ; ' < > , . are allowed. The string cannot
                             contain any of the characters “ ~ `”.
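The “localdb account” and “localdb update password” commands above impose character and length rules that are easy to violate from a provisioning script, and the appliance rejects the whole line rather than telling the script which field was wrong. The following validator is added here as an example (not Array Networks code) that checks the arguments locally before they are sent: account_name 1 to 64 characters, password 1 to 32 characters from the listed set (which notably excludes the double quote used as the delimiter), phone 1 to 32 characters of digits, spaces, “+” and “-”, mail 1 to 128 characters in “abc@xyz.com” form, nfs_group and nfs_account integers 0 to 65,535, and up to five custom_info values of 1 to 256 characters. Assumptions: the curly apostrophe printed in the handbook is read as the ASCII apostrophe, the “abc@xyz.com” form is approximated by a loose regular expression, and the “update password” set is the creation set minus “~” and “`” plus “+”, as the two lists above differ. Function names are this example's own.

```python
"""Added example: local validation of `localdb account` / `localdb update
password` arguments against the rules listed above. Not Array Networks code.
"""
import re
import string
from typing import List, Optional, Sequence

# Character sets transcribed from the handbook (apostrophe read as ASCII ').
_BASE = set(string.ascii_letters + string.digits + " ")
CREATE_SPECIALS = set("!@#$%^&*()_-~={}[]|\\/?:;'`<>,.")
UPDATE_SPECIALS = (CREATE_SPECIALS - set("~`")) | {"+"}   # assumption, see lead-in
PASSWORD_ALLOWED_CREATE = _BASE | CREATE_SPECIALS
PASSWORD_ALLOWED_UPDATE = _BASE | UPDATE_SPECIALS

PHONE_RE = re.compile(r"[0-9 +\-]{1,32}")
MAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")   # loose "abc@xyz.com" check


def _check_password(pw: str, allowed: set, label: str) -> List[str]:
    problems = []
    if not 1 <= len(pw) <= 32:
        problems.append(f"{label} must be 1 to 32 characters")
    bad = sorted(set(pw) - allowed)
    if bad:
        # The double quote is the CLI delimiter and is absent from both lists.
        problems.append(f"{label} contains disallowed characters: {''.join(bad)!r}")
    return problems


def validate_account(name: str, password: str, phone: Optional[str] = None,
                     mail: Optional[str] = None, nfs_group: int = 0,
                     nfs_account: int = 0, custom: Sequence[str] = ()) -> List[str]:
    """Return a list of problems for a `localdb account` line; [] means acceptable."""
    problems = []
    if not 1 <= len(name) <= 64:
        problems.append("account_name must be 1 to 64 characters")
    problems += _check_password(password, PASSWORD_ALLOWED_CREATE, "password")
    if phone is not None and not PHONE_RE.fullmatch(phone):
        problems.append("phone must be 1 to 32 digits, spaces, '+' or '-'")
    if mail is not None and not (1 <= len(mail) <= 128 and MAIL_RE.fullmatch(mail)):
        problems.append("mail must be 1 to 128 characters in the form abc@xyz.com")
    for label, value in (("nfs_group", nfs_group), ("nfs_account", nfs_account)):
        if not (isinstance(value, int) and 0 <= value <= 65535):
            problems.append(f"{label} must be an integer from 0 to 65,535")
    if len(custom) > 5:
        problems.append("at most five custom_info values are allowed")
    for i, info in enumerate(custom, 1):
        if not 1 <= len(info) <= 256:
            problems.append(f"custom_info{i} must be 1 to 256 characters")
    return problems


def validate_new_password(new_password: str) -> List[str]:
    """Return a list of problems for a `localdb update password` value."""
    return _check_password(new_password, PASSWORD_ALLOWED_UPDATE, "new_password")


if __name__ == "__main__":
    # Constructed sample input, not taken from a real deployment.
    print(validate_account("spoke-01", 'Tr0ub4dor&3', phone="+1 408-555-0100",
                           mail="spoke01@example.com", custom=("branch", "west")))
    print(validate_account("spoke-02", 'has"quote', nfs_group=70000))
    print(validate_new_password("plus+ok"), validate_new_password("tilde~bad"))
```

A practical consequence of these sets is that the same password is not always legal in both commands: a value containing “+” is rejected at account creation but accepted by the update command, and the reverse holds for “~” and “`”, so provisioning and rotation tooling should validate against the set of the command it actually issues.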
   LocalDB Group
localdb group <group_name> [nfs_group]
This command is used to add a LocalDB group.
group_name                    This parameter specifies the name of the LocalDB group. Its value
                              must be a case-sensitive string of 1 to 64 characters.
nfs_group                     Optional. This parameter specifies the name of the NFS file share
                              group. Its value must be an integer ranging from 0 to 65,535. The
                              default value is 0.
no localdb group <group_name>
This command is used to delete a specified LocalDB group.
show localdb group [group_name] [account_name] [start] [count] [column]
[index]
This command is used to display the specified LocalDB group.
group_name                    Optional. This parameter specifies a string to match the existing
                              LocalDB groups. Its value must be a case-sensitive string of 1 to 64
                              characters.
                                  - If this parameter is specified, the LocalDB groups whose
                                    names include the string will be displayed.
                                  - If this parameter is not specified, all LocalDB groups will be
                                    displayed.
                              The default value is empty.
account_name                  Optional. This parameter specifies the name of the LocalDB
                              account.
                                  - If this parameter is specified, only LocalDB groups that include
                                    the specified LocalDB account will be displayed.
                                  - If this parameter is not specified, the displayed LocalDB
                                    groups will not be filtered by the LocalDB account.
                              The default value is empty.
start                         Optional. This parameter specifies the position in the list of
                              LocalDB groups from which the display starts. Its value must be an
                              integer ranging from 1 to 4,294,967,295. The default value is 1.
count                         Optional. This parameter specifies the number of LocalDB groups
                              to be displayed. Its value must be an integer ranging from 1 to
                              4,294,967,295. The default value is 0, indicating all LocalDB
                              groups will be displayed.
column                        Optional. This parameter specifies the columns of a LocalDB group
                              entry to be displayed. This parameter supports the following
                              columns that must be represented by the letters in the brackets in
                              the parameter value: user_name(U), telephone(T), e-mail(E),
                              nfs_info(N), custom_info1-5(C), assigned_group(G),
                              force_passwd_change(F), lockout_manual(M),
                              lockout_manual_expires_time(L), passwd_expire_time(P), ip(I),
                              netmask(K), and user_passwd(W). The parameter value is
                              case-sensitive and can support multiple columns. The default value
                              is “UTENC”.
index                         Optional. This parameter specifies how to sort the displayed
                              LocalDB groups in the output. This parameter supports sorting
                              LocalDB groups by: user_name (alphabetical or U),
                              create_time(time), telephone(T), e-mail(E),
                              coutom_info1-5(coutom_info1-5),
                              lockout_manual_expires_time(L), passwd_expire_time(P), ip(I) or
                              netmask(K). This parameter value is case-insensitive and the
                              default value is “alphabetical”.
clear localdb group
This command is used to delete all existing LocalDB groups.
localdb update groupname <group_name> <new_group_name>
This command is used to change the name of an existing LocalDB group.
group_name                    This parameter specifies the original name of the LocalDB group.
                              Its value must be a string of 1 to 64 characters.
new_group_name                This parameter specifies the new name of the LocalDB group. Its
                              value must be a string of 1 to 64 characters.
localdb member <group_name> <account_name>
This command is used to associate an existing LocalDB account with an existing LocalDB group.
One LocalDB account can be associated with 20 LocalDB groups.
group_name                    This parameter specifies the name of the LocalDB group. Its value
                              must be a string of 1 to 64 characters.
account_name                  This parameter specifies the name of the LocalDB account. Its
                              value must be a string of 1 to 64 characters.
no localdb member <group_name> <account_name>
This command is used to disassociate an existing LocalDB account from an existing LocalDB
group.
show localdb member account [account_name]
This command is used to display the associations of LocalDB groups with the specified LocalDB
account. If the “account_name” parameter is not specified, all associations between LocalDB
groups and accounts in the LocalDB will be displayed.
show localdb member group [group_name]
This command is used to display the associations of LocalDB accounts with the specified
LocalDB group. If the “group_name” parameter is not specified, all associations between
LocalDB groups and accounts in the LocalDB will be displayed.
clear localdb member [group_name]
This command is used to disassociate all LocalDB accounts from the specified LocalDB group. If
the “group_name” parameter is not specified, all LocalDB accounts are disassociated from all
LocalDB groups.
show statistics localdb group [group_name] [account_name]
This command is used to display the LocalDB group statistics.
group_name                    Optional. This parameter specifies a string to match the existing
                              LocalDB groups. Its value must be a case-sensitive string of 1 to 64
                              characters.
                              - If this parameter is specified, statistics of the LocalDB groups
                                whose names include the string will be displayed.
                              - If this parameter is not specified, the statistics of all LocalDB
                                groups will be displayed.
                              The default value is empty.
account_name                  Optional. This parameter specifies the name of the LocalDB
                              account.
                              - If this parameter is specified, only the statistics of LocalDB
                                groups including the specified LocalDB account will be displayed.
                              - If this parameter is not specified, the displayed LocalDB group
                                statistics will not be filtered by the LocalDB account.
                              The default value is empty.
LocalDB Account Password Settings
localdb passwdqc length [length]
This command is used to enable the password checking policy requiring a minimum password
length. By default, this policy is disabled. After this command is configured, to update the
password of the existing LocalDB account or create a new account, the length of the new
password must be greater than or equal to the value specified by the parameter “length”.
length                        Optional. This parameter specifies the minimum length of the
                              LocalDB account password. Its value must be an integer ranging
                              from 1 to 32. The default value is 8.
no localdb passwdqc length
This command is used to disable the password checking policy requiring a minimum password
length.
localdb passwdqc upperchar
This command is used to enable the password checking policy requiring at least one upper-case
character in the LocalDB account password. By default, this policy is disabled. After this
command is configured, to update the password of the existing LocalDB account or create a new
account, the new password must include at least one upper-case letter.
no localdb passwdqc upperchar
This command is used to disable the password checking policy requiring at least one upper-case
letter in the LocalDB account password.
localdb passwdqc lowerchar
This command is used to enable the password checking policy requiring at least one lower-case
character in the LocalDB account password. By default, this policy is disabled. After this
command is configured, to update the password of the existing LocalDB account or create a new
account, the new password must include at least one lower-case character.
no localdb passwdqc lowerchar
This command is used to disable the password checking policy requiring at least one lower-case
letter in the LocalDB account password.
localdb passwdqc numchar
This command is used to enable the password checking policy requiring at least one numeric
character in the LocalDB account password. By default, this policy is disabled. After this
command is configured, to update the password of the existing LocalDB account or create a new
account, the new password must include at least one numeric character.
no localdb passwdqc numchar
This command is used to disable the password checking policy requiring at least one numeric
character in the LocalDB account password.
localdb passwdqc nonalphanum
This command is used to enable the password checking policy requiring at least one
non-alphanumeric character in the LocalDB account password. By default, this policy is disabled.
After this command is configured, to update the password of the existing LocalDB account or
create a new account, the new password must include at least one non-alphanumeric character.
no localdb passwdqc nonalphanum
This command is used to disable the password checking policy requiring at least one
non-alphanumeric character in the LocalDB account password.
localdb passwdqc username
This command is used to enable the password checking policy requiring that the username cannot
be a subset of the password. By default, this policy is disabled. After this command is configured,
to update the password of the existing LocalDB account or create a new account, the new
password cannot include the account name.
no localdb passwdqc username
This command is used to disable the password checking policy requiring that the username cannot
be a subset of the password.
localdb passwdqc oldpasswd
This command is used to enable the password checking policy requiring that the new password
cannot be the same as the old password. By default, this policy is disabled. After this command is
configured, to update the password of the existing LocalDB account or create a new account, the
new password cannot be the same as the old password.
no localdb passwdqc oldpasswd
This command is used to disable the password checking policy requiring that the new LocalDB
account password cannot be the same as the old password.
localdb passwdqc minunique [unique_char]
This command is used to enable the password checking policy requiring a minimum number of
unique characters in the LocalDB account password. By default, this policy is disabled. After
this command is configured, to update the password of an existing LocalDB account or create a
new account, the new password must include at least the number of unique characters specified
by the parameter “unique_char”.
unique_char                     Optional. This parameter specifies the minimum number of unique
                                characters. Its value must be a number between 1 and 32. The
                                default value is 5.
no localdb passwdqc minunique
This command is used to disable the password checking policy requiring a minimum number of
unique characters in the LocalDB account password.
localdb passwdqc all
This command is used to enable all the above password checking policies.
no localdb passwdqc all
This command is used to disable all the above password checking policies.
show localdb passwdqc
This command is used to display all the configured password checking policies.
clear localdb passwdqc
This command is used to clear all password checking policies.
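The following Python helper is an added example and is not part of the Array Networks handbook or software. It reproduces the eight “passwdqc” policies above so that an administrator can check candidate passwords offline (for example the rows of an account file before “localdb import”) against the same policy that the virtual site enforces. The class and function names are assumptions, as is the case-sensitive handling of the username check, which the handbook does not specify.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswdQC:
    """One attribute per 'localdb passwdqc <policy>' command.

    None / False means the policy is disabled, which is the handbook's
    default for every policy.
    """
    length: Optional[int] = None      # 'localdb passwdqc length [length]' (default 8 when enabled)
    upperchar: bool = False
    lowerchar: bool = False
    numchar: bool = False
    nonalphanum: bool = False
    username: bool = False
    oldpasswd: bool = False
    minunique: Optional[int] = None   # 'localdb passwdqc minunique [unique_char]' (default 5)

    def __post_init__(self) -> None:
        # The handbook limits both numeric parameters to the range 1..32.
        for name in ("length", "minunique"):
            value = getattr(self, name)
            if value is not None and not 1 <= value <= 32:
                raise ValueError(f"{name} must be between 1 and 32, got {value}")

    @classmethod
    def all_enabled(cls) -> "PasswdQC":
        """Equivalent of 'localdb passwdqc all' with the handbook's default values."""
        return cls(length=8, upperchar=True, lowerchar=True, numchar=True,
                   nonalphanum=True, username=True, oldpasswd=True, minunique=5)


def check_password(policy: PasswdQC, account: str, new_pw: str,
                   old_pw: Optional[str] = None) -> List[str]:
    """Return the names of the violated policies; an empty list means the
    password would be accepted under 'policy'.

    old_pw is only relevant when the 'oldpasswd' policy is enabled (password
    update); pass None when a new account is being created.
    """
    violations: List[str] = []
    if policy.length is not None and len(new_pw) < policy.length:
        violations.append("length")
    if policy.upperchar and not any(c.isupper() for c in new_pw):
        violations.append("upperchar")
    if policy.lowerchar and not any(c.islower() for c in new_pw):
        violations.append("lowerchar")
    if policy.numchar and not any(c.isdigit() for c in new_pw):
        violations.append("numchar")
    if policy.nonalphanum and not any(not c.isalnum() for c in new_pw):
        violations.append("nonalphanum")
    # 'username': the account name may not be a subset (substring) of the password.
    # Assumption: the comparison is case-sensitive; the handbook does not say.
    if policy.username and account and account in new_pw:
        violations.append("username")
    if policy.oldpasswd and old_pw is not None and new_pw == old_pw:
        violations.append("oldpasswd")
    if policy.minunique is not None and len(set(new_pw)) < policy.minunique:
        violations.append("minunique")
    return violations


def check_account_file(policy: PasswdQC, entries: List[dict]) -> dict:
    """Pre-check a batch of {'account': ..., 'password': ...} entries and map
    each rejected account name to the list of policies it violates."""
    return {e["account"]: v for e in entries
            if (v := check_password(policy, e["account"], e["password"]))}


if __name__ == "__main__":
    # Constructed sample entries, not real account data.
    sample = [{"account": "alice", "password": "Str0ng!pass"},
              {"account": "bob", "password": "bob12345"}]
    for name, problems in check_account_file(PasswdQC.all_enabled(), sample).items():
        print(f"{name}: violates {', '.join(problems)}")
```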
localdb passwdexpire age [account_name] [duration] [mode]
This command is used to set the password expiration age for a specified LocalDB account.
account_name                   Optional. This parameter specifies the name of an existing LocalDB
                               account. The default value is empty, indicating the password
                               expiration age is set for all LocalDB accounts.
duration                       Optional. This parameter specifies the expiration age (counted from
                               the last password change) of the LocalDB account password in
                               seconds. Its value must be an integer ranging from 1 to
                               2,147,483,647. The default value is 99,999,999.
mode                           Optional. This parameter specifies whether the expiration applies
                               once or repeatedly. The parameter value must be empty or “repeat”.
                               If this parameter is empty, the LocalDB user will be asked to
                               change the password only once, when the password expiration age
                               has elapsed since the user last changed the password. When this
                               parameter is set to “repeat”, the LocalDB user will be asked to
                               change the password every time the password expiration age has
                               elapsed after changing the password. The default value is empty.
no localdb passwdexpire age <account_name>
This command is used to delete the password expiration age configuration for a specified
LocalDB account.
show localdb passwdexpire age [account_name] [mode]
This command is used to display the password expiration age configuration for a specified
LocalDB account. If the “account_name” parameter is not specified, the password expiration age
configuration for all LocalDB accounts will be displayed.
clear localdb passwdexpire age
This command is used to delete the password expiration age configuration for all LocalDB
accounts.
localdb passwdexpire nextlogin [account_name]
This command is used to enable forcible password expiration upon next login for the specified
LocalDB account. The LocalDB user will be asked to change the password on next login. By
default, this function is disabled.
account_name                   Optional. This parameter specifies the name of an existing LocalDB
                               account. The default value is empty, indicating the forcible
                               password expiration upon next login for all LocalDB accounts will
                               be enabled.
no localdb passwdexpire nextlogin <account_name>
This command is used to disable forcible password expiration upon next login for the specified
LocalDB account.
show localdb passwdexpire nextlogin [account_name]
This command is used to display the configuration of forcible password expiration upon next login
for the specified LocalDB account. If the “account_name” parameter is not specified, the
password configuration of expiration upon next login for all LocalDB accounts will be displayed.
clear localdb passwdexpire nextlogin
This command is used to delete the configuration of password expiration upon next login for all
LocalDB accounts.
LocalDB Lockout
localdb lockout auto idletime [idle_time] [duration]
This command is used to enable auto idle lockout for all LocalDB accounts. LocalDB accounts
will be locked out when the idle time is up. By default, this function is disabled.
idle_time                      Optional. This parameter specifies the idle time after which the
                               LocalDB account will be locked out, in seconds. Its value must be
                               an integer ranging from 1 to 4,294,967,295. The default value is
                               99,999,999.
duration                       Optional. This parameter specifies the duration of the lockout, in
                               seconds. Its value must be an integer ranging from 0 to
                               4,294,967,295. If its value is set to “0”, then the LocalDB account
                               will remain locked out until being manually unlocked by using the
                               command “localdb lockout unlock [account_name]”. The default
                               value is 0.
no localdb lockout auto idletime
This command is used to disable the auto idle lockout for all LocalDB accounts.
show localdb lockout auto idletime
This command is used to display the configuration of the auto idle lockout for all LocalDB
accounts.
localdb lockout auto loginfailure [failure_times] [duration]
This command is used to enable auto login failure lockout for all LocalDB accounts. LocalDB
accounts will be locked out after reaching the number of login failures specified by the parameter
“failure_times”. By default, this function is disabled.
failure_times                  Optional. This parameter specifies the number of login failures after
                               which the LocalDB account is locked out. Its value must be an
                               integer ranging from 1 to 65,535. The default value is 10.
duration                       Optional. This parameter specifies the duration of the lockout in
                               seconds. Its value must be an integer ranging from 0 to
                               4,294,967,295. The default value is 0, indicating that the LocalDB
                               account will remain locked out until being manually unlocked by
                               using the command “localdb lockout unlock [account_name]”.
no localdb lockout auto loginfailure
This command is used to disable auto login failure lockout for all LocalDB accounts.
show localdb lockout auto loginfailure
This command is used to display the configuration of auto login failure lockout for all LocalDB
accounts.
localdb lockout manual [account_name] [duration]
This command is used to manually lock out a specified LocalDB account for a specific duration.
account_name                   Optional. This parameter specifies the name of the account to be
                               locked out. The default value is empty, indicating all LocalDB
                               accounts will be locked out by default.
duration                       Optional. This parameter specifies the duration in seconds for
                               which the account will be locked out. Its value must be an integer
                               ranging from 0 to 4,294,967,295. If its value is set to “0”, the
                               LocalDB account will be locked out until being manually unlocked
                               by using the command “localdb lockout unlock [account_name]”.
                               The default value is 0.
show localdb lockout manual [account_name]
This command is used to display the lockout duration of a specified LocalDB account. If the
“account_name” parameter is not specified, the lockout duration of all LocalDB accounts will be
displayed.
localdb lockout list [type] [username] [start] [count]
This command is used to display the currently locked LocalDB accounts.
type                           Optional. This parameter specifies the lockout type of the locked
                               LocalDB accounts to be displayed. Its value must only be:
                               - “loginfailure”: indicates that the LocalDB accounts locked out
                                 due to login failures will be displayed.
                               - “idletime”: indicates that the LocalDB accounts locked out due
                                 to idle timeout will be displayed.
                               - “manual”: indicates that the LocalDB accounts locked out
                                 manually by the administrator will be displayed.
                               - “all”: indicates that the LocalDB accounts of all the preceding
                                 three types will be displayed.
                               The default value is all.
username                       Optional. This parameter specifies a string to match the LocalDB
                               account. Its value must be a string of 1 to 64 characters. All locked
                               LocalDB accounts whose names include the string will be
                               displayed. If this parameter is not specified, locked accounts will
                               not be filtered by username.
start                          Optional. This parameter specifies the start of locked LocalDB
                               accounts to be displayed. Its value must be between 1 and
                               4,294,967,295. The default value is 1.
count                          Optional. This parameter specifies the number of locked LocalDB
                               accounts to be displayed. Its value must be an integer ranging from
                               0 to 4,294,967,295. The default value is 0, indicating all locked
                               LocalDB accounts matching the other parameter settings will be
                               displayed.
localdb lockout unlock [account_name]
This command is used to unlock a previously locked LocalDB account.
account_name                   Optional. This parameter specifies the name of the LocalDB
                               account to be unlocked. The default value is empty, indicating all
                               locked LocalDB accounts will be unlocked.
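The following Python model is an added example, not Array Networks code. It simulates the lockout rules of this section (login failure lockout, idle lockout, manual lockout, the “duration 0 means locked until manually unlocked” rule, and the “lockout list” filter) so an administrator can reason about how a chosen failure_times/duration pair behaves before applying it. Class and method names are hypothetical; the handbook does not state the reference point of the idle clock, so the model assumes it starts at account creation and restarts on a successful login or an unlock.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    """Mirror of the two auto lockout commands; None means that policy is disabled."""
    failure_times: Optional[int] = None   # 'localdb lockout auto loginfailure [failure_times] ...'
    failure_duration: int = 0             # seconds; 0 = locked until 'localdb lockout unlock'
    idle_time: Optional[int] = None       # 'localdb lockout auto idletime [idle_time] ...'
    idle_duration: int = 0                # seconds; 0 = locked until manual unlock


@dataclass
class AccountState:
    last_activity: int                    # epoch seconds of creation, last login or unlock
    failures: int = 0                     # consecutive failed logins
    lock_type: Optional[str] = None       # "loginfailure", "idletime", "manual" or None
    lock_until: Optional[int] = None      # None while locked with duration 0


class LocalDBLockout:
    """Hypothetical in-memory model of the LocalDB lockout behaviour."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def create_account(self, name: str, now: int) -> None:
        # Assumption: the idle clock starts when the account is created.
        self.accounts[name] = AccountState(last_activity=now)

    def _lock(self, st: AccountState, kind: str, duration: int, now: int) -> None:
        st.lock_type = kind
        st.lock_until = None if duration == 0 else now + duration

    def is_locked(self, name: str, now: int) -> bool:
        """True while a lockout is in force; a timed lockout expires on its own."""
        st = self.accounts[name]
        if st.lock_type is None:
            return False
        if st.lock_until is not None and now >= st.lock_until:
            self.unlock(name, now)
            return False
        return True

    def login(self, name: str, password_ok: bool, now: int) -> str:
        """Process one login attempt and return 'ok', 'failed' or 'locked'."""
        st = self.accounts[name]
        p = self.policy
        # Auto idle lockout: the account has been idle for longer than idle_time.
        if (p.idle_time is not None and st.lock_type is None
                and now - st.last_activity > p.idle_time):
            self._lock(st, "idletime", p.idle_duration, now)
        if self.is_locked(name, now):
            return "locked"
        if password_ok:
            st.failures = 0
            st.last_activity = now
            return "ok"
        st.failures += 1
        if p.failure_times is not None and st.failures >= p.failure_times:
            self._lock(st, "loginfailure", p.failure_duration, now)
            return "locked"
        return "failed"

    def lockout_manual(self, name: str, duration: int, now: int) -> None:
        """'localdb lockout manual <account_name> [duration]' for a single account."""
        self._lock(self.accounts[name], "manual", duration, now)

    def unlock(self, name: str, now: int) -> None:
        """'localdb lockout unlock <account_name>': clears the lock and the failure counter."""
        st = self.accounts[name]
        st.lock_type, st.lock_until, st.failures = None, None, 0
        st.last_activity = now            # assumption: unlocking restarts the idle clock

    def lockout_list(self, now: int, lock_type: str = "all") -> List[str]:
        """'localdb lockout list [type]': names of the accounts currently locked out."""
        return sorted(n for n in self.accounts
                      if self.is_locked(n, now)
                      and lock_type in ("all", self.accounts[n].lock_type))
```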
show statistics localdb lockout [account_name]
This command is used to display the lockout statistics of a specified LocalDB account.
account_name                   Optional. This parameter specifies a string to match the account. All
                               LocalDB accounts including the string will be matched. If the
                               parameter “account_name” is not specified, the lockout statistics for
                               all LocalDB accounts will be displayed.
LocalDB Backup and Restoration
localdb backup <backup_name>
This command is used to back up the virtual site’s LocalDB. A maximum of 20 LocalDB backup
files can be configured in the system. If 20 LocalDB backup files already exist, to create new
LocalDB backup files, the old ones must be deleted.
backup_name                    This parameter specifies the name of the LocalDB backup. Its value
                               must be a string of 1 to 32 characters.
        Note: For the MotionPro-type virtual site, this command will back up all the data in the
        LocalDB including the MDM data but excluding the MDM CLI configurations.
no localdb backup <backup_name>
This command is used to delete the specified LocalDB backup file.
show localdb backup
This command is used to display the LocalDB backup files.
clear localdb backup
This command is used to delete all LocalDB backup files.
localdb autobackup <count> [time] [dayofweek]
This command is used to configure the LocalDB auto-backup settings. If this command is not
configured, the default setting “localdb autobackup 3 0:00 0” will be used, which means to
automatically back up the LocalDB daily at 0:00 and at most three auto-backup files can be kept.
If three auto-backup files already exist, new auto-backup files will overwrite the old ones.
count                          This parameter specifies the number of auto-backup files to be kept
                               in the system. Its value must be an integer ranging from 0 to 5. If
                               the parameter is set to “0”, auto-backup will be turned off. When
                              the count is exceeded, the oldest backup file would be overwritten.
time                          Optional. This parameter specifies the time for the auto-backup in
                              “HH:MM” (24-hour) format, for example, 6:23, 05:05, 23:59. The
                              default value is 0:00.
dayofweek                     Optional. This parameter specifies the day of the week for the
                              auto-backup. Its value must be an integer ranging from 0 to 7. The
                              default value is 0, indicating the LocalDB database will be backed
                              up on a daily basis.
                              If the parameter is set to “1” to “7”, the LocalDB database will be
                              backed up once a week, respectively from Monday to Sunday.
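The following Python helper is an added example, not Array Networks code. It validates the arguments of “localdb autobackup” against the ranges above, computes when the next auto-backup will fire for a daily (dayofweek 0) or weekly (dayofweek 1 to 7) setting, and applies the retention rule that overwrites the oldest file once “count” is exceeded. Function names are hypothetical.

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional


class AutoBackup(NamedTuple):
    count: int       # 0..5 auto-backup files kept; 0 turns auto-backup off
    hour: int
    minute: int
    dayofweek: int   # 0 = daily, 1..7 = Monday..Sunday


def parse_autobackup(count: int, time: str = "0:00", dayofweek: int = 0) -> AutoBackup:
    """Validate the arguments of 'localdb autobackup <count> [time] [dayofweek]'
    using the ranges given in the handbook and return a normalized setting."""
    if not 0 <= count <= 5:
        raise ValueError("count must be an integer from 0 to 5")
    if not 0 <= dayofweek <= 7:
        raise ValueError("dayofweek must be an integer from 0 to 7")
    hh, mm = time.split(":")            # "6:23", "05:05" and "23:59" are all accepted
    hour, minute = int(hh), int(mm)
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("time must be HH:MM in 24-hour format")
    return AutoBackup(count, hour, minute, dayofweek)


def next_autobackup(setting: AutoBackup, now: datetime) -> Optional[datetime]:
    """Return the next time the auto-backup fires after 'now', or None when it is off."""
    if setting.count == 0:
        return None
    run = now.replace(hour=setting.hour, minute=setting.minute, second=0, microsecond=0)
    if setting.dayofweek == 0:                      # daily
        if run <= now:
            run += timedelta(days=1)
        return run
    # Weekly: the handbook's 1..7 (Monday..Sunday) maps onto Python's weekday() 0..6.
    target = setting.dayofweek - 1
    run += timedelta(days=(target - now.weekday()) % 7)
    if run <= now:
        run += timedelta(days=7)
    return run


def next_autobackup_iso(setting: AutoBackup, now_iso: str) -> Optional[str]:
    """Same as next_autobackup() but with ISO-8601 strings in and out."""
    run = next_autobackup(setting, datetime.fromisoformat(now_iso))
    return run.isoformat(timespec="minutes") if run else None


def rotate_backups(existing: List[str], new_backup: str, count: int) -> List[str]:
    """Apply the retention rule: keep at most 'count' files (oldest first), so the
    oldest file is the one overwritten once the count is exceeded."""
    kept = existing + [new_backup]
    return kept[-count:] if count > 0 else []


if __name__ == "__main__":
    default = parse_autobackup(3)       # the handbook's default "localdb autobackup 3 0:00 0"
    print(next_autobackup_iso(default, "2018-05-14T10:00"))
    print(rotate_backups(["auto1", "auto2", "auto3"], "auto4", default.count))
```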
show localdb autobackup
This command is used to display the settings of the existing LocalDB auto-backup.
localdb restore <backup_name>
This command is used to restore LocalDB from the specified LocalDB backup.
backup_name                   This parameter specifies the name of the LocalDB backup database.
                              Its value must be a string of 1 to 32 characters.
LocalDB Export and Import
localdb export <file_name> {account|group|member}
This command is used to export accounts, groups or member relations from the LocalDB database
into a configuration file on the system.
file_name                     This parameter specifies the name of the file on the system. Its
                              value must be a string of 1 to 32 characters.
account|group|member          This parameter specifies the type of information to be exported. Its
                              value must only be “account”, “group” or “member”.
                              - account: indicates that the account information, such as the
                                username, password, creation time and so on, will be exported.
                              - group: indicates that the group information, such as the group
                                name, expiration time, creation time and so on, will be
                                exported.
                              - member: indicates that only the account and group name will
                                be exported.
        Note: The files exported from LocalDB directly are in the UTF-8 encoding format. To
        read or edit the exported file, make sure that your file viewer or editor supports UTF-8
        encoding.
no localdb export <file_name> {account|group|member}
This command is used to delete the configuration file exported from the LocalDB database.
show localdb export {account|group|member}
This command is used to display the configuration of accounts, groups or member relations
exported from the LocalDB database.
clear localdb export {account|group|member}
This command is used to delete all configurations of accounts, groups or member relations
exported from the LocalDB database.
localdb netexport scp {account|group|member} <server_name>
<user_name> <file_path>
This command is used to export a file containing accounts, groups or member relations to an SCP
server.
account|group|member           This parameter specifies the type of information to be exported. Its
                               value must only be “account”, “group” or “member”.
                               - account: indicates that the account information, such as the
                                 username, password, creation time and so on, will be exported.
                               - group: indicates that the group information, such as the group
                                 name, the expiration time, creation time and so on, will be
                                 exported.
                               - member: indicates that only the account and group name will
                                 be exported.
server_name                    This parameter specifies the name of the server to which data will
                               be exported. Its value must be a string of 1 to 128 characters.
user_name                      This parameter specifies the name of the remote user on the SCP
                               server. Its value must be a string of 1 to 64 characters.
file_path                      This parameter specifies the path, which must include the file name,
                               to export the file on the SCP server. Its value must be a string of 1
                               to 256 characters.
        Note: The files exported via SCP are in the UTF-8 encoding format. To read or edit the
        exported file, make sure that your file viewer or editor supports UTF-8 encoding.
localdb netexport tftp {account|group|member} <ip> <file_name>
This command is used to export a file containing accounts, groups or member relations to a TFTP
server.
account|group|member           This parameter specifies the type of information to be exported. Its
                               value must only be “account”, “group” or “member”.
                               - account: indicates that the account information, such as the
                                 username, password, creation time and so on, will be exported.
                               - group: indicates that the group information, such as the group
                                 name, the expiration time, creation time and so on, will be
                                 exported.
                               - member: indicates that only the account and group name will
                                 be exported.
ip                             This parameter specifies the IP address of the TFTP server.
file_name                      This parameter specifies the name of the file to export data on the
                               TFTP server. Its value must be a string of 1 to 256 characters.
        Note: The files exported via TFTP are in the UTF-8 encoding format. To read or edit the
        exported file, make sure that your file viewer or editor supports UTF-8 encoding.
localdb import <file_name> {account|group|member} [overwrite|ignore]
This command is used to import a file containing accounts, groups or member relations into
LocalDB from the system.
file_name                      This parameter specifies the name of the file to be imported into
                               LocalDB. Its value must be a string of 1 to 127 characters.
account|group|member           This parameter specifies the type of information to be imported. Its
                               value must only be “account”, “group” or “member”.
                               - account: indicates that the account information, such as the
                                 username, password, creation time and so on, will be imported.
                               - group: indicates that the group information, such as the group
                                 name, expiration time, creation time and so on, will be
                                 imported.
                               - member: indicates that only the account and group name will
                                   be imported.
overwrite|ignore              Optional. This parameter specifies how to handle conflicting
                              duplicate data. Its value must only be:
                              - overwrite: The duplicate data will be merged with the existing
                                data.
                              - ignore: The duplicate data will not be imported.
                              If this parameter is not specified, the administrator must choose
                              at the CLI prompt when executing this command.
        Note: The files imported to LocalDB directly must be in the UTF-8 encoding format.
        Otherwise, the importing might fail.
localdb netimport http {account|group|member} <url> {overwrite|ignore}
This command is used to import a file containing accounts, groups or member relations from an
HTTP resource.
account|group|member          This parameter specifies the type of information to be imported. Its
                              value must only be “account”, “group” or “member”.
                                  account: indicates that the account information, such as the
                                   username, password, creation time and so on, will be imported.
                                  group: indicates that the group information, such as the group
                                   name, expiration time, creation time and so on, will be
                                   imported.
                                  member: indicates that only the account and group name will
                                   be imported.
url                           This parameter specifies the URL of the HTTP resource. Its value
                              must be a string of 1 to 64 characters.
overwrite|ignore              This parameter specifies how to handle conflicting (duplicate)
                              data. Its value must be “overwrite” or “ignore”.
                                  overwrite: The duplicate data will be merged with the existing
                                   data.
                                  ignore: The duplicate data will not be imported.
        Note: The files imported via HTTP must be in the UTF-8 encoding format. Otherwise, the
        import might fail.
localdb netimport scp {account|group|member} <server_name>
<user_name> <file_name> {overwrite|ignore}
This command is used to import a file containing accounts, groups or member relations from an
SCP server.
account|group|member          This parameter specifies the type of information to be imported. Its
                              value must only be “account”, “group” or “member”.
                                  account: indicates that the account information, such as the
                                   username, password, creation time and so on, will be imported.
                                  group: indicates that the group information, such as the group
                                   name, expiration time, creation time and so on, will be
                                   imported.
                                  member: indicates that only the account and group name will
                                   be imported.
server_name                   This parameter specifies the name of the server from which data
                              will be imported. Its value must be a string of 1 to 127 characters.
user_name                     This parameter specifies the name of the remote user on the SCP
                              server. Its value must be a string of 1 to 64 characters.
file_name                     This parameter specifies the path, including the file name, of the
                              file to import from the SCP server. Its value must be a string of
                              1 to 256 characters.
overwrite|ignore              This parameter specifies how to handle conflicting (duplicate)
                              data. Its value must be “overwrite” or “ignore”.
                                  overwrite: The duplicate data will be merged with the existing
                                   data.
                                  ignore: The duplicate data will not be imported.
        Note: The files imported via SCP must be in the UTF-8 encoding format. Otherwise, the
        importing might fail.
localdb netimport tftp {account|group|member} <ip> <file_name>
{overwrite|ignore}
This command is used to import a file containing accounts, groups or member relations from a
TFTP server.
account|group|member            This parameter specifies the type of information to be imported. Its
                                value must only be “account”, “group” or “member”.
                                    account: indicates that the account information, such as the
                                     username, password, creation time and so on, will be imported.
                                    group: indicates that the group information, such as the group
                                     name, expiration time, creation time and so on, will be
                                     imported.
                                    member: indicates that only the account and group name will
                                     be imported.
ip                              This parameter specifies the IP address of the TFTP server.
file_name                       This parameter specifies the name of the file to import data from on
                                the TFTP server. Its value must be a string of 1 to 256 characters.
overwrite|ignore                This parameter specifies how to handle conflicting (duplicate)
                                data. Its value must be “overwrite” or “ignore”.
                                    overwrite: The duplicate data will be merged with the existing
                                     data.
                                    ignore: The duplicate data will not be imported.
          Note: The files imported via TFTP must be in the UTF-8 encoding format. Otherwise,
          the importing might fail.
    LocalDB IP
localdb ip account <account_name> <ip_address> <netmask>
This command is used to set a fixed IP address for the specified LocalDB account. After the fixed
IP address is set for the specified LocalDB account:
    For users accessing the backend resources through the L3VPN tunnel, the system will assign
     the fixed IP address to the LocalDB account while ignoring the IP address assignment by the
     Netpool authorized to the LocalDB account.
    For users accessing the backend resources through the Site2Site VPN tunnel, the system will
     assign the fixed IP address (tunnel IP) to the LocalDB account.
account_name                    This parameter specifies the name of the LocalDB account.
ip_address                      This parameter specifies the IP address assigned to the LocalDB
                                account. Its value must be given in dotted decimal notation.
netmask                         This parameter specifies the netmask of the subnet to which the IP
                                address belongs. Its value must be given in dotted decimal notation.
no localdb ip account <account_name>
This command is used to delete the fixed IP address set for the specified LocalDB account.
show localdb ip account <account_name>
This command is used to display the fixed IP address set for the specified LocalDB account.
    LocalDB SSO
localdb sso account <account_name> <sso_account> <sso_passwd>
[sso_domain]
This command is used to configure an application login credential for the specified LocalDB
account in the LocalDB server.
account_name                   This parameter specifies the LocalDB account name. Its value must
                               be a string of 1 to 64 characters.
sso_account                    This parameter specifies the account name of the application login
                               credential used for Application SSO. Its value must be a string of 1
                               to 64 characters.
sso_passwd                     This parameter specifies the password of the application login
                               credential used for Application SSO. Its value must be a string of 1
                               to 64 characters. Only 0-9, a-z, A-Z and printable ASCII characters
                               are allowed.
sso_domain                     Optional. This parameter specifies the domain or workgroup used
                               for Application SSO. Its value must be a string of 1 to 256
                               characters. By default, this parameter is not specified.
        Note:
             The portal login username must be the same as the LocalDB account username
              associated with the application login credential.
             If the Application SSO function is enabled for DesktopDirect applications, the
              administrator needs to associate the DesktopDirect resources with the application
              login name used for Application SSO, not with the bound LocalDB account, using
              the command “art desktop assign user” or “art application associate user”.
no localdb sso account <account_name>
This command is used to delete the application login credential configured for the specified
LocalDB account.
show localdb sso account <account_name>
This command is used to display the application login credential configured for the specified
LocalDB account.
      LocalDB Status
show localdb config <virtual_site>
This global command is used to display all LocalDB configurations for a particular virtual site.
show localdb config
This command is used to display all LocalDB configurations of the virtual site.
      LocalDB Statistics
show statistics aaa
This command is used to display the AAA statistics of the virtual site.
show statistics aaa [virtual_site]
This global command is used to display the AAA statistics of the specified virtual site. If the
parameter “virtual_site” is not specified, the AAA statistics of all virtual sites will be displayed.
clear statistics aaa
This command is used to delete the AAA statistics of the virtual site.
clear statistics aaa [virtual_site]
This global command is used to delete the AAA statistics of the specified virtual site. If the
parameter “virtual_site” is not specified, the AAA statistics of all virtual sites will be deleted.
LDAP
aaa server ldap host <ldap_server_name> <ip> <port> <username>
<password> <base_dn> <timeout> [index] [tls_flag]
This command is used to configure an LDAP host for the specified LDAP server. A maximum of
three LDAP hosts can be configured for one LDAP server.
ldap_server_name                 This parameter specifies the name of an existing LDAP server. Its
                                 value must be a string of 1 to 32 characters.
ip                               This parameter specifies the IP address of the LDAP host. Its value
                                 must be an IPv4 address.
port                             This parameter specifies the port of the LDAP host. Its value must
                                 be an integer ranging from 1 to 65,535.
username                       This parameter specifies the username of the LDAP server
                               administrator. Its value must be a string of 1 to 127 characters.
password                       This parameter specifies the password of the LDAP server
                               administrator.
base_dn                        This parameter specifies the Distinguished Name (DN) of the
                               LDAP entry at which to start the search for users. Its value must be
                               a string of 1 to 900 characters.
timeout                        This parameter specifies the timeout value of the search in seconds.
                               Its value must be an integer ranging from 1 to 65,535.
index                          Optional. This parameter specifies the host index. Its value must be
                               1, 2 or 3. The default value is 1.
tls_flag                       Optional. This parameter specifies whether to access the LDAP
                               server over the TLS protocol. Its value must be:
                                   “tls”: indicates that the LDAP server is accessed over the TLS
                                    protocol.
                                   empty: indicates the LDAP server is not accessed over the
                                    TLS protocol.
                               The default value is empty.
no aaa server ldap host <ldap_server_name> <index>
This command is used to delete an LDAP host of the specified LDAP server.
show aaa server ldap host <ldap_server_name>
This command is used to display the LDAP server host(s) configured for the specified LDAP
server.
aaa server ldap idletime <ldap_server_name> [idle_time]
This command is used to set the idle timeout value for the specified LDAP server. The connection
to the LDAP server will be terminated when the connection is idle for the specified timeout value.
ldap_server_name               This parameter specifies the name of an existing LDAP server.
idle_time                      Optional. This parameter specifies the idle timeout value in
                               seconds. Its value must be an integer ranging from 60 to 3000. The
                               default value is 600.
no aaa server ldap idletime <ldap_server_name>
This command is used to delete the idle timeout setting of the specified LDAP server.
show aaa server ldap idletime <ldap_server_name>
This command is used to display the idle timeout value configured for the specified LDAP server.
aaa server ldap searchfilter <ldap_server_name> <filter_string>
This command is used to configure a search filter for the specified LDAP server. The search filter
plays an important role in authenticating and authorizing users through LDAP. For the functions
of the search filter in static and dynamic binding, please refer to the commands “aaa server ldap
bind dynamic” and “aaa server ldap bind static”.
ldap_server_name               This parameter specifies the name of an existing LDAP server.
filter_string                  This parameter specifies a filter string used to search for the LDAP
                               entries. Its value must be a string of 1 to 80 characters enclosed by
                               double quotes.
                               The filter string consists of:
                                   attribute: Common Name (cn), Distinguished Name (dn), User
                                    Id (uid), Organization Unit (ou) and so on.
                                   comparison operator: “>”, “<” or “=”.
                                   logical operator: “& (and)”, “| (or)”, “! (not)”, “= (equal to)”
                                    or “* (any)”.
                               Please refer to the RFC for details of the LDAP filter string.
                               The filter string can contain at most three tokens represented by
                               “<USER>”, which is case-insensitive. For example, if the
                               “filter_string” parameter is set to “cn=<USER>”, the system will
                               generate a search filter by replacing “<USER>” with an end user’s
                               real username upon receiving authentication or authorization
                               requests.
         Note: If this command is not configured for the specified LDAP server, AAA uses
         “uid=<USER>” as the default search filter string.
For example:
Search an entry with cn being the real username:
vs(config)$ aaa server ldap searchfilter ldap1 "cn=<USER>"
Search an entry without cn being the real username:
vs(config)$ aaa server ldap searchfilter ldap1 "(!(cn=<USER>))"
Search an entry with objectClass being Person and with sn being the real username or cn being a
value containing the real username:
vs(config)$ aaa server ldap searchfilter ldap1 "(&(objectClass=Person)(|(sn=<USER>)(cn=<USER>*)))"
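The following Python example, added here and not part of the handbook or of the appliance software, reproduces the documented expansion of a filter_string: the “uid=<USER>” default, the limit of three case-insensitive <USER> tokens, and the replacement of each token with the login name. The RFC 4515 escaping of the username is an assumption (the handbook does not say how the appliance treats special characters); it is what keeps characters typed at login from adding or closing filter components.

```python
import re
from typing import Optional

# Default search filter AAA uses when "aaa server ldap searchfilter" is not configured.
DEFAULT_FILTER = "uid=<USER>"
# The handbook allows at most three <USER> tokens, matched case-insensitively.
MAX_USER_TOKENS = 3
_TOKEN = re.compile(r"<USER>", re.IGNORECASE)

# RFC 4515 escaping (assumption: the handbook does not say how the appliance
# treats these characters). Inside an assertion value each of them must be
# written as a backslash followed by its two-digit hex code, so a username can
# never add or close filter components of its own.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Return the username escaped so it only ever matches as a literal value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def count_user_tokens(template: str) -> int:
    """Number of <USER> tokens (any letter case) in a filter_string."""
    return len(_TOKEN.findall(template))


def build_search_filter(template: Optional[str], username: str) -> str:
    """Expand a filter_string into the search filter sent for one login.

    Follows the documented behaviour: an unset template falls back to
    "uid=<USER>", the template is 1 to 80 characters, and it carries at most
    three <USER> tokens. Every token is replaced with the escaped username.
    """
    if not template:
        template = DEFAULT_FILTER
    if not 1 <= len(template) <= 80:
        raise ValueError("filter_string must be a string of 1 to 80 characters")
    tokens = count_user_tokens(template)
    if tokens > MAX_USER_TOKENS:
        raise ValueError(
            f"filter_string may contain at most {MAX_USER_TOKENS} <USER> tokens, found {tokens}"
        )
    # A callable replacement keeps re.sub from interpreting the backslashes
    # produced by escaping as group references.
    return _TOKEN.sub(lambda _match: escape_filter_value(username), template)


if __name__ == "__main__":
    # The three filters shown in the handbook, expanded for the login "alice".
    for filter_string in (None, "cn=<USER>", "(!(cn=<USER>))",
                          "(&(objectClass=Person)(|(sn=<USER>)(cn=<USER>*)))"):
        print(f"{filter_string!s:55} -> {build_search_filter(filter_string, 'alice')}")
    # Special characters typed at login are neutralised, while the trailing
    # "*" the administrator put in the template stays a real wildcard.
    print(build_search_filter("cn=<USER>*", "al(ice)"))
```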
no aaa server ldap searchfilter <ldap_server_name>
This command is used to delete the search filter configured for the specified LDAP server.
show aaa server ldap searchfilter <ldap_server_name>
This command is used to display the search filter configured for the specified LDAP server.
aaa server ldap attribute group <ldap_server_name> <attribute>
This command is used to specify the attribute used to obtain the external LDAP group of the user
from the LDAP entry for the specified LDAP server.
ldap_server_name                This parameter specifies the name of an existing LDAP server.
attribute                       This parameter specifies the name of the attribute used to obtain the
                                external LDAP group of the user from the LDAP entry. Its value
                                must be a string of 1 to 80 characters.
no aaa server ldap attribute group <ldap_server_name>
This command is used to delete the configuration of the attribute used to obtain the external LDAP
group from the LDAP entry for the specified LDAP server.
show aaa server ldap attribute group <ldap_server_name>
This command is used to display the configuration of the attribute used to obtain the external
LDAP group from the LDAP entry for the specified LDAP server.
aaa server ldap attribute phonenumber <ldap_server_name> <attribute>
This command is used to specify the attribute used to obtain the mobile phone number of the user
from the LDAP entry for the specified LDAP server.
ldap_server_name                This parameter specifies the name of an existing LDAP server.
attribute                       This parameter specifies the name of the attribute used to obtain the
                                mobile phone number of the user from the LDAP entry. Its value
                                must be a string of 1 to 80 characters.
no aaa server ldap attribute phonenumber <ldap_server_name>
This command is used to delete the configuration of the attribute used to obtain the mobile phone
number of the user from the LDAP entry for the specified LDAP server.
show aaa server ldap attribute phonenumber <ldap_server_name>
This command is used to display the configuration of the attribute used to obtain the mobile phone
number of the user from the LDAP entry for the specified LDAP server.
aaa server ldap attribute defaultgroup <ldap_server_name> <group>
This command is used to configure the default group assigned to authenticated users for whom no
LDAP group is obtained for the specified LDAP server.
ldap_server_name               This parameter specifies the name of an existing LDAP server.
group                          This parameter specifies the default group name for the user for
                               whom no LDAP group is obtained. Its value must be a string of 1 to
                               80 characters.
no aaa server ldap attribute defaultgroup <ldap_server_name>
This command is used to delete the configuration of the default group assigned to authenticated
users for whom no LDAP group is obtained for the specified LDAP server.
show aaa server ldap attribute defaultgroup <ldap_server_name>
This command is used to display the configuration of the default LDAP group assigned to
authenticated users for whom no LDAP group is obtained for the specified LDAP server.
aaa server ldap bind dynamic <ldap_server_name>
This command is used to enable the “dynamic” LDAP bind mode for the specified LDAP server.
In this case, AAA will fetch the DN from the LDAP server first.
After the “dynamic” LDAP bind mode is enabled, AAA sends a bind request containing the end
user’s username and password to the LDAP server and then a search request containing the search
filter string configured by the command “aaa server ldap searchfilter” to obtain the LDAP entry
of the end user. Then AAA sends the DN obtained from the LDAP entry together with the
password of the end user in another bind request to the LDAP server. After the end user passes the
authentication, AAA reuses the obtained LDAP entry to authorize the end user.
ldap_server_name               This parameter specifies the name of an existing LDAP server.
no aaa server ldap bind dynamic <ldap_server_name>
This command is used to disable the “dynamic” LDAP bind mode for the specified LDAP server.
aaa server ldap bind static <ldap_server_name> <dn_prefix> <dn_suffix>
This command is used to enable the “static” LDAP bind mode for the specified LDAP server. In
this case, the system constructs the user’s DN by concatenating the strings
“<dn_prefix><USER><dn_suffix>”, where <USER> is the username used to log into the virtual site.
“<dn_prefix>” and “<dn_suffix>” must be the same for all users using the same virtual site.
After the “static” LDAP bind mode is enabled, AAA sends the DN
(<dn_prefix><USER><dn_suffix>) together with the password of the end user in a bind request to
the LDAP server. After the end user passes the authentication, AAA sends a search request
containing the search filter string configured by the command “aaa server ldap searchfilter” to
obtain the LDAP entry of this end user. Then, it authorizes the end user based on the obtained
LDAP entry.
ldap_server_name              This parameter specifies the name of an existing LDAP server.
dn_prefix                     This parameter specifies the DN prefix extracted from the LDAP
                              server. Its value must be a string of 1 to 80 characters.
dn_suffix                     This parameter specifies the DN suffix extracted from the LDAP
                              server. Its value must be a string of 1 to 80 characters.
For example:
vs(config)$ aaa server ldap bind static "AD" "cn=" ",ou=array,dc=spxad,dc=cn"
no aaa server ldap bind static <ldap_server_name>
This command is used to disable the “static” LDAP bind mode for the specified LDAP server.
show aaa server ldap bind <ldap_server_name>
This command is used to display the configuration of the LDAP bind mode for the specified
LDAP server.
       Note: The “static” and “dynamic” LDAP bind modes cannot be enabled at the same time.
aaa server ldap pwdexpirewarning <ldap_server_name>
<password_expiry_warning>
This command is used to configure password expiry warning, that is, configure whether and when
to display a password expiry warning message on the welcome page for the specified LDAP
server. After this command is configured, if the remaining valid time of the LDAP user’s
password is equal to or less than the value of the “password_expiry_warning” parameter at user
login, a password expiry warning message will be displayed on the welcome page. If this
command is not configured, no password expiry warning message will be displayed on the
welcome page.
ldap_server_name              This parameter specifies the name of the existing LDAP server.
password_expiry_warning         This parameter specifies how long, in seconds, before the user’s
                                LDAP password expires the warning message is displayed on the
                                welcome page. Its value must be an integer ranging from 1 to
                                1,209,600.
        Note:
        Before using the LDAP password change function, please make sure that:
              On related LDAP servers, the lifetime of LDAP passwords has been configured.
              For the OpenLDAP server, the external default policy has been configured.
              For the Windows Active Directory (AD) server, its system time must be the same as
               the system time of the AG appliance.
              On the AG appliance, the related Windows AD servers have been configured to use
               port 636 and to be accessed using the TLS protocol.
no aaa server ldap pwdexpirewarning <ldap_server_name>
This command is used to delete the configuration of the password expiry warning for the specified
LDAP server.
show aaa server ldap pwdexpirewarning <ldap_server_name>
This command is used to display the configuration of the password expiry warning for the
specified LDAP server.
aaa server ldap pwdpolicy <ldap_server_name> <password_policy_DN>
This command is used to set the policy DN for the specified LDAP server when the LDAP server
is an OpenLDAP server.
Before configuring password expiry warning for the OpenLDAP server, you must execute this
command to set the policy DN first. Otherwise, the password expiry warning configuration will
not be accepted by the OpenLDAP server.
ldap_server_name                This parameter specifies the name of an existing LDAP server. Its
                                value must be a string of 1 to 32 characters.
password_policy_DN              This parameter specifies the policy DN. Its value must be a string of
                                1 to 32 characters and must be the same as the default policy DN
                                set on the OpenLDAP server.
For example:
vs(config)$ aaa server ldap pwdpolicy AD "cn=pwspolicy"
no aaa server ldap pwdpolicy <ldap_server_name>
This command is used to delete the configuration of the policy DN for the specified LDAP server.
show aaa server ldap pwdpolicy <ldap_server_name>
This command is used to display the configuration of the policy DN for the specified LDAP
server.
aaa group in dn
This command is used to enable the function of extracting the DN as the user’s group. The
administrator can use the command “aaa group regex” to define which part of the DN will be
extracted as the user’s group. By default, this function is disabled.
no aaa group in dn
This command is used to disable the function of extracting the DN as the user’s group.
aaa group regex <expression>
This command is used to define which part of the DN is to be extracted as the user’s group.
expression                     This parameter specifies a regular expression that indicates the part
                               of the DN to be extracted as the user’s group. Its value must be a
                               string of 1 to 64 characters. The “()” meta-character is supported. At
                               most five “()” meta-characters can be configured.
For example:
vs(config)$ aaa group regex "OU=([^,]*), OU=([^,]*)"
If the DN is “OU=Information Department, OU=Users, OU=1025, DC=staff, DC=org”, the
“Information Department” and “Users” will be extracted respectively as two groups of the user.
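The two DN manipulations described in this section, the static bind DN built as “<dn_prefix><USER><dn_suffix>” and the group extraction of “aaa group regex”, are made concrete by the following Python example, added here and not part of the handbook or of the appliance software. It reproduces both examples from the text (the "cn=" / ",ou=array,dc=spxad,dc=cn" static bind and the "OU=([^,]*), OU=([^,]*)" regex); the RFC 4514 escaping of the login name is an assumption, as the handbook does not say how the appliance treats special characters in it.

```python
import re
from typing import List

# RFC 4514 escaping (assumption: the handbook does not say how the appliance
# treats special characters in the login name). These characters must be
# backslash-escaped inside an attribute value, as must a leading "#" or space
# and a trailing space, so the username cannot add RDN components to the DN.
_DN_SPECIALS = set(',+"\\<>;')
# "aaa group regex" accepts at most five "()" capture groups.
MAX_REGEX_GROUPS = 5


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a Distinguished Name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def static_bind_dn(dn_prefix: str, user: str, dn_suffix: str) -> str:
    """Build the "<dn_prefix><USER><dn_suffix>" DN used in static bind mode."""
    for name, value in (("dn_prefix", dn_prefix), ("dn_suffix", dn_suffix)):
        if not 1 <= len(value) <= 80:
            raise ValueError(f"{name} must be a string of 1 to 80 characters")
    return f"{dn_prefix}{escape_dn_value(user)}{dn_suffix}"


def groups_from_dn(expression: str, dn: str) -> List[str]:
    """Apply an "aaa group regex" expression to a DN and return the groups it captures.

    An empty list means no group was extracted, which is the case in which the
    group configured with "aaa server ldap attribute defaultgroup" would apply.
    """
    if not 1 <= len(expression) <= 64:
        raise ValueError("expression must be a string of 1 to 64 characters")
    pattern = re.compile(expression)
    if pattern.groups > MAX_REGEX_GROUPS:
        raise ValueError(
            f'at most {MAX_REGEX_GROUPS} "()" groups are allowed, found {pattern.groups}'
        )
    match = pattern.search(dn)
    if match is None:
        return []
    return [group for group in match.groups() if group is not None]


if __name__ == "__main__":
    # The handbook's static bind example: bind static "AD" "cn=" ",ou=array,dc=spxad,dc=cn"
    print(static_bind_dn("cn=", "jdoe", ",ou=array,dc=spxad,dc=cn"))
    # A comma typed at login is escaped instead of starting a new RDN.
    print(static_bind_dn("cn=", "doe, john", ",ou=array,dc=spxad,dc=cn"))
    # The handbook's regex example yields "Information Department" and "Users".
    dn = "OU=Information Department, OU=Users, OU=1025, DC=staff, DC=org"
    print(groups_from_dn(r"OU=([^,]*), OU=([^,]*)", dn))
```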
   LDAP Autosearch
aaa server ldap autosearch profile <profile_name>
This command is used to define an LDAP auto-search profile. A maximum of five LDAP
auto-search profiles can be configured for a virtual site.
profile_name                   This parameter specifies the name of the LDAP auto-search profile.
                               Its value must be a string of 1 to 32 characters.
no aaa server ldap autosearch profile <profile_name>
This command is used to delete the specified LDAP auto-search profile.
show aaa server ldap autosearch profile
This command is used to display all LDAP auto-search profiles.
aaa server ldap autosearch host <profile_name> <ip> <port> <username>
<password> <base_dn> <timeout> <tls_flag>
This command is used to configure an LDAP host for the specified LDAP auto-search profile. The
LDAP host must be configured before the profile is enabled using the command “aaa server ldap
autosearch on <profile_name>”.
profile_name                  This parameter specifies the name of an existing LDAP auto-search
                              profile.
ip                            This parameter specifies the IP address of the LDAP host. Its value
                              must be an IPv4 address.
port                          This parameter specifies the port of the LDAP host. Its value must
                              be an integer ranging from 1 to 65,535.
username                      This parameter specifies the username of the LDAP server
                              administrator.
password                      This parameter specifies the password of the LDAP server
                              administrator.
base_dn                       This parameter specifies the DN of the LDAP entry at which to start
                              the search for users. Its value must be a string of 1 to 900
                              characters.
timeout                       This parameter specifies the maximum timeout in seconds. Its value
                              must be an integer ranging from 1 to 65,535.
tls_flag                      Optional. This parameter specifies whether to access the LDAP
                              server over the TLS protocol. Its value must be:
                                 • “tls”: indicates that the LDAP server is accessed over the TLS
                                   protocol.
                                 • empty: indicates the LDAP server is not accessed over the
                                   TLS protocol.
                              The default value is empty.
no aaa server ldap autosearch host <profile_name>
This command is used to delete the LDAP host configured for the specified LDAP auto-search
profile.
show aaa server ldap autosearch host <profile_name>
This command is used to display the LDAP host configured for the specified LDAP auto-search
profile.
aaa server ldap autosearch filter <profile_name> <filter_string>
This command is used to configure the search filter for the specified LDAP auto-search profile.
The search filter must be configured before the profile is enabled using the command “aaa server
ldap autosearch on <profile_name>”.
This command is also used to modify the existing configuration of the search filter for the
specified LDAP auto-search profile.
profile_name                    This parameter specifies the name of the LDAP auto-search profile.
filter_string                   This parameter specifies a filter string used to filter the LDAP
                                entries. Its value must be a string of 1 to 128 characters, which must
                                be enclosed by double quotes.
                                Please refer to the command “aaa server ldap searchfilter” for
                                details of the parameter explanation.
no aaa server ldap autosearch filter <profile_name>
This command is used to delete the search filter configured for the specified LDAP auto-search
profile.
show aaa server ldap autosearch filter <profile_name>
This command is used to display the search filter configured for the specified LDAP auto-search
profile.
aaa server ldap autosearch attribute <profile_name> <search_attribute>
This command is used to configure the LDAP attribute to be searched for the specified LDAP
auto-search profile. The LDAP attribute must be configured before the profile is enabled using the
command “aaa server ldap autosearch on <profile_name>”.
This command is also used to modify the existing configuration of the LDAP attribute to be
searched for the specified LDAP auto-search profile.
profile_name                    This parameter specifies the name of an existing LDAP auto-search
                                profile.
search_attribute                This parameter specifies the name of the LDAP attribute to be
                                searched. Its value must be a string of 1 to 32 characters.
no aaa server ldap autosearch attribute <profile_name>
This command is used to delete the configuration of the LDAP attribute to be searched for the
specified LDAP auto-search profile.
show aaa server ldap autosearch attribute <profile_name>
This command is used to display the configuration of the LDAP attribute to be searched for the
specified LDAP auto-search profile.
aaa server ldap autosearch time daily <profile_name> <hour>
This command is used to configure a daily auto-search frequency for the specified LDAP
auto-search profile. By default, auto-search is performed at 0:00 daily for the LDAP auto-search
profile.
This command is also used to modify the existing configuration of the daily auto-search frequency
for the specified LDAP auto-search profile.
profile_name                   This parameter specifies the name of an existing LDAP auto-search
                               profile.
hour                           This parameter specifies the hour when the daily auto-search is
                               carried out. Its value must be an integer ranging from 0 to 23,
                               indicating the hour ranging from 0:00 to 23:00.
aaa server ldap autosearch time weekly <profile_name> <hour> <day>
This command is used to configure a weekly auto-search frequency for the specified LDAP
auto-search profile.
This command is also used to modify the existing configuration of the weekly auto-search
frequency for the specified LDAP auto-search profile.
profile_name                   This parameter specifies the name of an existing LDAP auto-search
                               profile.
hour                           This parameter specifies the hour when the weekly auto-search is
                               carried out. Its value must be an integer ranging from 0 to 23,
                               indicating the hour ranging from 0:00 to 23:00.
day                            This parameter specifies the day when the weekly auto-search is
                               carried out. Its value must be one of “Monday”, “Tuesday”,
                               “Wednesday”, “Thursday”, “Friday”, “Saturday” and “Sunday”,
                               and is case-insensitive.
aaa server ldap autosearch time monthly <profile_name> <hour> <date>
This command is used to configure a monthly auto-search frequency for the specified LDAP
auto-search profile.
This command is also used to modify the existing configuration of the monthly auto-search
frequency for the specified LDAP auto-search profile.
profile_name                   This parameter specifies the name of an existing LDAP auto-search
                               profile.
hour                           This parameter specifies the hour when the monthly auto-search is
                               carried out. Its value must be an integer ranging from 0 to 23,
                               indicating the hour ranging from 0:00 to 23:00.
date                           This parameter specifies the date when the monthly auto-search is
                               carried out. Its value must be an integer ranging from 1 to 31.
                               If a month does not have the specified date, such as 31 in June, the
                               search will not be carried out in this month.
no aaa server ldap autosearch time <profile_name>
This command is used to delete the setting of the auto-search frequency for the specified LDAP
auto-search profile.
show aaa server ldap autosearch time <profile_name>
This command is used to display the setting of auto-search frequency for the specified LDAP
auto-search profile.
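The three frequency commands above define a daily, weekly or monthly schedule, with the monthly case carrying an edge case worth seeing worked through: a month that lacks the configured date is skipped rather than rounded. The following Python scheduler is an added illustration, not code from the handbook or from Array Networks; it assumes the same parameter ranges the commands state (hour 0 to 23, date 1 to 31, case-insensitive day names) and computes the next run time under each frequency so an administrator can predict when a profile will fire and which months will be silent.

```python
import calendar
from datetime import datetime, timedelta

# Day names accepted by "aaa server ldap autosearch time weekly"; matched case-insensitively.
WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def _check_hour(hour):
    # <hour> must be an integer from 0 to 23 (0:00 to 23:00)
    if not isinstance(hour, int) or not 0 <= hour <= 23:
        raise ValueError("hour must be an integer ranging from 0 to 23")


def _at_hour(now, hour):
    return now.replace(hour=hour, minute=0, second=0, microsecond=0)


def next_daily(now, hour=0):
    """Next daily run strictly after `now`. The handbook default is 0:00."""
    _check_hour(hour)
    candidate = _at_hour(now, hour)
    return candidate if candidate > now else candidate + timedelta(days=1)


def next_weekly(now, hour, day):
    """Next weekly run strictly after `now` on the named weekday (case-insensitive)."""
    _check_hour(hour)
    if day.lower() not in WEEKDAYS:
        raise ValueError("day must be one of Monday ... Sunday")
    candidate = _at_hour(now, hour)
    # datetime.weekday(): Monday == 0, which matches the WEEKDAYS index
    candidate += timedelta(days=(WEEKDAYS.index(day.lower()) - candidate.weekday()) % 7)
    return candidate if candidate > now else candidate + timedelta(days=7)


def next_monthly(now, hour, date):
    """Next monthly run strictly after `now`; months without `date` (e.g. 31 in June) are skipped."""
    _check_hour(hour)
    if not isinstance(date, int) or not 1 <= date <= 31:
        raise ValueError("date must be an integer ranging from 1 to 31")
    year, month = now.year, now.month
    while True:
        if date <= calendar.monthrange(year, month)[1]:
            candidate = datetime(year, month, date, hour)
            if candidate > now:
                return candidate
        # Advance one month; every date from 1 to 31 exists in some month of each year, so this ends.
        month, year = (month % 12) + 1, year + (month == 12)


def monthly_runs_in_year(year, hour, date):
    """All run times within `year` for a monthly schedule; shows which months are skipped."""
    runs, now = [], datetime(year - 1, 12, 31, 23, 59)
    while True:
        now = next_monthly(now, hour, date)
        if now.year != year:
            return runs
        runs.append(now)


if __name__ == "__main__":
    # Constructed reference time: Friday 1 June 2018, 12:00
    now = datetime(2018, 6, 1, 12, 0)
    print("daily  :", next_daily(now))
    print("weekly :", next_weekly(now, 2, "SATURDAY"))
    print("monthly:", next_monthly(now, 0, 31))
    print("months with a run for date 31:", [r.month for r in monthly_runs_in_year(2018, 0, 31)])
```

A monthly profile configured with date 31 runs only seven times a year; if a change-notification email is expected every month, pick a date that exists in every month (1 to 28) or use the daily frequency.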
aaa server ldap autosearch email <profile_name> <email_address>
This command is used to configure the email address for the specified LDAP auto-search profile.
When the search result is different from the last search result, an email will be sent to the
configured email addresses to notify the administrators of the LDAP entry changes. A maximum
of five “aaa server ldap autosearch email” configurations are supported for every profile. This
command configuration is optional for every profile.
profile_name                   This parameter specifies the name of the LDAP auto-search profile.
email_address                  This parameter specifies the email address. Its value must be a
                               string of 1 to 128 characters enclosed by double quotes.
no aaa server ldap autosearch email <profile_name> <email_address>
This command is used to delete the configuration of an email address for the specified LDAP
auto-search profile.
show aaa server ldap autosearch email <profile_name>
This command is used to display all the email addresses configured for the specified LDAP
auto-search profile.
aaa server ldap autosearch subject <profile_name> <email_subject>
This command is used to configure the email subject for the specified LDAP auto-search profile.
The subject will be used for sending emails to all the email addresses of this profile. This
command configuration is optional for every profile.
profile_name                   This parameter specifies the name of the LDAP auto-search profile.
email_subject                  This parameter specifies the email subject. Its value must be a
                               string of 1 to 256 characters enclosed by double quotes.
no aaa server ldap autosearch subject <profile_name>
This command is used to delete the configuration of the email subject for the specified LDAP
auto-search profile.
show aaa server ldap autosearch subject <profile_name>
This command is used to display the email subject configured for the specified LDAP auto-search
profile.
aaa server ldap autosearch {on|off} <profile_name>
This command is used to enable or disable the specified LDAP auto-search profile. Before
enabling the LDAP auto-search profile, make sure that related LDAP auto-search configurations
have been made.
profile_name                   This parameter specifies the name of an existing LDAP auto-search
                               profile.
show aaa server ldap autosearch status <profile_name>
This command is used to display the status of the specified LDAP auto-search profile.
aaa server ldap autosearch update <profile_name>
This command is used to carry out a search immediately based on the specified LDAP auto-search
profile.
profile_name                  This parameter specifies the name of an existing LDAP
                              auto-search profile.
aaa server ldap autosearch result <profile_name>
This command is used to display the search results and result changes of the specified LDAP
auto-search profile.
profile_name                   This parameter specifies the name of an existing LDAP auto-search
                               profile.
aaa server ldap autosearch acknowledge <profile_name>
This command is used to acknowledge the search result changes of the specified LDAP
auto-search profile.
profile_name                  This parameter specifies the name of an existing LDAP auto-search
                              profile.
RADIUS
aaa server radius host <radius_server_name> <ip> <authentication_port>
<secret> <retries> <timeout> [index] [accounting_port]
This command is used to configure a RADIUS host for a specified RADIUS server. A maximum
of three RADIUS hosts can be configured for one RADIUS server.
radius_server_name            This parameter specifies the name of an existing RADIUS server.
                              Its value must be a string of 1 to 32 characters.
ip                            This parameter specifies the IP address of the RADIUS host. Its
                              value must be an IPv4 address.
authentication_port           This parameter specifies the port number used for RADIUS
                              authentication. Its value must be an integer ranging from 1 to
                              65,535.
secret                        This parameter specifies the shared secret text string used by the
                              AG appliance and the RADIUS server to encrypt passwords and
                              exchange responses.
retries                       This parameter specifies the number of retries when connecting to
                              the RADIUS server. Its value must be an integer ranging from 1 to
                              65,535.
timeout                       This parameter specifies the timeout value of the search in seconds.
                              Its value must be an integer ranging from 1 to 65,535.
index                         Optional. This parameter specifies the host index. Its value must be
                              1, 2 or 3. The default value is 1.
accounting_port               Optional. This parameter specifies the port number used for
                              RADIUS accounting. Its value must be an integer ranging from 1 to
                              65,535. The default value is 1813.
no aaa server radius host <radius_server_name> <index>
This command is used to delete a RADIUS host configured for the specified RADIUS server.
show aaa server radius host <radius_server_name>
This command is used to display the RADIUS host(s) configured for the specified RADIUS
server.
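The “secret” parameter of “aaa server radius host” is described above as the string the AG appliance and the RADIUS server use to encrypt passwords and exchange responses. The following Python exchange is an added example, not code from the handbook or from Array Networks, showing exactly what that means under RFC 2865: the NAS hides the User-Password by XORing it with MD5(secret + Request Authenticator) and the server proves it holds the same secret by computing the Response Authenticator over its reply. The attribute numbers (User-Name 1, User-Password 2, NAS-IP-Address 4) are the ones in the handbook's attribute list; the shared secret, user database and addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct
from ipaddress import IPv4Address

# Packet codes (RFC 2865) and the attribute IDs from the handbook's list used in this example
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as performed by the RADIUS server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1) Value TLVs; Length counts the two header bytes."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    """NAS side: Access-Request carrying User-Name, hidden User-Password and NAS-IP-Address."""
    request_auth = request_auth or secrets.token_bytes(16)  # must be unpredictable per request
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, IPv4Address(nas_ip).packed),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(packet, secret, userdb):
    """Server side: recover the password, check it, answer with an authenticated Accept/Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("bad Access-Request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    accepted = hmac.compare_digest(userdb.get(user, b""), password)
    code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    reply_attrs = b""  # a group attribute such as Class (25) or Filter-Id (11) would be added here
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    return header + response_authenticator(code, ident, request_auth, reply_attrs, secret) + reply_attrs


def client_verify(reply, request, secret):
    """NAS side: trust the reply only if its ID matches and the Response Authenticator verifies."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    verified = ident == request[1] and hmac.compare_digest(expected, reply[4:20])
    return verified, code
```

Both sides derive everything from the shared secret and MD5, so the secret's length and randomness, and a per-request unpredictable Request Authenticator, are what stand between the password and anyone who can read the UDP exchange; the configured NAS-IP-Address is also the value the server typically uses to pick which client secret applies.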
aaa server radius attribute group <radius_server_name> <attribute>
This command is used to specify an attribute used to obtain the external RADIUS group of the
user from the RADIUS entry for the specified RADIUS server. Please note that individual
attributes may vary depending on the individual network requirements.
radius_server_name            This parameter specifies the name of an existing RADIUS server.
attribute                     This parameter specifies the ID of the attribute used to obtain the
                              external RADIUS group of the user from the RADIUS entry. Its
                              value must be an integer ranging from 1 to 63. For details of each
                              attribute, please refer to the following list.
                              Please note that the attributes may vary depending on the individual
                              network requirements.
1 User-Name
2 User-Password
3 CHAP-Password
4 NAS-IP-Address
5 NAS-Port
6 Service-Type
7 Framed-Protocol
8 Framed-IP-Address
9 Framed-IP-Netmask
10 Framed-Routing
11 Filter-Id
12 Framed-MTU
13 Framed-Compression
14 Login-IP-Host
15 Login-Service
16 Login-TCP-Port
17 (unassigned)
18 Reply-Message
19 Callback-Number
20 Callback-Id
21 (unassigned)
22 Framed-Route
23 Framed-IPX-Network
24 State
25 Class
26 Vendor-Specific
27 Session-Timeout
28 Idle-Timeout
29 Termination-Action
30 Called-Station-Id
31 Calling-Station-Id
32 NAS-Identifier
33 Proxy-State
34 Login-LAT-Service
35 Login-LAT-Node
36 Login-LAT-Group
37 Framed-AppleTalk-Link
38 Framed-AppleTalk-Network
39 Framed-AppleTalk-Zone
40-59 (reserved for accounting)
60 CHAP-Challenge
61 NAS-Port-Type
62 Port-Limit
63 Login-LAT-Port
        Note: To modify the existing attribute, please delete the existing configuration using the
        command “no aaa server radius attribute group” first.
no aaa server radius attribute group <radius_server_name>
This command is used to delete the configuration of the attribute used to obtain the external
RADIUS group of the user from the RADIUS entry for the specified RADIUS server.
show aaa server radius attribute group <radius_server_name>
This command is used to display the configuration of the attribute used to obtain the external
RADIUS group of the user from the RADIUS entry for the specified RADIUS server.
aaa server radius attribute clientip <radius_server_name> <attribute_ip>
<attribute_netmask>
This command is used to specify the attribute used to obtain the VPN client IP and netmask of the
user from the RADIUS entry for the specified RADIUS server.
radius_server_name              This parameter specifies the name of an existing RADIUS server.
attribute_ip                    This parameter specifies the ID of the attribute used to obtain the
                                VPN client IP of the user from the RADIUS entry for the specified
                                RADIUS server.
attribute_netmask               This parameter specifies the ID of the attribute used to obtain the
                                VPN netmask of the user from the RADIUS entry for the specified
                                RADIUS server.
no aaa server radius attribute clientip <radius_server_name>
This command is used to delete the configuration of the attributes used to obtain the VPN client IP
and netmask of the user from the RADIUS entry for the specified RADIUS server.
show aaa server radius attribute clientip <radius_server_name>
This command is used to display the configuration of the attributes used to obtain the VPN client
IP and netmask of the user from the RADIUS entry for the specified RADIUS server.
aaa server radius attribute phonenumber <radius_server_name>
<attribute>
This command is used to specify the attribute used to obtain the mobile phone numbers of the user
from the RADIUS entry for the specified RADIUS server.
radius_server_name              This parameter specifies the name of an existing RADIUS server.
attribute                       This parameter specifies the attribute used to obtain the mobile
                                phone numbers of the user from the RADIUS entry. Its value must
                                be a string of 1 to 80 characters.
no aaa server radius attribute phonenumber <radius_server_name>
This command is used to delete the attribute used to obtain the mobile phone number of the user
from the RADIUS entry for the specified RADIUS server.
show aaa server radius attribute phonenumber <radius_server_name>
This command is used to display the attribute used to obtain the mobile phone number of the user
from the RADIUS entry for the specified RADIUS server.
aaa server radius defaultgroup <radius_server_name> <group>
This command is used to configure the default group assigned to authenticated users for whom no
RADIUS group is obtained for the specified RADIUS server.
radius_server_name             This parameter specifies the name of an existing RADIUS server.
group                          This parameter specifies the default RADIUS group name. Its value
                               must be a string of 1 to 80 characters.
no aaa server radius defaultgroup <radius_server_name>
This command is used to delete the default group assigned to authenticated users for whom no
RADIUS group is obtained for the specified RADIUS server.
show aaa server radius defaultgroup <radius_server_name>
This command is used to display the default group assigned to authenticated users for whom no
RADIUS group is obtained for the specified RADIUS server.
aaa server radius nasip <radius_server_name> <nasip>
This command is used to set the “NAS-IP-Address” (IP address of NAS, Network Access Server)
attribute in the RADIUS requests for the specified RADIUS server. If this command is not
configured, the system will select an available port IP address as the NAS IP address in the
sequence of “port1, port2, port3…”.
radius_server_name             This parameter specifies the name of an existing RADIUS server.
nasip                          This parameter specifies the NAS IP address for the RADIUS
                               server. Its value must be an IPv4 address.
        Note: The “NAS-IP-Address” attribute must be specified if only the bond or VLAN
        interface is configured with the IP address but no system interface is configured with the IP
        address on the AG appliance.
no aaa server radius nasip <radius_server_name>
This command is used to delete the setting of the “NAS-IP-Address” attribute for the specified
RADIUS server.
show aaa server radius nasip <radius_server_name>
This command is used to display the setting of the “NAS-IP-Address” attribute for the specified
RADIUS server.
Certificate
aaa server certificate authenticate type <cert_server_name>
<authentication_type>
This command is used to set the Certificate server used for authentication and the authentication
type of the Certificate server.
cert_server_name                This parameter specifies the name of an existing Certificate server
                                used for authentication.
authentication_type             This parameter specifies the authentication type of the Certificate
                                server. Its value must be:
                                    • anonymous: indicates the system will only authenticate the
                                      user’s SSL client certificate.
                                    • challenge: indicates the system will authenticate the user’s
                                      SSL client certificate and validate that the username and
                                      password of the user’s account exist on the LDAP or
                                      LocalDB server assisting the Certificate server in
                                      authentication.
                                    • nochallenge: indicates the system will authenticate the user’s
                                      SSL client certificate and validate that the username of the
                                      user’s account exists on the LDAP or LocalDB server assisting
                                      the Certificate server in authentication.
        Note: For the authentication types “challenge” and “nochallenge”, the administrator needs
        to set the type of the AAA server assisting this Certificate server in authentication using
        the “aaa server certificate authenticate server” command and configure other related
        settings. For the authentication type “challenge”, after passing the certificate
        authentication, the user will be directed to the challenge page, requiring the user to enter
        the (username and) password. For details, please refer to the command “aaa server
        certificate authenticate userid”.
no aaa server certificate authenticate type <cert_server_name>
This command is used to delete the configuration of the Certificate server used for authentication.
show aaa server certificate authenticate type <cert_server_name>
This command is used to display the configuration of the Certificate server used for
authentication.
aaa server certificate anonymous <cert_server_name> <cert_field>
This command is used to set the certificate field used to obtain the username of the user account
from the certificate for the specified Certificate server used for authentication of the “anonymous”
type. If this command is not configured, the default username of the user account is “cert user”.
The value of the specified certificate field will be used as the account name of the user and will be
displayed on the portal welcome page when the user passes the certificate authentication.
cert_server_name                This parameter specifies the name of an existing Certificate server.
cert_field                      This parameter specifies the certificate field used to obtain the
                                username of the user account from the certificate. Its value must be
                                a string of 1 to 256 characters and must be one of:
                                    • Standard certificate field names
                                    • All standard OIDs in the standard certificate fields (in the
                                      format of x.x.x.x and must be enclosed by double quotes)
                                    • Standard extension OIDs in the extension field (in the format
                                      of x.x.x.x and must be enclosed by double quotes)
                                    • Combination of the DN name and OID (in the format of
                                      DN.OID)
                                    • Standard extension field names in the extension field (only
                                      ext.subjectAltName and ext.issuerAltName).
                                For a detailed description of the values of the “cert_field”
                                parameter, please refer to the command “aaa server certificate
                                externalgroup”.
The following table describes the values of the “cert_field” parameter in detail.
Value                                    Description
Standard certificate field names         The “cert_field” parameter supports the following standard
                                         certificate field names:
                                         • subject and subject.cn/c/o/ou/st/l/emailaddress/pseudonym/
                                           title/sn/name/surname/givenname/initials/dnqualifier/gq/dn/dc
                                           (certificate’s subject field)
                                         • issuer and issuer.cn/c/o/ou/st/l/emailaddress/pseudonym/
                                           title/sn/name/surname/givenname/initials/dnqualifier/gq/dc
                                           (certificate’s issuer field)
                                         • serial (certificate’s serial number field)
                                         • notbefore (certificate’s not before field)
                                         • notafter (certificate’s not after field)
                                         • commonname (certificate’s common name field, same as
                                           subject.cn)
                                         • validity (certificate’s validity field)
                                         • publickey (certificate’s public key field)
All standard OIDs in the standard        OIDs for the standard certificate field names
certificate fields
Standard extension OIDs in the           The “cert_field” parameter supports the following standard
extension field                          extension OIDs enclosed by double quotes:
                                         • 2.5.29.35
                                         • 2.5.29.14
                                         • 2.5.29.15
                                         • 2.5.29.32
                                         • 2.5.29.33
                                         • 2.5.29.17
                                         • 2.5.29.18
                                         • 2.5.29.9
                                         • 2.5.29.19
                                         • 2.5.29.30
                                         • 2.5.29.36
                                         • 2.5.29.37
                                         • 2.5.29.31
                                         • 2.5.29.54
                                         • 2.5.29.46
Combination of the DN name and OID       The “cert_field” parameter supports the following combinations
                                         of the DN name and OID:
                                         • subject.oid: for example, subject.1.2.840.113549.1.9.1
                                           indicates the OID 1.2.840.113549.1.9.1 (email address) in
                                           the certificate’s subject field.
                                         • issuer.oid: for example, issuer.1.2.840.113549.1.9.1
                                           indicates the OID 1.2.840.113549.1.9.1 (email address) in
                                           the certificate’s issuer field.
                                         • ext.oid: for example, ext.2.5.29.35 indicates the OID
                                           2.5.29.35 in the certificate’s extension field.
                                         • oid.oid: for example, oid.2.5.29.17 indicates the OID
                                           2.5.29.17 in the entire certificate’s To Be Signed (TBS)
                                           part.
Standard extension field names in the    The “cert_field” parameter supports only the following two
extension field                          standard extension field names:
                                         • ext.subjectAltName
                                         • ext.issuerAltName
no aaa server certificate anonymous <cert_server_name>
This command is used to delete the configuration of the certificate field used to obtain the
username of the user account from the certificate for the specified Certificate server used for
authentication of the “anonymous” type.
show aaa server certificate anonymous <cert_server_name>
This command is used to display the configuration of the certificate field used to obtain the
username of the user account from the certificate for the specified Certificate server used for
authentication of the “anonymous” type.
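The “cert_field” value decides which part of the client certificate becomes the account name, so it is worth being able to check a candidate value offline before committing it to a Certificate server. The following Python parser is an added example, not code from the handbook or from Array Networks; its grammar is inferred from the cert_field table above (plain field names, DN attributes, double-quoted OIDs, DN.OID combinations and the two extension names), and it is an assumption that the appliance classifies values the same way and treats them as case-sensitive. It only classifies the configuration string; it does not read certificates.

```python
import re

# Accepted values, transcribed from the handbook's cert_field table (assumption: the appliance
# parses them the same way; it may be stricter in places this example does not know about).
DN_ATTRS = {"cn", "c", "o", "ou", "st", "l", "emailaddress", "pseudonym", "title", "sn", "name",
            "surname", "givenname", "initials", "dnqualifier", "gq", "dc"}
SUBJECT_ATTRS = DN_ATTRS | {"dn"}          # the table lists "dn" for the subject only
PLAIN_FIELDS = {"subject", "issuer", "serial", "notbefore", "notafter", "commonname",
                "validity", "publickey"}
EXT_NAMES = {"subjectAltName", "issuerAltName"}
EXTENSION_OIDS = {"2.5.29.35", "2.5.29.14", "2.5.29.15", "2.5.29.32", "2.5.29.33", "2.5.29.17",
                  "2.5.29.18", "2.5.29.9", "2.5.29.19", "2.5.29.30", "2.5.29.36", "2.5.29.37",
                  "2.5.29.31", "2.5.29.54", "2.5.29.46"}
OID_RE = re.compile(r"^\d+(\.\d+)+$")


def parse_cert_field(value):
    """Classify a cert_field value as (kind, scope, selector) or raise ValueError.

    kind is one of "field", "dn-attribute", "standard-oid", "extension-oid",
    "dn-oid" or "extension-name"; scope is the DN name (subject/issuer/ext/oid) when present.
    """
    if not 1 <= len(value) <= 256:
        raise ValueError("cert_field must be a string of 1 to 256 characters")
    # A bare OID is only valid when enclosed in double quotes.
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        oid = value[1:-1]
        if not OID_RE.match(oid):
            raise ValueError("a quoted value must be an OID in the format x.x.x.x")
        return ("extension-oid" if oid in EXTENSION_OIDS else "standard-oid", None, oid)
    if OID_RE.match(value):
        raise ValueError("an OID must be enclosed by double quotes")
    if value in PLAIN_FIELDS:
        return ("field", None, value)
    scope, sep, rest = value.partition(".")
    if not sep or not rest:
        raise ValueError(f"unknown cert_field value {value!r}")
    # DN.OID combinations: subject.oid, issuer.oid, ext.oid (extension field), oid.oid (whole TBS)
    if scope in ("subject", "issuer", "ext", "oid") and OID_RE.match(rest):
        return ("dn-oid", scope, rest)
    if scope == "subject" and rest in SUBJECT_ATTRS:
        return ("dn-attribute", scope, rest)
    if scope == "issuer" and rest in DN_ATTRS:
        return ("dn-attribute", scope, rest)
    if scope == "ext" and rest in EXT_NAMES:
        return ("extension-name", scope, rest)
    raise ValueError(f"unknown cert_field value {value!r}")


if __name__ == "__main__":
    # Constructed sample values, including two the table does not allow
    for sample in ("subject.cn", "commonname", '"2.5.29.17"', "subject.1.2.840.113549.1.9.1",
                   "ext.subjectAltName", "2.5.29.17", "issuer.dn"):
        try:
            print(f"{sample:32} -> {parse_cert_field(sample)}")
        except ValueError as err:
            print(f"{sample:32} -> rejected: {err}")
```

When choosing the field, prefer one the issuing CA guarantees to be unique per person (typically the subject email address or a subjectAltName entry); a selector such as subject.cn or subject.o can legitimately repeat across certificates, which matters because the value becomes the account name shown on the portal and, for the “challenge” and “nochallenge” types, the name looked up on the assisting LDAP or LocalDB server.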
aaa server certificate authenticate userid <cert_server_name> <id_action>
This command is used to set the user ID action for the specified Certificate server whose
authentication type is “challenge”. When this command is not configured, the username text box
will not be displayed for the user to enter the username on the Certificate challenge page. The
value of the certificate field specified by the command “aaa server certificate ldap search” or
“aaa server certificate localdb search” will be used as the username.
This command is also used to modify the existing configuration of the user ID action of the
specified Certificate server used for authentication.
cert_server_name                This parameter specifies the name of an existing Certificate server
                                whose authentication type is “challenge”.
id_action                       This parameter specifies the user ID action for the Certificate
                                server. Its value must be:
                                    • showid: indicates that the username text box will be displayed
                                      on the Certificate challenge page and the value of the
                                      certificate field specified by the command “aaa server
                                      certificate ldap search” or “aaa server certificate localdb
                                      search” is displayed as the username.
                                    • getid: indicates that the username text box will be displayed on
                                      the Certificate challenge page and the user needs to enter the
                                      username manually.
no aaa server certificate authenticate userid <cert_server_name>
This command is used to delete the configuration of the user ID action for the specified Certificate
server whose authentication type is “challenge”.
show aaa server certificate authenticate userid <cert_server_name>
This command is used to display the configuration of the user ID action for the specified
Certificate server whose authentication type is “challenge”.
aaa server certificate authenticate server <cert_server_name>
<server_type>
This command is used to set the type of the AAA server assisting the specified Certificate server
in authentication. This command needs to be configured only when the authentication type of the
Certificate server is “challenge” or “nochallenge”.
cert_server_name                This parameter specifies the name of an existing Certificate server
                                used for authentication.
server_type                     This parameter specifies the type of the AAA server assisting the
                                Certificate server for authentication. Its value must be:
                                    localdb: indicates that the virtual site’s LocalDB server will
                                     assist the Certificate server in authentication.
                                    ldap: indicates that the LDAP server specified by the “aaa
                                     server certificate ldap serverid” command will assist the
                                     Certificate server in authentication.
no aaa server certificate authenticate server <cert_server_name>
This command is used to delete the configuration of the type of the AAA server assisting the
specified Certificate server in authentication.
show aaa server certificate authenticate server <cert_server_name>
This command is used to display the configuration of the type of the AAA server assisting the
specified Certificate server in authentication.
aaa server certificate ldap serverid <cert_server_name>
<ldap_server_name>
This command is used to set the LDAP server used to assist the specified Certificate server in
authentication or authorization.
cert_server_name                This parameter specifies the name of an existing Certificate server.
ldap_server_name                This parameter specifies the name of an existing LDAP server.
no aaa server certificate ldap serverid <cert_server_name>
This command is used to delete the configuration of the LDAP server used to assist the specified
Certificate server in authentication or authorization.
show aaa server certificate ldap serverid <cert_server_name>
This command is used to display the configuration of the LDAP server used to assist the specified
Certificate server in authentication or authorization.
aaa server certificate ldap search <cert_server_name> <cert_field>
<ldap_attribute> [user_id]
This command is used to configure the search filter for the specified Certificate server using an
LDAP server to assist in authentication or authorization.
When the authentication type of the Certificate server is “nochallenge” or “challenge”, the LDAP
attribute specified by the “ldap_attribute” parameter and the value of the certificate field specified
by the “cert_field” parameter in the client certificate will constitute the search filter. For the
authentication type “nochallenge”, if any LDAP entry on the LDAP server matches this search
filter, the user passes the authentication and the value of the certificate field specified by the
“cert_field” parameter in the client certificate will be displayed as the username in the portal
welcome page. For the authentication type “challenge”, if any LDAP entry on the LDAP server
matches this search filter and the username and password on the Certificate challenge page, the
user passes the authentication and the value of the LDAP attribute specified by the “user_id”
parameter in the retrieved LDAP entry will be displayed as the username in the portal welcome
page.
cert_server_name                This parameter specifies the name of an existing Certificate server.
cert_field                      This parameter specifies the certificate field used to obtain the
                                username of the user account from the certificate. Its value must be
                                a string of 1 to 256 characters. Its value must be:
                                     Standard certificate field names
                                     All standard OIDs in the standard certificate fields (in the
                                      format of x.x.x.x and must be enclosed by double quotes)
                                     Standard extension OIDs in the extension field (in the format
                                      of x.x.x.x and must be enclosed by double quotes)
                                     Combination of the DN name and OID (in the format of
                                      DN.OID)
                                    Standard extension field names in the extension field (only
                                     ext.subjectAltName and ext.issuerAltName).
                                For a detailed description of the values of the “cert_field” parameter,
                                please refer to the command “aaa server certificate
                                externalgroup”.
ldap_attribute                  This parameter specifies the LDAP attribute used to constitute the
                                search filter. Its value must be a string of 1 to 80 characters.
user_id                         Optional. This parameter specifies the LDAP attribute used to
                                identify the user. If this parameter is not specified, the default value
                                is the same as the value of the “ldap_attribute” parameter.
no aaa server certificate ldap search <cert_server_name>
This command is used to delete the search rule configured for the specified Certificate server
using an LDAP server to assist in authentication or authorization.
show aaa server certificate ldap search <cert_server_name>
This command is used to display the search filter configured for the specified Certificate server
using an LDAP server to assist in authentication or authorization.
aaa server certificate localdb search <cert_server_name> <cert_field>
This command is used to configure the search filter for the specified Certificate server using the
LocalDB server to assist in authentication or authorization.
For the authentication type “nochallenge”, if the username of any LocalDB account on the
LocalDB server matches the value of the certificate field specified by the “cert_field” parameter in
the client certificate, the user passes the authentication and the certificate field specified by the
“cert_field” parameter in the client certificate will be displayed as the username in the portal
welcome page. For the authentication type “challenge”, if the username and password of any
LocalDB account on the LocalDB server match the username and password entered on the
Certificate challenge page, the user passes the authentication and the username entered on the
Certificate challenge page will be displayed as the username in the portal welcome page.
cert_server_name                This parameter specifies the name of an existing Certificate server
                                used for authentication.
cert_field                      This parameter specifies the certificate field used to obtain the
                                username of the user account from the certificate. Its value must be
                                a string of 1 to 32 characters and must be:
                                    Standard certificate field names
                                    All standard OIDs in the standard certificate fields (in the
                                       format of x.x.x.x and must be enclosed by double quotes)
                                      Standard extension OIDs in the extension field (in the format
                                       of x.x.x.x and must be enclosed by double quotes)
                                      Combination of the DN name and OID (in the format of
                                       DN.OID)
                                      Standard extension field names in the extension field (only
                                       ext.subjectAltName and ext.issuerAltName).
                                  For a detailed description of the values of the “cert_field” parameter,
                                  please refer to the command “aaa server certificate
                                  externalgroup”.
no aaa server certificate localdb search <cert_server_name>
This command is used to delete the search filter configured for the specified Certificate server
using the LocalDB server to assist in authentication or authorization.
show aaa server certificate localdb search <cert_server_name>
This command is used to display the search filter configured for the specified Certificate server
using the LocalDB server to assist in authentication or authorization.
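As an added illustration, not taken from this handbook or from the Array Networks product code, the following Python models how the “ldap search” and “localdb search” commands above reach their decision: the LDAP filter is composed from the configured attribute and the certificate field value, the “nochallenge” and “challenge” outcomes are evaluated against a constructed directory and a constructed LocalDB, and the portal username is chosen as described. The sample certificate, the directory entries, the “userPassword” attribute used to model the challenge check, and the RFC 4515 escaping of the certificate value are all assumptions of this example; the handbook does not say how the appliance quotes the value it places in the filter.

```python
import re

# Constructed sample data (not from the handbook). The client certificate is
# modelled as a dict of subject/extension fields keyed by the cert_field names
# the handbook accepts; a real implementation reads them from the X.509
# certificate presented during the TLS handshake.
SAMPLE_CERT = {
    "CN": "alice",
    "emailAddress": "alice@example.test",
    "ext.subjectAltName": "alice@example.test",
}

# Constructed LDAP directory. "userPassword" is an assumption used only to
# model the challenge check; a real LDAP server verifies the credentials itself.
SAMPLE_LDAP = [
    {"uid": "alice", "mail": "alice@example.test",
     "displayName": "Alice Liddell", "userPassword": "correct horse"},
    {"uid": "bob", "mail": "bob@example.test",
     "displayName": "Bob Builder", "userPassword": "battery staple"},
]

# Constructed LocalDB accounts: username -> password.
SAMPLE_LOCALDB = {"alice": "correct horse", "bob": "battery staple"}


def ldap_escape(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3).
    '(', ')', '*', backslash and NUL become \\XX so that a certificate field
    such as 'alice)(uid=*' cannot change the meaning of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_search_filter(cert: dict, cert_field: str, ldap_attribute: str) -> str:
    """Compose the filter that 'aaa server certificate ldap search' builds from
    the configured LDAP attribute and the value of cert_field in the client cert."""
    if cert_field not in cert:
        raise KeyError(f"client certificate has no field {cert_field!r}")
    return f"({ldap_attribute}={ldap_escape(cert[cert_field])})"


def _ldap_search(directory: list, search_filter: str) -> list:
    """Minimal equality-filter evaluator over the constructed directory."""
    attr, _, raw = search_filter.strip("()").partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return [e for e in directory if str(e.get(attr, "")).lower() == value.lower()]


def certificate_ldap_auth(cert, cert_field, ldap_attribute, user_id=None,
                          auth_type="nochallenge", entered_username=None,
                          entered_password=None, directory=SAMPLE_LDAP):
    """Return (passed, username shown on the portal welcome page) for a
    Certificate server assisted by an LDAP server."""
    matches = _ldap_search(directory, build_search_filter(cert, cert_field, ldap_attribute))
    if auth_type == "nochallenge":
        # Any matching entry passes; the certificate field value is displayed.
        return (bool(matches), cert[cert_field] if matches else None)
    if auth_type == "challenge":
        # The entry must match the filter and the credentials typed on the
        # challenge page. Assumption: the typed username is compared against the
        # same attribute used in the filter. The attribute named by user_id (or
        # ldap_attribute when user_id is omitted) is displayed.
        user_id = user_id or ldap_attribute
        for entry in matches:
            if (entry.get(ldap_attribute) == entered_username
                    and entry.get("userPassword") == entered_password):
                return (True, entry.get(user_id))
        return (False, None)
    raise ValueError("auth_type must be 'nochallenge' or 'challenge'")


def certificate_localdb_auth(cert, cert_field, auth_type="nochallenge",
                             entered_username=None, entered_password=None,
                             accounts=SAMPLE_LOCALDB):
    """Same decision for a Certificate server assisted by the LocalDB server."""
    if auth_type == "nochallenge":
        # The certificate field value must equal the username of a LocalDB account.
        passed = cert.get(cert_field) in accounts
        return (passed, cert[cert_field] if passed else None)
    if auth_type == "challenge":
        # Only the typed username/password are checked; the typed name is displayed.
        passed = entered_username in accounts and accounts[entered_username] == entered_password
        return (passed, entered_username if passed else None)
    raise ValueError("auth_type must be 'nochallenge' or 'challenge'")
```

The escaping step is the point a reviewer of such an integration would check: the value placed in the filter comes from a certificate, and a subject field containing filter metacharacters must not be able to widen the match.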
The following commands are used to configure authorization using the Certificate server.
During the authorization using the Certificate server, the external group name of the user can be
obtained from three ways:
    Specified certificate field in the client certificate
    LDAP server
    LocalDB
The three ways are mutually exclusive for one Certificate server used for authorization.
aaa server certificate externalgroup <cert_server_name> <cert_field>
This command is used to set the certificate field used to obtain the external group name for the
specified Certificate server. The value of the certificate field in the client certificate will be used as
the external group name of the user.
cert_server_name                  This parameter specifies the name of an existing Certificate server.
cert_field                        This parameter specifies the certificate field used to obtain the
                                  external group name in the client certificate. Its value must be a
                                  string of 1 to 64 characters. Its value must be:
                                      Standard certificate field names
                                      All standard OIDs in the standard certificate fields (in the
                                     format of x.x.x.x and must be enclosed by double quotes)
                                    Standard extension OIDs in the extension field (in the format
                                     of x.x.x.x and must be enclosed by double quotes)
                                    Combination of the DN name and OID (in the format of
                                     DN.OID)
                                    Standard extension field names in the extension field (only
                                     ext.subjectAltName and ext.issuerAltName).
no aaa server certificate externalgroup <cert_server_name>
This command is used to delete the configuration of the certificate field used to obtain the external
group name for the specified Certificate server.
aaa server certificate externaldefault <cert_server_name> <default_group>
This command is used to configure the default group assigned to a user for the specified
Certificate server when the system fails to obtain the external group name from the specified
certificate field in the client certificate.
cert_server_name                This parameter specifies the name of an existing Certificate server.
default_group                   This parameter specifies the default group name. Its value must be a
                                string of 1 to 64 characters.
no aaa server certificate externaldefault <cert_server_name>
This command is used to delete the configuration of the default group assigned to a user for the
specified Certificate server when the system fails to obtain the external group name from the
specified certificate field in the client certificate.
aaa server certificate authorize server <cert_server_name> <server_type>
This command is used to set the type of the AAA server assisting the specified Certificate server
in authorization.
cert_server_name                This parameter specifies the name of an existing Certificate server
                                used for authorization. Its value must be a string of 1 to 32
                                characters.
server_type                     This parameter specifies the type of the AAA server assisting the
                                specified Certificate server in authorization. Its value must be:
                                    localdb: indicates that the virtual site’s LocalDB server will
                                     assist the Certificate server in authorization.
                                    ldap: indicates that the LDAP server specified by the “aaa
                                     server certificate ldap serverid” command will assist the
                                     Certificate server in authorization.
        Note: If the “server_type” parameter is set to “ldap” and the system fails to obtain the
        external group name for the user from the LDAP server, the system will use the default
        group setting configured for the LDAP server itself using the command “aaa server ldap
        attribute defaultgroup”.
no aaa server certificate authorize server <cert_server_name>
This command is used to delete the configuration of the type of the AAA server assisting the
specified Certificate server in authorization.
show aaa server certificate authorize server <cert_server_name>
This command is used to display the configuration of the type of the AAA server assisting the
specified Certificate server in authorization.
aaa server certificate localdb defaultgroup <cert_server_name>
<default_group>
This command is used to configure the default group assigned to users for the specified
Certificate server when the system fails to obtain the group name for the user from the LocalDB
server. If this command is not configured and the system fails to obtain the group name for the
user from the LocalDB server, the group name of the user will be empty rather than the default
group setting for the LocalDB server itself.
cert_server_name                This parameter specifies the name of an existing Certificate server.
default_group                   This parameter specifies the name of the default group in LocalDB.
no aaa server certificate localdb defaultgroup <cert_server_name>
This command is used to delete the configuration of the default group assigned to users for the
specified Certificate server when the system fails to obtain the group name for the user from
the LocalDB server.
show aaa server certificate localdb defaultgroup <cert_server_name>
This command is used to display the configuration of the default group assigned to users for the
specified Certificate server when the system fails to obtain the group name for the user from the
LocalDB server.
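The authorization commands above describe three mutually exclusive sources for the external group name, each with its own fallback: the “externaldefault” group when the certificate field is missing, the LDAP server's own “aaa server ldap attribute defaultgroup” when the LDAP lookup fails, and the Certificate server's “localdb defaultgroup” (or an empty group, never LocalDB's own default) when the LocalDB lookup fails. The following Python is an added example that encodes those rules as one resolver; it is not the appliance's code. The dataclasses, the “group_attribute” name, the constructed accounts and entries, and the treatment of a missing “externaldefault” as an empty group are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class CertAuthzConfig:
    """Authorization settings of one Certificate server (constructed for this example)."""
    source: str                              # "certificate", "ldap" or "localdb"; one per server
    cert_field: Optional[str] = None         # aaa server certificate externalgroup
    external_default: Optional[str] = None   # aaa server certificate externaldefault
    localdb_default: Optional[str] = None    # aaa server certificate localdb defaultgroup


@dataclass
class LdapServer:
    """The LDAP server named by 'aaa server certificate ldap serverid'."""
    entries: dict                            # username -> {attribute: value} (constructed)
    group_attribute: str                     # attribute holding the group name (assumption)
    default_group: Optional[str] = None      # aaa server ldap attribute defaultgroup


@dataclass
class LocalDb:
    """The virtual site's LocalDB server."""
    accounts: dict                           # username -> group name or None (constructed)
    default_group: Optional[str] = None      # LocalDB's own default; deliberately not used below


def resolve_external_group(cfg: CertAuthzConfig, cert: dict, username: str,
                           ldap: Optional[LdapServer] = None,
                           localdb: Optional[LocalDb] = None) -> str:
    """Return the external group name the user ends up with, following the
    fallback rule of each of the three mutually exclusive sources.
    An empty string means the user has no group."""
    if cfg.source == "certificate":
        group = cert.get(cfg.cert_field) if cfg.cert_field else None
        if group:
            return group
        # Field missing or empty: the externaldefault group applies. The handbook
        # does not state the outcome when no externaldefault is configured either;
        # this example treats that as no group (assumption).
        return cfg.external_default or ""
    if cfg.source == "ldap":
        entry = ldap.entries.get(username, {})
        group = entry.get(ldap.group_attribute)
        # Falls back to the LDAP server's own default group, as the Note under
        # 'aaa server certificate authorize server' states.
        return group or ldap.default_group or ""
    if cfg.source == "localdb":
        group = localdb.accounts.get(username)
        if group:
            return group
        # Falls back to the Certificate server's localdb defaultgroup; when that
        # is not configured the group is empty even though LocalDB has its own.
        return cfg.localdb_default or ""
    raise ValueError("source must be 'certificate', 'ldap' or 'localdb'")
```

The difference between the “ldap” and “localdb” branches is the practical point: with LocalDB, forgetting to configure the Certificate server's own default group yields a user with no group at all rather than the LocalDB default, which matters when group membership gates resource access.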
aaa server certificate sms type <cert_server_name>
{certificate|ldap|localdb}
This command is used to set how to obtain mobile phone numbers of users from the specified
Certificate server.
cert_server_name                This parameter specifies the name of an existing Certificate server.
certificate|ldap|localdb        This parameter specifies how to obtain mobile phone numbers of
                                users. Its value must be:
                                    certificate: indicates that the system obtains mobile phone
                                     numbers of users from certificates stored on the Certificate
                                     server.
                                    ldap: indicates that the system obtains mobile phone numbers
                                     of users from the LDAP server that is used by the Certificate
                                     server for authentication or authorization.
                                    localdb: indicates that the system obtains mobile phone
                                     numbers of users from LocalDB that is used by the Certificate
                                     server for authentication or authorization.
        Note: If the “certificate|ldap|localdb” parameter is set to “ldap” or “localdb”, the associated
        LDAP server or LocalDB configured in the command “aaa server certificate authenticate
        server <server_name> {localdb|ldap}” or “aaa server certificate authorize server
        <server_name> {localdb|ldap}” must actually be used for authentication or authorization.
        Otherwise, mobile phone numbers of users cannot be obtained.
no aaa server certificate sms type <cert_server_name>
This command is used to delete the configuration of how to obtain mobile phone numbers of users
from the specified Certificate server.
show aaa server certificate sms type <cert_server_name>
This command is used to display the configuration of how to obtain mobile phone numbers of
users from the specified Certificate server.
aaa server certificate sms certificate <cert_server_name> <cert_field>
This command is used to set the certificate field used to obtain mobile phone numbers of users on
the specified Certificate server. This command needs to be configured when the
“certificate|ldap|localdb” parameter is set to “certificate” in the command “aaa server certificate
sms type”.
cert_server_name                This parameter specifies the name of an existing Certificate server.
cert_field                      This parameter specifies the certificate field used to obtain mobile
                                phone numbers of users. Its value must be a string of 1 to 80
                                characters and must be:
                                    Standard certificate field names
                                    All standard OIDs in the standard certificate fields (in the
                                     format of x.x.x.x and must be enclosed by double quotes)
                                    Standard extension OIDs in the extension field (in the format
                                     of x.x.x.x and must be enclosed by double quotes)
                                    Combination of the DN name and OID (in the format of
                                     DN.OID)
                                    Standard extension field names in the extension field (only
                                     ext.subjectAltName and ext.issuerAltName).
                                For a detailed description of the values of the “cert_field” parameter,
                                please refer to the command “aaa server certificate
                                externalgroup”.
no aaa server certificate sms certificate <cert_server_name>
This command is used to delete the configuration of the certificate field used to obtain mobile
phone numbers of users on the specified Certificate server.
show aaa server certificate sms certificate <cert_server_name>
This command is used to display the configuration of the certificate field used to obtain mobile
phone numbers of users on the specified Certificate server.
aaa server certificate sms ldap <cert_server_name> <attribute>
This command is used to set the LDAP entry’s attribute used to obtain mobile phone numbers of
users from the LDAP server used by the Certificate server for authentication or authorization. This
command needs to be configured when the “certificate|ldap|localdb” parameter is set to “ldap” in
the command “aaa server certificate sms type”.
cert_server_name                This parameter specifies the name of an existing Certificate server.
attribute                       This parameter specifies the LDAP entry’s attribute from which the
                                AAA obtains mobile phone numbers of users. Its value must be a
                                string of 1 to 80 characters.
no aaa server certificate sms ldap <cert_server_name>
This command is used to delete the configuration of the LDAP entry’s attribute used to obtain
mobile phone numbers of users from the LDAP server used by the Certificate server for
authentication or authorization.
show aaa server certificate sms ldap <cert_server_name>
This command is used to display the configuration of the LDAP entry’s attribute used to obtain
mobile phone numbers of users from the LDAP server used by the Certificate server for
authentication or authorization.
SMS
aaa server sms host <sms_server_name> <host_ip> <host_port> <protocol>
[user_name] [password] [service_id] [source_number]
[conn_reuse|conn_close] [tls_flag]
This command is used to configure a host for the specified Short Message Service (SMS) server.
Only one host can be configured for each SMS server.
sms_server_name               This parameter specifies the name of an existing SMS server.
host_ip                       This parameter specifies the IP address of the SMS host. Its value
                              must be an IPv4 address.
host_port                     This parameter specifies the port used by the host to communicate
                              with the AAA. Its value must be an integer ranging from 0 to
                              65535.
protocol                      This parameter specifies the protocol type used by the SMS server.
                              Its value is case-insensitive and must be:
                                  CMPP2: indicates the CMPPv2.0 protocol.
                                  CMPP3: indicates the CMPPv3.0 protocol.
                                  EM: indicates the EM proprietary protocol.
                                  CUSTOM: indicates the custom protocol.
                              If the administrator needs to use the CUSTOM protocol, the SMS
                              authentication request template must be imported via the “aaa
                              server sms custom import request” command and SMS
                              authentication response filter rule must be configured via the “aaa
                              server sms custom result” command.
user_name                     Optional. This parameter specifies the username used to log into the
                              host of the SMS server. Its value must be enclosed by double quotes
                              when beginning with a non-alphabetical character.
                              The default value is empty, indicating that authentication is not
                              required by the SMS host.
password                      Optional. This parameter specifies the password used to log into the
                              host of the SMS server. Its value must be enclosed by double quotes
                              when beginning with a non-alphabetical character.
                              The default value is empty, indicating that authentication is not
                               required by the SMS host.
service_id                     Optional. This parameter specifies the ID of the SMS service. Its
                               value must be a string of 1 to 10 characters.
                               This parameter is used only when the “protocol” parameter is set to
                               “CMPP2” or “CMPP3”. The SMS service ID can be obtained when
                               you subscribe to SMS services from China Mobile. The default
                               value is empty.
source_number                  Optional. This parameter specifies the source number of SMS
                               messages. Its value must be a string of 1 to 21 characters.
                               This parameter is used only when the “protocol” parameter is set to
                               “CMPP2” or “CMPP3”. The source number can be obtained when
                               you subscribe to SMS services from China Mobile. The default
                               value is empty.
conn_reuse|conn_close          Optional. This parameter specifies how to handle the connection
                               between the AG appliance and the SMS server after the AG
                               appliance receives the SMS authentication response. Its value must be:
                                   conn_reuse: indicates the connection will be reused after the
                                    AG appliance receives SMS authentication response.
                                   conn_close: indicates the connection will be forcefully
                                    disconnected after the AG appliance receives SMS
                                    authentication response.
                               The default value is “conn_reuse”.
tls_flag                       Optional. This parameter specifies whether to access the SMS host
                               over the TLS protocol. Its value must be:
                                   “tls”: indicates that the TLS protocol is used to access the SMS
                                    host.
                                   empty: indicates that the TLS protocol is not used to access the
                                    SMS host.
                               The default value is empty.
                               This parameter is used only when the “protocol” parameter is set to
                               “CUSTOM”.
no aaa server sms host <sms_server_name>
This command is used to delete the host configured for the specified SMS server.
show aaa server sms host <sms_server_name>
This command is used to display the host configured for the specified SMS server.
aaa server sms companyinfo <sms_server_name> <company_name>
<contactor> <phone_number> <mobile_number> <email> <fax> <address>
<postcode>
This command is used to configure the information about the company that subscribes to SMS
services from Emay for the specified SMS server. The company information is required to register
the SMS service account on the SMS server.
sms_server_name                This parameter specifies the name of an existing SMS server.
company_name                   This parameter specifies the company name. Its value must be a
                               string of 1 to 60 characters enclosed by double quotes when
                               beginning with a non-alphabetical character.
contactor                      This parameter specifies the name of the contact person of the
                               company. Its value must be a string of 1 to 20 characters enclosed
                               by double quotes when beginning with a non-alphabetical character.
phone_number                   This parameter specifies the telephone number of the company. Its
                               value must be a string of 1 to 20 characters enclosed by double
                               quotes when beginning with a non-alphabetical character.
mobile_number                  This parameter specifies the mobile phone number of the company.
                               Its value must be a string of 1 to 15 characters enclosed by double
                               quotes when beginning with a non-alphabetical character.
email                          This parameter specifies the email address of the company. Its value must
                               be a string of 1 to 60 characters enclosed by double quotes when
                               beginning with a non-alphabetical character.
fax                            This parameter specifies the fax number of the company. Its value must be a
                               string of 1 to 20 characters enclosed by double quotes when
                               beginning with a non-alphabetical character.
address                        This parameter specifies the address of the company. Its value must
                               be a string of 1 to 60 characters enclosed by double quotes when
                               beginning with a non-alphabetical character.
postcode                       This parameter specifies the postcode of the company. Its value
                               must be a string of 1 to 6 characters enclosed by double quotes
                               when beginning with a non-alphabetical character.
no aaa server sms companyinfo <sms_server_name>
This command is used to delete the company information setting of the specified SMS server.
show aaa server sms companyinfo <sms_server_name>
This command is used to display the company information on the specified SMS server.
aaa server sms message <sms_server_name> <string> [escape_flag]
This command is used to modify the content of the short message sent to the mobile phone for the
specified SMS server. The verification code is contained in the short message for SMS
authentication. If this command is not configured, the default content of the short message sent to
the mobile phone is “Verification code: <OTP>”.
sms_server_name                This parameter specifies the name of an existing SMS server.
string                         This parameter specifies the content of the short message sent to the
                               mobile phone. Its value must be a string of 1 to 60 characters
                               enclosed by double quotes.
                               This parameter supports regular expressions “<OTP>” and
                               “<USER>”. “<OTP>” is mandatory in the string and stands for the
                               verification code sent to a mobile phone; “<USER>” stands for the
                               user name of a mobile phone.
escape_flag                    Optional. This parameter specifies whether to escape the short
                               message. This parameter needs to be specified when the short
                               message is sent in the URL of the HTTP request. Its value must be:
                                    0: indicates the short message will not be escaped.
                                    1: indicates the short message will be escaped.
                               The default value is 0.
For example:
vs(config)$aaa server sms message sms_server "Hi <USER>, the verification code is
<OTP>" 0
vs(config)$aaa server sms message sms_server "Verification code is <OTP>" 0
no aaa server sms message <sms_server_name> <string>
This command is used to reset the content of the short message sent to the mobile phone to the
default value “Verification code: <OTP>” for the specified SMS server.
show aaa server sms message <sms_server_name>
This command is used to display the content of the short message sent to the mobile phone for the
specified SMS server.
aaa server sms verificationcode <sms_server_name> <length>
<character_type>
This command is used to modify the length and character type of verification codes for the
specified SMS server. If this command is not configured, the default length of verification codes is
8 bytes, and verification codes comprise both letters and numbers by default.
sms_server_name                 This parameter specifies the name of an existing SMS server.
length                          This parameter specifies the length of verification codes in bytes.
                                Its value must be an integer ranging from 6 to 16.
character_type                  This parameter specifies the character type of verification codes. Its
                                value must be:
                                    letter: indicates that verification codes comprise only letters.
                                    num: indicates that verification codes comprise only numbers.
                                    both: indicates that verification codes comprise both letters
                                     and numerals.
no aaa server sms verificationcode <sms_server_name>
This command is used to reset the length and character type of verification codes to the default
configuration for the specified SMS server.
show aaa server sms verificationcode <sms_server_name>
This command is used to display the length and character type of verification codes for the
specified SMS server.
aaa server sms expiretime <sms_server_name> <time>
This command is used to modify the expiration time of verification codes for the specified SMS
server. If this command is not configured, the default expiration time of verification codes is 300
seconds.
sms_server_name                 This parameter specifies the name of an existing SMS server.
time                            This parameter specifies the effective time of verification codes for
                                the SMS server in seconds. Its value must be an integer ranging
                                from 5 to 600.
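The two commands above fix the guessing space of a verification code (length and character type) and how long a code stays valid (expiretime). The following Python example, added here and not part of the handbook or of AG's own implementation, shows what a defender should check when choosing these values: it draws codes from a CSPRNG for each documented character type, reports the resulting key space in bits, and validates a submitted code with an expiry window and a constant-time comparison. The function names and the sample timestamps are assumptions of this example.

```python
import hmac
import math
import secrets
import string

# Alphabets for the three <character_type> values of
# "aaa server sms verificationcode" (letter | num | both).
CHARSETS = {
    "letter": string.ascii_letters,
    "num": string.digits,
    "both": string.ascii_letters + string.digits,
}
MIN_LENGTH, MAX_LENGTH = 6, 16                        # documented range of <length>
DEFAULT_LENGTH, DEFAULT_TYPE = 8, "both"              # documented defaults
MIN_EXPIRE, MAX_EXPIRE, DEFAULT_EXPIRE = 5, 600, 300  # documented range/default of <time>


def generate_code(length=DEFAULT_LENGTH, character_type=DEFAULT_TYPE):
    """Return a verification code drawn from a CSPRNG (the secrets module),
    honouring the documented length range and character types."""
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"length must be {MIN_LENGTH}..{MAX_LENGTH}")
    if character_type not in CHARSETS:
        raise ValueError("character_type must be letter, num or both")
    alphabet = CHARSETS[character_type]
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace_bits(length, character_type):
    """Entropy of a uniformly random code: log2(|alphabet| ** length).
    6 numeric digits give about 19.9 bits; 8 mixed characters give about 47.6 bits."""
    return length * math.log2(len(CHARSETS[character_type]))


def verify_code(submitted, issued_code, issued_at, now, expire_seconds=DEFAULT_EXPIRE):
    """Accept a code only if it is unexpired and matches exactly.
    The comparison is constant-time so response timing does not leak matching prefixes."""
    if not MIN_EXPIRE <= expire_seconds <= MAX_EXPIRE:
        raise ValueError(f"expire time must be {MIN_EXPIRE}..{MAX_EXPIRE} seconds")
    if now - issued_at > expire_seconds:
        return False  # expired: the code is dead regardless of its value
    return hmac.compare_digest(submitted.encode(), issued_code.encode())
```

The key-space figures are the practical reason to keep `num`-only codes at the longer end of the 6 to 16 range, or to prefer `both`: a short numeric code relies entirely on the expiry window and on rate limiting at the login page to stay safe from guessing.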
no aaa server sms expiretime <sms_server_name>
This command is used to reset the expiration time of verification codes to the default value 300
seconds for the specified SMS server.
show aaa server sms expiretime <sms_server_name>
This command is used to display the expiration time of verification codes for the specified SMS
server.
aaa server sms custom import request <sms_server_name> <url>
This command is used to import the SMS authentication request template for the specified SMS
server. AG constructs the SMS authentication request using the SMS authentication request
template and sends the constructed SMS authentication request to the SMS server for
authentication. Only one SMS authentication request template can be imported.
sms_server_name                 This parameter specifies the name of an existing custom SMS
                                server.
url                             This parameter specifies the HTTP or FTP URL from which the
                                custom SMS authentication request template is imported. Its value
                                must be a string of 1 to 256 characters.
The format of the SMS authentication request template is as follows:
POST /smsend.jsp HTTP/1.1\r\n
Accept: */*\r\n
Accept-Encoding: NONE\r\n
Host: <SMS_SERVER_IP>:<SMS_SERVER_PORT>\r\n
Connection: Keep-Alive\r\n
Content-Length: <CONTENT_LENGTH>\r\n
Cache-Control: no-cache\r\n
\r\n
username=<USERNAME>&password=<PASSWORD>&dst=<PHONE>&msg=<MESSAGE>&report=0&sendtime=0&seqid=<SEQID>&uname=<RT_USERNAME>&passwd=<RT_PASSWORD>
When preparing the SMS authentication request template, please bear the following information in
mind:
• The fields <SMS_SERVER_IP> and <SMS_SERVER_PORT> will be replaced by the IP address and
  port of the SMS host selected by AG.
• The <CONTENT_LENGTH> field will be filled with the value of the transfer-length of the
  HTTP request body.
• The fields <USERNAME> and <PASSWORD> will be filled with the username and
  password used to log into the host of the SMS server. The <PHONE> field will be filled with
  the mobile phone number of the end user.
• The field <MESSAGE> will be replaced by AG with the message configured via the “aaa server sms
  message” command.
• The field <SEQID> will be filled by AG according to the request ID of the SMS
  authentication request.
• The fields <RT_USERNAME> and <RT_PASSWORD> will be filled with the username
  and password of the user used to log into the virtual site.
Note: The SMS authentication request template must be a plain text file.
show aaa server sms custom template <sms_server_name> <type>
This command is used to display the SMS authentication request template for the specified custom
SMS server.
sms_server_name                 This parameter specifies the name of an existing custom SMS
                                server.
type                            This parameter specifies the file type of the custom SMS
                                authentication request template. Its value must be “request”.
aaa server sms custom result <sms_server_name> <regex> <end_flag>
This command is used to configure an SMS authentication response filter rule for the specified
custom SMS server.
sms_server_name                 This parameter specifies the name of an existing custom SMS
                                server.
regex                           This parameter specifies the regular expression indicating the
                                successful SMS authentication response. Its value must be a string
                                of 1 to 256 characters. If the SMS authentication response received
                                by AG matches this regular expression, AG displays the SMS
                                authentication page for the user to enter the verification code.
end_flag                        Optional. This parameter specifies the end location of the SMS
                                authentication response. Its value must be a string of 1 to 256
                                characters.
                                If this parameter is specified:
                                • AG will begin to parse the received SMS authentication
                                  response when the SMS authentication response received by
                                  AG contains “end_flag”.
                                If this parameter is not specified or the configured “end_flag”
                                parameter is not found in the SMS authentication response:
                                • When the SMS authentication response received by AG
                                  contains the header “Content-Length”, AG begins to parse the
                                  received SMS authentication response after the whole body of
                                  the SMS authentication response is received. When the SMS
                                  authentication response received by AG contains the header
                                  “Transfer-Encoding: chunked”, AG begins to parse the
                                  received SMS authentication response after all data chunks of
                                  the response are received.
                                • When the SMS authentication response received by AG does
                                  not contain the header “Content-Length”, AG begins to parse
                                  the received SMS authentication response after the first
                                  segment of the response is received.
                                The default value is empty.
        Note: The SMS authentication response must include the request ID <SEQID> of the SMS
        authentication request.
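The rules above decide when a buffered SMS server response is complete enough to parse, and the result rule decides whether it counts as success. The Python example below is added here to illustrate those rules; it is not the handbook's or AG's own code. It buffers a response, applies the documented order (end_flag first, then Content-Length, then chunked transfer, otherwise the first segment), and then applies the success regex and the <SEQID> requirement. The sample responses are constructed, not captured from a real gateway, and the function names are this example's assumptions.

```python
import re


def _headers(head):
    """Parse the 'Name: value' lines after the status line into a lower-cased dict."""
    fields = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        fields[name.strip().lower()] = value.strip()
    return fields


def response_complete(raw, end_flag=None):
    """Return True once AG may start parsing the buffered response `raw`,
    following the documented order: end_flag first, then Content-Length,
    then chunked encoding, else the first segment received."""
    if end_flag and end_flag.encode() in raw:
        return True
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False                                   # header block not yet complete
    fields = _headers(head)
    if b"content-length" in fields:
        return len(body) >= int(fields[b"content-length"])
    if fields.get(b"transfer-encoding", b"").lower() == b"chunked":
        return body.endswith(b"0\r\n\r\n")            # zero-size last chunk seen
    return True                                        # no length: first segment suffices


def sms_result(raw, regex, seqid, end_flag=None):
    """Apply the 'aaa server sms custom result' rule: 'pending' until the response is
    complete, 'fail' if <SEQID> is missing or the regex does not match, else 'ok'."""
    if not response_complete(raw, end_flag):
        return "pending"
    text = raw.decode("utf-8", errors="replace")
    if seqid not in text:                              # the response must echo the request ID
        return "fail"
    return "ok" if re.search(regex, text) else "fail"


# Constructed sample responses (not captured from a real SMS gateway).
RESP_OK = (b"HTTP/1.1 200 OK\r\nContent-Length: 27\r\n\r\n"
           b"result=0&seqid=1001&desc=ok")
RESP_CHUNKED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                b"1b\r\nresult=0&seqid=1001&desc=ok\r\n0\r\n\r\n")
RESP_NO_LENGTH = b"HTTP/1.1 200 OK\r\n\r\nresult=1&seqid=1001&desc=rejected"
```

Two points the code makes visible: an end_flag lets a truncated response be parsed as soon as the marker appears, so choose a marker that only occurs after the status field, and without a Content-Length the first segment is all that is examined, so a success regex should match early in the body.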
no aaa server sms custom result <sms_server_name>
This command is used to delete the SMS authentication response matching rule for the specified
custom SMS server.
show aaa server sms custom settings <sms_server_name>
This command is used to display the configurations of the custom SMS server.
sms_server_name               This parameter specifies the name of an existing SMS server.
SMX
aaa server smx host <smx_server_name> <host_name> <host_port>
[host_index]
This command is used to create a host for the specified SMX (SECUREMATRIX) server. A
maximum of two hosts can be configured for an SMX server and they have different index values
specified by the parameter “host_index”.
smx_server_name               This parameter specifies the name of an existing SMX server.
host_name                     This parameter specifies the host name or IP address of the host.
                              For the host name, its value must be a string of 1 to 128 characters;
                              for the IP address, its value must be an IPv4 address enclosed by
                               double quotes.
host_port                      This parameter specifies the port number used by the host. Its value
                               is an integer ranging from 0 to 65535.
host_index                     Optional. This parameter specifies the index of the host among
                               hosts of the SMX server. Its value must be:
                                   1: indicates that this is a primary host.
                                   2: indicates that this is a secondary host.
                               The secondary host is used only when the user fails the
                               authentication performed by the primary host or when the primary
                               host is unavailable.
                               The default value is 1.
no aaa server smx host <smx_server_name> <host_index>
This command is used to delete a host from the specified SMX server.
show aaa server smx host <smx_server_name>
This command is used to show the host(s) created for the specified SMX server.
aaa server smx certimport <smx_server_name> <host_index>
<user@remote_host> <password> <file_path>
This command is used to import the certificate file for the specified SMX host from a remote host.
smx_server_name                This parameter specifies the name of an existing SMX server.
host_index                     This parameter specifies the index of the host among hosts of the
                               SMX server.
user@remote_host               This parameter specifies the remote host from which the certificate
                               file is imported and the username for logging into the remote host.
                               Its value must be a string of 1 to 512 characters in the format of
                               “user@remote_host”, which must be enclosed by double quotes.
password                       This parameter specifies the password for logging into the remote
                               host.
file_path                      This parameter specifies the path, which includes the certificate file
                               name, of the certificate file on the remote host. Its value must be a
                               string of 1 to 1024 characters. The certificate file is a .zip file
                             containing the private key, cert file and CA file.
HTTP
aaa server http host <http_server_name> <host_name> [host_port] [tls_flag]
[timeout] [retries] [index] [max_connections]
This command is used to configure an HTTP host for the specified HTTP AAA server. A
maximum of three HTTP hosts can be configured for one HTTP AAA server.
http_server_name             This parameter specifies the name of an existing HTTP AAA server.
host_name                    This parameter specifies the host name or IP address of the HTTP
                             host. For the host name, its value must be a string of 1 to 128
                             characters; for the IP address, its value must be an IPv4 address
                             enclosed by double quotes.
host_port                    Optional. This parameter specifies the port of the HTTP host (The
                             HTTP host of the HTTP AAA server can be an HTTP or HTTPS
                             server used for authentication/authorization). Its value must be an
                             integer ranging from 0 to 65,535.
                             The default value is 0, indicating the default port. For the HTTP
                             server, “0” indicates the port 80; for the HTTPS server, “0”
                             indicates the port 443.
tls_flag                     Optional. This parameter specifies whether to access the HTTP host
                             over the TLS protocol. Its value must be:
                                 “tls”: indicates that the HTTPS server is used.
                                 empty: indicates that the HTTP server is used.
                             The default value is empty.
timeout                      Optional. This parameter specifies the maximum time that AG waits
                             for the HTTP response, in seconds. If not receiving the HTTP
                             response in the specified time, AG will resend the HTTP
                             authentication request. Its value must be an integer ranging from 0
                             to 65,535. “0” indicates no timeout. The default value is 5.
retries                      Optional. This parameter specifies the number of times AG resends the
                             HTTP authentication request to the HTTP host. Its value must be 1, 2 or 3.
                             The default value is 1.
index                          Optional. This parameter specifies the host index. Its value must be
                               1, 2 or 3. The default value is 1.
max_connections                Optional. This parameter specifies the maximum number of
                               concurrent connections allowed by the HTTP AAA host. Its value
                               must be an integer ranging from 0 to 65,535. The default value is 0,
                               indicating no limitation on the maximum number of concurrent
                               connections.
no aaa server http host <http_server_name> <index>
This command is used to delete an HTTP host of the specified HTTP AAA server.
show aaa server http host <http_server_name>
This command is used to display the HTTP hosts configured for the specified HTTP AAA server.
aaa server http login template <http_server_name> <request_url>
This command is used to import an HTTP authentication login template for the specified HTTP
AAA server. When receiving an HTTP authentication login request from the client, AG constructs
the HTTP authentication login request using the HTTP authentication login template by replacing
the dynamic data in the template with user information of the user to be authenticated and sends
the constructed HTTP request to the HTTP AAA server for authentication.
Only one HTTP authentication request template can be configured for one HTTP AAA server.
http_server_name               This parameter specifies the name of an existing HTTP AAA server.
request_url                    This parameter specifies the HTTP or FTP URL of the HTTP
                               authentication login template to be imported. Its value must be a
                               string of 1 to 256 characters.
The format of the HTTP authentication login template is as follows:
POST /iaccess/services HTTP/1.1
Accept-Encoding: NONE
Host: <an_serverhost>
Content-Length: <an_content-length>
SOAPAction: "http://IaccessMessageFlow/login"
User-Agent: Axis2

<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns1:login xmlns:ns1="http://IaccessMessageFlow">
      <username><an_username></username>
      <password><an_password></password>
      <deviceid><an_cus-define-var1></deviceid>
      <devicetype>P</devicetype>
      <clientversion>9.0.0.0</clientversion>
      <clientip><an_clientip></clientip>
      <regionid><an_cus-define-var2></regionid>
      <regioncolor>G</regioncolor>
    </ns1:login>
  </soapenv:Body>
</soapenv:Envelope>
When preparing the HTTP authentication login template, please bear the following information in
mind:
• The fields <an_username>, <an_password> and <an_clientip> will be filled with user
  information of the user to be authenticated.
• The field <an_serverhost> will be replaced by the IP address of the HTTP host selected by
  AG.
• The field <an_content-length> will be filled by AG according to the actual length of the
  content.
• The fields <an_cus-define-var1> and <an_cus-define-var2> will be filled with the
  customized user variables configured using the “portal custom variant name” command.
Note:
• The HTTP authentication login template must be a plain text file.
• For HTTP authentication requests with customized user information, the portal theme
  login page should be used.
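Both the SMS authentication request template (the “aaa server sms custom import request” command) and the HTTP authentication login template above are plain-text requests with angle-bracket placeholders that AG fills at run time, including a length field computed from the finished body. The Python example below is added to show that rendering step end to end; it is not the handbook's or AG's own code. It renders both templates, sets Content-Length from the byte length of the body, and shows why the SMS `escape_flag` matters: an unescaped message containing `&` is split into extra form fields by the receiving server. The sample values, the placeholder regexes, XML-escaping of the SOAP values, and applying the escape flag to every form value (the handbook states it only for the message) are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, quote_plus
from xml.sax.saxutils import escape as xml_escape

# Templates in the handbook's documented format (line endings and sample values constructed here).
SMS_TEMPLATE = (
    "POST /smsend.jsp HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: NONE\r\n"
    "Host: <SMS_SERVER_IP>:<SMS_SERVER_PORT>\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Length: <CONTENT_LENGTH>\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "username=<USERNAME>&password=<PASSWORD>&dst=<PHONE>&msg=<MESSAGE>"
    "&report=0&sendtime=0&seqid=<SEQID>&uname=<RT_USERNAME>&passwd=<RT_PASSWORD>"
)
HTTP_LOGIN_TEMPLATE = (
    "POST /iaccess/services HTTP/1.1\r\n"
    "Accept-Encoding: NONE\r\n"
    "Host: <an_serverhost>\r\n"
    "Content-Length: <an_content-length>\r\n"
    'SOAPAction: "http://IaccessMessageFlow/login"\r\n'
    "User-Agent: Axis2\r\n"
    "\r\n"
    "<?xml version='1.0' encoding='UTF-8'?>"
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Body><ns1:login xmlns:ns1="http://IaccessMessageFlow">'
    "<username><an_username></username><password><an_password></password>"
    "<deviceid><an_cus-define-var1></deviceid><devicetype>P</devicetype>"
    "<clientversion>9.0.0.0</clientversion><clientip><an_clientip></clientip>"
    "<regionid><an_cus-define-var2></regionid><regioncolor>G</regioncolor>"
    "</ns1:login></soapenv:Body></soapenv:Envelope>"
)

# Placeholder syntax of each template (assumed): upper-case <NAME> for SMS, <an_...> for HTTP login.
SMS_PLACEHOLDER = re.compile(r"<([A-Z][A-Z_]*)>")
AN_PLACEHOLDER = re.compile(r"<(an_[a-z0-9-]+)>")
LENGTH_FIELDS = {"CONTENT_LENGTH", "an_content-length"}


def render(template, values, pattern, escape=lambda s: s):
    """Fill every placeholder matched by `pattern` from `values` (each value passed
    through `escape`), then set the length field from the finished body's byte size."""
    def fill(m):
        name = m.group(1)
        if name in LENGTH_FIELDS:
            return m.group(0)                      # resolved once the body is known
        if name not in values:
            raise KeyError(f"no value for placeholder <{name}>")
        return escape(values[name])
    head, sep, body = pattern.sub(fill, template).partition("\r\n\r\n")
    if not sep:
        raise ValueError("template has no blank line between headers and body")
    length = str(len(body.encode("utf-8")))
    for field in LENGTH_FIELDS:
        head = head.replace(f"<{field}>", length)
    return head + sep + body


def sms_message(text, otp, user):
    """Expand the 'aaa server sms message' string; <OTP> is mandatory, <USER> optional."""
    if "<OTP>" not in text:
        raise ValueError("<OTP> is mandatory in the short message string")
    return text.replace("<OTP>", otp).replace("<USER>", user)


def sms_request(values, message, escape_flag=1):
    """Build the SMS request; escape_flag=1 URL-encodes the substituted form values."""
    esc = quote_plus if escape_flag else (lambda s: s)
    return render(SMS_TEMPLATE, dict(values, MESSAGE=message), SMS_PLACEHOLDER, esc)


def http_login_request(values):
    """Build the SOAP login request with XML-escaped values (this example's choice)."""
    return render(HTTP_LOGIN_TEMPLATE, values, AN_PLACEHOLDER, xml_escape)


def form_fields(request):
    """Parse the form body of a rendered request, i.e. what the SMS server would see."""
    return parse_qs(request.partition("\r\n\r\n")[2], keep_blank_values=True)


# Constructed sample values (not from the handbook).
SMS_VALUES = {"SMS_SERVER_IP": "192.0.2.10", "SMS_SERVER_PORT": "8080",
              "USERNAME": "gw_account", "PASSWORD": "gw_secret", "PHONE": "15550000001",
              "SEQID": "1001", "RT_USERNAME": "alice", "RT_PASSWORD": "alice_pw"}
HTTP_VALUES = {"an_serverhost": "192.0.2.20", "an_username": "alice", "an_password": "p<w>d",
               "an_clientip": "198.51.100.7", "an_cus-define-var1": "dev-42",
               "an_cus-define-var2": "region-1"}
```

With `escape_flag=0` a message such as `Code <OTP> & more` arrives at the server as a truncated `msg` field plus a stray field named ` more`; with `escape_flag=1` the message survives intact. The same reasoning applies to the SOAP template, where a `<` or `&` in a value would break the XML body unless it is escaped.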
no aaa server http login template <http_server_name>
This command is used to delete the HTTP authentication login template imported for the specified
HTTP AAA server.
show aaa server http login template <http_server_name> [separate]
This command is used to display the HTTP authentication login template imported for the
specified HTTP AAA server.
http_server_name                 This parameter specifies the name of an existing HTTP AAA server.
separate                         Optional. This parameter specifies whether to display the dynamic
                                 data in the HTTP authentication login template separately. Its value
                                 must be:
                                  0: indicates the dynamic data will not be displayed separately.
                                  1: indicates the dynamic data will be displayed separately.
                                 The default value is 0.
aaa server http login challengemessage <http_server_name>
<login_response_id> <login_response_filter> <message>
This command is used to set the HTTP authentication login challenge message for the specified
HTTP AAA server. This command should be configured when the backend server needs more
user information to perform the authentication. A maximum of five HTTP authentication login
challenge messages can be configured.
http_server_name              This parameter specifies the name of an existing HTTP AAA server.
login_response_id             This parameter specifies the ID of the HTTP authentication login
                              response. Its value must be an integer ranging from 1 to 5.
login_response_filter         This parameter specifies the filter condition for the HTTP
                              authentication login response. Its value must be a string of 1 to 255
                              characters. The value can contain the variables and related rules
                              defined by the commands “aaa server http variant response
                              name” and “aaa server http variant response profile”.
message                       This parameter specifies the challenge message included in the
                              HTTP authentication login response. Its value must be a string of 1
                              to 255 characters. The value can contain the variables defined by
                              the “aaa server http variant response name” command.
For example:
When the HTTP authentication login response contains an “an_ret” variable whose value is 2, a
challenge is required and the challenge message will be “please enter the login PIN number.”
vs(config)$aaa server http login challengemessage "http_server" "1" "<an_ret>=2" "please
enter the login PIN number"
no aaa server http login challengemessage <http_server_name>
<login_response_id>
This command is used to delete a specified HTTP authentication login challenge message for the
specified HTTP AAA server.
show aaa server http login configure <http_server_name>
This command is used to display the configuration of HTTP authentication login challenge
messages for the specified HTTP AAA server.
aaa server http challenge template <http_server_name> <challenge_id>
<request_url>
This command is used to import an HTTP authentication challenge template for the specified
HTTP AAA server. When receiving an HTTP authentication challenge request from the client,
AG constructs the HTTP authentication challenge request using the HTTP authentication
challenge template and sends the constructed HTTP authentication challenge request to the HTTP
AAA server. A maximum of five HTTP authentication challenge templates can be configured for
one HTTP AAA server.
This command should be used together with the “aaa server http challenge require” command.
The HTTP challenge template is similar to the HTTP authentication login template. For details,
please refer to the “aaa server http login template” command.
http_server_name               This parameter specifies the name of an existing HTTP AAA server.
challenge_id                   This parameter specifies the ID of the HTTP authentication
                               challenge template. Its value must be an integer ranging from 1 to
                               5.
request_url                    This parameter specifies the HTTP or FTP URL of the HTTP
                               challenge template to be imported. Its value must be a string of 1 to
                               256 characters.
no aaa server http challenge template <http_server_name> <challenge_id>
This command is used to delete the specified HTTP authentication challenge template for the
specified HTTP AAA server.
show aaa server http challenge template <http_server_name>
<challenge_id> [separate]
This command is used to display the specified HTTP authentication challenge template for the
specified HTTP AAA server.
http_server_name               This parameter specifies the name of an existing HTTP AAA server.
challenge_id                   This parameter specifies the ID of the HTTP authentication
                               challenge template.
separate                       Optional. This parameter specifies whether to display the dynamic
                               data in the HTTP authentication challenge template separately. Its
                               value must be:
                                   0: indicates the dynamic data will not be displayed separately.
                                   1: indicates the dynamic data will be displayed separately.
                               The default value is 0.
aaa server http challenge require <http_server_name> <challenge_id>
[challenge_condition]
This command is used to set a challenge condition based upon which to select the HTTP
authentication challenge template for the specified HTTP AAA server. Please define a customized
user variable using the “portal custom variant name” command first before configuring this
command.
http_server_name               This parameter specifies the name of an existing HTTP AAA server.
challenge_id                   This parameter specifies the ID of the HTTP authentication
                               challenge template.
challenge_condition            This parameter specifies the challenge condition based on which to
                               select the HTTP authentication challenge template. Its value must
                               be a string of 1 to 255 characters in the format of “<an_xx>=yy”,
                               such as “<an_param1>=chal1”.
For example:
vs(config)$aaa server http challenge require "http_server" "1" "<an_param1>=chal1"
no aaa server http challenge require <http_server_name> <challenge_id>
This command is used to delete a specified challenge condition based upon which to select the
HTTP authentication challenge template for the specified HTTP AAA server.
aaa server http challenge challengemessage <http_server_name>
<challenge_id> <login_response_id> <challenge_response_filter>
<message>
This command is used to set the HTTP authentication challenge message for the specified HTTP
AAA server. This command should be configured if a further challenge is required after the HTTP
authentication login challenge. A maximum of five HTTP authentication challenge messages can
be configured.
http_server_name               This parameter specifies the name of an existing HTTP AAA server.
challenge_id                   This parameter specifies the ID of the HTTP authentication
                               challenge template.
login_response_id              This parameter specifies the ID of the HTTP authentication login
                               response.
challenge_response_filter      This parameter specifies the filter condition for the HTTP
                               authentication challenge message. Its value must be a string of 1 to
                               255 characters. The value can contain the variables and related rules
                               defined by the commands “aaa server http variant response
                               name” and “aaa server http variant response profile”.
message                        This parameter specifies the message included in the HTTP
                               authentication challenge response. Its value must be a string of 1 to
                               255 characters. The value can contain the variables defined by the
                               “aaa server http variant response name” command.
For example:
When the challenge response contains an “an_random” variable whose value is 1, a further
challenge is required and the challenge message will be “Please use the UTF-8 encoding format if
multi-byte characters are used.”
vs(config)$aaa server http challenge challengemessage "http_server" "1" "1"
"<an_random>=1" "Please use the UTF-8 encoding format if multi-byte characters are
used."
no aaa server http challenge challengemessage <http_server_name>
<challenge_id> <login_response_id>
This command is used to delete the specified HTTP authentication challenge message for the
specified HTTP AAA server.
show aaa server http challenge configure <http_server_name>
<challenge_id>
This command is used to display the configurations of HTTP challenge authentication for the
specified HTTP AAA server.
aaa server http variant response name <http_server_name> <var_name>
[var_filter]
This command is used to configure the customized user variable included in the HTTP
authentication login response and set a single-variable parsing rule for the specified HTTP AAA
server. The configured customized user variable can be used for the constitution of the HTTP
authentication login challenge message.
http_server_name               This parameter specifies the name of an existing HTTP AAA server.
var_name                       This parameter specifies the name of the customized user variable
                               in the HTTP authentication login response. Its value must be a
                               string of 1 to 32 characters in the format of <an_xx>, such as
                               <an_param1>.
2000-2018 Array Networks, Inc.
                                                                                               128
All Rights Reserved.
var_filter                      Optional. This parameter specifies the filter used to parse this
                                variable included in the HTTP authentication login response. Its
                                value must be a string of 1 to 256 characters. The default value is
                                empty.
For example:
vs(config) aaa server http variant response name "http_server" "<an_need_challenge>"
"var_AN_need_challenge=<an_need_challenge>;"
no aaa server http variant response name <http_server_name>
<var_name>
This command is used to delete a specified customized user variable included in the HTTP
authentication login response and the associated single-variable resolution rule for the specified
HTTP AAA server.
aaa server http variant response profile <http_server_name> <var_filter>
<priority>
This command is used to set a multi-variable parsing rule for the specified HTTP AAA server.
This command should be used together with the command “aaa server http variant response
name”. The configured multi-variable parsing rule can be used for the constitution of an HTTP
authentication login challenge message.
http_server_name                This parameter specifies the name of an existing HTTP AAA server.
var_filter                      This parameter specifies the filter condition used to parse the single
                                user variable included in the HTTP authentication login response.
                                Its value must be a string of 1 to 256 characters.
priority                        Optional. This parameter specifies the priority of the rule. Its value
                                must be an integer ranging from 1 to 100. The lower the value, the
                                higher the priority. The default value is 50.
For example:
vs(config) aaa server http variant response name "http_server" "<an_var1>"
vs(config) aaa server http variant response name "http_server" "<an_var2>"
vs(config) aaa server http variant response name "http_server" "<an_var3>"
vs(config) aaa server http variant response profile "http_server"
"var_AN_var=<an_var1>::<an_var2>::<an_var3>;"
no aaa server http variant response profile <http_server_name>
<var_filter>
This command is used to delete a specified multi-variable parsing rule for the specified HTTP
AAA server.
show aaa server http variant response <http_server_name>
This command is used to display the configurations of customized user variables included in the
HTTP authentication login response and the associated variable parsing rules for the specified
HTTP AAA server.
aaa server http result <http_server_name> <regex> [user_name]
[group_name] [phone] [picture_url] [uid] [end_flag] [error_message]
This command is used to configure an HTTP response filter rule for the specified HTTP AAA
server. Only one HTTP response filter rule can be configured for one HTTP AAA server.
http_server_name               This parameter specifies the name of an existing HTTP AAA server.
regex                          This parameter specifies the regular expression indicating the
                               successful HTTP authentication response. If the HTTP
                               (authentication) response received by AG matches this regular
                               expression, the end user passes the HTTP authentication.
                               Its value must be a string of 1 to 256 characters.
                               Note: It is recommended to simplify the parameter value to increase
                               the matching efficiency.
user_name                      Optional. This parameter specifies the way to obtain the username
                               from the HTTP (authorization) response. If the username is
                               successfully obtained from the HTTP response, AG will display the
                               obtained username on the welcome portal page.
                               Its value must be a string of 1 to 256 characters in the format of
                               “xxx<an_value>xxx”. Besides, the parameter supports the
                               following escape characters:
                                   \r\n: indicates the line break.
                                   \q: indicates the quotes.
                                   \\: indicates the backslash.
                               The default value is empty, indicating not obtaining the username
                               from the HTTP response.
group_name                     Optional. This parameter specifies the way to obtain the group
                               name of the end user from the HTTP (authorization) response. The
                            obtained group name may be further used for the user authorization.
                            Its value must be a string of 1 to 256 characters in the format of
                            “xxx<an_value>xxx”. Besides, the parameter supports the
                            following escape characters:
                                 \r\n: indicates the line break.
                                 \q: indicates the quotes.
                                 \\: indicates the backslash.
                            The default value is empty, indicating not obtaining the group name
                            from the HTTP response.
phone                       Optional. This parameter specifies the way to obtain the phone
                            number of the end user from the HTTP (authorization) response.
                            The obtained phone number is used for SMS authentication when
                            both HTTP authentication and SMS authentication are required.
                            Its value must be a string of 1 to 256 characters in the format of
                            “xxx<an_value>xxx”. Besides, the parameter supports the
                            following escape characters:
                                 \r\n: indicates the line break.
                                 \q: indicates the quotes.
                                 \\: indicates the backslash.
                            The default value is empty, indicating not obtaining the phone
                            number from the HTTP response.
picture_url                 Optional. This parameter specifies the way to obtain the avatar
                            picture URL of the end user from the HTTP (authorization)
                            response.
                            This parameter needs to be specified when the HTTP-type AAA
                            server is used for OAuth authentication.
uid                         Optional. This parameter specifies the way to obtain the UID of the
                            end user from the HTTP (authorization) response. Its value must be
                            in the format of “uid=<an_value>”.
                            This parameter needs to be specified when the HTTP-type AAA
                            server is used for OAuth authentication.
end_flag                      Optional. This parameter specifies the end location of the HTTP
                              response to be filtered. Its value must be a string of 1 to 256
                              characters.
                              If the “end_flag” parameter is configured:
                                  - When the HTTP response received by AG contains the
                                    “end_flag”, AG starts the HTTP response filter process.
                              If the “end_flag” parameter is not configured or the configured
                              “end_flag” parameter is not found in the HTTP response:
                                  - When the HTTP response received by AG contains the header
                                    “Content-Length”, AG starts the HTTP response filter process
                                    after the whole HTTP body of the HTTP response is received.
                                    When the HTTP response received by AG contains the header
                                    “Transfer-Encoding: chunked”, AG starts the HTTP response
                                    filter process after all data chunks of the HTTP response are
                                    received.
                                  - When the HTTP response received by AG does not contain the
                                    header “Content-Length”, AG starts the HTTP response filter
                                    process after the first segment of the HTTP response is
                                    received.
                              The default value is empty.
error_message                 Optional. This parameter specifies the error message to display if
                              the user fails to pass HTTP authentication. The default error
                              message is empty.
For example:
vs(config)$aaa server http result "http" "welcome" "username<an_value>\r\n"
"groupname<an_value>\r\n" "phonenumber<an_value>\r\n" "" "" "abc"
"error=<an_value>;"
vs(config)$aaa server http result "oauth_server" "access_token" "username=<an_value>;"
"" "" "pic_url=<an_value>;" "uid=<an_value>;" "" "error=<an_value>;"
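The following Python model is an added example, not Array Networks code: it shows how the filter strings used by the “aaa server http variant response name/profile”, “aaa server http challenge challengemessage” and “aaa server http result” commands can be interpreted, with <an_xxx> placeholders compiled to named capture groups, the \r\n, \q and \\ escapes applied, and the end_flag / Content-Length / chunked rule deciding when filtering starts. The comparison semantics of the challenge condition and the handling of multi-valued matches are assumptions; all sample responses are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Placeholder syntax used by the AG HTTP AAA filters: <an_xxx>.
_PLACEHOLDER = re.compile(r"<(an_[A-Za-z0-9_]+)>")


def _unescape(text: str) -> str:
    """Apply the escape sequences the handbook lists for filter values:
    \\r\\n = line break, \\q = double quote, \\\\ = backslash."""
    out, i = [], 0
    while i < len(text):
        if text.startswith("\\r\\n", i):
            out.append("\r\n"); i += 4
        elif text.startswith("\\q", i):
            out.append('"'); i += 2
        elif text.startswith("\\\\", i):
            out.append("\\"); i += 2
        else:
            out.append(text[i]); i += 1
    return "".join(out)


def compile_filter(pattern: str) -> "re.Pattern[str]":
    """Turn a filter such as 'username=<an_value>\\r\\n' into a regex with one
    named group per <an_xxx> placeholder; the rest of the filter is literal.
    A value never spans a line, so '.' keeps its default meaning (no DOTALL)."""
    parts, pos = [], 0
    for m in _PLACEHOLDER.finditer(pattern):
        parts.append(re.escape(_unescape(pattern[pos:m.start()])))
        # A trailing placeholder must be greedy, or it would capture nothing.
        quant = ".*" if m.end() == len(pattern) else ".*?"
        parts.append("(?P<%s>%s)" % (m.group(1), quant))
        pos = m.end()
    parts.append(re.escape(_unescape(pattern[pos:])))
    return re.compile("".join(parts))


def extract_variables(body: str, rules: List[Tuple[int, str]]) -> Dict[str, str]:
    """Apply single-variable ('variant response name') and multi-variable
    ('variant response profile') rules to a login response. Rules are
    (priority, filter) pairs; a lower value runs first, as the handbook
    states for the profile command."""
    found: Dict[str, str] = {}
    for _, filt in sorted(rules, key=lambda r: r[0]):
        m = compile_filter(filt).search(body)
        if m:
            found.update({k: v for k, v in m.groupdict().items() if v is not None})
    return found


def challenge_required(condition: str, variables: Dict[str, str]) -> bool:
    """Evaluate a challenge_response_filter such as '<an_random>=1'. Assumed
    semantics: substitute the parsed variables, then compare both sides of
    '='; a variable the login response did not supply never matches."""
    resolved = _PLACEHOLDER.sub(lambda m: variables.get(m.group(1), m.group(0)),
                                condition)
    if _PLACEHOLDER.search(resolved):
        return False
    left, sep, right = resolved.partition("=")
    return bool(sep) and left.strip() == right.strip()


def filter_ready(headers: Dict[str, str], body_so_far: str, end_flag: str = "") -> bool:
    """When AG starts the response filter, following the end_flag rules:
    end_flag seen -> now; Content-Length -> after the whole body; chunked ->
    after the last chunk; otherwise -> after the first segment."""
    h = {k.lower(): v for k, v in headers.items()}
    if end_flag and end_flag in body_so_far:
        return True
    if "content-length" in h:
        return len(body_so_far.encode()) >= int(h["content-length"])
    if h.get("transfer-encoding", "").lower() == "chunked":
        return body_so_far.endswith("0\r\n\r\n")
    return len(body_so_far) > 0


def evaluate_result(body: str, regex: str, user_name: str = "", group_name: str = "",
                    phone: str = "", error_message: str = "") -> Dict[str, object]:
    """Mirror of 'aaa server http result': the user passes only if <regex>
    matches; the optional xxx<an_value>xxx filters then pull the attributes.
    On failure the error filter is applied, falling back to its literal text."""
    def first_value(filt: str) -> Optional[str]:
        m = compile_filter(filt).search(body) if filt else None
        return next(iter(m.groupdict().values()), None) if m else None

    ok = re.search(regex, body) is not None
    result: Dict[str, object] = {"authenticated": ok, "username": None,
                                 "groupname": None, "phone": None, "error": None}
    if ok:
        result["username"] = first_value(user_name)
        result["groupname"] = first_value(group_name)
        result["phone"] = first_value(phone)
    elif error_message:
        result["error"] = first_value(error_message) or error_message
    return result


if __name__ == "__main__":
    # Constructed login response; nothing here contacts a real server.
    vars_ = extract_variables("var_AN_need_challenge=1;an_random=1;",
                              [(50, "var_AN_need_challenge=<an_need_challenge>;"),
                               (10, "an_random=<an_random>;")])
    print(vars_, challenge_required("<an_random>=1", vars_))
```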
no aaa server http result <http_server_name>
This command is used to delete the HTTP response filter rule configured for the specified HTTP
AAA server.
show aaa server http result <http_server_name>
This command is used to display the HTTP response filter rule configured for the specified HTTP
AAA server.
aaa server http defaultgroup <http_server_name> <default_group>
This command is used to configure the default group assigned to authenticated users for whom no
HTTP group is obtained for the specified HTTP AAA server.
http_server_name               This parameter specifies the name of an existing HTTP AAA server.
default_group                  This parameter specifies the name of the default HTTP group. Its
                               value must be a string of 1 to 64 characters.
no aaa server http defaultgroup <http_server_name>
This command is used to delete the configuration of the default group assigned to authenticated
users for whom no HTTP group is obtained for the specified HTTP AAA server.
show aaa server http defaultgroup <http_server_name>
This command is used to display the configuration of the default group assigned to authenticated
users for whom no HTTP group is obtained for the specified HTTP AAA server.
SAML
Security Assertion Markup Language (SAML) is an XML-based open standard for describing and
exchanging security information between on-line business partners. AG supports authentication
and authorization using the SAML protocol. In the SAML architecture, AG works as a Service
Provider (SP), providing resources for users and depending on the assertion of the Identity
Provider (IdP) for user authentication and authorization.
This section covers the commands for configuring the SAML function.
aaa saml {enable|disable}
This command is used to enable or disable the SAML function. By default, this function is
disabled.
When the SAML function is enabled, the virtual site will use only SAML for authentication and
authorization, and ignore the other authentication and authorization configuration of the AAA
function, such as LocalDB and LDAP. When the SAML function is disabled, the virtual site will
use the authentication and authorization configuration of the AAA function.
aaa saml idp name <idp_name>
This command is used to configure an IdP. A maximum of three IdPs can be configured for one
virtual site.
idp_name                       This parameter specifies the name of an IdP. Its value must be a
                               string of 1 to 64 characters.
no aaa saml idp name <idp_name>
This command is used to delete a specified IdP.
aaa saml sp idp <idp_name>
This command is used to enable the specified IdP for the SAML SP (AG).
Before enabling an IdP, you need to import the metadata of the IdP using the “aaa saml idp
metadata” command and specify the attributes used to obtain the user identity information from
the SAML Assertion response returned by the IdP using the “aaa saml idp attributes” command.
If no IdP is enabled, all available IdPs will be displayed for the user to select for authentication.
idp_name                         This parameter specifies the name of the existing IdP specified by
                                 the “aaa saml idp name” command.
no aaa saml sp idp
This command is used to disable the specified IdP that has been enabled for the SAML SP. After
this command is executed, all available IdPs will be displayed for the user to select for
authentication.
aaa saml idp metadata <idp_name> <url>
This command is used to import the metadata of the specified IdP to the SAML SP (AG). Please
note that if the metadata of the IdP has changed, you need to import the new metadata to the
SAML SP.
idp_name                         This parameter specifies the name of the existing IdP specified by
                                 the “aaa saml idp name” command.
url                              This parameter specifies the HTTP, HTTPS or FTP URL to obtain
                                 the metadata of the IdP. Its value must be a string of 1 to 900
                                 characters.
show aaa saml idp metadata <idp_name>
This command is used to display the imported metadata of the specified IdP.
aaa saml sp metadata
This command is used to list the URLs where the metadata of the SAML SP can be downloaded.
This metadata should be imported to the IdP enabled for the SAML SP. Please note that the SP
metadata on the IdP should be updated if the attributes configured using the “aaa saml idp
attributes” command or the binding types configured by the “aaa saml sp slo” command are
changed.
          Note: Because multiple IP addresses and domain names can be configured for a virtual
          site (via the commands “virtual site ip” and “virtual site domain”), there may be
          multiple URLs for the metadata of the SP server. The administrator can select the
          metadata as required.
aaa saml idp attributes <idp_name> <username> [groupname] [external_acl]
[netpool]
This command is used to specify the attributes used to obtain the user identity information from a
SAML Assertion response returned by the specified IdP.
idp_name                           This parameter specifies the name of the existing IdP specified by
                                   the “aaa saml idp name” command.
username                           This parameter specifies the attribute to obtain the username from
                                   the SAML Assertion response. The obtained username will be used
                                   for further authorization. Its value must be a string of 1 to 900
                                   characters. Besides, the special value “subject.nameid” is also
                                   supported, indicating the NameID field in the SAML Assertion
                                   response.
groupname                          Optional. This parameter specifies the attribute to obtain the group
                                   name from the SAML Assertion response. The obtained group
                                   name will be used for further authorization. Its value must be a
                                   string of 1 to 900 characters. The default value is empty.
external_acl                       Optional. This parameter specifies the attribute to obtain the
                                   external ACL rule from the SAML Assertion response. The
                                   obtained external ACL rule will be used for further authorization. Its
                                   value must be a string of 1 to 900 characters. The default value is
                                   empty.
netpool                            Optional. This parameter specifies the attribute to obtain the netpool
                                   from the SAML Assertion response. The obtained netpool will be
                                   used for further authorization. Its value must be a string of 1 to 900
                                   characters. The default value is empty.
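As an added illustration (example code, not Array Networks code), the following Python maps the four “aaa saml idp attributes” settings, including the special “subject.nameid” value, onto a constructed SAML Assertion. Taking the first value of a multi-valued attribute is an assumption, and the sample skips signature and condition checks that a real SP performs before trusting the assertion.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion for illustration only. A real SP first verifies the
# IdP signature (with the certificate from the imported IdP metadata) and the
# audience/validity conditions before reading any of these values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" IssueInstant="2018-01-01T00:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>vpn-users</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="ag-netpool"><saml:AttributeValue>pool1</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Collect every <saml:Attribute Name=...> with its AttributeValue texts."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name", "")] = [
            (v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return attrs


def extract_identity(assertion_xml: str, username: str, groupname: str = "",
                     external_acl: str = "", netpool: str = "") -> Dict[str, Optional[str]]:
    """Map the 'aaa saml idp attributes' settings onto an Assertion. Each
    setting names an attribute; the special value 'subject.nameid' reads
    <saml:Subject>/<saml:NameID>. Multi-valued attributes yield their first
    value here (an assumption; the handbook does not say how AG picks one)."""
    root = ET.fromstring(assertion_xml)
    nameid = root.findtext(".//saml:Subject/saml:NameID", default=None, namespaces=SAML_NS)
    attrs = assertion_attributes(assertion_xml)

    def lookup(setting: str) -> Optional[str]:
        if not setting:                      # optional setting left empty
            return None
        if setting == "subject.nameid":
            return nameid
        values = attrs.get(setting)
        return values[0] if values else None

    return {"username": lookup(username), "groupname": lookup(groupname),
            "external_acl": lookup(external_acl), "netpool": lookup(netpool)}


if __name__ == "__main__":
    print(extract_identity(SAMPLE_ASSERTION, "subject.nameid", "memberOf", "", "ag-netpool"))
```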
aaa saml sp acs [type]
This command is used to specify the binding type of the Assertion Consumer Service (ACS) on
the SP. The binding type of the ACS will be included in the SP metadata, based on which the IdP
returns the SAML Assertion response to the ACS of the SP.
type                               This parameter specifies the binding type for the ACS. Its value
                                   must be:
                                       - post: indicates the HTTP POST binding.
                                       - artifact: indicates the HTTP Artifact binding.
                               The default value is “post”. For more details about SAML bindings,
                               please refer to http://docs.oasis-open.org/security/saml/v2.0/.
aaa saml sp slo [type]
This command is used to specify the binding type for the Single Logout (SLO) service on the SP.
The IdP uses the specified binding type when communicating with the SLO service on the SP.
type                           This parameter specifies the binding type for the SLO service.
                               Its value must be:
                                   - redirect: indicates the HTTP redirect binding.
                                   - post: indicates the HTTP POST binding.
                                   - both: indicates both the HTTP redirect binding and the HTTP
                                     POST binding.
                               The default value is “both”.
         Note: The synchronous SOAP binding is not supported.
show aaa saml config
This command is used to display all the configurations of the SAML function.
clear aaa saml config
This command is used to reset all the configurations of the SAML function. After this command is
executed, the SAML function is disabled.
OAuth Authentication
aaa oauth enable
This command is used to enable OAuth authentication for the virtual site.
When OAuth authentication is enabled for the virtual site, a program of the OAuth client is started
for the virtual site in the system. To communicate with a third-party OAuth server, the OAuth
client should authenticate itself to the OAuth server. Therefore, you need to register the OAuth
client to obtain the Client ID and Secret and register the Redirection URL on the developer
platform of the OAuth server’s service provider. For information on how to register the OAuth
client and the Redirection URL, please contact the service provider of the OAuth server.
By default, OAuth authentication is disabled.
aaa oauth disable
This command is used to disable OAuth authentication for the virtual site.
aaa oauth id <oauth_server_id>
This command is used to define an OAuth server.
oauth_server_id                This parameter specifies the ID of a third-party OAuth server.
                               Currently, its value must be:
                                   - google: indicates the Google OAuth server.
                                   - wechat: indicates the WeChat OAuth server.
When the Google OAuth server is defined, the system automatically adds the following
configurations:
aaa oauth tokenurl "google" "https://accounts.google.com/o/oauth2/token"
aaa oauth jwksurl "google" "https://www.googleapis.com/oauth2/v3/certs"
aaa oauth authenticatorurl "google" "https://accounts.google.com/o/oauth2/auth"
aaa oauth registration "google"
When the WeChat OAuth server is defined, the system automatically adds the following
configurations:
aaa oauth tokenurl "wechat" "https://api.weixin.qq.com/sns/oauth2/access_token"
aaa oauth authenticatorurl "wechat" "https://open.weixin.qq.com/connect/qrconnect"
aaa oauth resourceurl "wechat" "https://api.weixin.qq.com/sns/userinfo"
aaa oauth registration "wechat"
aaa oauth wechat serviceauthenticatorurl
"https://open.weixin.qq.com/connect/oauth2/authorize"
no aaa oauth id <oauth_server_id>
This command is used to delete a specified OAuth server.
aaa oauth authenticatorurl <oauth_server_id> <authenticator_url>
This command is used to set the URL of the specified OAuth server’s login page.
oauth_server_id                This parameter specifies an existing OAuth server.
authenticator_url              This parameter specifies the URL of the OAuth server’s login page.
                               Its value must be a string of 1 to 900 characters.
no aaa oauth authenticatorurl <oauth_server_id>
This command is used to delete the URL setting of the specified OAuth server’s login page.
aaa oauth tokenurl <oauth_server_id> <token_url>
This command is used to set the URL from which to obtain an access token from the specified
OAuth server.
oauth_server_id                 This parameter specifies an existing OAuth server.
token_url                       This parameter specifies the URL where the OAuth client obtains
                                the access token from the OAuth server. Its value must be a string
                                of 1 to 900 characters.
no aaa oauth tokenurl <oauth_server_id>
This command is used to delete the setting of the URL from which to obtain an access token from
the specified OAuth server.
aaa oauth jwksurl <oauth_server_id> <jwks_url>
This command is used to set the URL from which to obtain the JSON Web Key (JWK) set of the
specified OAuth server. This command needs to be configured only for the Google OAuth server
currently.
oauth_server_id                 This parameter specifies an existing OAuth server.
jwks_url                        This parameter specifies the URL where to obtain the JWK set of
                                the OAuth server. Its value must be a string of 1 to 900 characters.
no aaa oauth jwksurl <oauth_server_id>
This command is used to delete the setting of the URL from which to obtain the JWK set of the
specified OAuth server.
aaa oauth registerid <oauth_server_id> <register_id>
This command is used to set the registered client ID for the OAuth client to communicate with the
specified OAuth server.
oauth_server_id                 This parameter specifies an existing OAuth server.
register_id                     This parameter specifies the registered client ID for the OAuth
                                client. Its value must be a string of 1 to 128 characters.
no aaa oauth registerid <oauth_server_id>
This command is used to delete the setting of the registered client ID for the OAuth client to
communicate with the specified OAuth server.
aaa oauth registersecret <oauth_server_id> <register_secret>
This command is used to set the registered client secret for the OAuth client to communicate with
the specified OAuth server.
oauth_server_id                 This parameter specifies an existing OAuth server.
register_secret                 This parameter specifies the registered client secret for the OAuth
                                client. Its value must be a string of 1 to 128 characters.
no aaa oauth registersecret <oauth_server_id>
This command is used to delete the setting of the registered client secret for the OAuth client to
communicate with the specified OAuth server.
aaa oauth redirecturl <oauth_server_id> <redirect_url>
This command is used to set the URL to which the specified OAuth server will redirect responses.
oauth_server_id                 This parameter specifies an existing OAuth server.
redirect_url                    This parameter specifies the URL to which the OAuth server will
                                redirect responses. Its value must be a string of 1 to 900 characters.
                                    - For the Google OAuth server, its value must be the same as the
                                      Redirection URL
                                      (“https://<virtual_site_domain_name>/prx/000/http/localh/oauth_code”)
                                      registered on Google’s third-party developer platform.
                                    - For the WeChat OAuth server, its value must be in the format of
                                      “https://<virtual_site_domain_name>/prx/000/http/localh/oauth_wechat_code”
                                      and its virtual site domain name must have been registered on
                                      WeChat’s developer platform.
no aaa oauth redirecturl <oauth_server_id>
This command is used to delete the setting of the URL to which the specified OAuth server will
redirect responses.
aaa oauth resourceurl <oauth_server_id> <resource_url>
This command is used to set the URL from which the OAuth client obtains the user information
from the specified OAuth server. This command needs to be configured only for the WeChat
OAuth server currently.
oauth_server_id                 This parameter specifies an existing OAuth server.
resource_url                    This parameter specifies the URL where the OAuth client obtains
                                the user information from the resource server. Its value must be a
                                string of 1 to 900 characters.
        Note: The Google OAuth server will return the user information in the Access Token
        responses and therefore this configuration is not required.
no aaa oauth resourceurl <oauth_server_id>
This command is used to delete the setting of the URL from which the OAuth client obtains the
user information from the specified OAuth server.
aaa oauth registration <oauth_server_id>
This command is used to enable post-OAuth user registration for the specified OAuth server.
When this function is enabled, OAuth users are required to register to the system after passing the
OAuth authentication. During the user registration, users need to authenticate themselves to the
authentication server in the AAA method specified by the “aaa method register” command. After
the user passes the authentication, the system will bind the obtained OAuth user IDs (UIDs) with
the usernames used for registration. The usernames used for registration instead of the obtained
OAuth usernames will be used for further authorization and displayed on the welcome page.
By default, post-OAuth user registration is enabled.
oauth_server_id                 This parameter specifies an existing OAuth server.
no aaa oauth registration <oauth_server_id>
This command is used to disable post-OAuth user registration for the specified OAuth server.
When post-OAuth user registration is disabled, the obtained OAuth usernames (email accounts for
the Google OAuth server or nicknames for the WeChat OAuth server) will be used for
authorization. Therefore, the authorization server in the same AAA method as the OAuth server
should have accounts with the same usernames as the obtained OAuth usernames. Otherwise, the
authorization will fail. After the OAuth users pass the authorization, the OAuth usernames will be
displayed.
aaa oauth prefixasusername <oauth_server_id>
This command is used to enable the option of using an email account prefix as the OAuth
username for the specified OAuth server. By default, this option is disabled.
oauth_server_id                 This parameter specifies an existing OAuth server.
        Note: This option can be used when post-OAuth user registration is disabled.
no aaa oauth prefixasusername <oauth_server_id>
This command is used to disable the option of using an email account prefix as the OAuth
username for the specified OAuth server.
aaa oauth authorizationfilter <oauth_server_id> <authorization_filter>
This command is used to configure the post-OAuth authorization filter for the specified OAuth
server. The system will continue to perform authorization for an OAuth user after OAuth
authentication only when the OAuth username (email account for the Google OAuth server or
nickname for the WeChat OAuth server) matches the post-OAuth authorization filter.
If the post-OAuth authorization filter is not configured, the system will continue to perform
authorization for all users passing OAuth authentication.
oauth_server_id                 This parameter specifies an existing OAuth server.
authorization_filter            This parameter specifies the regular expression used to filter
                                usernames. Its value must be a string of 1 to 64 characters.
no aaa oauth authorizationfilter <oauth_server_id>
This command is used to delete the post-OAuth authorization filter configured for the specified
OAuth server.
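The registration, prefixasusername and authorizationfilter settings above combine into a single post-OAuth decision. The following Python model is an added illustration, not Array Networks code; it assumes the filter is evaluated against the full OAuth username before the email prefix is taken, that a non-matching filter ends the login, and that the authorization server is represented by the set of account names it knows. The collision check at the end is a defender-side audit of prefix-as-username configurations, not a CLI feature.

```python
"""Model of the post-OAuth authorization steps on this page (constructed example).

Assumptions (not from the handbook): the filter is applied to the full OAuth
username before the prefix is taken, and a non-matching filter ends the login.
"""
import re
from dataclasses import dataclass


@dataclass
class OAuthServerSettings:
    registration: bool = True          # aaa oauth registration <id>   (default: enabled)
    prefix_as_username: bool = False   # aaa oauth prefixasusername <id> (default: disabled)
    authorization_filter: str = ""     # aaa oauth authorizationfilter <id> <regex>, or "" if unset


def set_authorization_filter(settings: OAuthServerSettings, pattern: str) -> None:
    """Apply the 1 to 64 character limit and reject a pattern that is not a valid regex."""
    if not 1 <= len(pattern) <= 64:
        raise ValueError("authorization_filter must be 1 to 64 characters")
    re.compile(pattern)  # raises re.error on a malformed pattern
    settings.authorization_filter = pattern


def post_oauth_decision(settings: OAuthServerSettings, oauth_username: str, authz_accounts):
    """Return (outcome, effective_username) for a user who just passed OAuth authentication.

    outcome is one of:
      "filtered"    username did not match the post-OAuth authorization filter
      "registered"  post-OAuth registration is on; the obtained username is kept as is
      "authorized"  registration is off and the authorization server has that account
      "no_account"  registration is off and no account with that name exists
    """
    if settings.authorization_filter and not re.search(settings.authorization_filter, oauth_username):
        return "filtered", oauth_username
    if settings.registration:
        return "registered", oauth_username
    username = oauth_username
    if settings.prefix_as_username and "@" in username:
        username = username.split("@", 1)[0]   # email prefix becomes the username
    if username in authz_accounts:
        return "authorized", username
    return "no_account", username


def prefix_collisions(oauth_usernames):
    """Defender check: with prefixasusername enabled, distinct email addresses that share a
    local part collapse onto one authorization account.  Returns {prefix: [emails]} for
    every prefix shared by two or more addresses; an empty dict means no collision."""
    by_prefix = {}
    for name in oauth_usernames:
        if "@" in name:
            by_prefix.setdefault(name.split("@", 1)[0], set()).add(name)
    return {p: sorted(v) for p, v in by_prefix.items() if len(v) > 1}
```

An anchored filter such as `@example\.com$` keeps prefix-as-username from accepting the same local part from an unrelated domain; the collision report shows which identities would collide without it.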
To use a WeChat service account to provide the virtual site’s resources to end users, you also need
to configure the following advanced settings for successful WeChat OAuth authentication.
aaa oauth wechat serviceauthenticatorurl <service_authenticator_url>
This command is used to set the URL from which to authenticate service accounts for WeChat
OAuth authentication.
service_authenticator_url       This parameter specifies the URL where to authenticate service
                                accounts. Its value must be a string of 1 to 900 characters.
no aaa oauth wechat serviceauthenticatorurl
This command is used to delete the setting of the URL from which to authenticate service
accounts for the WeChat OAuth server.
aaa oauth wechat serviceregisterid <service_appid>
This command is used to set the registered AppID of the service account for WeChat OAuth
authentication.
service_appid                   This parameter specifies the registered AppID of the service
                                account for WeChat OAuth authentication. Its value must be a
                                string of 1 to 128 characters.
no aaa oauth wechat serviceregisterid
This command is used to delete the setting of the registered AppID of the service account for
WeChat OAuth authentication.
aaa oauth wechat serviceregistersecret <service_appsecret>
This command is used to set the registered AppSecret of the service account for WeChat OAuth
authentication.
service_appsecret               This parameter specifies the registered AppSecret of the service
                                account for WeChat OAuth authentication. Its value must be a
                               string of 1 to 128 characters.
no aaa oauth wechat serviceregistersecret
This command is used to delete the setting of the registered AppSecret of the service account for
WeChat OAuth authentication.
show aaa oauth config
This command is used to display the configurations related to OAuth authentication.
clear aaa oauth config
This command is used to clear the configurations related to OAuth authentication.
Method
aaa method name <method_name> [description]
This command is used to add a AAA method. Each AAA method specifies the AAA server(s) used for
authentication and the AAA server used for authorization. A maximum of five AAA methods can be
configured.
method_name                    This parameter specifies the name of the AAA method. Its value
                               must be a case-insensitive string of 1 to 32 characters enclosed by
                               double quotes when beginning with a non-alphabetical character.
description                    Optional. This parameter specifies the description of the method. Its
                               value must be a string of 1 to 127 characters enclosed by double
                               quotes when beginning with a non-alphabetical character. If this
                               parameter is not specified, the default description will be the value
                               of “method_name”.
no aaa method name <method_name>
This command is used to delete the specified AAA method.
show aaa method name
This command is used to display all AAA methods.
aaa method server <method_name> <authentication_server>
[authorization_server]
This command is used to configure the authentication and authorization server(s) for the specified
AAA method.
method_name                    This parameter specifies the name of the existing AAA method.
authentication_server          This parameter specifies the authentication server(s). A maximum
                               of three authentication servers can be configured for one AAA
                               method. These three authentication servers can be of the same type
                               or different types. If multiple authentication servers are configured,
                               they must be separated by comma(s) and enclosed by double
                               quotes.
authorization_server           Optional. This parameter specifies the authorization server. Its value
                               must be:
                                   • authorization server: indicates that the virtual site uses the
                                     specified AAA server as authorization server.
                                   • “none”: indicates that the virtual site skips the authorization.
                                   • empty: indicates that the only authentication server will be
                                     used as the authorization server.
                               The default value is empty.
                               Note:
                                   • When the “authentication_server” parameter specifies more
                                     than one authentication server, its value can only be a AAA
                                     server name or “none”. The authorization server will be the
                                     same as the authentication server.
                                   • When the “authentication_server” parameter specifies only
                                     one authentication server, the default value is empty.
       Note: The authorization server cannot be specified as an SMX server.
no aaa method server <method_name>
This command is used to delete the configuration of the authentication and authorization servers
for the specified AAA method.
show aaa method server <method_name>
This command is used to display the authentication and authorization servers of the specified
AAA method.
        Note: Different AAA server scenarios can meet specific needs. Following are examples of
        how to configure AAA servers:
            • Authentication server but no authorization server:
        aaa method server m1 radius none
            • Authentication server and authorization server:
        aaa method server m1 radius ldap
            • Authentication server same as authorization server:
        aaa method server m1 radius
            • Multiple authentication servers and authorization server:
        aaa method server m1 “radius, ldap” localdb
            • Multiple authentication servers but no authorization server:
        aaa method server m1 “radius, ldap” none
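As an added illustration (not Array Networks code), the following Python parser applies the rules above to the five example forms: comma-separated authentication servers inside double quotes, “none” to skip authorization, an empty value meaning the single authentication server is reused, and the restriction that with several authentication servers the authorization server must be named explicitly or be “none”. It assumes the CLI tokenizes quoted values like a POSIX shell; the server_types map used for the SMX check is an assumed lookup.

```python
"""Parser for the argument forms of "aaa method server" described above.

Constructed example, not Array Networks code. Assumptions: quoted values are
tokenized like a POSIX shell, and server_types is an assumed name -> type
lookup used only for the "no SMX authorization server" check.
"""
import shlex
from dataclasses import dataclass
from typing import Optional

MAX_AUTH_SERVERS = 3  # "A maximum of three authentication servers can be configured"


@dataclass(frozen=True)
class MethodServers:
    method: str
    authentication: tuple            # one to three AAA server names, in the order given
    authorization: Optional[str]     # None stands for "none": authorization is skipped


def parse_method_server(line: str, server_types: Optional[dict] = None) -> MethodServers:
    # The handbook prints curly quotes; normalise them so shlex sees plain double quotes.
    tokens = shlex.split(line.replace("\u201c", '"').replace("\u201d", '"'))
    if tokens[:3] != ["aaa", "method", "server"] or len(tokens) not in (5, 6):
        raise ValueError(
            "usage: aaa method server <method_name> <authentication_server> [authorization_server]")
    method, auth_arg = tokens[3], tokens[4]
    authz_arg = tokens[5] if len(tokens) == 6 else ""

    # Several authentication servers arrive as one quoted, comma-separated value.
    auth = tuple(name.strip() for name in auth_arg.split(","))
    if not all(auth) or len(auth) > MAX_AUTH_SERVERS:
        raise ValueError("1 to 3 comma-separated authentication servers required")

    if authz_arg == "none":
        return MethodServers(method, auth, None)       # virtual site skips authorization
    if authz_arg == "":
        if len(auth) > 1:
            # With multiple authentication servers only a server name or "none" is allowed.
            raise ValueError('authorization server must be a server name or "none" '
                             "when multiple authentication servers are configured")
        return MethodServers(method, auth, auth[0])    # empty: reuse the only authentication server
    if server_types and server_types.get(authz_arg) == "smx":
        raise ValueError("the authorization server cannot be specified as an SMX server")
    return MethodServers(method, auth, authz_arg)
```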
aaa method otp <method_name> <otp_server>
{authentication_server|authorization_server}
This command is used to configure the One-time password (OTP) server and the server from
which the mobile phone numbers of users will be obtained for the specified AAA method.
method_name                    This parameter specifies the name of the existing AAA method.
otp_server                     This parameter specifies the name of an existing OTP server. The
                               OTP server must be the SMS server configured by the command
                               “aaa server name sms”.
authentication_server|         This parameter specifies the name of an existing server from which
authorization_server           the mobile phone numbers of users will be obtained. The server
                               must be the one used for authentication or authorization configured
                               by the command “aaa method server” and the server type must be
                               LocalDB, LDAP, RADIUS or Certificate.
       Note: If the related authentication or authorization server is deleted by executing the
       command “no aaa method server”, this command configuration will also be deleted.
no aaa method otp <method_name>
This command is used to delete the OTP server and the authentication or authorization server
configured for the specified AAA method.
show aaa method otp <method_name>
This command is used to display the OTP server and the authentication or authorization server
configured for the specified AAA method.
Rank
aaa method rank include <method_name> <number>
This command is used to add a AAA method to the rank list of AAA methods and set the rank
number of the AAA method in the rank list.
method_name                     This parameter specifies the name of the existing AAA method.
number                          This parameter specifies the rank number of the AAA method in the
                                rank list. Its value must be 1, 2, 3 or 4. The smaller the value, the
                                higher the rank. For example, the parameter value “1” indicates that
                                the AAA method ranks number 1 in the rank list.
no aaa method rank include <number>
This command is used to delete a specified AAA method from the rank list of AAA methods.
show aaa method rank
This command is used to display the current AAA rank configuration.
aaa method rank {on|off}
This command is used to enable or disable the AAA rank function. Before enabling the AAA rank
function, add the AAA methods to the rank list of AAA methods with the “aaa method rank
include” command. By default, the AAA rank function is disabled.
         Note: If the administrator deletes all AAA methods from the rank list, the AAA rank
         function will automatically become disabled.
Accounting
aaa accounting {on|off}
This command is used to enable or disable the RADIUS accounting function. By default, this
function is disabled.
aaa accounting server <server_name>
This command is used to configure the RADIUS server used for accounting.
server_name                     This parameter specifies an existing RADIUS server name.
no aaa accounting server
This command is used to delete the RADIUS server used for accounting.
aaa accounting login
This command is used to enable the sending of accounting records to the RADIUS server when
users log in or log out.
no aaa accounting login
This command is used to disable the sending of accounting records to the RADIUS server when
users log in or log out.
aaa accounting vpn
This command is used to enable the sending of accounting records to the RADIUS server when
VPN tunnels are established or terminated.
no aaa accounting vpn
This command is used to disable the sending of accounting records to the RADIUS server when
VPN tunnels are established or terminated.
aaa accounting fail allowaccess
This command is used to allow user access when RADIUS accounting fails.
no aaa accounting fail allowaccess
This command is used to deny user access when RADIUS accounting fails.
Group Mapping
aaa map group <ext_grp_name> <int_grp_name>
This command is used to map an external group to an internal LocalDB group. The maximum
number of group mappings varies with the number of LocalDB groups.
ext_grp_name                  This parameter specifies the external group name. Its value must be
                              a string of 1 to 64 characters.
                              Note: This parameter value cannot contain spaces or characters like
                              “,”, “;” and “:”.
int_grp_name                  This parameter specifies the internal LocalDB group name.
                              Note: This parameter value cannot contain the character “:”.
no aaa map group <ext_grp_name> <int_grp_name>
This command is used to delete a mapping between an external group and an internal LocalDB
group.
show aaa map group [ext_grp_name]
This command is used to display the group mappings for the specified external group. If the
“ext_grp_name” parameter is not specified, all the mappings between external groups and internal
LocalDB groups will be displayed.
clear aaa map group
This command is used to delete all mappings between external groups and internal LocalDB
groups.
Hardware ID
aaa hardwareid {on|off}
This command is used to enable or disable the Hardware ID authorization function. By default, the
Hardware ID authorization function is disabled.
aaa hardwareid initmode activex
This command is used to set the initiation mode of the Hardware ID authorization component to
“ActiveX”.
aaa hardwareid initmode java
This command is used to set the initiation mode of the Hardware ID authorization component to
“Java”.
aaa hardwareid initmode autoswitch
This command is used to enable auto switch of the initiation mode for the Hardware ID
authorization component. When the auto switch of the initiation mode is enabled, the system will
switch to another initiation mode if it fails to start the Hardware ID authorization component using
the first initiation mode.
no aaa hardwareid initmode autoswitch
This command is used to disable auto switch of the initiation mode for the Hardware ID
authorization component.
localdb hardwareid email <email>
This command is used to set an email address for the administrator to receive Hardware ID
authorization requests from end users.
email                           This parameter specifies the email address. Its value must be a
                                string of 1 to 127 characters.
no localdb hardwareid email
This command is used to delete the configuration of the email address for the administrator to
receive Hardware ID authorization requests from end users.
show localdb hardwareid email
This command is used to display the email address configured for the administrator to receive
Hardware ID authorization requests from end users.
localdb hardwareid {on|off} <group_name>
This command is used to enable or disable Hardware ID authorization for the specified LocalDB
group.
group_name                      This parameter specifies the name of an existing LocalDB group.
localdb hardwareid aggregation <group_name>
This command is used to enable the aggregation function for the specified LocalDB group. When
the aggregation function is enabled for a LocalDB group, administrators can configure the
Hardware ID rule to authorize all users of this group to use the specified client device to access the
virtual site. When the aggregation function is disabled for the group, administrators can configure
the Hardware ID rule to authorize only a specified user in the group to use this specified client
device to access the virtual site.
group_name                      This parameter specifies the name of an existing LocalDB group.
no localdb hardwareid aggregation <group_name>
This command is used to disable the aggregation function for the specified group.
localdb hardwareid group <status> <group_name> <hardware_id>
[host_name]
This command is used to configure a Hardware ID rule for the specified LocalDB group.
status                          This parameter specifies the status of the device. Its value must be:
                                    • approve: indicates that the users in this group can use the
                                      device to access internal resources.
                                    • pending: indicates that the users in this group can use the
                                      device to access internal resources only after the
                                      administrator’s approval.
                                    • deny: indicates that the users in this group cannot use the
                                      device to access internal resources.
group_name                      This parameter specifies the name of an existing LocalDB group.
hardware_id                     This parameter specifies the hardware ID of the device. Its value
                                must be a string of 1 to 511 characters.
host_name                       Optional. This parameter specifies the host name corresponding to
                                the hardware ID. Its value must be a string of 1 to 511 characters.
                                The default value is “empty”.
        Note: For an external group, the administrator can map the external group to a LocalDB
        group using the “aaa map group” command. Then, when the users in this external group
        access the virtual site, the Hardware ID rules of the mapped LocalDB group will apply to
        these users.
no localdb hardwareid group <status> <group_name> <hardware_id>
This command is used to delete a Hardware ID rule configured for the specified LocalDB group.
localdb hardwareid policy <group_name> [mac_any|mac_all|machineid]
This command is used to set the Hardware ID matching policy for the specified LocalDB group.
group_name                    This parameter specifies the name of an existing LocalDB group.
mac_any|mac_all|machineid     Optional. This parameter specifies the Hardware ID matching
                              policy. Its value must be:
                                  • mac_any: indicates that a Hardware ID rule will take effect
                                    when any of the client’s MAC addresses matches a MAC
                                    address in the rule.
                                  • mac_all: indicates that a Hardware ID rule will take effect
                                    when all the client’s MAC addresses match the MAC
                                    addresses in the rule and the number of the client’s MAC
                                    addresses is equal to that of the MAC addresses in the rule.
                                  • machineid: indicates that a Hardware ID rule will take effect
                                    when the client’s MachineID matches the MachineID in the
                                    rule.
                              The default value is “machineid”.
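The following Python model (added here, not Array Networks code) shows how the three matching policies treat a client's MAC addresses and MachineID against a group's Hardware ID rules. The “mac=…;machineid=…” encoding of a hardware ID, the case-insensitive MAC comparison, and the rule that an explicit deny outranks approve and pending for the same device are assumptions, not taken from the handbook.

```python
"""Evaluation of Hardware ID rules under the mac_any, mac_all and machineid
matching policies described above.

Constructed example, not Array Networks code. Assumptions: a hardware ID is
encoded as "mac=<addr>;mac=<addr>;machineid=<id>" (any subset of fields), MAC
addresses compare case-insensitively with ":" and "-" treated alike, and an
explicit "deny" rule outranks "approve", which outranks "pending".
"""
from dataclasses import dataclass
from typing import Optional

POLICIES = ("mac_any", "mac_all", "machineid")
STATUSES = ("approve", "pending", "deny")


@dataclass(frozen=True)
class HardwareIdRule:
    status: str           # approve | pending | deny
    hardware_id: str      # 1 to 511 characters
    host_name: str = ""   # optional, 1 to 511 characters when given

    def __post_init__(self):
        if self.status not in STATUSES:
            raise ValueError(f"status must be one of {STATUSES}")
        if not 1 <= len(self.hardware_id) <= 511:
            raise ValueError("hardware_id must be 1 to 511 characters")
        if len(self.host_name) > 511:
            raise ValueError("host_name must be at most 511 characters")


def normalise_mac(mac: str) -> str:
    return mac.strip().lower().replace(":", "-")


def parse_hardware_id(hardware_id: str):
    """Split an encoded hardware ID into (frozenset of MACs, MachineID or None)."""
    macs, machine_id = set(), None
    for field in hardware_id.split(";"):
        key, _, value = field.partition("=")
        if key == "mac" and value:
            macs.add(normalise_mac(value))
        elif key == "machineid" and value:
            machine_id = value
    return frozenset(macs), machine_id


def rule_matches(policy: str, rule: HardwareIdRule, client_macs, client_machine_id=None) -> bool:
    rule_macs, rule_mid = parse_hardware_id(rule.hardware_id)
    client = frozenset(normalise_mac(m) for m in client_macs)
    if policy == "mac_any":        # any client MAC appears in the rule
        return bool(client & rule_macs)
    if policy == "mac_all":        # every client MAC is in the rule and the counts are equal
        return bool(client) and client == rule_macs
    if policy == "machineid":      # MachineID equality only; MAC addresses are ignored
        return rule_mid is not None and rule_mid == client_machine_id
    raise ValueError(f"policy must be one of {POLICIES}")


def evaluate(policy: str, rules, client_macs, client_machine_id=None) -> Optional[str]:
    """Return the effective status for the client device, or None if no rule matches."""
    matched = {r.status for r in rules if rule_matches(policy, r, client_macs, client_machine_id)}
    for status in ("deny", "approve", "pending"):   # assumed precedence
        if status in matched:
            return status
    return None
```

With mac_all, a client that presents only one of the two MAC addresses in a rule does not match, which is the count check the handbook describes.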
show localdb hardwareid rule [type] [status] [keyword] [match_mode] [offset]
[count] [orderby]
This command is used to display the configured Hardware ID rules.
type                          Optional. This parameter specifies the type of Hardware ID rules to
                              be displayed. Its value must be:
                                  • account: indicates that Hardware ID rules configured for users
                                    will be displayed.
                                  • group: indicates that Hardware ID rules configured for groups
                                    will be displayed.
                                  • all: indicates that Hardware ID rules of both types will be
                                   displayed.
                              The default value is “all”.
status                        Optional. This parameter specifies the status of the Hardware ID
                              rules to be displayed. Its value must be “approve”, “pending”,
                              “deny” or “all”. The default status is “all”, indicating that Hardware
                              ID rules of all status will be displayed.
keyword                       Optional. This parameter specifies a string to match the hardware
                              ID, the user account name or LocalDB group name of the Hardware
                              ID rules. Its value must be a string of 0 to 256 characters. The
                              default value is “empty”, indicating all matching Hardware ID rules
                              will be displayed.
match_mode                    Optional. This parameter specifies the matching mode of Hardware
                              ID rules to be displayed. Its value must be:
                                  • exact: indicates that the Hardware ID rules exactly matching
                                    the keyword string will be displayed.
                                  • substring: indicates the Hardware ID rules partly matching the
                                    keyword string will be displayed.
                              The default value is “exact”.
offset                        Optional. This parameter specifies the index of the first Hardware
                              ID rule to display. The default value is 0, indicating all matching
                              Hardware ID rules will be displayed.
count                         Optional. This parameter specifies the number of Hardware ID rules
                              to be displayed. The default value is 0, indicating all matching
                              Hardware ID rules will be displayed.
orderby                       Optional. This parameter specifies the order by which to display the
                              hardware ID rules. Its value must be “name”, “type”, “status”,
                              “hardwareid”, “hostname” or “synced”. You can enter multiple
                              values separated with commas. The default value is “name”. To
                              display the hardware ID rules in reverse order, enter DESC after
                              the value.
clear localdb hardwareid rule [type] [status] [keyword]
This command is used to delete the specified Hardware ID rules.
localdb hardwareid grouplimit <limit>
This command is used to set the maximum number of Hardware ID rules with status “approve” for
every LocalDB group with the aggregation function enabled. If this command is not configured,
the default maximum number of Hardware ID rules for every LocalDB group with the aggregation
function enabled is 16.
limit                          This parameter specifies the maximum number of Hardware ID
                               rules. Its value must be an integer ranging from 0 to 65,535.
no localdb hardwareid grouplimit
This command is used to reset the maximum number of Hardware ID rules with status “approve”
for every LocalDB group with the aggregation function enabled to the default setting 16.
localdb hardwareid autocollect <group_name>
This command is used to enable the auto collect function for the specified LocalDB group. When
this function is enabled, the system automatically collects the MAC/MachineID with status set to
“pending” from clients even if no matching Hardware ID rule exists. To use this function, the
aggregation function must be enabled for the specified LocalDB group.
group_name                     This parameter specifies the name of an existing LocalDB group.
no localdb hardwareid autocollect <group_name>
This command is used to disable the auto collect function for the specified LocalDB group.
localdb hardwareid autoapprove <group_name>
This command is used to enable the auto approve function for the specified LocalDB group. When
this function is enabled, the system automatically approves the hardware ID with the status
“pending” set by the auto collect function. To use this function, the aggregation and auto collect
functions must be enabled for the specified LocalDB group.
group_name                     This parameter specifies the name of an existing LocalDB group.
no localdb hardwareid autoapprove <group_name>
This command is used to disable the auto approve function for the specified LocalDB group.
localdb hardwareid account <status> <account_name> <hardware_id>
[host_name]
This command is used to configure a Hardware ID rule for the specified user account.
status                         This parameter specifies the status of the device. Its value must be:
                                   • approve: indicates that the user can use the device to access
                                     internal resources.
                                   • pending: indicates that the user can use the device to access
                                     internal resources only after the administrator’s approval.
                                   • deny: indicates that the user cannot use the device to access
                                     internal resources.
account_name                  This parameter specifies the username of an existing user account.
hardware_id                   This parameter specifies the hardware ID of the device. Its value
                              must be a string of 1 to 511 characters.
host_name                     Optional. This parameter specifies the host name corresponding to
                              the hardware ID. Its value must be a string of 1 to 511 characters.
                              The default value is “empty”.
no localdb hardwareid account <status> <account_name> <hardware_id>
This command is used to delete a Hardware ID rule configured for the specified LocalDB account.
localdb hardwareid userlimit <limit>
This command is used to set the maximum number of Hardware ID rules with status “approve” for
every user belonging to the LocalDB group with the aggregation function disabled. If this
command is not configured, the default maximum number of Hardware ID rules with status
“approve” for every user belonging to the LocalDB group with the aggregation function disabled
is 1.
limit                         This parameter specifies the maximum number of Hardware ID
                              rules per user who does not belong to an aggregated group. Its
                              value must be an integer ranging from 0 to 255.
no localdb hardwareid userlimit
This command is used to reset the maximum number of Hardware ID rules with status “approve”
for every user belonging to the LocalDB group with the aggregation function disabled to the
default setting 1.
show localdb hardwareid userlimit
This command is used to display the maximum number of Hardware ID rules with status
“approve” for every user belonging to the LocalDB group with the aggregation function disabled.
show localdb hardwareid settings [group_name]
This command is used to display the settings of Hardware ID authorization for a specified
LocalDB group. If the “group_name” parameter is not configured, the settings of Hardware ID
authorization for all LocalDB groups will be displayed.
clear localdb hardwareid config [group_name]
This command is used to clear the configurations of Hardware ID authorization for a specified
LocalDB group. If the “group_name” parameter is not configured, all configurations of Hardware
ID will be cleared.
localdb hardwareid devicelimit <limit>
This command is used to set the maximum number of LocalDB accounts that can be bound to a
device for LocalDB groups with the aggregation function disabled. If this command is not
configured, the default maximum number of LocalDB accounts that can be bound to a device is 0
(no limit) for groups with the aggregation function disabled.
limit                          This parameter specifies the maximum number of LocalDB
                               accounts that can be bound to a device. Its value must be an integer
                               ranging from 0 to 255. If the parameter value is set to “0”, the
                               number of LocalDB accounts that can be bound to a device is not
                               limited.
no localdb hardwareid devicelimit
This command is used to reset the maximum number of LocalDB accounts that can be bound to a
device with the aggregation function disabled to the default setting 0.
show localdb hardwareid devicelimit
This command is used to display the maximum number of LocalDB accounts that can be bound to
a device with the aggregation function disabled.
localdb hardwareid sync {on|off}
This command is used to enable or disable the automatic Hardware ID synchronization function.
When the automatic Hardware ID synchronization is enabled, the Hardware ID rules specific to
user accounts in the “Approve” status will be synchronized to the Hardware ID synchronization
host (which is an external account management platform) in real time. If the status of a Hardware
ID rule specific to a user account is changed from “Approve” to “Pending” or “Deny” or one
Hardware ID rule specific to a user account is deleted, the corresponding Hardware ID rule
specific to this user account will be deleted from the Hardware ID synchronization host too.
To use this function, the Hardware ID synchronization host must be configured using the “localdb
hardwareid sync host” command and the HTTP request template must be configured using the
“localdb hardwareid sync req” command.
localdb hardwareid sync manual [account_name] [hardware_id]
This command is used to manually synchronize certain Hardware ID rules specific to user
accounts in the “Approve” status to the Hardware ID synchronization host (configured using the
“localdb hardwareid sync host” command).
To use this function, the Hardware ID synchronization host must be configured using the “localdb
hardwareid sync host” command and the HTTP request templates must be configured using the
“localdb hardwareid sync req” command.
account_name                  Optional. This parameter specifies the username of an existing user
                              account.
                                  • If this parameter is specified, the Hardware ID rules of this
                                    user will be synchronized.
                                  • If this parameter is not specified, the Hardware ID rules of all
                                    users will be synchronized.
                              The default value is empty.
hardware_id                   Optional. This parameter specifies the hardware ID of the device to
                              be synchronized. Its value must be a string of 1 to 511 characters.
                                  • If this parameter is specified, the Hardware ID rules matching
                                    the Hardware ID will be synchronized.
                                  • If this parameter is not specified, the Hardware ID rules
                                    matching all Hardware IDs will be synchronized.
                              The default value is empty.
localdb hardwareid sync host <sync_host> [port] [key] [timeout] [retries]
[tls_flag] [auth_code] [index]
This command is used to configure a Hardware ID synchronization host used to receive the
Hardware ID rules. This command can be also used to modify the settings of an existing Hardware
ID synchronization host. A maximum of three Hardware ID synchronization hosts can be
configured.
sync_host                     This parameter specifies the host name or IP address of the
                              Hardware ID synchronization host. For the host name, the value
                              must be a string of 1 to 900 characters. For the IP address, the value
                              must be an IPv4 address. Please note that the Hardware ID
                              synchronization host should be a Web host.
port                          Optional. This parameter specifies the port number of the Hardware
                              ID synchronization host. Its value must be an integer ranging from
                              1 to 65,535. The default value is 80.
key                           Optional. This parameter specifies the encryption key used to
                              encrypt the Hardware ID rules to be synchronized. Its value must be
                              a string of 1 to 18 characters. The default value is empty, indicating
                              the data will not be encrypted.
timeout                       Optional. This parameter specifies the timeout value of the
                              synchronization in seconds. Its value must be an integer ranging
                                   from 0 to 60. If the parameter value is set to 0, the system will keep
                                   waiting for the response from the synchronization host. The default
                                   value is 5.
retries                            Optional. This parameter specifies the number of times the
                                   synchronization is attempted. Its value must be an integer
                                   ranging from 0 to 10. If the parameter value is set to 0, the
                                   system will keep trying to connect to the synchronization host
                                   until it succeeds. If the parameter value is set to 1, the
                                   synchronization operation will be performed only once.
                                   The default value is 3.
tls_flag                           Optional. This parameter specifies whether to access the Hardware
                                   ID synchronization host over the TLS protocol. Its value must be:
                                       • “tls”: indicates that the Hardware ID synchronization host is
                                         accessed over the TLS protocol.
                                       • empty: indicates that the Hardware ID synchronization host is
                                         accessed over plain HTTP, so any “auth_code” credentials (and
                                         the rules themselves, unless “key” is set) cross the network
                                         in clear text.
                                   The default value is empty.
auth_code                          Optional. This parameter specifies the username and password used
                                   for accessing the Hardware ID synchronization host. Its value must
                                   be a string of 1 to 64 characters. The username and password
                                   should be separated by a colon (:). The default value is empty,
                                   indicating that no authentication is required by the Hardware ID
                                   synchronization host.
index                              Optional. This parameter specifies the index of the Hardware ID
                                   synchronization host. Its value must be 1, 2 or 3. The default value
                                   is 1.
           Note: If the synchronization still fails after the configured timeout and number of
           retries, the system will try to synchronize the data again once the synchronization
           host is back UP.
no localdb hardwareid sync host <index>
This command is used to delete a Hardware ID synchronization host with a specified index.
index                              This parameter specifies the index of the Hardware ID
                                   synchronization host to be deleted. Its value must be 1, 2 or 3.
localdb hardwareid sync req <type> <action> <url> [index]
This command is used to set the HTTP request template used to synchronize Hardware ID rules
for a specified Hardware ID synchronization host.
type                          This parameter specifies the type of the Hardware ID
                              synchronization operation. Its value must be “add” or “delete”.
action                        This parameter specifies the HTTP method. Its value must be “get”,
                              “post”, “put” or “delete” (see the type/action table below).
url                           This parameter specifies the request URL. Its value must be a string
                              of 1 to 900 characters and begin with “/”, such as
                              “/array/addhardwareid”.
index                         Optional. This parameter specifies the index of the Hardware ID
                              synchronization host. Its value must be 1, 2 or 3. The default value
                              is 1.
The following table describes which HTTP methods (“action”) are permitted for each operation
“type”.
                               Type                 Action
                               Add                  Get, Post, Put
                               Delete               Get, Post, Delete
For example:
vs(config)$localdb hardwareid sync req add post "/secsys/1.0/hardwareid" 1
vs(config)$localdb hardwareid sync req delete delete "/secsys/1.0/hardwareid" 2
You can also use the following example:
vs(config)$localdb hardwareid sync req add post "/secsys/1.0/addhardwareid" 1
vs(config)$localdb hardwareid sync req delete post "/secsys/1.0/deletehardwareid" 2
no localdb hardwareid sync req <index> <type>
This command is used to delete an HTTP request template for synchronizing Hardware ID rules
configured for a specified Hardware ID synchronization host.
index                         This parameter specifies the index of the Hardware ID
                              synchronization host. Its value must be 1, 2 or 3.
type                          This parameter specifies the type of the Hardware ID
                              synchronization operation. Its value must be “add”, “delete” or
                              “all”. If the parameter value is set to “all”, all the HTTP request
                              templates for the Hardware ID synchronization host will be deleted.
show localdb hardwareid sync
This command is used to display the configurations of the Hardware ID synchronization.
clear localdb hardwareid sync
This command is used to clear the configurations of the Hardware ID synchronization.
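The following Python model, added here as an example and not Array Networks code, ties together the “localdb hardwareid sync host” parameters, the “sync req” type/action table and the timeout/retries rule above: it validates a request template, builds the request the AG would send for one rule, delivers it through a transport with the retry semantics described (0 = keep trying, 1 = a single attempt) and plays the synchronization host side with an in-memory stand-in. The request body (JSON with “account” and “hardware_id”) and the use of HTTP Basic authentication for “auth_code” are assumptions; the handbook does not specify the wire format, and the “key” encryption is not modelled.

```python
# Model of the AG-to-host exchange set up by the "localdb hardwareid sync" commands.
# Added example, not Array Networks code. Assumed (not in the handbook): the JSON body
# and HTTP Basic encoding of "auth_code"; the "key" encryption is not modelled.
import base64
import json

# HTTP methods permitted per operation type (the handbook's type/action table).
ALLOWED_ACTIONS = {"add": {"get", "post", "put"}, "delete": {"get", "post", "delete"}}


def set_sync_req(templates, typ, action, url, index=1):
    """Validate and store a template as 'localdb hardwareid sync req' would."""
    if action not in ALLOWED_ACTIONS.get(typ, ()):
        raise ValueError(f"action {action!r} is not allowed for type {typ!r}")
    if not (1 <= len(url) <= 900 and url.startswith("/")):
        raise ValueError("url must be 1 to 900 characters and begin with '/'")
    if index not in (1, 2, 3):
        raise ValueError("index must be 1, 2 or 3")
    templates.setdefault(index, {})[typ] = (action, url)
    return templates


def build_request(host, templates, typ, account, hardware_id):
    """Build the request the AG would send for one rule to the host at host['index']."""
    action, url = templates[host["index"]][typ]
    scheme = "https" if host.get("tls_flag") == "tls" else "http"
    headers = {"Content-Type": "application/json"}
    if host.get("auth_code"):  # "user:password", assumed to travel as HTTP Basic
        headers["Authorization"] = "Basic " + base64.b64encode(host["auth_code"].encode()).decode()
    return {
        "method": action.upper(),
        "url": f"{scheme}://{host['sync_host']}:{host.get('port', 80)}{url}",
        "headers": headers,
        "body": json.dumps({"account": account, "hardware_id": hardware_id}),
        # tls_flag empty: the credential (and the rules, unless "key" is set) go in clear text.
        "cleartext_credentials": scheme == "http" and "Authorization" in headers,
    }


def deliver(req, send, retries=3):
    """Apply the 'retries' rule: 0 = keep trying, 1 = one attempt, n = n attempts.
    'send' returns an HTTP status or raises ConnectionError. Returns (delivered, attempts)."""
    attempts = 0
    while retries == 0 or attempts < retries:
        attempts += 1
        try:
            status = send(req)
        except ConnectionError:
            continue  # host down or timed out: try again up to the limit
        if 200 <= status < 300:
            return True, attempts
        if 400 <= status < 500:
            return False, attempts  # rejected (e.g. wrong auth_code): retrying cannot help
    return False, attempts


class SyncHostSim:
    """In-memory stand-in for the synchronization host (constructed for this example)."""

    def __init__(self, auth_code):
        self.expected = "Basic " + base64.b64encode(auth_code.encode()).decode()
        self.rules = set()  # (account, hardware_id) pairs currently approved

    def __call__(self, req):
        if req["headers"].get("Authorization") != self.expected:
            return 401
        body = json.loads(req["body"])
        rule = (body["account"], body["hardware_id"])
        if req["method"] == "POST":
            self.rules.add(rule)
        elif req["method"] == "DELETE":
            self.rules.discard(rule)
        else:
            return 405
        return 200


def flaky(send, failures):
    """Wrap a transport so that its first 'failures' calls raise ConnectionError."""
    state = {"left": failures}

    def wrapped(req):
        if state["left"] > 0:
            state["left"] -= 1
            raise ConnectionError("sync host unreachable")
        return send(req)

    return wrapped


if __name__ == "__main__":
    host = {"sync_host": "sync.example.com", "port": 443, "tls_flag": "tls",
            "auth_code": "ag:s3cret", "index": 1}
    templates = set_sync_req({}, "add", "post", "/secsys/1.0/hardwareid", 1)
    set_sync_req(templates, "delete", "delete", "/secsys/1.0/hardwareid", 1)
    sim = SyncHostSim("ag:s3cret")
    req = build_request(host, templates, "add", "alice", "HWID-0001")
    print(deliver(req, flaky(sim, 2), retries=3), sim.rules)
```

Note what “cleartext_credentials” reports for the default configuration: with “tls_flag” empty and the default port 80, the username:password in “auth_code” reaches the host unencrypted, so specify “tls” whenever an auth_code is configured. The model also shows why “retries 0” deserves care: a host that never answers keeps the loop running, which is the “keep trying” behaviour the handbook describes.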
Chapter 5 User Policy
Role Configuration
role name <role_name> [description] [priority]
This command is used to add a role. When the setting of “role_name” is an existing one, this
command is also used to update role information.
role_name                          This parameter specifies the name of the role. Its value must be a
                                   string of 1 to 63 characters.
description                        Optional. This parameter specifies the description of a role. Its
                                   value must be a string of 1 to 255 characters. The default value is
                                   empty.
priority                           Optional. This parameter specifies the priority of the role. Its
                                   value must be an integer ranging from 1 to 2000. The smaller the
                                   value, the higher the priority. The default value is 1.
                                   Note:
                                       • When a user matches more than 16 roles, the user obtains only
                                         the 16 roles with the highest priorities.
                                       • When a user matches more than one role with available VPN
                                         Netpool resources, the user obtains only the VPN Netpool
                                         resources belonging to the role with the highest priority.
no role name <role_name>
This command is used to delete a specified role.
show role name [role_name]
This command is used to display specified roles. If the “role_name” parameter is not specified, all
roles will be displayed.
clear role name
This command is used to clear all the roles.
role qualification <role_name> <qual_name> [description]
This command is used to add a qualification rule to a specified role.
role_name                          This parameter specifies the name of an existing role.
qual_name                          This parameter specifies the name of the qualification rule. Its
                                   value must be a string of 1 to 63 characters.
description                        Optional. This parameter specifies the description of the
                                   qualification rule. Its value must be a string of 1 to 255
                                   characters. The default value is empty.
no role qualification <role_name> <qual_name>
This command is used to delete a qualification rule from a specified role.
show role qualification [role_name] [qual_name]
This command is used to display the qualification rules for a specified role.
role_name                          Optional. This parameter specifies the name of an existing role.
                                       • If this parameter is specified, the qualification rules of this
                                         role will be displayed.
                                       • If this parameter is not specified, the qualification rules of
                                         all roles will be displayed.
                                   The default value is empty.
qual_name                          Optional. This parameter specifies the name of an existing
                                   qualification rule.
                                       • If this parameter is specified, the qualification rules
                                         containing this qualification name will be displayed.
                                       • If this parameter is not specified, the qualification rules
                                         containing any qualification name will be displayed.
                                   The default value is empty.
clear role qualification [role_name]
This command is used to clear all the qualification rules for a specified role. If the “role_name”
parameter is not specified, qualification rules of all roles will be cleared.
role condition <role_name> <qual_name> <condi_string>
This command is used to add a condition to the associated role and qualification rule. If multiple
conditions are configured for a qualification rule, users can obtain the role only when meeting all
the conditions in the associated qualification rule.
role_name                          This parameter specifies the name of an existing role.
qual_name                          This parameter specifies the name of an existing qualification
                                   rule.
condi_string                       This parameter specifies a condition string defining the user
                                   characteristics. Its value must be a string of 1 to 511 characters
                                   enclosed by double quotes; the condition string itself is written
                                   in uppercase. Its format must be “condition_string {IS|NOT} value”.
                                   For how to specify the “condition_string” and “value”, please
                                   refer to the following table.
For example, suppose the administrator wants to assign the “stuff” role to all users who log in on
the 1st day of every month. If this “stuff” role already has an associated “work” qualification
rule, the administrator can add the necessary condition to the “work” qualification rule with the
following command:
vs(config)$role condition stuff work "LOGINDAY IS 1"
The following table displays the supported condition strings:
                             Table 5-1 Supported Condition String
Condition String      Meaning                                          Value
LOGINYEAR             The year when the end user logs in.              1970 to 2999.
LOGINMONTH            The month when the end user logs in.             1 to 12.
LOGINDAY              The day of month when the end user logs in.      1 to 31.
LOGINWEEK             The weekday when the end user logs in.           1 to 7.
LOGINDATE             The date when the end user logs in, including    yyyyMMddhhmm
                      the year, month, day, hour and minute.
LOGINTIME             The time when the end user logs in.              00:00 to 23:59.
USERNAME              The user name.                                   Alphanumeric, special printable
                                                                       ASCII characters and multi-byte
                                                                       characters.
GROUPNAME             The group which the user belongs to.             Alphanumeric, special printable
                                                                       ASCII characters and multi-byte
                                                                       characters.
AUTHMETHOD            The authentication method.                       Alphanumeric, special printable
                                                                       ASCII characters and multi-byte
                                                                       characters.
SRCIP                 The source IP address of the user.               IPv4 or IPv6 address, for
                                                                       example: 10.10.10.0/24,
                                                                       10.10.10.0/255.255.255.0,
                                                                       10.10.10.1, 2012:1030::1 or
                                                                       2012:1030::1/64.
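An evaluator for the condition strings in Table 5-1, added here as an example (not Array Networks code): it parses the “condition_string IS|NOT value” form accepted by “role condition”, builds the login context from a timestamp in the LOGINDATE format, matches SRCIP against every address notation the table lists, and applies the rules stated above: all conditions in a qualification rule must hold, roles are ordered by priority (smallest number first) and at most 16 are granted. Two points the page leaves open are assumptions here: LOGINWEEK counts Monday as 1, and a role is obtained when any one of its qualification rules is satisfied.

```python
# Evaluator for the Table 5-1 condition strings and the role-priority rules above.
# Added example, not Array Networks code. Assumed: LOGINWEEK counts Monday as 1, and a
# role is obtained when any one of its qualification rules has all its conditions met.
import ipaddress
from datetime import datetime

SUPPORTED = {"LOGINYEAR", "LOGINMONTH", "LOGINDAY", "LOGINWEEK", "LOGINDATE", "LOGINTIME",
             "USERNAME", "GROUPNAME", "AUTHMETHOD", "SRCIP"}


def parse_condition(condi_string):
    """Parse '"<CONDITION> IS|NOT <value>"' as given to 'role condition'."""
    parts = condi_string.strip().strip('"').split(None, 2)
    if len(parts) != 3 or parts[1] not in ("IS", "NOT") or parts[0] not in SUPPORTED:
        raise ValueError(f"bad condition string: {condi_string!r}")
    return parts[0], parts[1], parts[2]


def login_context(stamp, username, groupname, authmethod, srcip):
    """Value of every condition string for one login; 'stamp' uses the LOGINDATE
    format yyyyMMddhhmm (the context itself is constructed for this example)."""
    when = datetime.strptime(stamp, "%Y%m%d%H%M")
    return {
        "LOGINYEAR": str(when.year), "LOGINMONTH": str(when.month),
        "LOGINDAY": str(when.day), "LOGINWEEK": str(when.isoweekday()),  # Monday = 1 (assumed)
        "LOGINDATE": stamp, "LOGINTIME": when.strftime("%H:%M"),
        "USERNAME": username, "GROUPNAME": groupname, "AUTHMETHOD": authmethod,
        "SRCIP": srcip,
    }


def condition_holds(condi_string, ctx):
    """Evaluate one condition; NOT inverts the IS match."""
    key, op, value = parse_condition(condi_string)
    if key == "SRCIP":
        # Accepts 10.10.10.1, 10.10.10.0/24, 10.10.10.0/255.255.255.0 and 2012:1030::1/64.
        net = ipaddress.ip_network(value, strict=False)
        addr = ipaddress.ip_address(ctx["SRCIP"])
        matched = addr.version == net.version and addr in net
    else:
        matched = ctx[key] == value
    return matched if op == "IS" else not matched


def role_matches(role, ctx):
    """All conditions of a qualification rule must hold; any one rule qualifies the user (assumed)."""
    return any(all(condition_holds(c, ctx) for c in conds)
               for conds in role["qualifications"].values())


def user_roles(roles, ctx, limit=16):
    """Roles the user obtains, highest priority (smallest number) first, capped at 16.
    The first entry is the role whose VPN Netpool resources the user receives."""
    matched = sorted((r for r in roles if role_matches(r, ctx)), key=lambda r: r["priority"])
    return [r["name"] for r in matched[:limit]]


if __name__ == "__main__":
    roles = [{"name": "stuff", "priority": 1, "qualifications": {"work": ['"LOGINDAY IS 1"']}}]
    ctx = login_context("201805010930", "bob", "ops", "localdb", "10.10.10.5")
    print(user_roles(roles, ctx))
```

The SRCIP branch is the one worth testing against real input: “10.10.10.0/255.255.255.0” and “2012:1030::1/64” both parse as networks only when host bits are tolerated (strict=False), and an IPv4 source never matches an IPv6 network or vice versa.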
no role condition <role_name> <qual_name> <condi_string>
This command is used to delete the condition associated with a specified role and qualification
rule.
show role condition [role_name] [qual_name]
This command is used to display the conditions associated with a specified role and qualification
rule.
role_name                          Optional. This parameter specifies an existing role.
                                       • If this parameter is specified, the conditions of this role will
                                         be displayed.
                                       • If this parameter is not specified, the conditions of all roles
                                         will be displayed.
                                   The default value is empty.
qual_name                          Optional. This parameter specifies the name of an existing
                                   qualification rule.
                                       • If this parameter is specified, the conditions associated with
                                         this qualification rule will be displayed.
                                       • If this parameter is not specified, the conditions associated
                                         with all qualification rules will be displayed.
                                   The default value is empty.
clear role condition [role_name] [qual_name]
This command is used to clear the conditions associated with a specified role and qualification rule.
role_name                          Optional. This parameter specifies an existing role.
                                       • If this parameter is specified, the conditions of this role will
                                         be cleared.
                                       • If this parameter is not specified, the conditions of all roles
                                         will be cleared.
                                   The default value is empty.
qual_name                          Optional. This parameter specifies the name of an existing
                                   qualification rule.
                                       • If this parameter is specified, the conditions associated with
                                         this qualification rule will be cleared.
                                       • If this parameter is not specified, the conditions associated
                                         with all qualification rules will be cleared.
                                   The default value is empty.
role resource quicklink <role_name> <resource_id> <display_name> <path>
[position] [auto-permit] [FrontendSSO] [device_id]
This command is used to assign a QuickLink resource to a specified role.
role_name                         This parameter specifies the name of an existing role.
resource_id                       This parameter specifies the name of an existing QuickLink
                                  resource configured via the command “virtual site quicklink
                                  hostname” or “virtual site quicklink port”.
display_name                      This parameter specifies the name of the QuickLink resource
                                  displayed on the portal page. Its value must be a string of 1 to
                                  900 characters.
                                  This parameter supports HTML tags that can be used between
                                  <a> and </a>, such as “<b>…</b>”, “<font
                                  color=x>…</font>”, and “<i>…</i>”. The value is inserted into the
                                  portal page as markup, so restrict it to these formatting tags.
path                              Optional. This parameter specifies the path of the QuickLink
                                  resource. Its value must be a string of 1 to 512 characters. The
                                  default value is “/”.
position                          Optional. This parameter specifies the position of the link on the
                                  portal page. Its value must be an integer ranging from 1 to 1000.
                                  The QuickLink resources will be displayed in ascending order of
                                  the parameter value.
                                  The default value is 1000.
auto-permit                       Optional. This parameter specifies whether to enable
                                  auto-generation of the ACL “permit” configurations for this
                                  QuickLink resource.
                                      • 0: indicates that auto-generation of the ACL “permit”
                                        configurations is disabled.
                                      • 1: indicates that auto-generation of the ACL “permit”
                                        configurations is enabled.
                                  The default value is 0.
FrontendSSO                       Optional. This parameter specifies whether to enable Frontend
                                  SSO Post for this QuickLink resource.
                                      • 0: Disabled and AG-end SSO is used. The AG appliance
                                        will construct SSO Post requests and send them to the
                                        backend application server on behalf of users.
                                      • 1: Enabled. User clients’ browsers will construct SSO Post
                                        requests and send them to the AG appliance, and then the
                                        AG appliance forwards them to the backend application
                                        server.
                                  The default value is 0.
device_id                         Optional. This parameter specifies the machine ID field used to
                                  log into the backend server. Its value must be a string of 1 to 63
                                  characters. The default value is empty, indicating the machine ID
                                  field is not required to log into the backend server.
For example:
vs(config)$role resource quicklink "rn2" "p1" "<b>Test</b>" "/resource/test" 1000 1 0
vs(config)$role resource quicklink "rn2" "p1" "<i>Test</i>" "/resource/test" 1000 0 0
vs(config)$role resource quicklink "rn2" "p1" "<font color=red>Test</font>" "/resource/test" 1000 0 0
vs(config)$role resource quicklink "rn2" "p1" "<b><font color=red>Test</font></b>" "/resource/test" 1000 0 0
       Note:
           • If “auto-permit” is set to 1, the system automatically executes the command “acl
             resourcegroup web <resource_group> [description]” to add a Web-type resource
             group named “auto_web_resgroup_for_<role_name>”, executes the command “acl
             resource <resource_group> <resource>” to add this QuickLink resource to this
             resource group, and executes the command “acl rule” to add an ACL permit rule
             with the priority 200 for this resource group.
           • The Web-type resource group named “auto_web_resgroup_for_<role_name>” can
             only be generated by the system. If it has been added for the role earlier, then the
             system will reuse it to add ACL “permit” configurations later.
           • For SSO methods other than SSO Post, only the AG appliance can perform the SSO
             operations. In this case, please use AG-end SSO and set “FrontendSSO” to 0.
           • Frontend SSO Post requires the “sso post” configuration, but not the “sso on”
             configuration.
           • Frontend SSO Post requires that the values of the “post_host” and “hostname”
             parameters in the “sso post” configuration be exactly the same.
           • Frontend SSO Post requires that the value of the “path” parameter be the same
             as that of the “login_url” parameter in the “sso post” configuration.
           • Frontend SSO Post does not support the “bookmark” and “other_header_field”
             parameters of the “sso post” configuration.
           • Frontend SSO Post cannot generate the cookie required by some backend servers for
             authentication.
           • Frontend SSO Post cannot work for the Web resources which are accessed by using
             the portal URL input bar or the Web navigation tool.
no role resource quicklink <role_name> <resource_id> <url>
This command is used to delete a QuickLink resource from a specified role.
       Note: The auto-generated ACL “permit” configurations will be deleted when the
       QuickLink resource is deleted from a specified role.
role resource web <role_name> <url> <display_name> [position] [auto-permit]
[DirectLink] [FrontendSSO] [device_id]
This command is used to assign a WRM resource to a specified role.
role_name                        This parameter specifies the name of an existing role.
url                              This parameter specifies the URL link of the WRM resource. Its
                                 value must be a string of 1 to 512 characters.
display_name                     This parameter specifies the name of the WRM resource
                                 displayed on the portal page. Its value must be a string of 1 to
                                 900 characters.
                                 This parameter supports HTML tags that can be used between
                                 <a> and </a>, such as “<b>…</b>”, “<font
                                 color=x>…</font>”, and “<i>…</i>”. The value is inserted into the
                                 portal page as markup, so restrict it to these formatting tags.
position                         Optional. This parameter specifies the position of the link on the
                                 portal page. Its value must be an integer ranging from 1 to 1000.
                                 The WRM resources will be displayed in ascending order of the
                                 parameter value.
                                 The default value is 1000.
auto-permit                   Optional. This parameter specifies whether to enable
                              auto-generation of the ACL “permit” configurations for this Web
                              resource.
                                  • 0: indicates that auto-generation of the ACL “permit”
                                    configurations is disabled.
                                  • 1: indicates that auto-generation of the ACL “permit”
                                    configurations is enabled.
                              The default value is 0.
DirectLink                    Optional. This parameter specifies whether this Web resource is
                              a direct link.
                                  • 0: indicates that this Web resource is not a direct link. The
                                    AG appliance will rewrite the URL of this Web resource
                                    before allowing the user to access it.
                                  • 1: indicates that this Web resource is a direct link. The AG
                                    appliance allows the user to access this Web resource
                                    directly, without rewriting.
                              The default value is 0.
FrontendSSO                   Optional. This parameter specifies whether to enable Frontend
                              SSO Post for this Web resource.
                                  • 0: Disabled and AG-end SSO Post is used. The AG
                                    appliance will construct the SSO Post requests and send
                                    them to the backend application server on behalf of users.
                                  • 1: Enabled. If “DirectLink” is set to “0”, user clients’
                                    browsers will construct the SSO Post requests and send
                                    them to the AG appliance, and then the AG appliance
                                    forwards them to the backend application server. If
                                    “DirectLink” is set to “1”, user clients’ browsers will
                                    construct the SSO Post requests and send them to the
                                    backend application server directly.
                              The default value is 0.
device_id                     Optional. This parameter specifies the machine ID field used to
                              log into the backend server. Its value must be a string of 1 to 63
                              characters. The default value is empty, indicating the machine ID
                              field is not required to log into the backend server.
For example:
vs(config)$role resource web "rn2" "http://10.3.0.67" "<b>Test</b>" 1000 1 0 1 ""
vs(config)$role resource web "rn2" "http://10.3.0.67" "<i>Test</i>" 1000 0 0 0 ""
vs(config)$role resource web "rn2" "http://10.3.0.67" "<font color=red>Test</font>" 1000 0 0 1 ""
vs(config)$role resource web "rn2" "http://10.3.0.67" "<b><font color=red>Test</font></b>" 1000 0 0 0 ""
       Note:
           • If “auto-permit” is set to 1, the system automatically executes the command “acl
             resourcegroup web <resource_group> [description]” to add a Web-type resource
             group named “auto_web_resgroup_for_<role_name>”, executes the command “acl
             resource <resource_group> <resource>” to add this WRM resource to this
             resource group, and executes the command “acl rule” to add an ACL permit rule for
             this resource group with priority 200.
           • The Web-type resource group named “auto_web_resgroup_for_<role_name>” can
             only be generated by the system. If it has been added for the role earlier, then the
             system will reuse it to add ACL “permit” configurations later.
           • For SSO methods other than SSO Post, only the AG appliance can perform the SSO
             operations. In this case, please use AG-end SSO and set “FrontendSSO” to 0.
           • Frontend SSO Post requires the “sso post” configuration, but not the “sso on”
             configuration.
           • Frontend SSO Post requires that the values of the “post_host” and “hostname”
             parameters in the “sso post” configuration be exactly the same.
           • Frontend SSO Post requires that the value of the “url” parameter equal that of
             “hostname + login_url” in the “sso post” configuration.
           • Frontend SSO Post does not support the “bookmark” and “other_header_field”
             parameters of the “sso post” configuration.
           • Frontend SSO Post cannot generate the cookie required by some backend servers for
             authentication.
           • Frontend SSO Post cannot work for the Web resources which are accessed by using
             the portal URL input bar or the Web navigation tool.
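The Frontend SSO Post prerequisites in the note above are easy to get wrong when the “sso post” configuration and the WRM resource are edited separately. The following Python is an added example (not Array Networks code) that encodes them as a pre-flight check. The dictionary keys reuse the handbook's own parameter names (“url”, “DirectLink”, “FrontendSSO”, “hostname”, “post_host”, “login_url”, “bookmark”, “other_header_field”); the `sso_method` argument and the literal concatenation of “hostname” and “login_url” are this example's assumptions, since the page does not define how the two are joined.

```python
"""Pre-flight check for Frontend SSO Post on a WRM resource.

Added example, not Array Networks code. Dictionary keys reuse the handbook's
parameter names; `sso_method` and the literal hostname + login_url join are
assumptions of this example.
"""


def check_frontend_sso(resource, sso_post, sso_method="post"):
    """Return the list of violated Frontend SSO Post prerequisites.

    resource:  {"url": str, "DirectLink": 0|1, "FrontendSSO": 0|1}
    sso_post:  the "sso post" configuration as a dict (hostname, post_host,
               login_url, bookmark, other_header_field), or None if absent
    An empty list means the resource may use FrontendSSO=1.
    """
    problems = []
    if resource.get("FrontendSSO", 0) != 1:
        # AG-end SSO: the appliance builds and sends the POST itself, so the
        # frontend-only constraints below do not apply.
        return problems

    # Only SSO Post can be performed by the browser; every other SSO method
    # must be performed by the appliance (FrontendSSO must then be 0).
    if sso_method != "post":
        problems.append(
            f"SSO method {sso_method!r} is not SSO Post; set FrontendSSO to 0")

    # Frontend SSO Post needs an "sso post" configuration ("sso on" is not required).
    if sso_post is None:
        problems.append("Frontend SSO Post requires an 'sso post' configuration")
        return problems

    hostname = sso_post.get("hostname", "")
    if sso_post.get("post_host") != hostname:
        problems.append("'post_host' must be exactly the same as 'hostname'")

    # ASSUMPTION: hostname and login_url are joined by plain concatenation.
    expected_url = hostname + sso_post.get("login_url", "")
    if resource.get("url") != expected_url:
        problems.append(
            f"resource url {resource.get('url')!r} must equal hostname + login_url "
            f"({expected_url!r})")

    for unsupported in ("bookmark", "other_header_field"):
        if sso_post.get(unsupported):
            problems.append(f"'{unsupported}' is not supported by Frontend SSO Post")
    return problems


def sso_post_path(resource):
    """Describe who builds the SSO Post request and where it is sent
    (the FrontendSSO / DirectLink combinations from the parameter table)."""
    if resource.get("FrontendSSO", 0) == 0:
        return "AG builds the POST and sends it to the backend"
    if resource.get("DirectLink", 0) == 0:
        return "browser builds the POST, sends it to AG, AG forwards it to the backend"
    return "browser builds the POST and sends it directly to the backend"


if __name__ == "__main__":
    # Constructed sample in the spirit of the "rn2" examples above.
    res = {"url": "http://10.3.0.67/login.do", "DirectLink": 0, "FrontendSSO": 1}
    cfg = {"hostname": "http://10.3.0.67", "post_host": "http://10.3.0.67",
           "login_url": "/login.do"}
    print(sso_post_path(res), check_frontend_sso(res, cfg))
```

A resource that passes this check can still fail at runtime for the reasons the last two bullets give (a backend that needs a cookie the browser cannot produce, or access through the portal URL input bar), which no static check can catch.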
no role resource web <role_name> <url>
This command is used to delete a WRM resource from a specified role.
       Note: The auto-generated ACL “permit” configurations will be deleted only when the
       WRM resource is deleted from a specified role.
role resource aproxy <role_name> <url> <display_name> [position]
[auto_permit]
This command is used to assign an IPv6 Web (Aproxy) resource to a specified role.
role_name                          This parameter specifies the name of an existing role.
url                                This parameter specifies the URL of the Aproxy resource. Its
                                   value must be a string of 1 to 512 characters. The host part of the
                                   URL must be an IPv6 address enclosed by square brackets, for
                                   example “http://[2012:1082::6]/test/index.html/”.
display_name                       This parameter specifies the name displayed on the portal page.
                                   Its value must be a string of 1 to 900 characters.
                                   This parameter supports HTML tags that can be used between
                                   <a> and </a>, such as “<b>…</b>”, “<font
                                   color=x>…</font>”, and “<i>…</i>”.
position                           Optional. This parameter specifies the position of the link
                                   displayed on the portal page. Its value must be an integer ranging
                                   from 1 to 1000. The Aproxy resources will be displayed in
                                   ascending order of the parameter value.
                                   The default value is 1000.
auto_permit                        Optional. This parameter specifies whether to enable
                                   auto-generation of the ACL “permit” configurations for the
                                   Aproxy resource.
                                       • 0: indicates that auto-generation of the ACL “permit”
                                         configurations is disabled.
                                       • 1: indicates that auto-generation of the ACL “permit”
                                         configurations is enabled.
                                   The default value is 0.
       Note:
           • If “auto_permit” is set to 1, the system automatically executes the command “acl
             resourcegroup web <resource_group> [description]” to add an Aproxy-type
             resource group named “auto_gen_resgroup_for_<role_name>”, executes the
             command “acl resource <resource_group> <resource>” to add this Aproxy
             resource to this resource group, and executes the command “acl rule” to add an ACL
             permit rule for this resource group with priority 200.
           • The Aproxy-type resource group named “auto_gen_resgroup_for_<role_name>” can
             only be generated by the system. If it has been added for the role earlier, then the
             system will reuse it to add ACL “permit” configurations later.
For example:
vs(config)$role resource aproxy "r1" "http://[2012:1082::1]" "test1" 1000 1
vs(config)$role resource aproxy "r1" "http://[2012:1082::6]/test/index.html/" "test6" 1000 1
no role resource aproxy <role_name> <url>
This command is used to delete an Aproxy resource from a specified role.
       Note: The auto-generated ACL “permit” configurations will be deleted only when the
       Aproxy resource is deleted from a specified role.
role resource netpool <role_name> <pool_name>
This command is used to add a Netpool resource to a specified role.
This command must be configured if users need to access backend resources through the L3VPN
tunnel or Site2Site VPN tunnel.
role_name                         This parameter specifies the name of an existing role.
pool_name                         This parameter specifies the name of an existing Netpool
                                  resource.
no role resource netpool <role_name> <pool_name>
This command is used to delete a Netpool resource from a specified role.
role resource vpnresourcegroup <role_name> <resource_group>
This command is used to add a VPN resource group to a specified role.
This command must be configured if users need to access backend resources through the L3VPN
tunnel or Site2Site VPN tunnel.
role_name                         This parameter specifies the name of an existing role.
resource_group                    This parameter specifies the name of an existing resource group
                                  defined via the “vpn resource group” command.
no role resource vpnresourcegroup <role_name> <resource_group>
This command is used to delete a VPN resource group from a specified role.
role resource cifs <role_name> <cifs_url> <display_name> [position]
[auto-permit]
This command is used to add a Common Internet File Share (CIFS) resource to a specified role.
role_name                        This parameter specifies the name of an existing role.
cifs_url                         This parameter specifies the URL address of the CIFS resource
                                 provided by the CIFS server. Its value must be a string of 1 to
                                 512 characters. The format of the URL address can be “//<host
                                 IP>/<folder name>”, “//<host IP>/<folder name>/username” or
                                 “//<host IP>/<folder name>/<path>”, for example,
                                 “//10.3.0.233/test”, “//10.3.0.233/test/username” or
                                 “//10.3.0.233/test/test”. Please note that the URL address cannot
                                 contain the characters “\”, “:”, “*”, “<”, “>”, “?”, “|” and “"”, and
                                 cannot end with “/”.
                                 When the administrator wants to allow the login users to access
                                 only the next-level subfolder named using their usernames of the
                                 shared folder, the format “//<host IP>/<folder name>/username”
                                 should be used.
                                 If both “//<host IP>/<folder name>/username” and “//<host
                                 IP>/<folder name>/<path>” are configured, the “//<host
                                 IP>/<folder name>/username” will take effect first.
                                 Note: If the URL address ends with “$”, the file share function
                                 might not work. For example, “//10.10.1.21/hirai$”.
display_name                     This parameter specifies the name displayed for this CIFS
                                 resource on the portal page. Its value must be a string of 1 to 900
                                 characters.
                                 This parameter supports HTML tags that can be used between
                                 <a> and </a>, such as “<b>…</b>”, “<font
                                 color=x>…</font>”, and “<i>…</i>”.
position                         Optional. This parameter specifies the position of the CIFS
                                 resource displayed on the portal. Its value must be an integer
                                 ranging from 1 to 1000. The CIFS resources will be displayed in
                                 ascending order of the parameter value.
                                 The default value is 1000.
auto-permit                       Optional. This parameter specifies whether to enable
                                  auto-generation of the ACL “permit” configurations for the CIFS
                                  resource.
                                      • 0: indicates that auto-generation of the ACL “permit”
                                        configurations is disabled.
                                      • 1: indicates that auto-generation of the ACL “permit”
                                        configurations is enabled.
                                  The default value is 0.
For example:
vs(config)$role resource cifs "rn2" "//10.3.75.1/3x" "<b>Test</b>" 1000 1
vs(config)$role resource cifs "rn2" "//10.3.75.1/3x" "<i>Test</i>" 1000 0
vs(config)$role resource cifs "rn2" "//10.3.75.1/3x" "<font color=red>Test</font>" 1000 0
vs(config)$role resource cifs "rn2" "//10.3.75.1/3x" "<b><font color=red>Test</font></b>" 1000 0
vs(config)$role resource cifs "rn2" "//10.3.75.1/3x/username" "<b>Test</b>" 1000 1
vs(config)$role resource cifs "rn2" "//10.3.75.1/3x/test" "<b>Test</b>" 1000 1
        Note:
            • If “auto-permit” is set to 1, the system automatically executes the command “acl
              resourcegroup fileshare <resource_group> [description]” to add a fileshare-type
              resource group named “auto_fileshare_resgroup_for_<role_name>”, executes the
              command “acl resource <resource_group> <resource>” to add this CIFS resource
              to this resource group, and executes the command “acl rule” to add an ACL permit
              rule with priority 200 for this resource group.
            • The fileshare-type resource group named
              “auto_fileshare_resgroup_for_<role_name>” can only be generated by the system. If
              it has been added for the role earlier, then the system will reuse it to add ACL
              “permit” configurations later.
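The “cifs_url” rules above (forbidden characters, no trailing “/”, the special “username” segment and the “$” caveat) are a small format worth validating before a resource is pushed to many roles. The following Python is an added example (not Array Networks code) that parses and checks a “cifs_url” value. The `CifsResource` fields are this example's own; `to_acl_fileshare()` produces the backslash UNC form seen in the “acl resource” example later on this page (“\\10.10.10.1\directory”) and is an assumption about that form, not a documented conversion.

```python
"""Parser and validator for the cifs_url form accepted by "role resource cifs".

Added example, not Array Networks code. The rules come from the parameter
description above; the CifsResource fields and the to_acl_fileshare()
conversion (modelled on the UNC-style entry in the "acl resource" example)
are this example's own assumptions.
"""
from dataclasses import dataclass

FORBIDDEN = set('\\:*<>?|"')   # characters the CLI rejects in cifs_url


@dataclass
class CifsResource:
    host: str
    share: str
    path: str        # "" when the URL names only the shared folder
    per_user: bool   # True for the "//<host IP>/<folder name>/username" form


def parse_cifs_url(url):
    """Return (CifsResource, warnings). Raise ValueError for a URL the CLI rejects."""
    if not 1 <= len(url) <= 512:
        raise ValueError("cifs_url must be 1 to 512 characters")
    bad = sorted(FORBIDDEN & set(url))
    if bad:
        raise ValueError(f"cifs_url must not contain {bad}")
    if url.endswith("/"):
        raise ValueError("cifs_url must not end with '/'")
    if not url.startswith("//"):
        raise ValueError("cifs_url must start with '//<host IP>/'")
    parts = url[2:].split("/")
    if len(parts) < 2 or not all(parts):
        raise ValueError("expected //<host IP>/<folder name>[/<path>]")
    host, share, rest = parts[0], parts[1], parts[2:]

    warnings = []
    if url.endswith("$"):
        # Documented caveat: a share such as //10.10.1.21/hirai$ might not work.
        warnings.append("URL ends with '$'; the file share function might not work")

    # The literal segment "username" means "the subfolder named after the
    # logged-in user"; per the page it takes precedence over an explicit
    # <path> configured for the same share.
    per_user = rest == ["username"]
    path = "" if per_user else "/".join(rest)
    return CifsResource(host, share, path, per_user), warnings


def to_acl_fileshare(res):
    """UNC form for an "acl resource <fileshare_group> ..." entry (assumed form)."""
    sep = "\\"
    unc = sep * 2 + res.host + sep + res.share
    if res.path:
        unc += sep + res.path.replace("/", sep)
    return unc


if __name__ == "__main__":
    for sample in ("//10.3.75.1/3x", "//10.3.75.1/3x/username", "//10.10.1.21/hirai$"):
        print(sample, parse_cifs_url(sample))
```

Note that the per-user form cannot be expanded to a fixed ACL fileshare entry: the effective folder is only known once a user logs in, so the example leaves `path` empty for it.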
no role resource cifs <role_name> <cifs_url>
This command is used to delete a CIFS resource from a specified role.
        Note: The auto-generated ACL “permit” configurations will be deleted when the CIFS
        resource is deleted from a specified role.
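The three “auto-permit” notes on this page (for Web, Aproxy and CIFS resources) describe the same implicit side effect: setting the flag silently creates a resource group and a role-level ACL “permit” rule with priority 200, reuses the group on later additions, and only removes the permit configuration when the resource is deleted from the role. The following Python is an added example (not Array Networks code) that models that state so the effect can be inspected before it is applied to an appliance. The group names and types follow the notes; the assumptions are that one permit rule per role and group is enough when the group is reused, and that deleting a resource removes only that resource from the auto-generated group, leaving the group and rule in place for reuse.

```python
"""Model of what auto-permit does to the ACL configuration.

Added example, not Array Networks code. It emits the CLI commands the
handbook says the system runs for auto_permit=1 on web, aproxy and cifs
resources and tracks the resulting ACL state. ASSUMPTIONS: the permit rule
is created once per role and auto-generated group; on deletion only the
resource is removed from the group, which stays for later reuse.
"""

AUTO_GROUPS = {
    # kind: (acl resourcegroup type, group name template)
    "web":    ("web",       "auto_web_resgroup_for_{role}"),
    "aproxy": ("web",       "auto_gen_resgroup_for_{role}"),
    "cifs":   ("fileshare", "auto_fileshare_resgroup_for_{role}"),
}
AUTO_PRIORITY = 200


class AclState:
    def __init__(self):
        self.groups = {}   # group name -> {"type": str, "resources": set}
        self.rules = []    # (target_name, resource_group, action, priority, target_type)

    def add_role_resource(self, role, kind, resource, auto_permit=0):
        """Return the ACL commands executed implicitly for this role resource."""
        cmds = []
        if not auto_permit:
            return cmds                     # no implicit permit: an explicit acl rule is needed
        gtype, template = AUTO_GROUPS[kind]
        group = template.format(role=role)
        if group not in self.groups:        # reused if created earlier for the role
            self.groups[group] = {"type": gtype, "resources": set()}
            cmds.append(f'acl resourcegroup {gtype} "{group}"')
        self.groups[group]["resources"].add(resource)
        cmds.append(f'acl resource "{group}" "{resource}"')
        rule = (role, group, "permit", AUTO_PRIORITY, "R")
        if rule not in self.rules:
            self.rules.append(rule)
            cmds.append(f'acl rule "{role}" "{group}" permit {AUTO_PRIORITY} R')
        return cmds

    def delete_role_resource(self, role, kind, resource):
        """Auto-generated permit entries go away only on 'no role resource ...'."""
        _, template = AUTO_GROUPS[kind]
        group = template.format(role=role)
        if group in self.groups and resource in self.groups[group]["resources"]:
            self.groups[group]["resources"].discard(resource)
            return [f'no acl resource "{group}" "{resource}"']
        return []

    def permitted_resources(self, role):
        """Every resource the role's auto-generated permit rules currently cover."""
        return {r for (t, g, a, _, tt) in self.rules
                if t == role and tt == "R" and a == "permit"
                for r in self.groups[g]["resources"]}


if __name__ == "__main__":
    state = AclState()
    for cmd in state.add_role_resource("rn2", "web", "http://10.3.0.67", auto_permit=1):
        print(cmd)
    print(state.permitted_resources("rn2"))
```

The point to check before enabling the flag is the last method: everything it returns is reachable by every user holding the role, and since the implicit rule sits at priority 200, a narrower “deny” rule must use a smaller priority value to take precedence over it.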
show role resource [role_name] [resource_type]
This command is used to display resources of a specified role.
role_name                         Optional. This parameter specifies the name of an existing role.
                                  The default value is empty, indicating resources of all roles will
                                   be displayed.
resource_type                      Optional. This parameter specifies the resource type. Its value
                                   must be one of “all”, “quicklink”, “netpool”, “vpnresourcegroup”,
                                   “web” or “aproxy”. The default value is “all”.
clear role resource [role_name] [resource_type]
This command is used to delete resources of a specified role.
role_name                          Optional. This parameter specifies the name of an existing role.
                                   The default value is empty, indicating resources of all roles will
                                   be deleted.
resource_type                      Optional. This parameter specifies the resource type. Its value
                                   must be one of “all”, “quicklink”, “cifs”, “netpool”,
                                   “vpnresourcegroup”, “web” or “aproxy”. The default value is
                                   “all”.
role sessionpolicy <role_name> <policy_name>
This command is used to associate a custom session lifecycle policy (configured using the
“session lifecyclepolicy” command) with a role. The administrator can associate only one custom
session lifecycle policy with a role. If no custom session lifecycle policy is associated with a role,
the session timeout settings of the virtual site (if configured using the commands “session timeout
idle”, “session timeout lifetime”, “session timeout warning {on|off}” “session timeout warning
threshold” and “session timeout warning extension_lifetime”) will take effect for the role.
If the user has been assigned several roles:
    • When the role with the highest priority is associated with a custom session lifecycle policy,
      this custom session lifecycle policy will take effect for the user.
    • When the role with the highest priority is not associated with a custom session lifecycle
      policy, the session timeout settings of the virtual site will take effect for the user.
role_name                          This parameter specifies the name of an existing role.
policy_name                        This parameter specifies the name of an existing custom session
                                   lifecycle policy.
no role sessionpolicy <role_name>
This command is used to disassociate the custom session lifecycle policy from a specified role.
show role sessionpolicy [role_name]
This command is used to display the custom session lifecycle policy associated with a specified
role. If the “role_name” parameter is not specified, the custom session lifecycle policy associated
with every role will be displayed.
clear role sessionpolicy
This command is used to disassociate the custom session lifecycle policy from every role.
show role config
This command is used to display the current role configurations.
ACL Configuration
acl resourcegroup web <resource_group> [description]
This command is used to add a “web” type resource group.
resource_group                     This parameter specifies the name of the “web” type resource
                                   group. Its value must be a string of 1 to 64 characters.
description                        Optional. This parameter specifies the description of the “web”
                                   type resource group. Its value must be a string of 1 to 512
                                   characters. The default value is empty.
acl resourcegroup network <resource_group> [description]
This command is used to add a “network” type resource group.
resource_group                     This parameter specifies the name of the “network” type
                                   resource group. Its value must be a string of 1 to 64 characters.
description                        Optional. This parameter specifies the description of the
                                   “network” type resource group. Its value must be a string of 1 to
                                   512 characters. The default value is empty.
acl resourcegroup fileshare <resource_group> [description]
This command is used to add a “fileshare” type resource group.
resource_group                     This parameter specifies the name of the “fileshare” type
                                   resource group. Its value must be a string of 1 to 64 characters.
description                        Optional. This parameter specifies the description of the
                                   “fileshare” type resource group. Its value must be a string of 1
                                   to 512 characters. The default value is empty.
no acl resourcegroup <resource_group>
This command is used to delete a specified resource group.
show acl resourcegroup
This command is used to display all the ACL resource groups.
clear acl resourcegroup
This command is used to clear all the ACL resource groups.
acl resource <resource_group> <resource>
This command is used to add a resource to an ACL resource group.
For Site2Site VPN, to make the subnets on the spokes and hubs accessible, you should configure
them as network resources and add them to the ACL resource group. If NAT rules are configured
for Site2Site VPN using the “vpn site2site forward” command, you should configure the virtual
subnet specified by the parameters “virtual_subnet_IP” and “virtual_subnet_netmask” as the
network resource instead of the real subnet on the spoke/hub.
resource_group                    This parameter specifies the name of an existing resource group.
resource                          This parameter specifies the resource to be added. Its value must
                                  be a string of 1 to 512 characters. The type of the entered
                                  resource must be the same as that of the resource group. Please
                                  note that both IPv4 and IPv6 resources are supported.
                                  For Site2Site VPN with NAT configured, the parameter value
                                  should be set to the subnet specified by the parameters
                                  “virtual_subnet_IP” and “virtual_subnet_netmask”.
For example:
vs(config)$acl resource "web" "https://www.domain.com:443/*"
vs(config)$acl resource "web" "10.10.10.1/32:*/public/*"
vs(config)$acl resource "rg1" "10.10.10.0/24"
vs(config)$acl resource "rg2" "2012:1810::10:8:10:12/128"
vs(config)$acl resource "file" "\\10.10.10.1\directory"
no acl resource <resource_group> <resource>
This command is used to delete a resource from a specified resource group.
show acl resource [resource_group]
This command is used to display the resources of a specified resource group. If the
“resource_group” parameter is not specified, resources of all resource groups will be displayed.
clear acl resource [resource_group]
This command is used to clear the resources of a specified resource group. If the “resource_group”
parameter is not specified, resources of all resource groups will be cleared.
acl rule <target_name> <resource_group> <action> [priority] [target_type]
This command is used to add an ACL rule to permit or deny the access to a specified resource
group for a specified target, which can be a role, user, or group.
target_name                        This parameter specifies the name of an existing target. Its value
                                   must be the name of an existing role, user, or group.
resource_group                     This parameter specifies the name of an existing resource group.
action                             This parameter specifies the action (“permit” or “deny”) of the
                                   ACL rule. Its value must be “permit” or “deny”.
priority                           Optional. This parameter specifies the priority of the ACL rule.
                                   Its value must be an integer ranging from 0 to 1000. The default
                                   value is 1000. The smaller the value, the higher the priority.
target_type                        Optional. This parameter specifies the type of a specified target.
                                   Its value must be:
                                       • R: indicates the role.
                                       • U: indicates the user.
                                       • G: indicates the group.
                                   The default value is R.
no acl rule <target_name> <resource_group> [target_type]
This command is used to delete the ACL rule associated with a specified resource group and a
specified target. If multiple types of targets have the same name, you need to specify the
“target_type” parameter to distinguish them. If it is not specified, the ACL rule associated with the
role-type target will be deleted.
show acl rule [target_name] [resource_group] [target_type]
This command is used to display the ACL rule associated with a specified resource group and a
specified target type.
target_name                        Optional. This parameter specifies the name of an existing target.
                                       • If this parameter is specified, the ACL rules associated with
                                         a specified target will be displayed.
                                       • If this parameter is not specified, the ACL rules associated
                                         with all targets will be displayed.
                                   The default value is empty.
resource_group                     Optional. This parameter specifies the name of an existing
                                   resource group.
                                       • If this parameter is specified, the ACL rules associated with
                                         a specified resource group will be displayed.
                                       • If this parameter is not specified, the ACL rules associated
                                         with all resource groups will be displayed.
                                   The default value is empty.
target_type                        Optional. This parameter specifies the type of the target. Its
                                   value must be:
                                       • A: indicates all types.
                                       • R: indicates the role.
                                       • U: indicates the user.
                                       • G: indicates the group.
                                   The default value is A.
clear acl rule [target_name] [resource_group]
This command is used to clear the ACL rules associated with a specified resource group and a
specified target.
target_name                      Optional. This parameter specifies the name of the target.
                                     • If this parameter is specified, the ACL rules associated with
                                       a specified target will be cleared.
                                     • If this parameter is not specified, the ACL rules associated
                                       with all targets will be cleared.
                                 The default value is empty.
resource_group                   Optional. This parameter specifies the name of an existing
                                 resource group.
                                     • If this parameter is specified, the ACL rules associated with
                                       a specified resource group will be cleared.
                                     • If this parameter is not specified, the ACL rules associated
                                       with all resource groups will be cleared.
                                 The default value is empty.
acl dynamic {on|off}
This command is used to enable or disable the Dynamic ACL function. By default, this function is
disabled.
When this function is enabled, the system will accept dynamic ACLs generated by the clients.
Dynamic ACLs are used for matching a request only when the request matches no external
ACL and no configured ACL rule.
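The “acl rule” priority scheme (smaller value, higher priority; default 1000; auto-generated permits at 200), the three target types and the fallback to dynamic ACLs combine in ways that are easier to reason about in code than in prose. The following Python is an added example (not Array Networks code) that evaluates network-type resource groups with the standard `ipaddress` module. Its assumptions, none of which the page states outright: the matching rule with the smallest priority value decides and ties go to the rule configured first; a request that matches no rule and no dynamic ACL is denied; client-supplied dynamic ACLs are `(cidr, action)` pairs; external ACLs and the web-type pattern form (“https://www.domain.com:443/*”) are not modelled.

```python
"""ACL rule evaluation over network resource groups (IPv4 and IPv6).

Added example, not Array Networks code. ASSUMPTIONS (not stated by the page):
the matching rule with the smallest priority value decides; ties fall to the
rule configured first; a request matching no rule and no dynamic ACL is
denied; dynamic ACLs are (cidr, action) pairs supplied by the client.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Identity:
    user: str
    roles: tuple = ()
    groups: tuple = ()

    def is_target(self, target_name, target_type):
        """True when this session is the rule's target (R=role, U=user, G=group)."""
        return {"R": target_name in self.roles,
                "U": target_name == self.user,
                "G": target_name in self.groups}[target_type]


class Acl:
    def __init__(self, dynamic=False, denylog=False):
        self.dynamic = dynamic      # acl dynamic {on|off}
        self.denylog = denylog      # acl denylog {on|off}
        self.groups = {}            # network resource group -> [ip_network, ...]
        self.rules = []             # (priority, seq, target, group, action, target_type)
        self.log = []               # deny log lines when denylog is on

    def resourcegroup_network(self, name):
        self.groups[name] = []

    def resource(self, group, cidr):
        # "acl resource <group> <cidr>": IPv4 and IPv6 resources are both accepted
        self.groups[group].append(ipaddress.ip_network(cidr, strict=False))

    def rule(self, target, group, action, priority=1000, target_type="R"):
        # "acl rule <target> <group> <action> [priority] [target_type]"
        if action not in ("permit", "deny") or not 0 <= priority <= 1000:
            raise ValueError("action must be permit|deny and priority 0..1000")
        if group not in self.groups:
            raise KeyError(f"resource group {group!r} does not exist")
        self.rules.append((priority, len(self.rules), target, group, action, target_type))

    def decide(self, ident, dest, dynamic_acls=()):
        """Return (action, reason) for ident reaching the destination address."""
        ip = ipaddress.ip_address(dest)
        for priority, _, target, group, action, ttype in sorted(self.rules):
            if ident.is_target(target, ttype) and any(ip in net for net in self.groups[group]):
                return self._result(ident, dest, action,
                                    f"rule {ttype}:{target} {group} priority {priority}")
        if self.dynamic:   # consulted only when no configured rule matched
            for cidr, action in dynamic_acls:
                if ip in ipaddress.ip_network(cidr, strict=False):
                    return self._result(ident, dest, action, f"dynamic acl {cidr}")
        return self._result(ident, dest, "deny", "no matching rule (default deny assumed)")

    def _result(self, ident, dest, action, reason):
        if action == "deny" and self.denylog:
            self.log.append(f"ACL deny user={ident.user} dest={dest} ({reason})")
        return action, reason


if __name__ == "__main__":
    # Constructed sample using the resource strings from the "acl resource" example.
    acl = Acl(dynamic=True, denylog=True)
    acl.resourcegroup_network("rg1"); acl.resource("rg1", "10.10.10.0/24")
    acl.rule("rn2", "rg1", "permit", 200)          # what auto-permit would create
    acl.rule("alice", "rg1", "deny", 10, "U")       # narrower deny, higher priority
    print(acl.decide(Identity("alice", roles=("rn2",)), "10.10.10.5"))
    print(acl.decide(Identity("bob", roles=("rn2",)), "10.10.10.5"))
```

The second rule in the sample shows why the priority value matters: a user-level deny only overrides the role-level permit because its value (10) is smaller than 200; with the default priority of 1000 it would never be reached.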
acl denylog {on|off}
This command is used to enable or disable logging for access denied by ACL rules. By default, this
function is disabled.
show acl config
This command is used to display the ACL configurations.
clear acl config
This command is used to reset the ACL configurations to default.
Session Management
Global Settings
virtual site session limit <virtual_site> <limit_number>
This global command is used to set the maximum concurrent session number for a specified
virtual site.
virtual_site                   This parameter specifies the name of an existing virtual site.
limit_number                   This parameter specifies the maximum concurrent session number.
                               Its value must be an integer ranging from 0 to 4,294,967,295. 0
                               indicates the AG appliance will not limit the maximum concurrent
                               session number for a specified virtual site.
no virtual site session limit <virtual_site>
This global command is used to delete the setting of the maximum concurrent session number for
a specified virtual site.
show virtual site session limit [virtual_site]
This global command is used to display the setting of the maximum concurrent session number for
a specified virtual site. If the “virtual_site” parameter is not specified, the settings of the maximum
concurrent session number for all virtual sites will be displayed.
virtual site session group name <group_name>
This global command is used to configure a session group. The session group function allows
multiple virtual sites to share the concurrent sessions permitted for the session group. To use this
function, the administrator should follow these steps:
    • Define the session group first using the “virtual site session group name” command.
    • Set the maximum number of concurrent sessions permitted for the session group using the
      “virtual site session group limit” command.
    • Associate virtual sites with the session group using the “virtual site session group member”
      command.
group_name                       This parameter specifies the name of a session group. Its value must
                                 be a string of 1 to 64 characters.
no virtual site session group name <group_name>
This global command is used to delete a specified session group.
show virtual site session group name
This global command is used to display session groups.
clear virtual site session group
This global command is used to clear all session groups.
virtual site session group limit <group_name> <limit_number>
This global command is used to set the maximum concurrent session number for a specified
session group.
group_name                       This parameter specifies the name of an existing session group.
limit_number                     This parameter specifies the maximum concurrent session number.
                                 Its value must be an integer ranging from 0 to 4,294,967,295. 0
                                 indicates the AG appliance will not limit the maximum concurrent
                                 session number.
no virtual site session group limit <group_name>
This global command is used to delete the setting of the maximum concurrent session number for
a specified session group.
show virtual site session group limit [group_name]
This global command is used to display the setting of the maximum concurrent session number for
a specified session group. If the “group_name” parameter is not specified, the settings of the
maximum concurrent session number for all session groups will be displayed.
virtual site session group member <group_name> <virtual_site>
This global command is used to associate a virtual site with a session group.
group_name                       This parameter specifies the name of an existing session group.
virtual_site                     This parameter specifies the name of an existing virtual site.
no virtual site session group member <group_name> <virtual_site>
This global command is used to disassociate a virtual site from a specified session group.
show virtual site session group member [group_name]
This global command is used to display virtual sites associated with a specified session group. If
the “group_name” parameter is not specified, virtual sites associated with all session groups will
be displayed.
virtual site session reuse {on|off} <virtual_site>
This global command is used to enable or disable the session reuse function for a specified virtual
site. This function can be enabled for a specified virtual site only when the AAA function is
enabled for that virtual site. By default, this function is disabled.
virtual_site                     This parameter specifies the name of an existing virtual site.
        Note: When the session reuse function becomes enabled or disabled, all current sessions
        will be killed.
show virtual site session reuse [virtual_site]
This global command is used to display the status of the session reuse function for a specified
virtual site. If the “virtual_site” parameter is not specified, the status of the session reuse function
of all virtual sites will be displayed.
show virtual site session config
This global command is used to display session configurations of all virtual sites.
show maxsession
This global command is used to display the maximum number of concurrent user sessions in each of
the past 12 months.
show session usage [start_date] [end_date]
This global command is used to display the daily maximum session usage records under the global
scope and each virtual site scope during a specified period in descending order.
start_date                     Optional. This parameter specifies the start date of the daily
                               maximum session usage records to be displayed. Its value must be a
                               string in the format of “yyyymmdd”.
                                   • “yyyy” indicates the year. It must be an integer ranging from
                                     2000 to 2037.
                                   • “mm” indicates the month. It must be an integer ranging from
                                     01 to 12.
                                   • “dd” indicates the date. It must be an integer ranging from 01
                                     to 31.
                               If this parameter is not specified, the default start date will be the
                               date in which the device is put to use.
end_date                       Optional. This parameter specifies the end date of the daily
                               maximum session usage records to be displayed. Its value must be a
                               string in the format of “yyyymmdd”. The parameter value must be
                               equal to or larger than that of “start_date”.
                               If this parameter is not specified, the default end date is the current
                               date.
For example:
AN(config)#show session usage 20130903 20130903
2013-9-3: Global Maximum Sessions of the Day:   3(           0 from SSF)
        0( 0 from SSF) : vs
        0( 0 from SSF) : xn
        1( 0 from SSF) : vs_smx
        0( 0 from SSF) : shared
        0( 0 from SSF) : alias
        2( 0 from SSF) : mp1
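A parser for the output format shown above, added here as an example (not Array Networks code) so the daily per-virtual-site maxima can be fed into capacity monitoring; the two-day sample and the per-site limits passed to the threshold check are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the handbook's "show session usage" output
# (newest day first, as the command lists records in descending order);
# the second day and its counts are made up, not captured from a device.
SAMPLE_OUTPUT = """\
2013-9-4: Global Maximum Sessions of the Day:   9(           1 from SSF)
        4( 0 from SSF) : vs
        5( 1 from SSF) : mp1
2013-9-3: Global Maximum Sessions of the Day:   3(           0 from SSF)
        0( 0 from SSF) : vs
        0( 0 from SSF) : xn
        1( 0 from SSF) : vs_smx
        0( 0 from SSF) : shared
        0( 0 from SSF) : alias
        2( 0 from SSF) : mp1
"""

# "<date>: Global Maximum Sessions of the Day:   <max>(   <n> from SSF)"
GLOBAL_RE = re.compile(
    r"^(\d{4}-\d{1,2}-\d{1,2}): Global Maximum Sessions of the Day:"
    r"\s*(\d+)\(\s*(\d+) from SSF\)")
# "        <max>( <n> from SSF) : <virtual_site>"
SITE_RE = re.compile(r"^\s+(\d+)\(\s*(\d+) from SSF\)\s*:\s*(\S+)\s*$")


@dataclass
class DayUsage:
    date: str
    global_max: int
    global_ssf: int
    per_site: dict = field(default_factory=dict)  # site -> (max, from_ssf)


def parse_session_usage(text):
    """Turn 'show session usage' output into one DayUsage per reported day."""
    days = []
    current = None
    for line in text.splitlines():
        m = GLOBAL_RE.match(line)
        if m:
            current = DayUsage(m.group(1), int(m.group(2)), int(m.group(3)))
            days.append(current)
            continue
        m = SITE_RE.match(line)
        if m and current is not None:
            current.per_site[m.group(3)] = (int(m.group(1)), int(m.group(2)))
    return days


def sites_over_threshold(days, limits, ratio=0.8):
    """Report (date, site, daily_max, limit) where a site's daily maximum
    reached `ratio` of the limit configured for it (limits: site -> int)."""
    hits = []
    for day in days:
        for site, (daily_max, _ssf) in day.per_site.items():
            limit = limits.get(site)
            if limit and daily_max >= ratio * limit:
                hits.append((day.date, site, daily_max, limit))
    return hits
```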
show hourlysession [month_number]
This global command is used to display the hourly concurrent user session report for a specified
month of the current year.
month_number                   Optional. This parameter specifies the month for which the hourly
                               concurrent user session report will be displayed. Its value must be
                               an integer ranging from 0 to 12. The default value is 0, indicating
                               the last month.
Per-VS Settings
session maxperuser <maximum_session>
This command is used to set the maximum sessions per user.
maximum_session                 This parameter specifies the maximum number of concurrent
                                sessions per user. Its value must be an integer ranging from 0 to
                                4,294,967,295. 0 indicates that the AG appliance will not limit the
                                number of sessions per user.
no session maxperuser
This command is used to delete the configuration of maximum sessions per user.
show session maxperuser
This command is used to display the configuration of maximum sessions per user.
session kill legacy [on|off]
This command is used to enable or disable the function of terminating a legacy session when the
session number of the end user has reached the maximum limit (configured using the “session
maxperuser” command). This function is disabled by default.
on|off                          Optional. This parameter enables or disables the function of
                                terminating a legacy session when the session number of the end
                                user has reached the maximum limit. Its value must be:
                                    • on: enables the function of terminating a legacy session. AG
                                      will terminate a legacy session when the session number of the
                                      end user has reached the maximum limit.
                                    • off: disables the function of terminating a legacy session. The
                                      end user will be directly denied login when the session number
                                      of the end user has reached the maximum limit.
                                The default value is “off”.
session cookie expire
This command is used to enable the cookie expire function, which inserts an “Expires” HTTP
header field into the HTTP response to set the expiration time of the session cookie. By default,
this function is disabled.
no session cookie expire
This command is used to disable the cookie expire function.
show session cookie expire
This command is used to display the configuration of the cookie expire function.
session cookie passthrough
This command is used to enable the session cookie passthrough function, which allows session
cookies to be passed from the requests to backend servers. By default, this function is disabled.
no session cookie passthrough
This command is used to disable the session cookie passthrough function.
show session cookie passthrough
This command is used to display the session cookie passthrough function.
session kill id <session_id>
This command is used to kill the active session with a specified session ID.
session_id                           This parameter specifies the session ID of the active session to
                                     be killed. Its value must be a string of 1 to 8 characters.
session kill user <username> [type]
This command is used to kill active sessions initiated by a specified user.
username                             This parameter specifies an existing username of the user
                                     whose active sessions will be killed.
type                                 Optional. This parameter specifies the type of the active
                                     sessions to be killed. Its value must be “mobilel2tp”,
                                     “mobileipsec”, “ssl” or “all”. The default value is “all”.
session kill deviceid <device_id>
This command is used to kill active sessions initiated by a specified device.
device_id                       This parameter specifies the DeviceID of a specified device whose
                                active sessions will be killed.
session kill status <auth_type>
This command is used to kill the active sessions in the specified status.
auth_type                            This parameter specifies the status of the active sessions to be
                                     killed. Its value must be:
                                         • Auth: indicates authenticated active sessions.
                                         • Unauth: indicates unauthenticated active sessions.
session kill all [type]
This command is used to kill active sessions of a specified type.
type                                Optional. This parameter specifies the type of the active
                                    sessions to be killed. Its value must be “mobilel2tp”,
                                    “mobileipsec”, “ssl” or “all”. The default value is “all”,
                                    indicating that active sessions of all types will be killed.
session timeout idle <time>
This command is used to set session idle timeout (the amount of time that a session can remain
idle before it expires). The default session idle timeout value is 3600 seconds.
time                            This parameter specifies the maximum idle time in seconds. Its
                                value must be an integer ranging from 1 to 86,400.
no session timeout idle
This command is used to reset the session idle timeout value to default.
show session timeout idle
This command is used to display the setting of the session idle timeout value.
session timeout lifetime <time>
This command is used to set the session lifetime timeout value (the amount of time that a session
can exist before it expires). The default session lifetime timeout value is 86,400 seconds.
time                            This parameter specifies the maximum session lifetime in seconds.
                                Its value must be an integer ranging from 1 to 94,608,000.
        Note: If the Site2Site VPN function is used, the session lifetime timeout value should be
        set to the maximum value (94,608,000).
no session timeout lifetime
This command is used to reset the session lifetime timeout value to default.
show session timeout lifetime
This command is used to display the setting of the session lifetime timeout value.
session timeout unauth <time>
This command is used to set the session lifetime timeout value for unauthenticated sessions (the
amount of time that an unauthenticated session can exist before it expires or gets authenticated).
The default session lifetime timeout value for unauthenticated sessions is 300 seconds.
time                              This parameter specifies the maximum unauthenticated session
                                  lifetime in seconds. Its value must be an integer ranging from 1 to
                                  86,400.
          Note: Unauthenticated sessions here include challenge and change-password sessions.
no session timeout unauth
This command is used to reset the session lifetime timeout value for unauthenticated sessions to
default.
show session timeout unauth
This command is used to display the setting of session lifetime timeout value for unauthenticated
sessions.
session timeout warning {on|off}
This command is used to enable or disable the Session Timeout Warning function for the virtual
site. By default, this function is disabled.
session timeout warning threshold [idle_warning] [lifetime_warning]
This command is used to set the amount of time that users will be warned prior to session timeout.
      • When being warned of the session idle timeout, the user is provided with the option to reset
        the session idle timeout timer. The default time that users will be warned prior to session idle
        timeout is 300 seconds.
      • When being warned of the session lifetime timeout, the user is provided with the option to
        extend the session lifetime. The amount of time by which the user can extend the session
        lifetime manually each time can be configured using the “session timeout warning
        extension_lifetime” command. The default time that users will be warned prior to session
        lifetime timeout is 300 seconds.
idle_warning                      Optional. This parameter specifies the amount of time that users
                                  will be warned prior to session idle timeout in seconds. Its value
                                  must be an integer ranging from 1 to 86,400. The default value is
                                  300.
lifetime_warning                  Optional. This parameter specifies the amount of time that users
                                  will be warned prior to session lifetime timeout in seconds. Its
                                  value must be an integer ranging from 1 to 94,608,000. The default
                                  value is 300.
session timeout warning extension_lifetime [extension_lifetime]
This command is used to set the amount of time by which the user can extend the session lifetime
manually each time. The default time to be extended is 300 seconds.
extension_lifetime             Optional. This parameter specifies the amount of time to be
                               extended in seconds. Its value must be an integer ranging from 1 to
                               94,608,000. The default value is 300.
show session timeout warning
This command is used to display the settings of Session Timeout Warning function.
session lifecyclepolicy <policy_name> [idle_timeout] [life_timeout] [warning]
[idle_warning] [lifetime_warning] [extension_time]
This command is used to configure a custom session lifecycle policy. The custom session lifecycle
policy needs to be associated with the role using the “role sessionpolicy” command to take effect.
The custom session lifecycle policy has a higher priority than the session timeout settings of the
virtual site (configured using the commands “session timeout idle”, “session timeout lifetime”,
“session timeout warning {on|off}”, “session timeout warning threshold” and “session timeout
warning extension_lifetime”). A maximum of 200 custom session lifecycle policies can be
configured.
policy_name                    This parameter specifies the name of the custom session lifecycle
                               policy. Its value must be a string of 1 to 63 characters.
idle_timeout                   Optional. This parameter specifies the time that a session can
                               remain idle before it expires, in seconds. Its value must be an
                               integer ranging from 1 to 86,400. The default value is 3600.
life_timeout                   Optional. This parameter specifies the time that a session can exist
                               before it expires, in seconds. Its value must be an integer ranging
                               from 1 to 94,608,000. The default value is 86,400.
warning                        Optional. This parameter specifies whether to enable the session
                               timeout warning function. Its value must be “on” or “off”. The
                               default value is “off”.
idle_warning                   Optional. This parameter specifies the time in seconds that users
                               will be warned prior to the session idle timeout. Its value must be
                               an integer ranging from 1 to 86,400. The default value is 300. If the
                               “warning” parameter is set to “on”, when being warned of the
                               session idle timeout, the user is provided with the option to reset the
                               session idle timeout timer.
lifetime_warning               Optional. This parameter specifies the time in seconds that users
                               will be warned prior to the session lifetime timeout. Its value must
                               be an integer ranging from 1 to 94,608,000. The default value is
                               300. If the “warning” parameter is set to “on”, when being warned
                               of the session lifetime timeout, the user is provided with the option
                               to extend the session lifetime by the amount of time specified by
                               the “extension_time” parameter.
extension_time                 Optional. This parameter specifies the amount of time by which the
                               user can extend the session lifetime manually each time, in seconds.
                               Its value must be an integer ranging from 1 to 94,608,000. The
                               default value is 300.
no session lifecyclepolicy <policy_name>
This command is used to delete a specified custom session lifecycle policy.
show session lifecyclepolicy [policy_name]
This command is used to display a specified custom session lifecycle policy. If the “policy_name”
parameter is not specified, all configured custom session lifecycle policies will be displayed.
clear session lifecyclepolicy
This command is used to clear all configured custom session lifecycle policies.
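The timeout, warning and precedence rules described for the virtual-site settings and the custom lifecycle policy can be modelled to check what a given configuration will do to a session; the following is an added example, not Array Networks code. It assumes that a role's lifecycle policy overrides every virtual-site setting it specifies and that each manual extension adds `extension_time` again (the handbook does not say whether extensions accumulate).

```python
from dataclasses import dataclass

# Defaults the handbook gives for the virtual-site "session timeout ..." settings.
VS_DEFAULTS = {"idle_timeout": 3600, "life_timeout": 86400, "warning": "off",
               "idle_warning": 300, "lifetime_warning": 300, "extension_time": 300}
UNAUTH_TIMEOUT = 300  # default of "session timeout unauth"

RANGES = {  # documented value ranges, in seconds
    "idle_timeout": (1, 86_400),
    "life_timeout": (1, 94_608_000),
    "idle_warning": (1, 86_400),
    "lifetime_warning": (1, 94_608_000),
    "extension_time": (1, 94_608_000),
}


def validate_policy(params):
    """Reject a lifecycle policy whose values fall outside the documented ranges."""
    for name, (lo, hi) in RANGES.items():
        if name in params and not lo <= params[name] <= hi:
            raise ValueError(f"{name}={params[name]} is outside {lo}..{hi}")
    if params.get("warning", "off") not in ("on", "off"):
        raise ValueError("warning must be 'on' or 'off'")
    return params


def effective_settings(vs_settings, role_policy=None):
    """Precedence: defaults < virtual-site settings < role's custom lifecycle policy
    (assumption: the policy overrides every field it specifies)."""
    eff = dict(VS_DEFAULTS)
    eff.update(vs_settings)
    if role_policy:
        eff.update(validate_policy(role_policy))
    return eff


@dataclass
class Session:
    created: int          # epoch seconds
    last_activity: int    # epoch seconds
    authenticated: bool
    extensions: int = 0   # manual lifetime extensions so far (assumed cumulative)


def expiry(session, eff, unauth_timeout=UNAUTH_TIMEOUT):
    """Absolute expiry time of the session and the timer that causes it."""
    if not session.authenticated:
        # Unauthenticated (incl. challenge / change-password) sessions use their own timer.
        return session.created + unauth_timeout, "unauth"
    idle_exp = session.last_activity + eff["idle_timeout"]
    life_exp = (session.created + eff["life_timeout"]
                + session.extensions * eff["extension_time"])
    return (idle_exp, "idle") if idle_exp <= life_exp else (life_exp, "lifetime")


def warning_due(session, eff, now):
    """Which timeout warning the user should see at time `now`, or None."""
    if eff["warning"] != "on" or not session.authenticated:
        return None
    exp, reason = expiry(session, eff)
    lead = eff["idle_warning"] if reason == "idle" else eff["lifetime_warning"]
    return reason if exp - lead <= now < exp else None


def reset_idle_timer(session, now):
    """The idle warning's option: restart the idle timer."""
    session.last_activity = now
    return session


def extend_lifetime(session):
    """The lifetime warning's option: extend the lifetime by extension_time."""
    session.extensions += 1
    return session
```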
show session settings
This command is used to display all the session settings.
clear session settings
This command is used to clear all the session settings.
show session count [username]
This command is used to display the number of active sessions for the specified user.
username                        Optional. This parameter specifies the username of the user for
                                whom the number of active sessions will be displayed. Its value
                                must be a string of 1 to 64 characters. The default value is empty,
                                indicating the number of active sessions for every user will be
                                displayed.
show session active [type] [username] [device_id] [start] [count]
This command is used to display the active sessions matching the specified filter conditions.
type                            Optional. This parameter specifies the type of active sessions to be
                                displayed. Its value must be “mobilel2tp”, “mobileipsec”, “ssl” or
                                “all”. The default value is “all”, indicating all types of sessions.
username                      Optional. This parameter specifies the name of the user for whom
                              active sessions will be displayed. Its value must be a string of 1 to
                              64 characters. The default value is empty, indicating active sessions
                              for all users will be displayed.
device_id                     Optional. This parameter specifies the DeviceID of the device for
                              which active sessions will be displayed. Its value must be a string of
                              1 to 64 characters. The default value is empty, indicating active
                              sessions for all devices will be displayed.
start                         Optional. This parameter specifies the sequence number of the
                              active session from which active sessions will be displayed. Its
                              value must be an integer ranging from 1 to 4,294,967,295. The default
                              value is 1.
count                         Optional. This parameter specifies the number of active sessions to
                              be displayed. Its value must be an integer ranging from 1 to
                              4,294,967,295. The default value is 1,000,000.
show session external acl [type] [username] [start] [number]
This command is used to display the sessions that match external ACLs.
type                          Optional. This parameter specifies the type of sessions to be
                              displayed. Its value must be “mobilel2tp”, “mobileipsec”, “ssl” or
                              “all”. The default value is “all”, indicating all types of sessions.
username                      Optional. This parameter specifies the name of the user for whom
                              sessions will be displayed. Its value must be a string of 1 to 64
                              characters. The default value is empty, indicating the matching
                              sessions of all users will be displayed.
start                         Optional. This parameter specifies the sequence number of the
                              session from which matching sessions will be displayed. Its value
                              must be an integer ranging from 1 to 4,294,967,295. The default
                              value is 1.
number                        Optional. This parameter specifies the number of sessions to be
                              displayed. Its value must be an integer ranging from 1 to
                              4,294,967,295. The default value is 1,000,000.
For example:
vs(config)$show session external acl
User Name Session Type Session ID         ACL
test012        ssl          A1E6A606       0 http:172.16.12.212/ AND ALL PERMIT
                                           0 file:172.16.12.212/ AND ALL PERMIT
                                           2 ip tcp:0.0.0.0:80 AND ALL PERMIT
                                           2 ip tcp:172.16.12.0/255.255.255.0 AND ALL PERMIT
                                           1 ip udp:10.3.0.0/255.255.255.0 AND ALL PERMIT
                                           0 ip icmp:172.16.12.0/255.255.255.0 AND ALL PERMIT
                                           1 ip icmp:10.3.0.0/255.255.255.0 AND ALL PERMIT
show session policy [type] [username] [start] [count]
This command is used to display targets (roles, users or groups) and ACL resources associated
with the active session of a specified type and username.
type                           Optional. This parameter specifies the type of the active sessions to
                               be displayed. Its value must be “mobilel2tp”, “mobileipsec”, “ssl”
                               or “all”. The default value is “all”.
username                       Optional. This parameter specifies the name of the user for whom
                               the active sessions will be displayed. Its value must be a string of 1
                               to 64 characters. The default value is “ ”, indicating all usernames.
start                          Optional. This parameter specifies the sequence number of the
                               session from which sessions will be displayed. Its value must be an
                               integer ranging from 1 to 4,294,967,295. The default value is 1.
count                          Optional. This parameter specifies the number of sessions to be
                               displayed. Its value must be an integer ranging from 1 to
                               4,294,967,295. The default value is 1,000,000.
Chapter 6 Access Method
Web Access
Web Access provides a clientless way to access internal Web resources with the standard web
browser. This section covers the commands for configuring this module.
QuickLink
virtual site quicklink hostname <hostname> <resource_id> <virtual_site>
This global command is used to configure a QuickLink resource in hostname mode for the
specified virtual site.
hostname                        This parameter specifies the public hostname used for mapping to
                                the internal Web resource. Its value must be a string of 5 to 64
                                characters.
resource_id                     This parameter specifies the name of the QuickLink resource. Its
                                value must be a string of 1 to 20 characters. Only 0-9, a-z, A-Z and
                                characters “_” and “-” are supported.
virtual_site                    This parameter specifies the name of the existing virtual site for
                                which the QuickLink rule is configured.
no virtual site quicklink hostname <hostname> <resource_id>
This global command is used to delete a specified QuickLink resource in hostname mode
configured for the specified virtual site.
show virtual site quicklink hostname [virtual_site]
This global command is used to display the QuickLink resources in hostname mode configured for
the specified virtual site. If the “virtual_site” parameter is not specified, the QuickLink resources
in hostname mode configured for all the virtual sites will be displayed.
clear virtual site quicklink hostname <virtual_site>
This global command is used to clear all the QuickLink resources in hostname mode configured
for the specified virtual site.
virtual site quicklink port <port> <resource_id> <virtual_site>
This global command is used to configure a QuickLink resource in port mode for the specified
virtual site.
port                            This parameter specifies the port used for mapping to the internal
                                Web resource. Its value must be an integer ranging from 1 to
                                65,535. To avoid port conflicts, it is recommended to set this
                                parameter to a value above 10,000.
resource_id                     This parameter specifies the name of the QuickLink resource. Its
                                value must be a string of 1 to 20 characters. Only 0-9, a-z, A-Z and
                                characters “_” and “-” are supported.
virtual_site                    This parameter specifies the name of the existing virtual site for
                                which the QuickLink rule is configured.
no virtual site quicklink port <port> <resource_id>
This global command is used to delete a specified QuickLink resource in port mode for the
specified virtual site.
show virtual site quicklink port [virtual_site]
This global command is used to display the QuickLink resources in port mode of the specified
virtual site. If the “virtual_site” parameter is not specified, the QuickLink resources in port mode
of all the virtual sites will be displayed.
clear virtual site quicklink port <virtual_site>
This global command is used to clear all QuickLink resources in port mode of the specified virtual
site.
portal quicklink rule <backend_url> <resource_id> [rewrite_option1]
[rewrite_option2] [rewrite_option3] [rewrite_option4] [rewrite_option5]
This command is used to configure a QuickLink rule to map an internal Web resource to the
specified QuickLink resource.
backend_url                     This parameter specifies the URL of the internal Web resource. Its
                                value must be a string of 1 to 900 characters.
resource_id                     This parameter specifies the name of an existing QuickLink
                                resource. The parameter value must be the name predefined by the
                                command “virtual site quicklink hostname” or “virtual site
                                quicklink port”.
rewrite_option1                 Optional. This parameter specifies the rewrite option. Its value must
                                only be:
                                    • “norewrite”: indicates that the web content will not be
                                      rewritten. By default, the web content will be rewritten.
                                    • “rewriteexternal”: indicates that external URLs contained in
                                      the web content but not matching any QuickLink rules will be
                                      rewritten into the WRM format. By default, external URLs
                                      will not be rewritten.
                                    • “rewritexml”: indicates that the XML formatted web content
                                      will be rewritten. By default, the XML formatted web content
                                      will not be rewritten.
                                    • “blockcookie”: indicates that cookies from backend servers
                                      will be blocked. By default, cookies from backend servers will
                                      not be blocked.
                                    • “forwardheader”: indicates the HTTP header will be replaced
                                      by the new HTTP header of the QuickLink rule in hostname
                                      mode. By default, the HTTP header will not be replaced.
                                Note:
                                1. For OWA, “rewritexml” is a mandatory option while other
                                options (including “norewrite”, “rewriteexternal”, “forwardheader”
                                and “blockcookie”) cannot be configured.
                                2. The “norewrite” option and other options are mutually exclusive.
rewrite_option2                Optional. This parameter specifies the rewrite option. Its value must
                               only be “norewrite”, “rewriteexternal”, “rewritexml”, “blockcookie”
                               or “forwardheader”.
rewrite_option3                Optional. This parameter specifies the rewrite option. Its value must
                               only be “norewrite”, “rewriteexternal”, “rewritexml”, “blockcookie”
                               or “forwardheader”.
rewrite_option4                Optional. This parameter specifies the rewrite option. Its value must
                               only be “norewrite”, “rewriteexternal”, “rewritexml”, “blockcookie”
                               or “forwardheader”.
rewrite_option5                Optional. This parameter specifies the rewrite option. Its value must
                               only be “norewrite”, “rewriteexternal”, “rewritexml”, “blockcookie”
                               or “forwardheader”.
no portal quicklink rule <resource_id>
This command is used to delete a specified QuickLink rule.
show portal quicklink rule
This command is used to display all QuickLink rules under the virtual site scope.
clear portal quicklink rule
This command is used to clear all QuickLink rules under the virtual site scope.
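A pre-flight checker for the QuickLink parameter rules in this section (identifier character set and lengths, hostname length, port range and the above-10,000 recommendation, the `norewrite` exclusivity, and OWA requiring `rewritexml` alone), written as an added example and not Array Networks code; the `owa` flag and treating duplicate options as errors are assumptions, and the sample resource names in the test are constructed.

```python
import re

# "Only 0-9, a-z, A-Z and characters '_' and '-' are supported", 1 to 20 characters.
RESOURCE_ID_RE = re.compile(r"^[0-9A-Za-z_-]{1,20}$")
REWRITE_OPTIONS = {"norewrite", "rewriteexternal", "rewritexml",
                   "blockcookie", "forwardheader"}


def check_resource_id(resource_id):
    return bool(RESOURCE_ID_RE.match(resource_id))


def check_hostname(hostname):
    """Hostname-mode resource: public hostname of 5 to 64 characters."""
    return 5 <= len(hostname) <= 64


def check_port(port):
    """Port-mode resource: 1..65,535; the handbook recommends values above 10,000.
    Returns (acceptable, advisory_message)."""
    if not 1 <= port <= 65535:
        return False, f"port {port} is outside 1..65535"
    if port <= 10000:
        return True, f"port {port} is not above 10,000; a port conflict is more likely"
    return True, ""


def check_backend_url(url):
    return 1 <= len(url) <= 900


def check_rewrite_options(options, owa=False):
    """Problems with rewrite_option1..5 for one rule; an empty list means OK.
    `owa` marks a rule that fronts OWA (assumed flag, not a CLI parameter)."""
    problems = []
    if len(options) > 5:
        problems.append("at most five rewrite options are accepted")
    unknown = [o for o in options if o not in REWRITE_OPTIONS]
    if unknown:
        problems.append("unknown option(s): " + ", ".join(unknown))
    if len(set(options)) != len(options):
        problems.append("duplicate options")  # assumption: duplicates are rejected
    if "norewrite" in options and len(options) > 1:
        problems.append("norewrite cannot be combined with any other option")
    if owa and set(options) != {"rewritexml"}:
        problems.append("OWA rules must use rewritexml and no other option")
    return problems


def validate_quicklink_rule(backend_url, resource_id, options, known_resources, owa=False):
    """Check one 'portal quicklink rule' against the resource IDs already defined
    with 'virtual site quicklink hostname' / 'virtual site quicklink port'."""
    problems = []
    if not check_backend_url(backend_url):
        problems.append("backend_url must be 1 to 900 characters")
    if resource_id not in known_resources:
        problems.append(f"resource {resource_id!r} is not a predefined QuickLink resource")
    problems.extend(check_rewrite_options(options, owa))
    return problems
```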
show portal quicklink global
This command is used to display all QuickLink resources configured in the global scope.
portal quicklink alias <backend_url> <resource_id>
This command is used to configure a QuickLink alias rule for the specified QuickLink resource.
This allows administrators to define additional URLs that can be mapped to the same QuickLink
resource identified by the “resource_id” parameter.
backend_url                    This parameter specifies the additional URL of the internal Web
                               resource. Its value must be a string of 1 to 900 characters.
resource_id                    This parameter specifies the name of the QuickLink resource. The
                               parameter value must be the name predefined by the command
                               “virtual site quicklink hostname” or “virtual site quicklink port”.
no portal quicklink alias <backend_url>
This command is used to delete a specified QuickLink alias rule.
show portal quicklink alias
This command is used to display all QuickLink alias rules.
clear portal quicklink alias
This command is used to delete all QuickLink alias rules.
WRM
   General Settings
rewrite {on|off}
This command is used to enable or disable the Web Resource Mapping (WRM) function. By
default, this function is enabled.
show rewrite status
This command is used to display the status (enabled or disabled) of the WRM function.
show rewrite config
This command is used to display all configurations of the WRM function.
clear rewrite config
This command is used to delete all configurations of the WRM function.
   WRM Rule
rewrite param <rule_id> <parameter_name> {url|host} [separator] [index]
This command is used to configure a WRM rewrite rule.
rule_id                       This parameter specifies the ID of WRM rewrite rule. Its value
                              must be an integer ranging from 0 to 1024.
parameter_name                This parameter specifies the name obtained from the value of the
                              HTML “name” attribute in the HTML “param” tag.
url|host                      This parameter specifies the value type obtained from the HTML
                              “value” attribute of the HTML “param” tag. Its value must only be
                              “url” or “host”.
separator                     Optional. This parameter specifies the separator between multiple
                              URLs or hosts. The default value is empty.
index                         Optional. This parameter specifies the index of the URL or host to
                              be rewritten. Its value must be an integer ranging from 1 to
                              4,294,967,295. The default value is empty.
For example, if the HTML file of the backend Web server contains the HTML “param” tag
<param name="param" value="http://test.com"/>, the WRM rule should be:
vs(config)$ rewrite param 1 "param" "url"
no rewrite param <rule_id>
This command is used to delete a specified WRM rewrite rule.
show rewrite param
This command is used to display the configured WRM rewrite rules.
rewrite matchparam substring
This command is used to set the parameter matching mode to “substring”. In “substring” mode,
the WRM rewrite rule will be hit when the value of “parameter_name” parameter in the “rewrite
param” command matches a part of the value of the HTML “name” attribute in the HTML
“param” tag. By default, the “substring” mode is used for HTML parameter matching.
rewrite matchparam exact
This command is used to set the parameter matching mode to “exact”. In “exact” mode, the WRM
rewrite rule will be hit when the value of the “parameter_name” parameter in the “rewrite param”
command exactly matches the value of the HTML “name” attribute in the HTML “param” tag.
show rewrite matchparam
This command is used to display the parameter matching mode.
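The “rewrite param” rule selection described above, as an added Python example that is not part of the handbook or of Array's software: it applies rules (with their optional separator and index) under either “matchparam” mode to the “value” attribute of HTML “param” tags. The virtual site name vs.example.com and the rewritten URL form produced by rewrite_one are assumed placeholders; the gateway's real rewriting algorithm is not documented here.

```python
from dataclasses import dataclass
from html import escape
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

GATEWAY = "vs.example.com"  # assumed virtual site hostname (placeholder, not from the handbook)

@dataclass
class ParamRule:
    """One 'rewrite param <rule_id> <parameter_name> {url|host} [separator] [index]' rule."""
    rule_id: int
    parameter_name: str
    value_type: str               # "url" or "host"
    separator: str = ""           # empty: the whole value is a single URL or host
    index: Optional[int] = None   # 1-based element to rewrite; None: every element

    def __post_init__(self) -> None:
        if not 0 <= self.rule_id <= 1024:
            raise ValueError("rule_id must be 0..1024")
        if self.value_type not in ("url", "host"):
            raise ValueError("value type must be 'url' or 'host'")

def name_matches(rule: ParamRule, attr_name: str, mode: str) -> bool:
    """'rewrite matchparam substring' (the default) versus 'rewrite matchparam exact'."""
    if mode == "exact":
        return attr_name == rule.parameter_name
    if mode == "substring":
        return rule.parameter_name in attr_name
    raise ValueError(f"unknown matchparam mode: {mode}")

def rewrite_one(value: str, value_type: str) -> str:
    """Placeholder mapping of a backend URL or host onto the virtual site (assumed form)."""
    if value_type == "host":
        return GATEWAY
    parts = urlsplit(value)
    if not parts.netloc:  # relative URL: left alone unless 'rewrite relative' is enabled
        return value
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{GATEWAY}/prx/{parts.scheme}/{parts.netloc}{parts.path or '/'}{query}"

def rewrite_value(value: str, rule: ParamRule) -> str:
    """Apply separator/index: only the selected element(s) of the value are rewritten."""
    elems = value.split(rule.separator) if rule.separator else [value]
    out = []
    for pos, elem in enumerate(elems, start=1):
        if rule.index is None or pos == rule.index:
            out.append(rewrite_one(elem, rule.value_type))
        else:
            out.append(elem)
    return rule.separator.join(out)

class ParamRewriter(HTMLParser):
    """Copies the document through, rewriting the 'value' attribute of matching <param> tags."""

    def __init__(self, rules: List[ParamRule], mode: str = "substring") -> None:
        super().__init__(convert_charrefs=False)
        self.rules, self.mode, self.out = rules, mode, []

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs, self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, self.get_starttag_text())

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def _emit(self, tag, attrs, raw):
        if tag != "param":
            self.out.append(raw)
            return
        attrs = dict(attrs)
        name, value = attrs.get("name") or "", attrs.get("value") or ""
        for rule in self.rules:          # first matching rule wins (assumption)
            if name_matches(rule, name, self.mode):
                attrs["value"] = rewrite_value(value, rule)
                break
        rebuilt = " ".join(k if v is None else f'{k}="{escape(v, quote=True)}"'
                           for k, v in attrs.items())
        self.out.append(f"<param {rebuilt}/>" if raw.endswith("/>") else f"<param {rebuilt}>")

def rewrite_html(document: str, rules: List[ParamRule], mode: str = "substring") -> str:
    parser = ParamRewriter(rules, mode)
    parser.feed(document)
    parser.close()
    return "".join(parser.out)
```

Feeding the handbook's own `<param name="param" value="http://test.com"/>` with `ParamRule(1, "param", "url")` rewrites the value; in “exact” mode a tag named “paramlist” is left untouched, while in “substring” mode it is rewritten, which is worth checking before choosing the mode.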
rewrite relative
This command is used to enable the rewrite of the relative URLs. By default, this function is
disabled.
no rewrite relative
This command is used to disable the rewrite of the relative URLs.
show rewrite relative
This command is used to display the status (enabled or disabled) of the rewrite of the relative
URLs.
     URL Masking
rewrite urlmask [file_name]
This command is used to enable the URL masking function. To mask the internal URLs, the
“rewrite relative” command must be configured first. If the URL masking function is enabled, the
system will rewrite the URL with a pre-set algorithm to hide the backend server and path. By
default, this function is disabled.
file_name                       Optional. This parameter specifies the file name. Its value must
                                only be “filename” or its prefix. If this parameter is specified, the
                                name of file of the internal resource will also be masked. The
                                default value is empty.
no rewrite urlmask
This command is used to disable the URL masking function.
show rewrite urlmask
This command is used to display the status (enabled or disabled) of the URL masking function.
     URL Property
urlproperty mask wrm <url>
This command is used to add a URL to the list of URLs that will not be rewritten by the WRM
rewrite rule.
url                             This parameter specifies the URL that will not be rewritten by the
                                WRM rewrite rule. Its value must be a string of 9 to 1000
                                characters.
no urlproperty mask wrm <url>
This command is used to delete a URL from the list of URLs that will not be rewritten by the
WRM rewrite rule.
clear urlproperty mask wrm
This command is used to clear the list of URLs that will not be rewritten by the WRM rewrite
rule.
urlproperty mask acceptencoding <url>
This command is used to disable the insertion of the “Accept-Encoding” header for the specified
URL. This is used primarily for Web servers that are non-compliant with the HTTP RFC
standards.
url                            This parameter specifies the URL for which “Accept-Encoding”
                               headers will be masked. Its value must be a string of 9 to 990
                               characters.
no urlproperty mask acceptencoding <url>
This command is used to enable the insertion of the “Accept-Encoding” header for the specified
URL.
clear urlproperty mask acceptencoding
This command is used to enable the insertion of the “Accept-Encoding” header for all URLs.
show urlproperty mask
This command is used to display all URL property mask configurations.
Custom Rewrite
rewrite custom {on|off}
This command is used to enable or disable the custom rewrite function. By default, this function is
enabled. To use this function, the administrator also needs to configure custom rewrite rules using
the “rewrite custom rules” command.
show rewrite custom status
This command is used to display the status (enabled or disabled) of the custom rewrite function.
rewrite custom rules <rule_id> <rewrite_position> <url_pattern> <script>
[flag]
This command is used to configure a custom rewrite rule.
rule_id                        This parameter specifies the ID of the custom rewrite rule. Its value
                               must be an integer ranging from 1 to 4,294,967,295.
rewrite_position               This parameter specifies when to execute the custom rewrite rule.
                               Its value must only be
                                   pre: indicates the custom rewrite rule will be first executed
                                    before the execution of the WRM rewrite rule.
                                   post: indicates the WRM rewrite rule will be first executed
                                    before the execution of custom rewrite rule.
url_pattern                    This parameter specifies the URL string used to match with the
                               URL. Its value must be a string of 1 to 900 characters.
                               This parameter also supports the prefix match. For example, if the
                               parameter value is set to xxx.yyy.zzz, all sub-URLs and files under
                               this path will be rewritten.
                               This parameter also supports the wildcard “*”. For example, the
                               URL can be http://*.arraynetworks.com/.
script                         This parameter specifies the regular expression script used to
                               rewrite the URL. Its value must be a string of 1 to 512 characters.
flag                           Optional. This parameter specifies the flag of the custom rewrite
                               rule. Its value must be:
                                   “i”: indicates that the system will ignore the case sensitivity
                                    during URL matching.
                                   “n”: indicates that the URL will not be rewritten. This
                                    parameter value can be used only when the “rewrite_position”
                                    parameter is set to “pre”.
                               The default value is empty, indicating the system rewrites the URL
                               according to the configuration of this custom rewrite rule.
no rewrite custom rules <rule_id>
This command is used to delete a custom rewrite rule.
show rewrite custom rules
This command is used to display all custom rewrite rules.
URL Policy
AG provides URL policies that allow the administrator to control end users’ access to Web
resources through the virtual site according to the requested URL.
AG supports four types of URL policies:
      Internal
      External
     Public
     Block
           Note: The public URL policy cannot be set as default URL policy.
urlpolicy external <priority> <url>
This command is used to configure an external URL policy. If the requested URL matches the
external URL policy, the external URL policy directly redirects the HTTP request to the external
URL. It neither requires end users to log into the virtual site, nor lets AG rewrite the requests.
priority                         This parameter specifies the priority of the external URL policy. Its
                                 value must be an integer ranging from 0 to 65,535. The smaller the
                                 value, the higher the priority.
url                              This parameter specifies the URL keyword. Its value must be a
                                 string of 1 to 100 characters.
no urlpolicy external <priority>
This command is used to delete a specified external URL policy.
clear urlpolicy external
This command is used to clear all external URL policies.
urlpolicy internal <priority> <url>
This command is used to configure an internal URL policy. If the requested URL matches the
internal URL policy, the internal URL policy forces the end users to log into the virtual site first
and lets AG rewrite the HTTP requests.
priority                         This parameter specifies the priority of the internal URL policy. Its
                                 value must be an integer ranging from 0 to 65,535. The lower the
                                 value, the higher the priority.
url                              This parameter specifies the URL keyword. Its value must be a
                                 string of 1 to 100 characters.
no urlpolicy internal <priority>
This command is used to delete a specified internal URL policy.
clear urlpolicy internal
This command is used to clear all internal URL policies.
urlpolicy block <priority> <url>
This command is used to configure a block URL policy. If the requested URL matches the block
URL policy, the block URL policy blocks the end users’ access.
priority                        This parameter specifies the priority of the block URL policy. Its
                                value must be an integer ranging from 0 to 65,535. The smaller the
                                value, the higher the priority.
url                             This parameter specifies the URL keyword. Its value must be a
                                string of 1 to 100 characters.
For example:
vs(config)$urlpolicy block 2 a.b.com
After this command is executed, the AG appliance will block all accesses to the “a.b.com”.
vs(config)$urlpolicy block 0 a.b.com/test/index.html/
After this command is executed, the AG appliance will block the access to the
“a.b.com/test/index.html/”.
no urlpolicy block <priority>
This command is used to delete a specified block URL policy.
clear urlpolicy block
This command is used to clear all block URL policies.
urlpolicy public <priority> <url>
This command is used to configure a public URL policy. If a requested URL matches the public
URL policy, the public URL policy authorizes end users to access these resources without logging
into the virtual site and lets AG rewrite the requests. Public URL policies authorize end users with
unrestricted access to internal resources. Therefore, it is recommended to use public URL policies
only to provide authorized access to internal resources embedded in custom login pages, logout
pages, and error pages.
priority                        This parameter specifies the priority of the public URL policy. Its
                                value must be an integer ranging from 0 to 65,535. The smaller the
                                value, the higher the priority.
url                             This parameter specifies the URL keyword. Its value must be a
                                string of 1 to 100 characters.
no urlpolicy public <priority>
This command is used to delete a specified public URL policy.
clear urlpolicy public
This command is used to clear all public URL policies.
show urlpolicy
This command is used to display all URL policies.
clear urlpolicy config
This command is used to clear all URL policies.
urlpolicy default external
This command is used to set the default URL policy as “external”. After this command is
configured, requested URLs not matching any URL policies will be treated as external URLs.
urlpolicy default internal
This command is used to set the default URL policy as “internal”. After this command is
configured, requested URLs not matching any URL policies will be treated as internal URLs.
urlpolicy default block
This command is used to set the default URL policy as “block”. After this command is configured,
requested URLs not matching any URL policies will be blocked.
no urlpolicy default
This command is used to reset the default URL policy to the default setting “internal”.
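The URL policy evaluation described in this section, as an added Python example that is not part of the handbook or of Array's software: policies are tried from the lowest priority number up, the first hit decides, and the default policy applies otherwise (“public” is rejected as a default). The handbook does not state how the URL keyword is compared; this example assumes a substring match against host, path and query with the scheme stripped, and breaks priority ties by configuration order.

```python
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

POLICY_TYPES = ("internal", "external", "public", "block")

@dataclass(frozen=True)
class UrlPolicy:
    """One 'urlpolicy <type> <priority> <url>' entry."""
    kind: str
    priority: int   # 0..65,535; the smaller the value, the higher the priority
    keyword: str    # 1..100 characters

    def __post_init__(self) -> None:
        if self.kind not in POLICY_TYPES:
            raise ValueError(f"unknown policy type: {self.kind}")
        if not 0 <= self.priority <= 65_535:
            raise ValueError("priority must be 0..65,535")
        if not 1 <= len(self.keyword) <= 100:
            raise ValueError("url keyword must be 1..100 characters")

@dataclass(frozen=True)
class Decision:
    kind: str                      # policy type that applied (or the default)
    login_required: bool           # must the user log into the virtual site first?
    rewritten: bool                # does AG rewrite the request?
    matched: Optional[UrlPolicy]   # None when the default policy applied

# (login required, rewritten) for each type, as the handbook describes them.
EFFECT = {
    "internal": (True, True),    # force login, then rewrite
    "external": (False, False),  # redirect straight to the external URL, no login, no rewrite
    "public":   (False, True),   # no login, but rewritten (meant for login/logout/error page assets)
    "block":    (False, False),  # access denied
}

def _keyword_hits(keyword: str, requested_url: str) -> bool:
    """Assumed matching: substring of host+path+query with the scheme removed,
    so 'a.b.com' covers every URL on that host (and, as a side effect, 'xa.b.com')."""
    parts = urlsplit(requested_url)
    target = parts.netloc + parts.path + (f"?{parts.query}" if parts.query else "")
    return keyword in target

def decide(policies: Iterable[UrlPolicy], requested_url: str, default: str = "internal") -> Decision:
    """Evaluate from highest priority (lowest number) down; the first hit wins.
    sorted() is stable, so equal priorities keep configuration order (assumption)."""
    if default not in ("internal", "external", "block"):
        raise ValueError("default URL policy must be internal, external or block")
    for policy in sorted(policies, key=lambda p: p.priority):
        if _keyword_hits(policy.keyword, requested_url):
            login, rewrite = EFFECT[policy.kind]
            return Decision(policy.kind, login, rewrite, policy)
    login, rewrite = EFFECT[default]
    return Decision(default, login, rewrite, None)
```

Run against the handbook's two “urlpolicy block” examples together with a public rule for “/images/”: a request for an image on a.b.com is still blocked, because the block rule's priority 2 outranks the public rule's priority 5.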
SSO
sso {on|off}
This command is used to enable or disable the SSO (Single Sign On) function for Web Access. By
default, this function is disabled. This function takes effect only when the portal login credential is
the same as the login credential of the Web application server.
sso kerberos realm name <realm_name>
This command is used to configure a Kerberos realm.
realm_name                       This parameter specifies the name of an existing Kerberos realm. Its
                                 value must be an uppercase string of 1 to 128 characters.
For example:
vs(config)$sso kerberos realm name EXAMPLE.COM
no sso kerberos realm name <realm_name>
This command is used to delete a Kerberos realm.
sso kerberos realm kdc <realm_name> <kdc_host_name> [kdc_port]
This command is used to add a Key Distribution Center (KDC) to the specified Kerberos realm.
After KDCs are configured, the system sends the request to the KDC with the highest priority to
obtain the service ticket. The earlier the KDC is configured for the virtual site, the higher the
priority of the KDC will be. A maximum of three KDCs can be added to a Kerberos realm.
realm_name                     This parameter specifies the name of an existing Kerberos realm.
kdc_host_name                  This parameter specifies the hostname or IP address of the KDC. Its
                               value must be a string of 1 to 128 characters. If its value is an IP
                               address, it must be an IPv4 address enclosed in double quotes.
kdc_port                       Optional. This parameter specifies the port number that the KDC
                               listens to. Its value must be an integer ranging from 1 to 65535. The
                               default value is 88.
        Note: If the local DNS server under the global scope supports the service location SRV
        resource record, the system can find the KDC by itself, so this command and the “sso
        kerberos realm name” command do not need to be configured.
no sso kerberos realm kdc <realm_name> <kdc_host_name>
This command is used to delete a KDC from a specified Kerberos realm.
show sso kerberos realm [realm_name]
This command is used to display the settings of a specified Kerberos realm. If the “realm_name”
parameter is not specified, the settings of all Kerberos realms will be displayed.
clear sso kerberos realm
This command is used to clear the settings of all the Kerberos realms.
sso kerberos rule <service_host> <realm_name>
This command is used to configure a Kerberos SSO rule for the backend Web server.
service_host                   This parameter specifies the hostname or IP address of the backend
                               Web server in the realm specified by the “realm_name” parameter. Its
                               value must be a string of 1 to 128 characters.
                               If its value is a hostname, it must be in one of the following formats:
                                   .abc.com: indicates that all servers in the “.abc.com” domain
                                    are included.
                                   xxx.abc.com: indicates the server of which the hostname is
                                    “xxx.abc.com” or all servers in the “.xxx.abc.com” domain are
                                    included.
                                If its value is an IP address, it must be an IPv4 address enclosed by
                                double quotes.
                                Note: This backend Web server must be registered on the KDC
                                (usually on the Active Directory) in advance.
realm_name                      This parameter specifies the name of an existing Kerberos realm.
For example:
vs(config)$sso kerberos rule arraynetworks.com EXAMPLE.COM
vs(config)$sso kerberos rule www.arraynetworks.net EXAMPLE.COM
vs(config)$sso kerberos rule "10.8.6.160" EXAMPLE.COM
no sso kerberos rule <service_host>
This command is used to delete a specified Kerberos SSO rule.
show sso kerberos rule
This command is used to display all the configured Kerberos SSO rules.
clear sso kerberos rule
This command is used to clear all the configured Kerberos SSO rules.
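The realm, KDC and “sso kerberos rule” semantics described above, as an added Python example that is not part of the handbook or of Array's software: a realm keeps at most three KDCs in configuration (priority) order with port 88 as the default, and a rule's service_host matches either an IPv4 address exactly, a “.abc.com” form for every server in that domain, or an “xxx.abc.com” form for that server and everything below it. Picking the longest matching service_host when several rules hit is an assumption; the handbook states no tie-break.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_KDCS = 3          # "A maximum of three KDCs can be added to a Kerberos realm."
DEFAULT_KDC_PORT = 88

def _check_realm_name(name: str) -> None:
    if not (1 <= len(name) <= 128 and name == name.upper()):
        raise ValueError("realm name must be an uppercase string of 1 to 128 characters")

@dataclass
class KerberosRealm:
    """'sso kerberos realm name' plus its 'sso kerberos realm kdc' entries."""
    name: str
    kdcs: List[Tuple[str, int]] = field(default_factory=list)   # in priority order

    def __post_init__(self) -> None:
        _check_realm_name(self.name)

    def add_kdc(self, host: str, port: int = DEFAULT_KDC_PORT) -> bool:
        """Earlier-configured KDCs keep the higher priority; a fourth one is refused."""
        if len(self.kdcs) >= MAX_KDCS:
            return False
        if not 1 <= port <= 65535:
            raise ValueError("kdc_port must be 1..65535")
        self.kdcs.append((host, port))
        return True

    def preferred_kdc(self) -> Optional[Tuple[str, int]]:
        """The KDC the service-ticket request goes to first; None means a DNS SRV
        lookup would have to find the KDC instead."""
        return self.kdcs[0] if self.kdcs else None

@dataclass(frozen=True)
class SsoRule:
    """'sso kerberos rule <service_host> <realm_name>'. service_host is an IPv4 address
    (written in double quotes on the CLI), '.domain' or 'host.domain'."""
    service_host: str
    realm_name: str

    def matches(self, backend_host: str) -> bool:
        host = backend_host.lower()
        try:   # IP rule: exact address comparison
            return ipaddress.IPv4Address(self.service_host) == ipaddress.IPv4Address(host)
        except ValueError:
            pass   # rule or request is not an IPv4 address: fall through to name matching
        pattern = self.service_host.lower()
        if pattern.startswith("."):          # .abc.com: every server in that domain
            return host.endswith(pattern)
        # xxx.abc.com: that server itself or any server in the .xxx.abc.com domain
        return host == pattern or host.endswith("." + pattern)

def find_realm(rules: List[SsoRule], backend_host: str) -> Optional[str]:
    """Realm to obtain the service ticket from, or None when no rule covers the host."""
    hits = [r for r in rules if r.matches(backend_host)]
    if not hits:
        return None
    return max(hits, key=lambda r: len(r.service_host)).realm_name   # assumed tie-break
```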
sso post <hostname> <login_url> <username_field> <password_field>
[post_host] [post_url] [post_fields] [bookmark] [other_header_field]
This command is used to add an HTTP POST SSO rule. With this command, the administrator
specifies an application’s login URL used to post a user’s credentials. This function allows a user
to access multiple backend applications without re-entering their credentials.
hostname                        This parameter specifies the host name of the backend server. Its
                                value must be a string of 1 to 128 characters.
login_url                       This parameter specifies the URL of the login page. Its value must
                                be a string of 1 to 900 characters.
username_field                  This parameter specifies the field used to post the username for
                                authentication. Its value must be a string of 1 to 64 characters.
password_field                  This parameter specifies the field used to post the password for
                                authentication. Its value must be a string of 1 to 32 characters.
post_host                       Optional. This parameter specifies the POST target that includes the
                                port if needed. Its value must be a string of 1 to 128 characters. By
                                default, the value of the “hostname” parameter is used.
post_url                    Optional. This parameter specifies the URL to which the POST
                            request is directed. Its value must be a string of 1 to 900 characters.
                            By default, the value of the “login_url” parameter is used.
post_fields                 Optional. This parameter specifies a set of fields that are required
                            by the backend service in addition to the username and password.
                            Its value must be a string of 1 to 1024 characters. It can be a string
                            of only characters or a string containing multiple “field=value”
                            pairs. In addition, it supports tokens, which will be dynamically
                            replaced by actual values.
                            Meanings of supported tokens are as follows:
                                 <IP_ADDR_UINT>: Client IP address in the unsigned integer
                                  format, such as 1677920266
                                 <IP_ADDR_DOTDEC>: Client IP address in the dotted
                                  decimal format, such as 10.8.3.100
                                 <MAC_ADDR_NOSEP>: Client MAC address without any
                                  separator, such as F0DEF1E4FDD8
                                 <MAC_ADDR_DASH>: Client MAC address with “-” as the
                                  separator, such as F0-DE-F1-E4-FD-D8
                                 <MAC_ADDR_COLON>: Client MAC address with “:” as
                                  the separator, such as F0:DE:F1:E4:FD:D8
                            For example:
                            “domain=abc&deptname=xyz&ipaddress=<IP_ADDR_DOTDEC>
                            &macaddress=<MAC_ADDR_DASH>”
bookmark                    Optional. Its value must only be:
                                 “enable”: indicates that the end user can access the same
                                  backend application without re-entering their credentials when
                                  accessing the same Web resource again.
                                 “disable”: indicates that the end user needs to re-enter their
                                  credentials when accessing the same Web resource again.
                            The default value is “disable”.
other_header_field          Optional. This parameter specifies a set of HTTP header fields that
                            are required by the backend service for user authentication.
                            Multiple HTTP header fields must be separated by “\r\n”. Its value
                            should be a string of 1 to 1024 characters.
                               For example: “User-Agent: Mozilla/4.0 (compatible; MSIE 8.0;
                               Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR
                               3.0.4506.2152; .NET CLR 3.5.30729)\r\nCookie: PBack=0;\r\n”
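The “sso post” rule assembly described above, as an added Python example that is not part of the handbook or of Array's software: it expands the five post_fields tokens, splits other_header_field on “\r\n”, applies the post_host/post_url defaults and builds the form body. One check worth making: the handbook's sample value 1677920266 is 10.8.3.100 with its four bytes reversed, so the example computes both byte orders for <IP_ADDR_UINT> and you should confirm which one your backend expects. The https scheme and the treatment of login_url as a path are assumptions.

```python
import ipaddress
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode

def ip_to_uint(ip: str, little_endian: bool = False) -> int:
    """<IP_ADDR_UINT>: network byte order by default. With little_endian=True the
    handbook's sample 10.8.3.100 yields 1677920266 (its bytes reversed)."""
    packed = ipaddress.IPv4Address(ip).packed
    return struct.unpack("<I" if little_endian else ">I", packed)[0]

def mac_hex(mac: str) -> str:
    """Normalise any common MAC spelling to 12 uppercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def expand_tokens(template: str, client_ip: str, client_mac: str) -> str:
    """Replace the tokens supported in post_fields with the client's values."""
    hexmac = mac_hex(client_mac)
    pairs = [hexmac[i:i + 2] for i in range(0, 12, 2)]
    values = {
        "<IP_ADDR_UINT>": str(ip_to_uint(client_ip)),
        "<IP_ADDR_DOTDEC>": str(ipaddress.IPv4Address(client_ip)),
        "<MAC_ADDR_NOSEP>": hexmac,
        "<MAC_ADDR_DASH>": "-".join(pairs),
        "<MAC_ADDR_COLON>": ":".join(pairs),
    }
    for token, value in values.items():
        template = template.replace(token, value)
    return template

def parse_header_fields(other_header_field: str) -> Dict[str, str]:
    """other_header_field: 'Name: value' entries separated by \\r\\n."""
    headers: Dict[str, str] = {}
    for line in other_header_field.split("\r\n"):
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header field: {line!r}")
        headers[name.strip()] = value.strip()
    return headers

@dataclass
class PostSsoRule:
    """'sso post <hostname> <login_url> <username_field> <password_field>
    [post_host] [post_url] [post_fields] [bookmark] [other_header_field]'."""
    hostname: str
    login_url: str
    username_field: str
    password_field: str
    post_host: Optional[str] = None      # default: hostname
    post_url: Optional[str] = None       # default: login_url
    post_fields: str = ""
    bookmark: str = "disable"
    other_header_field: str = ""

def build_post(rule: PostSsoRule, username: str, password: str,
               client_ip: str, client_mac: str) -> Tuple[str, Dict[str, str], str]:
    """Return (target URL, extra headers, form body) for the replayed login POST."""
    host = rule.post_host or rule.hostname
    path = rule.post_url or rule.login_url
    target = path if path.startswith(("http://", "https://")) else f"https://{host}{path}"
    fields: List[Tuple[str, str]] = [(rule.username_field, username), (rule.password_field, password)]
    if rule.post_fields:   # plain string or field=value pairs, tokens expanded first
        fields += parse_qsl(expand_tokens(rule.post_fields, client_ip, client_mac), keep_blank_values=True)
    return target, parse_header_fields(rule.other_header_field), urlencode(fields)
```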
no sso post <hostname> <login_url>
This command is used to delete an HTTP POST SSO rule.
show sso post
This command is used to display all HTTP POST SSO rules.
clear sso post
This command is used to delete all HTTP POST SSO rules.
show sso config
This command is used to display the configurations of the SSO function.
clear sso config
This command is used to clear all configurations of the SSO function.
Proxy
server proxy manual http <ip> <port> [username] [password] [domain]
This command is used to add an HTTP-type backend proxy server.
ip                             This parameter specifies the IP address of the backend proxy server.
                               Its value must be given in dotted decimal notation.
port                           This parameter specifies the port number of the backend proxy
                               server. Its value must be an integer ranging from 0 to 65,535.
username                       Optional. This parameter specifies the username used for passing
                               the backend proxy server’s authentication. This parameter needs to
                               be specified when the backend proxy server requires authentication.
                               Its value must be a string of 1 to 64 characters. The default value is
                               empty.
password                       Optional. This parameter specifies the password used for passing
                               the backend proxy server’s authentication. This parameter needs to
                               be specified when the backend proxy server requires authentication.
                               Its value must be a string of 1 to 32 characters. The default value is
                               empty.
domain                         Optional. This parameter specifies the domain of the backend proxy
                               server. This parameter needs to be specified when the backend
                               proxy server requires authentication. Its value must be a string of 1
                               to 64 characters. The default value is empty.
no server proxy manual http
This command is used to delete an HTTP-type backend proxy server.
server proxy manual https <ip> <port>
This command is used to add an HTTPS-type backend proxy server.
ip                             This parameter specifies the IP address of the backend proxy server.
                               Its value must be an IPv4 address.
port                           This parameter specifies the port number of the backend proxy
                               server. Its value must be an integer ranging from 0 to 65,535.
no server proxy manual https
This command is used to delete an HTTPS-type backend proxy server.
server proxy script <script_url> [username] [password] [domain]
This command is used to enable the use of an auto-configuration proxy script.
script_url                     This parameter specifies the URL from which the AG appliance
                               downloads a proxy auto-configuration script. Its value must be a
                               string of 1 to 1024 characters. A script in the required format must
                               be stored at this URL and this script should include the proxy server
                               information, such as IP address.
username                       Optional. This parameter specifies the username used for passing
                               the authentication of the backend proxy server determined by the
                               auto-configuration proxy script. Its value must be a string of 1 to 64
                               characters. The default value is empty.
password                       Optional. This parameter specifies the password used for passing
                               the authentication of the backend proxy server determined by the
                               auto-configuration proxy script. Its value must be a string of 1 to 32
                               characters. The default value is empty.
domain                         Optional. This parameter specifies the domain of the backend proxy
                               server determined by the auto-configuration proxy script. Its value
                               must be a string of 1 to 64 characters. The default value is empty.
no server proxy script
This command is used to disable the use of a proxy auto-configuration script.
show server proxy
This command is used to display the configurations of backend server proxies.
URL Filter
filter {on|off}
This command is used to enable or disable the URL filter function for Web access. This function
is used to prevent Cross Site Scripting (XSS) attacks. By default, this function is disabled.
filter url keyword deny <keyword>
This command is used to configure a URL-filter rule used to deny a URL with a specified
keyword.
keyword                        This parameter specifies a regular expression to match the request
                               URL. If the request URL matches the regular expression, the access
                               will be regarded as malicious and denied. Its value must be a string
                               of 1 to 31 characters.
For example:
vs(config)$ filter url keyword deny "cmd.exe"
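The rule above treats the keyword as a regular expression, which has a consequence worth seeing in working code: in "cmd.exe" the dot matches any character, so the rule is wider than the literal string. The following Python model of a deny-keyword URL filter is an added example, not Array Networks code; it assumes case-insensitive matching over the percent-decoded request URL, which the handbook does not specify, and uses constructed rules and URLs.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed deny rules in the style of
#   vs(config)$ filter url keyword deny "cmd.exe"
# Each keyword is treated as a regular expression, as the handbook states.
DENY_KEYWORDS = ["cmd.exe", r"\.\./", "<script"]


@dataclass
class UrlFilter:
    """Minimal model of a deny-keyword URL filter. Assumption: matching is
    case-insensitive and runs over the percent-decoded request URL; the
    appliance's exact matching rules are not stated in the handbook."""
    keywords: list
    rules: list = field(init=False)

    def __post_init__(self):
        # Compile once; a malformed pattern fails here, not at request time.
        self.rules = [(kw, re.compile(kw, re.IGNORECASE)) for kw in self.keywords]

    def check(self, url: str):
        """Return (allowed, matched_keyword). Decoding first keeps an encoded
        form such as %2e%2e%2f from slipping past a rule written against the
        decoded form."""
        decoded = unquote(url)
        for kw, rx in self.rules:
            if rx.search(decoded):
                return False, kw
        return True, None


def literal_keyword(keyword: str) -> str:
    """Escape a keyword so it matches literally. Because "cmd.exe" is a regex,
    its "." also matches "cmdXexe"; re.escape gives the exact-string form."""
    return re.escape(keyword)


if __name__ == "__main__":
    f = UrlFilter(DENY_KEYWORDS)
    for u in ["/index.html", "/scripts/cmd.exe", "/cmdXexe", "/a/%2e%2e/%2e%2e/etc"]:
        print(u, f.check(u))
```

When a rule is meant to match an exact string rather than a pattern, escape it with `literal_keyword` before configuring it; the 31-character limit on the keyword still applies to the escaped form.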
no filter url keyword deny <keyword>
This command is used to delete a URL-filter rule used to deny a URL with a specified keyword.
show filter url keyword deny
This command is used to display all URL-filter rules used to deny URLs with specified keywords.
show filter config
This command is used to display the configurations of the URL-filter function.
clear filter config
This command is used to clear the configurations of the URL-filter function.
Statistics
show statistics web
This command is used to display Web traffic statistics.
clear statistics web
This command is used to clear Web traffic statistics.
Network Access and Array Client
General Settings
vpn clientupgrade {on|off}
This global command is used to enable or disable the auto upgrade function for the Array Client.
By default, this function is enabled.
show vpn clientupgrade
This global command is used to display the status of the auto upgrade function for the Array
Client.
show statistics vpn
This global command is used to display VPN statistics of all virtual sites.
clear statistics vpn
This global command is used to clear the VPN statistics of all virtual sites.
vpn {on|off}
This command is used to enable or disable the VPN function. By default, this function is disabled.
vpn clientisolate {on|off}
This command is used to enable or disable the client traffic isolation function. With this function
enabled, all the traffic between clients using SSL L3VPN will be blocked. By default, this
function is enabled.
        Note: For the Site2Site VPN function, the client traffic isolation function should be
        disabled.
vpn backend keepalive {on|off}
This command is used to enable or disable the L4VPN backend connection keepalive function.
With this function enabled, the TCP connection to the backend server will be kept alive after the
TCP idle timeout. By default, this function is disabled.
vpn clientinfocollect {on|off}
This command is used to enable or disable L3VPN client information collection. This function is
used for the Array SDK. By default, this function is disabled. For details on Array SDK, please
contact Array Networks Customer Support.
show vpn active
This command is used to display the active VPN tunnel information.
show vpn config
This command is used to display the VPN configurations for the virtual site.
clear vpn config
This command is used to clear the VPN configurations for the virtual site.
show statistics vpn
This command is used to display VPN statistics for the virtual site.
clear statistics vpn
This command is used to clear the VPN statistics for the virtual site.
Netpool
    Basic Settings
vpn netpool name <netpool>
This command is used to define a Netpool for assigning VPN resources.
The administrator must configure this command whether backend resources are accessed through
the L3VPN tunnel or the Site2Site VPN tunnel.
netpool                         This parameter specifies the name of the Netpool. Its value must be
                                a string of 1 to 31 characters.
no vpn netpool name <netpool>
This command is used to delete a specified Netpool.
show vpn netpool name
This command is used to display all Netpools.
clear vpn netpool name
This command is used to clear all Netpools.
    Dynamic IP Assignment
The system can dynamically assign the IP address to the SSL VPN Client in either of the
following ways:
    • Dynamic IP range: When an end user is assigned the Netpool with the dynamic IP range
      configured, the system will pick up an IP address from the dynamic IP range.
    • DHCP server: When an end user is assigned the Netpool with the DHCP server configured,
      the system will communicate with the DHCP server to obtain the IP address.
For a Netpool, the dynamic IP range and the DHCP server are mutually exclusive.
vpn netpool iprange dynamic <netpool> <start_ip> <end_ip> [unit_name]
This command is used to configure a dynamic IPv4 range for the specified Netpool. When an end
user is assigned this Netpool, the VPN server will dynamically assign an IPv4 address from the
dynamic IPv4 range to the SSL VPN Client of the end user.
netpool                           This parameter specifies the name of the existing Netpool.
start_ip                          This parameter specifies the first IPv4 address in the dynamic IPv4
                                  range.
end_ip                            This parameter specifies the last IPv4 address in the dynamic IPv4
                                  range.
unit_name                         Optional. This parameter specifies the name of an existing HA unit
                                  to which this dynamic IPv4 range belongs.
                                  This parameter needs to be specified only when the HA function is
                                  enabled.
                                  The default value is empty.
           Note: In the Active/Active scenario, the dynamic IPv4 range of the local unit should not
           overlap with that of the peer unit.
In HA environment, different configurations should be made in different scenarios:
    • Active/Active scenario (each AG appliance is active for one or some VIPs of the virtual
      site)
In this scenario, you need to configure dynamic IP ranges specific to each unit on one AG
appliance and enable the HA runtime synconfig function on all AG appliances. The HA runtime
synconfig function can automatically synchronize the dynamic IP range configurations specific to
certain units to peer units.
For example:
On AG1:
vs(config)$vpn netpool iprange dynamic "test" 192.168.0.1 192.168.0.25 "unit1"
vs(config)$vpn netpool iprange dynamic "test" 192.168.0.26 192.168.0.50 "unit2"
After the configurations are finished, 25 IP addresses are available on each AG appliance and all
50 IP addresses can be used for the virtual site in total.
    • Active/Standby scenario (only one AG appliance is active for the virtual site)
In this scenario, you have two choices:
    • Configure dynamic IP ranges not specific to any unit on all AG appliances.
For example:
On AG1:
vs(config)$vpn netpool iprange dynamic "test" 192.168.0.1 192.168.0.50
On AG2:
vs(config)$vpn netpool iprange dynamic "test" 192.168.0.1 192.168.0.50
After the configurations are finished, 50 IP addresses will be available for the virtual site on the
active AG appliance.
    • Configure dynamic IP ranges specific to each unit on one AG appliance and enable HA
      runtime synconfig.
For example:
On AG1:
vs(config)$vpn netpool iprange dynamic "test" 192.168.0.1 192.168.0.25 "unit1"
vs(config)$vpn netpool iprange dynamic "test" 192.168.0.26 192.168.0.50 "unit2"
After the configurations are finished, each AG appliance uses its separate IP range of 25 IP
addresses when becoming active for the virtual site.
Choice                              Advantage                           Disadvantage
Configure dynamic IP ranges not     IP addresses of all the configured  IP conflicts may occur during HA
specific to any unit on all AG      IP ranges can be used.              failover.
appliances.
Configure dynamic IP ranges         Only IP addresses of the IP ranges  There is no IP conflict during HA
specific to each unit on one AG     specific to the active unit can be  failover.
appliance.                          used.
no vpn netpool iprange dynamic <netpool> <start_ip> <end_ip> [unit_name]
This command is used to delete a dynamic IPv4 range configured for the specified Netpool.
vpn netpool iprange dynamic6 <netpool> <start_ip> <end_ip> [unit_name]
This command is used to configure a dynamic IPv6 range for the specified Netpool. When an end
user is assigned this Netpool, the VPN server will dynamically assign an IPv6 address from the
dynamic IPv6 range to the SSL VPN Client of the end user.
netpool                           This parameter specifies the name of the existing Netpool.
start_ip                          This parameter specifies the first IPv6 address in the dynamic IPv6
                                  range.
end_ip                            This parameter specifies the last IPv6 address in the dynamic IPv6
                                  range.
unit_name                       Optional. This parameter specifies the name of an existing HA unit
                                to which this dynamic IPv6 range belongs.
                                This parameter needs to be specified only when the HA function is
                                enabled.
                                The default value is empty.
          Note:
             • The prefixes of the IPv6 addresses in the dynamic IPv6 range must be the same. Besides,
               the prefix length must be equal to or greater than 96 bits, meaning that “start_ip”
               and “end_ip” can differ only in the last 32 bits.
             • In the Active/Active scenario, the dynamic IPv6 range of the local unit should not
               overlap with that of the peer unit.
In HA environment, different configurations should be made for Active/Active and
Active/Standby scenario. For details, please refer to the command “vpn netpool iprange
dynamic”.
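The constraints stated for dynamic IPv4 and IPv6 ranges (a dynamic range and a DHCP server are mutually exclusive for one Netpool; unit-specific ranges must not overlap with the peer unit's; an IPv6 range may differ only in its last 32 bits) are easy to get wrong when typing many ranges by hand. The Python checker below is an added example, not Array Networks code: it validates a planned Netpool before the commands are entered and reports how many addresses each HA unit will have, reproducing the 25 + 25 = 50 count of the Active/Active example above. The configuration it checks is constructed, and treating "should not overlap" as a cross-unit check on every pair of ranges is an assumption.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed Active/Active configuration, mirroring the handbook's example:
#   vpn netpool iprange dynamic "test" 192.168.0.1 192.168.0.25 "unit1"
#   vpn netpool iprange dynamic "test" 192.168.0.26 192.168.0.50 "unit2"
# Each entry is (start_ip, end_ip, unit_name); unit_name "" means "not unit-specific".
Range = Tuple[str, str, str]
ACTIVE_ACTIVE: List[Range] = [
    ("192.168.0.1", "192.168.0.25", "unit1"),
    ("192.168.0.26", "192.168.0.50", "unit2"),
]


def range_size(start: str, end: str) -> int:
    """Number of addresses in an inclusive start..end range (IPv4 or IPv6)."""
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if a.version != b.version or a > b:
        raise ValueError(f"invalid range {start}-{end}")
    return int(b) - int(a) + 1


def ipv6_range_ok(start: str, end: str) -> bool:
    """Handbook rule for dynamic6: start and end share a prefix of at least
    96 bits, i.e. they may differ only in the last 32 bits."""
    a, b = ipaddress.IPv6Address(start), ipaddress.IPv6Address(end)
    return (int(a) >> 32) == (int(b) >> 32) and a <= b


def overlapping(r1: Range, r2: Range) -> bool:
    """True when two inclusive ranges of the same IP version share an address."""
    a1, b1 = ipaddress.ip_address(r1[0]), ipaddress.ip_address(r1[1])
    a2, b2 = ipaddress.ip_address(r2[0]), ipaddress.ip_address(r2[1])
    if a1.version != a2.version:
        return False
    return a1 <= b2 and a2 <= b1


def validate_netpool(ranges: List[Range], dhcp_servers: List[str]) -> List[str]:
    """Return a list of problems (empty means OK) for one Netpool.
    Checks: dynamic range and DHCP server are mutually exclusive; IPv6 ranges
    keep a >= 96-bit common prefix; ranges bound to different HA units do not
    overlap (assumption: this is how the "should not overlap with that of the
    peer unit" note is applied)."""
    problems: List[str] = []
    if ranges and dhcp_servers:
        problems.append("dynamic IP range and DHCP server are mutually exclusive")
    for start, end, _unit in ranges:
        try:
            range_size(start, end)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if ipaddress.ip_address(start).version == 6 and not ipv6_range_ok(start, end):
            problems.append(f"IPv6 range {start}-{end} differs beyond the last 32 bits")
    for i, r1 in enumerate(ranges):
        for r2 in ranges[i + 1:]:
            if r1[2] != r2[2] and overlapping(r1, r2):
                problems.append(
                    f"range {r1[0]}-{r1[1]} ({r1[2]}) overlaps {r2[0]}-{r2[1]} ({r2[2]})")
    return problems


def addresses_per_unit(ranges: List[Range]) -> Dict[str, int]:
    """Addresses available to each HA unit; the site total is the sum."""
    per_unit: Dict[str, int] = {}
    for start, end, unit in ranges:
        per_unit[unit] = per_unit.get(unit, 0) + range_size(start, end)
    return per_unit


if __name__ == "__main__":
    print(validate_netpool(ACTIVE_ACTIVE, []))   # [] means the plan is consistent
    print(addresses_per_unit(ACTIVE_ACTIVE))     # {'unit1': 25, 'unit2': 25}
```

Run the checker against the planned ranges of every Netpool before enabling HA runtime synconfig; an overlap reported here is exactly the IP-conflict-on-failover case the table above warns about.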
no vpn netpool iprange dynamic6 <netpool> <start_ip> <end_ip> [unit_name]
This command is used to delete a dynamic IPv6 range configured for the specified Netpool.
show vpn netpool iprange dynamic <netpool>
This command is used to display all dynamic IPv4 and IPv6 ranges configured for the specified
Netpool.
clear vpn netpool iprange dynamic <netpool>
This command is used to clear all dynamic IPv4 and IPv6 ranges configured for the specified
Netpool.
vpn netpool iprange dhcp server <netpool> <server_ip>
This command is used to configure a DHCP server for the specified Netpool. A maximum of three
DHCP servers can be configured.
netpool                         This parameter specifies the name of the existing Netpool.
server_ip                       This parameter specifies the IP address of the DHCP server. Its
                                value must be an IPv4 address.
no vpn netpool iprange dhcp server <netpool> <server_ip>
This command is used to delete a DHCP server configured for the specified Netpool.
show vpn netpool iprange dhcp server [netpool]
This command is used to display all DHCP servers configured for the specified Netpool. If the
“netpool” parameter is not specified, the DHCP servers configured for all Netpools will be
displayed.
clear vpn netpool iprange dhcp server [netpool]
This command is used to clear all DHCP servers configured for the specified Netpool. If the
“netpool” parameter is not specified, the DHCP servers configured for all Netpools will be
cleared.
vpn netpool iprange dhcp leasetime <netpool> <lease_time>
This command is used to set the lease time of the client IP address to be requested in the DHCP
request for the specified Netpool. After the lease time expires, the client IP address assigned by
the DHCP server cannot be used by the Netpool anymore.
netpool                         This parameter specifies the name of the existing Netpool.
lease_time                      This parameter specifies the desired lease time in minutes. Its value
                                must be an integer ranging from 5 to 43,200.
no vpn netpool iprange dhcp leasetime <netpool>
This command is used to delete the lease time settings of the client IP address in the DHCP
request for the specified Netpool.
vpn netpool iprange dhcp subnet <netpool> <subnet> <netmask>
This command is used to set the subnet distributed by the DHCP server for the specified Netpool.
When an end user is assigned this Netpool, the DHCP server will dynamically assign an IP
address to the SSL VPN Client of the end user.
netpool                         This parameter specifies the name of the existing Netpool.
subnet                          This parameter specifies the IP address of the subnet. Its value must
                                be an IPv4 address.
netmask                         This parameter specifies the netmask of the subnet.
no vpn netpool iprange dhcp subnet <netpool>
This command is used to delete the subnet to which the client IP address belongs in the DHCP
request for the specified Netpool.
vpn netpool iprange dhcp useclientmac <netpool>
This command is used to enable the AG appliance to send the client PC’s MAC address as the
unique client ID to request the IP address from the DHCP server, when the end user is assigned
the specified Netpool.
netpool                         This parameter specifies the name of the existing Netpool.
no vpn netpool iprange dhcp useclientmac <netpool>
This command is used to enable the AG appliance to send an automatically generated unique
client ID to request the IP address from the DHCP server, when the end user is assigned the
specified Netpool.
show vpn netpool iprange dhcp config [netpool]
This command is used to display the DHCP configurations of the specified Netpool. If the
“netpool” parameter is not specified, the DHCP configurations of all Netpools will be displayed.
   Windows SSL VPN Client Options
vpn netpool initmode activex <netpool>
This command is used to set the initiation mode of the Web-launched Array Client to “activex” for
the specified Netpool. In this mode, the Web-launched Array Client is set up with ActiveX
components. After a Netpool is configured, the “activex” VPN initiation mode is set for this
Netpool by default.
netpool                         This parameter specifies the name of the existing Netpool.
vpn netpool initmode java <netpool>
This command is used to set the initiation mode of the Web-launched Array Client to “java” for
the specified Netpool. In this mode, the Web-launched Array Client is set up with Java
components.
netpool                         This parameter specifies the name of the existing Netpool.
vpn netpool initmode autoswitch <netpool>
This command is used to enable auto switch between the “activex” and “java” initiation modes of
the Web-launched Array Client for the specified Netpool. With this function enabled, the
Web-launched Array Client is set up with ActiveX or Java depending on which works best with
the user’s PC environment. After a Netpool is configured, this function is enabled by default.
netpool                         This parameter specifies the name of the existing Netpool.
          Note: For IE and IE-core browsers, both the “activex” and “java” initiation modes can be
          used. However, for non-IE-core browsers, only the “java” initiation mode can be used.
          Therefore, this command only works for IE and IE-core browsers.
no vpn netpool initmode autoswitch <netpool>
This command is used to disable auto switch between the “activex” and “java” initiation modes of
the Web-launched Array Client for the specified Netpool.
vpn netpool stayconnected <netpool>
This command is used to instruct the Web-launched Array Client to keep the VPN tunnel
connected for the specified Netpool after the browser window is closed.
netpool                        This parameter specifies the name of the existing Netpool.
no vpn netpool stayconnected <netpool>
This command is used to instruct the Web-launched Array Client to terminate the VPN tunnel for
the specified Netpool after the browser window is closed.
vpn netpool trayindicate <netpool>
This command is used to enable the display of the red “A” icon in the system task tray for the
specified Netpool when the Standalone Array VPN Client establishes the VPN tunnel with the AG
appliance. After a Netpool is configured, this function is enabled for this Netpool by default.
netpool                        This parameter specifies the name of the existing Netpool.
no vpn netpool trayindicate <netpool>
This command is used to disable the display of the red “A” icon in the system task tray for the
specified Netpool when the Standalone Array VPN Client establishes the VPN tunnel with the AG
appliance.
vpn netpool webindicate <netpool>
This command is used to enable the display of the red “A” icon in the system task tray for the
specified Netpool when the Web-launched Array VPN Client establishes the VPN tunnel with the
AG appliance.
netpool                        This parameter specifies the name of the existing Netpool.
no vpn netpool webindicate <netpool>
This command is used to disable the display of the red “A” icon in the system task tray for the
specified Netpool when the Web-launched Array VPN Client establishes the VPN tunnel with the
AG appliance.
   Automatic VPN Launch
vpn netpool autolaunch <netpool> [mode]
This command is used to instruct the SSL VPN Client to automatically launch the VPN for the
specified Netpool.
netpool                         This parameter specifies the name of the existing Netpool.
mode                            Optional. This parameter specifies whether to skip the Welcome
                                page when VPN auto launch fails. Its value must only be:
                                    • “stoponerr”: indicates that the Welcome page will be skipped
                                      when VPN auto launch fails.
                                    • empty: indicates that the Welcome page will not be skipped
                                      when VPN auto launch fails.
                                The default value is empty.
no vpn netpool autolaunch <netpool>
This command is used to instruct the VPN client to not start automatically for the specified
Netpool.
    NAT
vpn netpool nat <netpool> [mode]
This command is used to enable the VPN Netpool NAT function for the specified Netpool. By
default, this function is disabled.
netpool                         This parameter specifies the name of the existing Netpool.
mode                            Optional. This parameter specifies whether the NAT configurations
                                under the global scope or under the virtual site scope are used for
                                VPN NAT.
                                    • “useglobal”: indicates that the NAT configurations under the
                                      global scope are used.
                                    • empty: indicates that the NAT configurations under the site
                                      scope are used.
                                The default value is empty.
          Note:
             • When the VPN Netpool NAT function is enabled and the administrator accesses the
               AG appliance through L3VPN, the AG appliance cannot initiate communication
               with the L3VPN client.
             • To use the Site2Site VPN function, the VPN NAT function should be disabled.
          The following commands cannot be executed if the SCP/TFTP server is installed on the
          L3VPN client:
             • write net scp
             • write net tftp
             • write net all scp
             • write net all tftp
             • configure net scp
             • configure net tftp
             • configure net http
             • configure net all scp
             • configure net all tftp
             • configure net all http
          The following commands cannot be executed to ping or traceroute the L3VPN client:
             • ping
             • ping6
             • traceroute
             • traceroute6
no vpn netpool nat <netpool>
This command is used to disable the VPN Netpool NAT function for the specified Netpool.
    IPSec over SSL
vpn netpool tunnelipsec <netpool>
This command is used to enable the IPSec over SSL function for the specified Netpool. By default,
this function is disabled.
netpool                            This parameter specifies the name of the existing Netpool.
no vpn netpool tunnelipsec <netpool>
This command is used to disable the IPSec over SSL function for the specified Netpool.
    Keep-alive Interval
vpn netpool keepalive <netpool> [interval]
This command is used to set the client keep-alive interval for the specified Netpool. When the
VPN tunnel has been inactive for the specified interval, the SSL VPN Client sends the VPN
server a “keepalive” packet to keep the VPN tunnel alive. After a Netpool is configured, the
default interval for this Netpool is 30 seconds.
netpool                         This parameter specifies the name of the existing Netpool.
interval                        This parameter specifies the interval, in seconds, after which the
                                SSL VPN Client sends a keepalive packet while the VPN tunnel is
                                inactive. Its value must be an integer ranging from 1 to 60.
no vpn netpool keepalive <netpool>
This command is used to reset the client keep-alive interval to its default value for the specified
Netpool.
    Routing
vpn netpool route gateway <netpool> <gateway_ip> [unit_name]
This command is used to configure a route gateway for the specified Netpool.
netpool                         This parameter specifies the name of the existing Netpool.
gateway_ip                      This parameter specifies the IP address of the route gateway. Its
                                value must be an IPv4 address.
unit_name                       Optional. This parameter specifies the name of an existing HA unit
                                for which this route gateway works.
                                This parameter needs to be specified only when the HA function is
                                enabled. If the HA function is disabled, this parameter setting will
                                be ignored.
                                The default value is empty.
           Note: This command works both for SSL VPN and Mobile VPN.
no vpn netpool route gateway <netpool> <gateway_ip> [unit_name]
This command is used to delete a route gateway of the specified Netpool.
vpn netpool route default <netpool>
This command is used to configure the default route using the route gateway (configured using the
“vpn netpool route gateway <netpool> <gateway_ip> [unit_name]” command) for the
specified Netpool. The default route for the Netpool will be used only when the received packet
sent by the SSL VPN Client does not match any route in the global routing table.
If this command is not configured for a Netpool, received packets will always be sent through the
route gateway configured for the Netpool using the “vpn netpool route gateway <netpool>
<gateway_ip> [unit_name]” command.
If neither the route gateway nor the default route is configured for the Netpool, the received packet
will be sent based on the global routing table.
netpool                         This parameter specifies the name of the existing Netpool.
          Note: This command works both for SSL VPN and Mobile VPN.
no vpn netpool route default <netpool>
This command is used to delete the default route gateway for the specified Netpool.
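The three routing cases described for a Netpool (gateway configured but no default route: every client packet goes through the gateway; gateway and default route both configured: the global routing table is consulted first and the gateway is used only when nothing matches; neither configured: the global routing table decides) are summarised in the following Python model. It is an added example, not Array Networks code; the global routing table, the addresses and the longest-prefix-match lookup are constructed assumptions, and a default route configured without a gateway is treated like "neither configured" because the handbook does not describe that case.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed global routing table: (destination network, next hop).
# Longest-prefix match is assumed; the handbook only says a packet does or does
# not "match any route in the global routing table".
GLOBAL_ROUTES: List[Tuple[str, str]] = [
    ("10.10.0.0/16", "10.10.0.254"),
    ("172.16.5.0/24", "172.16.5.1"),
]


def global_lookup(dst: str, routes: List[Tuple[str, str]]) -> Optional[str]:
    """Longest-prefix match; returns the next hop or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for net_s, hop in routes:
        net = ipaddress.ip_network(net_s)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None


def netpool_next_hop(dst: str, routes: List[Tuple[str, str]],
                     gateway: Optional[str], default_route: bool) -> Tuple[str, Optional[str]]:
    """Decide where a packet received from an SSL VPN Client is sent, following
    the handbook's description of "vpn netpool route gateway" and
    "vpn netpool route default":
      - gateway set, "route default" not set: always the gateway;
      - gateway set and "route default" set: global table first, gateway only
        when nothing matches;
      - no gateway: the global routing table decides (a "route default" without
        a gateway is treated the same way; assumption, not covered by the page).
    Returns (reason, next_hop); a next_hop of None means no usable route."""
    if gateway and not default_route:
        return ("netpool gateway (always)", gateway)
    hop = global_lookup(dst, routes)
    if hop is not None:
        return ("global routing table", hop)
    if gateway and default_route:
        return ("netpool default route", gateway)
    return ("no route", None)


if __name__ == "__main__":
    for dst in ("10.10.3.7", "8.8.8.8"):
        for gw, dflt in ((None, False), ("192.168.1.1", False), ("192.168.1.1", True)):
            print(dst, gw, dflt, netpool_next_hop(dst, GLOBAL_ROUTES, gw, dflt))
```

The practical point the model makes visible: configuring only "vpn netpool route gateway" bypasses the global routing table for all client traffic, so a Netpool that should reach both backend networks and the Internet needs "vpn netpool route default" as well.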
    Client Subnet
vpn netpool clientsubnet <netpool>
This command is used to add a client subnet resource item to a specified Netpool. After this
command is configured, the traffic destined for the local subnet will not be sent through the SSL
VPN tunnel. This function is useful when the SSL VPN tunnel contains the local subnet.
netpool                         This parameter specifies the name of the existing Netpool.
no vpn netpool clientsubnet <netpool>
This command is used to delete a client subnet resource item from a specified Netpool.
    VPN Traffic Logging
vpn netpool trafficlog <netpool>
This command is used to enable VPN traffic logging for the specified Netpool.
netpool                         This parameter specifies the name of the existing Netpool.
          Note: To use the Site2Site VPN function, the VPN traffic logging function should be
          disabled.
no vpn netpool trafficlog <netpool>
This command is used to disable VPN traffic logging for the specified Netpool.
    Windows Administrator Account
vpn netpool winadmin <netpool> <username> <password> [account_id]
This command is used to configure a Windows administrator account for the specified Netpool. If
the Netpool is authorized to a Windows user without administrator privileges, the Windows user
can use this Windows administrator account to install the Array Client. Otherwise, the Windows
user without administrator privileges cannot install the Array Client on Windows PCs. A
maximum of 255 Windows administrator accounts can be configured for a Netpool.
netpool                        This parameter specifies the name of the existing Netpool.
username                       This parameter specifies the username of the Windows
                               administrator account. Its value must be a case-insensitive string of
                               1 to 255 characters.
password                       This parameter specifies the password of the Windows
                               administrator account. Its value must be a case-insensitive string of
                               1 to 255 characters.
account_id                     Optional. This parameter specifies the ID that the Netpool assigns
                               to the Windows administrator account. Its value must be a string of
                               1 to 255 characters. If this parameter is omitted, the first account
                               configured without it receives the ID “1”, and the ID is increased
                               by 1 each subsequent time the parameter is omitted.
                               The IDs of Windows administrator accounts for a Netpool must be
                               unique.
                               The default value is “1”.
no vpn netpool winadmin <netpool> <account_id>
This command is used to delete a Windows administrator account for the specified Netpool.
show vpn netpool winadmin [netpool]
This command is used to display the Windows administrator accounts for the specified Netpool. If
the “netpool” parameter is not specified, the Windows administrator accounts of all Netpools will
be displayed.
      Proxy
vpn netpool proxy <netpool> <type> <server_url>
This command is used to set the inside proxy server for the specified Netpool. This function works
for SSL VPN only. This function should be used when AG cannot connect to the backend server.
netpool                        This parameter specifies the name of the existing Netpool.
type                           This parameter specifies the type of the proxy server. Its value must
                               only be “manual” or “script”.
server_url                     This parameter specifies the URL of the proxy server. Its value
                               must be a string of 1 to 256 characters. Its value must be:
                                   • “proxy_server”: specifies the inside proxy server and is
                                     available only when “type” is set to “manual”. Its value must
                                     be in the format of “host:port” in which the “host” part can be
                                     either an IP address or a hostname.
                                   • “script_url”: indicates the URL of the automatic configuration
                                     script used to determine the inside proxy server and is
                                     available only when “type” is set to “script”.
no vpn netpool proxy <netpool>
This command is used to delete the inside proxy server for the specified Netpool.
vpn netpool proxyrewrite on <netpool>
This command is used to enable the rewriting of the client proxy script for the specified Netpool.
By default, the rewriting of the client proxy script is enabled for every Netpool.
netpool                         This parameter specifies the name of the existing Netpool.
vpn netpool proxyrewrite off <netpool>
This command is used to disable the rewriting of the client proxy script for the specified Netpool.
netpool                         This parameter specifies the name of the existing Netpool.
      NetBIOS over TCP/IP
vpn netpool netbios {on|off} <netpool>
This command is used to enable or disable the Network Basic Input Output System (NetBIOS)
over TCP/IP function for the SSL VPN Client that is assigned the specified Netpool. By default,
this function is enabled for the SSL VPN Client. This function currently works only for the SSL
VPN Client on the Windows OS.
netpool                         This parameter specifies the name of an existing Netpool.
      Command Execution on VPN Connection or Disconnection
vpn netpool launch command <netpool> <path>
This command is used to add a path of the application or file to be executed upon successful
launch of a VPN tunnel for the specified Netpool. After this command is configured, the specified
application or file will be automatically opened when the VPN tunnel is established.
netpool                         This parameter specifies the name of the existing Netpool.
path                            This parameter specifies the path of the application or file to be
                                launched. If the file path is specified, the filename should be
                                specified. Its value must be a string of 1 to 256 characters.
For example:
vs(config)$vpn netpool launch command netpool1 c:\test\a.txt
After this command is executed, the file a.txt will be automatically opened when a VPN tunnel is
established.
no vpn netpool launch command <netpool> <path>
This command is used to delete a path of the application or file to be executed upon successful
launch of a VPN tunnel for the specified Netpool.
show vpn netpool launch command <netpool>
This command is used to display the list of applications or files to be executed upon successful
launch of a VPN tunnel for the specified Netpool.
clear vpn netpool launch command <netpool>
This command is used to clear the list of applications or files to be executed upon successful
launch of a VPN tunnel for the specified Netpool.
vpn netpool launch stoponerr <netpool>
This command is used to instruct the Array Client to terminate the VPN tunnel if the execution of
applications or files configured using the “vpn netpool launch command” command encounters
any error, when the end user is assigned the specified Netpool.
netpool                         This parameter specifies the name of the existing Netpool.
no vpn netpool launch stoponerr <netpool>
This command is used to instruct the Array Client to maintain a connection even if the execution
of applications or files configured using the “vpn netpool launch command” command
encounters any error, when the end user is assigned the specified Netpool.
vpn netpool disconnect command <netpool> <path>
This command is used to add a path of the application or file to be executed upon successful
disconnection of a VPN tunnel for the specified Netpool. After this command is configured, the
specified application or file will be automatically opened when the VPN tunnel is disconnected.
netpool                         This parameter specifies the name of the existing Netpool.
path                            This parameter specifies the path of the command to be launched.
                                Its value must be a string of 1 to 256 characters.
For example:
vs(config)$vpn netpool disconnect command netpool1 c:\test\a.txt
After this command is executed, the file a.txt will be opened when a VPN tunnel is disconnected.
no vpn netpool disconnect command <netpool> <path>
This command is used to delete a path of the application or file to be executed upon successful
disconnection of VPN tunnel for the specified Netpool.
show vpn netpool disconnect command <netpool>
This command is used to display the list of applications or files to be executed upon successful
disconnection of a VPN tunnel for the specified Netpool.
clear vpn netpool disconnect command <netpool>
This command is used to clear the list of applications or files to be executed upon successful
disconnection of a VPN tunnel for the specified Netpool.
vpn netpool disconnect stoponerr <netpool>
This command is used to instruct the Array Client to maintain a connection if the execution of
applications or files configured using the “vpn netpool disconnect command” command
encounters any error, when the end user is assigned the specified Netpool.
netpool                         This parameter specifies the name of the existing Netpool.
no vpn netpool disconnect stoponerr <netpool>
This command is used to instruct the Array Client to drop a connection even if the execution of
applications or files configured using the “vpn netpool disconnect command” command
encounters any error, when the end user is assigned the specified Netpool.
    DNS Settings
vpn netpool dns hostmap <netpool> <hostname> [hostip]
This command is used to add a static IPv4 DNS record for the specified host name in the specified
Netpool. This function works for SSL VPN only.
netpool                         This parameter specifies the name of the existing Netpool.
hostname                        This parameter specifies the hostname of the DNS server. Its value
                                must be a string of 1 to 31 characters.
hostip                          Optional. This parameter specifies the IPv4 address of the DNS
                                server. The default value is “127.0.0.1”.
no vpn netpool dns hostmap <netpool> <hostname> [hostip]
This command is used to delete an IPv4 DNS host for the specified Netpool.
vpn netpool dns hostmap6 <netpool> <hostname> <hostip>
This command is used to add a static IPv6 DNS record for the specified host name in the specified
Netpool. This function works for SSL VPN only.
netpool                         This parameter specifies the name of the existing Netpool.
hostname                        This parameter specifies the hostname of the DNS server. Its value
                                must be a string of 1 to 31 characters.
hostip                          This parameter specifies the IPv6 address of the DNS server.
no vpn netpool dns hostmap6 <netpool> <hostname> [hostip]
This command is used to delete an IPv6 DNS host record for the specified Netpool.
show vpn netpool dns hostmap <netpool>
This command is used to display all IPv4 and IPv6 DNS hosts for the specified Netpool.
clear vpn netpool dns hostmap <netpool>
This command is used to clear all IPv4 and IPv6 DNS hosts for the specified Netpool.
vpn netpool dns timeout local <netpool> <timeout>
This command is used to set the timeout of the local DNS server for the specified Netpool. After a
Netpool is configured, the default timeout of the local DNS server for this Netpool is 1000
milliseconds.
netpool                         This parameter specifies the name of the Netpool.
timeout                         This parameter specifies the timeout value in milliseconds. Its value
                                must be an integer ranging from 5 to 3,000.
          Note: This command works for the SSL VPN Client on Windows only.
no vpn netpool dns timeout local <netpool>
This command is used to reset the timeout of the local DNS server to its default value for the
specified Netpool.
vpn netpool dns timeout virtual <netpool> <timeout>
This command is used to set the timeout of the virtual DNS server (including global DNS servers
and site DNS servers) for the specified Netpool. After a Netpool is configured, the default timeout
of the virtual DNS server for this Netpool is 1000 milliseconds.
netpool                         This parameter specifies the name of the existing Netpool.
timeout                         This parameter specifies the timeout value in milliseconds. Its value
                                must be an integer ranging from 5 to 3,000. Some network
                                environments, such as 3G or Wi-Fi, have a very large round-trip
                                time (RTT). Administrators should increase the Netpool’s DNS
                                timeout value if the SSL VPN Client users’ network RTT is larger
                                than the virtual site’s default DNS timeout.
          Note: This command works for the SSL VPN Client on Windows only.
no vpn netpool dns timeout virtual <netpool>
This command is used to reset the timeout of the virtual DNS server to its default value for the
specified Netpool.
vpn netpool dns timeout windows <netpool> <timeout>
This command is used to set the timeout of the Windows DNS server for the specified Netpool.
After a Netpool is configured, the default timeout of the Windows DNS server for this Netpool is
5000 milliseconds.
netpool                         This parameter specifies the name of the existing Netpool.
timeout                         This parameter specifies the timeout value in milliseconds. Its value
                                must be between 1,000 and 15,000.
no vpn netpool dns timeout windows <netpool>
This command is used to reset the timeout of the Windows DNS server to its default value for the
specified Netpool.
vpn netpool dns filter virtual <netpool> <host> <flag>
This command is used to configure a virtual DNS filter rule for the specified Netpool. After this
command is configured, when the hostname to be resolved by the SSL VPN Client matches the
“host” parameter specified by the virtual DNS filter rule, the SSL VPN Client will use only the
virtual DNS server (DNS server assigned by the virtual site) to perform the DNS resolution. When
the hostname does not match the virtual DNS filter rule, the Array SSL VPN Client will perform
DNS resolution according to the setting of the “flag” parameter.
Besides, if the hostname matches multiple virtual DNS filter rules, the SSL VPN Client will select
the longest matching virtual DNS filter rule.
netpool                         This parameter specifies the name of the existing Netpool.
host                            This parameter specifies the hostname to be resolved. Its value must
                                be a string of 1 to 31 characters in the format of xxx.yyy.zzz. The
                                value “all” indicates all hostnames. The wildcard “*” is also
                                supported.
flag                            This parameter specifies the policy that the system will implement
                                for DNS queries that do not match the virtual DNS filter rule. Its
                                value must be:
                                    - 0: indicates that the SSL VPN Client will perform the normal
                                      DNS resolution process. Please refer to the ArrayOS AG User
                                      Guide for details.
                                    - 1: indicates that the SSL VPN Client will use only the local
                                      DNS server to perform the DNS resolution.
                                If the “host” parameter is set to “all”, the SSL VPN Client will use
                                only the virtual DNS server to perform the DNS resolution,
                                regardless of what the “flag” parameter is set to.
For example:
vs(config)#vpn netpool dns filter virtual pool "a.b.com" 0
vs(config)#vpn netpool dns filter virtual pool "*.a.com" 1
vs(config)#vpn netpool dns filter virtual pool "*.c.*" 1
no vpn netpool dns filter virtual <netpool> <host>
This command is used to delete the specified virtual DNS filter rule configured for the specified
Netpool.
vpn netpool dns filter local <netpool> <host> <flag>
This command is used to configure a local DNS filter rule for the specified Netpool. After this
command is configured, when the hostname to be resolved by the SSL VPN Client matches the
“host” parameter specified by the local DNS filter rule, the SSL VPN Client will use only the local
DNS server to perform the DNS resolution. When the hostname does not match the local DNS
filter rule, the SSL VPN Client will perform DNS resolution according to the setting of the “flag”
parameter.
Besides, if the hostname matches multiple local DNS filter rules, the SSL VPN Client will use the
longest matching local DNS filter rule.
netpool                         This parameter specifies the name of the existing Netpool.
host                            This parameter specifies the hostname to be resolved. Its value must
                                be a string of 1 to 31 characters in the format of xxx.yyy.zzz. The
                                value “all” indicates all hostnames. The wildcard “*” is also
                                supported.
flag                             This parameter specifies the policy that the system will implement
                                 for DNS queries that do not match the local DNS filter rule. Its
                                 value must be:
                                     - 0: indicates that the SSL VPN Client will perform the normal
                                       DNS resolution process. Please refer to the ArrayOS AG User
                                       Guide for details.
                                     - 1: indicates that the SSL VPN Client will use only the virtual
                                       DNS server to perform the DNS resolution.
                                 If the “host” parameter is set to “all”, the SSL VPN Client will use
                                 only the local DNS server to perform the DNS resolution,
                                 regardless of what the “flag” parameter is set to.
For example:
vs(config)#vpn netpool dns filter local pool "a.b.com" 0
vs(config)#vpn netpool dns filter local pool "*.a.com" 1
vs(config)#vpn netpool dns filter local pool "*.c.*" 1
        Note:
              - If no virtual or local DNS filter rule is configured, the SSL VPN Client will perform
                the normal DNS resolution process.
              - If both virtual and local DNS filter rules are configured:
                  - If the hostname matches one virtual DNS filter rule, the virtual DNS filter rule
                    will take effect.
                  - If the hostname does not match any virtual DNS filter rule but matches one local
                    DNS filter rule, the local DNS filter rule will take effect.
                  - If the hostname does not match any virtual or local DNS filter rule, but one
                    virtual DNS filter rule with flag=1 exists, this virtual DNS filter rule will take
                    effect.
                  - If the hostname does not match any virtual or local DNS filter rule, but one
                    virtual DNS filter rule with flag=0 exists, the Array SSL VPN Client will perform
                    the normal DNS resolution process.
no vpn netpool dns filter local <netpool> <host>
This command is used to delete the specified local DNS filter rule configured for the specified
Netpool.
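The following Python is an added example, not code from the handbook or from Array Networks: it models the rule selection described for the virtual and local DNS filter rules and the Note above (longest matching rule, "all", the "*" wildcard, and the precedence between virtual and local rules), using the handbook's own example commands as constructed input. One tie-break the handbook does not state is assumed and marked as such in the code: when no rule matches and the rules of a scope carry different flags, flag=1 is taken to win.

```python
"""Model of the SSL VPN Client DNS filter rule selection (added example)."""
import re
import shlex
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Sequence

# The three outcomes a query can have on the client.
NORMAL = "normal"          # the client's normal DNS resolution process
VIRTUAL_ONLY = "virtual"   # only the DNS server assigned by the virtual site
LOCAL_ONLY = "local"       # only the local DNS server

# Strips a leading "vs(config)#" / "vs(config)$" style prompt from a pasted line.
_PROMPT = re.compile(r"^\S*\(config\)[#$]\s*")


@dataclass(frozen=True)
class FilterRule:
    scope: str   # "virtual" or "local"
    host: str    # "all", an exact name, or a pattern using the "*" wildcard
    flag: int    # policy for queries that match no rule: 0 or 1


def parse_filter_command(line: str) -> FilterRule:
    """Turn a 'vpn netpool dns filter {virtual|local} <netpool> <host> <flag>' line into a rule."""
    tokens = shlex.split(_PROMPT.sub("", line.strip()))
    if len(tokens) != 8 or tokens[:4] != ["vpn", "netpool", "dns", "filter"]:
        raise ValueError(f"not a DNS filter command: {line!r}")
    scope, _netpool, host, flag = tokens[4:]
    if scope not in ("virtual", "local") or flag not in ("0", "1"):
        raise ValueError(f"bad scope or flag in: {line!r}")
    if not 1 <= len(host) <= 31:
        raise ValueError("host must be 1 to 31 characters")
    return FilterRule(scope, host, int(flag))


def rule_matches(rule: FilterRule, hostname: str) -> bool:
    """'all' matches every name; otherwise glob-match, case-insensitively (DNS names are)."""
    if rule.host == "all":
        return True
    return fnmatchcase(hostname.lower(), rule.host.lower())


def best_match(rules: Sequence[FilterRule], scope: str, hostname: str) -> Optional[FilterRule]:
    """Longest matching rule of the given scope, as the handbook specifies; None if no match."""
    candidates = [r for r in rules if r.scope == scope and rule_matches(r, hostname)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: len(r.host))


def _restrictive_flag(rules: List[FilterRule]) -> bool:
    """Flag that applies to a non-matching query.

    Assumption (not stated in the handbook): if rules in one scope disagree, flag=1 wins.
    """
    return any(r.flag == 1 for r in rules)


def resolve_policy(rules: Sequence[FilterRule], hostname: str) -> str:
    """Which resolver the client uses for hostname, following the precedence in the Note."""
    if not rules:
        return NORMAL                       # no rule at all: normal resolution
    if best_match(rules, "virtual", hostname) is not None:
        return VIRTUAL_ONLY                 # a virtual rule matched: virtual DNS server only
    if best_match(rules, "local", hostname) is not None:
        return LOCAL_ONLY                   # a local rule matched: local DNS server only
    virtual_rules = [r for r in rules if r.scope == "virtual"]
    if virtual_rules:
        # Nothing matched: a virtual rule's flag decides (1: local only, 0: normal).
        return LOCAL_ONLY if _restrictive_flag(virtual_rules) else NORMAL
    # Only local rules exist and none matched: their flag decides (1: virtual only, 0: normal).
    return VIRTUAL_ONLY if _restrictive_flag(list(rules)) else NORMAL


# Constructed input: the six example commands given in the handbook text.
HANDBOOK_EXAMPLES = [
    'vs(config)#vpn netpool dns filter virtual pool "a.b.com" 0',
    'vs(config)#vpn netpool dns filter virtual pool "*.a.com" 1',
    'vs(config)#vpn netpool dns filter virtual pool "*.c.*" 1',
    'vs(config)#vpn netpool dns filter local pool "a.b.com" 0',
    'vs(config)#vpn netpool dns filter local pool "*.a.com" 1',
    'vs(config)#vpn netpool dns filter local pool "*.c.*" 1',
]

if __name__ == "__main__":
    rules = [parse_filter_command(line) for line in HANDBOOK_EXAMPLES]
    for name in ("a.b.com", "www.a.com", "srv.c.lab", "intranet.example"):
        print(f"{name:20} -> {resolve_policy(rules, name)}")
```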
clear vpn netpool dns filter <netpool>
This command is used to clear all virtual and local DNS filter rules configured for the specified
Netpool.
vpn netpool dns clientproxy {on|off} <netpool>
This command is used to enable or disable the client DNS proxy function for a specified Netpool.
This function works only for the SSL VPN Clients installed on Windows PCs.
    - With this function enabled, the SSL VPN Client resolves all DNS queries by following a
      fixed DNS resolution process in which the DNS settings configured for the specified Netpool
      are used first.
    - With this function disabled, the SSL VPN Client resolves DNS queries based on the DNS
      resolution process of the Windows TCP/IP protocol on the PC on which the SSL VPN Client
      is installed.
By default, this function is enabled.
netpool                         This parameter specifies the name of an existing Netpool.
          Note: IPv6 DNS queries, except those matching an IPv6 DNS hostmap entry (configured
          using the “vpn netpool dns hostmap6” command), cannot be processed by the client DNS
          proxy function.
show vpn netpool dns config [netpool]
This command is used to display the DNS configurations of the specified Netpool. If the “netpool”
parameter is not specified, the DNS server configurations of all DNS servers will be displayed.
    Multicast Forwarding
vpn netpool multicast <netpool>
This command is used to enable the multicast forwarding function for the specified Netpool.
netpool                         This parameter specifies the name of the existing Netpool.
no vpn netpool multicast <netpool>
This command is used to disable the multicast forwarding function for the specified Netpool.
show vpn netpool config [netpool]
This command is used to display the configurations of the specified Netpool or, if the “netpool”
parameter is not specified, of all Netpools.
VPN Resource/VPN Resource Group
vpn resource group <resource_group>
This command is used to define a VPN resource group.
The administrator should configure this command whether backend resources are accessed through
the L3VPN tunnel or the Site2Site VPN tunnel.
resource_group                 This parameter specifies the name of the VPN resource group. Its
                               value must be a string of 1 to 31 characters.
no vpn resource group <resource_group>
This command is used to delete a VPN resource group.
show vpn resource group [resource_group]
This command is used to display the specified VPN resource group. If the “resource_group”
parameter is not specified, all VPN resource groups will be displayed.
clear vpn resource group [resource_group]
This command is used to delete the specified VPN resource group and clear all related
configurations. If the “resource_group” parameter is not specified, all VPN resource groups and
related configurations will be cleared.
vpn resource groupitem network <resource_group> <net_resource> [type]
This command is used to add a network resource item to the specified VPN resource group. When
the L3VPN or Site2Site VPN tunnel is established, the traffic to the network resources specified
by the “net_resource” parameter will pass through the L3VPN tunnel or Site2Site VPN tunnel.
For Site2Site VPN, to make the subnets on the spokes and hubs accessible, you should configure
them as network resources. If NAT rules are configured for Site2Site VPN using the “vpn
site2site forward” command, you should configure the virtual subnet specified by the parameters
“virtual_subnet_IP” and “virtual_subnet_netmask” as the network resource instead of the real
subnet on the spoke/hub.
resource_group                 This parameter specifies the name of the existing VPN resource
                               group.
net_resource                   This parameter specifies the name of the network resource. Its value
                               must be a string of 7 to 127 characters in the format of
                               “[IP]/[Mask]:[Start Port]-[End Port]” or “[Start IP]-[End IP]:[Start
                               Port]-[End Port]”. For the “[Start IP]-[End IP]:[Start Port]-[End
                               Port]” format, a standard IP range should be used; otherwise the
                               configuration will fail to take effect. Please note that both IPv4 and
                               IPv6 network resources are supported. The [IP]/[Mask] or [Start
                               IP]-[End IP] part is mandatory while the “[Start Port]-[End Port]”
                               part is optional. When the “[Start Port]-[End Port]” part is not
                               contained, all the ports are included.
                               For Site2Site VPN with NAT configured, the parameter value
                               should be set to the subnet specified by the parameters
                               “virtual_subnet_IP” and “virtual_subnet_netmask”.
type                           Optional. This parameter specifies the type of the services that can
                               use the network resource. Its value must be:
                                   - “0”: indicates that this network resource is used for both L3
                                     and L4 services.
                                   - “1”: indicates that this network resource is used for L3 or
                                     Site2Site services.
                                   - “2”: indicates that this network resource is used for only L4
                                     services.
                               The default value is “1”.
                               Note: This parameter must be set to “1” for the Site2Site VPN
                               function.
For example:
vs(config)$vpn resource groupitem network "g1" "10.10.10.0/24"
vs(config)$vpn resource groupitem network "g2" "fe80:1001::/64:0-65535" 1
vs(config)$vpn resource groupitem network "g1" "172.16.2.1-172.16.2.127" 1
vs(config)$vpn resource groupitem network "g2" "172.16.0.1-172.16.3.255: 0-65535" 1
no vpn resource groupitem network <resource_group> <net_resource>
This command is used to delete a network resource item from the specified VPN resource group.
show vpn resource groupitem network [resource_group]
This command is used to display the network resource items for the specified VPN resource group.
If the “resource_group” parameter is not specified, all the network resource items of all VPN
resource groups will be displayed.
clear vpn resource groupitem network [resource_group]
This command is used to clear the network resource items for the specified VPN resource group.
If the “resource_group” parameter is not specified, all the network resource items of all VPN
resource groups will be cleared.
vpn resource groupexcludeditem network <resource_group> <net_resource> [type]
This command is used to add a network resource item to the exclude list for the specified VPN
resource group. For L3VPN, when the L3VPN tunnel is established, clients cannot access the
network resources specified by the “net_resource” parameter through the L3VPN tunnel.
resource_group                 This parameter specifies the name of the existing VPN resource
                               group.
net_resource                   This parameter specifies the name of the network resource. Its value
                               must be a string of 7 to 127 characters in the format of
                               “[IP]/[Mask]:[Start Port]-[End Port]” or “[Start IP]-[End IP]:[Start
                               Port]-[End Port]”. For the “[Start IP]-[End IP]:[Start Port]-[End
                               Port]” format, a standard IP range should be used; otherwise the
                               configuration will fail to take effect. Please note that both IPv4 and
                               IPv6 network resources are supported. The [IP]/[Mask] or [Start
                               IP]-[End IP] part is mandatory while the “[Start Port]-[End Port]”
                               part is optional. When the “[Start Port]-[End Port]” part is not
                               contained, all the ports are included.
type                           Optional. This parameter specifies the type of the services that can
                               use the network resource. Its value must be:
                                   - “0”: indicates that this network resource is excluded for both
                                     L3 and L4 services.
                                   - “1”: indicates that this network resource is excluded for L3
                                     services.
                                   - “2”: indicates that this network resource is excluded for only
                                     L4 services.
                               The default value is “1”.
        Note: If the default gateway is not configured for a client PC, the excluded list configured
        for the VPN network resource group will fail to take effect for the client PC.
For example:
vs(config)$vpn resource groupexcludeditem network "g1" "10.10.10.0/24"
vs(config)$vpn resource groupexcludeditem network "g2" "fe80:1001::/64:0-65535" 1
vs(config)$vpn resource groupexcludeditem network "g1" "172.16.2.1-172.16.2.127" 1
vs(config)$vpn resource groupexcludeditem network "g2" "172.16.0.1-172.16.3.255:0-65535" 1
no vpn resource groupexcludeditem network <resource_group> <net_resource>
This command is used to delete a network resource item from the excluded list for the specified
VPN resource group.
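As an added example (not code from the handbook or from Array Networks), the following Python parses the net_resource format shared by “vpn resource groupitem network” and “vpn resource groupexcludeditem network” (IPv4 and IPv6, [IP]/[Mask] or [Start IP]-[End IP], optional port range, standard-range and length checks) and decides whether a destination is sent through the L3VPN tunnel given a group's included and excluded items. It assumes that an excluded item overrides an included one and ignores the “type” parameter (all items treated as L3 resources); the sample lists are constructed from the handbook's own examples.

```python
"""Parse and evaluate L3VPN network resource items (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Address part followed by an optional ":[Start Port]-[End Port]". The lazy address
# group stops at the first colon that is followed by a port range, so IPv6 colons are
# left alone; "\s*" tolerates the space after the colon seen in one handbook example.
_RESOURCE_RE = re.compile(r"^(?P<addr>.+?)(?::\s*(?P<p1>\d{1,5})-(?P<p2>\d{1,5}))?$")


@dataclass(frozen=True)
class NetResource:
    first: IPAddress
    last: IPAddress
    start_port: int
    end_port: int

    @property
    def version(self) -> int:
        return self.first.version

    def contains(self, ip: IPAddress, port: int) -> bool:
        # Version is checked first: mixed-version comparisons raise TypeError.
        return (ip.version == self.version
                and self.first <= ip <= self.last
                and self.start_port <= port <= self.end_port)


def parse_net_resource(text: str) -> NetResource:
    """Parse one net_resource string; raises ValueError for anything the CLI would reject."""
    text = text.strip()
    if not 7 <= len(text) <= 127:
        raise ValueError("net_resource must be 7 to 127 characters")
    m = _RESOURCE_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised net_resource: {text!r}")
    addr = m.group("addr")
    if m.group("p1") is not None:
        start_port, end_port = int(m.group("p1")), int(m.group("p2"))
    else:
        start_port, end_port = 0, 65535          # no port part: all ports are included
    if not 0 <= start_port <= end_port <= 65535:
        raise ValueError(f"bad port range in {text!r}")
    if "/" in addr:                               # "[IP]/[Mask]" form
        net = ipaddress.ip_network(addr, strict=False)
        first, last = net.network_address, net.broadcast_address
    elif "-" in addr:                             # "[Start IP]-[End IP]" form
        lo, hi = (ipaddress.ip_address(p.strip()) for p in addr.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"not a standard IP range: {addr!r}")
        first, last = lo, hi
    else:                                         # a single host
        first = last = ipaddress.ip_address(addr)
    return NetResource(first, last, start_port, end_port)


def is_valid_net_resource(text: str) -> bool:
    try:
        parse_net_resource(text)
        return True
    except ValueError:
        return False


def tunnel_decision(includes: Iterable[str], excludes: Iterable[str],
                    ip: str, port: int) -> bool:
    """True if traffic to ip:port goes through the L3VPN tunnel.

    Assumption: an excluded item overrides an included one, and the "type"
    parameter is ignored (everything is treated as an L3 resource).
    """
    dest = ipaddress.ip_address(ip)
    included = [parse_net_resource(r) for r in includes]
    excluded = [parse_net_resource(r) for r in excludes]
    if any(r.contains(dest, port) for r in excluded):
        return False
    return any(r.contains(dest, port) for r in included)


# Constructed sample group, built from the handbook's example values.
INCLUDED = ["10.10.10.0/24", "172.16.2.1-172.16.2.127", "fe80:1001::/64:0-65535"]
EXCLUDED = ["10.10.10.0/24:3389-3389"]      # keep one service off the tunnel

if __name__ == "__main__":
    for ip, port in (("10.10.10.5", 443), ("10.10.10.5", 3389), ("172.16.2.200", 80)):
        print(f"{ip}:{port} -> tunnel={tunnel_decision(INCLUDED, EXCLUDED, ip, port)}")
```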
show vpn resource groupexcludeditem network [resource_group]
This command is used to display the list of excluded network resource items for the specified
VPN resource group. If the “resource_group” parameter is not specified, the lists of excluded
network resource items for all VPN resource groups will be displayed.
clear vpn resource groupexcludeditem network [resource_group]
This command is used to clear the entire list of excluded network resource items for the specified
VPN resource group. If the “resource_group” parameter is not specified, the lists of excluded
network resource items for all VPN resource groups will be cleared.
vpn resource groupitem appname <resource_group> <application_name> <executable_name> [hash]
This command is used to add an application resource item to the specified VPN resource group.
resource_group                 This parameter specifies the name of the VPN resource group. Its
                               value must be a string of 1 to 31 characters.
application_name               This parameter specifies the application name. Its value must be a
                               string of 1 to 63 characters.
executable_name                This parameter specifies the image name of the application. Its
                               value must be a case-sensitive string of 1 to 256 characters.
hash                           Optional. This parameter specifies the MD5 hash value. Its value
                               must be a string of 1 to 32 characters.
                               If this parameter is specified, the SSL VPN client will verify the
                               MD5 hash value of the application. The packets can be sent through
                               the VPN tunnel only when the verification is successful.
                               The default value is “0”, indicating any MD5 value of the
                               application is acceptable.
no vpn resource groupitem appname <resource_group> <application_name>
This command is used to delete an application resource item from the specified VPN resource
group.
show vpn resource groupitem appname [resource_group]
This command is used to display the application resource items for the specified VPN resource
group. If the “resource_group” parameter is not specified, application resource items of all VPN
resource groups will be displayed.
clear vpn resource groupitem appname [resource_group]
This command is used to clear application resource items for the specified VPN resource group. If
the “resource_group” parameter is not specified, application resource items of all VPN resource
groups will be cleared.
vpn resource groupexcludeditem appname <resource_group> <application_name> <executable_name>
This command is used to add an application resource item to the exclude list for the specified
VPN resource group.
resource_group                  This parameter specifies the name of a VPN resource group. Its
                                value must be a string of 1 to 31 characters.
application_name                This parameter specifies the application name. Its value must be a
                                string of 1 to 63 characters.
executable_name                 This parameter specifies the executable name. Its value must be a
                                string of 1 to 256 characters. This parameter is case-sensitive.
no vpn resource groupexcludeditem appname <resource_group> <application_name>
This command is used to delete an application resource item from the exclude list of the specified
VPN resource group.
show vpn resource groupexcludeditem appname [resource_group]
This command is used to display the list of excluded application resource items for the specified
VPN resource group. If the “resource_group” parameter is not specified, the lists of excluded
application resource items for all VPN resource groups will be displayed.
clear vpn resource groupexcludeditem appname [resource_group]
This command is used to clear the list of excluded application resource items for the specified
VPN resource group. If the “resource_group” parameter is not specified, the lists of excluded
application resource items for all VPN resource groups will be cleared.
Speed Tunnel
The system supports three types of VPN Tunnels: TCP tunnel, UDP tunnel and DTLS tunnel. By
default, the TCP tunnel will be established after the VPN is connected.
vpn speedtunnel port <port> [type]
This command is used to enable or disable the UDP or DTLS Speed Tunnel. If this command is
not configured, both the UDP and DTLS Speed Tunnels are disabled.
port                            This parameter specifies the listening port for the UDP or DTLS
                                Speed Tunnel. Its value must be an integer ranging from 0 to
                                65,535. 0 indicates that the UDP or DTLS Speed Tunnel is disabled.
                                1 to 65,535 indicates that the UDP or DTLS Speed Tunnel is
                                enabled and listens on the specified port.
type                           Optional. This parameter specifies the type of the Speed Tunnel. Its
                               value must be:
                                   0: indicates the DTLS Speed Tunnel.
                                   1: indicates the UDP Speed Tunnel.
                               The default value is 0.
vpn speedtunnel dispatch <mode>
This command is used to configure the default dispatch rule for VPN data, including TCP data
and UDP data. If this command is not configured, all VPN data goes through the TCP Tunnel.
This command takes effect only after both the TCP tunnel and a Speed Tunnel (UDP tunnel or DTLS
tunnel) are enabled.
mode                           This parameter specifies how the VPN data is dispatched. Its value
                               must be:
                                   0: indicates that all VPN data goes through the TCP Tunnel.
                                   1: indicates that TCP data goes through the TCP Tunnel and
                                    UDP data goes through the Speed Tunnel.
                                   2: indicates that TCP data goes through the Speed Tunnel and
                                    UDP data goes through the TCP Tunnel.
                                   3: indicates that all VPN data goes through the Speed Tunnel.
vpn speedtunnel encryption {on|off}
This command is used to enable or disable the encryption function for the UDP Speed Tunnel.
When the encryption function is enabled, the traffic sent through the UDP Speed Tunnel will be
encrypted; otherwise, the traffic sent through the UDP Speed Tunnel will be in plain text. By
default, this function is enabled.
dtls settings protocol <protocol>
This command is used to set the Datagram Transport Layer Security (DTLS) protocol version
used to encrypt the DTLS Speed Tunnel. If this command is not configured, DTLS version 1.0 is
used to encrypt the DTLS Speed Tunnel.
protocol                       This parameter specifies the DTLS protocol version used to encrypt
                               the DTLS Speed Tunnel. Its value must only be “DTLSv1”,
                               indicating DTLS version 1.0.
dtls settings ciphersuite <cipher_suite>
This command is used to set the cipher suite(s) for the DTLS Speed Tunnel.
If this command is already configured, this command can also be used to update the existing
cipher suite(s) set for the DTLS Speed Tunnel.
cipher_suite                     This parameter specifies the cipher suite(s) for the DTLS Speed
                                 Tunnel. Its value must be “DES-CBC3-SHA”, “AES128-SHA” or
                                 “AES256-SHA”. If multiple cipher suites are configured, they must
                                 be separated by colons.
show dtls settings
This command is used to display the DTLS settings for the virtual site.
For example:
vs(config)$show dtls settings
Vhost name: "vs"
Public Key Length: 2048 bit
DTLS version: DTLSv1
Ciphersuite: DES-CBC3-SHA:AES128-SHA:AES256-SHA
show statistics dtls
This command is used to display the DTLS connection and session statistics.
For example:
vs(config)$show statistics dtls
DTLS Connection Statistics for "vs"
          Open DTLS connections      :0
          Accepted DTLS connections : 0
          Requested DTLS connections : 0
          5 minutes requested rate    : 0 connections/sec
clear statistics dtls
This command is used to clear the DTLS connection and session statistics.
VPN Valid Code
vpn validcode <validcode>
This command is used to enable the valid code function and set the valid code for the virtual site.
When this function is enabled, only the standalone VPN client can be used to access the virtual
site and the valid code passed from the standalone VPN client during authentication must be
identical to the valid code configured for the virtual site. If the two valid codes are not identical,
the user will fail the authentication and be rejected.
validcode                        This parameter specifies the valid code. Its value must be a string of
                                 8 to 32 characters.
no vpn validcode
This command is used to disable the valid code function and clear the valid code.
Mobile VPN
virtual site ipsec <virtual_site> <ip> [type]
This global command is used to create an IPSec service for the specified virtual site.
virtual_site                     This parameter specifies the existing virtual site name.
ip                               This parameter specifies the IP address of the virtual site.
type                             Optional. This parameter specifies the type of the IPSec service. Its
                                 value must only be:
                                     “transport”: indicates that an L2TP over IPSec tunnel will be
                                      established between the mobile client and AG.
                                     “tunnel”: indicates that an IPSec tunnel will be established
                                      between the mobile client and AG. This type of tunnel is only
                                      used by MotionPro virtual sites.
                                 The default value is “tunnel”.
no virtual site ipsec <virtual_site> <ip>
This global command is used to delete the IPSec service of the specified virtual site.
show virtual site ipsec [virtual_site]
This global command is used to display the IPSec service of the specified virtual site. If the
“virtual_site” parameter is not specified, the IPSec services of all virtual sites will be displayed.
ipsec turbo {on|off}
This global command is used to enable or disable IPSec hardware acceleration. The system must
be restarted for this command to take effect. Please save configurations by executing the “write
memory” command before restarting. By default, IPSec hardware acceleration is disabled.
For Mobile VPN, IPSec (transport mode) provides the security protection for the tunnel packets.
Because data encryption is a CPU-intensive task, a hardware acceleration card for IPSec
encryption is required.
        Note: If IPSec hardware acceleration is enabled, half of the acceleration card’s
        computing resources are devoted to IPSec. Therefore the performance of Mobile VPN
        will be improved, while that of the SSL VPN may be affected.
show ipsec turbo
This global command is used to display the status of IPSec hardware acceleration.
clear virtual site ipsec [virtual_site]
This global command is used to delete the IPSec service of the specified virtual site. If the
“virtual_site” parameter is not specified, IPSec services of all virtual sites will be cleared.
show ipsec config
This global command is used to display global IPSec configurations.
clear ipsec config
This global command is used to clear global IPSec configurations.
show statistics ipsec [type]
This global command is used to display the IPSec statistics.
type                             Optional. This parameter specifies the type of the IPSec statistics to
                                 be displayed. Its value must only be:
                                     “ipsec”: indicates that only the IPsec statistics will be
                                      displayed.
                                     “esp”: indicates that only the Encapsulating Security Payload
                                      statistics will be displayed.
                                     “sa”: indicates that only the Security Association statistics will
                                      be displayed.
                                     “sp”: indicates that only the Security Policy statistics will be
                                      displayed.
                                     “all”: indicates that all IPSec statistics will be displayed.
                                 The default value is “all”.
clear statistics ipsec
This global command is used to clear all IPSec statistics.
Please note that the following commands can be executed only under the virtual site scope.
ipsec ikephase1 proposal <proposal_id>
This command is used to create an IPSec Phase1 proposal. To start the IPsec service, at least one
IPSec Phase1 proposal must be configured.
proposal_id                    This parameter specifies the ID of the IPSec Phase1 proposal. Its
                               value must only be 1, 2, 3, or 4.
no ipsec ikephase1 proposal <proposal_id>
This command is used to delete the specified IPSec Phase1 proposal and associated
configurations.
show ipsec ikephase1 proposal
This command is used to display all IPSec Phase1 proposals and associated configurations.
ipsec ikephase1 psk [psk]
This command is used to set the IPSec pre-shared key in IPSec Phase1 negotiation. If this
command is not configured, the default IPSec pre-shared key in IPSec Phase1 negotiation is
“presharedkey”.
psk                            Optional. This parameter specifies the IPSec pre-shared key. Its
                               value must be a string of 1 to 16 characters. The default value is
                               “presharedkey”.
show ipsec ikephase1 psk
This command is used to display the IPSec pre-shared key in IPSec Phase1 negotiation.
ipsec ikephase1 encryption <proposal_id> <algorithm>
This command is used to set the IPSec Phase1 encryption algorithm for the specified IPSec
Phase1 proposal. After an IPSec Phase1 proposal is created, the default encryption algorithm
“aes” will be set for this IPSec Phase1 proposal.
proposal_id                    This parameter specifies the ID of the pre-defined IPSec Phase1
                               proposal.
algorithm                      This parameter specifies the algorithm used for IPSec Phase1
                               encryption. Its value must only be “3des” or “aes”.
ipsec ikephase1 hash <proposal_id> <algorithm>
This command is used to set the IPSec Phase1 Hash algorithm for the specified IPSec Phase1
proposal. After an IPSec Phase1 proposal is created, the default Hash algorithm “sha1” will be set
for this IPSec Phase1 proposal.
proposal_id                    This parameter specifies the ID of the pre-defined IPSec Phase1
                               proposal.
algorithm                     This parameter specifies the algorithm used for IPSec Phase1 Hash.
                              Its value must only be “md5” or “sha1”.
ipsec ikephase1 dhgroup <proposal_id> [group_number]
This command is used to define the group used for Diffie–Hellman exponentiations for the
specified IPSec Phase1 proposal. After an IPSec Phase1 proposal is created, the default group
“modp1024” used for Diffie–Hellman exponentiations will be set for this IPSec Phase1 proposal.
proposal_id                   This parameter specifies the ID of the pre-defined IPSec Phase1
                              proposal.
group_number                  Optional. This parameter specifies the group used for
                              Diffie–Hellman exponentiations. Its value must only be
                              “modp768”, “modp1024”, “modp1536”, “modp2048”,
                              “modp3072”, “modp4096”, “modp6144”, or “modp8192”. The
                              default value is “modp1024”.
ipsec expiretime phase1 [time]
This global command is used to set the maximum time allowed for completing the IPSec Phase1
negotiation.
time                          Optional. This parameter specifies the maximum time allowed for
                              completing the IPSec Phase1 negotiation. Its value must be an
                              integer ranging from 1 to 3600, in seconds. The default value is 15.
show ipsec expiretime phase1
This global command is used to display the maximum time allowed for completing the IPSec
Phase1 negotiation.
ipsec ikephase2 pfsgroup [group_number]
This command is used to define the group used for the Diffie–Hellman exponentiations in the
IPSec Phase2 negotiation. If this command is not configured, the default group used for the
Diffie–Hellman exponentiations in IPSec Phase2 negotiation is “modp1024”.
group_number                  Optional. This parameter specifies the group used for
                              Diffie–Hellman exponentiations. Its value can only be “modp768”,
                              “modp1024”, “modp1536”, “modp2048”, “modp3072”,
                              “modp4096”, “modp6144”, or “modp8192”. The default value is
                              “modp1024”.
ipsec ikephase2 encryption <algorithm>
This command is used to set the IPSec Phase2 encryption algorithm in the IPSec Phase2
negotiation. If this command is not configured, the default IPSec Phase2 encryption algorithm in
IPSec Phase2 negotiation is “all”, which includes both algorithms “3des” and “aes”.
algorithm                      This parameter specifies the algorithm used for IPSec Phase2
                               encryption. Its value must only be “3des”, “aes” or “all”.
ipsec ikephase2 authentication <algorithm>
This command is used to set the IPSec Phase2 authentication algorithm in the IPSec Phase2
negotiation. If this command is not configured, “hmac_sha1” will be used.
algorithm                      This parameter specifies the algorithm used for IPSec Phase2
                               authentication. Its value must only be “hmac_md5”, “hmac_sha1”
                               or “all”.
show ipsec ikephase2 config
This command is used to display IPSec Phase2 configurations.
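The Phase1 proposal and Phase2 commands above carry documented defaults (pre-shared key “presharedkey”, Diffie–Hellman group “modp1024”, Phase2 encryption “all”) that a configuration review should check. The following is an added example, not Array Networks code: it replays a constructed dump of these commands, applies the documented defaults for anything not set, and reports the defaults and algorithms still in effect; which settings count as weak is the example's own judgement.

```python
"""Added example (not Array Networks code): audit the virtual-site IKE settings
documented above. It replays a constructed dump of "ipsec ikephase1 ..." and
"ipsec ikephase2 ..." commands, applies the handbook's documented defaults for
anything not set, and reports the defaults and algorithms a reviewer would want
changed. Which settings count as weak is this example's judgement."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

DEFAULT_PSK = "presharedkey"        # documented default of "ipsec ikephase1 psk"
DEFAULT_DH = "modp1024"             # documented default of dhgroup and pfsgroup
WEAK_DH = {"modp768", "modp1024"}   # MODP groups of 1024 bits or less


@dataclass
class Phase1Proposal:
    # Defaults the handbook applies when "ipsec ikephase1 proposal" creates one.
    encryption: str = "aes"
    hash: str = "sha1"
    dhgroup: str = DEFAULT_DH


@dataclass
class IpsecConfig:
    proposals: Dict[int, Phase1Proposal] = field(default_factory=dict)
    psk: str = DEFAULT_PSK
    phase2_encryption: str = "all"    # documented default: accepts both 3des and aes
    phase2_auth: str = "hmac_sha1"
    pfsgroup: str = DEFAULT_DH


def parse_config(text: str) -> IpsecConfig:
    """Replay the IKE commands in order; a later command overrides an earlier one."""
    cfg = IpsecConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ipsec ikephase1 proposal ([1-4])", line):
            cfg.proposals.setdefault(int(m.group(1)), Phase1Proposal())
        elif m := re.fullmatch(r"ipsec ikephase1 (encryption|hash|dhgroup) ([1-4]) (\S+)", line):
            # The proposal must have been created first; otherwise KeyError.
            setattr(cfg.proposals[int(m.group(2))], m.group(1), m.group(3))
        elif m := re.fullmatch(r"ipsec ikephase1 psk(?: (\S+))?", line):
            cfg.psk = m.group(1) or DEFAULT_PSK   # omitted psk means the default
        elif m := re.fullmatch(r"ipsec ikephase2 encryption (\S+)", line):
            cfg.phase2_encryption = m.group(1)
        elif m := re.fullmatch(r"ipsec ikephase2 authentication (\S+)", line):
            cfg.phase2_auth = m.group(1)
        elif m := re.fullmatch(r"ipsec ikephase2 pfsgroup(?: (\S+))?", line):
            cfg.pfsgroup = m.group(1) or DEFAULT_DH
    return cfg


def audit(cfg: IpsecConfig) -> List[str]:
    """Return human-readable findings; an empty list means nothing to change."""
    findings = []
    if not cfg.proposals:
        findings.append("no Phase1 proposal configured; 'ipsec start' needs at least one")
    if cfg.psk == DEFAULT_PSK:
        findings.append("Phase1 PSK is still the documented default 'presharedkey'")
    for pid, p in sorted(cfg.proposals.items()):
        if p.encryption == "3des":
            findings.append(f"proposal {pid}: Phase1 encryption 3des; prefer aes")
        if p.hash == "md5":
            findings.append(f"proposal {pid}: Phase1 hash md5; prefer sha1")
        if p.dhgroup in WEAK_DH:
            findings.append(f"proposal {pid}: Phase1 DH group {p.dhgroup}; prefer modp2048 or larger")
    if cfg.phase2_encryption in ("3des", "all"):
        findings.append(f"Phase2 encryption '{cfg.phase2_encryption}' allows 3des; set aes")
    if cfg.phase2_auth in ("hmac_md5", "all"):
        findings.append(f"Phase2 authentication '{cfg.phase2_auth}' allows hmac_md5; set hmac_sha1")
    if cfg.pfsgroup in WEAK_DH:
        findings.append(f"Phase2 PFS group {cfg.pfsgroup}; prefer modp2048 or larger")
    return findings


# Constructed dumps for demonstration, not taken from a real appliance.
SAMPLE_CONFIG = """\
ipsec ikephase1 proposal 1
ipsec ikephase1 encryption 1 3des
ipsec ikephase1 hash 1 md5
ipsec ikephase1 proposal 2
ipsec ikephase1 dhgroup 2 modp2048
ipsec ikephase1 psk
ipsec ikephase2 encryption all
ipsec ikephase2 pfsgroup modp1024
"""
HARDENED_CONFIG = """\
ipsec ikephase1 proposal 1
ipsec ikephase1 dhgroup 1 modp2048
ipsec ikephase1 psk Ex4mpl3-0nly-psk
ipsec ikephase2 encryption aes
ipsec ikephase2 authentication hmac_sha1
ipsec ikephase2 pfsgroup modp2048
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_config(text)) or ["no findings"])
```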
ipsec expiretime phase2 [time]
This global command is used to set the maximum time allowed for completing the IPSec Phase2
negotiation.
time                           Optional. This parameter specifies the maximum time allowed for
                               completing the IPSec Phase2 negotiation. Its value must be an
                               integer ranging from 1 to 3600, in seconds. The default value is 10.
show ipsec expiretime phase2
This global command is used to display the maximum time allowed for completing the IPSec
Phase2 negotiation.
ipsec certificate activate server [cert_index]
This command is used to activate an imported IPSec certificate on the server side.
cert_index                     Optional. This parameter specifies the index of the certificate to be
                               activated. Its value must be 1, 2 or 3.
                               The certificate to be activated is generated by the “ssl csr”
                               command or imported using the “ssl import certificate” command.
                               The index can be obtained using the “show ssl certificate”
                               command.
                                The default value is 1.
no ipsec certificate activate server
This command is used to deactivate the activated IPSec certificate on the server side.
ipsec certificate activate rootca [cert_number]
This command is used to activate an imported IPSec trusted CA certificate.
cert_number                     Optional. This parameter specifies the serial number of the trusted
                                CA certificate to be activated. Its value must be an integer ranging
                                from 0 to 4,294,967,295.
                                The certificate to be activated is imported using the “ssl import
                                rootca” command.
                                The index can be obtained using the “show ssl rootca” command.
                                The default value is 0, indicating the default root CA certificate.
no ipsec certificate activate rootca
This command is used to deactivate the activated IPSec trusted CA certificate.
ipsec certificate activate interca <cert_index>
This command is used to activate one or more imported IPSec intermediate CA certificates.
cert_index                      This parameter specifies the index(es) of the intermediate CA
                                certificate(s) to be activated. Its value must be a string of 1 to 128
                                characters. To activate more than one intermediate CA certificate,
                                separate the indexes with commas “,”.
                                The certificate to be activated is imported using the “ssl import
                                interca” command.
                                The index can be obtained using the “show ssl interca” command.
no ipsec certificate activate interca
This command is used to deactivate the activated IPSec intermediate CA certificates.
show ipsec certificate
This command is used to display the IPSec certificate configurations.
ipsec natt {on|off}
This command is used to enable or disable the NAT traversal (NAT-T) function, which is needed
when a NAT device sits between the mobile client and the AG. By default, this function is enabled.
ipsec natt force
This command is used to forcibly enable the NAT-T function.
show ipsec natt status
This command is used to display the NAT-T status.
ipsec natt keepalive [interval]
This global command is used to set the interval of sending NAT-T keep-alive packets.
interval                       Optional. This parameter specifies the interval of sending NAT-T
                               keep-alive packets, in seconds. Its value must be an integer ranging
                               from 5 to 3600. The default value is 20.
show ipsec natt keepalive
This global command is used to display the interval of sending NAT-T keep-alive packets.
ipsec profilename <name>
This command is used to create the iOS configuration profile.
name                           This parameter specifies the name of the iOS configuration profile.
                               Its value must be a string of 1 to 32 characters.
no ipsec profilename
This command is used to delete the iOS configuration profile.
show ipsec profilename
This command is used to display the iOS configuration profile.
ipsec tunnel vod <domain> <mode>
This command is used to add a VPN on Demand (VOD) domain. This command works only for
iOS Mobile Client.
domain                         This parameter specifies the domain name. Its value must be a
                               string of 1 to 64 characters.
mode                           This parameter specifies the mode of the domain. Its value must
                               only be “always”, “never” or “onretry”.
                                   “always”: indicates that the IPSec VPN will be started by
                                    accessing the domain.
                                   “never”: indicates that the IPSec VPN will not be started by
                                    accessing the domain.
                                   “onretry”: indicates that the IPSec VPN will be started only
                                    when the domain cannot be resolved via local DNS.
no ipsec tunnel vod <domain>
This command is used to delete the specified VOD domain.
show ipsec tunnel vod
This command is used to display the IPSec VOD domain configurations.
clear ipsec tunnel vod
This command is used to clear the IPSec VOD domain configurations.
ipsec tunnel splitdns <domain>
This command is used to add a DNS domain name that will be resolved by the DNS server for the
split IPSec tunnel. After this command is configured, only domains added to the split IPSec tunnel
will be resolved by the DNS server. If the “dns useglobal on” command is configured, the global
DNS servers will be used to resolve DNS domains added to the split IPSec tunnel; otherwise, the
site DNS servers will be used.
domain                         This parameter specifies the domain name. Its value must be a
                               string of 1 to 64 characters.
no ipsec tunnel splitdns <domain>
This command is used to delete the specified DNS domain name for the split IPSec tunnel.
show ipsec tunnel splitdns
This command is used to display the DNS configurations for the split IPSec tunnel.
clear ipsec tunnel splitdns
This command is used to clear the DNS configurations for the split IPSec tunnel.
ipsec tunnel deviceauth <auth_method>
This command is used to set the device authentication method.
auth_method                    This parameter specifies the device authentication method. Its value
                               must only be “psk” or “certificate”.
ipsec lifetime [time]
This command is used to set the IPSec tunnel lifetime. The IPsec tunnel will be disconnected after
this IPSec tunnel lifetime expires. If this command is not configured, the default IPSec tunnel
lifetime is 3000 seconds.
time                             Optional. This parameter specifies the IPSec tunnel lifetime in
                                 seconds. Its value must be an integer ranging from 60 to 3540. The
                                 default value is 3000.
show ipsec lifetime
This command is used to display the configurations of the IPSec tunnel lifetime.
show ipsec tunnel config
This command is used to display the configurations of the IPSec tunnel.
ipsec {start|stop}
This command is used to start or stop IPSec services for the virtual site. Before starting the IPSec
services, create an IPSec Phase1 proposal using the “ipsec ikephase1 proposal” command first.
show ipsec status
This command is used to display the status (start or stop) of IPSec services for the virtual site.
aaa method l2tp <method_name>
This command is used to set an AAA method for clients using the “transport” IPSec service.
method_name                      This parameter specifies the name of an existing AAA method.
no aaa method l2tp
This command is used to delete the AAA method configured for clients using the “transport”
IPSec service.
show aaa method l2tp
This command is used to display the AAA method for clients using the “transport” IPSec service.
aaa method ipsec <method_name>
This command is used to set the AAA method for clients using the IPSec service.
If this command is already configured, it can also be used to modify the AAA method for clients
using the IPSec service.
method_name                      This parameter specifies the name of an existing AAA method.
no aaa method ipsec
This command is used to delete the AAA method for clients using the IPSec service.
show aaa method ipsec
This command is used to display the AAA method for clients using the IPSec service.
show ipsec config
This command is used to display site IPSec configurations.
clear ipsec config
This command is used to clear site IPSec configurations.
Site2Site VPN
The Site2Site VPN function is provided to establish an L3VPN tunnel between the spokes and the
hub (AG). In the Site2Site function, the AG or vxAG appliance functions as the hub (VPN server)
and a physical or virtual CentOS 7 host with the Site2Site VPN client installed functions as the
spoke. A spoke uses a LocalDB account (configured using the “localdb account” command) to
establish the Site2Site VPN tunnel with the hub. The LocalDB account IP configured for the
LocalDB account using the “localdb ip account” command will be used as the tunnel IP for the
spoke.
The Site2Site VPN function shares certain concepts with the L3VPN; refer to the AG 9.3 User
Guide for usage guidelines of Site2Site VPN.
vpn site2site {on|off}
This command is used to enable or disable the Site2Site VPN function. With this function enabled,
the AG or vxAG appliance functions as the hub (VPN server) and the Site2Site VPN tunnel can be
established between the spoke and the hub. Clients on the subnets of this spoke can access the
subnets of the hub securely through the Site2Site VPN tunnel. By default, this function is disabled.
        Note:
            The Site2Site VPN tunnel should be an always-on tunnel. Therefore, the session
             lifetime timeout value (configured via the “session timeout lifetime” command)
             should be set to the maximum value (94,608,000).
            For the same virtual site, the Site2Site VPN function cannot be used together with the
             L3VPN function.
vpn site2site forward <subnet_ip> <netmask> <tunnel_ip> [virtual_subnet_ip]
[virtual_subnet_netmask]
This command is used to add a spoke or hub subnet to the Site2Site VPN. All these subnets will
constitute a virtual private network (VPN).
To avoid IP conflicts between spoke subnets and hub subnets, you can configure virtual subnets
for spoke subnets or hub subnets using the “virtual_subnet_ip” and “virtual_subnet_netmask”
parameters. In this way, the virtual subnets will be added to the Site2Site VPN in place of the real
spoke subnets or hub subnets. The mappings between the spoke subnets or hub subnets and virtual
subnets will also be used by spokes to translate the spoke subnet IPs or hub subnet IPs in the
packets to the virtual subnet IPs. Note that only the network portion of the IPs is translated and the
host portion is kept unchanged.
subnet_ip                       This parameter specifies the IPv4 address of the spoke subnet or
                                hub subnet.
netmask                         This parameter specifies the netmask of the spoke subnet or hub
                                subnet. Its value must be given in dotted decimal notation.
tunnel_ip                       This parameter specifies the IPv4 address assigned to the Site2Site
                                VPN tunnel.
                                    For the spoke subnet, the value of this parameter should be one
                                     of the LocalDB account IPs configured using the “localdb ip
                                     account” command.
                                    For the hub subnet, the value should be set to “0.0.0.0”.
virtual_subnet_ip               Optional. This parameter specifies the IPv4 address of the virtual
                                subnet.
                                Note: The virtual subnet should not be the same as any spoke or
                                hub subnet.
virtual_subnet_netmask          Optional. This parameter specifies the netmask of the virtual
                                subnet. Its value must be given in dotted decimal notation.
no vpn site2site forward <subnet_ip> <netmask> <tunnel_ip>
This command is used to delete a subnet from the Site2Site VPN.
show vpn site2site forward
This command is used to display all subnets in the Site2Site VPN.
clear vpn site2site forward
This command is used to clear all subnets from the Site2Site VPN.
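The virtual-subnet translation described for “vpn site2site forward” can be modelled directly. The following is an added example, not Array Networks code: it parses constructed forward commands (tunnel IP “0.0.0.0” marks a hub subnet), checks the constraints stated above, and translates a host address by rewriting only its network portion; it assumes a virtual subnet uses the same netmask as the real subnet it replaces.

```python
"""Added example (not Array Networks code): model the "vpn site2site forward"
table and the virtual-subnet translation described above. Entries are parsed
from constructed commands (tunnel IP 0.0.0.0 marks a hub subnet); validate()
flags virtual subnets that coincide with a real subnet and advertised subnets
that conflict, and translate() swaps only the network portion of an address,
keeping the host portion, as the handbook describes. The example assumes a
virtual subnet has the same netmask as the real subnet it replaces."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

HUB_TUNNEL_IP = ipaddress.IPv4Address("0.0.0.0")   # documented tunnel_ip for hub subnets


@dataclass(frozen=True)
class ForwardEntry:
    subnet: ipaddress.IPv4Network
    tunnel_ip: ipaddress.IPv4Address
    virtual: Optional[ipaddress.IPv4Network] = None

    @property
    def is_hub(self) -> bool:
        return self.tunnel_ip == HUB_TUNNEL_IP

    @property
    def advertised(self) -> ipaddress.IPv4Network:
        """The subnet that actually joins the VPN: the virtual one when configured."""
        return self.subnet if self.virtual is None else self.virtual


def parse_forward(command: str) -> ForwardEntry:
    """Parse 'vpn site2site forward <subnet_ip> <netmask> <tunnel_ip> [vsubnet_ip] [vsubnet_mask]'."""
    parts = command.split()
    if parts[:3] != ["vpn", "site2site", "forward"] or len(parts) not in (6, 8):
        raise ValueError(f"unrecognised command: {command!r}")
    subnet = ipaddress.IPv4Network(f"{parts[3]}/{parts[4]}")   # strict: host bits must be zero
    virtual = None
    if len(parts) == 8:
        virtual = ipaddress.IPv4Network(f"{parts[6]}/{parts[7]}")
        if virtual.prefixlen != subnet.prefixlen:   # assumption: equal size so host bits carry over
            raise ValueError("virtual subnet must have the same netmask as the real subnet")
    return ForwardEntry(subnet, ipaddress.IPv4Address(parts[5]), virtual)


def validate(entries: List[ForwardEntry]) -> List[str]:
    """Return conflicts a reviewer should fix before enabling the Site2Site VPN."""
    problems = []
    real = [e.subnet for e in entries]
    for e in entries:
        # Handbook: the virtual subnet must not be the same as any spoke or hub subnet.
        if e.virtual is not None and any(e.virtual.overlaps(r) for r in real):
            problems.append(f"virtual subnet {e.virtual} overlaps a real spoke/hub subnet")
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if a.advertised.overlaps(b.advertised):
                problems.append(f"{a.advertised} ({role(a)}) conflicts with {b.advertised} "
                                f"({role(b)}); configure a virtual subnet for one of them")
    return problems


def role(e: ForwardEntry) -> str:
    return "hub" if e.is_hub else f"spoke via {e.tunnel_ip}"


def translate(address: str, entries: List[ForwardEntry]) -> ipaddress.IPv4Address:
    """Rewrite the network portion of `address` to its virtual subnet; host bits are unchanged."""
    addr = ipaddress.IPv4Address(address)
    for e in entries:
        if e.virtual is not None and addr in e.subnet:
            host_bits = int(addr) & int(e.subnet.hostmask)
            return ipaddress.IPv4Address(int(e.virtual.network_address) | host_bits)
    return addr   # no mapping configured: the address passes through unchanged


# Constructed commands: the spoke behind tunnel IP 10.8.0.2 uses the same
# 192.168.1.0/24 as the hub, so it is advertised as virtual 172.16.1.0/24.
SAMPLE_COMMANDS = [
    "vpn site2site forward 192.168.1.0 255.255.255.0 10.8.0.2 172.16.1.0 255.255.255.0",
    "vpn site2site forward 192.168.1.0 255.255.255.0 0.0.0.0",
    "vpn site2site forward 192.168.2.0 255.255.255.0 10.8.0.3",
]
# The same spoke without a virtual subnet: the conflict validate() reports.
CONFLICTING_COMMANDS = SAMPLE_COMMANDS[1:] + [
    "vpn site2site forward 192.168.1.0 255.255.255.0 10.8.0.2",
]
```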
HTTP Setting Commands
http buffer nomsglen {on|off}
This global command is used to enable or disable the function of caching non-RFC compliant
responses. After this function is enabled, the appliance will cache the responses that do not
possess an “end of response” HTTP message length indicator before forwarding the response to
the client. By default, this function is enabled. Please contact Array customer support before
disabling this function.
show http buffer nomsglen
This global command is used to display the status of the function of caching the responses that do
not possess an “end of response” HTTP message length indicator.
http serverconnreuse {on|off}
This global command is used to enable or disable the function of reusing server connections to the
backend servers for multiple transactions. By default, this function is enabled.
show http serverconnreuse
This global command is used to display the status of the function of reusing server connections to
the backend servers for multiple transactions.
clear http serverconnreuse
This global command is used to restore the function of reusing server connections to the backend
servers for multiple transactions.
http serverpersist {on|off}
This global command is used to enable or disable the function of keeping persistent connections to
the backend servers. By default, this function is enabled.
show http serverpersist
This global command is used to display the status of the function of keeping persistent
connections to the backend servers.
clear http serverpersist
This global command is used to restore the function of keeping persistent connections to the
backend servers.
http shuntreset {on|off}
This global command is used to enable or disable the function of terminating non-reusable server
connections by sending RST packets. After this function is enabled, the appliance will send RST
packets to terminate non-reusable server connections. When this function is disabled, the
appliance closes server connections only after receiving FIN packets. By default, this function is
disabled.
show http shuntreset
This global command is used to display the status of handling non-reusable server connections.
http mask via {on|off}
This global command is used to enable or disable the function of hiding proxy information from
clients. After this function is enabled, the appliance will remove the “Via” header from the
responses to clients, so that the clients are unaware of the proxy process on the appliance. By
default, this function is disabled.
http mask server {on|off}
This global command is used to enable or disable the function of hiding backend server
information from clients. After this function is enabled, the appliance will remove the “Server”
header from the responses to clients. By default, this function is disabled. Note that this only
strips the header: error pages, cookie names and other response details can still identify the
backend software, so treat it as hygiene rather than as a security control.
show http mask
This global command is used to display the status of the function of hiding backend server
information and proxy information from clients.
show http config
This global command is used to display all global HTTP Proxy configurations.
clear http config
This global command is used to reset all global HTTP Proxy configurations to the default values.
The following commands should be executed in the virtual site scope.
http redirect insecure
This command is used to enable redirection of plain HTTP requests to HTTPS.
no http redirect insecure
This command is used to disable redirection of plain HTTP requests to HTTPS.
show http redirect insecure
This command is used to display the status of redirection of plain HTTP requests to HTTPS.
http redirect nocookie <url> [org_url_field]
This command is used to enable redirection of HTTP requests that carry no valid session cookie to
the specified URL.
url                             This parameter specifies the URL to which requests will be
                                redirected. Its value must be a string of 1 to 900 characters in the
                                format “scheme://host/path”.
org_url_field                   Optional. This parameter specifies the field name under which the
                                originally requested URL is passed to the redirection URL. Its value
                                must be a string of 1 to 16 characters. The default value is empty,
                                in which case the original URL is not passed.
no http redirect nocookie
This command is used to disable redirection of HTTP requests without a valid session cookie to
the specified URL.
show http redirect nocookie
This command is used to display the configuration for redirection of HTTP requests without a
valid session cookie to the specified URL.
http xforwardedfor off
This command is used to disable the function of inserting the “X-Forwarded-For” header into
HTTP requests.
http xforwardedfor on [mode] [custom_name]
This command is used to enable the function of inserting the “X-Forwarded-For” header into
HTTP requests. The “X-Forwarded-For” header contains the IP address of the client that
originated the request; after this function is enabled, backend servers receive the real client IP
address instead of only the appliance’s address. If an HTTP request already contains an
“X-Forwarded-For” header, the AG appliance does not rewrite it but inserts an additional one.
Because the client-supplied copy is under the client’s control, a backend that logs or authorizes
by this address must use the header added by the appliance and should accept it only on
connections that come from the appliance. By default, this function is disabled.
mode                             Optional. This parameter specifies how the client IP address is
                                 transferred. Its value must be:
                                      header: an HTTP header is inserted to transfer the client IP
                                       address.
                                      url: a URL query-string parameter is inserted to transfer the
                                       client IP address.
                                      cookie: an HTTP cookie is inserted to transfer the client IP
                                       address.
                                      all: all of the methods above.
                                 The default value is “header”.
custom_name                      Optional. This parameter specifies the customized name for the
                                 client IP address in the inserted HTTP header, URL query string, or
                                 HTTP cookie. Its value must be a string of 1 to 32 characters.
                                 The default value is “X-Forwarded-For”.
show http xforwardedfor
This command is used to display the configurations of inserting the “X-Forwarded-For” header
into HTTP requests.
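The following Python code is an added example of how a backend should consume the header the appliance inserts; it is not Array Networks code. It assumes that the appliance’s own “X-Forwarded-For” header follows any client-supplied one (the handbook only says that an additional header is inserted) and that the backend knows the appliance’s source address. The header lines and addresses are constructed sample data; `custom_name` is honoured through the `header_name` argument.

```python
"""Backend-side selection of the client IP from X-Forwarded-For.

Added example (not Array Networks code). Assumes the proxy appends its own
X-Forwarded-For header after any client-supplied one and that the backend
knows the proxy's address(es).
"""
import ipaddress

# Constructed sample request: the first X-Forwarded-For line was sent by the
# client itself (spoofed), the second was appended by the proxy.
SAMPLE_HEADERS = [
    ("Host", "app.example.org"),
    ("X-Forwarded-For", "10.0.0.99"),        # client-supplied, untrusted
    ("X-Forwarded-For", "198.51.100.23"),    # appended by the proxy
]
PROXY_ADDRS = {"192.0.2.10"}                 # assumed source address of the appliance


def _last_valid_ip(value):
    """Return the last syntactically valid IP in a comma-separated XFF value, or None."""
    for token in reversed(value.split(",")):
        token = token.strip()
        try:
            return str(ipaddress.ip_address(token))
        except ValueError:
            continue
    return None


def client_ip(headers, peer_ip, trusted_proxies, header_name="X-Forwarded-For"):
    """Return the address to log / authorise for this request.

    headers: iterable of (name, value) pairs in wire order; duplicates are kept.
    peer_ip: the TCP peer address of the connection as seen by the backend.
    Only when the peer is a trusted proxy is the proxy-added header (the last
    one) consulted; otherwise the peer address itself is the client.
    """
    if peer_ip not in trusted_proxies:
        return peer_ip
    xff_values = [v for n, v in headers if n.lower() == header_name.lower()]
    if not xff_values:
        return peer_ip
    # The proxy inserted an *additional* header rather than rewriting the
    # client's, so the trustworthy value is in the last header line.
    ip = _last_valid_ip(xff_values[-1])
    return ip if ip is not None else peer_ip


def first_xff(headers, header_name="X-Forwarded-For"):
    """The naive choice (first header line): returns the client-controlled value."""
    for n, v in headers:
        if n.lower() == header_name.lower():
            return v.split(",")[0].strip()
    return None


if __name__ == "__main__":
    print("naive :", first_xff(SAMPLE_HEADERS))
    print("proxy :", client_ip(SAMPLE_HEADERS, "192.0.2.10", PROXY_ADDRS))
    print("direct:", client_ip(SAMPLE_HEADERS, "10.9.9.9", PROXY_ADDRS))
```

The naive reader returns the spoofed 10.0.0.99; the trusted-peer reader returns the address the appliance recorded, and falls back to the TCP peer when the request did not arrive through the appliance.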
http xclientcert cert [header_name] [mode] [certificate_type]
This command is used to insert the client certificate into HTTP requests sent to the backend
server. The backend should accept this header only on connections that come from the appliance;
any client that can reach the backend directly could otherwise supply a header of the same name.
header_name                     Optional. This parameter specifies the customized name for the
                                HTTP header used to transfer the client certificate to the backend
                                server. Its value must be a string of 1 to 128 characters. The default
                                value is “X-Client-Cert:”.
mode                            Optional. This parameter specifies the mode of inserting the client
                                certificate into HTTP requests. Its value must be:
                                    “header”: an HTTP header is inserted to transfer the client
                                     certificate.
                                    “cookie”: an HTTP cookie is inserted to transfer the client
                                     certificate.
                                The default value is “header”.
certificate_type                Optional. This parameter specifies the encoding format of the client
                                certificate content. Its value must be:
                                    PEM: the appliance sends the OpenSSL PEM encoding of the
                                     certificate, including the “-----BEGIN CERTIFICATE-----” and
                                     “-----END CERTIFICATE-----” lines. Because a header value
                                     cannot contain line breaks, each 64-character line of the
                                     Base64 body is separated from the next using “;”.
                                    body: the appliance sends only the Base64 encoding of the
                                     DER certificate, without the PEM armour lines.
                                The default value is “body”.
        Note: This function works for QuickLink only when the Client Authentication function is
        enabled.
no http xclientcert cert
This command is used to delete the configuration of inserting the client certificate into HTTP
requests sent to the backend server.
show http xclientcert cert
This command is used to display the configuration of inserting the client certificate into HTTP
requests sent to the backend server.
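The following Python code is an added example, not Array Networks code, showing how a backend can turn either encoding of the inserted header back into the DER certificate and reject malformed values. It assumes that in “PEM” mode every line break of the PEM text, including those around the BEGIN and END lines, becomes “;”; the certificate bytes are a constructed DER stand-in, not a real certificate.

```python
"""Decode the client certificate carried in an X-Client-Cert style header.

Added example (not Array Networks code). Handles the "PEM" (line breaks
replaced by ';') and "body" (bare Base64 of the DER) encodings.
"""
import base64
import binascii
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for a DER certificate: a well-formed outer SEQUENCE,
# not a real certificate.
SAMPLE_DER = b"\x30\x0a\x02\x01\x01\x04\x05hello"


def header_value(der, certificate_type):
    """Build a header value the way the two documented modes are assumed to look."""
    if certificate_type == "PEM":
        # ssl.DER_cert_to_PEM_cert wraps the Base64 at 64 characters.
        return ";".join(ssl.DER_cert_to_PEM_cert(der).strip().split("\n"))
    if certificate_type == "body":
        return base64.b64encode(der).decode("ascii")
    raise ValueError("unknown certificate_type")


def client_cert_der(value, certificate_type):
    """Return the DER bytes from the header value.

    Raises ValueError on anything that is not the expected encoding, so a
    truncated or tampered header is refused rather than half-parsed.
    """
    value = value.strip()
    if certificate_type == "PEM":
        pem = "\n".join(line.strip() for line in value.split(";") if line.strip())
        if not (pem.startswith(PEM_HEADER) and pem.endswith(PEM_FOOTER)):
            raise ValueError("PEM armour missing")
        der = ssl.PEM_cert_to_DER_cert(pem)   # stdlib: strips armour, Base64-decodes
    elif certificate_type == "body":
        try:
            der = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("bad Base64 body") from exc
    else:
        raise ValueError("unknown certificate_type")
    if not der or der[0] != 0x30:              # a certificate is a DER SEQUENCE
        raise ValueError("not a DER SEQUENCE")
    return der


def canonical_pem(value, certificate_type):
    """Normalise either encoding to standard PEM for an X.509 library."""
    return ssl.DER_cert_to_PEM_cert(client_cert_der(value, certificate_type))


def rejects(value, certificate_type):
    """True if the header value is refused."""
    try:
        client_cert_der(value, certificate_type)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for kind in ("PEM", "body"):
        hv = header_value(SAMPLE_DER, kind)
        print(kind, hv, client_cert_der(hv, kind) == SAMPLE_DER)
```

Decoding is deliberately strict: the backend should verify the certificate (or at least its fingerprint) against what it expects rather than trusting header content blindly, and must only accept the header from the appliance in the first place.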
http xclientcert plaintext <mode> <field_name> [customized_name]
[format_opt]
This command is used to insert the specified certificate field into HTTP requests sent to the
backend server.
mode                        This parameter specifies the mode of transferring the certificate
                            field to the backend server. Its value must be:
                                 header: inserts an HTTP header to transfer the certificate field.
                                 url: inserts a URL query string to transfer the certificate field.
                                 cookie: inserts an HTTP cookie to transfer the certificate field.
                                 all: indicates all of the three modes above.
field_name                  This parameter specifies the standard name of the certificate field.
                            Its value must be:
                                 “Subject”: transfers the subject DN of a client certificate to the
                                  backend server.
                                 “Issuer”: transfers the issuer DN of a client certificate to the
                                  backend server.
                                 “Validity”: transfers the certificate’s period of validity to the
                                  backend server. Its format is “From <NotBefore> To
                                  <NotAfter>”. For example, “From Dec 19 5:54:42 2007 GMT
                                  To Dec 19 5:54:42 2008 GMT”.
                                 “Serial”: transfers the certificate’s serial number to the
                                  backend server.
                                 “NotBefore”: transfers the certificate’s start date to the
                                  backend server.
                                 “NotAfter”: transfers the certificate’s expiry date to the
                                  backend server.
                                 “CommonName”: transfers the certificate’s subject common
                                  name to the backend server.
                                 “PublicKey”: transfers the public key of the certificate to the
                                  backend server. The public key is transferred in HEX mode.
                                  For example, the public key “0x00 0x43 0x78 0xed” is
                                  transferred to the backend server in the form of “00 43 78 ed”.
                                   When the field name is specified as “PublicKey”, only the
                                   public key modulus is sent to the backend server.
                                 RDN: transfers the content specified by RDN to the backend
                                  server. RDN must be defined in the format of
                                  “<scope>.<symbol or OID>” or “<OID expression>”. For
                                  information about the value of “scope” and “symbol”, see the
                                  following tables.
                                  The parameter value is case-insensitive.
 For “scope”:
   Scope            Description
   Subject          The value of the symbol or specific OID will be searched in the client certificate’s
                    subject DN.
   Issuer           The value of the symbol or specific OID will be searched in the client certificate’s
                    issuer DN.
   Ext              The value of the symbol or specific OID will be searched in the client certificate’s
                    extensions. Extensions exist only in X.509 v3 certificates, so the client certificate
                    must be X.509 v3.
   OID or <null>    The value of the specific OID will be searched in the client certificate’s TBS (To
                    Be Signed) part.
 For “symbol”:
     Symbol                          OID                                  Standard Name
        C                           2.5.4.6                Country Name
       ST                           2.5.4.8                State or Province Name
        L                           2.5.4.7                Locality Name
        O                          2.5.4.10                Organization Name
       OU                          2.5.4.11                Organizational Unit
       CN                           2.5.4.3                Common Name
       SN                           2.5.4.5                Serial Number
   dnQualifier                     2.5.4.46                DN Qualifier
   Pseudonym                       2.5.4.65                Pseudonym
      Title                        2.5.4.12                Title
       GQ                          2.5.4.44                Generation Qualifier
     Initials                      2.5.4.43                Initials
      Name                         2.5.4.41                Name
   givenName                       2.5.4.42                Given Name
    Surname                         2.5.4.4                Surname
       DC                0.9.2342.19200300.100.1.25        Domain Component
  emailAddress               1.2.840.113549.1.9.1          Email Address
{OID expression}                                           OID information, for example: 1.2.3.4
           Note: When the same symbol has more than one value in a given scope, the appliance
           transfers all of them to the backend server. The first value keeps the customized name; a
           number is appended to the customized name for each further value, starting from 1 for the
           second value.
 The following commands are an example:
 AN(config)#http xclientcert plaintext cookie Subject.OU OU positive
AN(config)#http xclientcert plaintext header Subject.2.5.4.11 2.5.4.11 positive
If the client certificate has the following subject DN (“OU” in the scope of “subject” has two
values: “Dev” and “AG”):
C=CN, ST=Beijing, L=Beijing, O=ArrayNetworks Inc., OU=Dev, OU=AG, CN=abc,
emailAddress=abc@arraynetworks.com
Then the backend server will receive the following cookie and headers (the integer “1” is
appended to the customized name for the second value, so the header named “2.5.4.11” is
followed by one named “2.5.4.111”):
2.5.4.11: Dev
2.5.4.111: AG
Cookie: OU=Dev, OU1=AG
customized_name                  Optional. This parameter specifies a customized name for the
                                 certificate field to be inserted into the HTTP header, URL query
                                 string, or HTTP cookie. If this parameter is not specified, the value
                                 of the “field_name” parameter will be used as the customized name.
format_opt                       Optional. This parameter specifies the format of the certificate field
                                 forwarded to the backend server. Its value is case-insensitive.
                                 When the “field_name” parameter is set to “Subject” or “Issuer”, the
                                 “format_opt” parameter defines the order for transferring the
                                 certificate field. Its value must be:
                                     positive: The transfer starts from the smallest to the largest
                                      scope. (See the following example.)
                                     reverse: The transfer starts from the largest to the smallest
                                      scope.
                                     original: The transfer follows the sequence as parsed from the
                                      client certificate.
                              The “positive” order, from the smallest to the largest scope, is:
                              Surname, Given Name, Name, Initials, Generation Qualifier,
                              Serial Number, Email Address, Common Name, Title, Pseudonym,
                              DN Qualifier, Organization Unit, Organization, Locality,
                              State Or Province, Domain Component, Country.
                              The “reverse” order is the same list read from Country back to
                              Surname.
                             Assuming that the Subject DN field of a client certificate is
                             “C=CN,O=Array,OU=AG,ST=BJ,CN=abc,EmailAddress=abc@arra
                             ynetworks.com”. When the “field_name” parameter is set to
                             “subject”:
                                 If the “format_opt” parameter is set to “positive”, the Subject
                                  DN field will be transferred in the following order:
                                  EmailAddress=abc@arraynetworks.com,CN=abc,OU=AG,O=A
                                  rray,ST=BJ,C=CN
                                 If the “format_opt” parameter is set to “reverse”, the Subject
                                  DN field will be transferred in the following order:
                                  C=CN,ST=BJ,O=Array,OU=AG,CN=abc,EmailAddress=abc@
                                  arraynetworks.com
                                 If the “format_opt” parameter is set to “original”, the Subject
                                  DN field will be transferred in the following order:
                                  C=CN,O=Array,OU=AG,ST=BJ,CN=abc,EmailAddress=abc@
                                  arraynetworks.com
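The following Python code is an added example that models the naming and ordering rules described above (the numbered customized names for multi-valued RDNs and the positive/reverse/original orders); it is not appliance code. It uses the handbook’s own example DNs. Two points are assumptions: symbols that are not in the scope table sort after the known ones, and multi-valued attributes keep their certificate order in both sort directions.

```python
"""Model of the DN naming and ordering rules of "http xclientcert plaintext".

Added example (not appliance code): it reproduces the documented behaviour so
a backend developer can predict the names and values that arrive.
"""

# "positive" order, smallest scope first, as listed in the handbook.
POSITIVE_ORDER = [
    "surname", "givenname", "name", "initials", "gq", "sn", "emailaddress",
    "cn", "title", "pseudonym", "dnqualifier", "ou", "o", "l", "st", "dc", "c",
]
_RANK = {sym: i for i, sym in enumerate(POSITIVE_ORDER)}

# OID -> symbol for the attributes in the handbook's symbol table.
OID_TO_SYMBOL = {
    "2.5.4.6": "c", "2.5.4.8": "st", "2.5.4.7": "l", "2.5.4.10": "o",
    "2.5.4.11": "ou", "2.5.4.3": "cn", "2.5.4.5": "sn", "2.5.4.46": "dnqualifier",
    "2.5.4.65": "pseudonym", "2.5.4.12": "title", "2.5.4.44": "gq",
    "2.5.4.43": "initials", "2.5.4.41": "name", "2.5.4.42": "givenname",
    "2.5.4.4": "surname", "0.9.2342.19200300.100.1.25": "dc",
    "1.2.840.113549.1.9.1": "emailaddress",
}

# The handbook's two example subject DNs.
SUBJECT_EXAMPLE = ("C=CN, ST=Beijing, L=Beijing, O=ArrayNetworks Inc., OU=Dev, OU=AG, "
                   "CN=abc, emailAddress=abc@arraynetworks.com")
ORDER_EXAMPLE = "C=CN,O=Array,OU=AG,ST=BJ,CN=abc,EmailAddress=abc@arraynetworks.com"


def parse_dn(dn):
    """'C=CN, O=Array' -> [('C', 'CN'), ('O', 'Array')]. Assumes no commas inside values."""
    pairs = []
    for part in dn.split(","):
        sym, _, val = part.strip().partition("=")
        pairs.append((sym.strip(), val.strip()))
    return pairs


def order_dn(pairs, format_opt="positive", separator=","):
    """Render a whole DN (field_name Subject/Issuer) in positive, reverse or original order.

    Unknown symbols sort after the known ones (assumption). The sort is stable, so
    multi-valued attributes keep their certificate order in both directions (assumption).
    """
    fmt = format_opt.lower()
    if fmt == "original":
        ordered = list(pairs)
    elif fmt in ("positive", "reverse"):
        sign = 1 if fmt == "positive" else -1
        ordered = sorted(pairs, key=lambda p: sign * _RANK.get(p[0].lower(), len(_RANK)))
    else:
        raise ValueError("format_opt must be positive, reverse or original")
    return separator.join(f"{sym}={val}" for sym, val in ordered)


def rdn_values(pairs, rdn, customized_name=None):
    """Names and values sent for one RDN such as 'Subject.OU' or 'Subject.2.5.4.11'.

    `pairs` is the DN of the scope named in `rdn`. The first matching value keeps
    the customized name; later values get 1, 2, ... appended to it.
    """
    _scope, _, symbol = rdn.partition(".")
    target = OID_TO_SYMBOL.get(symbol, symbol).lower()
    name = customized_name or rdn          # default name is the field_name itself
    sent = {}
    for sym, val in pairs:
        if OID_TO_SYMBOL.get(sym, sym).lower() == target:
            sent[name if not sent else f"{name}{len(sent)}"] = val
    return sent


if __name__ == "__main__":
    subject = parse_dn(ORDER_EXAMPLE)
    for opt in ("positive", "reverse", "original"):
        print(f"{opt:9}", order_dn(subject, opt))
    print(rdn_values(parse_dn(SUBJECT_EXAMPLE), "Subject.OU", "OU"))
    print(rdn_values(parse_dn(SUBJECT_EXAMPLE), "Subject.2.5.4.11", "2.5.4.11"))
```

A backend that matches on these names should note the collision the handbook’s own example shows: the customized name “2.5.4.11” with “1” appended is “2.5.4.111”, which is indistinguishable from a customized name chosen as “2.5.4.111”; choose customized names that cannot be confused with their numbered successors.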
                              When the “field_name” parameter is set to “Validity”, “NotBefore”,
                              or “NotAfter”, the “format_opt” parameter defines the date/time
                              format. Its value must be:
                                  digital: all date and time fields are numeric, except the literal
                                   “GMT” time zone designator.
                                  latin: the month is expressed as an English abbreviation; all
                                   other date and time fields are numeric.
                                  W3C: standard W3C (ISO 8601) date-time format. The local time
                                   zone information from the client certificate will be used.
                              The default value is “digital”.
                              The following are examples of the date and time when the
                              “field_name” parameter is set to “Validity”:
                                  When the “format_opt” parameter is set to “digital”, the date
                                   and time format is “Valid from 2008-01-01 20:01:01 GMT to
                                   2010-01-01 20:01:00 GMT”.
                                  When the “format_opt” parameter is set to “latin”, the date and
                                   time format is “From Jan 31 15:35:5 2008 GMT To Jan 30
                                   15:35:5 2009 GMT”.
                                  When the “format_opt” parameter is set to “w3c”, the date and
                                   time format is “From 2008-01-31T15:35:05Z To
                                   2009-01-30T15:35:05Z”.
                              When the “field_name” parameter is set to “ext.<OID>”, the value of
                              the “format_opt” parameter must be “unparsed” or “parsed”.
                              Take the extension part of an X.509 certificate as an example:
                              Extension ::= SEQUENCE {
                                  extnID      OBJECT IDENTIFIER,
                                  critical    BOOLEAN DEFAULT FALSE,
                                  extnValue   OCTET STRING }
                              Here “extnID” is the OID of the extension, “critical” indicates
                              whether a relying party must understand the extension, and
                              “extnValue” holds the extension value.
                                  unparsed: “extnValue” is DER-encoded, that is, expressed as
                                   three parts: type, length and value. In the “unparsed” mode, the
                                   entire “extnValue” will be forwarded to the backend server.
                                  parsed: in the “parsed” mode, only the value part of “extnValue”
                                   (the type and length bytes are stripped) will be forwarded to the
                                   backend server.
                              The default value is “unparsed”.
                             The following is an example of the transferred content when the
                             “field_name” parameter is set to “ext.<OID>”:
                             In this example, the extension OID is 0.1.2.3, and the value of
                             “extnValue” is “0x0c 0x06 0x36 0x35 0x34 0x33 0x32 0x31”. “0c”
                             represents the value type and “06” represents the value length.
                                 If “format_opt” is set to “unparsed”, “0x0c 0x06 0x36 0x35
                                  0x34 0x33 0x32 0x31” will be forwarded.
                                 If “format_opt” is set to “parsed”, “0x36 0x35 0x34 0x33 0x32
                                  0x31” will be forwarded.
                              The entire “extnValue” will be forwarded to the backend server when
                              the value of “extnValue” is one of the following types:
                                  SEQUENCE
                                  SET
                                  Untagged data
                              For example, the following is an extension of which the value type is
                              SEQUENCE (the dump shows the offset, the tag in hex and the length
                              in decimal):
                              404 30    31: SEQUENCE {
                              406 06     3: OBJECT IDENTIFIER issuerAltName (2 5 29 18)
                              411 04    24: OCTET STRING, encapsulates {
                              413 30    22: SEQUENCE {
                              415 86    20: [6] 'http://www.nist.gov/'
                                    :              }
                                    :          }
                                    :      }
                              After the “http xclientcert plaintext header "ext.2.5.29.18" vs1
                              "url1" "parsed"” or “http xclientcert plaintext header
                              "ext.2.5.29.18" vs1 "url1" "unparsed"” command is executed, the
                              same result, the entire “extnValue” (in hex: 0x30 0x16 0x86 0x14
                              0x68 0x74 0x74 0x70…, the lengths 22 and 20 above written in hex),
                              will be sent to the backend server.
                                      When the value type of “extnValue” is a time string, the appliance
                                      will transfer it using either of the following formats:
                                          Generalized Time
                                          UTC time
           Note: Multiple transfer modes can be set for the same certificate field. However, only one
           customized name is allowed for the same certificate field. That is, the newest customized
           name of the certificate field will overwrite the customized name of the field in earlier “http
           xclientcert plaintext” configurations.
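The following Python code is an added example, not appliance code, that models the “parsed”/“unparsed” rule for an “ext.<OID>” field: it reads the DER type and length of “extnValue” and strips them only for a primitive value, forwarding SEQUENCE, SET and anything that is not one well-formed TLV whole. The two sample values are the handbook’s UTF8String and issuerAltName examples, written out as bytes; multi-byte tag numbers are treated as untagged data, which is an assumption.

```python
"""Model of "parsed" / "unparsed" handling of a certificate extension value.

Added example (not appliance code). Applies the documented rule to the DER
encoding of extnValue.
"""

SEQUENCE, SET = 0x30, 0x31


def der_header(data):
    """Return (tag, header_len, content_len), or None if data is not exactly one TLV."""
    if len(data) < 2:
        return None
    tag, first = data[0], data[1]
    if (tag & 0x1F) == 0x1F:          # multi-byte tag number: treated as untagged (assumption)
        return None
    if first < 0x80:                  # short-form length
        hlen, clen = 2, first
    elif first == 0x80:               # indefinite length is not DER
        return None
    else:                             # long form: next n bytes hold the length
        n = first & 0x7F
        if n > 4 or len(data) < 2 + n:
            return None
        hlen, clen = 2 + n, int.from_bytes(data[2:2 + n], "big")
    if hlen + clen != len(data):      # must cover exactly the whole extnValue
        return None
    return tag, hlen, clen


def extension_to_send(extn_value, format_opt="unparsed"):
    """Bytes the backend receives for an ext.<OID> field under the given format_opt."""
    fmt = format_opt.lower()
    if fmt == "unparsed":
        return bytes(extn_value)
    if fmt != "parsed":
        raise ValueError("format_opt must be parsed or unparsed")
    hdr = der_header(extn_value)
    if hdr is None:                   # untagged or malformed: forwarded whole
        return bytes(extn_value)
    tag, hlen, _ = hdr
    if tag in (SEQUENCE, SET):        # constructed types: forwarded whole
        return bytes(extn_value)
    return bytes(extn_value[hlen:])   # primitive: strip type and length


def hexdump(data):
    """Render bytes the way the handbook writes them: '0x0c 0x06 ...'."""
    return " ".join(f"0x{b:02x}" for b in data)


# Constructed samples, taken from the handbook's two examples.
UTF8_EXT = bytes.fromhex("0c06363534333231")           # UTF8String "654321"
IAN_EXT = b"\x30\x16\x86\x14http://www.nist.gov/"      # issuerAltName SEQUENCE

if __name__ == "__main__":
    for name, ext in (("UTF8String", UTF8_EXT), ("issuerAltName", IAN_EXT)):
        for opt in ("unparsed", "parsed"):
            print(f"{name:14} {opt:9} {hexdump(extension_to_send(ext, opt))}")
```

Because a backend cannot tell from the bytes alone whether it received a stripped primitive or a whole constructed value, it should know the extension’s ASN.1 type in advance and decode accordingly rather than guessing from the first byte.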
no http xclientcert plaintext <mode> <field_name>
This command is used to delete the configuration of inserting the specified certificate field into
HTTP requests sent to the backend server.
show http xclientcert plaintext
This command is used to display all configurations of inserting the certificate field into HTTP
requests sent to the backend server.
clear http xclientcert plaintext
This command is used to clear all configurations of inserting the certificate field into HTTP
requests sent to the backend server.
http xclientcert rdnsep [separator] [pre|post]
This command is used to configure the separator used to distinguish the RDN fields in the header,
cookie or URL when the certificate DN field to be transferred to the backend server contains
multiple RDN fields. If this command is not configured, the default separator used to distinguish
the RDN fields in the header, cookie or URL is “,” and the separator is placed after every RDN
field.
separator                         Optional. This parameter specifies the separator used to distinguish
                                  the DN fields. Its value must be a string of 1 character enclosed by
                                  double quotes. Letters (A to Z and a to z), numbers (0 to 9), and the
                                  “%” symbol are not supported. The default value is “,”.
pre|post                          Optional. This parameter specifies where to place the DN field
                                  separator. Its value must be:
                                         pre: places the separator before the DN field.
                                         post: places the separator after the DN field.
                                The default value is “post”.
no http xclientcert rdnsep
This command is used to restore the configuration of the separator used to distinguish the RDN
fields in the header, cookie or URL when the certificate DN field to be transferred to the backend
server contains multiple RDN fields to default.
show http xclientcert rdnsep
This command is used to display the configuration of the separator used to distinguish the RDN
fields in the header, cookie or URL when the certificate DN field to be transferred to the backend
server contains multiple RDN fields.
http xclientcert dnencoding [encoding]
This command is used to set the encoding format for transferring the DN field in the client
certificate. If this command is not configured, the default encoding format for transferring the DN
field is “UTF-8”.
encoding                        Optional. This parameter specifies the encoding format for
                                transferring the DN field. Its value must be “UTF-8”, “GB2312”,
                                “GBK” or “GB18030”. The default value is “UTF-8”.
no http xclientcert dnencoding
This command is used to restore the configuration of the encoding format for transferring the DN
field in the client certificate to default.
show http xclientcert dnencoding
This command is used to display the configuration of the encoding format for transferring the DN
field in the client certificate.
http xclientcert oidname <oid> <customized_name>
This command is used to configure a customized name for the OID field in the client certificate.
oid                             This parameter specifies the OID field in the client certificate. Its
                                value must be enclosed by double quotes.
customized_name                 This parameter specifies the customized name for the OID field in
                                the client certificate. Its value must be a string of 1 to 32 characters.
no http xclientcert oidname <oid>
This command is used to delete the customized name configured for the specified OID field in the
client certificate.
show http xclientcert oidname
This command is used to display configurations of customized names for all the OID fields in the
client certificate.
clear http xclientcert oidname
This command is used to clear configurations of customized names for all the OID fields in the
client certificate.
http xclientcert backendurl [backend_url]
This command is used to configure the backend URL accessed by the user that triggers the system
to send the client certificate (configured using the “http xclientcert cert” command) or certificate
fields (configured using the “http xclientcert plaintext” command) to the backend server. After
this command is configured, the client certificate or certificate fields will be inserted into HTTP
requests only when the user accesses the specified backend URL.
backend_url                     Optional. This parameter specifies the backend URL to be accessed.
                                Its value must be a string of 1 to 128 characters excluding the prefix
                                “http” or “https”. For example, “www.example.org/login.html”.
                                The default value is empty, indicating the client certificate or
                                certificate fields will be sent to all URLs.
show http xclientcert backendurl
This command is used to display the configuration of backend URL accessed by the user that
triggers the system to send the client certificate or certificate fields to the backend server.
show http xclientcert config
This command is used to display all the configurations related to transferring the client certificate
and certain fields to the backend server.
clear http xclientcert config
This command is used to restore all the configurations related to transferring the client certificate
and certain fields to the backend server.
http xusername
This command is used to enable the function of inserting an “X-SSO-USER” HTTP header carrying
the username of the logged-in user into HTTP requests sent to the backend server. As with the
other inserted headers, the backend should trust this header only on connections that come from
the appliance.
no http xusername
This command is used to disable the function of inserting the “X-SSO-USER” HTTP header
carrying the username into HTTP requests sent to the backend server.
show http xusername
This command is used to display the configuration of inserting the “X-SSO-USER” HTTP header
carrying the username into HTTP requests sent to the backend server.
http statefulredirect
This command is used to enable the HTTP stateful redirection function (or bookmarking
function). When enabled, end users who are required to re-login (for example, after session
timeout) will be redirected to their previous webpage after login.
no http statefulredirect
This command is used to disable the HTTP stateful redirection function.
show http statefulredirect
This command is used to display the configurations of the HTTP stateful redirection function.
http cookie expire passthrough
This command is used to enable transferring the expire clause in the HTTP Set-Cookie header.
By default, this function is disabled.
no http cookie expire passthrough
This command is used to disable transferring the expire clause in the HTTP Set-Cookie header.
show http cookie expire passthrough
This command is used to display the status (enabled or disabled) of transferring the expire
clause in the HTTP Set-Cookie header.
http cookie httponly <on|off>
This command is used to enable or disable the HTTPOnly cookie attribute function. When this
function is enabled, the system will add the HTTPOnly cookie attribute to the Set-Cookie header
in the HTTP response. By default, this function is disabled.
on|off                          This parameter specifies whether to add the HTTPOnly cookie
                                attribute to the Set-Cookie header in the HTTP response. Its value
                                must be “on” or “off”.
show http cookie httponly
This command is used to display the status (enabled or disabled) of the HTTPOnly cookie
attribute function.
http nostore
This command is used to disable the browser caching function. After this command is executed,
the response from the backend server will not be cached. By default, the browser caching function
is disabled.
no http nostore
This command is used to enable the browser caching function.
show http nostore
This command is used to display the status (enabled or disabled) of the browser caching function.
http hostcheck <on|off>
This command is used to enable or disable the function of checking whether the domain name is
in the virtual site domain list. When the function is enabled, if the domain name to be accessed is
not in the virtual site domain list, the HTTP 400 response will be returned by the system. If this
command is not configured, this function is disabled.
on|off                          This parameter specifies whether to enable the function of checking
                                whether the domain name is in the virtual site domain list. Its value
                                must be “on” or “off”.
show http hostcheck
This command is used to display the status (enabled or disabled) of the function of checking
whether the domain name is in the virtual site domain list.
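The following Python model is added here to illustrate the Set-Cookie rewriting described under "http cookie expire passthrough" and "http cookie httponly" and the Host check described under "http hostcheck"; it is not part of the handbook or of the AG software. The exact attribute handling (the expire clause dropped unless passthrough is enabled, HttpOnly appended when the function is on) and the domain-list representation are assumptions drawn from the command descriptions.

```python
"""Model of the AG HTTP Proxy cookie rewriting and host check (added
illustration, not Array Networks code; behaviour assumed from the
command descriptions in the handbook)."""

from dataclasses import dataclass, field


@dataclass
class HttpProxyConfig:
    # "http cookie httponly on|off": disabled by default
    cookie_httponly: bool = False
    # "http cookie expire passthrough": disabled by default
    cookie_expire_passthrough: bool = False
    # "http hostcheck on|off": disabled unless configured
    hostcheck: bool = False
    # virtual site domain list (assumed to be configured elsewhere on the AG)
    domains: frozenset = field(default_factory=frozenset)


def rewrite_set_cookie(header_value: str, cfg: HttpProxyConfig) -> str:
    """Rewrite one Set-Cookie header value on its way to the browser."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name_value, attrs = parts[0], parts[1:]
    kept = []
    for attr in attrs:
        key = attr.split("=", 1)[0].strip().lower()
        if key == "expires" and not cfg.cookie_expire_passthrough:
            continue  # expire clause is not transferred unless passthrough is on
        if key == "httponly":
            continue  # re-added below when configured, so it never appears twice
        kept.append(attr)
    if cfg.cookie_httponly:
        kept.append("HttpOnly")
    return "; ".join([name_value] + kept)


def check_host(host_header: str, cfg: HttpProxyConfig) -> int:
    """Return the status the proxy would answer with for this Host header:
    200 when the request passes the host check, 400 when it is rejected."""
    if not cfg.hostcheck:
        return 200
    host = host_header.split(":", 1)[0].strip().lower()  # drop any :port
    return 200 if host in cfg.domains else 400


if __name__ == "__main__":
    # constructed sample header and Host values
    sample = "sid=abc; Path=/; Expires=Wed, 21 Oct 2025 07:28:00 GMT"
    hardened = HttpProxyConfig(cookie_httponly=True, hostcheck=True,
                               domains=frozenset({"vpn.example.org"}))
    print(rewrite_set_cookie(sample, HttpProxyConfig()))
    print(rewrite_set_cookie(sample, hardened))
    print(check_host("vpn.example.org:443", hardened),
          check_host("other.example.net", hardened))
```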
http postcheck <on|off>
This command is used to enable or disable the function of checking the content of HTTP Post
request for a possible SQL injection attack. If this command is not configured, this function is
enabled.
on|off                          This parameter specifies whether to enable the function of checking
                                the content of HTTP Post request for a possible SQL injection
                                attack. Its value must be “on” or “off”.
show http config
This command is used to display all HTTP Proxy configurations.
clear http config
This command is used to reset all HTTP Proxy configurations to the default values.
File Share
fileshare cifs {on|off}
This command is used to enable or disable the file share (CIFS) function for the current virtual site.
The file share function provides remote users with shared access to files shared by the CIFS server.
The files shared by the CIFS server are defined as CIFS resources for roles using the “role
resource cifs” command. By default, the CIFS function is disabled.
fileshare cifs workgroup default {domain_name|work_group}
This command is used to set the default domain name or work group of the CIFS server that
provides CIFS resources.
domain_name|work_group          This parameter specifies the default domain name or work group.
                                Its value must be a string of 1 to 256 characters.
no fileshare cifs workgroup default
This command is used to delete the setting of the default domain name or work group of the CIFS
server that provides CIFS resources.
show fileshare config
This command is used to display the configurations of the CIFS function, including status (on or
off) of this function and the setting of the default domain name or work group of the CIFS server
that provides CIFS resources.
Chapter 7 Web Portal
Web portal is the Web-based access point of the virtual site. It consists of the portal pages,
such as the login page and welcome page, and the error pages that users will encounter when
accessing the virtual site.
By default, the default Web portal is provided for the virtual site. Also, the AG appliance allows
the administrator to customize the Web portal by any of the following ways:
    • Portal custom: The portal custom function enables the administrator to customize portal
      pages and error pages using external pages. This function can be used to customize only
      certain portal pages and all error pages.
    • Portal theme: The portal theme function enables the administrator to create a custom portal
      theme or import a custom portal theme and activate it for the custom portal theme to take
      effect. This function can be used to customize all portal pages and all error pages.
The portal/error page customized using the portal custom function or the portal theme function has
a higher priority than the default portal/error page. In addition, the portal/error page customized
using the portal custom function has a higher priority than that customized by the portal theme
function.
Portal Configuration
This section covers the CLI commands for configuring the general settings for the Web portal or
other settings for certain portal pages.
portal language <language>
This command is used to set the language used by the Web portal. If this command is not
configured, the default language of the Web portal is “english”.
language                        This parameter specifies the language used by the Web portal. Its
                                value must be “english”, “chinese”, “chinese-Big5”,
                                “chinese-GB2312”, “chinese-traditional” or “japanese”. The
                                administrator can view the list of supported languages by executing
                                the “show portal languages” command.
no portal language
This command is used to reset the Web portal language to the default value.
show portal language
This command is used to display the language currently being used by the Web portal.
show portal languages
This command is used to display the available languages that the Web portal can use. Currently,
the following languages are supported:
VS(config)$show portal languages
english
chinese
chinese-Big5
chinese-GB2312
chinese-traditional
japanese
portal logo <url>
This command is used to import a custom logo image from a specific URL address. The logo
image format can be “gif”, “png”, “jpg”, or “bmp”. If this command is not configured, the default
logo image is the Array Networks logo.
url                             This parameter specifies the HTTP or FTP URL of the custom logo
                                image. Its value must be a string of 1 to 900 characters.
no portal logo
This command is used to reset the Web portal logo image to the default logo image.
show portal logo
This command is used to display the URL from which the custom logo image is imported.
portal charset <character_set>
This command is used to configure the character set for the Web portal.
If a character set has been configured, this command is used to modify the existing character set.
character_set                      This parameter specifies the character set. Its value must be a
                                   string of 1 to 64 characters.
no portal charset
This command is used to delete the configuration of the character set for the Web portal.
show portal charset
This command is used to display the configuration of the character set for the Web portal.
portal cookietest
This command is used to enable the check of whether the browser can support cookies. By default,
this function is enabled.
no portal cookietest
This command is used to disable the check of whether the browser can support cookies.
show portal cookietest
This command is used to display whether the check of whether the browser can support cookies
is enabled.
portal configuration encoding <encoding>
This command is used to enable the encoding conversion method of the configuration input for the
Web portal. By default, this function is disabled.
encoding                          This parameter specifies the type of encoding conversion
                                  method. Its value must be a string of 1 to 64 characters. Its value
                                  can only be “html-to-binary”.
no portal configuration encoding
This command is used to disable the encoding conversion method of the configuration input for
the Web portal.
show portal configuration encoding
This command is used to display whether the encoding conversion method of the configuration
input is enabled for the Web portal.
portal message login <login_message>
This command is used to set the message displayed on the login page. After this command is
configured, a login message is displayed on the login page.
If a message has been configured for the login page, this command is used to modify the existing
message.
login_message                  This parameter specifies the login message. Its value must be a
                               string of 1 to 1024 characters.
                               This parameter supports HTML tags that can be used between
                               <div> and </div>, such as “<b>…</b>”, “<font
                               color=x>…</font>”, and “<i>…</i>”.
For example:
vs(config)$portal message login "<font color=blue>welcome</font>"
no portal message login
This command is used to delete the configuration of the message displayed on the login page.
show portal message login
This command is used to display the configuration of the message for the login page.
portal credentials autocomplete
This command is used to enable the username auto-completion function for the browser used to
access the login page. When this function is enabled, the browser can cache the entered usernames.
When this browser is used to access the login page again, the browser will prompt with the
remembered username(s) that match the part of the username entered by the user. By default, this
function is disabled.
no portal credentials autocomplete
This command is used to disable the username auto-completion function for the browser used to
access the login page.
show portal credentials autocomplete
This command is used to display the status of the username auto-completion function for the
browser used to access the login page.
portal favorite {on|off}
This command is used to enable or disable the bookmark function for the login portal page. When
this function is enabled, the “Favorite” hyperlink is displayed on the login portal page. When the
user clicks this hyperlink, the browser can add the login portal page to bookmarks. By default, this
function is disabled.
show portal favorite
This command is used to display the status of the bookmark function for the login portal page.
portal message choose_site <choose_site_message>
This command is used to set the “Choose a Virtual Site” message for a shared virtual site. After
this command is configured, a message will be displayed on the choose_site page.
If a message has been configured for a shared virtual site, this command is used to modify the
existing message.
choose_site_message             This parameter specifies the content of the message. Its value must
                                be a string of 1 to 1024 characters.
                                This parameter supports HTML tags that can be used between
                                <div> and </div>, such as “<b>…</b>”, “<font
                                color=x>…</font>”, and “<i>…</i>”.
For example:
vs(config)$portal message choose_site "<font color=red>Choose a virtual site</font>"
no portal message choose_site
This command is used to delete the configuration of the message for a shared virtual site.
show portal message choose_site
This command is used to display the configuration of the current message for a shared virtual site.
portal otp message <message_string>
This command is used to set the message displayed on the OTP authentication portal page. After
this command is configured, an OTP message will be displayed on the OTP authentication page.
If the OTP authentication portal message has been configured, this command is used to modify the
existing OTP authentication message.
message_string                 This parameter specifies the message to be displayed on the OTP
                               authentication page. Its value must be a string of 1 to 1024
                               characters. It supports the regular expression “<PHONE>”,
                               indicating the mobile phone number.
For example:
vs(config)$portal otp message "The SMS message has been sent to <PHONE>"
no portal otp message
This command is used to delete the setting of the message displayed on the OTP authentication
page.
show portal otp message
This command is used to display the setting of the message displayed on the OTP authentication
page.
portal otp title <title_string>
This command is used to set the title of the OTP authentication page. After this command is
configured, a title will be displayed on the OTP authentication page.
If the title of the OTP authentication page has been configured, this command is used to modify
the existing title of the OTP authentication message.
title_string                   This parameter specifies the title of the OTP authentication page. Its
                               value must be a string of 1 to 128 characters.
no portal otp title
This command is used to delete the title of the OTP authentication page.
show portal otp title
This command is used to display the title of the OTP authentication page.
portal title <title_string>
This command is used to set the welcome page title. If this command is not configured, the default
title is “welcome”.
If a welcome page title has been configured, this command is used to modify the existing welcome
page title.
title_string                   This parameter specifies the title of the welcome page. Its value
                               must be a string of 1 to 128 characters.
no portal title
This command is used to reset the welcome page title to the default value.
show portal title
This command is used to display the welcome page title.
portal message welcome <welcome_message>
This command is used to set the welcome message displayed on the welcome page. If this
command is not configured, the default welcome message is “Hello <user>, welcome to the Array
AG.”.
If a welcome message has been configured, this command is used to modify the existing welcome
message.
welcome_message                This parameter specifies the welcome message on the welcome
                               page. Its value must be a string of 1 to 1024 characters.
                               This parameter supports HTML tags that can be used between
                               <div> and </div>, such as “<b>…</b>”, “<font
                               color=x>…</font>”, and “<i>…</i>”.
For example:
vs(config)$portal message welcome "<i>HELLO</i>"
no portal message welcome
This command is used to reset the welcome message on the welcome page to the default value.
show portal message welcome
This command is used to display the configuration of the welcome message displayed on the
welcome page.
portal changeldbpassword
This command is used to enable the display of the “LocalDB password change” link on the
welcome page. When this function is enabled, the “Change Password” hyperlink is displayed on
the welcome portal page. When the user clicks this hyperlink, a “Change Password” portal page
will be displayed for the user to change the password. By default, this function is disabled.
no portal changeldbpassword
This command is used to disable the display of the “LocalDB password change” link on the
welcome page.
show portal changeldbpassword
This command is used to display whether the “LocalDB password change” link is displayed on the
welcome page.
portal changeldappassword [withwarning]
This command is used to enable the display of the “LDAP password change” link on the welcome
page. When this function is enabled, the “Change Password” hyperlink is displayed on the
welcome portal page. When the user clicks this hyperlink, a “Change Password” portal page will
be displayed for the user to change the password. By default, this function is disabled.
withwarning                    Optional. This parameter specifies when to display the “LDAP
                               password change” link. If this parameter is specified, the “LDAP
                               password change” link will be displayed on the welcome page only
                               when the password expiry warning message configured using the
                               “aaa server ldap pwdexpirewarning” command starts to display.
                               The default value is empty, indicating that the “LDAP password
                               change” link will always be displayed on the welcome page.
no portal changeldappassword
This command is used to disable the display of the “LDAP password change” link on the welcome
page.
show portal changeldappassword
This command is used to display whether the “LDAP password change” link is displayed on the
welcome page.
portal urlbar
This command is used to enable the URL input bar on the welcome portal page. When this
function is enabled, the URL input bar will be displayed on the welcome portal page after portal
login. With the URL input bar, the user can access Web resources that are not displayed as Web
links on the welcome portal page. By default, this function is disabled.
no portal urlbar
This command is used to disable the URL input bar on the welcome portal page.
show portal urlbar
This command is used to display whether or not the URL input bar is enabled on the welcome
page.
portal newwindows
This command is used to enable opening a new browser window when a portal link is accessed.
By default, this function is disabled.
no portal newwindows
This command is used to disable opening a new browser window when a portal link is accessed.
show portal newwindows
This command is used to display whether a new browser window is opened when a portal link is
accessed.
portal navtool [nourlbar]
This command is used to enable the Web navigation panel for the pages of Web resources
accessed through the portal. If this command is configured, the Web navigation panel will appear
on the opened Web page after a portal link is clicked. By default, this function is disabled.
nourlbar                       Optional. This parameter specifies whether the navigation panel has
                               the URL input bar. Its value must be:
                                   • “nourlbar”: indicates that the navigation panel does not have
                                     the URL input bar.
                                   • empty: indicates that the navigation panel has the URL input
                                     bar. With the URL input bar, the user can access the desired
                                     URL directly from the current Web page.
                               The default value is “empty”.
no portal navtool
This command is used to disable the Web navigation panel for the pages of Web resources
accessed through the portal.
show portal navtool
This command is used to display whether the Web navigation panel is enabled for the pages of
Web resources accessed through the portal.
portal bookmark on
This command is used to enable the bookmark function on the welcome page. With this function,
end users can add the frequently accessed resources on the virtual portal as bookmark links and
access these resources conveniently by clicking these bookmark links in future. AG now supports
adding bookmarks for three types of resources: Web, File Share and Desktops. By default, this
function is disabled.
portal bookmark off
This command is used to disable the bookmark function on the welcome page.
show portal bookmark status
This command is used to display the status of the bookmark function.
portal bookmark role <role_name> <resource_type> <url> <display_name>
[parameter]
This command is used to add a resource bookmark (that is, a bookmark for a resource) to the
welcome page for a specified role.
role_name                      This parameter specifies the name of an existing role.
resource_type                  This parameter specifies the type of the resource for which the
                               bookmark is added. Its value must be “web”, “fileshare” or
                               “desktop”.
url                            This parameter specifies the URL of the resource for which the
                               bookmark is added. Its value must be a string of 1 to 512 characters.
                                   • If the resource type is “web”, the URL format should be
                                     http://www.example.com/.
                                   • If the resource type is “fileshare”, the URL format should be a
                                     path, such as //10.8.2.88/ShareFolder.
                                   • If the resource type is “desktop”, the URL format should be an
                                     IP address or host name, such as 10.8.2.88.
display_name                   This parameter specifies the name of the resource bookmark
                               displayed on the portal page. Its value must be a string of 1 to 900
                               characters.
                               This parameter supports HTML tags that can be used between <a>
                               and </a>, such as “<b>…</b>”, “<font color=x>…</font>”, and
                               “<i>…</i>”. When HTML tags are used, the parameter value
                               must be enclosed by double quotes.
parameter                      Optional. This parameter specifies the resource parameter. Its value
                               must be a string of 1 to 255 characters. The default value is empty.
For example:
vs(config)$portal bookmark role "r" "web" "http://10.3.6.57" "<b>Test</b>" ""
vs(config)$portal bookmark role "r" "fileshare" "//10.3.6.57/ShareFolder" "<b>File</b>" ""
vs(config)$portal bookmark role "r" "desktop" "http://10.3.6.57" "<b>Test</b>" ""
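The following Python validator is an added example, not part of the handbook or the AG software: it checks the url argument of "portal bookmark role" against the format documented for each resource type and builds the quoted CLI line. It applies the documented formats strictly (so an http:// URL for a "desktop" bookmark is rejected); the accepted host-name grammar and the acceptance of https:// for "web" are assumptions.

```python
"""Validator for "portal bookmark role" arguments (added illustration,
not Array Networks code; host-name grammar is an assumption)."""

import ipaddress
import re
from urllib.parse import urlsplit

RESOURCE_TYPES = ("web", "fileshare", "desktop")
# RFC 1123 style host-name labels; the handbook only says "IP address or host name"
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def _is_host(value: str) -> bool:
    """True for an IPv4/IPv6 literal or a syntactically valid host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(value))


def validate_bookmark_url(resource_type: str, url: str) -> bool:
    """True when url matches the format documented for resource_type."""
    if resource_type not in RESOURCE_TYPES or not 1 <= len(url) <= 512:
        return False
    if resource_type == "web":
        # documented form is http://www.example.com/; https:// is assumed OK
        parts = urlsplit(url)
        return parts.scheme in ("http", "https") and bool(parts.netloc)
    if resource_type == "fileshare":
        # //server/share style path
        m = re.fullmatch(r"//([^/]+)/(.+)", url)
        return bool(m) and _is_host(m.group(1))
    # desktop: a bare IP address or host name, no scheme
    return _is_host(url)


def bookmark_command(role: str, resource_type: str, url: str,
                     display_name: str, parameter: str = "") -> str:
    """Build the CLI line, quoting every argument as the handbook examples do."""
    if not validate_bookmark_url(resource_type, url):
        raise ValueError(f"url {url!r} does not match the {resource_type} format")
    if not 1 <= len(display_name) <= 900 or len(parameter) > 255:
        raise ValueError("display_name or parameter length out of range")
    args = [role, resource_type, url, display_name, parameter]
    if any('"' in a for a in args):
        raise ValueError("arguments are enclosed in double quotes and must not contain them")
    return "portal bookmark role " + " ".join(f'"{a}"' for a in args)


if __name__ == "__main__":
    # constructed sample bookmarks
    print(bookmark_command("r", "web", "http://10.3.6.57", "<b>Test</b>"))
    print(bookmark_command("r", "fileshare", "//10.3.6.57/ShareFolder", "<b>File</b>"))
    print(bookmark_command("r", "desktop", "10.3.6.57", "<b>Desktop</b>"))
```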
no portal bookmark role <role_name> <resource_type> <url>
This command is used to delete a resource bookmark from the welcome page for a specified role.
show portal bookmark role [role_name] [resource_type]
This command is used to display the bookmarks of a specific resource type added to the welcome
page for a specified role.
role_name                     Optional. This parameter specifies the name of an existing role.
                              If this parameter is specified, the resource bookmarks of the
                              specified role are displayed. If this parameter is not specified, the
                              resource bookmarks of all roles are displayed.
resource_type                 This parameter specifies the resource type of the bookmarks to be
                              displayed. Its value must be “web”, “fileshare” or “desktop”.
                              If this parameter is specified, the bookmarks of the specified
                              resource type are displayed. If this parameter is not specified, the
                              bookmarks of all resource types are displayed.
clear portal bookmark role [role_name] [resource_type]
This command is used to clear the bookmarks of a specific resource type from the welcome page
for a specified role.
role_name                     Optional. This parameter specifies the name of an existing role.
                              If this parameter is specified, the resource bookmarks of the
                              specified role are cleared. If this parameter is not specified, the
                              resource bookmarks of all roles are cleared.
resource_type                 This parameter specifies the resource type of the bookmarks to be
                              cleared. Its value must be “web”, “fileshare” or “desktop”.
                              If this parameter is specified, the bookmarks of the specified
                              resource type are cleared. If this parameter is not specified, the
                              bookmarks of all resource types are cleared.
portal message autolaunch <autolaunch_message> [escape]
This command is used to set the autolaunch message displayed on the autolaunch page. After this
command is configured, an autolaunch message will be displayed on the autolaunch page. To
allow users to see the autolaunch page, please specify the “mode” parameter using the “vpn
netpool autolaunch <netpool> [mode]” command.
If an autolaunch message has been configured, this command is used to modify the existing
autolaunch message.
autolaunch_message             This parameter specifies the autolaunch message. Its value must be
                               a string of 1 to 1024 characters.
escape                         Optional. “escape” means to escape the HTML characters
                               according to the HTML standard. The default value is empty, which
                               means not to escape the HTML characters.
no portal message autolaunch
This command is used to delete the configuration of the autolaunch message.
show portal message autolaunch
This command is used to display the configuration of the autolaunch message.
portal externalapp rdp proxy <url>
This command is used to configure an external RDP proxy server.
url                            This parameter specifies the HTTP or HTTPS URL of the external
                               RDP proxy server. Its value must be a string of 1 to 512 characters.
no portal externalapp rdp proxy
This command is used to delete the configured external RDP proxy server.
show portal externalapp rdp proxy
This command is used to display the configured external RDP proxy server.
portal externalapp rdp file <url>
This command is used to configure an external file proxy server.
url                            This parameter specifies the HTTP or HTTPS URL of the external
                               file proxy server. Its value must be a string of 1 to 512 characters.
no portal externalapp rdp file
This command is used to delete the configured external file proxy server.
show portal externalapp rdp file
This command is used to display the configured external file proxy server.
portal motionpro detect <prelogin|postlogin>
This command is used to configure the MotionPro client detection function on the portal page.
This function allows the AG appliance to detect whether the MotionPro client has been installed
on the client PC.
If this command is not configured, the system will detect whether the MotionPro client has been
installed on the client PC on the welcome page.
prelogin|postlogin             This parameter specifies where the system detects whether the
                               MotionPro client has been installed on the client PC. Its value must
                               be:
                                   • prelogin: indicates that the system detects whether the
                                     MotionPro client has been installed on the client PC on the
                                     login page.
                                   • postlogin: indicates that the system detects whether the
                                     MotionPro client has been installed on the client PC on the
                                     welcome page.
show portal motionpro detect
This command is used to display the setting of the MotionPro client detection function on the
portal page.
portal motionpro hardwareid [type]
This command is used to set the ID type used by the MotionPro client when the Hardware ID
authorization is enabled.
type                           Optional. This parameter specifies the ID type used by the
                               MotionPro client when the Hardware ID authorization is enabled.
                               Its value must be:
                                   • 0: indicates the Hardware ID will be used.
                                   • 1: indicates the Device ID will be used.
                               The default value is 0.
show portal motionpro hardwareid
This command is used to display the setting of ID type used by the MotionPro client when the
Hardware ID authorization is enabled.
show portal config
This command is used to display the Web portal configurations, including the portal custom,
portal theme and DesktopDirect integration configurations.
clear portal config
This command is used to clear all Web portal configurations, including the portal custom, portal
theme and DesktopDirect integration configurations.
Portal Customization
Portal Custom
The portal custom settings enable the administrator to customize the following portal pages using
external pages:
     • Login page
     • Welcome page
     • Change password page
     • Change password ok page
     • Logout page
     • All error pages
portal custom login <url> [username] [password1] [securID] [password2]
This command is used to set a custom login page.
url                             This parameter specifies the URL of the custom login page. Its
                                value must be a string of 1 to 900 characters.
username                        Optional. This parameter specifies the name of POST field that will
                                contain the username value. Its value must be a string of 1 to 64
                                characters. The default value is “uname”.
password1                       Optional. This parameter specifies the name of the POST field that
                                will contain the password value. Its value must be a string of 1 to
                                64 characters. The default value is “pwd”.
securID                         Optional. This parameter specifies the name of the POST field that
                                will contain the securID token code value. Its value must be a string
                                of 1 to 64 characters. The default value is “token”.
password2                       Optional. This parameter specifies the name of the POST field that
                                will contain the second password value. Its value must be a string of
                                1 to 64 characters. The default value is “pwd2”.
no portal custom login
This command is used to delete the configuration of the custom login page.
show portal custom login
This command is used to display the configuration of the custom login page.
portal custom welcome <url>
This command is used to set a custom welcome page.
url                            This parameter defines the URL of the custom welcome page. Its
                               value must be a string of 1 to 900 characters.
no portal custom welcome
This command is used to delete the configuration of the custom welcome page.
show portal custom welcome
This command is used to display the configuration of the custom welcome page.
portal custom changepassword <auth_method> <url>
This command is used to set a custom password change page for the specified AAA method.
If a custom password change page has been configured for the AAA method, this command is
used to modify the existing custom password change page.
auth_method                      This parameter specifies an existing AAA method. Its value must
                                 be defined by the “aaa method name” command.
url                              This parameter specifies the URL of the custom password
                                 change page. Its value must be a string of 1 to 900 characters.
no portal custom changepassword [auth_method]
This command is used to delete the custom password change page for the specified AAA method.
If the “auth_method” parameter is not specified, the custom password change pages configured for
all AAA methods will be deleted.
show portal custom changepassword [auth_method]
This command is used to display the configuration of the custom password change page for the
specified AAA method. If the “auth_method” parameter is not configured, the configurations of
all custom password change pages for all AAA methods will be displayed.
portal custom passchangeok <url>
This command is used to set a custom “password change ok” page.
url                            This parameter defines the URL of the confirmation page after
                               successfully changing the password. Its value must be a string of 1
                               to 900 characters.
no portal custom passchangeok
This command is used to delete the configuration of the custom “password change ok” page.
show portal custom passchangeok
This command is used to display the configuration of the custom “password change ok” page.
portal custom logout <url>
This command is used to set a custom logout page.
url                            This parameter specifies the URL of the custom logout page. Its
                               value must be a string of 1 to 900 characters.
no portal custom logout
This command is used to delete the configuration of the custom logout page.
show portal custom logout
This command is used to display the configuration of the custom logout page.
portal custom variant name <var_name> [var_filter]
This command is used to configure a customized user variable included in the HTTP
authentication login request and to set a single-variable parsing rule for it.
var_name                       This parameter specifies the name of the customized user variable
                               in the HTTP authentication login request. Its value must be a string
                               of 1 to 32 characters in the format of <an_xx>, such as
                               <an_param1>.
var_filter                     Optional. This parameter specifies the filter condition used to parse
                               the single variable included in the HTTP authentication login
                               request. Its value must be a string of 1 to 255 characters. The
                               default value is empty.
For example:
vs(config) portal custom variant name "<an_token>" "token=<an_token>&"
no portal custom variant name <var_name>
This command is used to delete a specified customized user variable included in the HTTP
authentication login request and the associated single-variable parsing rule.
portal custom variant profile <var_filter> [priority]
This command is used to set a multi-variable parsing rule for the HTTP authentication login
request. This command should be used together with the command “portal custom variant
name”.
var_filter                     This parameter specifies the filter condition used to resolve the
                               multi-variable combination included in the HTTP authentication
                               login request. Its value must be a string of 1 to 255 characters.
priority                       Optional. This parameter specifies the priority of the rule. Its value
                               must be an integer ranging from 1 to 100. The lower the value, the
                               higher the priority. The default value is 50.
For example:
vs(config) portal custom variant name "<an_ip>"
vs(config) portal custom variant name "<an_type>"
vs(config) portal custom variant name "<an_phone>"
vs(config) portal custom variant profile "deviceid=<an_ip>@@@<an_type>@@@<an_phone>&" 50
no portal custom variant profile <var_filter>
This command is used to delete a specified multi-variable parsing rule for the HTTP
authentication login request.
show portal custom variant
This command is used to display the configurations of customized user variables included in the
HTTP authentication login request and the associated variable parsing rules.
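The following added Python model is not Array Networks code: it treats the variant filters shown in the two examples above, together with the POST field names of the "portal custom login" command, as extraction templates applied to a constructed login request body. It assumes that each <an_xx> placeholder matches up to the next literal text and never contains "&", that profiles are tried in ascending priority value and a variable keeps the first value found, and that the class and function names are illustrative rather than the appliance's own.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Placeholder syntax from the "portal custom variant name" command: <an_xx>
PLACEHOLDER = re.compile(r"<an_[A-Za-z0-9_]+>")


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Compile a filter such as 'deviceid=<an_ip>@@@<an_type>@@@<an_phone>&' into a
    regex with one named group per placeholder; all other text is matched literally.
    Assumption: a variable value runs up to the next literal and never contains '&'."""
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append(f"(?P<{m.group(0)[1:-1]}>[^&]*?)")  # group name: an_ip, an_type, ...
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))


class VariantRules:
    """Model (assumed names) of the 'portal custom variant name'/'profile' settings."""

    def __init__(self) -> None:
        self.names: Dict[str, Optional[str]] = {}       # "<an_token>" -> single-variable filter
        self.profiles: List[Tuple[int, int, str]] = []  # (priority, insertion order, filter)

    def add_name(self, var_name: str, var_filter: Optional[str] = None) -> None:
        # Ranges from the command reference: name 1..32 chars in <an_xx> form, filter 1..255.
        if not (1 <= len(var_name) <= 32 and PLACEHOLDER.fullmatch(var_name)):
            raise ValueError(f"variable name must look like <an_xx>: {var_name!r}")
        if var_filter is not None and not 1 <= len(var_filter) <= 255:
            raise ValueError("var_filter must be 1 to 255 characters")
        self.names[var_name] = var_filter

    def add_profile(self, var_filter: str, priority: int = 50) -> None:
        if not 1 <= len(var_filter) <= 255:
            raise ValueError("var_filter must be 1 to 255 characters")
        if not 1 <= priority <= 100:
            raise ValueError("priority must be an integer from 1 to 100")
        # The reference says profiles are used together with 'variant name':
        # every placeholder in a profile must be a declared variable.
        unknown = [p for p in PLACEHOLDER.findall(var_filter) if p not in self.names]
        if unknown:
            raise ValueError(f"undeclared variables in profile: {unknown}")
        self.profiles.append((priority, len(self.profiles), var_filter))

    def extract(self, body: str) -> Dict[str, str]:
        """Apply the rules to a raw login request body. Assumption: multi-variable
        profiles are tried lowest priority value first and a variable keeps the first
        value found; single-variable filters then fill in whatever is still missing."""
        found: Dict[str, str] = {}
        ordered = [f for _, _, f in sorted(self.profiles)]
        ordered += [f for f in self.names.values() if f is not None]
        for template in ordered:
            m = template_to_regex(template).search(body)
            if m is None:
                continue
            for var, value in m.groupdict().items():
                found.setdefault(var, value)
        return found


# Default POST field names of the "portal custom login" command, keyed by parameter.
DEFAULT_LOGIN_FIELDS = {"username": "uname", "password1": "pwd",
                        "securID": "token", "password2": "pwd2"}


def parse_login_request(body: str, rules: VariantRules,
                        fields: Dict[str, str] = DEFAULT_LOGIN_FIELDS) -> Dict[str, str]:
    """Return the credential fields (by parameter name) plus every custom variable.
    Credential fields are read URL-decoded; variant filters run on the raw body."""
    for name in fields.values():
        if not 1 <= len(name) <= 64:
            raise ValueError("POST field names must be 1 to 64 characters")
    posted = parse_qs(body, keep_blank_values=True)
    result = {param: posted.get(field, [""])[0] for param, field in fields.items()}
    result.update(rules.extract(body))
    return result


if __name__ == "__main__":
    rules = VariantRules()
    rules.add_name("<an_token>", "token=<an_token>&")   # first example in the reference
    for var in ("<an_ip>", "<an_type>", "<an_phone>"):   # second example in the reference
        rules.add_name(var)
    rules.add_profile("deviceid=<an_ip>@@@<an_type>@@@<an_phone>&", 50)
    # Constructed sample body, not captured traffic.
    body = "uname=alice&pwd=s3cret&token=123456&deviceid=10.0.0.7@@@laptop@@@5550100&"
    print(parse_login_request(body, rules))
```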
portal error <error_type> <url>
This command is used to set the custom error page of the specified type.
error_type                     This parameter specifies the type of the error page to be
                               customized. Please refer to the following table for the parameter
                               value.
url                            This parameter specifies the URL of the custom error page. Its
                               value must be a string of 1 to 900 characters.
The following table displays the types of the custom error pages that can be customized:
                              Table 3-1 Types of the Error Pages
Error Page Type        Meaning
passwordchangefail     Change password failed
newpasscheckfail       New password is not valid
dns                    Domain Name Service resolution failed
revdns                 Reverse Domain Name Service resolution failed
https                  HTTPS server is not configured
cookies                Browser does not support cookies
sessionexpired         Login session has expired
request                Generic request error
access                 Access denied
genlogin               Generic login error
failedlogin            Login attempt failed
internal               Generic internal error
badacls                Account has invalid ACLs
no portal error <error_type>
This command is used to delete the configuration of the custom error page of a specified type.
show portal error
This command is used to display the configurations of all custom error pages.
clear portal error
This command is used to clear the configurations of all the custom error pages.
Portal Theme
A portal theme consists of theme objects and theme errors. Theme objects are used to
customize the portal pages, while theme errors are used to customize the error pages.
portal theme create <theme_name>
This command is used to create a portal theme.
no portal theme create <theme_name>
This command is used to delete the specified portal theme.
show portal theme create
This command is used to display all the created portal themes.
portal theme object <page_type> <theme_name> <object_name> <url> <file_type> [flag]
This command is used to add a theme object to the specified portal theme and assign it to a
specified portal page to customize it.
page_type                      This parameter specifies the type of the portal page. For the valid
                               names supported by this parameter, see Table 3-2.
theme_name                     This parameter specifies the name of an existing portal theme.
object_name                    This parameter specifies the name of the theme object. Its value
                               must be a string of 1 to 20 characters.
url                             This parameter specifies the URL from which the custom portal
                                page is imported. Its value must be a string of 1 to 900 characters.
file_type                       This parameter specifies the file type of the custom portal page. Its
                                value must be one of “html”, “css”, “js”, “xml”, “htc”, “text” or “binary”.
flag                            Optional. This parameter specifies whether or not to rewrite the
                                URLs in the custom portal page. Its value must be:
                                    • 0: do not rewrite the URLs.
                                    • 1: rewrite the URLs.
                                The default value is 1.
The following table shows the types of portal pages that can be customized:
                                       Table 3-2 Page Type
Page Type          Content
autolaunch         The page for auto-launching L3VPN
challenge          The RADIUS challenge-response page
choose_site        The page in which you can choose an alias virtual site, available for the
                   shared virtual site only
info               The template page for information and error pages
login              The login page
logout             The logout page
next_token         The RADIUS challenge-response page, in which you should input the next
                   token code to login
passchange         The page for changing a user's LocalDB password
ldappasschange     The page for changing a user's LDAP password
welcome            The welcome portal page
custom             An arbitrary resource not associated with any default page. This custom
                   page can be referenced by other custom portal pages.
sms                The page for SMS authentication
smx                The page for SMX authentication
client_security    The page for Client Security
no portal theme object <theme_name> <object_name>
This command is used to delete a theme object from a specified portal theme.
portal theme assign <page_type> <theme_name> <object_name>
This command is used to reassign a portal theme object to a specified portal page.
page_type                      This parameter specifies the type of the portal page. Please refer to
                               the “portal theme object” command for the parameter value.
theme_name                     This parameter specifies the name of an existing portal theme.
object_name                    This parameter specifies the name of an existing portal theme
                               object. Its value must be a string of 1 to 20 characters.
portal theme rewrite <theme_name> <object_name> [flag]
This command is used to change the rewrite flag for the specified portal theme object.
theme_name                     This parameter specifies the name of an existing portal theme.
object_name                    This parameter specifies the name of an existing portal theme
                               object.
flag                           Optional. This parameter specifies whether or not to rewrite the
                               URLs in the custom portal page for the portal theme object. For
                               details, please refer to Chapter 6 Access Method. Its value must
                               be:
                                   • 0: indicates that the rewrite flag is disabled.
                                   • 1: indicates that the rewrite flag is enabled.
                               The default value is 1.
show portal theme object <theme_name> [object_name]
This command is used to display the portal page to which the specific theme object in the
specified portal theme is assigned. If the “object_name” parameter is not specified, the assignment
of all theme objects in the specified portal theme to all portal pages will be displayed.
portal theme error <theme_name> <error_type> <url>
This command is used to add a theme error page to the specified portal theme to customize the
specified error page.
theme_name                     This parameter specifies the name of an existing portal theme.
error_type                     This parameter specifies the type of the error page to be
                               customized. Please refer to the “portal error” command for details.
url                            This parameter specifies the URL of the theme error page. Its value
                               must be a string of 1 to 900 characters.
no portal theme error <theme_name> <error_type>
This command is used to delete a theme error page from a specified portal theme.
show portal theme error <theme_name>
This command is used to display the configurations of the theme error pages in a specified portal
theme.
portal theme import <url> [theme_name] [flag]
This command is used to import a custom portal theme.
url                            This parameter specifies the HTTP or FTP URL of the portal theme
                               to be imported. Its value must be a string of 1 to 900 characters.
theme_name                     Optional. This parameter specifies the name of the portal theme to
                               be imported. Its value must be a string of 1 to 20 characters.
flag                           Optional. This parameter specifies whether or not to rewrite the
                               URLs in the custom portal page. Its value must be:
                                    • 0: indicates that the rewrite flag is disabled.
                                    • 1: indicates that the rewrite flag is enabled.
                               The default value is 1.
                               Note: This parameter only works for portal theme objects in the
                               imported portal theme but not for theme error pages in it.
portal theme active <theme_name>
This command is used to activate a created or imported custom portal theme. Only one custom
portal theme can be activated.
If a portal theme has been activated, this command is used to activate another portal theme.
theme_name                     This parameter specifies the name of the portal theme created or
                               imported.
no portal theme active
This command is used to deactivate the activated custom portal theme.
show portal theme active
This command is used to display the activated portal theme.
DesktopDirect Integration
portal desktop off
This command is used to disable the DesktopDirect Integration function. When this function is
disabled, the Web portal will not integrate DesktopDirect resources. By default, this function is
disabled.
portal desktop embed
This command is used to enable the “embed” mode of DesktopDirect Integration, which indicates
that DesktopDirect resources will be displayed on the welcome page like Web, CIFS, and VPN
resources.
portal desktop newwindow
This command is used to enable the “hyperlink” mode of DesktopDirect Integration, which
indicates that the welcome page provides a hyperlink and DesktopDirect resources will be
displayed in the opened new window by clicking the hyperlink.
         Note: The “portal desktop off”, “portal desktop embed”, and “portal desktop
         newwindow” configurations are mutually exclusive.
portal desktop initmode activex
This command is used to set the DesktopDirect initiation mode as “activex” so that the
DesktopDirect client is set up with ActiveX components.
portal desktop initmode java
This command is used to set the DesktopDirect initiation mode as “java” so that the
DesktopDirect client is set up with Java components.
portal desktop initmode autoswitch
This command is used to enable the DesktopDirect initiation mode from “activex” to “java” when
the DesktopDirect client cannot be set up with ActiveX components in the user’s PC environment.
no portal desktop initmode autoswitch
This command is used to disable autoswitch of the DesktopDirect initiation mode.
portal desktop register <on|off>
This command is used to enable or disable the portal desktop registration function. When this
function is enabled, end users can register PCs as their portal desktop resources on the welcome
page by clicking the Register Local PC button. The registered local PC will be displayed in the
DesktopDirect resource list. By default, this function is disabled.
on|off                          This parameter specifies whether to enable the portal desktop
                                registration function. Its value must be “on” or “off”.
show portal desktop config
This command is used to display the configurations related to the DesktopDirect Integration
function.
Application SSO
The Application SSO function enables application login credentials to be passed to the backend
application servers for the login users when the portal and application credentials are different.
This function works for Web, Fileshare and DesktopDirect applications. By default, this function
is disabled for Web, Fileshare and DesktopDirect applications.
To use this function, you also need to configure application login credentials for login users in the
LocalDB server using the “localdb sso account” command.
sso application web {on|off}
This command is used to enable or disable the Application SSO function for Web applications. By
default, this function is disabled for Web applications. For Web applications, the Application SSO
function supports the NT LAN Manager (NTLM), Basic HTTP authentication and Post methods.
sso application fileshare {on|off}
This command is used to enable or disable the Application SSO function for Fileshare applications.
By default, this function is disabled for Fileshare applications.
sso application desktopdirect {on|off}
This command is used to enable or disable the Application SSO function for DesktopDirect
applications. By default, this function is disabled for DesktopDirect applications.
Chapter 8 High Availability
Cluster
cluster virtual ifname <interface_name> <virtual_cluster_id>
This command is used to add a virtual cluster to the specified interface.
interface_name                  This parameter specifies the name of the existing interface. Its value
                                must be a system interface, bond interface, MNET interface or
                                VLAN interface.
virtual_cluster_id              This parameter specifies the virtual cluster ID.
clear cluster virtual ifname <interface_name> <virtual_cluster_id>
This command is used to clear a virtual cluster from the specified interface.
interface_name                  This parameter specifies the name of the existing interface. Its value
                                must be a system interface, bond interface, MNET interface, VLAN
                                interface or “all”. “all” indicates virtual clusters of all interfaces
                                will be cleared.
virtual_cluster_id              This parameter specifies the virtual cluster ID.
cluster virtual vip <interface_name> <virtual_cluster_id> <virtual_ip>
This command is used to add a virtual IP address to the specified virtual cluster.
interface_name                  This parameter specifies the name of the existing interface. Its value
                                must be a system interface, bond interface, MNET interface or
                                VLAN interface.
virtual_cluster_id              This parameter specifies the existing virtual cluster ID.
virtual_ip                      This parameter specifies the virtual IP address of the virtual cluster.
no cluster virtual vip <interface_name> <virtual_cluster_id> <virtual_ip>
This command is used to delete the virtual IP address from the specified virtual cluster.
cluster virtual auth <interface_name> <virtual_cluster_id> <auth_flag>
<auth_password>
This command is used to configure the authentication method for the specified virtual cluster. By
default, authentication is not required for a virtual cluster.
interface_name                   This parameter specifies the name of the existing interface. Its value
                                 must be a system interface, bond interface, MNET interface or
                                 VLAN interface.
virtual_cluster_id               This parameter specifies the existing virtual cluster ID.
auth_flag                        This parameter specifies whether or not the authentication is
                                 required. Its value must be:
                                     • 0: indicates the authentication is not required.
                                     • 1: indicates the authentication is required.
auth_password                    Optional. This parameter specifies the authentication password. Its
                                 value must be a string of 1 to 8 characters.
                                 Please note that this parameter is required only when the
                                 “auth_flag” parameter is set to 1.
no cluster virtual auth <interface_name> <virtual_cluster_id>
This command is used to reset the configuration of an authentication method to default for the
specified virtual cluster.
cluster virtual priority <interface_name> <virtual_cluster_id> <priority>
[peer_host]
This command is used to set the priority of the specified virtual cluster. By default, the priority of
the virtual cluster is 100.
interface_name                   This parameter specifies the name of the existing interface. Its value
                                 must be a system interface, bond interface, MNET interface or
                                 VLAN interface.
virtual_cluster_id               This parameter specifies the existing virtual cluster ID.
priority                         This parameter specifies the priority of the virtual cluster. Its value
                                 must be an integer ranging from 1 to 255. The larger the value, the
                                 higher the priority.
peer_host                        Optional. This parameter specifies the name of the synchronization
                                 local node or peer node. Its value must be:
                                     • “Primary”: indicates this command applies to the local node.
                                     • peer node: indicates this command applies to the peer node
                                       specified by the “synconfig peer” command.
                                 The default value is “Primary”.
no cluster virtual priority <interface_name> <virtual_cluster_id> [peer_host]
This command is used to reset the configuration of the priority to default for the specified virtual
cluster.
cluster virtual preempt <interface_name> <virtual_cluster_id> <preempt_value>
This command is used to enable or disable the preemption mode for the specified virtual cluster.
After the preemption mode is enabled, the status of the virtual cluster with a higher priority
becomes the master. By default, the preemption mode is disabled.
interface_name                  This parameter specifies the name of the existing interface. Its value
                                must be a system interface, bond interface, MNET interface or
                                VLAN interface.
virtual_cluster_id              This parameter specifies the existing virtual cluster ID.
preempt_value                   This parameter specifies whether to enable the preemption mode.
                                Its value must be:
                                    • 0: indicates the preemption mode is enabled.
                                    • 1: indicates the preemption mode is disabled.
no cluster virtual preempt <interface_name> <virtual_cluster_id>
This command is used to reset the preemption mode of the specified virtual cluster to default.
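An added Python model, not Array Networks code, of how the priority and preemption settings above interact: it walks one failover story with preemption disabled (the default) and enabled, using the priority range given for the "cluster virtual priority" command. It assumes that nodes are named as with the peer_host parameter ("Primary" and the peer), that a priority tie is broken by node name, and that the appliance's own election protocol is not described on this page.

```python
from typing import Dict, List, Optional


def check_priority(priority: int) -> int:
    """Enforce the range given for the priority parameter: 1 to 255, larger wins."""
    if not 1 <= priority <= 255:
        raise ValueError(f"priority {priority} is outside 1..255")
    return priority


def elect_master(priorities: Dict[str, int], alive: List[str],
                 current: Optional[str], preempt: bool) -> Optional[str]:
    """Return the node holding the master role after an event (model, not the
    appliance's protocol). With preemption disabled a living master keeps the role
    even if a higher-priority node is alive; with preemption enabled, or when the
    master is down, the living node with the highest priority becomes master."""
    candidates = [n for n in alive if n in priorities]
    if not candidates:
        return None
    if current in candidates and not preempt:
        return current
    # Assumption: a tie in priority is broken by node name.
    return max(candidates, key=lambda n: (priorities[n], n))


def run_scenario(preempt: bool) -> List[Optional[str]]:
    """Walk the same failover story with or without preemption.
    Constructed values: Primary has priority 150, the peer keeps the default 100."""
    priorities = {"Primary": check_priority(150), "peer": check_priority(100)}
    events = [["Primary", "peer"],  # both up: Primary wins either way
              ["peer"],             # Primary fails: peer takes over
              ["Primary", "peer"]]  # Primary returns: only preemption hands it back
    master: Optional[str] = None
    history: List[Optional[str]] = []
    for alive in events:
        master = elect_master(priorities, alive, master, preempt)
        history.append(master)
    return history


if __name__ == "__main__":
    print("preempt off:", run_scenario(False))  # ['Primary', 'peer', 'peer']
    print("preempt on: ", run_scenario(True))   # ['Primary', 'peer', 'Primary']
```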
cluster virtual interval <interface_name> <virtual_cluster_id> [advertisement_interval]
This command is used to set the advertisement interval for the specified virtual cluster. By default
the advertisement interval is 5 seconds.
interface_name                  This parameter specifies the name of the existing interface. Its value
                                must be a system interface, bond interface, MNET interface or
                                VLAN interface.
virtual_cluster_id              This parameter specifies the existing virtual cluster ID.
advertisement_interval          Optional. This parameter specifies the advertisement interval. Its
                                value must be an integer ranging from 3 to 60, in seconds. The
                                default value is 5.
no cluster virtual interval <interface_name> <virtual_cluster_id>
This command is used to reset the advertisement interval to default for the specified virtual
cluster.
cluster virtual arp interval <interval>
This command is used to set the interval of the gratuitous ARP.
interval                        This parameter specifies the broadcasting interval of the gratuitous
                                ARP advertisement. Its value must be 0 or an integer ranging from
                                30 to 65,535, in seconds. “0” indicates the gratuitous ARP
                                advertisement is sent only when a virtual cluster switches to
                                “master”.
show cluster virtual arp
This command is used to display the configuration of the interval of the gratuitous ARP.
cluster virtual {on|off} [virtual_cluster_id] [interface_name]
This command is used to enable or disable the virtual cluster on the specified interface.
virtual_cluster_id              Optional. This parameter specifies the existing virtual cluster ID.
                                The default value is 0, which indicates that all virtual clusters on
                                the specified interface will be enabled or disabled.
interface_name                  Optional. This parameter specifies the name of the existing
                                interface. Its value must be a system interface, bond interface,
                                MNET interface, VLAN interface or “all”.
                                The default value is “all”, indicating that the virtual clusters on all
                                interfaces will be enabled or disabled.
show cluster virtual interface
This command is used to display all interfaces with virtual clusters configured.
show cluster virtual status [interface_name]
This command is used to display the status of the virtual cluster on the specified interface.
interface_name                  Optional. This parameter specifies the name of the existing
                                interface. Its value must be a system interface, bond interface,
                                MNET interface, VLAN interface or “all”.
                                The default value is “all”, indicating that the status for all interfaces
                                will be displayed.
show cluster virtual config [interface_name]
This command is used to display configurations of the virtual cluster on the specified interface.
interface_name                  Optional. This parameter specifies the name of the existing
                                interface. Its value must be a system interface, bond interface,
                                MNET interface, VLAN interface or “all”.
                                The default value is “all”, indicating that the configurations for all
                                interfaces will be displayed.
show cluster virtual transition [interface_name]
This command is used to display the last 10 transition logs of the virtual cluster on the specified
interface.
interface_name                  Optional. This parameter specifies the name of the existing
                                interface. Its value must be a system interface, bond interface,
                                MNET interface, VLAN interface or “all”.
                                The default value is “all”, indicating that the last 10 transition logs
                                for all interfaces will be displayed.
clear cluster virtual transition [interface_name] [virtual_cluster_id]
This command is used to clear the transition logs on the specified interface for the specified virtual
cluster.
interface_name                  Optional. This parameter specifies the name of the existing
                                interface. Its value must be a system interface, bond interface,
                                MNET interface, VLAN interface or “all”.
                                    If this parameter is specified, the transition logs on the
                                     specified interface will be cleared.
                                    If this parameter is not specified, the transition logs on all
                                     interfaces will be cleared.
                                The default value is “all”, indicating that transition logs on all
                                interfaces will be cleared.
virtual_cluster_id              Optional. This parameter specifies the existing virtual cluster ID.
                                    If this parameter is specified, the transition logs for the
                                     specified virtual cluster will be cleared.
                                    If this parameter is not specified, the transition logs for all
                                     virtual clusters will be cleared.
                                The default value is 0, which indicates that the transition logs
                                for all virtual clusters will be cleared.
show statistics cluster virtual [interface_name]
This command is used to display the statistics of the virtual cluster on the specified interface.
interface_name                   Optional. This parameter specifies the name of the existing
                                 interface. Its value must be a system interface, bond interface,
                                 MNET interface, VLAN interface or “all”.
                                 The default value is “all”, indicating that the statistics of the virtual
                                 cluster for all interfaces will be displayed.
clear statistics cluster virtual [interface_name] [virtual_cluster_id]
This command is used to clear the statistics on the specified interface for the specified virtual
cluster.
interface_name                   Optional. This parameter specifies the name of the existing
                                 interface. Its value must be a system interface, bond interface,
                                 MNET interface, VLAN interface or “all”.
                                     If this parameter is specified, the statistics on the specified
                                      interface will be cleared.
                                     If this parameter is not specified, the statistics on all interfaces
                                      will be cleared.
                                 The default value is “all”, indicating that the statistics on all
                                 interfaces will be cleared.
virtual_cluster_id               Optional. This parameter specifies the existing virtual cluster ID.
                                     If this parameter is specified, the statistics for the specified
                                      virtual cluster will be cleared.
                                     If this parameter is not specified, the statistics for all virtual
                                      clusters will be cleared.
                                 The default value is 0, indicates that the statistics for all virtual
                                 clusters will be cleared.
HA (High Availability)
The High Availability feature provides session synchronization and configuration synchronization
among HA units. All the HA CLI commands need to be executed under the global scope.
General Settings
ha unit <unit_id> <ip> [port]
This command is used to add an HA unit with a unique ID and IP address. An HA domain allows
at most 32 units.
unit_id                           This parameter specifies the unique ID of the HA unit. Its value
                                  ranges from 1 to 32.
ip                                This parameter specifies the IP address of the HA unit, which is
                                  used for primary link communication with other units. It can be an
                                  IPv4 or IPv6 address. The “ip” parameter must be set to the IP
                                  address of a system interface.
                                  To use the HA bootup and runtime configuration synchronization,
                                  the parameter value must be the same as the value of the parameter
                                  “peer_ip” specified in the “synconfig peer” command.
port                              Optional. This parameter specifies the port used for primary link
                                  communication with other units. Its value ranges from 1 to 65,535.
                                  The default value is 65,521.
          Note:
              Before configuring the local unit, you must have configured the local unit’s interface
               IP address. Otherwise, the local unit cannot be identified by the HA domain.
              The IP addresses of the units in an HA domain must be all IPv4 or all IPv6.
              After adding multiple units for an HA domain by executing the command “ha unit”,
               the system will establish primary link connections between each two units
               automatically.
no ha unit <unit_id>
This command is used to delete an HA unit from the HA domain.
          Note: If the local unit is deleted from the HA domain, all the “ha hc…” configurations on
          the local unit will also be deleted, and the “ha hc peerunit” configuration will be reset to
          the default value.
ha unitname <unit_id> <unit_name> [description]
This command is used to add the name and description to a specified HA unit.
unit_id                        This parameter specifies the unique ID of the HA unit.
unit_name                      This parameter specifies the name of the HA unit. Its value should
                               be a string of 1 to 15 characters.
                               To use the HA bootup and runtime configuration synchronization,
                               the parameter value must be the same as the value of the parameter
                               “peer_name” specified in the “synconfig peer” command.
description                    Optional. This parameter describes the HA unit. Its value should be
                               a string of 0 to 256 characters.
no ha unitname <unit_id> <unit_name>
This command is used to delete the name and description of a specified HA unit.
ha on
This command is used to enable the HA feature. The HA feature can be enabled only when both
the local unit and any peer unit have been configured.
ha off [force]
This command is used to disable the HA feature. By default, the HA feature is disabled.
force                          Optional. This parameter forces the HA function off even if the
                               unit hangs while joining the HA domain.
ha link network secondary <unit_id> <link_id> <ip> [port]
This command is used to configure a secondary link on an HA unit. At most 31 secondary links
can be established between two HA units.
unit_id                        This parameter specifies the ID of the HA unit.
link_id                        This parameter specifies the ID of the secondary link. Its value
                               ranges from 1 to 31. The ID of each secondary link between two
                               units should be unique.
ip                             This parameter specifies the IP address of the HA unit, which is
                               used for secondary link communication with another unit. It can be
                               an IPv4 or IPv6 address.
port                           Optional. This parameter specifies the port used for secondary link
                               communication with another unit. The default value is 65,521.
Note that to establish a secondary link between two units, you need to configure a secondary
link with the same ID on each of the two units.
For example, the IP addresses of the two HA units “1” and “2” are 192.168.1.1 and
192.168.10.1 respectively. To establish the secondary link “1” between the two units, the
following two commands must be executed on both units:
AN(config)#ha link network secondary 1 1 192.168.1.1 65521
AN(config)#ha link network secondary 2 1 192.168.10.1 65521
          Note:
             The IP addresses of secondary links must not be on the same network segment as the
              IP address of the primary link.
             The IP addresses of the two ends of a secondary link must be both IPv4 or both IPv6
              addresses.
no ha link network secondary <unit_id> <link_id>
This command is used to delete a secondary link between two HA units.
unit_id                         This parameter specifies the unique ID for the HA unit.
link_id                         This parameter specifies the unique ID for the secondary link.
clear ha link network secondary
This command is used to delete the configurations about all secondary links on the local unit.
ha ssf on
This command is used to enable the Stateful Session Failover (SSF) function. By default, this
function is disabled.
ha ssf off
This command is used to disable the SSF function.
ha synconfig bootup on
This command is used to enable bootup configuration synchronization. By default, bootup
configuration synchronization is disabled.
Bootup configuration synchronization will synchronize all configurations from the peer HA unit
that first joins the HA domain, except those configurations specific only to an HA unit or to be
implemented only on the specified HA unit.
All the configurations will be synchronized except those matching the following blacklist:
[Bootup Synconfig Blacklist]:
    ip address
    ip route
    bond
    hostname
    vlan
    access
    ssh ip
    webui ip
    webui port
    webwall
    ip redundant
    cluster virtual priority
    interface name
    ha on
    ha off
    ha log on
    ha log off
    passwd enable
       Note: Before using bootup configuration synchronization, the administrator needs to:
           Set the identical synconfig challenge code using the “synconfig challenge” command
            on each HA unit.
           Configure all HA units as synconfig peers using the “synconfig peer” command on
            each HA unit.
ha synconfig bootup off
This command is used to disable bootup configuration synchronization.
ha synconfig runtime on
This command is used to enable runtime configuration synchronization. By default, runtime
configuration synchronization is disabled.
When runtime configuration synchronization is enabled, all CLI commands executed on the local
unit will be synchronized to peer units for execution except the CLI commands that are specific to
the local unit and need to be executed only on the local unit.
A CLI command that matches the following blacklist but does not match the following whitelist
will not be synchronized. A CLI command that matches the whitelist, or that does not match the
blacklist, will be synchronized.
[Runtime Synconfig Whitelist]:
    Global:
         write memory ...
         ip dns ...
         no ip dns ...
         clear ip dns ...
          clear config timeout ...
     Virtual Site:
          write memory ...
[Runtime Synconfig Blacklist]:
    Global:
         ha on ...
         ha off ...
         ha synconfig runtime off ...
         ha group enable ...
         ha group disable ...
         clear ha all ...
         switch ...
         enable ...
         configure ...
         engineering ...
         exit ...
         quit ...
         show ...
         write ...
         debug ...
         no debug ...
         synconfig ...
         no synconfig ...
         clear synconfig ...
         webui ip ...
         webui port ...
         webwall ...
         accessgroup ...
         accesslist ...
         no accessgroup ...
         no accesslist ...
         clear webui ip ...
         clear webui port ...
         ip ...
         no ip ...
         clear ip ...
         cluster virtual priority ...
         no cluster virtual priority ...
         ping ...
         traceroute ...
         nslookup ...
         vlan ...
         bond ...
          hostname ...
          no hostname ...
          passwd enable ...
          ssh ip ...
          no ssh ip ...
          admin reset configmode ...
          system fallback ...
          no system fallback ...
          system component ...
          system reboot ...
          system shutdown ...
          system console ...
          system dump ...
          system flexlicense ...
          system license ...
          no system license ...
          system interactive ...
          system serialnumber ...
          system test ...
          system update ...
          clear config ...
          art export ...
          support ...
          help ...
          who ...
          whoami ...
     Virtual Site:
          switch ...
          enable ...
          configure ...
          exit ...
          quit ...
          show ...
          write ...
          client security export ...
For example, “write ...” is in the blacklist while “write memory ...” is in the whitelist.
    When “write file”, “write net scp”, “write net tftp”, “write net all scp”, “write net all tftp”
     or any other command prefixed with “write” is executed, it will not be synchronized to peer
     units for execution, because it matches the blacklist entry “write ...” but no whitelist entry.
    When the “write memory all” command is executed, it will be synchronized to peer units for
     execution, because it matches the whitelist entry “write memory ...”.
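The following Python example is added here and is not part of the Array Networks handbook or of the ArrayOS CLI. It implements the matching rule above (whitelist match wins, then blacklist match suppresses, everything else is synchronized) against a constructed subset of the global-scope lists, so an administrator can predict which typed commands a peer unit will execute. The function names (is_synchronized, split_by_sync) and the sample session are this example's own.

```python
# Constructed subset of the handbook's global-scope runtime synconfig lists.
# Each entry is a command prefix; the trailing "..." stands for any arguments.
WHITELIST = [
    "write memory ...",
    "ip dns ...",
    "no ip dns ...",
    "clear ip dns ...",
    "clear config timeout ...",
]
BLACKLIST = [
    "ha on ...", "ha off ...", "ha synconfig runtime off ...",
    "show ...", "write ...", "debug ...",
    "ip ...", "no ip ...", "clear ip ...",
    "webui ip ...", "webui port ...", "accesslist ...", "accessgroup ...",
    "cluster virtual priority ...", "passwd enable ...", "ssh ip ...",
    "system reboot ...", "system shutdown ...",
]


def _matches(pattern, command):
    """True if the command's leading words equal the pattern's words before '...'."""
    words = pattern.split()
    if words and words[-1] == "...":
        words = words[:-1]
    cmd = command.split()
    return len(cmd) >= len(words) and cmd[:len(words)] == words


def is_synchronized(command, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Handbook rule: a command that matches the whitelist is synchronized; otherwise
    a command that matches the blacklist is not; anything else is synchronized."""
    if any(_matches(p, command) for p in whitelist):
        return True
    if any(_matches(p, command) for p in blacklist):
        return False
    return True


def split_by_sync(commands):
    """Partition a list of commands into (synchronized, local_only), order preserved."""
    synced = [c for c in commands if is_synchronized(c)]
    local = [c for c in commands if not is_synchronized(c)]
    return synced, local


if __name__ == "__main__":
    # Constructed sample session; the commands are illustrative, not from the handbook.
    session = [
        "write memory all",
        "write net scp 192.0.2.7 running.cfg",
        "ip dns 192.0.2.53",
        "ip address port1 192.0.2.10 255.255.255.0",
        "passwd enable",
        "ssh ip 192.0.2.10 22",
        "accesslist 10.0.0.0 255.0.0.0",
        "slb virtual http vs_web 192.0.2.100 80",
    ]
    synced, local = split_by_sync(session)
    print("synchronized to peers:", *synced, sep="\n  ")
    print("executed on this unit only:", *local, sep="\n  ")
```

The practical consequence of the blacklist is worth checking before relying on runtime synchronization: “passwd enable”, “ssh ip”, “webui ip”, “webui port”, “accesslist” and “accessgroup” are all local-only, so an enable password or management-plane restriction applied on one unit does not reach its peers and must be configured on every unit.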
           Note: The runtime configuration synchronization cannot synchronize the configurations of
           “art import users file” and “art import config file”.
ha synconfig runtime off
This command is used to disable runtime configuration synchronization.
ha synconfig module [module]
This command is used to set the module whose configurations will be synchronized by runtime
configuration synchronization.
module                           This parameter specifies the module whose configurations will be
                                 synchronized by runtime configuration synchronization. Its value
                                 must be:
                                     art: indicates that only ART module’s configurations will be
                                      synchronized.
                                     all: indicates that all modules’ configurations except those in
                                      the blacklist will be synchronized.
                                 The default value is all.
ha arp interval <interval>
This command is used to set the interval at which the local unit sends ARP broadcast packets.
interval                         This parameter specifies the interval of sending ARP broadcast
                                 packets, in seconds. Its value must be set to 0 or an integer ranging
                                 from 30 to 65,535. 0 indicates that the ARP broadcast packets will
                                 be sent only when the group status on local HA unit is switched to
                                 “Active”.
                                 The default value is 30.
ha rejoin on <time>
This command is used to enable the function of forcing HA units to rejoin the HA domain at
specified interval. This function works for the Active-Standby mode only and should be
configured on both active and standby units. After this function is enabled, the HA function will
be disabled and then enabled on the peer unit at the specified interval. By default, this function is
disabled.
time                             This parameter specifies the schedule at which HA units will be
                                 forced to rejoin the HA domain. Its value must be a string of 1 to
                                 512 characters in the crontab format, which consists of the time
                                 information items “minute”, “hour”, “day”, “month” and
                                 “day-of-week”, separated by spaces. “*” and “/” are supported in
                                 each time information item. If a time information item contains
                                 multiple values, the values must be separated with “,”.
The value ranges of the time information items are as follows:
    Time Information Item          Value Range
    minute                         0-59
    hour                           0-23
    day                            1-31
    month                          1-12
    day-of-week                    0-6 (“0” to “6” indicates Sunday to Saturday)
Example:
AN(config)# ha rejoin on "5 10 * * *"
After this command is executed, the HA function will be disabled and then enabled at 10:05 every
day on the peer unit.
AN(config)# ha rejoin on "5 10 * * 1,2"
After this command is executed, the HA function will be disabled and then enabled at 10:05 every
Monday and Tuesday on the peer unit.
AN(config)# ha rejoin on "*/5 * * * *"
After this command is executed, the HA function will be disabled and then enabled every five
minutes on the peer unit.
ha rejoin off
This command is used to disable the function of forcing HA units to rejoin the HA domain.
show ha rejoin
This command is used to display the configuration of the function of forcing HA units to rejoin
the HA domain.
ha log on
This command is used to enable the HA logging function. By default, this function is disabled.
ha log off
This command is used to disable the HA logging function.
ha log level <log_level>
This command is used to set the level of the HA logs that the system generates.
log_level                        This parameter specifies the level of HA logs. Its valid values
                                 are emerg, alert, crit, err, warning, notice, info and debug. The
                                 default value is info. Once the level is set, HA messages below
                                 that level are not logged.
show ha log [line]
This command is used to display the HA log file.
line                             Optional. This parameter specifies how many lines of HA logs will
                                 be displayed. Its value ranges from 1 to 4,294,967,295. The default
                                 value is 100, indicating that the latest 100 lines of HA logs
                                 generated by the system will be displayed.
clear ha log
This command is used to clear all the HA logs.
show ha config
This command is used to display all HA configurations.
clear ha all
This command is used to clear all the HA configurations.
show ha status
This command is used to display the status of all units in the HA domain, including the domain
status, group status, synconfig status, whitelist and blacklist of runtime synconfig, link status and
so on.
HA Groups
ha group id <group_id>
This command is used to add a floating IP group for the local unit. A maximum of 256 groups can
be added for each unit.
group_id                         This parameter specifies the ID of the floating IP group, which
                                 ranges from 0 to 255.
no ha group id <group_id>
This command is used to delete the specified floating IP group from the local unit.
clear ha group id
This command is used to delete all the floating IP groups from the local unit.
ha group fip <group_id> <fip> [interface]
This command is used to configure a floating IP address for the specified floating IP group. The
total number of floating IP addresses and floating IP ranges configured for a floating IP group
cannot exceed 16.
group_id                         This parameter specifies the ID of the floating IP group, which
                                 ranges from 0 to 255.
fip                              This parameter specifies the floating IP address, which can be an
                                 IPv4 or IPv6 address.
interface                        Optional. This parameter specifies the interface to which the
                                 floating IP address is bound. Its value should be a string of 1 to 32
                                 characters.
no ha group fip <group_id> <fip>
This command is used to delete a floating IP address from the specified floating IP group.
clear ha group fip <group_id>
This command is used to delete all floating IP addresses from the specified floating IP group.
ha group fiprange <group_id> <start_fip> <end_fip> [interface]
This command is used to configure a floating IP range for the specified floating IP group, and bind
it to a specific system interface. Each floating IP range contains at most 256 IP addresses. The
total number of floating IP addresses and floating IP ranges configured for a floating IP group
cannot exceed 16.
group_id                         This parameter specifies the ID of the floating IP group, which
                                 ranges from 0 to 255.
start_fip                        This parameter specifies the start IP address of the floating IP
                                 range, which can be an IPv4 or IPv6 address.
end_fip                          This parameter specifies the end IP address of the floating IP range,
                                 which can be an IPv4 or IPv6 address.
interface                        Optional. This parameter specifies the interface to which the
                                 floating IP address is bound. Its value should be a string of 1 to 32
                                 characters.
          Note:
             All the IP addresses in the floating IP range, including the start IP and the end IP,
                cannot be those assigned to specific interfaces by the command “ip address”.
             The scope of the floating IP range must be greater than or equal to that of any existing
                IP address pool.
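The following Python example is added here and is not part of the Array Networks handbook or of the ArrayOS CLI. Using only the standard library's ipaddress module, it checks a proposed floating IP group against the constraints stated for “ha group fip” and “ha group fiprange”: both ends of a range in the same address family, at most 256 addresses per range, at most 16 entries per group, and no range member colliding with an address already assigned by “ip address”. The single-address check against interface addresses is deliberately not applied, since the handbook states that rule for ranges only. The function names and sample addresses are this example's own.

```python
import ipaddress

MAX_RANGE_SIZE = 256          # addresses per floating IP range
MAX_ENTRIES_PER_GROUP = 16    # single fips plus fipranges per group


def expand_fiprange(start_fip, end_fip):
    """Return every address in an inclusive floating IP range, enforcing the documented
    limits: both ends in the same address family and at most 256 addresses."""
    start = ipaddress.ip_address(start_fip)
    end = ipaddress.ip_address(end_fip)
    if start.version != end.version:
        raise ValueError("start_fip and end_fip must both be IPv4 or both be IPv6")
    if end < start:
        raise ValueError("end_fip must not precede start_fip")
    size = int(end) - int(start) + 1
    if size > MAX_RANGE_SIZE:
        raise ValueError(f"range holds {size} addresses; the limit is {MAX_RANGE_SIZE}")
    return [start + i for i in range(size)]   # address + int stays in the same family


def is_valid_fiprange(start_fip, end_fip):
    try:
        expand_fiprange(start_fip, end_fip)
        return True
    except ValueError:
        return False


def validate_group(fips, fipranges, interface_ips):
    """Check one floating IP group: at most 16 entries in total, and no range member may
    be an address already assigned to an interface with 'ip address'. Returns the set of
    addresses the group will float, or raises ValueError."""
    entries = len(fips) + len(fipranges)
    if entries > MAX_ENTRIES_PER_GROUP:
        raise ValueError(f"{entries} entries; the limit is {MAX_ENTRIES_PER_GROUP}")
    assigned = {ipaddress.ip_address(a) for a in interface_ips}
    floating = {ipaddress.ip_address(f) for f in fips}
    for start_fip, end_fip in fipranges:
        members = expand_fiprange(start_fip, end_fip)
        clash = assigned.intersection(members)
        if clash:
            raise ValueError(f"range {start_fip}-{end_fip} contains interface address(es) "
                             f"{sorted(str(a) for a in clash)}")
        floating.update(members)
    return floating


def group_is_valid(fips, fipranges, interface_ips):
    try:
        validate_group(fips, fipranges, interface_ips)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one interface address, one single fip and one range.
    iface_ips = ["192.0.2.1"]
    for ranges in ([("192.0.2.10", "192.0.2.20")], [("192.0.2.0", "192.0.2.20")]):
        try:
            floated = validate_group(["192.0.2.100"], ranges, iface_ips)
            print(f"{ranges}: OK, {len(floated)} floating addresses")
        except ValueError as err:
            print(f"{ranges}: rejected: {err}")
```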
no ha group fiprange <group_id> <start_fip> <end_fip>
This command is used to delete a floating IP range from the specified floating IP group.
clear ha group fiprange <group_id>
This command is used to delete all floating IP ranges from the specified floating IP group.
ha group priority <unit_id> <group_id> <priority>
This command is used to configure the priority of a specified floating IP group on the specified
HA unit.
unit_id                            This parameter specifies the ID of the HA unit. It can be the local
                                   unit or a peer unit.
group_id                           This parameter specifies the ID of the floating IP group.
priority                           This parameter specifies the priority of the specified floating IP
                                   group on the specified unit. Its value ranges from 0 to 255. The
                                   larger the value, the higher the priority.
           Note: The administrator can also modify the priority of the floating IP group on the unit by
           executing this command. If the priority of a floating IP group is not specified on a unit, the
           group will not take effect on the unit, and the status of the group will always be “Init”.
no ha group priority <unit_id> <group_id>
This command is used to delete an HA group priority in an HA unit.
ha group preempt on <group_id>
This command is used to enable the preempt mode for a specified floating IP group or all floating
IP groups. With the preempt mode enabled, the status of a floating IP group on the available unit
with the highest group priority will be always kept as “Active”. By default, the preempt mode is
disabled for the floating IP group.
group_id                           This parameter specifies the ID of the floating IP group, which
                                   ranges from 0 to 256. “256” means enabling the preempt mode for
                                   all floating IP groups.
ha group preempt off <group_id>
This command is used to disable the preempt mode for a specified floating IP group or all floating
IP groups.
group_id                        This parameter specifies the ID of the floating IP group, which
                                ranges from 0 to 256. “256” means disabling the preempt mode for
                                all floating IP groups.
ha group enable <group_id>
This command is used to enable a specified floating IP group or all floating IP groups on the local
unit.
group_id                        This parameter specifies the ID of the floating IP group, which
                                ranges from 0 to 256. “256” means enabling all the floating IP
                                groups on the local unit.
ha group disable <group_id>
This command is used to disable a specified floating IP group or all floating IP groups on the
local unit.
group_id                        This parameter specifies the ID of the floating IP group, which
                                ranges from 0 to 256. “256” means disabling all the floating IP
                                groups on the local unit.
Health Check
ha hc peerunit [interval] [down_check_times]
This command is used to set the interval at which the local unit sends heartbeat packets to the peer
units over the primary link and the secondary link(s), and the number of consecutive misses after
which a peer is considered failed. If no heartbeat response is received from a peer unit on any of
the links for the number of consecutive intervals specified by “down_check_times”, the status of
that peer unit is marked as “Down”. Otherwise, the status of the peer unit is marked as “Up”.
interval                        Optional. This parameter specifies the interval at which the
                                heartbeat packets are sent, in milliseconds (ms). The value of this
                                parameter ranges from 1000 to 10,000. The default value is 1000.
down_check_times                Optional. This parameter specifies the number of consecutive
                                heartbeat intervals without a response from the peer unit after
                                which the peer unit is marked as “Down”. Its value ranges from 3 to
                                1000. The default value is 3.
ha hc gateway <unit_id> <ip> <condition_name> [interval] [up_check_times]
[down_check_times]
This command is used to configure a gateway health check condition for a specified HA unit.
unit_id                       This parameter specifies the ID of an HA unit, which can be the
                              local unit or a peer unit.
ip                            This parameter specifies the gateway IP address of the specified HA
                              unit. It can be an IPv4 or IPv6 address.
condition_name                This parameter specifies the condition name for this gateway health
                              check. The value of this parameter ranges from GATEWAY_1 to
                              GATEWAY_32.
interval                      Optional. This parameter specifies the interval, in ms, at which the
                              health check is performed. The value of this parameter ranges from
                              1000 to 10,000. The default value is 1000.
up_check_times                Optional. This parameter specifies the number of consecutive times
                              (that the health check result is “Up”) for marking the gateway as
                              “Up”. The value of this parameter ranges from 3 to 10. The default
                              value is 3.
down_check_times              Optional. This parameter specifies the number of consecutive times
                              (that the health check result is “Down”) for marking the gateway as
                              “Down”. The value of this parameter ranges from 3 to 10. The
                              default value is 3.
no ha hc gateway <unit_id> <ip>
This command is used to delete a gateway health check condition configured for a specified HA
unit.
clear ha hc gateway
This command is used to delete all configured gateway health check conditions.
ha hc cpu overheat <temperature> [interval] [up_check_times]
[down_check_times]
This command is used to configure the CPU overheat health check condition for the local HA
unit.
temperature                   This parameter specifies the temperature threshold for CPU
                              overheat, in ℃. The value of this parameter ranges from 1 to 100.
interval                       Optional. This parameter specifies the interval, in ms, at which the
                               health check is performed. The value of this parameter ranges from
                               5000 to 1,000,000. The default value is 5000.
up_check_times                 Optional. This parameter specifies the number of consecutive times
                               (that the CPU temperature does not exceed the threshold) for
                               marking the condition status as “Up”. The value of this parameter
                               ranges from 3 to 10. The default value is 3.
down_check_times               Optional. This parameter specifies the number of consecutive times
                               (that the CPU temperature exceeds the threshold) for marking the
                               condition status as “Down”. The value of this parameter ranges from
                               3 to 10. The default value is 3.
no ha hc cpu overheat
This command is used to delete the CPU overheat health check condition configured for the local
HA unit.
ha hc cpu utilization <fatal_percent> [interval] [up_check_times]
[down_check_times]
This command is used to add the CPU utilization health check condition for the local HA unit.
fatal_percent                  This parameter specifies the threshold for the CPU utilization. The
                               value of this parameter ranges from 1 to 100, in %.
interval                       Optional. This parameter specifies the interval, in ms, at which the
                               health check is performed. The value of this parameter ranges from
                               5000 to 1,000,000. The default value is 5000.
up_check_times                 Optional. This parameter specifies the number of consecutive times
                               (that the CPU utilization does not exceed the threshold) for marking
                               the condition status as “Up”. The value of this parameter ranges
                               from 3 to 10. The default value is 3.
down_check_times               Optional. This parameter specifies the number of consecutive times
                               (that the CPU utilization exceeds the threshold) for marking the
                               condition status as “Down”. The value of this parameter ranges
                               from 3 to 10. The default value is 3.
no ha hc cpu utilization
This command is used to delete the CPU utilization health check condition configured for the
local HA unit.
clear ha hc cpu all
This command is used to delete all the CPU health check conditions configured for the local HA
unit, including the CPU overheat health check conditions and CPU utilization health check
conditions.
ha hc memory atcpzone <zone_name> <fatal_percent> <condition_name>
[up_check_times] [down_check_times]
This command is used to configure a memory utilization health check condition for a specified
ATCP zone on the local HA unit.
zone_name                      This parameter specifies the name of an ATCP zone. The entered
                               ATCP zone name is case-sensitive and must be enclosed in double
                               quotes. It only supports the following predefined names:
                               - SSL record
                               - SSL poll items
                               - SSL HW
                               - SSL connection
                               - Proxy client
                               - Proxy cookie
                               - Proxy connection
                               - Proxy
                               - uProxy event
                               - TCP hash node
                               - TCP small pcb
                               - TCP pcb
fatal_percent                  This parameter specifies the threshold for the memory utilization of
                               the specified ATCP zone. The value of this parameter ranges from 1
                               to 100, in %.
condition_name                 This parameter specifies the name of the health check condition.
                               The value of this parameter ranges from ATCPZONE_1 to
                               ATCPZONE_64.
up_check_times                 Optional. This parameter specifies the number of consecutive times
                               (that the memory utilization of the specified ATCP zone does not
                               exceed the threshold) for marking the condition status as “Up”. The
                               value of this parameter ranges from 3 to 10. The default value is 3.
down_check_times               Optional. This parameter specifies the number of consecutive times
                               (that the memory utilization of the specified ATCP zone exceeds the
                               threshold) for marking the condition status as “Down”. The value of
                               this parameter ranges from 3 to 10. The default value is 3.
no ha hc memory atcpzone <zone_name> <condition_name>
This command is used to delete a memory utilization health check condition configured for a
specified ATCP zone on the local HA unit.
clear ha hc memory atcpzone
This command is used to delete all the memory utilization health check conditions configured for
ATCP zones on the local HA unit.
ha hc memory mbuf <fatal_percent> [up_check_times] [down_check_times]
This command is used to configure an Mbuf utilization health check condition for the local HA
unit.
fatal_percent                  This parameter specifies the threshold for the Mbuf utilization. The
                               value of this parameter ranges from 1 to 100, in %.
up_check_times                 Optional. This parameter specifies the number of consecutive times
                               (that the Mbuf utilization does not exceed the threshold) for
                               marking the condition status as “Up”. The value of this parameter
                               ranges from 3 to 10. The default value is 3.
down_check_times               Optional. This parameter specifies the number of consecutive times
                               (that the Mbuf utilization exceeds the threshold) for marking the
                               condition status as “Down”. The value of this parameter ranges
                               from 3 to 10. The default value is 3.
no ha hc memory mbuf
This command is used to delete the Mbuf utilization health check condition configured for the
local HA unit.
ha hc memory mpool <mpool_name> <fatal_percent> <condition_name>
[up_check_times] [down_check_times]
This command is used to configure a memory utilization health check condition for a specified
memory pool (mpool) on the local HA unit.
mpool_name                     This parameter specifies the name of an mpool. The entered mpool
                               name is case-sensitive and must be enclosed in double quotes. It
                              only supports the following predefined names:
                              - userland events
                              - incomplete conns
                              - Cache Transactions
                              - IPC Transactions
                              - vpn_session
                              - vpn_tunnel
                              - vpn_conn
                              - proxy_t
                              - proxy_conn_data
                              - frame
                              - comp_scg
                              - ssl_crypto_data_t
fatal_percent                 This parameter specifies the threshold for the memory utilization of
                              the specified mpool. The value of this parameter ranges from 1 to
                              100, in %.
condition_name                This parameter specifies the name of the health check condition.
                              The value of this parameter ranges from MPOOL_1 to
                              MPOOL_16.
up_check_times                Optional. This parameter specifies the number of consecutive times
                              (that the memory utilization of the specified mpool does not exceed
                              the threshold) for marking the condition status as “Up”. The value
                              of this parameter ranges from 3 to 10. The default value is 3.
down_check_times              Optional. This parameter specifies the number of consecutive times
                              (that the memory utilization of the specified mpool exceeds the
                              threshold) for triggering the “Down” status. The value of this
                              parameter ranges from 3 to 10. The default value is 3.
no ha hc memory mpool <mpool_name> <condition_name>
This command is used to delete a memory utilization health check condition configured for a
specified mpool on the local HA unit.
clear ha hc memory mpool
This command is used to delete the memory utilization health check conditions configured for all
the mpools on the local HA unit.
ha hc memory system [free_space_threshold] [used_swap_threshold]
[up_check_times] [down_check_times]
This command is used to configure a system memory health check condition for the local HA unit.
Each check compares the free system memory against the free space threshold and the used swap
space against the used swap threshold. The health check result is “Down” when the free system
memory is smaller than the free space threshold and the used swap space exceeds the used swap
threshold; a threshold of 0 disables the corresponding comparison.
free_space_threshold           Optional. This parameter specifies the threshold for the system free
                               space, in MB. The value of this parameter ranges from 0 to 8192.
                               The default value is 50. 0 indicates the system will not check
                               whether the free system space is smaller than the free space
                               threshold.
used_swap_threshold            Optional. This parameter specifies the threshold for the used swap
                               space, in MB. The value of this parameter ranges from 0 to 8192.
                               The default value is 0, indicating that the system will not check
                               whether the used swap space exceeds the threshold.
up_check_times                 Optional. This parameter specifies the number of consecutive times
                               (that the health check result is “Up”) for marking the condition
                               status as “Up”. The value of this parameter ranges from 3 to 10. The
                               default value is 3.
down_check_times               Optional. This parameter specifies the number of consecutive times
                               (that the health check result is “Down”) for marking the condition
                               status as “Down”. The value of this parameter ranges from 3 to 10.
                               The default value is 3.
no ha hc memory system
This command is used to delete the system memory health check condition configured for the
local HA unit.
ha hc memory interval [interval]
This command is used to configure the interval at which all types of memory health checks are
performed on the local HA unit. The interval takes effect for the following types of memory
health checks:
- Health check on the memory utilization of ATCP zones
- Mbuf utilization health check
- Health check on the memory utilization of mpools
- System memory health check
interval                       Optional. This parameter specifies the interval, in ms, at which the
                               memory health check is performed. The value of this parameter
                               ranges from 5000 to 1,000,000. The default value is 5000.
clear ha hc memory all
This command is used to delete all types of memory health checks configured for the local HA
unit.
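The memory health checks above share a single interval, and the ATCP zone and mpool checks each need a condition name of their own while the Mbuf and system checks do not. The following configuration sequence is an added example and is not taken from the handbook; the “AN(config)#” prompt follows the form of the “show ha decision” example in this chapter, and the thresholds, the chosen zone and mpool, and the check counts are assumed values. It shows the double quotes that zone and mpool names require, the positional optional counts, and the one “ha hc memory interval” setting that governs all four check types:

```text
AN(config)#ha hc memory atcpzone "SSL connection" 90 ATCPZONE_1 3 3
AN(config)#ha hc memory mpool "vpn_session" 90 MPOOL_1 3 3
AN(config)#ha hc memory mbuf 85 3 5
AN(config)#ha hc memory system 100 512 3 3
AN(config)#ha hc memory interval 10000
AN(config)#show ha condition 0
AN(config)#no ha hc memory atcpzone "SSL connection" ATCPZONE_1
AN(config)#no ha hc memory mpool "vpn_session" MPOOL_1
```

With these values the MBUF condition goes “Down” only after five consecutive samples above 85% (50 seconds at the 10,000 ms interval) and returns to “Up” after three consecutive samples at or below it, so a single transient spike does not trigger a failover rule bound to MBUF. The system memory check marks the condition “Down” when free memory drops below 100 MB and used swap exceeds 512 MB; giving 0 as the swap threshold disables that half of the check. Because the optional counts are positional, “up_check_times” has to be entered whenever “down_check_times” is, and the “no” forms must repeat the quoted zone or mpool name exactly, since the names are case-sensitive.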
ha hc process <process_name> <condition_name>
This command is used to configure a health check condition for a specified process running on the
local HA unit. The local unit checks whether this process is running. When the specified process
is running, the condition status is marked as “Up”; when it is not running, the condition status is
marked as “Down”.
process_name                   This parameter specifies the name of a process. The entered process
                               name is case-sensitive and supports only the following predefined
                               names:
                               - lcd (LCD management daemon)
                               - certificate (Certificate management daemon)
                               - ipmanage (Cluster and HA IP management daemon)
                               - aaa (AAA daemon)
                               - session (Session management daemon)
                               - rewrite (Quicklink and Web Resource Mapping daemon)
                               - snmpinfo (SNMP information daemon)
                               - webui (WebUI management daemon)
                               - l2tp (L2TP management daemon)
                               - proxy (Proxy monitor daemon)
                               - ddserver (DesktopDirect server)
                               - vdi (DesktopDirect VDI agent)
                               - radius (RADIUS management daemon)
condition_name                 This parameter specifies the name of the process health check
                               condition. The value of this parameter ranges from PROCESS_1 to
                               PROCESS_32.
no ha hc process <process_name> <condition_name>
This command is used to delete a health check condition configured for a specified process
running on the local HA unit.
clear ha hc process
This command is used to delete all the health check conditions configured for the processes
running on the local HA unit.
ha hc sslcard [interval] [up_check_times] [down_check_times]
This command is used to configure the SSL card health check condition for the local HA unit.
interval                       Optional. This parameter specifies the interval, in ms, at which the
                               health check is performed. The value of this parameter ranges from
                               300,000 to 3,600,000. The default value is 300,000.
up_check_times                 Optional. This parameter specifies the number of consecutive times
                               (that the SSL card works normally) for marking the condition status
                               as “Up”. The value of this parameter ranges from 3 to 10. The
                               default value is 3.
down_check_times               Optional. This parameter specifies the number of consecutive times
                               (that the SSL card works abnormally) for marking the condition
                               status as “Down”. The value of this parameter ranges from 3 to 10.
                               The default value is 3.
no ha hc sslcard
This command is used to delete the SSL card health check condition configured for the local HA
unit.
ha hc vcondition name <vcondition_name> <condition_name> <logic>
This command is used to define a virtual condition (vcondition). A vcondition is a combination of
real health check conditions (or other vconditions) whose results are combined with “AND” or
“OR” logic.
vcondition_name                 This parameter specifies the name of the vcondition. The maximum
                                length of the vcondition name is 128 characters.
condition_name                  This parameter specifies the predefined condition name that is
                                associated with the vcondition. The value of this parameter ranges
                                from V_1 to V_32.
logic                           This parameter specifies the logical relationship among the
                                sub-conditions of the vcondition, which can be either “AND” or
                                “OR”. When “AND” is specified, the vcondition is met only if all
                                the sub-conditions are met. When “OR” is specified, the vcondition
                                is met if any sub-condition is met.
no ha hc vcondition name <vcondition_name>
This command is used to delete the specified vcondition from the local unit.
        Note:
        If the command “no ha hc vcondition name” is executed to delete a specified vcondition,
        the configurations related to this vcondition will also be deleted, including sub-conditions
        and related failover rules.
ha hc vcondition member <vcondition_name> <condition_name>
This command is used to add a real condition or an existing vcondition to a vcondition as a
sub-condition. A vcondition can comprise a maximum of 16 sub-conditions.
vcondition_name                 This parameter specifies the name of a vcondition.
condition_name                  This parameter specifies the name of a sub-condition, which can be
                                a real health check condition or a vcondition. Its value should be a
                                string of 1 to 128 characters.
no ha hc vcondition member <vcondition_name> <condition_name>
This command is used to delete a sub-condition from a specified vcondition.
clear ha hc vcondition member <vcondition_name>
This command is used to delete all sub-conditions from a specified vcondition.
clear ha hc vcondition all
This command is used to delete all vconditions from the local unit.
show ha condition [unit_id] [all]
This command is used to display the condition status of a specified unit or of all units.
unit_id                         Optional. This parameter specifies the ID of a unit. Its value ranges
                                from 0 to 32. The default value is 0, indicating all units; 1 to 32
                                indicates a specific HA unit.
all                             Optional. This parameter is available only when the “unit_id”
                                parameter is specified. If it is specified, the status of all
                                configured conditions (Port, Gateway, CPU Utilization, CPU
                                Temperature, Memory, Process, SSL Card, and Virtual Condition) is
                                displayed together with the status of the peer unit(s). If it is
                                not specified, only the status of the configured conditions is
                                displayed.
Decision
ha decision rule <condition_name> <action_name> [group_id]
This command is used to configure a failover rule for a specified floating IP group. The failover
rule indicates the failover operation to be performed when the result of a specified health check is
“Down”. A health check condition can be used for configuring a maximum of eight failover rules.
condition_name                  This parameter specifies the name of the health check condition.
                                The value of this parameter can be the name of a real health check
                                condition or a vcondition. The system supports the following
                                values:
                                - PORT_1~PORT_32: port health check conditions
                                - GATEWAY_1~GATEWAY_32: gateway health check conditions
                                - CPU_UTIL: CPU utilization health check condition
                                - CPU_TEMP: CPU overheat health check condition
                                - ATCPZONE_1~ATCPZONE_64: memory health check conditions of
                                  ATCP zones
                                - MBUF: Mbuf utilization health check condition
                                - MPOOL_1~MPOOL_16: mpool utilization health check conditions
                                - SYS_MEM: system memory health check condition
                                - PROCESS_1~PROCESS_32: process health check conditions
                                - SSLCARD: SSL card health check condition
                                - User-defined vcondition names
action_name                     This parameter specifies the failover operation to be performed
                                when the result of a specified health check is “Down”. The value of
                                this parameter can only be “Unit_Failover”, “Group_Failover” or
                                “Reboot”.
group_id                        Optional. This parameter specifies the ID of the floating IP group
                                for which the failover rule takes effect. This parameter is available
                                only when the parameter “action_name” is set to “Group_Failover”.
                                Its value ranges from 0 to 256. 0 to 255 indicates a specified
                                floating IP group; 256 indicates all floating IP groups.
       Note:
       - To ensure that every unit can obtain the running status of the other units, the failover
         rules configured on all the units must be the same.
       - The system provides predefined failover rules. You can view these predefined rules by
         running the command “show ha decision”. The “condition_name” of these predefined
         rules is PORT_1~PORT_32, and the corresponding “action_name” is always
         “Group_Failover”. You can execute this command to modify the “action_name” of these
         predefined rules.
no ha decision rule <condition_name> <action_name> [group_id]
This command is used to delete a failover rule of a specified floating IP group.
       Note: If the parameter “condition_name” is set to a value from “PORT_1” to “PORT_32”,
       the predefined rule is restored: the system resets its “action_name” to “Group_Failover”.
show ha decision
This command is used to display the failover rules of all floating IP groups on the local unit,
including both the predefined and customized rules.
AN(config)#show ha decision
ID          Condition_Name          Action_Name          Group_ID
0           PORT_1                  Group_Failover       -
1           PORT_2                  Group_Failover       -
2           PORT_3                  Group_Failover       -
3           PORT_4                  Group_Failover       -
4           PORT_5                  Group_Failover       -
5           PORT_6                  Group_Failover       -
6           PORT_7                  Group_Failover       -
7           PORT_8                  Group_Failover       -
8           PORT_9                  Group_Failover       -
9           PORT_10                 Group_Failover       -
10          PORT_11                 Group_Failover       -
11          PORT_12                 Group_Failover       -
12          PORT_13                 Group_Failover       -
13          PORT_14                 Group_Failover       -
14          PORT_15                 Group_Failover       -
15          PORT_16                 Group_Failover       -
16          PORT_17                 Group_Failover       -
17          PORT_18                 Group_Failover       -
18          PORT_19                 Group_Failover       -
19          PORT_20                 Group_Failover       -
20          PORT_21                 Group_Failover       -
21          PORT_22                 Group_Failover       -
22          PORT_23                 Group_Failover       -
23          PORT_24                 Group_Failover       -
24          PORT_25                 Group_Failover       -
25          PORT_26                 Group_Failover       -
26          PORT_27                 Group_Failover       -
27          PORT_28                 Group_Failover       -
28          PORT_29                 Group_Failover       -
29          PORT_30                 Group_Failover       -
30          PORT_31                 Group_Failover       -
31          PORT_32                 Group_Failover       -
32          SYS_MEM                 Unit_Failover        -
33          CPU_UTIL                Group_Failover       1
34          CPU_TEMP                Reboot               -
clear ha decision rule
This command is used to delete the failover rules of all floating IP groups.
Chapter 9 WebWall
This chapter covers the CLI commands used for configuring the WebWall function.
The system provides the WebWall function to filter the packets that need to pass through the AG
appliance. With the WebWall function enabled on a specified interface, when the packets reach
this interface of the AG appliance, the system will employ the Access Control List (ACL) permit
and deny rules associated with this interface to permit or deny the packets.
Access List
The system supports a maximum of 1024 ACL permit and deny rules. Every ACL permit or deny
rule has a unique ID. The ACL permit or deny rule will take effect only when it is associated with
a system interface, bond interface or VLAN interface using the “accessgroup” command.
accesslist permit icmp echorequest <source_ip>
{source_netmask|source_prefix} <destination_ip>
{destination_netmask|destination_prefix} <accesslist_id>
This command is used to configure an ACL permit rule to allow the specified ICMP echo request
packet to pass through the system.
source_ip                          This parameter specifies the IP address of the source subnet to
                                   which the ICMP echo request packet belongs. Its value must be
                                   an IPv4 or IPv6 address.
source_netmask|source_prefix       This parameter specifies the netmask or prefix length of the
                                   source IP address.
                                       “source_netmask” indicates the netmask of the IPv4
                                        address. Its value must be a dotted IP address or an integer
                                        ranging from 0 to 32.
                                       “source_prefix” indicates the prefix length of the IPv6
                                        address. Its value must be an integer ranging from 0 to 128.
destination_ip                     This parameter specifies the IP address of the destination subnet.
                                   Its value must be an IPv4 or IPv6 address.
destination_netmask|destination_prefix
                                   This parameter specifies the netmask or prefix length of the
                                   destination IP address.
                                       “destination_netmask” indicates the netmask of the IPv4
                                        address. Its value must be a dotted IP address or an integer
                                        ranging from 0 to 32.
                                       “destination_prefix” indicates the prefix length of the IPv6
                                       address. Its value must be an integer ranging from 0 to 128.
accesslist_id                     This parameter specifies the ID of the ACL permit rule. Its value
                                  must be an integer ranging from 1 to 999.
accesslist permit icmp echoreply <source_ip>
{source_netmask|source_prefix} <destination_ip>
{destination_netmask|destination_prefix} <accesslist_id>
This command is used to configure an ACL permit rule to allow the specified ICMP echo reply
packet to pass through the system.
source_ip                         This parameter specifies the IP address of the source subnet to
                                  which the ICMP echo reply packet belongs. Its value must be an
                                  IPv4 or IPv6 address.
source_netmask|source_prefix      This parameter specifies the netmask or prefix length of the
                                  source IP address. For details, please refer to the
                                  “source_netmask|source_prefix” parameter in the “accesslist
                                  permit icmp echorequest” command.
destination_ip                    This parameter specifies the IP address of the destination subnet.
                                  Its value must be an IPv4 or IPv6 address.
destination_netmask|destination_prefix
                                  This parameter specifies the netmask or prefix length of the
                                  destination IP address. For details, please refer to the
                                  “destination_netmask|destination_prefix” parameter in the
                                  “accesslist permit icmp echorequest” command.
accesslist_id                     This parameter specifies the ID of the ACL permit rule. Its value
                                  must be an integer ranging from 1 to 999.
accesslist permit tcp <source_ip> {source_netmask|source_prefix}
<source_port> <destination_ip> {destination_netmask|destination_prefix}
<destination_port> <accesslist_id>
This command is used to configure an ACL permit rule to allow the specified TCP packet to pass
through the system.
source_ip                         This parameter specifies the IP address of the source subnet to
                                  which the TCP packet belongs. Its value must be an IPv4 or
                                  IPv6 address.
source_netmask|source_prefix      This parameter specifies the netmask or prefix length of the
                                  source IP address. For details, please refer to the
                                  “source_netmask|source_prefix” parameter in the “accesslist
                                  permit icmp echorequest” command.
source_port                       This parameter specifies the source port number. Its value must
                                  be an integer ranging from 0 to 65535. “0” indicates all ports.
destination_ip                    This parameter specifies the IP address of the destination subnet.
                                  Its value must be an IPv4 or IPv6 address.
destination_netmask|destination_prefix
                                  This parameter specifies the netmask or prefix length of the
                                  destination IP address. For details, please refer to the
                                  “destination_netmask|destination_prefix” parameter in the
                                  “accesslist permit icmp echorequest” command.
destination_port                  This parameter specifies the destination port number. Its value
                                  must be an integer ranging from 0 to 65535. “0” indicates all
                                  ports.
accesslist_id                     This parameter specifies the ID of the ACL permit rule. Its value
                                  must be an integer ranging from 1 to 999.
accesslist permit udp <source_ip> {source_netmask|source_prefix}
<source_port> <destination_ip> {destination_netmask|destination_prefix}
<destination_port> <accesslist_id>
This command is used to configure an ACL permit rule to allow the specified UDP packet to pass
through the system.
source_ip                         This parameter specifies the IP address of the source subnet to
                                  which the UDP packet belongs. Its value must be an IPv4 or
                                  IPv6 address.
source_netmask|source_prefix      This parameter specifies the netmask or prefix length of the
                                  source IP address. For details, please refer to the
                                  “source_netmask|source_prefix” parameter in the “accesslist
                                  permit icmp echorequest” command.
source_port                       This parameter specifies the source port number. Its value must
                                  be an integer ranging from 0 to 65535. “0” indicates all ports.
destination_ip                    This parameter specifies the IP address of the destination subnet.
                                  Its value must be an IPv4 or IPv6 address.
destination_netmask|destination_prefix
                                  This parameter specifies the netmask or prefix length of the
                                  destination IP address. For details, please refer to the
                                  “destination_netmask|destination_prefix” parameter in the
                                  “accesslist permit icmp echorequest” command.
destination_port                  This parameter specifies the destination port number. Its value
                                  must be an integer ranging from 0 to 65535. “0” indicates all
                                  ports.
accesslist_id                     This parameter specifies the ID of the ACL permit rule. Its value
                                  must be an integer ranging from 1 to 999.
accesslist permit esp <source_ip> {source_netmask|source_prefix}
<destination_ip> {destination_netmask|destination_prefix} <accesslist_id>
This command is used to configure an ACL permit rule to allow the specified ESP-encrypted
packet to pass through the system. (ESP is the short form for Encapsulating Security Payload.)
source_ip                         This parameter specifies the IP address of the source subnet to
                                  which the ESP-encrypted packet belongs. Its value must be an
                                  IPv4 or IPv6 address.
source_netmask|source_prefix      This parameter specifies the netmask or prefix length of the
                                  source IP address. For details, please refer to the
                                  “source_netmask|source_prefix” parameter in the “accesslist
                                  permit icmp echorequest” command.
destination_ip                    This parameter specifies the IP address of the destination subnet.
                                  Its value must be an IPv4 or IPv6 address.
destination_netmask|destination_prefix
                                  This parameter specifies the netmask or prefix length of the
                                  destination IP address. For details, please refer to the
                                  “destination_netmask|destination_prefix” parameter in the
                                  “accesslist permit icmp echorequest” command.
accesslist_id                     This parameter specifies the ID of the ACL permit rule. Its value
                                  must be an integer ranging from 1 to 999.
accesslist permit ah <source_ip> {source_netmask|source_prefix}
<destination_ip> {destination_netmask|destination_prefix} <accesslist_id>
This command is used to configure an ACL permit rule to allow the specified AH-encapsulated
packet to pass through the system. (AH is the short form for Authentication Header.)
source_ip                         This parameter specifies the IP address of the source subnet to
                                  which the AH-encapsulated packet belongs. Its value must be an
                                  IPv4 or IPv6 address.
source_netmask|source_prefix      This parameter specifies the netmask or prefix length of the
                                  source IP address. For details, please refer to the
                                  “source_netmask|source_prefix” parameter in the “accesslist
                                  permit icmp echorequest” command.
destination_ip                    This parameter specifies the IP address of the destination subnet.
                                  Its value must be an IPv4 or IPv6 address.
destination_netmask|destination_prefix
                                  This parameter specifies the netmask or prefix length of the
                                  destination IP address. For details, please refer to the
                                  “destination_netmask|destination_prefix” parameter in the
                                  “accesslist permit icmp echorequest” command.
accesslist_id                     This parameter specifies the ID of the ACL permit rule. Its value
                                  must be an integer ranging from 1 to 999.
accesslist deny icmp echorequest <source_ip>
{source_netmask|source_prefix} <destination_ip>
{destination_netmask|destination_prefix} <accesslist_id>
This command is used to configure an Access Control List (ACL) deny rule to disallow the
specified ICMP echo request packet to pass through the system.
source_ip                         This parameter specifies the IP address of the source subnet to
                                  which the ICMP echo request packet belongs. Its value must be
                                  an IPv4 or IPv6 address.
source_netmask|source_prefix      This parameter specifies the netmask or prefix length of the
                                  source IP address. For details, please refer to the
                                  “source_netmask|source_prefix” parameter in the “accesslist
                                  permit icmp echorequest” command.
destination_ip                    This parameter specifies the IP address of the destination subnet.
                                  Its value must be an IPv4 or IPv6 address.
destination_netmask|destination_prefix
                                  This parameter specifies the netmask or prefix length of the
                                  destination IP address. For details, please refer to the
                                  “destination_netmask|destination_prefix” parameter in the
                                  “accesslist permit icmp echorequest” command.
accesslist_id                     This parameter specifies the ID of the ACL deny rule. Its value
                                  must be an integer ranging from 1 to 999.
accesslist deny icmp echoreply <source_ip>
{source_netmask|source_prefix} <destination_ip>
{destination_netmask|destination_prefix} <accesslist_id>
This command is used to configure an Access Control List (ACL) deny rule to disallow the
specified ICMP echo reply packet to pass through the system.
source_ip                         This parameter specifies the IP address of the source subnet to
                                  which the ICMP echo reply packet belongs. Its value must be an
                                  IPv4 or IPv6 address.
source_netmask|source_prefix      This parameter specifies the netmask or prefix length of the
                                  source IP address. For details, please refer to the
                                  “source_netmask|source_prefix” parameter in the “accesslist
                                  permit icmp echorequest” command.
destination_ip                    This parameter specifies the IP address of the destination subnet.
                                  Its value must be an IPv4 or IPv6 address.
destination_netmask|destination_prefix
                                  This parameter specifies the netmask or prefix length of the
                                  destination IP address. For details, please refer to the
                                  “destination_netmask|destination_prefix” parameter in the
                                  “accesslist permit icmp echorequest” command.
accesslist_id                     This parameter specifies the ID of the ACL deny rule. Its value
                                  must be an integer ranging from 1 to 999.
accesslist deny tcp <source_ip> {source_netmask|source_prefix}
<source_port> <destination_ip> {destination_netmask|destination_prefix}
<destination_port> <accesslist_id>
This command is used to configure an ACL deny rule to disallow the specified TCP packet to pass
through the system.
source_ip                         This parameter specifies the IP address of the source subnet to
                                  which the TCP packet belongs. Its value must be an IPv4 or
                                  IPv6 address.
source_netmask|source_prefix      This parameter specifies the netmask or prefix length of the
                                  source IP address. For details, please refer to the
                                  “source_netmask|source_prefix” parameter in the “accesslist
                                  permit icmp echorequest” command.
source_port                       This parameter specifies the source port number. Its value must
                                  be an integer ranging from 0 to 65535. “0” indicates all ports.
destination_ip                    This parameter specifies the IP address of the destination subnet.
                                  Its value must be an IPv4 or IPv6 address.
destination_netmask|destination_prefix
                                  This parameter specifies the netmask or prefix length of the
                                  destination IP address. For details, please refer to the
                                  “destination_netmask|destination_prefix” parameter in the
                                  “accesslist permit icmp echorequest” command.
destination_port                  This parameter specifies the destination port number. Its value
                                  must be an integer ranging from 0 to 65535. “0” indicates all
                                  ports.
accesslist_id                     This parameter specifies the ID of the ACL deny rule. Its value
                                  must be an integer ranging from 1 to 999.
accesslist deny udp <source_ip> {source_netmask|source_prefix}
<source_port> <destination_ip> {destination_netmask|destination_prefix}
<destination_port> <accesslist_id>
This command is used to configure an ACL deny rule to disallow the specified UDP packet to
pass through the system.
source_ip                         This parameter specifies the IP address of the source subnet to
                                  which the UDP packet belongs. Its value must be an IPv4 or
                                  IPv6 address.
source_netmask|source_prefix      This parameter specifies the netmask or prefix length of the
                                  source IP address. For details, please refer to the
                                  “source_netmask|source_prefix” parameter in the “accesslist
                                  permit icmp echorequest” command.
source_port                       This parameter specifies the source port number. Its value must
                                  be an integer ranging from 0 to 65535. “0” indicates all ports.
destination_ip                    This parameter specifies the IP address of the destination subnet.
                                  Its value must be an IPv4 or IPv6 address.
destination_netmask|destination_prefix
                                  This parameter specifies the netmask or prefix length of the
                                  destination IP address. For details, please refer to the
                                  “destination_netmask|destination_prefix” parameter in the
                                  “accesslist permit icmp echorequest” command.
destination_port                  This parameter specifies the destination port number. Its value
                                  must be an integer ranging from 0 to 65535. “0” indicates all
                                  ports.
accesslist_id                     This parameter specifies the ID of the ACL deny rule. Its value
                                  must be an integer ranging from 1 to 999.
accesslist deny esp <source_ip> {source_netmask|source_prefix}
<destination_ip> {destination_netmask|destination_prefix} <accesslist_id>
This command is used to configure an ACL deny rule to disallow the specified ESP-encrypted
packet to pass through the system.
source_ip                         This parameter specifies the IP address of the source subnet to
                                  which the ESP-encrypted packet belongs. Its value must be an
                                  IPv4 or IPv6 address.
source_netmask|source_prefix      This parameter specifies the netmask or prefix length of the
                                  source IP address. For details, please refer to the
                                  “source_netmask|source_prefix” parameter in the “accesslist
                                  permit icmp echorequest” command.
destination_ip                    This parameter specifies the IP address of the destination subnet.
                                  Its value must be an IPv4 or IPv6 address.
destination_netmask|destination_prefix
                                  This parameter specifies the netmask or prefix length of the
                                  destination IP address. For details, please refer to the
                                  “destination_netmask|destination_prefix” parameter in the
                                  “accesslist permit icmp echorequest” command.
accesslist_id                     This parameter specifies the ID of the ACL deny rule. Its value
                                  must be an integer ranging from 1 to 999.
accesslist deny ah <source_ip> {source_netmask|source_prefix}
<destination_ip> {destination_netmask|destination_prefix} <accesslist_id>
This command is used to configure an ACL deny rule to disallow the specified AH-encapsulated
packet to pass through the system.
source_ip                         This parameter specifies the IP address of the source subnet to
                                  which the AH-encapsulated packet belongs. Its value must be an
                                  IPv4 or IPv6 address.
source_netmask|source_prefix      This parameter specifies the netmask or prefix length of the
                                  source IP address. For details, please refer to the
                                  “source_netmask|source_prefix” parameter in the “accesslist
                                  permit icmp echorequest” command.
destination_ip                    This parameter specifies the IP address of the destination subnet.
                                  Its value must be an IPv4 or IPv6 address.
destination_netmask|destination_prefix
                                  This parameter specifies the netmask or prefix length of the
                                  destination IP address. For details, please refer to the
                                  “destination_netmask|destination_prefix” parameter in the
                                  “accesslist permit icmp echorequest” command.
accesslist_id                     This parameter specifies the ID of the ACL deny rule. Its value
                                  must be an integer ranging from 1 to 999.
The following commands are used to delete the configurations of the specified ACL permit or
deny rule.
no accesslist permit icmp echorequest <source_ip>
{source_mask|source_prefix} <destination_ip>
{destination_mask|destination_prefix} <accesslist_id>
no accesslist permit icmp echoreply <source_ip>
{source_mask|source_prefix} <destination_ip>
{destination_mask|destination_prefix} <accesslist_id>
no accesslist permit tcp <source_ip> {source_mask|source_prefix}
<source_port> <destination_ip> {destination_mask|destination_prefix}
<destination_port> <accesslist_id>
no accesslist permit udp <source_ip> {source_mask|source_prefix}
<source_port> <destination_ip> {destination_mask|destination_prefix}
<destination_port> <accesslist_id>
no accesslist permit esp <source_ip> {source_mask|source_prefix}
<destination_ip> {destination_mask|destination_prefix} <accesslist_id>
no accesslist permit ah <source_ip> {source_mask|source_prefix}
<destination_ip> {destination_mask|destination_prefix} <accesslist_id>
no accesslist deny icmp echorequest <source_ip>
{source_mask|source_prefix} <destination_ip>
{destination_mask|destination_prefix} <accesslist_id>
no accesslist deny icmp echoreply <source_ip>
{source_mask|source_prefix} <destination_ip>
{destination_mask|destination_prefix} <accesslist_id>
no accesslist deny tcp <source_ip> {source_mask|source_prefix}
<source_port> <destination_ip> {destination_mask|destination_prefix}
<destination_port> <accesslist_id>
no accesslist deny udp <source_ip> {source_mask|source_prefix}
<source_port> <destination_ip> {destination_mask|destination_prefix}
<destination_port> <accesslist_id>
no accesslist deny esp <source_ip> {source_mask|source_prefix}
<destination_ip> {destination_mask|destination_prefix} <accesslist_id>
no accesslist deny ah <source_ip> {source_mask|source_prefix}
<destination_ip> {destination_mask|destination_prefix} <accesslist_id>
show accesslist
This command is used to display all ACL permit and deny rules.
clear accesslist
This command is used to clear all ACL permit and deny rules.
Access Group
accessgroup <accesslist_id> <interface>
This command is used to associate existing ACL permit or deny rules with a specified interface.
accesslist_id                  This parameter specifies the ID of an existing ACL permit or deny
                               rule.
interface                      This parameter specifies the interface with which the ACL permit or
                               deny rule is associated. Its value must be the name of a system
                               interface, bond interface, or VLAN interface.
Example:
AN(config)#accessgroup 250 port1
        Note: If an ACL permit or deny rule is deleted, the associations between this ACL rule and
        all interfaces will also be deleted.
no accessgroup <accesslist_id> <interface>
This command is used to delete the association between ACL permit or deny rules and the
specified interface.
show accessgroup
This command is used to display all the associations between the ACL permit or deny rules and
the interfaces.
clear accessgroup
This command is used to clear all the associations between the ACL permit or deny rules and the
interfaces.
WebWall
webwall <interface> <on|off> [mode]
This command is used to enable or disable the WebWall function on a specified interface.
When the WebWall function is enabled on an interface, the system will allow a packet to pass
through the interface only when the packet explicitly matches an ACL permit rule. When the
packet matches both an ACL permit rule and an ACL deny rule, the ACL deny rule will take
effect. When the packet matches multiple ACL permit or deny rules, it will be matched in an
ascending order of the ID of the ACL permit or deny rule. If no ACL permit or deny rule is
associated with the interface, no TCP, UDP and ICMP packet is allowed to pass through the
interface.
When the WebWall function is disabled on an interface, all packets can pass through the interface.
For security considerations, it is strongly recommended that administrators disable the WebWall
function only for diagnostic purposes. By default, the WebWall function is disabled on every
interface.
interface                      This parameter specifies the interface name. Its value must be the
                               name of a system interface, bond interface, or VLAN interface.
on|off                         This parameter specifies whether to enable or disable the WebWall
                               function. Its value must only be “on” or “off”.
mode                           Optional. This parameter controls the WebWall behavior.
                                   0: indicates the normal mode. In this mode, all the packets
                                    coming into the interface will be filtered by the ACL rules
                                    associated with the interface using the “accessgroup”
                                    command.
                                   1: indicates the ack mode. In this mode, the TCP packets with
                                    the ACK flag will be permitted by default.
                               The default value is 0.
         Note: When the WebWall function is disabled, the configurations of ACL permit or deny
         rules and the associated interfaces will still exist.
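The following Python program is an added example written for this page of the handbook; it is not Array Networks code and does not run on the appliance. It parses accesslist commands in the syntax documented in the Access List section, enforces the documented ranges (accesslist_id 1 to 999, ports 0 to 65535 with 0 meaning any port, IPv4 netmask dotted or 0 to 32, IPv6 prefix 0 to 128), and then applies the decision order described for the webwall command to constructed packets: default deny, a matching deny rule overriding a matching permit rule, rules visited in ascending ID order, and mode 1 passing TCP packets that carry the ACK flag. The protocol labels such as icmp-echorequest, the function names parse_accesslist and webwall_decision, and the 10.0.0.0/24 and 2001:db8::/32 addresses are conventions of this example only; details the handbook does not spell out may differ on the appliance.

```python
# Added example modelling the WebWall ACL semantics documented in this chapter.
# Constructed for illustration; not Array Networks code and not the appliance's engine.
import ipaddress
from dataclasses import dataclass

PROTOS = ("icmp-echorequest", "icmp-echoreply", "tcp", "udp", "esp", "ah")

@dataclass(frozen=True)
class Rule:
    rule_id: int          # accesslist_id, 1-999
    action: str           # "permit" or "deny"
    proto: str            # one of PROTOS (icmp-* names are this example's convention)
    src: object           # IPv4Network or IPv6Network
    sport: int            # 0 = any port; only tcp/udp rules carry ports
    dst: object
    dport: int

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK flag, consulted only in webwall mode 1

def _network(ip: str, mask: str):
    """Address plus dotted IPv4 netmask, IPv4 mask length (0-32) or IPv6 prefix (0-128)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4 and not mask.isdigit():
        return ipaddress.ip_network(f"{ip}/{mask}", strict=False)   # dotted netmask
    length, limit = int(mask), (32 if addr.version == 4 else 128)
    if not 0 <= length <= limit:
        raise ValueError(f"mask/prefix {mask} out of range for {ip}")
    return ipaddress.ip_network(f"{ip}/{length}", strict=False)

def parse_accesslist(line: str) -> Rule:
    """Parse one 'accesslist permit|deny ...' command, enforcing the documented ranges."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "accesslist" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not an accesslist command: {line!r}")
    action, proto, args = tok[1], tok[2], tok[3:]
    if proto == "icmp":                              # 'icmp echorequest' / 'icmp echoreply'
        proto, args = f"icmp-{args[0]}", args[1:]
    if proto not in PROTOS or len(args) != (7 if proto in ("tcp", "udp") else 5):
        raise ValueError(f"bad protocol or argument count in {line!r}")
    if proto in ("tcp", "udp"):
        sip, smask, sport, dip, dmask, dport, rid = args
    else:
        sip, smask, dip, dmask, rid = args
        sport = dport = "0"
    sport, dport, rule_id = int(sport), int(dport), int(rid)
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError(f"port outside 0-65535 in {line!r}")
    if not 1 <= rule_id <= 999:
        raise ValueError(f"accesslist_id {rid} outside 1-999")
    return Rule(rule_id, action, proto, _network(sip, smask), sport, _network(dip, dmask), dport)

def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    # membership is False across IP versions, so an IPv4 packet never hits an IPv6 rule
    if ipaddress.ip_address(pkt.src) not in rule.src or ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    # a rule port of 0 means any port; non-tcp/udp rules carry 0 so ports are ignored
    return rule.sport in (0, pkt.sport) and rule.dport in (0, pkt.dport)

def webwall_decision(enabled: bool, mode: int, rules: list, pkt: Packet) -> str:
    """Verdict for pkt on an interface whose accessgroup holds `rules`."""
    if not enabled:
        return "permit"                               # WebWall off: every packet passes
    if mode == 1 and pkt.proto == "tcp" and pkt.ack:
        return "permit"                               # ack mode: TCP with ACK permitted by default
    verdict = "deny"                                  # default deny without an explicit permit
    for rule in sorted(rules, key=lambda r: r.rule_id):   # ascending accesslist_id
        if _matches(rule, pkt):
            if rule.action == "deny":
                return "deny"                         # a matching deny overrides any permit
            verdict = "permit"
    return verdict

# Constructed rule set on documentation address ranges (not a real deployment).
SAMPLE_CONFIG = [
    "accesslist permit tcp 10.0.0.0 255.255.255.0 0 10.0.1.10 32 443 100",
    "accesslist deny tcp 10.0.0.7 32 0 10.0.1.10 32 443 50",
    "accesslist permit icmp echorequest 10.0.0.0 24 10.0.1.0 24 200",
    "accesslist permit udp 2001:db8:1:: 64 0 2001:db8:2::53 128 53 300",
]
RULES = [parse_accesslist(line) for line in SAMPLE_CONFIG]

def demo() -> dict:
    """WebWall on, mode 0: the echo reply is dropped because only echo requests are permitted."""
    pkts = {
        "https_ok": Packet("tcp", "10.0.0.5", "10.0.1.10", 51000, 443),
        "https_host7": Packet("tcp", "10.0.0.7", "10.0.1.10", 51000, 443),
        "ping_reply": Packet("icmp-echoreply", "10.0.1.3", "10.0.0.9"),
        "dns6": Packet("udp", "2001:db8:1::5", "2001:db8:2::53", 40000, 53),
    }
    return {name: webwall_decision(True, 0, RULES, p) for name, p in pkts.items()}
```

demo() returns permit for the HTTPS client, deny for host 10.0.0.7 (deny rule 50 overrides permit rule 100), deny for the echo reply, and permit for the IPv6 DNS query. The echo reply case is the one worth checking before enabling WebWall on a production interface: because every packet needs an explicit permit, a rule set that only permits echo requests in one direction silently drops the replies, and the same applies to return traffic of any protocol without its own permit rule.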
show webwall
This command is used to display the current configurations of the WebWall function.
show statistics webwall [interface]
This command is used to display the current WebWall statistics for a specified interface (with the
WebWall function enabled). If the “interface” parameter is not specified, this command will
display the statistics for all interfaces (with the WebWall function enabled).
clear statistics webwall [interface]
This command is used to clear the current WebWall statistics for a specified interface (with the
WebWall function enabled). If the “interface” parameter is not specified, this command will clear
the statistics for all interfaces (with the WebWall function enabled).
Chapter 10 Client Security
The Client Security function controls how security scans are performed on remote clients before
they authenticate for virtual portal access. End users can access internal resources only from a
remote client that meets the required security requirements.
With the Client Security function, the system will classify the remote client into a certain device
class based on a set of host integrity checks and device attributes such as IP address, Registry and
OS, and then assign the corresponding level of access privileges to the client.
This chapter covers the commands used for configuring device classes. Other configurations are
available only via the WebUI.
client security {on|off}
This command is used to enable or disable the Client Security function. By default, this function is
disabled.
client security postlogin enable [interval]
This command is used to enable the post-login client security function. When this function is
enabled, AG performs host integrity checks against the client at the specified interval after login
until the end user logs out of the virtual site or disconnects the VPN.
If this command is not configured, this function is disabled by default.
interval                        Optional. This parameter specifies the interval at which AG
                                performs client security checks against the client after the end user
                                logs into the virtual site. Its value must be an integer ranging from 0
                                to 3600. When it is set to 0, AG performs client security checks
                                against the client only once after the end user logs into the virtual
                                site.
                                The default value is 300.
client security postlogin disable
This command is used to disable the post-login client security function.
client security default <level>
This command is used to configure the default Client Security level. The default Client Security
level will be assigned to the device class when it is defined (The device class can be configured
only via WebUI). Administrators can modify the level of the device class using the command
“client security device”.
If this command is not configured, the default Client Security level is “none”.
level                           This parameter specifies the default Client Security level. Its value
                                must be:
                                    “none”: indicates no privilege.
                                    “low”: indicates only the Web access privilege.
                                    “medium”: indicates the Web, DD and fileshare access
                                     privileges.
                                    “high”: indicates the Web, DD, VPN and fileshare access
                                     privileges.
                                    custom level: indicates custom privileges. This value can be
                                     used only when the custom level is predefined using the
                                     “client security level” command.
no client security default
This command is used to reset the default Client Security level to “none”.
show client security default
This command is used to display the default Client Security level.
client security device <device_name> <level>
This command is used to configure a device class rule. The earlier the device class rule is
configured, the higher the priority is. By default, the default device class rule with the device class
name “Default” is provided for the virtual site.
After the Client Security function is enabled, the system matches the client accessing the virtual
site with all device class rules sequentially in the descending order of the priority until one rule is
matched. When the client passes the host security checks defined for a device class rule, matches
the device attributes configured for the device class rule, or both conditions, the client matches
this device class rule.
If no device class rule is matched, the client will be rejected from reaching the login page.
If the client matches a device class rule, the client will be assigned the access privileges indicated
by the Client Security level after logging into the virtual site.
device_name                      This parameter specifies the name of the device class to be added to
                                 the virtual site. Its value must be a string of 1 to 32 characters.
level                            This parameter specifies the security level. Its value must be:
                                     “none”: indicates no privilege.
                                     “low”: indicates only the Web access privilege.
                                     “medium”: indicates the Web, DD and fileshare access
                                      privileges.
                                     “high”: indicates the Web, DD, VPN and fileshare access
                                      privileges.
                                     custom level: indicates custom privileges. This value can be
                                      used only when the custom level is predefined using the
                                      “client security level” command.
         Note: If two-stage Client Security is enabled, the system only matches the client with
         the first two device class rules. The configurations of two-stage Client Security, host
         integrity and device attributes are available only via WebUI.
no client security device <device_name>
This command is used to delete the specified device class rule.
show client security device
This command is used to display all the device class rules.
show client security existeddevice
This command is used to display all the configured device classes.
client security level <level>
This command is used to define a custom Client Security level.
level                          This parameter specifies the name of the custom Client Security
                               level. Its value must be a string of 1 to 64 characters.
no client security level <level>
This command is used to delete the specified custom Client Security level.
show client security level
This command is used to display the custom Client Security levels.
client security privilege web <level> [browse]
This command is used to associate the Web privileges with the specified custom Client Security
level.
level                          This parameter specifies the name of the existing custom Client
                               Security level defined by the “client security level” command.
browse                         Optional. This parameter specifies whether or not the client is
                               allowed to browse non-configured Web sites via the portal
                               navigation bar. This option is disabled by default.
no client security privilege web <level>
This command is used to disassociate the Web privileges from the specified custom Client
Security level.
client security privilege dd <level>
This command is used to associate the DD privileges with the specified custom Client Security
level.
level                           This parameter specifies the name of the existing custom Client
                                Security level defined by the “client security level” command.
no client security privilege dd <level>
This command is used to disassociate the DD privileges from the specified custom Client Security
level.
client security privilege vpn <level>
This command is used to associate the VPN privileges with the specified custom Client Security
level.
level                           This parameter specifies the name of the existing custom Client
                                Security level defined by the “client security level” command.
no client security privilege vpn <level>
This command is used to disassociate the VPN privileges from the specified custom Client
Security level.
client security privilege file <level>
This command is used to associate the file share privileges with the specified custom Client
Security level.
level                           This parameter specifies the name of the existing custom Client
                                Security level defined by the “client security level” command.
no client security privilege file <level>
This command is used to disassociate the file share privileges from the specified custom Client
Security level.
show client security privilege [level]
This command is used to display the privileges associated with the specified custom Client
Security level. If the “level” parameter is not configured, privileges associated with all custom
Client Security levels will be displayed.
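The device class matching described under “client security device” (rules tried in configuration order, first match wins, no match means the login page is refused) and the level-to-privilege mapping built by the “client security level” and “client security privilege” commands are easy to get wrong when a virtual site has several rules. The following Python model is an added example, not code from the handbook or from Array Networks; it reproduces the documented built-in levels and rule ordering so an administrator can check, offline, which privileges a given client posture would end up with. The host integrity checks, the posture report fields, the registry path and the sample rules are all constructed for the example; how the real appliance evaluates a rule with no conditions and where its built-in “Default” rule sits in the order are assumptions noted in the code.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Union

# Privilege names used for the handbook's built-in levels ("browse" is the optional
# "client security privilege web <level> browse" flag).
WEB, DD, VPN, FILE, BROWSE = "web", "dd", "vpn", "fileshare", "web_browse"

# Built-in Client Security levels exactly as the handbook defines them.
BUILTIN_LEVELS: Dict[str, FrozenSet[str]] = {
    "none": frozenset(),
    "low": frozenset({WEB}),
    "medium": frozenset({WEB, DD, FILE}),
    "high": frozenset({WEB, DD, VPN, FILE}),
}

Check = Callable[[dict], bool]               # a host integrity check over a posture report
Attr = Union[str, Callable[[object], bool]]  # exact value, or predicate over one device attribute


@dataclass
class DeviceClassRule:
    name: str
    level: str
    host_checks: List[Check] = field(default_factory=list)
    attributes: Dict[str, Attr] = field(default_factory=dict)

    def matches(self, client: dict) -> bool:
        # Assumption: a rule matches when every configured check and attribute holds;
        # a rule with no conditions (like a catch-all "Default") matches any client.
        if not all(check(client) for check in self.host_checks):
            return False
        for key, expected in self.attributes.items():
            value = client.get(key)
            if not (expected(value) if callable(expected) else value == expected):
                return False
        return True


class ClientSecurityPolicy:
    """Model of the device-class and privilege commands for one virtual site."""

    def __init__(self, default_level: str = "none"):
        self.custom_levels: Dict[str, set] = {}
        self.default_level = default_level          # "client security default <level>"
        self.rules: List[DeviceClassRule] = []      # configuration order == priority order

    def level(self, name: str) -> None:             # client security level <level>
        if not 1 <= len(name) <= 64:
            raise ValueError("custom level name must be 1 to 64 characters")
        self.custom_levels.setdefault(name, set())

    def privilege(self, kind: str, level: str, browse: bool = False) -> None:
        """client security privilege web|dd|vpn|file <level> [browse]"""
        if level not in self.custom_levels:
            raise ValueError(f"custom level {level!r} is not defined")
        self.custom_levels[level].add({"web": WEB, "dd": DD, "vpn": VPN, "file": FILE}[kind])
        if kind == "web" and browse:
            self.custom_levels[level].add(BROWSE)

    def privileges_of(self, level: str) -> FrozenSet[str]:
        if level in BUILTIN_LEVELS:
            return BUILTIN_LEVELS[level]
        if level in self.custom_levels:
            return frozenset(self.custom_levels[level])
        raise ValueError(f"unknown Client Security level {level!r}")

    def device(self, name: str, level: Optional[str] = None,
               host_checks: Optional[List[Check]] = None,
               attributes: Optional[Dict[str, Attr]] = None) -> None:
        """client security device <device_name> <level>; level defaults to the default level."""
        if not 1 <= len(name) <= 32:
            raise ValueError("device class name must be 1 to 32 characters")
        level = self.default_level if level is None else level
        self.privileges_of(level)  # reject an undefined custom level at configuration time
        self.rules.append(DeviceClassRule(name, level, host_checks or [], attributes or {}))

    def classify(self, client: dict) -> Optional[DeviceClassRule]:
        """First matching rule in priority order; None means the login page is refused."""
        return next((r for r in self.rules if r.matches(client)), None)

    def privileges_for(self, client: dict) -> Optional[FrozenSet[str]]:
        rule = self.classify(client)
        return None if rule is None else self.privileges_of(rule.level)


def build_sample_policy(with_default: bool = True) -> ClientSecurityPolicy:
    """Constructed sample configuration (not from the handbook)."""
    p = ClientSecurityPolicy(default_level="none")
    p.level("contractor")
    p.privilege("web", "contractor")
    p.privilege("file", "contractor")
    # Host integrity checks as predicates over a constructed posture report; the registry
    # path below is a placeholder, not a real key.
    has_av = lambda c: bool(c.get("antivirus_running"))
    disk_encrypted = lambda c: c.get("registry", {}).get("HKLM\\PLACEHOLDER\\DiskEncryption") == "1"
    p.device("managed-windows", "high", [has_av, disk_encrypted], {"os": "Windows"})
    p.device("contractor-lan", "contractor",
             attributes={"ip": lambda ip: str(ip).startswith("10.20.")})
    if with_default:
        p.device("Default", "low")  # catch-all; lowest priority because it is configured last
    return p
```

Running `build_sample_policy().privileges_for(report)` on a posture report shows the effect of rule order: a Windows host that passes both integrity checks lands in “managed-windows” and gets the “high” set, the same host failing the antivirus check falls through to the next matching rule, and a client that matches nothing is refused (`None`) unless a catch-all rule is configured last.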
client security export scp <server_name> <user_name> <file_path>
This command is used to export the Client Security configuration file to an SCP server.
server_name                     This parameter specifies the name of the remote SCP server to
                                which the Client Security configuration file will be exported. Its
                                value must be a string of 1 to 128 characters.
user_name                       This parameter specifies the name of the user on the remote SCP
                                server. Its value must be a string of 1 to 64 characters.
file_path                       This parameter specifies the file path of the Client Security
                                configuration file to be exported. The file path must include the file
                                name. Its value must be a string of 1 to 256 characters.
client security export tftp <server_ip> [file_name]
This command is used to export the Client Security configuration file to a TFTP server.
server_ip                       This parameter specifies the IP address of the remote TFTP server.
file_name                       Optional. This parameter specifies the file name of the Client
                                Security configuration file to be exported. The default name is
                                “setup.orig.xml”. Its value must be a string of 1 to 256 characters.
client security import <url> [lcc]
This command is used to import a Client Security configuration file to the virtual site.
url                             This parameter specifies the HTTP or FTP URL of the Client
                                Security configuration file. Its value must be a string of 1 to 512
                                characters.
lcc                             Optional. This parameter specifies the “lcc” mode. Its value must
                                be:
                                    “lcc”: indicates that after the remote client passes the client
                                     security check, the browser will ignore the “Success_URL”
                                     field, which was configured via WebUI for the specified
                                     device class, and will be redirected to the login page.
                                    empty: indicates that after the remote client passes the client
                                     security check, the browser will be redirected to the page
                                     specified by the “Success_URL” field, which was configured
                                     via WebUI for the specified device class.
                                The default value is empty.
show client security import [lcc]
This command is used to display the configuration file import status.
show client security config
This command is used to display the configurations of Client Security.
clear client security config
This command is used to clear the configurations of Client Security.
Chapter 11 System Monitoring
Graphic Monitoring
statmon {on|off}
This global command is used to enable or disable the status monitoring function. The status
monitoring function monitors and collects information regarding the system’s running status at
fixed intervals, such as CPU utilization, system memory utilization and active sessions. The
administrator can view the status information in the form of graphs via WebUI. By default, this
function is disabled.
        Note: If the system time of an HA unit is not the current time, the graphs of the status
        information displayed on WebUI will be abnormal when this HA unit is added to the HA
        domain.
statmon clear
This global command is used to clear all existing statistic information collected by the status
monitoring function.
statmon purge [unused_days]
This global command is used to clear statistic information that was not used for a specified
number of days.
unused_days                     This parameter specifies the number of days. Its value must be an
                                integer ranging from 0 to 4,294,967,295. The default value is 730.
show statmon status
This global command is used to display the current status of the status monitoring function
(enabled or disabled).
Logging
General Settings
log {on|off}
This global command is used to enable or disable the logging function of the AG appliance. By
default, this function is disabled.
After the logging function is enabled, the system generates system log messages according to the
log level specified by the “log level” command, and sends the system log messages to the log
buffer and to the remote syslog hosts (if configured using the “log host” command).
log level <level>
This global command is used to set the log level. If this command is not configured, the default
log level is info.
level                          This parameter specifies the valid log level. Its value must be
                               “emerg”, “alert”, “crit”, “err”, “warning”, “notice”, “info”, or
                               “debug”, and these values are listed from the highest priority to
                               lowest. The higher the priority of the log level, the higher the
                               severity of the event. When the log level is set, the system generates
                               logs of only this level and higher levels. For details, please refer to
                               RFC.
log facility <facility_name>
This global command is used to set the log facility which sends the system log messages. If this
command is not configured, the default log facility is “LOCAL0”.
facility_name                  This parameter specifies the log facility. Its value must be
                               “LOCAL0”, “LOCAL1”, “LOCAL2”, “LOCAL3”, “LOCAL4”,
                               “LOCAL5”, “LOCAL6” or “LOCAL7”. For details, please refer to
                               RFC.
log source port <source_port>
This global command is used to set the source port for sending system log messages. If this
command is not configured, the default source port is 514.
source_port                    This parameter specifies the source port for sending the system log
                               messages. Its value must be an integer ranging from 1 to 65,535.
log timestamp {on|off}
This global command is used to enable or disable timestamps for system log messages. When
timestamps are enabled, time information (date and time) is added to every system log message.
By default, this function is enabled.
log option logid {on|off}
This global command is used to enable or disable the option to append the log ID to log messages.
When this option is enabled, the log ID will be added to every system log message. By default,
this option is disabled.
log option levelinfo {on|off}
This global command is used to enable or disable the option to append the log level information to
log messages sent to the remote syslog hosts configured using the “log host” command. By
default, this function is disabled.
log option uniqueid {on|off}
This command is used to enable or disable the option to append a unique ID (the hardware
signature code generated by the Array Client or a random code generated by the AG appliance if
no unique ID is sent to the AG appliance) to system log messages. After this option is enabled, the
unique ID will be added to the system log messages generated when end users perform operations
related to sessions, AAA authentication and VPN tunnel. By default, this option is disabled.
on|off                          This parameter specifies whether to enable the option to append
                                unique IDs to system log messages. Its value must be “on” or “off”.
show log buff backward [expression]
This global command is used to display the system log messages stored in the log buffer in the
backward sequence of time.
expression                      Optional. This parameter specifies the regular expression for
                                filtering the output of the system log messages. Its value must be a
                                string of 1 to 64 characters.
show log buff forward [expression]
This global command is used to display the system log messages stored in the log buffer in the
forward sequence of time.
expression                      Optional. This parameter specifies the regular expression for
                                filtering the output of the system log messages. Its value must be a
                                string of 1 to 64 characters.
clear log buffer
This global command is used to clear all the system log messages from the log buffer.
log test
This command is used to generate a test log message at the level “emerg”.
show log config
This global command is used to display all log configurations.
clear log config
This global command is used to reset all the log configurations to default.
Log Customization
log http {combined|common|squid} [vip_option] [host_option]
This global command is used to set the HTTP access logging format. The system supports the
HTTP access log formats “combined”, “common” and “squid”. Please refer to the RFC for details.
vip_option                      This parameter specifies whether or not the VIP (virtual IP) on
                                which the request is received is logged. Its value must be:
                                    vip: indicates the VIP is logged.
                                    novip/None: indicates the VIP is not logged.
                                The default value is “None”.
host_option                     This parameter specifies whether or not the host in the request is
                                logged.
                                    host: the host in the request is logged.
                                    nohost/None: the host in the request is not logged.
                                The default value is “None”.
                                Note: this parameter has no effect when the “vip_option” parameter
                                is set to “none”.
log http welf
This global command is used to set the HTTP access logging format to “welf”.
log http custom <format>
This global command is used to customize the HTTP access logging format.
format                          This parameter specifies the HTTP access logging format. Its value
                                must be a string of 1 to 256 characters enclosed by double quotes
                                and formed using the symbols listed below. Besides, any characters
                                that are not part of the symbols listed below can also be added to
                                the log message.
    Symbol        Meaning
    %a            Cache result
    %b            Bytes returned by proxy to client
    %c            Client IP address
    %d            Date stamp
    %e            HTTP MIME type information
    %f            “PROXY_LOG” tag, used to distinguish these entries from other logs
    %g            Time stamp (military format)
    %h            Host name as pulled from client host
    %i            User-agent
    %k            Session cookies
    %m            HTTP method
    %n            Full date/time stamp [MM/DD/YYYY:HH:MM:SS +/-0000]
    %o            Port of virtual service
    %p            Proxy IP address, VIP
    %q            A single double quote
    %r            HTTP return status code
    %s            Real Server IP address
    %t            Unix time stamp
    %u            Request URL
    %v            Protocol version
    %w            Referrer (from the client Referrer: header)
    %B            Username
    %D            SSL session ID
    %N            Full date/time stamp [DD/MMM/YYYY:HH:MM:SS +/-0000]
    %P            Real Server port
    %R            Elapsed time, time-taken
    %T            Time format compatible with W3C (GMT)
    %U            Full URL
So, for example, the following custom HTTP logging format instructs the log system to record the
time stamp, elapsed time, client IP address, cache result, HTTP return status code, bytes returned
by proxy to client, HTTP method, request URL and real server IP address.
AN(config)#log http custom "AN_SQUID_LOG %t %R %c %a/%r %b %m %u C DIRECT/%s -"
A resulting log entry looks like this:
INFO     Jun 05 23:49:06 AN AN_SQUID_LOG 1338940146 0 110.52.84.41 TCP_MISS/200
1105 GET /Script/bottomSearch-1.0.js - DIRECT/58.83.194.202 -
This format produces the same output as the “log http squid” command.
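Whatever format “log http custom” is given, the collector on the other end has to be able to take the entries apart again, and the symbol table above is enough to derive a parser mechanically. The following Python code is an added example, not code from the handbook or from Array Networks: it turns a custom format string into a regular expression with one named group per symbol (treating `%q` as the literal double quote the table describes), parses entries that arrive with the appliance’s syslog prefix in front of them, and reports which symbols in a format would put session material (`%k` session cookies, `%D` SSL session ID) into the log. The sub-patterns chosen for the free-text fields, the field names, and the sample log line are constructed here; the line is written to follow the handbook’s format string exactly and is not the handbook’s own output.

```python
import re
from typing import Dict, List, Tuple

# Symbols from the handbook's "log http custom" table, mapped to field names used here.
SYMBOLS: Dict[str, str] = {
    "a": "cache_result", "b": "bytes_to_client", "c": "client_ip", "d": "date_stamp",
    "e": "mime_type", "f": "proxy_log_tag", "g": "time_stamp", "h": "host_name",
    "i": "user_agent", "k": "session_cookies", "m": "http_method", "n": "datetime_mdy",
    "o": "vip_port", "p": "vip", "r": "status_code", "s": "real_server_ip",
    "t": "unix_time", "u": "request_url", "v": "protocol_version", "w": "referrer",
    "B": "username", "D": "ssl_session_id", "N": "datetime_dmy", "P": "real_server_port",
    "R": "elapsed_time", "T": "w3c_time", "U": "full_url",
}
# %q is a literal double quote, not a field, and is handled separately below.

# Fields that carry session material: a format using them writes cookie or SSL session
# identifiers to syslog, which is worth spotting when a format is reviewed.
SENSITIVE = {"k", "D"}

DEFAULT_PATTERN = r"\S+"          # most fields are a single run of non-space characters
FIELD_PATTERNS = {                # fields that need something else (choices made for this example)
    "n": r"\[[^\]]*\]", "N": r"\[[^\]]*\]",   # bracketed timestamps contain a space
    "i": r".*?", "w": r".*?", "e": r".*?",    # free text; delimited by the following literal
}


def compile_format(fmt: str) -> Tuple["re.Pattern[str]", List[str]]:
    """Build a regex with one named group per symbol; returns (pattern, symbols in order)."""
    if len(fmt) >= 2 and fmt[0] == fmt[-1] == '"':
        fmt = fmt[1:-1]  # the CLI takes the format enclosed in double quotes
    parts: List[str] = []
    used: List[str] = []
    i = 0
    while i < len(fmt):
        if fmt[i] == "%" and i + 1 < len(fmt):
            sym = fmt[i + 1]
            if sym == "q":
                parts.append('"')
            elif sym in SYMBOLS:
                if sym in used:
                    raise ValueError(f"%{sym} appears twice in the format")
                used.append(sym)
                sub = FIELD_PATTERNS.get(sym, DEFAULT_PATTERN)
                parts.append(f"(?P<{SYMBOLS[sym]}>{sub})")
            else:
                raise ValueError(f"unknown symbol %{sym}")
            i += 2
        else:
            parts.append(re.escape(fmt[i]))  # any other character is literal text
            i += 1
    # Anchor only at the end: the appliance puts its own syslog header before the message.
    return re.compile("".join(parts) + "$"), used


def parse_http_log(fmt: str, line: str) -> Dict[str, str]:
    """Parse one access-log line written with the given format; {} if it does not match."""
    pattern, _ = compile_format(fmt)
    m = pattern.search(line)
    return m.groupdict() if m else {}


def sensitive_fields(fmt: str) -> List[str]:
    """Symbols in the format that would put session material into the log."""
    _, used = compile_format(fmt)
    return [s for s in used if s in SENSITIVE]


# The format string from the handbook, and a constructed log line written in that format.
PAGE_FORMAT = '"AN_SQUID_LOG %t %R %c %a/%r %b %m %u C DIRECT/%s -"'
SAMPLE_LINE = ("INFO     Jun 05 23:49:06 AN AN_SQUID_LOG 1338940146 0 110.52.84.41 "
               "TCP_MISS/200 1105 GET /Script/bottomSearch-1.0.js C DIRECT/58.83.194.202 -")

if __name__ == "__main__":
    for name, value in parse_http_log(PAGE_FORMAT, SAMPLE_LINE).items():
        print(f"{name:16} {value}")
    print("session material in format:", sensitive_fields(PAGE_FORMAT) or "none")
```

The same `compile_format` also handles a combined-style format such as `"%c - %B %N %q%m %u %v%q %r %b %q%w%q %q%i%q"`, because the quoted groups give the free-text fields a delimiter to stop at; a format that puts `%i` or `%w` directly before a `\S+` field would be ambiguous, which is one reason the standard formats quote them.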
no log http
This global command is used to disable HTTP access logging.
log http off
This global command is used to disable HTTP access logging function. The HTTP access logging
function records the logs of every HTTP request and response. By default, this function is enabled.
The default HTTP access logging format is “squid”.
Remote Syslog Host
log host <host_ip> [port] [protocol] [host_id] [log_level]
This global command is used to configure a remote syslog host used for storing system log
messages of the specified log level(s). A maximum of 6 remote log hosts can be configured.
host_ip                          This parameter specifies the IP address of the remote syslog host.
                                 Its value must be an IPv4 or IPv6 address.
port                             Optional. This parameter specifies the port number of the remote
                                 syslog host. Its value must be an integer ranging from 1 to 65,535.
                                 The default value is 514.
protocol                         Optional. This parameter sets the protocol used to transmit system
                                 log messages. Its value must be “TCP” or “UDP”. The default value
                                 is “UDP”.
host_id                          Optional. This parameter specifies an identifier for the remote
                                 syslog host. Its value must be an integer ranging from 0 to 65,535.
                                 The default value is 0, indicating that all system log messages of the
                                 specified level(s) will be sent to the remote syslog host without any
                                 other filtering. If the host ID is set to a value larger than 0, system
                                 log messages of specified level(s) will first be filtered based on the
                                 configurations of log filter (configured via the “log filter”
                                 command) and then sent to the remote syslog host.
                                 Please note that the host ID “0” can be used by multiple remote
                                 syslog hosts, while a host ID larger than 0 must be unique among
                                 all remote syslog hosts.
log_level                        Optional. This parameter specifies the level(s) of the log. Its value
                                 must be one or multiple of the following levels: “emerg”, “alert”,
                                 “crit”, “err”, “warning”, “notice”, “info”, and “debug”. The default
                                 value is “all”, indicating all of the above levels are selected.
                                 Multiple levels in the parameter value must be separated by comma
                                 and enclosed by double quotes.
          Note: Before configuring a remote syslog host, please make sure that the remote syslog
          host is ready to receive system log messages.
For example:
AN(config)#log host 10.3.53.3 555 udp 0 all
AN(config)#log host 10.3.53.3 44 tcp 1 emerg
no log host <host_ip> <port> [protocol]
This global command is used to delete the remote syslog host of the specified protocol type. If the
“protocol” parameter is not specified, the remote log host of the “UDP” type will be deleted.
log filter <host_id> <filter_id> <filter_string>
This global command is used to set a log filter for the specified log host. A maximum of 64 log
filters can be configured for one log host.
host_id                         This parameter specifies an existing log host ID set via the “log
                                host” command.
filter_id                       This parameter specifies the ID of the log filter. Its value must be an
                                integer ranging from 1 to 64.
filter_string                   This parameter specifies the log filter string. Its value must be a
                                string of 1 to 40 case-insensitive characters.
no log filter <host_id> [filter_id]
This global command is used to delete the specified log filter for the specified log host. If the
“filter_id” parameter is not specified or set to “0”, all log filters will be deleted.
log filtermode [mode]
This command is used to set the mode of log filters. If this command is not configured, the default
mode of log filter is “whitelist”.
mode                                Optional. This parameter specifies the mode of log filters. Its
                                    value must be:
                                        whitelist: indicates that the system log messages that match
                                         the log filter strings specified by the parameter
                                         “filter_string” in the “log filter” command will be sent to
                                         the remote syslog hosts configured using the “log host”
                                         command.
                                        blacklist: indicates that the system log messages that match
                                         the log filter strings specified by the parameter
                                         “filter_string” in the “log filter” command will not be sent
                                         to the remote syslog hosts configured using the “log host”
                                         command. In turn, system log messages that do not match
                                         the log filter strings will be sent to the remote syslog hosts.
                                    The default value is “whitelist”.
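The commands in this section interact: “log level” decides which messages exist at all, each “log host” entry selects levels and, through its host ID, whether “log filter” strings apply, and “log filtermode” decides whether a matching string means send or suppress. The following Python model is an added example, not code from the handbook or from Array Networks; it encodes the documented constraints (six hosts, 64 filters per host, unique non-zero host IDs, the level order from “log level”) and answers, for a given message and severity, which configured hosts would receive it. It uses the handbook’s own two “log host” example lines as the sample configuration. The numeric severity and facility codes are the standard syslog values, and two points the handbook leaves open are assumptions marked in the code: that a filter string is matched as a case-insensitive substring, and that a filtering host with no filters configured passes everything through.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Levels exactly as the "log level" command lists them, highest priority first. The numeric
# codes are the syslog severities (RFC 5424): a lower number is a more severe event.
SEVERITY: Dict[str, int] = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
# LOCAL0..LOCAL7 are syslog facilities 16..23 (RFC 5424).
FACILITY: Dict[str, int] = {f"LOCAL{i}": 16 + i for i in range(8)}


def syslog_pri(facility: str, severity: str) -> int:
    """PRI field of a syslog message: facility * 8 + severity."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def is_generated(log_level: str, severity: str) -> bool:
    """'log level X' makes the system emit level X and every higher-priority level."""
    return SEVERITY[severity] <= SEVERITY[log_level]


@dataclass
class LogHost:
    """One entry of: log host <host_ip> [port] [protocol] [host_id] [log_level]."""
    host_ip: str
    port: int = 514
    protocol: str = "UDP"
    host_id: int = 0
    log_level: str = "all"                                 # "all" or "emerg,crit" as the CLI takes it
    filters: Dict[int, str] = field(default_factory=dict)  # filter_id -> filter_string

    def accepts(self, severity: str) -> bool:
        if self.log_level == "all":
            return True
        return severity in {lv.strip() for lv in self.log_level.split(",")}

    def filter_matches(self, message: str) -> bool:
        # filter_string is documented as case-insensitive; substring matching is an assumption.
        text = message.lower()
        return any(f.lower() in text for f in self.filters.values())


class SyslogConfig:
    MAX_HOSTS, MAX_FILTERS = 6, 64

    def __init__(self, log_level: str = "info", facility: str = "LOCAL0",
                 filtermode: str = "whitelist"):
        self.log_level, self.facility, self.filtermode = log_level, facility, filtermode
        self.hosts: List[LogHost] = []

    def log_host(self, host_ip: str, port: int = 514, protocol: str = "UDP",
                 host_id: int = 0, log_level: str = "all") -> LogHost:
        if len(self.hosts) >= self.MAX_HOSTS:
            raise ValueError("a maximum of 6 remote log hosts can be configured")
        if not 1 <= port <= 65535 or not 0 <= host_id <= 65535:
            raise ValueError("port must be 1-65535 and host_id 0-65535")
        if protocol.upper() not in ("TCP", "UDP"):
            raise ValueError("protocol must be TCP or UDP")
        if host_id > 0 and any(h.host_id == host_id for h in self.hosts):
            raise ValueError("a host_id larger than 0 must be unique (0 may be shared)")
        host = LogHost(host_ip, port, protocol.upper(), host_id, log_level)
        self.hosts.append(host)
        return host

    def log_filter(self, host_id: int, filter_id: int, filter_string: str) -> None:
        # host_id 0 means "no filtering", so filters attach only to hosts with host_id > 0.
        host = next((h for h in self.hosts if h.host_id == host_id and host_id > 0), None)
        if host is None:
            raise ValueError("log filter needs an existing log host with host_id > 0")
        if not 1 <= filter_id <= 64 or not 1 <= len(filter_string) <= 40:
            raise ValueError("filter_id must be 1-64 and filter_string 1-40 characters")
        if filter_id not in host.filters and len(host.filters) >= self.MAX_FILTERS:
            raise ValueError("a maximum of 64 log filters per log host")
        host.filters[filter_id] = filter_string

    def route(self, message: str, severity: str) -> List[str]:
        """Return 'ip:port/proto' for every host that receives this message."""
        if not is_generated(self.log_level, severity):
            return []  # below the configured log level: never generated, nothing to send
        out = []
        for h in self.hosts:
            if not h.accepts(severity):
                continue
            if h.host_id == 0:  # host_id 0: level selection only, no filter step
                out.append(f"{h.host_ip}:{h.port}/{h.protocol}")
                continue
            matched = h.filter_matches(message)
            # whitelist sends matches, blacklist sends non-matches. Assumption: a filtering
            # host with no filters configured passes everything through.
            if not h.filters or (self.filtermode == "whitelist") == matched:
                out.append(f"{h.host_ip}:{h.port}/{h.protocol}")
        return out
```

With the handbook’s two example lines configured (`log host 10.3.53.3 555 udp 0 all` and `log host 10.3.53.3 44 tcp 1 emerg`) plus one filter on host ID 1, `route()` shows the practical difference between the two hosts: the UDP host on 555 receives every generated message, while the TCP host on 44 receives only “emerg” messages that also pass the filter, and flipping `filtermode` to “blacklist” inverts which “emerg” messages it gets without touching the other host.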
Disabling Individual System Log
log message disable <log_id>
This global command is used to disable a specified system log message. The disabled system log
message will be added to the disabled system log message list. By default, the disabled system log
message list is empty, that is to say, all system log messages are enabled. A maximum of 128
system log messages can be disabled.
log_id                           This parameter specifies the ID of a system log message.
                                 Administrators can check the system log message ID on WebUI:
                                 1. Select Admin Tools > Monitoring > Logging > Disabled Log
                                 under the global scope.
                                 2. In the Disabled Log area, click the Log ID List action link to
                                 view IDs of all system log messages.
no log message disable <log_id>
This global command is used to delete a specified system log message from the disabled system
log message list, that is to say, to enable the system log message.
show log message disable [log_id]
This global command is used to display a specified system log message in the disabled system log
message list. If the parameter “log_id” is not specified, all the system log messages in the disabled
system log message list will be displayed.
clear log message disable
This global command is used to clear all the system log messages from the disabled system log
message list, that is to say, to enable all the disabled system log messages.
Log Alert
log alert <rule_id> <expression> <email> <interval> [type]
This global command is used to configure a log alert rule. When a system log message matches
the log alert rule, a log alert email will be sent to the email address specified by the log alert rule.
rule_id                          This parameter specifies the log alert rule ID. Its value must be an
                                 integer ranging from 1 to 32.
                                 If a log alert rule with the same “rule_id” already exists, the AG
                                 appliance will prompt the administrator for whether or not to
                                 overwrite the log alert rule with this “rule_id”.
expression                      This parameter specifies the regular expression used for log
                                matching. Its value must be a string of 1 to 64 characters.
email                           This parameter specifies the email address used to receive log alert
                                emails. Its value must be a string of 1 to 128 characters enclosed by
                                double quotes.
interval                        This parameter specifies the interval to send log alert emails. Its
                                value must be an integer ranging from 0 to 10,000, in minutes. 0
                                means sending the log alert email immediately after a system log
                                message matches this log alert rule.
type                            Optional. This parameter specifies the content type of the log alert
                                email. Its value must be:
                                    • data: indicates that the contents of the system log messages
                                      that matched this log alert rule will be sent in the log alert email.
                                    • count: indicates that the number of times that system log
                                      messages matched this log alert rule will be sent in the log
                                      alert email.
                                The default value is “data”.
no log alert <rule_id>
This global command is used to delete the specified log alert rule.
show log alert [rule_id]
This global command is used to display the specified log alert rule. If the “rule_id” parameter is
not specified or set to 0, all log alert rules will be displayed.
clear log alert
This global command is used to clear all log alert rules.
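The following is an added example, not Array Networks code: a small model of the log alert rules above, showing how “expression” (a regular expression), “interval” (0 = send at once, otherwise batch matches for that many minutes) and “type” (data or count) interact, and the overwrite prompt for a duplicate rule_id. The e-mail address, rule bodies and syslog lines are constructed for the illustration, and the batching-by-interval behaviour is this example's reading of the handbook text.

```python
import re
from dataclasses import dataclass


@dataclass
class LogAlertRule:
    """One 'log alert <rule_id> <expression> <email> <interval> [type]' rule."""
    rule_id: int
    expression: str
    email: str
    interval: int          # minutes; 0 = send immediately on every match
    type: str = "data"     # "data" = matched lines, "count" = number of matches

    def __post_init__(self):
        # Value constraints as the handbook states them.
        if not 1 <= self.rule_id <= 32:
            raise ValueError("rule_id must be an integer from 1 to 32")
        if not 1 <= len(self.expression) <= 64:
            raise ValueError("expression must be 1 to 64 characters")
        if not 1 <= len(self.email) <= 128:
            raise ValueError("email must be 1 to 128 characters")
        if not 0 <= self.interval <= 10000:
            raise ValueError("interval must be 0 to 10,000 minutes")
        if self.type not in ("data", "count"):
            raise ValueError("type must be 'data' or 'count'")
        self.regex = re.compile(self.expression)


@dataclass
class Alert:
    rule_id: int
    email: str
    body: str


class LogAlertEngine:
    """Matches syslog lines against rules and batches matches per interval."""

    def __init__(self):
        self.rules = {}          # rule_id -> LogAlertRule
        self._pending = {}       # rule_id -> matched lines not yet e-mailed
        self._window_start = {}  # rule_id -> minute the pending batch began

    def add_rule(self, rule, overwrite=False):
        # 'log alert' with an existing rule_id prompts before overwriting.
        if rule.rule_id in self.rules and not overwrite:
            raise KeyError(f"log alert rule {rule.rule_id} exists; confirm overwrite")
        self.rules[rule.rule_id] = rule
        self._pending[rule.rule_id] = []

    def delete_rule(self, rule_id):
        # 'no log alert <rule_id>'
        self.rules.pop(rule_id, None)
        self._pending.pop(rule_id, None)

    def feed(self, line, minute):
        """Offer one log line seen at `minute`; return the alerts that are due."""
        out = []
        for rule in self.rules.values():
            if not rule.regex.search(line):
                continue
            if not self._pending[rule.rule_id]:
                self._window_start[rule.rule_id] = minute
            self._pending[rule.rule_id].append(line)
            if rule.interval == 0:
                out.append(self._flush(rule))
        return out + self.flush_due(minute)

    def flush_due(self, minute):
        """Emit batched alerts whose interval has elapsed since the first match."""
        out = []
        for rule in self.rules.values():
            pend = self._pending[rule.rule_id]
            if pend and rule.interval > 0 and \
                    minute - self._window_start[rule.rule_id] >= rule.interval:
                out.append(self._flush(rule))
        return out

    def _flush(self, rule):
        lines = self._pending[rule.rule_id]
        self._pending[rule.rule_id] = []
        if rule.type == "data":
            body = "\n".join(lines)
        else:
            body = f"{len(lines)} matching log message(s)"
        return Alert(rule.rule_id, rule.email, body)


def run_demo():
    """Two constructed rules against constructed syslog lines (minute, text)."""
    engine = LogAlertEngine()
    engine.add_rule(LogAlertRule(1, "Login failed", "soc@example.com", 0, "data"))
    engine.add_rule(LogAlertRule(2, "SSL handshake", "soc@example.com", 5, "count"))
    events = [
        (0, "AN login: Login failed for user alice from 10.0.0.5"),
        (1, "AN ssl: SSL handshake failure from 10.0.0.6"),
        (3, "AN ssl: SSL handshake failure from 10.0.0.7"),
        (6, "AN system: configuration saved"),
    ]
    alerts = []
    for minute, line in events:
        alerts.extend(engine.feed(line, minute))
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```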
SNMP Commands
General Settings
The Simple Network Management Protocol (SNMP) offers the communication rules between a
management device and the managed devices on the network. It defines a set of messages,
methods and syntax to implement the access and management from the management device to the
managed devices.
An SNMP managed network comprises primarily network management stations (NMSs) and an
agent. An NMS is a manager in an SNMP enabled network, whereas agents are managed by the
NMS. The NMS and agents exchange management information through the SNMP protocol.
The AG appliance acts as an SNMP agent and currently supports the SNMP GET requests, but not
SNMP SET requests. For details, refer to the following commands.
snmp on [version]
This global command is used to enable the SNMP agent of the AG appliance.
version                            This parameter specifies the SNMP version(s) that are
                                   supported by the SNMP agent of the AG appliance. Its value
                                   must be:
                                       • default: indicates that the SNMP agent supports versions
                                         v1, v2c and v3.
                                       • v3: indicates that the SNMP agent supports only version
                                         v3.
                                   The default value is “default”.
snmp off
This global command is used to disable the SNMP function. By default, this function is disabled.
show snmp
This global command is used to display all SNMP settings.
Example:
AN(config)#show snmp
snmp community reindeer
snmp location server room 6
snmp contact admin@example.com
snmp host 10.2.21.1 rudolph
snmp enable traps
clear snmp
This global command is used to reset the SNMP settings to default.
SNMP Request
snmp community <string>
This global command is used to configure the community string of the SNMP agent on the AG
appliance. This community string is used as the password to control the access from the NMS to
the SNMP agent. If the SNMP requests sent by the NMS do not carry the correct community
string, the SNMP agent will reject the SNMP requests.
If this command is not configured, the default community string is “public”.
string                               This parameter specifies the community string. Its value must
                                     be a string of 1 to 32 characters. The parameter value can only
                                     be changed when the SNMP function is disabled.
           Note: For the sake of security, it is strongly recommended to modify the default SNMP
           community string to avoid possible system information interception.
Example:
AN(config)#snmp community reindeer
no snmp community
This global command is used to reset the community string to the default “public”.
snmp contact <contact_name>
This global command is used to configure the contact information of the administrator.
contact_name                         This parameter specifies the contact information of the
                                     administrator. Its value must be a string of 1 to 128 characters
                                     enclosed by double quotes.
For example:
AN(config)#snmp contact "admin@example.com"
no snmp contact
This global command is used to delete the contact information of the administrator.
snmp location <location>
This global command is used to configure the physical location of the SNMP agent.
location                             This parameter specifies the physical location of the AG
                                     appliance. Its value must be a string of 1 to 128 characters
                                     enclosed by double quotes.
For example:
AN(config)#snmp location "server room 6"
no snmp location
This global command is used to delete the setting of physical location configured for the SNMP
agent.
snmp v3user <user_name> <auth_password> [security_level]
[priv_password]
This global command is used to add one user into the SNMP v3 user database for GET request
authentication. This is to control SNMP GET requests following USM (User-based Security
Model). Please note that the system uses MD5 for SNMPv3 user authentication.
user_name                      This parameter specifies the username of the SNMP v3 user
                               account needed to be added into the SNMP v3 user database. Its
                               value must be a string of 1 to 32 characters.
auth_password                  This parameter specifies the password of the SNMP v3 user account
                               needed to be added into the SNMPv3 user database. Its value must
                               be a string of 8 to 32 characters.
security_level                 Optional. This parameter specifies the security level. Its value must
                               be:
                                   • authNopriv: indicates that authentication is performed and data
                                     encryption is not provided.
                                   • authPriv: indicates that both authentication and data encryption
                                     are performed.
                               The default value is “authNopriv”.
priv_password                  Optional. This parameter specifies the private password for data
                               encryption. Its value must be a string of 8 to 32 characters.
                               Note: This parameter needs to be specified only when the
                               “security_level” parameter is set to “authPriv”.
no snmp v3user <user_name>
This global command is used to delete the specified SNMP v3 user account from the SNMP v3
user database.
SNMP Access Control
snmp ipcontrol {on|off}
This global command is used to enable or disable the SNMP access control function. When this
function is enabled, only the SNMP GET requests coming from the subnets configured using the
“snmp ippermit” command are permitted by the SNMP agent. By default, this function is disabled,
indicating all SNMP GET requests are permitted by the SNMP agent.
snmp ippermit <source_ip> <netmask>
This global command is used to add an SNMP access permit rule to permit the SNMP GET
requests coming from the specified subnet.
source_ip                      This parameter specifies the network IP address of the subnet. Its
                               value must be an IPv4 address.
netmask                        This parameter specifies the netmask of the subnet.
no snmp ippermit <source_ip> <netmask>
This global command is used to delete the specified SNMP access permit rule.
SNMP Traps
snmp enable traps
This global command is used to enable SNMP traps. Enabling SNMP traps allows the SNMP agent to
notify the NMS (configured using the “snmp host” command) of critical and important events
(such as SNMP agent start/termination). The supported traps are:
   • agentStart: This trap is sent when the SNMP agent starts.
   • agentStop: This trap is sent when the SNMP agent terminates.
   • linkup: This trap is sent when the interface of the SNMP agent becomes “up”.
   • linkdown: This trap is sent when the interface of the SNMP agent becomes “down”.
   • caSyslog: This trap is sent when the system log level is larger than “err”.
no snmp enable traps
This global command is used to disable SNMP traps.
snmp host <host_ip> [trap_version] [user_name|community_name]
[engine_id] [auth_password] [security_level] [priv_password]
This global command is used to configure the remote SNMP host used as NMS for receiving the
SNMP traps.
host_ip                             This parameter specifies the IP address of the SNMP host. Its
                                    value must be an IPv4 address.
trap_version                        Optional. This parameter specifies the SNMP trap version. Its
                                    value must be “1”, “2” or “3”, indicating SNMP v1, SNMP v2
                                    or SNMP v3.
                                        • If this parameter is set to “1” or “2”, only the
                                          “user_name|community_name” parameter needs to be
                                          specified.
                                        • If this parameter is set to “3”, the parameters
                                          “user_name|community_name”, “engine_id”,
                                          “auth_password” and “security_level” must be specified.
                                          Please note that the system uses MD5 for SNMPv3 user
                                          authentication.
                                    The default value is 2.
user_name|community_name          Optional. This parameter specifies the trap community string
                                  for SNMP v1 and v2 or the trap user for SNMP v3. The default
                                  value is “public”.
engine_id                         Optional. This parameter specifies the authoritative engine ID
                                  of the remote SNMP host for SNMP v3. Its value must be a hex
                                  number. The parameter length must be an even number and less
                                  than or equal to 24.
auth_password                     Optional. This parameter specifies the authentication password.
                                  Its value must be a string of 8 to 32 characters.
security_level                    Optional. This parameter specifies the security level. Its value
                                  must be:
                                      • authNopriv: indicates that authentication is performed and
                                        data encryption is not provided.
                                      • authPriv: indicates that both authentication and data
                                        encryption are performed.
                                  The default value is “authNopriv”.
priv_password                     Optional. This parameter specifies the private password for
                                  data encryption. Its value must be a string of 8 to 32 characters.
                                  Note: This parameter needs to be specified only when the
                                  “security_level” parameter is set to “authPriv”.
no snmp host <host_ip>
This global command is used to delete an SNMP host.
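The following is an added example, not Array Networks code: a configuration audit that reads “show snmp”-style lines and flags the weak settings the SNMP sections above describe (the default community “public” the Note recommends changing, “snmp ipcontrol” left off so every GET is permitted, trap hosts on v1/v2, and v3 users or hosts at authNopriv, which the handbook defines as no data encryption). The two configurations, the community strings and the engine ID are constructed; the parsing of “snmp host” assumes the positional order given in its syntax line.

```python
import ipaddress

VERSION_TOKENS = {"1", "2", "3"}


def parse_snmp_config(text):
    """Parse 'snmp ...' command lines (as 'show snmp' prints them) into a dict.
    Defaults follow the handbook: community 'public', ipcontrol off, trap
    version 2, security level authNopriv."""
    cfg = {"enabled": False, "version": "default", "community": "public",
           "ipcontrol": False, "ippermit": [], "hosts": [], "v3users": [],
           "traps": False}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "snmp":
            continue
        kw, args = parts[1], parts[2:]
        if kw == "on":
            cfg["enabled"] = True
            cfg["version"] = args[0] if args else "default"
        elif kw == "community" and args:
            cfg["community"] = args[0]
        elif kw == "ipcontrol" and args:
            cfg["ipcontrol"] = args[0] == "on"
        elif kw == "ippermit" and len(args) == 2:
            # <source_ip> <netmask>; a dotted netmask or a prefix length both parse
            cfg["ippermit"].append(ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False))
        elif kw == "host" and args:
            # snmp host <ip> [trap_version] [name] [engine_id] [auth_pw] [security_level] [priv_pw]
            host = {"ip": args[0], "version": "2", "name": "public",
                    "security_level": "authNopriv"}
            rest = args[1:]
            if rest and rest[0] in VERSION_TOKENS:
                host["version"] = rest.pop(0)
            if rest:
                host["name"] = rest.pop(0)
            if host["version"] == "3" and len(rest) >= 3:
                host["security_level"] = rest[2]
            cfg["hosts"].append(host)
        elif kw == "v3user" and len(args) >= 2:
            level = args[2] if len(args) > 2 else "authNopriv"
            cfg["v3users"].append({"name": args[0], "security_level": level})
        elif kw == "enable" and args[:1] == ["traps"]:
            cfg["traps"] = True
    return cfg


def audit_snmp(cfg):
    """Return a list of findings; an empty list means no weak setting was seen."""
    findings = []
    if not cfg["enabled"]:
        return findings  # agent off (the default): nothing is exposed
    if cfg["community"] == "public":
        findings.append("community string is the default 'public'")
    if cfg["version"] != "v3":
        findings.append("agent accepts SNMP v1/v2c, whose community string travels in clear")
    if not cfg["ipcontrol"]:
        findings.append("snmp ipcontrol is off: GET requests from any source are permitted")
    for net in cfg["ippermit"]:
        if net.prefixlen == 0:
            findings.append(f"ippermit {net} permits every source address")
    for h in cfg["hosts"]:
        if h["version"] in ("1", "2"):
            findings.append(f"trap host {h['ip']} uses SNMP v{h['version']} "
                            f"(community '{h['name']}')")
        elif h["security_level"] != "authPriv":
            findings.append(f"trap host {h['ip']} uses v3 at {h['security_level']}: "
                            "traps are not encrypted")
    for u in cfg["v3users"]:
        if u["security_level"] != "authPriv":
            findings.append(f"v3 user '{u['name']}' is {u['security_level']}: "
                            "responses are not encrypted")
    return findings


# Constructed configurations in the format 'show snmp' uses, not real output.
SAMPLE_CONFIG = """\
snmp on
snmp community public
snmp location "server room 6"
snmp contact "admin@example.com"
snmp ipcontrol on
snmp ippermit 10.2.0.0 255.255.0.0
snmp v3user monitor s3cretpass authNopriv
snmp host 10.2.21.1 rudolph
snmp enable traps
"""

HARDENED_CONFIG = """\
snmp on v3
snmp community n0t-publ1c
snmp ipcontrol on
snmp ippermit 10.2.21.0 255.255.255.0
snmp v3user monitor s3cretpass authPriv privpass123
snmp host 10.2.21.1 3 monitor 800007e580 s3cretpass authPriv privpass123
snmp enable traps
"""


def audit_text(text):
    return audit_snmp(parse_snmp_config(text))


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_text(text) or ["no findings"])
```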
Troubleshooting Commands
ping {ipv4|host_name}
This global command is used to check the network connectivity to the specified IPv4 network host
by sending Internet Control Message Protocol (ICMP) echo requests.
ipv4|host_name                 This parameter specifies the IP address or name of the IPv4 network
                               host.
ping6 {ipv6|host_name}
This global command is used to check the network connectivity to the specified IPv6 network host
by sending Internet Control Message Protocol (ICMP) echo requests.
ipv6|host_name                 This parameter specifies the IP address or name of the IPv6 network
                               host.
ping {ipv4|host_name}
This command is used to check the network connectivity to the specified IPv4 network host by
sending Internet Control Message Protocol (ICMP) echo requests.
For this command, the virtual site will always use global DNS settings to resolve the host name.
ipv4|host_name                 This parameter specifies the IP address or name of the IPv4 network
                               host.
traceroute {ipv4|host_name}
This global command is used to trace the route to the specified IPv4 network host by sending three
packets to each intermediate node on this route. After this command is executed, the TTL, host
names and IP addresses of the intermediate nodes (routers or gateways), as well as the round-trip
time of each packet to every node will be displayed.
ipv4|host_name                 This parameter specifies the IP address or name of the IPv4 network
                               host.
traceroute6 {ipv6|host_name}
This global command is used to trace the route to the specified IPv6 network host by sending three
packets to each intermediate node on this route. After this command is executed, the TTL, host
names and IP addresses of the intermediate nodes (routers or gateways), as well as the round-trip
time of each packet to every node will be displayed.
ipv6|host_name                 This parameter specifies the IP address or name of the IPv6 network
                                host.
traceroute {ipv4|host_name}
This command is used to trace the route to the specified IPv4 network host by sending three
packets to each intermediate node on this route. After this command is executed, the system will
display the TTL, host names and IP addresses of the intermediate nodes (routers or gateways), as
well as the round-trip time of each packet to every node.
For this command, the virtual site will always use global DNS settings to resolve the host name.
ipv4|host_name                  This parameter specifies the IP address or name of the IPv4 network
                                host.
nslookup {ip|host_name}
This global command is used to resolve the IPv4 address for the specified host name or vice versa.
After this command is executed, the IPv4 address resolved by the DNS server will be displayed
for the specified host name or vice versa.
ip|host_name                    This parameter specifies the host name or IPv4 address enclosed by
                                double quotes.
nslookup {ip|host_name}
This command is used to resolve the IPv4 address for the specified host name or vice versa. After
this command is executed, the IPv4 address resolved by the DNS server will be displayed for the
specified host name or vice versa.
For this command, if the “dns useglobal off” command is configured for the virtual site, the virtual
site will use its DNS settings to resolve the host name. If the “dns useglobal on” command is
configured for the virtual site, the virtual site will use global DNS settings to resolve the host
name.
ip|host_name                    This parameter specifies the host name or IPv4 address enclosed by
                                double quotes.
support <ip_address> <netmask|prefix>
This global command is used to configure a network segment, within which the users are allowed
to use the “test” account to log into the AG appliance via the SSH protocol or Console.
ip_address                      This parameter specifies the allowed IP address. Its value must be
                                an IPv4 or IPv6 address.
netmask|prefix                  This parameter specifies the netmask or prefix length of the IP
                                address.
                                    • “netmask” is used for an IPv4 address. Its value must be a
                                      dotted IP address or an integer ranging from 0 to 32.
                                    • “prefix” is used for an IPv6 address. Its value must be an
                                      integer ranging from 0 to 128.
no support <ip_address> <netmask|prefix>
This global command is used to delete the specified network segment, within which the users are
allowed to use the “test” account to log into the AG appliance via the SSH protocol or Console.
show support
This global command is used to display all the network segments, within which the users are
allowed to use the “test” account to log into the AG appliance via the SSH protocol or Console.
clear support
This global command is used to clear all the network segments, within which the users are
allowed to use the “test” account to log into the AG appliance via the SSH protocol or Console.
Debug Commands
General Settings
debug enable
This global command is used to enable the debug function. Once this function is enabled, the AG
appliance will first clean the old files (such as sys_debug.tar.gz and sys_core.tar.gz) used to
collect debugging data. Then, the AG appliance will create a new file (such as
englog.20161030_133513) to store debugging data and this collecting process will not stop until the
“debug disable” command is executed.
debug disable
This global command is used to disable the debug function. Once the debug function is disabled,
the AG appliance will first generate a file named sys_debug.tar.gz to store the collected debug
data. Then, the AG appliance will clean up the collected debug data in the system. The file
sys_debug.tar.gz can be downloaded via WebUI.
The following is the generated tar file that only contains the debug information collected from the
moment of executing the “debug enable” command to the moment of executing the “debug
disable” command.
/var/crash/sys_debug.tar.gz
tcpdump
ssldump
debug.tar.gz (including englog, pipe and loopback information)
show debug file
This global command is used to display the debugging files.
show debug output [subsystem_name]
This global command is used to display the debugging output for the specified subsystem.
subsystem_name                    Optional. This parameter specifies the name of the subsystem. The
                                  default value is “no_englog”.
Debug Snapshot
debug corefile [core_files_number]
This global command is used to set the number of system core files to be collected.
core_files_number                 Optional. This parameter specifies the number of system core files
                                  to be collected. Its value must be an integer ranging from 1 to 10.
                                  The default value is 1.
           Note: Administrators must first execute this command to set the number of core files to be
           collected before executing the “debug snapshot system” command to collect core files,
           such as sys_core.tar.gz and app_core.tar.gz. If no value is specified, the system will not
           collect any core file.
debug snapshot proxy [level]
This global command is used to take a snapshot of proxy activities. The output is saved into the
sys_debug.tar.gz file generated after the debug function is enabled using the “debug enable”
command. Please enable the debug function first before executing this command.
level                             This parameter specifies the quantity of the snapshot. Its value must
                                  be “1”, “2” or “3”. “1” indicates the least data while “3” indicates
                                  the most data.
debug snapshot system
This global command is used to take a snapshot of the system activities. The following four
categorized files might be generated after this command is executed:
       • sys_snap.tar.gz.gpg
       • sys_log.tar.gz.gpg
       • sys_core.tar.gz.gpg
       • app_core.tar.gz.gpg
The files “sys_snap.tar.gz.gpg”, “sys_log.tar.gz.gpg”, “sys_core.tar.gz.gpg” or
“app_core.tar.gz.gpg” can be downloaded via WebUI.
Please note that the files “sys_core.tar.gz.gpg” and “app_core.tar.gz.gpg” can be generated only
when specific core files exist in the system.
debug snapshot all [level]
This global command is used to take a snapshot of both proxy and system activities. The output of
proxy is saved into the sys_debug.tar.gz file generated after the debug function is enabled using
the “debug enable” command and the system output is saved into the files “sys_snap.tar.gz.gpg”,
“sys_log.tar.gz.gpg”, “sys_core.tar.gz.gpg” or “app_core.tar.gz.gpg”. Please enable the debug
function first before executing this command.
Please note that the files “sys_core.tar.gz.gpg” and “app_core.tar.gz.gpg” can be generated only
when specific core files exist in the system.
level                           This parameter specifies the quantity of the snapshot. Its value must
                                be “1”, “2” or “3”. “1” indicates the least data while “3” indicates
                                the most data.
Debug Trace
debug trace live event backward [regular_expression]
This global command is used to display the KDB (Kernel Debugger) events in the backward
sequence of time.
regular_expression              Optional. This parameter specifies the regular expression to match
                                the KDB events. Its value must be a string of 1 to 64 characters.
debug trace live event forward [regular_expression]
This global command is used to display the KDB events in the forward sequence of time.
regular_expression              Optional. This parameter specifies the regular expression to match
                                the KDB events. Its value must be a string of 1 to 64 characters.
debug trace live proxy [src_ip] [src_port] [dst_ip] [dst_port] [and|or]
[tcpdump_argument]
This global command is used to trace and display the proxy activities in real time.
src_ip                          Optional. This parameter specifies the source IP to be traced. Its
                                value must be an IPv4 address. The default value is 0.0.0.0,
                               indicating all source IP addresses will be traced live.
src_port                       Optional. This parameter specifies the source port to be traced. Its
                               value must be an integer ranging from 0 to 65535. The default value
                               is 0, indicating all source ports will be traced live.
dst_ip                         Optional. This parameter specifies the destination IP to be traced.
                               Its value must be an IPv4 address. The default value is 0.0.0.0,
                               indicating all destination IP addresses will be traced live.
dst_port                       Optional. This parameter specifies the destination port to be traced.
                               Its value must be an integer ranging from 0 to 65535. The default
                               value is 0, indicating all destination ports will be traced live.
and|or                         Optional. This parameter specifies the relationship between the
                               configured parameters (source IP, source port, destination IP,
                               destination port). Its value must be:
                                   • and: indicates that only the activities matching all of the given
                                     parameters (source IP, source port, destination IP, destination
                                     port) will be displayed.
                                   • or: indicates that any activity matching any one of the given
                                     parameters will be displayed.
                               The default value is “or”.
tcpdump_argument               Optional. This parameter specifies the argument used to trace TCP
                               activities via tcpdump, which is a TCP packet analyzer. Its value
                               must be a string of 1 to 128 characters.
                               The default value is empty.
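The following is an added example, not Array Networks code: the selection rule behind the src_ip, src_port, dst_ip, dst_port and and|or parameters of “debug trace live proxy” described above, with 0.0.0.0 and port 0 treated as the handbook's “trace everything” defaults and “or” as the default relationship. It also renders the same selection as a stand-alone tcpdump capture filter; the flow records are constructed for the illustration.

```python
from dataclasses import dataclass

WILDCARD_IP = "0.0.0.0"   # handbook default for src_ip / dst_ip: trace all addresses
WILDCARD_PORT = 0         # handbook default for src_port / dst_port: trace all ports


@dataclass(frozen=True)
class Flow:
    """A proxied connection as the trace would see it (constructed test data)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class ProxyTraceFilter:
    """The four selector parameters plus the and|or relationship."""
    src_ip: str = WILDCARD_IP
    src_port: int = WILDCARD_PORT
    dst_ip: str = WILDCARD_IP
    dst_port: int = WILDCARD_PORT
    relation: str = "or"   # handbook default

    def __post_init__(self):
        if self.relation not in ("and", "or"):
            raise ValueError("relation must be 'and' or 'or'")
        for port in (self.src_port, self.dst_port):
            if not 0 <= port <= 65535:
                raise ValueError("ports must be integers from 0 to 65535")

    def given(self):
        """(attribute, value) pairs for the parameters that are not wildcards."""
        pairs = []
        for name, value, wild in (("src_ip", self.src_ip, WILDCARD_IP),
                                  ("src_port", self.src_port, WILDCARD_PORT),
                                  ("dst_ip", self.dst_ip, WILDCARD_IP),
                                  ("dst_port", self.dst_port, WILDCARD_PORT)):
            if value != wild:
                pairs.append((name, value))
        return pairs

    def matches(self, flow):
        given = self.given()
        if not given:
            return True   # every parameter left at its default: trace all activity
        hits = [getattr(flow, name) == value for name, value in given]
        # "and": every given parameter must match; "or": any one is enough
        return all(hits) if self.relation == "and" else any(hits)

    def to_tcpdump_expression(self):
        """Equivalent stand-alone tcpdump (BPF) capture filter for the same selection."""
        primitive = {"src_ip": "src host", "src_port": "src port",
                     "dst_ip": "dst host", "dst_port": "dst port"}
        return f" {self.relation} ".join(f"{primitive[n]} {v}" for n, v in self.given())


def select_flows(filt, flows):
    """The flows the trace would display for `filt`."""
    return [f for f in flows if filt.matches(f)]


# Constructed flows, not real appliance output.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 51234, "192.0.2.10", 443),
    Flow("10.0.0.5", 51235, "192.0.2.10", 80),
    Flow("10.0.0.9", 40001, "192.0.2.11", 443),
]


if __name__ == "__main__":
    strict = ProxyTraceFilter(src_ip="10.0.0.5", dst_port=443, relation="and")
    print(strict.to_tcpdump_expression(), select_flows(strict, SAMPLE_FLOWS))
```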
debug trace live ssl <interface_name> <virtual_site> [encrypt|plain]
[ssldump_argument]
This global command is used to trace and display SSL activities in real time.
interface_name                 This parameter specifies the existing interface name. It can be a
                               system interface, bond interface or VLAN interface.
virtual_site                   This parameter specifies the name of the existing virtual site. Its
                               value must be a string of 1 to 63 characters.
encrypt|plain                  Optional. This parameter specifies the display format of the data in
                               SSL communication packets. Its value must be:
                                   • encrypt: The encrypted data in SSL communication packets
                                     will be directly displayed on the screen.
                                   • plain: The encrypted data in SSL communication packets will
                                     be decrypted first and then be displayed on the screen.
                               The default value is “encrypt”.
ssldump_argument               Optional. This parameter specifies the argument used to trace SSL
                               activities via ssldump, which is an SSL packet analyzer. Its value
                               must be a string of 1 to 128 characters enclosed by double quotes.
                               The default value is empty.
debug trace live tcp <interface_name> [tcpdump_argument]
This global command is used to trace and display TCP activities in real time.
interface_name                 This parameter specifies the existing interface name. It can be a
                               system interface, bond interface or VLAN interface.
tcpdump_argument               Optional. This parameter specifies the argument used to trace TCP
                               activities via tcpdump, which is a TCP packet analyzer. Its value
                               must be a string of 1 to 128 characters.
                               The default value is empty.
debug trace proxy
This global command is used to trace proxy activities. The output is saved into the
sys_debug.tar.gz file generated after the debug function is enabled using the “debug enable”
command. Please enable the debug function first before executing this command.
debug trace ssl [encrypt|plain] [ssldump_argument]
This global command is used to trace SSL activities. The output is saved into the sys_debug.tar.gz
file generated after the debug function is enabled using the “debug enable” command. Please
enable the debug function first before executing this command.
encrypt|plain                  Optional. This parameter specifies the display format of the data in
                               SSL communication packets. Its value must be:
                                   • encrypt: indicates that the encrypted data in SSL communication
                                     packets will be directly saved into the “englog” file.
                                   • plain: indicates that the encrypted data in SSL communication
                                     packets will be decrypted first and then be saved into the
                                     “englog” file.
                               The default value is “encrypt”.
ssldump_argument               Optional. This parameter specifies the argument used to trace SSL
                               activities via ssldump, which is an SSL packet analyzer. Its value
                               must be a string of 1 to 128 characters enclosed by double quotes.
                               The default value is empty.
debug trace tcp loopback [tcpdump_argument]
This global command is used to trace TCP activities on the loopback interfaces. The output is
saved into a newly generated file (such as tcpdump_lo0.20161030_134410 included in the file
sys_debug.tar.gz). Please enable the debug function first before executing this command.
tcpdump_argument               Optional. This parameter specifies the argument used to trace TCP
                               activities via tcpdump, which is a TCP packet analyzer. Its value
                               must be a string of 1 to 128 characters.
                               The default value is empty.
debug trace tcp nic [tcpdump_argument]
This global command is used to trace TCP activities on all the NICs. The output is saved into a
newly generated file (such as tcpdump_port1.20161030_134410 included in the file
sys_debug.tar.gz). Please enable the debug function first before executing this command.
tcpdump_argument               Optional. This parameter specifies the argument used to trace TCP
                               activities via tcpdump, which is a TCP packet analyzer. Its value
                               must be a string of 1 to 128 characters.
                               The default value is empty.
debug trace tcp pipe0 [tcpdump_argument]
This global command is used to trace the TCP activities on pipe0. The output is saved into a
newly generated file (such as tcpdump_pipe0.20161030_134410 included in the file
sys_debug.tar.gz). Please enable the debug function first before executing this command.
tcpdump_argument               Optional. This parameter specifies the argument used to trace TCP
                               activities via tcpdump, which is a TCP packet analyzer. Its value
                               must be a string of 1 to 128 characters.
                               The default value is empty.
debug trace tcp all [tcpdump_argument]
This global command is used to trace TCP activities on all the interfaces. Please enable the debug
function first before executing this command.
tcpdump_argument               Optional. This parameter specifies the argument used to trace TCP
                               activities via tcpdump, which is a TCP packet analyzer. Its value
                               must be a string of 1 to 128 characters.
                               The default value is empty.
Debug Usage
debug usage mbuf
This global command is used to enable the function of tracking the usage of mbuf in the system.
no debug usage mbuf
This global command is used to disable the function of tracking the usage of mbuf by the system.
show debug usage mbuf
This global command is used to display the mbuf usage information. After the “show debug
usage mbuf” command is executed, the following output will be displayed:
AN#show debug usage mbuf
Mbuf usage Statistics
index: 1, app: 0x201993a8
Total mbufs: 2094848
Module Name         no of mbufs (col 1) no of mbufs (col 2)
ID_0:               2094847             2094847
ID_1:                    1                   0
ID_21:                   0                   1
Debug File Export
debug ftp <username> <remote_ftp_ip> <file_name>
This global command is used to export the files storing the debugging data to the specified remote
FTP server. A time stamp will be inserted into the name of each exported file to differentiate them
from other files on the FTP server.
username                       This parameter specifies the username to log into the remote FTP
                               server. Its value must be a string of 1 to 128 characters.
remote_ftp_ip                   This parameter specifies the IP address of the remote FTP server. Its
                                value must be an IPv4 address.
file_name                       This parameter specifies the name of the file to be exported to the
                                FTP server (without the “.tar.gz.gpg” suffix). Its value must be
                                “sys_snap”, “sys_snap.0”, “sys_snap.1”, “sys_log”, “sys_log.0”,
                                “sys_log.1”, “sys_core”, “app_core”, “sys_debug”, “sslkeylog” or
                                “all”. If the parameter value is set to “all”, all the latest tarball files
                                (sys_snap, sys_log, sys_core, app_core and sys_debug) are
                                exported to the remote FTP server.
debug scp {username@remote_scp_ip|host} <file_name>
This global command is used to export the files storing the debugging data to the specified remote
SCP server. A time stamp will be inserted into the name of each exported file to differentiate them
from other files on the SCP server.
username@remote_scp_ip|host            This parameter specifies the username and the IP address or
                                       host name of the remote SCP server. Its value must be a
                                       string of 1 to 512 characters.
file_name                              This parameter specifies the name of the file to be exported to
                                       the remote SCP server (without the “.tar.gz” suffix). Its value
                                       must be “sys_snap”, “sys_snap.0”, “sys_snap.1”, “sys_log”,
                                       “sys_log.0”, “sys_log.1”, “sys_core”, “app_core”,
                                       “sys_debug”, “sslkeylog” or “all”. If the parameter value is
                                       set to “all”, all the latest tarball files (sys_snap, sys_log,
                                       sys_core, app_core and sys_debug) are exported to the
                                       remote SCP server.
Debug Monitor
debug monitor {on|off}
This global command is used to enable or disable the monitor function. Once this function is
enabled, it will trace and log (into a predefined file named “monitor.out0”) the status of the AG
appliance.
debug monitor export ftp <username> <remote_ftp_ip>
This global command is used to export the monitor result file to a remote FTP server. Please
disable the monitor module using the command “debug monitor off” before executing this
command.
username                        This parameter specifies the username to log into the remote FTP
                               server. Its value must be a string of 1 to 128 characters.
remote_ftp_ip                  This parameter specifies the IP address of the remote FTP server. Its
                               value must be an IPv4 address.
debug monitor export scp <username@remote_address:filepath>
This global command is used to export the monitor result file to a remote SCP server. Please
disable the monitor module using the command “debug monitor off” before executing this
command.
username@remote_address:filepath           This parameter specifies the username, the host name or
                                           IP address of the remote SCP server, and the destination
                                           file path. Its value must be a string of 1 to 128 characters
                                           enclosed by double quotes, such as
                                           “test@172.16.13.12:/home/test”.
debug monitor import ftp <username> <remote_ftp_ip> <file_path>
This global command is used to import a customized script from a remote FTP server. In the
customized script, administrators can enter the CLIs that display the system information they want
and then import the customized script. This way, they can collect the exact debugging information
that they want. Please disable the debug monitor function using the “debug monitor off”
command before executing this command.
username                       This parameter specifies the username to log into the remote FTP
                               server. Its value must be a string of 1 to 128 characters.
remote_ftp_ip                  This parameter specifies the IP address of the remote FTP server. Its
                               value must be an IPv4 address.
file_path                      This parameter specifies the path, which must include the file name,
                               to import the file from the FTP server. Its value must be a string of
                               1 to 256 characters.
debug monitor import scp <username@remote_address:filepath>
This global command is used to import a customized script from a remote server via SCP. In the
customized script, administrators can enter the CLIs that display the system information they
want and then import the customized script. This way, they can collect the exact debugging
information that they want. Please execute “debug monitor off” before executing this command.
username@remote_address:filepath           This parameter specifies the username and the name or
                                           IP address of the remote host on the remote SCP server.
                                           Its value must be a string of 1 to 128 characters
                                           enclosed by double quotes, such as
                                           “test@172.16.13.12:/home/test”.
show debug monitor
This global command is used to display the monitor configurations including its status and
customized scripts imported by the users.
Chapter 12 Admin Tools
Administrators
Admin User and Admin Access
admin user <username> <password> [enable|config] [scope] [mode]
This global command is used to create a new administrator account. If the account already exists,
this global command is also used to update the account’s password and access privileges.
username                       This parameter specifies the administrator’s username. Its value
                               must be a string of 1 to 16 characters. Tabs, spaces, 8-bit characters
                               and special characters like “,”, “:”, “+”, “&”, “#”, “%”, “^”, “(”,
                               “)”, “!”, “@”, “~”, “*”, “?”, “"”, “<”, “>”, “=”, “|”, “\”, “/” are not
                               allowed. “$” can only appear at the end of the parameter value.
                               Besides, the parameter value must not begin with “-”.
password                       This parameter specifies the administrator’s password. Its value
                               must be a string of 1 to 256 characters. If the password begins with
                               a numeric character or includes any keystroke symbols such as “!”
                               or “$”, it must be enclosed by double quotes. If the parameter value
                               is set to “*”, this administrator is not allowed to log in.
enable|config                  This parameter specifies the administrator’s access level. Its value
                               must be:
                                   • enable: indicates that administrators are only allowed to run
                                     the commands of Enable mode, and cannot access the Config
                                     mode.
                                   • config: indicates that administrators are allowed to run all
                                     commands on the AG appliance to make changes to any part
                                     of the appliance configuration.
scope                          Optional. This parameter sets the administrator’s access scope. Its
                               value must be:
                                   • “virtual site name”: indicates that the site administrator can
                                     run commands only under a specified virtual site.
                                   • global: indicates that the global administrator can run
                                     commands under the global scope and all virtual sites.
                               The default value is “global”.
                                Note: If the parameter value is set to “global”, the “mode”
                                parameter can be set to “all” only.
mode                            Optional. This parameter specifies the management mode to access
                                and manage the AG appliance. Its value must be:
                                    • webui: indicates the administrator can access and manage the
                                      AG appliance only through WebUI.
                                    • all: indicates the administrator can access and manage the AG
                                      appliance through Console, SSH, XML-RPC or WebUI.
                                The default value is “all”.
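The username and password rules above are easy to get wrong in a provisioning script. The following Python is an added example, not Array Networks code: it checks a proposed username against the rules listed for the “username” parameter and applies the double-quoting rule given for the “password” parameter before the command is sent. Treating every non-alphanumeric character as a keystroke symbol that needs quoting is an assumption, marked in the code.

```python
"""Pre-flight checks for `admin user <username> <password>` arguments.

Added example, not Array Networks code. The rules are the ones the handbook
lists for the two parameters; the one assumption is marked ASSUMPTION.
"""
USERNAME_MAX_LEN = 16
PASSWORD_MAX_LEN = 256
# Characters the handbook forbids anywhere in a username.
FORBIDDEN_IN_USERNAME = frozenset(',:+&#%^()!@~*?"<>=|\\/')


def username_problems(name):
    """Return the rule violations for an administrator username ([] if valid)."""
    problems = []
    if not 1 <= len(name) <= USERNAME_MAX_LEN:
        problems.append("length must be 1 to %d characters" % USERNAME_MAX_LEN)
    if name.startswith("-"):
        problems.append("must not begin with '-'")
    for pos, ch in enumerate(name):
        if ch in " \t":
            problems.append("tabs and spaces are not allowed")
        elif ord(ch) > 127:
            problems.append("8-bit character %r is not allowed" % ch)
        elif ch in FORBIDDEN_IN_USERNAME:
            problems.append("special character %r is not allowed" % ch)
        elif ch == "$" and pos != len(name) - 1:
            problems.append("'$' may appear only at the end")
    return list(dict.fromkeys(problems))   # drop duplicate messages, keep order


def is_valid_username(name):
    return not username_problems(name)


def quote_password_for_cli(password):
    """Return the password as it must be typed on the CLI.

    The handbook requires double quotes when the password begins with a digit
    or includes keystroke symbols such as '!' or '$'. ASSUMPTION: every
    non-alphanumeric character counts as such a symbol, so quoting is applied
    conservatively.
    """
    if not 1 <= len(password) <= PASSWORD_MAX_LEN:
        raise ValueError("password must be 1 to %d characters" % PASSWORD_MAX_LEN)
    if password == "*":
        # The handbook's marker for an account that may not log in; sent as-is.
        return password
    if '"' in password:
        raise ValueError("the handbook documents no escape for an embedded double quote")
    needs_quotes = password[0].isdigit() or not password.isalnum()
    return '"%s"' % password if needs_quotes else password
```

A script would call username_problems() and show every violation at once rather than learning them one rejection at a time from the appliance.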
no admin user <username>
This global command is used to delete a specified administrator account.
show admin users
This global command is used to display the list of current administrator accounts (including their
encrypted passwords).
clear admin users
This global command is used to clear all administrator accounts.
admin password <username> <password>
Under both the global scope and the virtual site scope, this command is used to change an existing
administrator’s password.
username                        This parameter specifies the administrator’s username.
password                        This parameter specifies the administrator’s new password.
admin level <username> <enable|config>
This global command is used to change an existing administrator’s access level.
username                        This parameter specifies the administrator’s username.
enable|config                   This parameter specifies the new access level. Its value must be:
                                    • enable: indicates that administrators are only allowed to run
                                      the commands of Enable mode, and cannot access the Config
                                      mode.
                                    • config: indicates that administrators are allowed to run all
                                    commands on the AG appliance to make changes to any part
                                    of the appliance configuration.
admin access <ip_address> <netmask>
This global command is used to add an IP address or a subnet to be authorized for administrator
access. The administrator can access the system only from the authorized subnets. When no
authorized IPs or subnets have been configured, administrators can log into the system from any
source IP address.
ip_address                     The parameter specifies the source IP address to be authorized for
                               access. Its value must be an IPv4 address.
netmask                        This parameter specifies the netmask. Its value must be in dotted
                               decimal notation.
        Note: After the “admin access” configurations are added or deleted, you need to restart the
        WebUI for the configuration changes to take effect for all WebUI sessions. Therefore,
        please execute the “webui restart” command after executing the “admin access”, “no
        admin access” or “clear admin access” command.
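The behaviour of the authorized-subnet check, including the fact that an empty list authorizes every source address, can be modelled directly. The following Python is an added example, not Array Networks code: it evaluates a source address against (ip_address, netmask) pairs as given to “admin access”, flags a rule whose netmask is 0.0.0.0, and renders the CLI lines together with the “webui restart” the note requires. Masking host bits out of a rule's address (strict=False) is an assumption about the appliance's behaviour.

```python
"""Model of the `admin access` source-address check.

Added example, not Array Networks code. The (ip, netmask) pairs are kept
exactly as they are given to `admin access`.
"""
import ipaddress


def build_allow_list(rules):
    """rules: iterable of (ip_address, netmask) strings, e.g. ("10.1.2.0", "255.255.255.0").

    ASSUMPTION: host bits in the address are masked out (strict=False); the
    handbook does not say how the appliance treats them.
    """
    return [ipaddress.IPv4Network((ip, mask), strict=False) for ip, mask in rules]


def is_source_authorized(source_ip, allow_list):
    """Handbook: with no authorized subnets configured, any source may log in."""
    if not allow_list:
        return True
    addr = ipaddress.IPv4Address(source_ip)
    return any(addr in net for net in allow_list)


def overly_broad_rules(allow_list):
    """Return the rules whose netmask is 0.0.0.0, i.e. that authorize every source."""
    return [net for net in allow_list if net.prefixlen == 0]


def render_commands(rules):
    """CLI lines to apply the rules, followed by the restart the note calls for."""
    lines = ["admin access %s %s" % (ip, mask) for ip, mask in rules]
    lines.append("webui restart")
    return lines


# Constructed sample configuration: one management subnet and one jump host.
SAMPLE_RULES = [("10.1.2.0", "255.255.255.0"), ("192.168.50.7", "255.255.255.255")]
```

Running overly_broad_rules() over a pulled configuration is a quick audit for an “admin access 0.0.0.0 0.0.0.0” entry, which leaves the restriction present in the configuration but ineffective.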
no admin access <ip_address> <netmask>
This global command is used to delete an IP address or subnet authorized for administrator access.
show admin access
This global command is used to display all the configurations of administrator access.
clear admin access
This global command is used to clear all the configurations of administrator access.
admin sitelock access [virtual_site]
This global command is used to deny administrator access from a specified virtual site.
virtual_site                   Optional. This parameter specifies the name of the virtual site. If
                               this parameter is not specified, the administrator access from all
                               virtual sites will be denied.
admin sitelock config [virtual_site]
This global command is used to deny administrator “Config” level access from a specified virtual
site. Administrators will still have “Enable” level access to the virtual site.
virtual_site                   Optional. This parameter specifies the name of the virtual site. If
                               this parameter is not specified, administrator “Config” level access
                                from all virtual sites will be denied.
no admin sitelock [virtual_site]
This global command is used to delete configurations of administrator sitelock for a specified
virtual site. If the “virtual_site” parameter is not configured, configurations of administrator
sitelock for all virtual sites will be deleted.
show admin sitelock [virtual_site]
This global command is used to display the configured access restriction for site administrators of
a specified virtual site. If the “virtual_site” parameter is not configured, configured access
restrictions for site administrators of all virtual sites will be displayed.
admin announce <message> [mode]
This global command is used to set the message that will be sent to the specified administrator(s).
message                         This parameter specifies the content of the message. Its value must
                                be a string of 1 to 60 characters.
mode                            Optional. This parameter specifies the administrators to whom the
                                message will be sent. Its value must be:
                                    • global: indicates that the message will be sent to the global
                                      administrators.
                                    • “virtual site name”: indicates that the message will be sent to
                                      the site administrators.
                                    • “empty”: indicates that the message will be sent to both the
                                      global and site administrators.
                                The default value is empty.
admin permit <username> <virtual_site>
This global command is used to allow a specified administrator to manage a specified virtual site.
username                        This parameter specifies the administrator’s username.
virtual_site                    This parameter specifies the name of the virtual site.
no admin permit <username>
This global command is used to delete the administrator’s management privilege for a specified
virtual site.
Role-based Privilege Management
admin role name <role_name> <scope>
This global command is used to add an administrator role.
role_name                       This parameter specifies the name of the administrator role. Its
                                value must be a string of 1 to 25 characters.
scope                           This parameter specifies the administrator’s access scope. Its value
                                must be:
                                    • “virtual site name”: indicates that the site administrator can
                                      run commands only under a specified virtual site.
                                    • global: indicates that the global administrator can run
                                      commands under the global scope and all virtual sites.
no admin role name <role_name>
This global command is used to delete a specified administrator role.
show admin role name [role_name]
This command is used to display the configuration of a specified administrator role. If the
“role_name” parameter is not specified, configurations of all administrator roles will be displayed.
clear admin role name
This global command is used to clear configurations of all administrator roles.
admin role delegate <username> <role_name>
This global command is used to associate a role with an administrator.
username                        This parameter specifies the name of the administrator.
role_name                       This parameter specifies the name of an administrator role.
no admin role delegate <username> <role_name>
This global command is used to delete the association between an administrator role and an
administrator.
show admin role delegate <username>
This global command is used to display the association between a specified administrator and
configured administrator roles.
clear admin role delegate <username>
This global command is used to clear all associations between configured administrator roles and
a specified administrator.
admin role feature <role_name> <feature> <enable|config>
This global command is used to assign a feature to an administrator role.
role_name                       This parameter specifies the name of an administrator role.
feature                         This parameter specifies the feature to be assigned to the
                                administrator role. You can view all the available features by
                                executing the “show admin role feature list” command.
enable|config                   This parameter specifies the administrator’s access privilege. Its
                                value must be:
                                    • enable: indicates that administrators assigned with this access
                                      privilege can only view the existing configurations of the
                                      feature.
                                    • config: indicates that administrators assigned with this access
                                      privilege can view and change the configurations of the
                                      feature.
no admin role feature <role_name> <feature>
This global command is used to delete a feature from a specified administrator role.
show admin role feature <role_name|list>
This global command is used to display the features assigned to a specified administrator role.
role_name|list                  This parameter specifies how to list the available features. Its value
                                must be:
                                     • “role name”: indicates the features assigned to the specified
                                       administrator role will be displayed.
                                     • list: indicates all available features will be displayed.
clear admin role feature <role_name>
This global command is used to clear all features assigned to a specified administrator role.
show admin role settings [role_name]
This global command is used to display the settings configured for a specified administrator role.
If the “role_name” parameter is not specified, settings for all administrator roles will be displayed.
Admin AAA
admin aaa {on|off}
This global command is used to enable or disable the Admin AAA function, which allows the
system to authenticate and authorize administrators using external AAA servers. By default, this
function is disabled.
admin aaa localuser alwayson
This global command is used to enable administrators to be authenticated using the local database
before using external AAA servers. When the administrators fail the authentication performed by
the local database, the system will use external AAA servers to authenticate administrators if the
Admin AAA function has been enabled. By default, this function is enabled.
no admin aaa localuser alwayson
This global command is used to disable administrators from being authenticated using the local
database before using external AAA servers. That is, the system will use external AAA servers to
authenticate the administrators first. If the external AAA servers return the “Accept” or “Deny”
response, the system will not use the local database to authenticate the administrators later.
However, if the system does not receive any response from the AAA servers, the system will then
use the local database to authenticate the administrators.
admin aaa method {ldap|radius} <rank>
This global command is used to add an AAA method and add the AAA method to the rank list for
Admin AAA.
Two AAA methods are supported:
      • LDAP (ldap): indicates that the LDAP host(s) configured using the “admin aaa ldap host”
        command will be used for authentication and authorization.
      • RADIUS (radius): indicates that the RADIUS host(s) configured using the “admin aaa
        radius host” command will be used for authentication and authorization.
rank                            This parameter specifies the rank number of the AAA method in the
                                rank list. Its value must be 1 or 2.
                                When the rank number of the AAA method “ldap” is 1, the rank
                                number of the AAA method “radius” can only be 2, and vice versa.
no admin aaa method {ldap|radius} <rank>
This global command is used to delete the LDAP or RADIUS AAA method and its rank setting.
admin aaa method rank {on|off}
This global command is used to enable or disable AAA rank for Admin AAA. By default, this
function is disabled.
When AAA rank is enabled for Admin AAA, the AAA method with rank 1 will be used for
authentication first. If an administrator fails the authentication using this AAA method, the system
will use the AAA method with rank 2 to authenticate the administrator. However, when AAA rank
is disabled for Admin AAA, only the AAA method with rank 1 can be used for authentication.
That is, if an administrator fails the authentication using this AAA method, the system will reject
the administrator.
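The three settings above (Admin AAA on or off, “localuser alwayson” and “method rank”) interact, and the order in which the local database and the external servers are consulted decides whether a local account still works when an external server is unreachable or returns “Deny”. The following Python is an added example, not Array Networks code: it encodes the decision flow as described in this section, with the server replies stubbed by a constructed dictionary. Points the handbook leaves open (what happens when Admin AAA is off, and how a “Deny” from one ranked method is combined with no response from the other) are marked ASSUMPTION in the code.

```python
"""Model of the Admin AAA decision flow described in the handbook.

Added example, not Array Networks code: it encodes the `admin aaa`,
`admin aaa localuser alwayson` and `admin aaa method rank` behaviour as a
function so the interaction of the three settings can be checked case by case.
"""
from dataclasses import dataclass, field

ACCEPT, DENY, NO_RESPONSE = "accept", "deny", "no_response"


@dataclass
class AdminAaaConfig:
    aaa_on: bool = False               # admin aaa {on|off}; default off
    localuser_alwayson: bool = True    # admin aaa localuser alwayson; default on
    rank_on: bool = False              # admin aaa method rank {on|off}; default off
    methods: dict = field(default_factory=dict)  # rank (1 or 2) -> "ldap" | "radius"


def external_decision(cfg, responses):
    """Consult the ranked external methods.

    `responses` stands in for the real servers: method name -> ACCEPT, DENY or
    NO_RESPONSE (constructed sample input). Returns (decision, methods_tried).
    """
    ordered = [cfg.methods[r] for r in sorted(cfg.methods)]
    if not cfg.rank_on:
        ordered = ordered[:1]          # rank off: only the rank-1 method is used
    tried, seen = [], set()
    for method in ordered:
        tried.append(method)
        reply = responses.get(method, NO_RESPONSE)
        if reply == ACCEPT:
            return ACCEPT, tried
        seen.add(reply)                # a failure moves on to the next rank (rank on)
    # ASSUMPTION: a Deny from any consulted method outranks silence from another.
    if DENY in seen:
        return DENY, tried
    return NO_RESPONSE, tried


def authenticate(cfg, username, password, local_users, responses):
    """Return (decision, trail) for one admin login attempt.

    `local_users` is the local database (username -> password) and `responses`
    the stand-in for the external servers; both are constructed inputs.
    """
    def local_ok():
        return local_users.get(username) == password

    if not cfg.aaa_on:
        # ASSUMPTION: with Admin AAA off only the local database is consulted.
        return (ACCEPT if local_ok() else DENY), ["local"]

    if cfg.localuser_alwayson:
        # Local database first; external servers only if the local check fails.
        if local_ok():
            return ACCEPT, ["local"]
        ext, tried = external_decision(cfg, responses)
        # ASSUMPTION: with local already failed, anything but Accept is a rejection.
        return (ACCEPT if ext == ACCEPT else DENY), ["local"] + tried

    # alwayson off: external first; Accept or Deny is final, no response falls back to local.
    ext, tried = external_decision(cfg, responses)
    if ext in (ACCEPT, DENY):
        return ext, tried
    return (ACCEPT if local_ok() else DENY), tried + ["local"]


# Constructed local database used by the cases below.
LOCAL_USERS = {"admin": "pw"}
```

The trail returned alongside the decision is what an operator wants when a lockout is reported: with “localuser alwayson” disabled, a “Deny” from the rank-1 server is final and the local account is never consulted, whereas an unreachable server still lets the local account in.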
admin aaa ldap host <ip> <port> <username> <password> <base>
<timeout> [index] [tls_flag]
This global command is used to configure an LDAP host for Admin AAA if the LDAP AAA
method is used. A maximum of three LDAP hosts can be configured.
ip                              This parameter specifies the IP address of the LDAP host. Its value
                                must be an IPv4 address.
port                            This parameter specifies the port of the LDAP host. Its value must
                                be an integer ranging from 1 to 65,535.
username                        This parameter specifies the username of the LDAP host
                                administrator.
password                        This parameter specifies the password of the LDAP host
                                administrator.
base                            This parameter specifies the Distinguished Name (DN) of the entry
                                at which to start the search for administrators. Its value must be a
                                string of 1 to 900 characters.
timeout                         This parameter specifies the idle timeout, in seconds, allowed for a
                                search to run. Its value must be an integer ranging from 1 to 65,535.
index                           Optional. This parameter specifies the host index. Its value must be
                                1, 2 or 3. The default value is 1.
tls_flag                        Optional. This parameter specifies whether to access the LDAP
                                server over the TLS protocol. Its value must be:
                                    • “tls”: indicates that the LDAP server is accessed over the TLS
                                      protocol.
                                    • empty: indicates the LDAP server is not accessed over the
                                      TLS protocol.
                               The default value is empty.
no admin aaa ldap host <index>
This global command is used to delete a specified LDAP host for Admin AAA.
admin aaa ldap idletimeout [idle_time]
This global command is used to set the idle timeout value for the configured LDAP host(s). The
connection to an LDAP host will be terminated when the connection has been idle for a specified
timeout value.
idle_time                      Optional. This parameter specifies the idle timeout value in
                               seconds. Its value must be an integer ranging from 60 to 3000. The
                               default value is 600.
no admin aaa ldap idletimeout
This global command is used to delete the idle timeout setting for the configured LDAP host(s).
admin aaa ldap searchfilter <filter_string>
This global command is used to configure a search filter for the configured LDAP host(s). The
search filter plays an important role in authenticating and authorizing users through LDAP. For
the functions of the search filter in static and dynamic binding, please refer to the commands
“admin aaa ldap bind dynamic” and “admin aaa ldap bind static”.
filter_string                  This parameter specifies a filter string used to search for the LDAP
                               entries. Its value must be a string of 1 to 80 characters, which must
                               be enclosed by double quotes.
                               The filter string consists of:
                                   attribute: Common Name (cn), Distinguished Name (dn), User
                                    Id (uid), Organization Unit (ou) and so on.
                                   comparison operator: “=”, “>=”, “<=” or “~=” (approximate
                                    match).
                                   logical operator: “&” (and), “|” (or) or “!” (not), each applied
                                    to a parenthesized list of filters.
                                   wildcard: “*” (any), used inside a value such as “cn=<USER>*”.
                               Please refer to RFC 4515 (LDAP search filter string representation)
                               for details of the filter syntax.
                               The filter string can contain at most three tokens represented by
                               “<USER>”. For example, if the “filter_string” parameter is set to
                               “cn=<USER>”, the AG appliance will generate a search filter by
                               replacing “<USER>” with an administrator’s real username when
                               the administrator requests authentication. A filter that matches
                               more than one entry is ambiguous: in dynamic bind mode only the
                               first DN returned is used (see “admin aaa ldap bind dynamic”).
For example:
vs(config)#admin aaa ldap searchfilter "cn=<USER>"
vs(config)#admin aaa ldap searchfilter "(!(cn=<USER>))"
vs(config)#admin aaa ldap searchfilter "(&(objectClass=Person)(|(sn=<USER>)(cn=<USER>*)))"
no admin aaa ldap searchfilter
This global command is used to delete the search filter configured for the configured LDAP
host(s).
admin aaa ldap attribute group <attribute>
This global command is used to specify an attribute used to obtain the external LDAP group of the
administrator from the LDAP entry.
attribute                       This parameter specifies the name of the attribute to be extracted
                                (from the LDAP entries) as the group information for the
                                administrators. Its value must be a string of 1 to 80 characters.
no admin aaa ldap attribute group
This global command is used to delete the configuration of the attribute used to obtain the external
LDAP group from the LDAP entry.
admin aaa group in dn
This global command is used to enable the function of extracting the administrators’ group
information from their DN (Distinguished Name). The part of the DN to be extracted as the group
information is configured using the “admin aaa group regex” command. By default, this function is
disabled.
no admin aaa group in dn
This global command is used to disable the function of extracting DN (Distinguished Name) as
the administrators’ group information.
admin aaa group regex <expression>
This global command is used to specify a regular expression used to extract the administrators’
group information from the DN.
expression                      This parameter specifies the regular expression that defines the part
                                of the DN to be extracted as the group information. Its value must
                                be a string of 1 to 64 characters.
admin aaa ldap defaultgroup <group_name>
This global command is used to define the default group assigned to authenticated administrators
that do not belong to any other LDAP group when the LDAP AAA method is used.
group_name                      This parameter specifies the default group name for administrators
                                that do not belong to any other LDAP group. Its value must be a
                                string of 1 to 80 characters.
no admin aaa ldap defaultgroup
This global command is used to delete the setting of the default group for authenticated
administrators that do not belong to any other LDAP group when the LDAP AAA method is used.
admin aaa ldap bind dynamic
This global command is used to enable the “dynamic” LDAP Bind mode. In this mode, the AG
appliance fetches the administrator’s Distinguished Name (DN) from the LDAP host instead of
constructing it.
In dynamic LDAP Bind mode, the system first sends a Bind request containing the LDAP host
administrator’s username and password (configured by “admin aaa ldap host”) to the LDAP host,
then sends a Search request containing the search filter string (configured by “admin aaa ldap
searchfilter”) to obtain the LDAP entry of the administrator. The system takes the first DN returned
and sends it together with the administrator’s own password in a second Bind request to the LDAP
host. After the administrator passes this authentication, the system reuses the LDAP entry obtained
by the search to authorize the administrator.
no admin aaa ldap bind dynamic
This global command is used to disable the “dynamic” LDAP Bind mode.
admin aaa ldap bind static <dn_prefix> <dn_suffix>
This global command is used to enable the “static” LDAP Bind mode. In this case, the AG
appliance will construct the administrator’s DN by concatenating the strings
<dn_prefix><USER><dn_suffix>. <USER> is the username used to log into the AG appliance.
In static LDAP Bind mode, the system sends the DN (<dn_prefix><USER><dn_suffix>) together
with the password of the administrator in a Bind request to the LDAP host. After the administrator
passes the authentication, the system sends a Search request containing the configured search filter
string to obtain the LDAP entry of this administrator. Then, it authorizes the administrator based
on the obtained LDAP entry.
dn_prefix                       This parameter specifies the DN prefix. Its value must be a string of
                                1 to 80 characters.
dn_suffix                       This parameter specifies the DN suffix. Its value must be a string of
                                1 to 80 characters.
no admin aaa ldap bind static
This global command is used to disable the “static” LDAP Bind mode.
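The following Python is an added example, not Array Networks code, showing how a client in the Admin AAA role would turn the settings above (a search filter with “<USER>” tokens, the static-bind DN prefix and suffix, and the group regex applied to the DN) into a concrete filter, bind DN and group name. The handbook does not say whether or how the AG appliance escapes the username before substituting it; the RFC 4515 (filter value) and RFC 4514 (DN value) escaping shown here is what any client substituting an untrusted username must do. All usernames, DNs and templates in the code are constructed.

```python
"""Added example, not Array Networks code: how an LDAP client in the Admin
AAA role turns the handbook's "admin aaa ldap searchfilter",
"admin aaa ldap bind static" and "admin aaa group regex" settings into a
search filter, a bind DN and a group name.  Whether and how the AG
appliance itself escapes <USER> is not stated in the handbook; the
escaping here follows RFC 4515 (filter values) and RFC 4514 (DN values)
and is what any client substituting a username into a filter must do."""
import re
from typing import Optional

USER_TOKEN = "<USER>"
MAX_USER_TOKENS = 3        # handbook: at most three <USER> tokens per filter
MAX_FILTER_LEN = 80        # handbook: filter string is 1 to 80 characters


def escape_filter_value(value: str) -> str:
    """RFC 4515: '*', '(', ')', '\\' and NUL inside an assertion value are
    written as \\XX hex escapes, so a username can neither close the
    component it is placed in nor add new ones."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_search_filter(template: str, username: str) -> str:
    """Replace every <USER> token in the configured filter string with the
    escaped username, enforcing the handbook's length and token limits."""
    if not 1 <= len(template) <= MAX_FILTER_LEN:
        raise ValueError("filter string must be 1 to 80 characters")
    if template.count(USER_TOKEN) > MAX_USER_TOKENS:
        raise ValueError("at most three <USER> tokens are allowed")
    return template.replace(USER_TOKEN, escape_filter_value(username))


def escape_dn_value(value: str) -> str:
    """RFC 4514: escape characters that would otherwise start a new RDN or
    attribute value (',', '+', '"', '\\', '<', '>', ';'), a leading '#' or
    space, a trailing space, and NUL."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_static_bind_dn(dn_prefix: str, username: str, dn_suffix: str) -> str:
    """Static bind mode: DN = <dn_prefix><USER><dn_suffix>, with the
    username escaped so it cannot inject extra RDNs."""
    for name, part in (("dn_prefix", dn_prefix), ("dn_suffix", dn_suffix)):
        if not 1 <= len(part) <= 80:
            raise ValueError(name + " must be 1 to 80 characters")
    return dn_prefix + escape_dn_value(username) + dn_suffix


def extract_group_from_dn(dn: str, expression: str) -> Optional[str]:
    """"admin aaa group in dn" + "admin aaa group regex": the group is the
    first capture group of the regex (or the whole match if it has none).
    Returns None when the DN does not match, so the caller can fall back
    to "admin aaa ldap defaultgroup"."""
    if not 1 <= len(expression) <= 64:
        raise ValueError("regex must be 1 to 64 characters")
    m = re.search(expression, dn)
    if m is None:
        return None
    return m.group(1) if m.groups() else m.group(0)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    print(build_search_filter("(&(objectClass=Person)(cn=<USER>))", "alice"))
    # A hostile username cannot widen the filter once it is escaped:
    print(build_search_filter("(&(objectClass=Person)(cn=<USER>))", "*)(objectClass=*"))
    print(build_static_bind_dn("cn=", "alice,ou=admins", ",ou=people,dc=example,dc=com"))
    print(extract_group_from_dn("cn=alice,ou=netops,dc=example,dc=com", r"ou=([^,]+)"))
```

The second call shows why the escaping matters. Substituted raw, the username “*)(objectClass=*” turns the template into “(&(objectClass=Person)(cn=*)(objectClass=*))”, a filter that matches every person entry; in dynamic bind mode the first DN returned would then be bound with the attacker’s password, and in static bind mode the search that follows authentication would authorize from whichever entry happens to come first. Escaped, the value is a literal comparison that matches nothing. The same applies to the static-bind DN: an unescaped comma in the username would let the caller choose a different RDN.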
admin aaa radius host <ip> <port> <secret> <retries> <timeout> [index]
This global command is used to configure a RADIUS host for Admin AAA if a RADIUS method
is used. A maximum of three RADIUS hosts can be configured.
ip                            This parameter specifies the IP address of the RADIUS host. Its
                              value must be an IPv4 address.
port                          This parameter specifies the port of the RADIUS host. Its value
                              must be an integer ranging from 1 to 65,535.
secret                        This parameter specifies the shared secret string that the AG
                              appliance and the RADIUS host use to hide the User-Password
                              attribute in requests and to authenticate the responses (RFC
                              2865). Its value must be a string of 1 to 80 characters.
retries                       This parameter specifies how many times a request is retransmitted
                              to the RADIUS host when no response arrives. Its value must be an
                              integer ranging from 1 to 65,535.
timeout                       This parameter specifies how long, in seconds, to wait for a
                              response from the RADIUS host before retrying. Its value must be an
                              integer ranging from 1 to 65,535.
index                         Optional. This parameter specifies the host index. Its value must be
                              1, 2 or 3. The default value is 1.
no admin aaa radius host <index>
This global command is used to delete a specified RADIUS host.
admin aaa radius attribute group <attribute>
This global command is used to specify the RADIUS attribute from which the external RADIUS
group of the administrator is read in the response returned by the RADIUS host. Which attribute
carries the group depends on how the RADIUS server is configured.
attribute                     This parameter specifies the number of the RADIUS attribute used
                              to obtain the external RADIUS group of the administrator. For
                              example, use 25 for the “Class” attribute. The attribute numbers
                              are defined in RFC 2865 and are listed below.
 1  User-Name
 2  User-Password
 3  CHAP-Password
 4  NAS-IP-Address
 5  NAS-Port
 6  Service-Type
 7  Framed-Protocol
 8  Framed-IP-Address
 9  Framed-IP-Netmask
10  Framed-Routing
11  Filter-Id
12  Framed-MTU
13  Framed-Compression
14  Login-IP-Host
15  Login-Service
16  Login-TCP-Port
17  (unassigned)
18  Reply-Message
19  Callback-Number
20  Callback-Id
21  (unassigned)
22  Framed-Route
23  Framed-IPX-Network
24  State
25  Class
26  Vendor-Specific
27  Session-Timeout
28  Idle-Timeout
29  Termination-Action
30  Called-Station-Id
31  Calling-Station-Id
32  NAS-Identifier
33  Proxy-State
34  Login-LAT-Service
35  Login-LAT-Node
36  Login-LAT-Group
37  Framed-AppleTalk-Link
38  Framed-AppleTalk-Network
39  Framed-AppleTalk-Zone
40-59  (reserved for accounting)
60  CHAP-Challenge
61  NAS-Port-Type
62  Port-Limit
63  Login-LAT-Port
no admin aaa radius attribute group
This global command is used to delete the configuration of the attribute used to obtain the external
RADIUS group of the user from the RADIUS entry.
admin aaa radius defaultgroup <group_name>
This global command is used to define the default group assigned to authenticated administrators
that do not belong to any other RADIUS group when the RADIUS AAA method is used.
group_name                      This parameter specifies the default group name for administrators
                                that do not belong to any other RADIUS group. Its value must be a
                                string of 1 to 80 characters.
no admin aaa radius defaultgroup
This global command is used to delete the setting of the default group for authenticated
administrators that do not belong to any other RADIUS group when the RADIUS AAA method is
used.
admin aaa radius nasip <nasip>
This global command is used to set the value of the “NAS-IP-Address” attribute (the IP address of
the Network Access Server, which in this case is the AG appliance itself) sent in the RADIUS
requests. If this command is not configured, the IP address of the first active interface will be used.
nasip                           This parameter specifies the IP address that identifies the AG
                                appliance to the RADIUS server as the NAS. Its value must be an
                                IPv4 address.
no admin aaa radius nasip
This command is used to delete the setting of the “NAS-IP-Address” attribute.
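An added Python example, not Array Networks code: the Access-Request the appliance sends and the Access-Accept the RADIUS host returns, built and checked as RFC 2865 specifies. It shows what the “secret”, “nasip” and “attribute group” settings above actually control: the shared secret hides User-Password and authenticates the reply, the NAS-IP-Address attribute carries the configured nasip, and the group is read from the numbered attribute (25, Class, as the handbook’s example). The secret, addresses, username and group name are constructed sample values.

```python
"""Added example, not Array Networks code: the two RADIUS messages behind
"admin aaa radius host", "admin aaa radius nasip" and "admin aaa radius
attribute group", built and checked as RFC 2865 specifies.  The shared secret
does what the handbook says: it hides the User-Password attribute in the
Access-Request and authenticates the reply.  Attribute numbers and packet layout
are from RFC 2865; all secrets, addresses and names fed in are constructed."""
import hashlib
import hmac
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_CLASS = 25   # the attribute number the handbook uses as its example

def _password_xor(data: bytes, secret: bytes, request_authenticator: bytes, decode: bool) -> bytes:
    # RFC 2865 5.2: XOR each 16-octet block with MD5(secret + previous block),
    # the first "previous block" being the Request Authenticator.  Chaining
    # always uses the hidden (ciphertext) block, so the decoder feeds its input.
    out, prev = b"", request_authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ k for a, k in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if decode else block
    return out

def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    # Obfuscation keyed by the shared secret, not modern encryption: anyone who
    # learns the secret recovers every password sent with it.
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _password_xor(padded, secret, request_authenticator, decode=False)

def unhide_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    # Server side of the above; strips the NUL padding.
    return _password_xor(hidden, secret, request_authenticator, decode=True).rstrip(b"\x00")

def encode_attrs(attrs: list) -> bytes:
    # Type-Length-Value; Length counts the two header octets, so 253 is the maximum value size.
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def parse_attrs(packet: bytes) -> list:
    # Walk the attributes after the 20-octet header, rejecting bad lengths.
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return attrs

def build_access_request(identifier: int, request_authenticator: bytes, username: str,
                         password: str, nas_ip: str, secret: bytes) -> bytes:
    # What the appliance sends: User-Name, the hidden User-Password and the
    # NAS-IP-Address configured with "admin aaa radius nasip".
    body = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_user_password(password.encode(), secret, request_authenticator)),
        (ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + request_authenticator + body

def build_access_accept(identifier: int, request_authenticator: bytes, attrs: list,
                        secret: bytes) -> bytes:
    # What the server returns.  Response Authenticator =
    # MD5(Code + ID + Length + Request Authenticator + Attributes + Secret).
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body

def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    # Recompute the Response Authenticator before trusting any attribute; a reply
    # that fails this check has the wrong secret or is forged and must not assign a group.
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def group_from_response(packet: bytes, request_authenticator: bytes, secret: bytes,
                        group_attribute: int = ATTR_CLASS, default_group=None):
    # "admin aaa radius attribute group" names the attribute the group is read
    # from; "admin aaa radius defaultgroup" is the fallback when it is absent.
    if not verify_response(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    if packet[0] != ACCESS_ACCEPT:
        return None
    for attr_type, value in parse_attrs(packet):
        if attr_type == group_attribute:
            return value.decode("utf-8", "replace")
    return default_group
```

The check in verify_response is the one that matters operationally: an Access-Accept whose Response Authenticator does not verify must be dropped, not parsed, otherwise a spoofed UDP reply could hand an administrator a group that maps to the “config” access level. It is also why the shared secret must be long and unique per host: it is the only thing protecting both the password in transit and the integrity of the reply.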
admin group <group_name> <access_level> [scope]
This global command is used to set the access privilege for a specified external administrator
group.
group_name                      This parameter specifies the name of an external administrator
                                group.
access_level                    This parameter specifies the access privilege assigned to the
                                external administrator group. Its value must be:
                                    enable: indicates that administrators are only allowed to run
                                     the commands of Enable mode, and cannot access the Config
                                     mode.
                                    config: indicates that administrators are allowed to run all
                                     commands on the AG appliance to make changes to any part
                                     of the appliance configuration.
scope                           Optional. This parameter specifies the access scope of the external
                                administrator group. Its value must be:
                                    “virtual site name”: indicates that the site administrator can run
                                     commands only under a specified virtual site.
                                    global: indicates that the global administrator can run
                                     commands under the global scope and all virtual sites.
                                The default value is “global”.
no admin group <group_name>
This global command is used to delete the setting of the access privilege for a specified external
administrator group.
show admin group
This global command is used to display settings of access privileges for all external administrator
groups.
clear admin group
This global command is used to clear settings of access privileges for all external administrator
groups.
show admin aaa config
This global command is used to display all configurations related to the Admin AAA function.
clear admin aaa config
This global command is used to clear all configurations related to the Admin AAA function.
System Access
Console Access
system console reset
This global command is used to reset the system console.
pager <lines>
This global command is used to enable the pagination function for the command output and set the
number of lines in the command output that can be displayed in one page. If one page cannot
display the entire command output, you can press Enter to display one more line each time or
press Space to display one more page each time.
lines                          This parameter specifies the number of lines to be displayed in one
                               page. Its value must be an integer ranging from 0 to 255. If it is set
                               to 0, the lines that the current window can contain will be
                               displayed.
no pager
This global command is used to disable the display paging function. After this command is
executed, all outputs will be displayed without stopping.
show pager
This global command is used to display the setting for the display paging function.
WebUI Access
webui {on|off}
This global command is used to enable or disable the Web User Interface (WebUI).
webui restart
This global command is used to restart the WebUI.
webui ip <ip_address>
This global command is used to set the WebUI IP address. After this command is executed,
administrators can access the system via WebUI only through the specified IP address. Only one
IPv4 address and one IPv6 address can be set as the WebUI IP address.
ip_address                     This parameter specifies the IP address for WebUI access. It must
                               be an IPv4 or IPv6 address. The value of the WebUI IP address
                               must be an interface IP or a virtual site IP. Otherwise, the WebUI
                               may fail to work.
no webui ip <ip_address>
This global command is used to delete a specified WebUI IP address.
clear webui ip
This global command is used to clear the WebUI IP address setting. After executing this command,
users can access the WebUI through any interface IP or configured virtual site IP.
webui port <port>
This global command is used to set the port number for accessing the WebUI. If this command is
not configured, the default port number is 8888.
port                           This parameter specifies the port number for accessing the WebUI.
                               Its value must be an integer ranging from 1025 to 65,000.
clear webui port
This global command is used to reset the port number of WebUI to the default value.
webui language <login_language>
This global command is used to set the login language of WebUI. If this command is not
configured, the default login language of WebUI is English.
login_language                 This parameter specifies the login language of WebUI. Its value
                               must be “en” (English), “cn” (Simplified Chinese) or “jp”
                               (Japanese).
clear webui language
This global command is used to set the login language of WebUI to the default value.
webui idletimeout <timeout>
This global command is used to set the idle timeout value for WebUI. If this command is not
configured, the default idle timeout value is 15 minutes.
timeout                        This parameter specifies the idle timeout value for WebUI. Its value
                               must be an integer ranging from 1 to 65,535, in minutes.
clear webui idletimeout
This global command is used to reset the WebUI idle timeout value to the default value.
show webui settings
This global command is used to display the WebUI status.
WebUI SSL Settings
webui ssl import pem [url]
This command is used to import a PEM-format certificate for the WebUI, either by pasting it into
the CLI or by fetching it from a remote FTP, TFTP or HTTP server. The PEM-format file contains
the WebUI’s certificate and the associated private key.
When the “url” parameter is not specified, you can import the certificate by copying and pasting the
contents of the PEM-format file into the CLI. Enter “…” on a line by itself after the certificate to
mark the end of the import.
Because FTP, TFTP and HTTP provide no transport encryption, a PEM file fetched with the “url”
parameter, private key included, is exposed to anyone on the path. Paste it over the SSH session
instead unless the transfer network is trusted.
url                              Optional. This parameter specifies the FTP, TFTP or HTTP URL
                                 from which the PEM-format certificate is imported. Its value must
                                 be a string of 1 to 950 characters.
webui ssl import interca [url]
This command is used to import an intermediate certificate for the WebUI in the copy-n-paste way
or from a remote FTP, TFTP or HTTP server.
When the “url” parameter is not specified, you can import the certificate by copying and pasting
the contents of the intermediate certificate into the CLI. Enter “…” on a line by itself after the
certificate to mark the end of the import.
url                              Optional. This parameter specifies the FTP, TFTP or HTTP URL
                                 from which the intermediate certificate is imported. Its value must
                                 be a string of 1 to 950 characters.
show webui ssl certificate
This command is used to display the certificate imported for the WebUI.
show webui ssl interca
This command is used to display the intermediate certificate imported for the WebUI.
clear webui ssl cert
This command is used to delete the certificate imported for the WebUI.
clear webui ssl interca
This command is used to delete the intermediate certificate imported for the WebUI.
SSH Access
ssh {on|off}
This global command is used to enable or disable the SSH access function on the AG appliance.
By default, SSH access is enabled.
ssh ip <ip_address>
This global command is used to set the SSH IP address. After this command is executed,
administrators can access the system via SSH only through the specified IP address. If this
command is not configured, administrators can access the AG appliance via SSH at any available
IP address (including virtual site IP addresses) on the AG appliance.
ip_address                     This parameter specifies the IP address for SSH access. Its value
                               must be one of:
                                   an IPv4 or IPv6 address that is an interface IP or a virtual
                                    site IP of the AG appliance;
                                   “0.0.0.0”: indicates all the IPv4 addresses configured on the
                                    system;
                                   “::”: indicates all the IPv6 addresses configured on the system.
no ssh ip <ip_address>
This global command is used to delete a specified SSH IP address.
ssh idletimeout <minutes> [inputonly|inputoutput]
This global command is used to set the idle timeout value for SSH access. If this command is not
configured, the default idle timeout value is 9,999,999, indicating no SSH idle timeout.
minutes                        This parameter specifies the idle timeout value for SSH access. Its
                               value must be an integer ranging from 1 to 9,999,999, in minutes.
inputonly|inputoutput          Optional. This parameter indicates when the SSH session will be
                               considered as not idle.
                                    inputonly: indicates that the SSH session will be considered as
                                     not idle only when there is user input.
                                    inputoutput: indicates that the SSH session will be considered
                                     as not idle when there is user input or TTY output.
                               The default value is “inputonly”.
no ssh idletimeout
This global command is used to reset the idle timeout value for SSH access to the default setting,
9,999,999.
ssh auth passwd {on|off} <username>
This global command is used to enable or disable SSH password authentication for a specified
administrator. By default, this function is enabled for every administrator.
username                       This parameter specifies the existing administrator’s username
                               configured via the “admin user” command or the default
                               administrator’s username “array”.
ssh auth key {on|off} <username>
This global command is used to enable or disable SSH public key authentication for a specified
administrator. By default, this function is disabled for every administrator.
username                       This parameter specifies the existing administrator’s username
                               configured via the “admin user” command or the default
                               administrator’s username “array”.
ssh regenerate keys
This global command is used to regenerate the host keys of the SSH server on the AG appliance.
After this command is executed, the SSH server presents the newly generated keys as its host key.
SSH clients that have the old host key recorded (for example in their known_hosts file) will report
a host key change and must replace the old key with the new public key before they can connect
again; verify the new fingerprint out of band rather than accepting it blindly.
ssh import key <username> [url]
This global command is used to import an SSH public key for a specified administrator.
username                       This parameter specifies the existing administrator’s username
                               configured via the “admin user” command or the default
                               administrator’s username “array”.
url                            Optional. This parameter specifies the HTTP, FTP or TFTP URL
                               from which the SSH public key is imported. Its value must be a
                               string of 1 to 256 characters. The default value is empty.
no ssh key <username>
This global command is used to delete the SSH public key imported for a specified administrator.
show ssh key [username]
This global command is used to display the SSH public key imported for a specified administrator.
If the “username” parameter is not specified, SSH public keys imported for all administrators will
be displayed.
clear ssh key
This global command is used to clear SSH public keys imported for all administrators.
show ssh conf
This global command is used to display the SSH access status, the settings of the SSH IP address,
idle timeout, SSH public key authentication status and SSH password authentication status.
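An added Python example, not Array Networks code, for the two checks a practitioner wants around “ssh import key” and “ssh regenerate keys”: validating an OpenSSH public key line before importing it for an administrator (the declared key type must match the type encoded in the blob, and Ed25519 key material must be exactly 32 bytes), and computing the SHA256 fingerprint in the format “ssh-keygen -lf” prints, so that a regenerated host key can be compared out of band before a client accepts it. The key line is constructed (an all-zero Ed25519 value), not a real key, and the handbook does not say what validation the appliance itself performs on import.

```python
"""Added example, not Array Networks code: a check to run on an OpenSSH public
key line before handing it to "ssh import key", plus the fingerprint a client
should expect after "ssh regenerate keys".  The blob layout (length-prefixed
type string, then the key material) is the OpenSSH wire format; the sample
key below is constructed (an all-zero Ed25519 value), not a real key."""
import base64
import hashlib
import struct
from typing import Tuple

ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ssh-rsa"}


def _read_string(blob: bytes, pos: int) -> Tuple[bytes, int]:
    """Read one uint32-length-prefixed string from the key blob."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack("!I", blob[pos:pos + 4])
    if pos + 4 + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:pos + 4 + length], pos + 4 + length


def parse_public_key_line(line: str) -> Tuple[str, bytes, str]:
    """Return (key type, raw blob, comment) for an authorized_keys style line,
    rejecting lines whose declared type and encoded type disagree."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError("unsupported key type " + key_type)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        raise ValueError("key is not valid base64") from exc
    inner_type, pos = _read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError("declared type %s does not match encoded type %r" % (key_type, inner_type))
    if key_type == "ssh-ed25519":
        point, pos = _read_string(blob, pos)
        if len(point) != 32 or pos != len(blob):
            raise ValueError("malformed Ed25519 key")
    return key_type, blob, comment


def fingerprint_sha256(blob: bytes) -> str:
    """Same format as 'ssh-keygen -lf': SHA256: followed by unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def make_sample_ed25519_line(comment: str = "admin@example") -> str:
    """Constructed sample: a syntactically valid line with an all-zero key."""
    blob = struct.pack("!I", 11) + b"ssh-ed25519" + struct.pack("!I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    key_type, blob, comment = parse_public_key_line(make_sample_ed25519_line())
    print(key_type, comment, fingerprint_sha256(blob))
```

The same fingerprint_sha256 applied to a host key blob gives the value to compare after “ssh regenerate keys”: obtain the new fingerprint from the console session, check it against what the client reports on its next connection, and only then remove the stale entry on the client (for OpenSSH, “ssh-keygen -R <host>”) and accept the new key.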
RESTful API Access
restapi on [port]
This command is used to enable RESTful API-based Web service. By default, this function is
disabled. RESTful API-based Web service uses the HTTPS protocol.
port                           Optional. This parameter specifies the port number at which the
                               RESTful API-based Web service listens. Its value must be an
                               integer ranging from 1025 to 65,000, but cannot be the same port
                               used by other services.
                               The default value is 9997.
restapi off
This command is used to disable RESTful API-based Web service.
show restapi
This command is used to display the configuration of RESTful API Web service.
XML-RPC Access
xmlrpc on [https|http]
This command is used to enable the XML-RPC function, which works by sending an HTTP-based
request (including the XML-RPC message) to the AG appliance. By default, the XML-RPC
function is disabled.
https|http                     Optional. This parameter specifies the protocol used to transmit the
                               XML-RPC messages. The default value is “https”. With “http”, the
                               XML-RPC messages, including the XML-RPC authentication
                               username and password, are sent in cleartext.
xmlrpc off
This command is used to disable the XML-RPC function.
xmlrpc ip <ip_address>
This global command is used to set the XML-RPC IP address. After this command is executed,
administrators can access the system via XML-RPC only through the specified IP address. If this
command is not configured, 0.0.0.0 will be used as the default value and administrators can access
the AG appliance via XML-RPC at any available IPv4 address (including virtual site IP addresses)
on the AG appliance.
ip_address                    This parameter specifies the IP address for XML-RPC access. Its
                              value must be an IPv4 address configured in the system or 0.0.0.0,
                              indicating all the IPv4 addresses configured in the system.
no xmlrpc ip <ip_address>
This global command is used to delete a specified IP address configured for XML-RPC access.
xmlrpc port <port>
This command is used to configure the port number for XML-RPC access. If this command is not
configured, the default port number is 9999.
port                             This parameter specifies the port number for XML-RPC access.
                                 Its value must be an integer ranging from 1025 to 65,000.
xmlrpc authentication {on|off}
This global command is used to enable or disable the XML-RPC authentication function.
xmlrpc authentication user <username> <password>
This global command is used to configure the username and password for XML-RPC
authentication.
username                      This parameter specifies the username for XML-RPC
                              Authentication. Its value must be a string of 1 to 8 characters.
password                      This parameter specifies the password for XML-RPC
                              Authentication. Its value must be a string of 1 to 13 characters.
show xmlrpc
This global command is used to display configurations of the XML-RPC function and the
XML-RPC Authentication function, including the XML-RPC IP address, the designated
XML-RPC port, and the configured XML-RPC Authentication username and password.
clear xmlrpc
This command is used to reset the settings of the XML-RPC function, the XML-RPC
authentication function to default values.
System Management
System Information
show version
This global command is used to display the basic information of the AG appliance, such as host
name, Array Networks software version, system CPU, available memory and total memory, latest
booting time, licensed features, and system up time.
Example:
AN(config)#show version
ArrayOS Rel.AG.9.4.0.94 build on Fri Jun 24 23:39:57 2017
         Host name    :   AN
       System CPU     :   Intel(R) Pentium(R) CPU          G6950       @ 2.80GHz
   System Module      :   X8SIE-LN4
      System RAM      :   3829948 kbytes.
  System boot time    :   Fri Aug 12 09:57:08 GMT (+0000) 2017
       Current time   :   Fri Aug 12 11:22:09 GMT (+0000) 2017
    System up time    :   1 day, 19:25
 Platform Bld Date    :   Fri Jun 24 23:39:57 CST 2017
           SSL HW     :   HW ( 1X4D ) Initialized
 Compression HW       :   No HW Available
      Power supply    :   1U, AC
 Network Interface    :   4 x Gigabit Ethernet copper
             Model    :   Array AG1100, RAM Limit: 4096 MB
     Serial Number    :   0437A33459211000002262016314154
Maximum Sessions      :   500
Maximum VPortals      :   256
 Licensed Features    :   WebWall Clustering SSL SwCompression VPNClient
                          HostCheck CacheCleaner WebApps SSF MobileClient
                          DesktopDirect AdvancedClient AdvancedDLP SSF_SM SMS
                          SWMaintenance MobileDirect
       License Key    :   kKwDxIWU-cLA0IQ0w-nU8nnX+V-P9g=#131-4d67d9a8-25cf122a
                          -6d67eaa3-feef0122-4d#7ebaa-fdaf1#dc-ba98765
       License Date   :   Expires on Sep 28 2018
Array Networks Customer Support
         Telephone : 1-877-992-7729 (1-877-99-ARRAY)
             Email : support@arraynetworks.net
            Update : please contact support for instructions
           Website : http://www.arraynetworks.net
Other Root Version
Rel.AG.9.4.0.30 build on Wed Mar 30 0:45:32 2017
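As an added example (not from the handbook or from Array Networks), the following Python parses the “show version” output above into a dictionary and turns the license line into something a monitoring job can act on: days until the “Expires on” date, features missing from the key, and the release held on the other root partition (the target of “system fallback”). The sample text is copied from the example above with the license key lines left out; the parser assumes the labels appear exactly as printed there, with continuation lines indented and section banners such as “Other Root Version” at column 0. The 60-day warning threshold and the function names are assumptions.

```python
import re
from datetime import date, datetime

# Copied from the "show version" example above (license key lines left out)
# so the parser can run offline against the real layout.
SHOW_VERSION_SAMPLE = """\
ArrayOS Rel.AG.9.4.0.94 build on Fri Jun 24 23:39:57 2017
         Host name    :   AN
       System CPU     :   Intel(R) Pentium(R) CPU          G6950       @ 2.80GHz
   System Module      :   X8SIE-LN4
      System RAM      :   3829948 kbytes.
  System boot time    :   Fri Aug 12 09:57:08 GMT (+0000) 2017
       Current time   :   Fri Aug 12 11:22:09 GMT (+0000) 2017
    System up time    :   1 day, 19:25
 Platform Bld Date    :   Fri Jun 24 23:39:57 CST 2017
           SSL HW     :   HW ( 1X4D ) Initialized
 Compression HW       :   No HW Available
      Power supply    :   1U, AC
 Network Interface    :   4 x Gigabit Ethernet copper
             Model    :   Array AG1100, RAM Limit: 4096 MB
     Serial Number    :   0437A33459211000002262016314154
Maximum Sessions      :   500
Maximum VPortals      :   256
 Licensed Features    :   WebWall Clustering SSL SwCompression VPNClient
                          HostCheck CacheCleaner WebApps SSF MobileClient
                          DesktopDirect AdvancedClient AdvancedDLP SSF_SM SMS
                          SWMaintenance MobileDirect
       License Date   :   Expires on Sep 28 2018
Array Networks Customer Support
         Telephone : 1-877-992-7729 (1-877-99-ARRAY)
Other Root Version
Rel.AG.9.4.0.30 build on Wed Mar 30 0:45:32 2017
"""

# "ArrayOS Rel.AG.9.4.0.94 build on <date>" and the bare release line that
# follows the "Other Root Version" banner.
BANNER_RE = re.compile(r"^(?:ArrayOS\s+)?(Rel\.\S+)\s+build on\s+(.+)$")
# "<label>   :   <value>"; labels are words only, so the colons inside
# times and "RAM Limit: 4096 MB" stay in the value.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s+(.*)$")


def parse_show_version(text):
    """Parse `show version` output into a dict keyed by the printed labels.

    Indented lines without a label are joined to the preceding field. The
    first line becomes "release" / "build_date"; the release line printed
    after "Other Root Version" becomes "other_root_release".
    """
    fields = {}
    last = None                 # field that continuation lines belong to
    expect_other_root = False   # next banner is the other root partition
    for line in text.splitlines():
        if not line.strip():
            continue
        m = BANNER_RE.match(line)
        if m:
            key = "other_root_release" if expect_other_root else "release"
            fields[key] = m.group(1)
            if key == "release":
                fields["build_date"] = m.group(2).strip()
            expect_other_root = False
            last = None
            continue
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif line[0].isspace() and last is not None:
            fields[last] += " " + line.strip()      # continuation line
        else:
            # Column-0 text without a ':' is a section banner, not a value.
            last = None
            expect_other_root = line.strip() == "Other Root Version"
    return fields


def licensed_features(fields):
    return fields.get("Licensed Features", "").split()


def license_expiry(fields):
    """Date printed after "Expires on", or None when absent."""
    m = re.search(r"Expires on\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})",
                  fields.get("License Date", ""))
    if not m:
        return None
    return datetime.strptime(" ".join(m.groups()), "%b %d %Y").date()


def license_findings(fields, today, warn_days=60, required=()):
    """Findings worth alerting on: expired or soon-expiring license, and
    features in `required` that the key does not cover. `today` may be a
    date or an ISO "YYYY-MM-DD" string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    exp = license_expiry(fields)
    if exp is None:
        findings.append("license expiry date not found in output")
    elif exp < today:
        findings.append(f"license expired on {exp.isoformat()}")
    elif (exp - today).days <= warn_days:
        findings.append(f"license expires in {(exp - today).days} days ({exp.isoformat()})")
    missing = sorted(set(required) - set(licensed_features(fields)))
    if missing:
        findings.append("required features not licensed: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    info = parse_show_version(SHOW_VERSION_SAMPLE)
    print(info["release"], "other root:", info.get("other_root_release"))
    for f in license_findings(info, date.today(), required=("SSL", "WebWall")):
        print("FINDING:", f)
```

Run it against output captured over SSH (or pasted from the console); a release on the other root partition that differs from the running one tells you what “system fallback” would boot into.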
show version
This command is used to display the basic information of the AG appliance, such as host name,
Array Networks software version, system CPU, available memory and total memory, last boot
time, licensed features, and system up time.
System Resource Status
show memory
This global command is used to display the memory critical information relating to the AG
appliance.
Example:
The following lines describe system connection resource usage:
ITEM                           SIZE      LIMIT       USED      FREE            REQUESTS
TCP small pcb:                 64,       20000,       426,     19574,          4490795
TCP pcb:                        288,     20000,        1,      19999,           5219107
Each TCP connection owns a “pcb” (protocol control block) data structure, of which there are two
kinds: a “small pcb” (64 bytes) holds a TCP connection in the “TIME_WAIT” state, and a full “pcb”
(288 bytes) holds every other TCP connection. “SIZE” is the size of one item in bytes. “LIMIT” is
the total number of items that can be allocated, “USED” the number currently in use, and “FREE”
the number still available (USED plus FREE equals LIMIT). “REQUESTS” is a cumulative count of
allocations and only ever increases, so the difference between two readings is the number of
connections set up in between.
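As an added example (not from the handbook), this Python turns the pcb table into numbers and applies the checks the description implies: USED + FREE must equal LIMIT, a pool approaching its LIMIT is a resource-exhaustion warning, and the difference between two REQUESTS readings is the number of connections set up in between. The first sample is the table above; the second snapshot, the 80% warning threshold and the function names are constructed for illustration.

```python
import re

# The two rows from the `show memory` output described above.
SHOW_MEMORY_PCB_SAMPLE = """\
ITEM                           SIZE      LIMIT       USED      FREE            REQUESTS
TCP small pcb:                 64,       20000,       426,     19574,          4490795
TCP pcb:                        288,     20000,        1,      19999,           5219107
"""

# A constructed later snapshot of the same appliance (not from the page),
# used to show what the ever-increasing REQUESTS counter is good for.
SHOW_MEMORY_PCB_LATER = """\
ITEM                           SIZE      LIMIT       USED      FREE            REQUESTS
TCP small pcb:                 64,       20000,      9000,     11000,          4495795
TCP pcb:                        288,     20000,        3,      19997,           5219119
"""

# "<item>:  <size>,  <limit>,  <used>,  <free>,  <requests>"
ROW_RE = re.compile(
    r"^(?P<item>[A-Za-z][^:]*):\s+(?P<size>\d+),\s+(?P<limit>\d+),\s+"
    r"(?P<used>\d+),\s+(?P<free>\d+),\s+(?P<requests>\d+)\s*$"
)


def parse_pcb_table(text):
    """Map each ITEM to its integer SIZE/LIMIT/USED/FREE/REQUESTS columns;
    the header line has no ':' and is skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            item = m.group("item").strip()
            rows[item] = {k: int(v) for k, v in m.groupdict().items() if k != "item"}
    return rows


def pcb_findings(rows, warn_pct=80):
    """Flag pools whose USED/LIMIT ratio reaches warn_pct, and rows where
    USED + FREE does not add up to LIMIT (a sign the output was misread)."""
    findings = []
    for item, r in rows.items():
        if r["used"] + r["free"] != r["limit"]:
            findings.append(f"{item}: USED + FREE != LIMIT, check the parse")
        pct = 100.0 * r["used"] / r["limit"]
        if pct >= warn_pct:
            findings.append(f"{item}: {pct:.1f}% of {r['limit']} in use")
    return findings


def new_connections(earlier, later):
    """Connections set up between two snapshots: REQUESTS only ever grows,
    so the per-pool difference is the number of allocations in between."""
    return {item: later[item]["requests"] - earlier[item]["requests"]
            for item in earlier if item in later}


if __name__ == "__main__":
    first = parse_pcb_table(SHOW_MEMORY_PCB_SAMPLE)
    second = parse_pcb_table(SHOW_MEMORY_PCB_LATER)
    print("findings:", pcb_findings(second, warn_pct=40))
    print("new connections between snapshots:", new_connections(first, second))
```

A steadily rising USED count for “TCP small pcb” with a large REQUESTS delta and little legitimate traffic is the pattern you would expect from a connection flood or from a client that never finishes its handshakes; the pool, not RAM, is what runs out first.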
System License
system license <key> [validate|novalidate]
This global command is used to enter a license key for the AG appliance. Without a valid license
key, the AG appliance will not automatically reload configurations or run properly.
key                            This parameter specifies the license key value.
validate|novalidate            Optional. This parameter specifies whether to validate the entered
                               license key. If the parameter value is specified as “validate”, the
                               system will first validate the entered key. If the key is validated, the
                               system will import and save the license key. If specified as
                               “novalidate”, the system will import and save the license key
                               without any validation. The default value is “validate”.
System Reboot and Shutdown
system reboot [mode]
This global command is used to reboot the system. The last saved system configurations (using the
“write memory” command) will be loaded during the reboot process.
mode                          Optional. This parameter specifies whether to interact with the AG
                              appliance. Its value must be:
                                  default: indicates that the default prompt will be displayed.
                                   The default prompt is:
                                   Unsaved configuration changes will be lost.
                                   This will reboot the system immediately.
                                   Type “YES” to continue:
                                  noninteractive: indicates that the default prompt will not be
                                   displayed, and the system will reboot immediately.
                              The default value is default.
system shutdown [halt|poweroff] [mode]
This global command is used to shut down the system.
halt|poweroff                     Optional. This parameter specifies the mode used for system
                                  shutdown. Its value must be:
                                      halt: indicates that the system halts but the power is not
                                       turned off. The system will automatically reboot when the
                                       power comes back after power off. This parameter value
                                       is very convenient when the AG appliance is remote to the
                                       administrator.
                                      poweroff: indicates that the system halts and the power is
                                       turned off.
                                  The default value is poweroff.
mode                              Optional. This parameter specifies whether to interact with the
                                  AG appliance. Its value must be:
                                      default: indicates that the default prompt will be
                                       displayed. The default prompt is:
                                       Unsaved configuration changes will be lost.
                                       This will reboot the system immediately.
                                       Type “YES” to continue:
                                      noninteractive: indicates that the default prompt will not
                                       be displayed, and the system will reboot immediately.
                                    The default value is default.
System Update and Fallback
system update <url>
This global command is used to update the software version running on the system. When this
command is executed, the system downloads the new software package from the specified HTTPS,
HTTP or FTP URL, installs it, and reboots immediately after the installation; the new software
version takes effect after the reboot. Only HTTPS protects the package in transit; with HTTP or
FTP the download is neither authenticated nor encrypted, so fetch the package over HTTPS or
import it first with the “system package” command and its MD5 value before installing it.
url                            This parameter specifies the HTTPS, HTTP or FTP URL used to
                               import the new software package. Its value must be a string of 1 to
                               256 characters.
Example:
AN(config)#system update http://192.168.10.10/Rel_AG_9_4_0_94.array
This will upgrade your system from http://192.168.10.10/Rel_AG_9_4_0_94.array
Power outages or other systems failures may corrupt the system.
It is highly recommended that you save your configuration on an
external system prior to upgrading or downgrading.
Any configuration changes that have not been "saved" will be lost.
After a successful patch the system will be rebooted.
Array Networks, Inc.
Type "YES" to confirm upgrade: YES
        Note: If this command is executed via an SSH connection and the SSH connection is
        terminated during the update, the system will not be able to complete the update process.
        Do not disconnect the connections to the AG appliance during the system update process.
system package <url> [md5_value]
This command is used to import a system software package into the system.
url                            This parameter specifies the HTTPS, HTTP or FTP URL used to
                               import the new software package. Its value must be a string of 1 to
                               256 characters.
md5_value                      Optional. This parameter specifies the MD5 value of the new
                               software package. The MD5 value is used to validate the integrity
                               of the imported software package, that is, to detect a package
                               that was corrupted or altered in transit. The check is only as
                               trustworthy as the source of the expected value, so take the MD5
                               value from the vendor’s release information rather than from the
                               same server that hosts the package.
                               The default value is empty, indicating no MD5 integrity validation.
        Note: After the system software package is imported into the system, you can update the
        system using this package by executing the “system update” command with the “URL”
        parameter set to “/var/package/package_name”.
no system package <package_name>
This command is used to delete an imported system software package.
package_name                  This parameter specifies the name of the imported software
                              package to be deleted. You can view the names of imported
                              software packages by executing the “show system package”
                              command.
show system package [package_name]
This command is used to display imported system software packages.
package_name                  Optional. This parameter specifies the name of the imported
                              software package to be displayed.
                              The default value is empty, indicating that all imported system
                              software packages will be displayed.
system fallback
This global command is used to enable the system fallback function. After this command is
executed, the system will boot from the other root partition on next reboot.
no system fallback
This global command is used to disable the system fallback function. The system will boot from
the current root partition on next reboot.
system component update <url>
This global command is used to update components on the AG appliance
url                           This parameter specifies the HTTPS, HTTP or FTP URL used to
                              import the component updating package. Its value must be a string
                              of 1 to 256 characters.
system component revert
This global command is used to revert the component to the previous version.
System Dump
system dump <on|off>
This global command is used to enable or disable the system dump function during a system panic.
When this feature is enabled, the system state at the time of the panic is written to the file
system for later analysis.
on|off                         This parameter specifies whether to enable the system dump
                               function. Its value must be “on” or “off”.
show system dump
This global command is used to display the status of system dump function.
Configuration Management
Viewing Running Configuration and Startup Configuration
show running [display_mode] [expression]
This global command is used to display the current running system configurations for a specified
virtual site or the global scope.
display_mode                   Optional. This parameter specifies which running system
                               configurations will be displayed. Its value must be:
                                   “all”: indicates that running system configurations of both the
                                    global and all virtual sites will be displayed.
                                   “global”: indicates that running system configurations of the
                                    global will be displayed.
                                   virtual site name: indicates that running system configurations
                                    of a specified virtual site will be displayed.
                                   expression: indicates the running system configuration that
                                    matches the expression will be displayed.
                               The default value is empty, indicating that running system
                               configurations of both the global and all virtual sites will be
                               displayed.
expression                     Optional. This parameter specifies a regular expression string that is
                               used to match the running configuration. Its value must be a string
                               of 1 to 1024 characters. For example, if the parameter value is set to
                               “aaa”, only the AAA configurations will be displayed. The default
                               value is empty, indicating the entire running configuration will be
                               displayed.
                               Please note that this parameter can take effect only when the
                               “display_mode” parameter is set to “all”, “global” or the virtual site
                               name.
show running [expression]
This command is used to display the current running system configurations.
expression                     Optional. This parameter specifies a regular expression string that is
                               used to match the running configuration. Its value must be a string
                               of 1 to 1024 characters. For example, if the parameter value is set to
                               “aaa”, only the AAA configurations will be displayed. The default
                               value is empty, indicating the entire running configuration will be
                               displayed.
show startup [expression]
Under the global scope, this command is used to display both the global and site configurations
saved in the startup configuration file by executing the “write memory” command.
Under the virtual site scope, this command is used to display the configurations saved in the
startup configuration file by executing the “write memory” command for a specified virtual site.
expression                     Optional. This parameter specifies a regular expression string that is
                               used to match the configurations saved in the startup configuration
                               file. Its value must be a string of 1 to 256 characters. For example,
                               if the parameter value is set to “aaa”, the AAA configurations of a
                               specified virtual site saved in the startup configuration file will be
                               displayed. The default value is empty, indicating the entire startup
                               configuration will be displayed.
Configuration Backup
        Note: The backup files are in the UTF-8 encoding format on the appliance’s disk, the
        remote SCP server or the remote TFTP server. To read or edit the backed up file, make
        sure that your file viewer or editor supports UTF-8 encoding. Note also that TFTP
        provides neither authentication nor encryption, so a configuration backed up over
        TFTP crosses the network in cleartext; prefer SCP for backups that leave a protected
        management network.
write memory [mode]
This global command is used to save the global running configurations to the startup configuration
file.
mode                            Optional. This parameter specifies whether to save the virtual-site
                                configurations. Its value must be:
                                    empty: indicates that only the global running configurations
                                     will be saved.
                                    “all”: indicates both global and all the virtual-site running
                                     configurations will be saved.
                                The default value is empty.
write memory
This command is used to save the virtual site’s running configurations to the startup configuration
file.
write file <mode> [file_name]
This global command is used to back up the global running configurations to a backup file on the
appliance’s disk.
mode                            This parameter specifies whether to save the virtual-site
                                configurations. Its value must be:
                                    file name: indicates that only the global running configurations
                                     will be backed up.
                                    “all”: indicates both global and all the virtual-site running
                                     configurations will be backed up.
file_name                       Optional. This parameter specifies the name of the backup file. Its
                                value must be a string of 1 to 256 characters. This parameter needs
                                to be specified only when the “mode” parameter is set to “all”.
                                The default value is empty.
write file <file_name>
This command is used to back up the virtual site’s running configurations to a backup file on the
appliance’s disk.
file_name                       This parameter specifies the name of the backup file. Its value must
                                be a string of 1 to 256 characters.
no config <file_name>
Under the global scope, this command is used to delete a specified user-defined configuration file.
Under the virtual site scope, this command is used to delete a specified user-defined configuration
file.
show config file [file_name] [regex]
Under the global scope, this command is used to display a specified backup file.
Under the virtual site scope, this command is used to display a specified backup file.
file_name                       Optional. This parameter specifies the name of the backup file. Its
                                value must be:
                                     empty: indicates all backup files will be displayed.
                                     backup file name: indicates configurations of a specified
                                      backup file will be displayed.
                                The default value is empty.
regex                           Optional. This parameter specifies the regular expression to match
                                the backup file. Its value must be a string of 1 to 256 characters. For
                                example, if the parameter value is set to “aaa”, the AAA
                                configurations of a specified virtual site in the backup file will be
                                displayed.
clear config file
Under the global scope, this command is used to clear all backup files for the global scope.
Under the virtual site scope, this command is used to clear all backup files for a specified virtual
site.
write net scp <server_name> <username> <file_path>
Under the global scope, this command is used to back up the global running configurations to a
specified remote SCP server.
Under the virtual site scope, this command is used to back up the virtual site’s running
configurations to a specified remote SCP server.
server_name                     This parameter specifies the host name or IP address of the SCP
                                server. Its value must be a string of 1 to 128 characters. If the IP
                                address is entered, it should be enclosed by double quotes.
username                        This parameter specifies the username to access the remote SCP
                                server. Its value must be a string of 1 to 64 characters. After the
                                username is entered, the password prompt for this SCP server will
                                appear.
file_path                      This parameter specifies the path to save the configuration file. Its
                               value must be a string of 1 to 256 characters.
write net tftp <server_ip> [file_name]
This global command is used to back up the global running configurations to a specified remote
TFTP server.
server_ip                      This parameter specifies the IP address of the TFTP server. Its value
                               must be an IPv4 address.
file_name                      Optional. This parameter specifies the name of the configuration
                               file in which the configuration data is saved. Its value must be a
                               string of 1 to 256 characters. The default value is “ca.cfg”.
write net tftp <server_ip> <file_name>
This command is used to back up the virtual site’s running configurations to a specified remote
TFTP server.
server_ip                      This parameter specifies the IP address of the TFTP server. Its value
                               must be an IPv4 address.
file_name                      This parameter specifies the name of the configuration file in which
                               the configuration data is saved. Its value must be a string of 1 to
                               256 characters.
write net all scp <server_name> <username> <file_path>
This global command is used to back up all the running configurations including virtual-site
running configurations to a specified remote SCP server.
server_name                    This parameter specifies the host name or IP address of the SCP
                               server. Its value must be a string of 1 to 128 characters. If the IP
                               address is entered, it should be enclosed by double quotes.
username                       This parameter specifies the username to access the remote SCP
                               server. Its value must be a string of 1 to 64 characters. After the
                               username is entered, the password prompt for this SCP server will
                               appear.
file_path                      This parameter specifies the path to store the configuration file. Its
                               value must be a string of 1 to 256 characters.
write net all tftp <server_ip> [file_name]
This global command is used to back up all the running configurations including virtual-site
running configurations to a specified remote TFTP server.
server_ip                       This parameter specifies the IP address of the remote TFTP server.
                                Its value must be an IPv4 address.
file_name                       Optional. This parameter specifies the name of the configuration
                                file in which the configuration data is saved. Its value must be a
                                string of 1 to 256 characters. The default value is
                                “AG_conf.all_cfg_tar”.
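As an added example (not from the handbook), the Python below compares a backup retrieved from the SCP or TFTP server against a known-good baseline and reports the drift, optionally restricted by a regular expression in the manner of the [expression] parameter of “show running” and “show config file”. The two sample backups are constructed placeholders and not ArrayOS configuration syntax; the only property relied on is the one the note above gives, a UTF-8 text file with one setting per line. The watch patterns for administrator accounts and access lists, and the function names, are assumptions.

```python
import re

# Constructed placeholder backups (NOT ArrayOS syntax): a baseline taken
# right after `write memory`, and a copy later pulled back from the SCP
# server. Real backups are UTF-8 text, one setting per line, which is all
# this comparison relies on.
BASELINE_BACKUP = """\
# baseline saved 2017-08-12
hostname AN
admin user array
snmp community public
access-list 10 permit 10.0.0.0/8
"""

CURRENT_BACKUP = """\
# pulled from the SCP server today
hostname AN
admin user array
admin user helpdesk
snmp  community  public
access-list 10 permit 0.0.0.0/0
"""


def load_backup(path):
    """Read a backup file; the appliance writes UTF-8, so say so explicitly
    rather than trusting the local default encoding."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def normalize(text):
    """Set of configuration lines with comments, blank lines and whitespace
    differences removed, so re-indentation alone never counts as drift."""
    lines = set()
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("#"):
            lines.add(line)
    return lines


def config_drift(baseline, current, expression=None):
    """(added, removed) lines in `current` relative to `baseline`.
    `expression` is an optional regular expression limiting the comparison,
    in the spirit of the [expression] filter of `show running`."""
    base, cur = normalize(baseline), normalize(current)
    if expression:
        rx = re.compile(expression)
        base = {l for l in base if rx.search(l)}
        cur = {l for l in cur if rx.search(l)}
    return sorted(cur - base), sorted(base - cur)


def drift_findings(baseline, current, watch=(r"^admin user ", r"^access-list ")):
    """Drift on lines matching the `watch` patterns (administrator accounts
    and access lists here), reported as 'added:' / 'removed:' strings."""
    added, removed = config_drift(baseline, current)
    findings = []
    for pattern in watch:
        rx = re.compile(pattern)
        findings += [f"added: {l}" for l in added if rx.search(l)]
        findings += [f"removed: {l}" for l in removed if rx.search(l)]
    return findings


if __name__ == "__main__":
    for finding in drift_findings(BASELINE_BACKUP, CURRENT_BACKUP):
        print(finding)
```

Keep the baseline on a system the appliance cannot write to; a backup that is only ever compared with the previous backup from the same server cannot tell you that both were altered.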
Configuration Restore
        Note: The files restored from the appliance’s disk, the remote SCP server, the remote
        TFTP server or the Web server must be in the UTF-8 encoding format. To read or edit the
        restored file, make sure that your file viewer or editor supports UTF-8 encoding.
configure memory [mode]
This global command is used to restore the global configurations from the startup configuration
file.
mode                            Optional. This parameter specifies whether to restore the virtual-site
                                configurations. Its value must be:
                                    empty: indicates only the global configurations will be
                                     restored.
                                    “all”: indicates both global and all the virtual-site
                                     configurations will be restored.
                                The default value is empty.
configure memory
This command is used to restore the virtual site’s configurations from the startup configuration
file.
configure file <mode> [file_name]
This global command is used to restore the global configurations from a specified backup file.
mode                            This parameter specifies whether to restore the virtual-site running
                                configurations. Its value must be:
                                    empty: indicates only the global configurations will be
                                     restored.
                                    “all”: indicates both the global and all the virtual-site
                                     configurations will be restored.
file_name                       Optional. This parameter specifies the name of the backup file. Its
                                value must be a string of 1 to 256 characters. This parameter needs
                                to be specified only when the “mode” parameter is set to “all”.
        Note: Execution of the command “configure file all” will not clear the current
        configurations from the system. To replace all the current configurations with the loaded
        configurations, the administrator needs to execute the command “clear config all” first.
configure file <file_name>
This command is used to restore the virtual site’s configurations from a specified backup file.
file_name                       This parameter specifies the name of the backup file. Its value
                                should be a string of 1 to 256 characters.
configure net scp <server_name> <username> <file_path>
Under the global scope, this command is used to restore the global configurations from a specified
remote SCP server.
Under the virtual site scope, this command is used to restore the virtual site’s configurations from
a specified remote SCP server.
server_name                     This parameter specifies the host name or IP address of the SCP
                                server. Its value must be a string of 1 to 128 characters. If the IP
                                address is entered, it should be enclosed by double quotes.
username                        This parameter specifies the remote user account name. Its value
                                must be a string of 1 to 64 characters. After the username is entered,
                                the password prompt for this SCP server will appear.
file_path                       This parameter specifies the path of the configuration file saved on
                                the remote SCP server. Its value must be a string of 1 to 256
                                characters.
configure net tftp <server_ip> <file_name> [force_flag]
Under the global scope, this command is used to restore the global configurations from a specified
remote TFTP server.
Under the virtual site scope, this command is used to restore the virtual site’s configurations from
a specified remote TFTP server.
server_ip                       This parameter specifies the IP address of the remote TFTP server.
                                Its value must be an IPv4 address.
file_name                       This parameter specifies the name of the configuration file. Its
                                value must be a string of 1 to 256 characters.
force_flag                      Optional. This parameter specifies whether to force the system to
                                restore the global configurations. This parameter only works under
                                the global scope. Its value must be:
                                    force: indicates the global configurations will be restored
                                     directly.
                                    empty: indicates a prompt will appear asking whether to
                                     display the configurations before restoring them.
                                The default value is empty.
configure net http <url>
Under the global scope, this command is used to restore the global configurations from a specified
Web server.
Under the virtual site scope, this command is used to restore the virtual site’s configurations from
a specified Web server.
url                             This parameter specifies the URL address of the configuration file.
                                For example, http://www.xyz.com/array.conf. Its value must be a
                                string of 1 to 64 characters.
configure net all scp <server_name> <username> <file_path>
This global command is used to restore the entire configurations from a specified remote SCP
server.
server_name                     This parameter specifies the host name or IP address of the remote
                                SCP server. Its value must be a string of 1 to 128 characters. If the
                                IP address is entered, it should be enclosed by double quotes.
username                        This parameter specifies the username to access the remote SCP
                                server. Its value must be a string of 1 to 64 characters. After the
                                username is entered, the password prompt for this SCP server will
                                appear.
file_path                       This parameter specifies the path of the configuration file saved on
                                the remote SCP server. Its value must be a string of 1 to 256
                               characters.
configure net all tftp <server_ip> <file_name>
This global command is used to restore the entire configurations from a specified remote TFTP
server.
server_ip                      This parameter specifies the IP address of the remote TFTP server.
                               Its value must be an IPv4 address.
file_name                      This parameter specifies the name of the configuration file. Its
                               value must be a string of 1 to 256 characters.
configure net all http <url>
This global command is used to restore the entire configurations from a specified Web server.
url                            This parameter specifies the URL address of the configuration file.
                               For example, http://www.xyz.com/array.conf. Its value must be a
                               string of 1 to 64 characters.
Configuration Clearance
clear config secondary [webui]
This global command is used to reset all the secondary AG settings (NAT, FWD, SNMP, log,
domain server, proxy server and so on) to their default values. After this command is executed,
execute the “write memory” command to save the current configuration; otherwise the previously
saved settings will be restored after a system reboot.
webui                          Optional. This parameter specifies whether or not the WebUI
                               configurations will be restored. Its value must be:
                                   webui: indicates the WebUI configurations will be restored.
                                   nowebui: indicates the WebUI configurations will not be
                                    restored.
                               The default value is webui.
clear config primary
This global command is used to restore the basic network settings to default values (including
settings about IP address, cluster, access list, group, WebUI, “Enable” level password, “array”
user password and so on). Also, all administrator accounts except “array” will be deleted. After
this command is executed, please execute the “write memory” command to save the current
configuration, otherwise the system will be restored to the original status after a system reboot.
This command cannot be executed if there are other configurations dependent on these basic
network settings. In this situation, please execute the command “clear config secondary” first to
delete the related configurations. Then, execute the command “clear config primary” again.
clear config all
Under the global scope, this command is used to clear all settings on the AG appliance.
Under the virtual site scope, this command is used to clear all settings of the virtual site.
Configuration Factory Reset
clear config factorydefault
This global command is used to reset the AG appliance to the factory default settings. After this
command is executed, the system will automatically reboot.
Configuration Synchronization
The Configuration Synchronization feature allows administrators to transfer configuration
information between AG appliances within the same network.
synconfig peer <peer_name> <peer_ip>
This global command is used to add a synchronization peer with a unique name and IP address.
peer_name                        This parameter specifies the name of the synchronization peer. Its
                                 value must be a string of 1 to 128 characters.
peer_ip                          This parameter specifies the IP address of the synchronization peer.
          Note: Synchronization peers must be configured on all synchronization nodes.
no synconfig peer <peer_name>
This global command is used to delete a specified synchronizing peer.
show synconfig peer
This global command is used to display all configured synchronization peers.
clear synconfig peer
This global command is used to clear all synchronization peers.
synconfig challenge <code>
This global command is used to configure a challenge code for system configuration
synchronization. The challenge codes on synchronization nodes must be identical.
code                           This parameter specifies the challenge code. Its value must be a
                               string of 1 to 31 case-sensitive characters. The “$” character is also
                               supported.
no synconfig challenge
This global command is used to delete the configured challenge code.
show synconfig challenge
This global command is used to display the currently configured challenge code.
       Note: The challenge code is displayed in encrypted format. The administrator must
       securely record the original challenge code.
clear synconfig challenge
This global command is used to clear the configured challenge code.
synconfig to <peer_name>
This global command is used to manually synchronize running configurations from the local node
to a specified peer node. After this command is executed, prior to applying the new configurations,
the “clear config secondary” will be executed on the peer node. This will remove all the existing
configurations except for appliance-specific settings. The appliance-specific settings unaffected
include system IP addresses, SSH IP address, WebUI IP address, WebUI IP port, IP route, host
name, Bond, VLAN, WebWall, accesslist and accessgroup.
peer_name                      This parameter specifies the name of the synchronization peer. If
                               the parameter value is set to “all”, configurations will be
                               synchronized to all peer nodes defined using the “synconfig peer”
                               command.
synconfig from <peer_name>
This global command is used to manually synchronize configurations from a specified peer node
to the local node. This command can only synchronize the peer’s startup configuration rather than
the running configuration.
peer_name                      This parameter specifies the name of the synchronization peer.
synconfig rollback local <peer_name>
This global command is used to restore the system back to the configuration state before the
execution of the “synconfig from” command.
peer_name                       This parameter specifies the name of the synchronization peer. This
                                parameter must be specified in order to determine the configuration
                                state to be restored.
synconfig rollback peer <peer_name>
This global command is used to restore the configurations of a specified peer back to the
configuration state before the execution of the “synconfig to” command.
peer_name                       This parameter specifies the name of the synchronization peer. If
                                the parameter value is set to “all”, then all peers that have been
                                previously specified with the “synconfig to” command will be
                                rolled back.
show synconfig diff <peer_name>
This global command is used to display the configuration difference between the local node and a
specified peer.
peer_name                       This parameter specifies the name of the synchronization peer.
show synconfig status from [peer_ip]
This global command is used to display the results of synchronization from a specified peer node
to the local node. If the “peer_ip” parameter is not specified, the results of synchronization from
all peer nodes to the local node will be displayed.
show synconfig status history
This global command is used to display the history of synchronization events initiated on the AG
appliance.
synconfig copy file <file_name>
This global command is used to copy a file from the local node to the peer node in the backend.
file_name                       This parameter specifies the name of the file to be copied. Its value
                                must be a string of 1 to 256 characters.
synconfig delete file <file_name>
This global command is used to delete a file from the peer node in the backend.
file_name                       This parameter specifies the name of the file to be deleted.
synconfig copy directory <directory_name>
This global command is used to copy a directory from the local node to the peer node in the
backend.
directory_name                    This parameter specifies the name of the directory to be copied. Its
                                  value must be a string of 1 to 256 characters.
synconfig delete directory <directory_name>
This global command is used to delete a directory from the peer node in the backend.
directory_name                    This parameter specifies the name of the directory to be deleted.
Remote Host Access
ssh remote <user@hostname>
This global command is used to create an SSH connection to a remote host. The system supports
all standard SSH parameters under the UNIX system. For details, please refer to the technical
documentation about OpenSSH command.
user@hostname                        This parameter specifies the username and the name or IP
                                     address of the remote host. Its value must be enclosed by double
                                     quotes.
                                     Note: If attributes need to be set for this parameter, this
                                     parameter and the attribute must be enclosed by single quotes
                                     first, and then enclosed by double quotes. For example, ssh
                                     remote “‘192.168.1.24 -p 8888’”.
Example:
AN#ssh remote "root@172.16.85.240"
root@172.16.85.240's password:
Linux server1 2.6.32-22-generic #33-Ubuntu SMP Wed Apr 28 13:27:30 UTC 2010 i686
GNU/Linux
Welcome to Ylmf_OS!
 * Information: http://www.ylmf.com/
0 packages can be updated.
0 updates are security updates.
Last login: Wed Apr 20 00:39:35 2011 from 10.3.46.1
root@ server1:~#
telnet <host port>
This global command is used to create a Telnet connection to a remote host. The system supports
all standard Telnet parameters under the UNIX system. For details, please refer to the technical
documentation about Telnet commands.
host port                          This parameter specifies the IP address and the port of the remote
                                   host. Its value must be enclosed by double quotes.
                                   Note: If attributes need to be set for this parameter, this parameter
                                   and the attribute must be enclosed by single quotes first, and then
                                   enclosed by double quotes. For example, telnet “‘192.168.1.24 -l
                                   admin’”.
Example:
AN#telnet "'172.16.2.182 -4'"
Trying 172.16.2.182...
Connected to 172.16.2.182 -4.
Escape character is '^]'.
Trying SRA secure login:
User (root): array
Password:
[ SRA accepts you ].................succeed
Chapter 13 Advanced System Operations
To configure the advanced system options such as RTS, Bond and NAT on the AG appliance, the
administrator must be in the global shell and in Config mode.
RTS
ip rts on <rts_mode>
This command is used to enable the RTS function. RTS ensures that all of the response packets
from a remote server can be directed to the link from which the corresponding request packets are
sent by a client.
rts_mode                       This parameter specifies the RTS mode. Its value can only be
                               “gateway” or “all”. “gateway” means that RTS records external
                               senders as configured gateways. “all” means that RTS records all
                               external senders that send packets to the unit. By default, the RTS
                               mode will be “all”.
ip rts off
This command is used to disable the RTS function.
ip rts expire [timeout]
This command is used to set the maximum period (in seconds) before an unused RTS entry times
out and expires. The parameter value ranges from 1 to 21474836. The default period is 60
seconds.
show ip rts
This command is used to display the RTS configuration.
clear ip rts
This command is used to reset the RTS configuration.
show statistics rts
This command is used to display the running RTS statistics.
       Note: The maximum number of RTS entries may vary according to the amount of system
       memory as shown in the following table. Each RTS entry uses about 264KB memory
       space.
                  Table 13-1 Relation between RTS Entry and System Memory
      System Memory                  Maximum RTS Entry                      Memory Usage
             1G                             10,000                               2.5M
             2G                             20,000                                 5M
             4G                             40,000                                10M
clear statistics rts
This command is used to clear the RTS statistics.
Bond
bond name <bond_id> <bond_name>
This command assigns a name to the specified bond interface. The AG appliance supports at most
6 bond interfaces.
bond_id                         This parameter specifies the default bond interface ID (bond1,
                                bond2, bond3, bond4, bond5 and bond6) on the AG appliance.
bond_name                       This parameter specifies a network interface name specified by an
                                alphanumeric string. Its default values are respectively bond1,
                                bond2, bond3, bond4, bond5 and bond6.
bond interface <bond_name> <interface_name> [1|0]
This command is used to add a system interface to the specified bond interface. At most 12 system
interfaces can be added to a bond interface.
The optional “1|0” parameter sets the interface as either the primary (1) or backup (0) interface in
the bond. Multiple primary or backup interfaces can be set in the bond. When all the primary
interfaces in the bond fail, the backup interfaces will attempt to take over the work.
bond_name                       This parameter specifies a network interface name specified by an
                                alphanumeric string. Its default values are bond1, bond2, bond3 and
                                bond4.
interface_name                  This parameter specifies a network interface name specified by an
                                alphanumeric string. The default interface names are “port1”,
                                “port2”, “port3”…etc. The interface can be set by using the
                                “interface name” command.
1|0                             1: This is the default value and sets the interface as one of the
                                primary interfaces in the bond.
                                0: Sets the interface as one of the backup interfaces in the bond.
no bond interface <bond_name> <interface_name>
This command is used to remove the system interface from the bond interface.
show bond [bond_name]
This command is used to display all the current system bond interface settings. If the bond
interface name is specified, the command will only display settings for the specified interface.
clear bond [bond_name]
This command resets the specified bond interface configuration to the default settings. If no bond
interface name is specified, the settings for all the bond interfaces are reset.
NAT
nat port <vip> <network_ip> <netmask> [timeout] [gateway]
This command is used to enable network address translation (NAT) along with port translation.
NAT converts the address of each server or device on the inside network into one IP address for
the Internet and vice versa. The AG appliance will check for subnet overlap or verify that the
configured virtual IP exists. Data packets will be NATTed if and only if:
     The source IP address is in the range of the configured “network_ip” and “netmask”.
     The configured “gateway” is the same as the route gateway. If the “gateway” is set to the
      default value (0.0.0.0), the “vip” and the route gateway should be within the same network
      segment.
Up to 512 NAT ports can be configured on one AG appliance.
vip                             This parameter specifies a supplied virtual IP address.
network_ip                      This parameter specifies the network IP to perform the network
                                translation on.
netmask                         This parameter specifies the netmask for the network performing
                                the NAT.
timeout                         Optional. This parameter specifies the timeout setting in seconds.
                                The default value is 60 seconds.
gateway                         Optional. This parameter specifies the gateway IP address to which
                                data packets are routed after being NATTed. The default is 0.0.0.0.
no nat port <vip>
This command is used to remove the specified virtual IP address from the NAT configurations.
show nat port
This command is used to display all NAT configurations.
clear nat port
This command is used to stop and remove the NAT configurations.
nat static <vip> <network_ip> [timeout] [gateway]
This command is used to set a static NAT route. Data packets will be NATTed if and only if:
     The source IP address is in the range of the configured “network_ip”.
     The configured “gateway” is the same as the route gateway (The route gateway is configured
      by using the command “ip route default”). If the “gateway” is set to the default value
      (0.0.0.0), the “vip” and the route gateway should be within the same network segment.
Up to 512 NAT static routes can be configured on one AG appliance.
vip                             This parameter specifies a supplied virtual IP address.
network_ip                      This parameter specifies the network IP to perform the network
                                translation on.
timeout                         Optional. This parameter specifies the timeout value in seconds.
                                The default is 60 seconds.
gateway                         Optional. This parameter specifies the gateway IP address to which
                                data packets are routed after being NATTed. It defaults to 0.0.0.0.
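The two conditions that “nat port” and “nat static” share (source address inside the configured range, and gateway agreement with the route gateway) are easy to misjudge on paper. The following Python model is an added example, not Array Networks code: it evaluates both conditions for a sample packet and reproduces the pre-commit checks the handbook mentions (512-entry limit, inside-subnet overlap). The VIP's own network segment (vip_segment) and the /32 reading of a static entry's network_ip are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class NatEntry:
    """One 'nat port <vip> <network_ip> <netmask> [timeout] [gateway]' entry, or,
    when netmask is None, one 'nat static <vip> <network_ip> [timeout] [gateway]' entry.
    Assumption: a static entry's network_ip is treated as a single /32 host."""
    vip: str
    network_ip: str
    netmask: Optional[str] = None
    timeout: int = 60            # seconds; the handbook's default for both commands
    gateway: str = "0.0.0.0"     # handbook default: follow the route gateway

    @property
    def is_static(self) -> bool:
        return self.netmask is None

    def inside_network(self) -> ipaddress.IPv4Network:
        prefix = "32" if self.is_static else self.netmask
        return ipaddress.ip_network(f"{self.network_ip}/{prefix}", strict=False)


def source_matches(entry: NatEntry, src_ip: str) -> bool:
    """First condition: the packet's source address lies in the entry's inside range."""
    return ipaddress.ip_address(src_ip) in entry.inside_network()


def gateway_matches(entry: NatEntry, route_gateway: str, vip_segment: str) -> bool:
    """Second condition. An explicit gateway must equal the route gateway ('ip route default').
    With the default 0.0.0.0, the VIP and the route gateway must share one network segment;
    vip_segment (the VIP interface's network, e.g. '203.0.113.0/24') is an assumed input,
    because the command itself carries no mask for the VIP."""
    if entry.gateway != "0.0.0.0":
        return ipaddress.ip_address(entry.gateway) == ipaddress.ip_address(route_gateway)
    seg = ipaddress.ip_network(vip_segment, strict=False)
    return (ipaddress.ip_address(entry.vip) in seg
            and ipaddress.ip_address(route_gateway) in seg)


def select_nat_entry(entries: Iterable[NatEntry], src_ip: str,
                     route_gateway: str, vip_segment: str) -> Optional[NatEntry]:
    """Return the entry under which an outbound packet from src_ip would be NATted,
    or None when no entry satisfies both conditions (the packet is forwarded untranslated)."""
    for entry in entries:
        if source_matches(entry, src_ip) and gateway_matches(entry, route_gateway, vip_segment):
            return entry
    return None


def validate_entries(entries: List[NatEntry]) -> List[str]:
    """Pre-commit checks modelled on the handbook: at most 512 'nat port' and 512 'nat static'
    entries per appliance, and no overlap between the inside subnets of entries of one kind."""
    problems: List[str] = []
    for kind, group in (("port", [e for e in entries if not e.is_static]),
                        ("static", [e for e in entries if e.is_static])):
        if len(group) > 512:
            problems.append(f"{len(group)} nat {kind} entries exceed the limit of 512")
        nets = [(e.vip, e.inside_network()) for e in group]
        for i, (vip_a, net_a) in enumerate(nets):
            for vip_b, net_b in nets[i + 1:]:
                if net_a.overlaps(net_b):
                    problems.append(f"nat {kind}: {net_a} ({vip_a}) overlaps {net_b} ({vip_b})")
    return problems


# Constructed sample configuration using documentation address ranges only.
SAMPLE_ENTRIES = [
    NatEntry("203.0.113.10", "10.1.0.0", "255.255.0.0"),                          # nat port, default gateway
    NatEntry("203.0.113.11", "10.2.0.0", "255.255.255.0", gateway="203.0.113.1"),  # nat port, explicit gateway
    NatEntry("203.0.113.12", "10.3.0.5"),                                         # nat static
]
ROUTE_GATEWAY = "203.0.113.1"      # what 'ip route default' would point at
VIP_SEGMENT = "203.0.113.0/24"     # assumed network of the VIP interface

if __name__ == "__main__":
    for src in ("10.1.5.5", "10.2.0.7", "10.3.0.5", "192.168.1.1"):
        hit = select_nat_entry(SAMPLE_ENTRIES, src, ROUTE_GATEWAY, VIP_SEGMENT)
        print(src, "->", hit.vip if hit else "not NATted")
    overlapping = SAMPLE_ENTRIES + [NatEntry("203.0.113.13", "10.1.2.0", "255.255.255.0")]
    print(validate_entries(overlapping))
```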
no nat static <vip>
This command is used to remove the specified virtual IP address from the static NAT
configurations.
show nat static
This command is used to display all static NAT configurations.
clear nat static
This command is used to stop and remove the static NAT configurations.
show nat table
This command is used to display the existing network translations for incoming and outgoing
traffic.
HTTP Compression
http compression {on|off}
This global command is used to enable or disable the HTTP Compression function. By default,
this function is disabled. When this function is enabled, Text, XML and HTML will be
compressed by default. To compress other types of HTTP data, please configure HTTP
compression policies using the command “http compression policy useragent”.
show http compression status
This command is used to display the status of the HTTP Compression function.
http compression policy useragent <user_agent> <mime_type>
This global command is used to configure an HTTP compression policy to compress a specified
MIME type of data for a user agent.
user_agent                     This parameter specifies the name of the user agent. Its value
                               should be a string of 1 to 256 characters. It is recommended that the
                               parameter value should be enclosed in double quotes.
mime_type                      This parameter specifies the MIME media type for which data
                               compression is used. Its value can only be:
                                   doc
                                   xls
                                   ppt
                                   js
                                   css
                                   pdf
http compression advanced useragent on
This global command is used to add the recommended HTTP compression policies. After this
command is executed, the following configurations will be added to the system:
http compression policy useragent "MSIE 6" "css"
http compression policy useragent "MSIE 6" "js"
http compression policy useragent "MSIE 7.0" "css"
http compression policy useragent "MSIE 7.0" "js"
http compression policy useragent "MSIE 8.0" "css"
http compression policy useragent "MSIE 8.0" "js"
http compression policy useragent "Mozilla/5.0" "css"
http compression policy useragent "Mozilla/5.0" "js"
That is, the system compresses JavaScript and CSS-type data for the following four types of
browsers (user agents): IE 6, IE 7, IE 8 and Mozilla 5.0.
no http compression policy useragent <user_agent> <mime_type>
This global command is used to delete an HTTP compression policy.
show http compression policy useragent
This global command is used to display all the configured HTTP compression policies including
recommended policies.
clear http compression policy useragent
This global command is used to clear all the configured HTTP compression policies including
recommended policies.
show http compression config
This global command is used to display the status of the HTTP Compression function and
configured HTTP compression policies.
clear http compression config
This global command is used to disable the HTTP Compression function and clear configured
HTTP compression policies.
show statistics compression [virtual_site_name]
This global command is used to display the statistics on HTTP compression under the specified
virtual site.
virtual_site_name             This parameter specifies the name of the virtual site. Its value can
                              be a virtual site name or all. “all” indicates that the statistics on
                              HTTP compression under all virtual sites will be displayed.
clear statistics compression
This global command is used to clear the statistics on HTTP compression.
http compression policy urlexclude <keyword>
This command is used to configure a URL-excluded compression policy to disable HTTP
compression for URLs matching the “keyword” setting under the virtual site.
keyword                       This parameter specifies a regular expression. Its value should be a
                              string of 1 to 255 characters.
no http compression policy urlexclude <keyword>
This command is used to delete a specified URL-excluded compression policy configured under
the virtual site.
show http compression policy urlexclude
This command is used to show all URL-excluded compression policies configured under the
virtual site.
clear http compression policy urlexclude
This command is used to clear all URL-excluded compression policies configured under the
virtual site.
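How the global on/off switch, the default Text/XML/HTML types, the per-user-agent policies (including the eight added by “http compression advanced useragent on”) and the urlexclude regexes combine into one per-response decision is shown in the following Python model, an added example rather than Array Networks code. Assumed: the concrete Content-Type strings behind the handbook's type names, substring matching of the policy user_agent against the User-Agent header, and urlexclude taking precedence over every other rule.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Policies added by "http compression advanced useragent on", as listed in the handbook.
RECOMMENDED_POLICIES: Tuple[Tuple[str, str], ...] = (
    ("MSIE 6", "css"), ("MSIE 6", "js"),
    ("MSIE 7.0", "css"), ("MSIE 7.0", "js"),
    ("MSIE 8.0", "css"), ("MSIE 8.0", "js"),
    ("Mozilla/5.0", "css"), ("Mozilla/5.0", "js"),
)

# "Text, XML and HTML" are compressed whenever the function is on. Which exact
# Content-Type strings stand behind those three words is an assumption.
DEFAULT_COMPRESSED = {"text/plain", "text/html", "text/xml", "application/xml"}

# Maps Content-Type values to the six mime_type tokens the policy command accepts.
# The Content-Type strings are an assumption; the tokens are the handbook's.
MIME_TOKENS = {
    "application/msword": "doc",
    "application/vnd.ms-excel": "xls",
    "application/vnd.ms-powerpoint": "ppt",
    "application/javascript": "js",
    "text/javascript": "js",
    "text/css": "css",
    "application/pdf": "pdf",
}
VALID_TOKENS = {"doc", "xls", "ppt", "js", "css", "pdf"}


@dataclass
class CompressionConfig:
    enabled: bool = False                                    # "http compression off" is the default
    useragent_policies: Set[Tuple[str, str]] = field(default_factory=set)
    url_excludes: List[str] = field(default_factory=list)    # per-virtual-site regex keywords

    def add_useragent_policy(self, user_agent: str, mime_type: str) -> None:
        """http compression policy useragent <user_agent> <mime_type>"""
        if not 1 <= len(user_agent) <= 256:
            raise ValueError("user_agent must be 1 to 256 characters")
        if mime_type not in VALID_TOKENS:
            raise ValueError(f"mime_type must be one of {sorted(VALID_TOKENS)}")
        self.useragent_policies.add((user_agent, mime_type))

    def enable_advanced_useragent(self) -> None:
        """http compression advanced useragent on"""
        for ua, mt in RECOMMENDED_POLICIES:
            self.add_useragent_policy(ua, mt)

    def add_url_exclude(self, keyword: str) -> None:
        """http compression policy urlexclude <keyword>; the keyword is a regular expression."""
        if not 1 <= len(keyword) <= 255:
            raise ValueError("keyword must be 1 to 255 characters")
        re.compile(keyword)   # reject an invalid regex at configuration time, not per request
        self.url_excludes.append(keyword)


def should_compress(cfg: CompressionConfig, user_agent: str, content_type: str, url: str) -> bool:
    """Decide whether one response is compressed. Assumptions: a urlexclude match wins over
    every other rule, and a policy's user_agent string matches as a substring of the
    request's User-Agent header (the handbook states no other matching semantics)."""
    if not cfg.enabled:
        return False
    if any(re.search(keyword, url) for keyword in cfg.url_excludes):
        return False
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in DEFAULT_COMPRESSED:
        return True
    token = MIME_TOKENS.get(mime)
    if token is None:
        return False                       # type outside the six policy tokens: never compressed
    return any(ua in user_agent and mt == token for ua, mt in cfg.useragent_policies)


if __name__ == "__main__":
    cfg = CompressionConfig(enabled=True)
    cfg.enable_advanced_useragent()
    cfg.add_url_exclude(r"\.min\.js$")
    # Constructed User-Agent header value for a Gecko browser.
    ff = "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
    print(should_compress(cfg, ff, "application/javascript", "/static/app.js"))
    print(should_compress(cfg, ff, "application/javascript", "/static/app.min.js"))
```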
Chapter 14 IPv6 Support
To support IPv6 in the various modules, NDP (Neighbor Discovery Protocol) must be configured
on the AG appliance so that IPv6 addresses can be mapped to MAC addresses.
ipv6 ndp <ipv6_address> <mac_address>
This command is used to add a static NDP entry to the system.
ipv6_address                   This parameter specifies the IPv6 address of a remote host.
mac_address                    This parameter specifies the MAC address of the remote host.
no ipv6 ndp <ipv6_address>
This command is used to remove the static NDP entry of the specified IPv6 address.
show ipv6 ndp
This command is used to display all the static NDP entries.
clear ipv6 ndp
This command is used to clear all the static NDP entries.
Chapter 15 DesktopDirect
Basic ART Commands
show art status [instance_name]
This global command is used to display the general ART status for an existing ART instance: the
number of registered users, the state of local name resolution and strict user policy, and the RDP
port.
instance_name                  Optional. This parameter specifies the name of the ART instance to
                               be displayed. If this parameter is not specified, all the configured
                               instances will be displayed.
show art tech
This global command is used to display all the ART configurations.
show art info <instance_name> [user_name]
This global command is used to display ART information of the specified user.
instance_name                  This parameter specifies the name of the ART instance to which the
                               user belongs. Its value should be a string of 1 to 50 characters.
user_name                      Optional. This parameter specifies the name of the user. Its value
                               should be a string of 1 to 100 characters. If this parameter is not
                               specified, information of all the users in the specified ART instance
                               will be displayed.
clear art configuration factorydefault
This global command is used to reset ART configurations to default factory settings.
Name Resolution
art name resolution local enabled <instance_name>
This global command is used to enable ART local name resolution for the specified ART instance.
instance_name                  This parameter specifies the name of the ART instance. Its value
                               should be a string of 1 to 50 characters.
no art name resolution local enabled <instance_name>
This global command is used to disable ART local name resolution for the specified ART
instance.
instance_name                   This parameter specifies the name of the ART instance.
art name resolution local host <host_id> <host_ip>
This global command is used to create a new local host entry.
host_id                         This parameter specifies the ID of the host. Its value should be a
                                string of 1 to 255 characters.
host_ip                         This parameter specifies the IP address of the host. Its value should
                                be given in dotted decimal notation.
no art name resolution local host <host_id>
This global command is used to delete an existing local host entry.
host_id                         This parameter specifies the ID of the host.
show art name resolution local hosts [host_id]
This global command is used to display the information of the specified local host.
host_id                         Optional. This parameter specifies the ID of the host. If this
                                parameter is not specified, information of all the local hosts will be
                                displayed.
clear art name resolution local hosts
This global command is used to delete all the existing local name service hosts. When this CLI
command is executed, the administrator needs to enter “Yes” to confirm this operation.
art name resolution local expiration <minute>
This global command is used to set the expiration timeout value of local host entries.
minute                          This parameter specifies the timeout value. Its value should be an
                                integer ranging from 1 to 4,294,967,295.
ART Instance
art create instance <instance_name>
This global command is used to create a new ART instance.
instance_name                   This parameter specifies the name of the ART instance. Its value
                                should be a string of 1 to 50 characters.
clear art instance <instance_name>
This global command is used to delete an existing ART instance and all the data associated with
the instance.
instance_name                   This parameter specifies the name of the ART instance.
art instance assign portal <instance_name>
This virtual site command is used to assign an ART instance to this virtual site.
instance_name                   This parameter specifies the name of the ART instance. Its value
                                should be a string of 1 to 50 characters.
no art instance assign portal
This virtual site command is used to reset the virtual site assignment to the default instance.
art policy strictuser <instance_name>
This global command is used to enable the strict user policy for the specified ART instance.
instance_name                   This parameter specifies the name of the ART instance. Its value
                                should be a string of 1 to 50 characters.
no art policy strictuser <instance_name>
This global command is used to disable the strict user policy for the specified ART instance.
instance_name                   This parameter specifies the name of the ART instance.
art proxy mode <instance_name> <ip>
This global command is used to set an ART instance to operate in proxy mode to listen on the
specified IP address.
instance_name                   This parameter specifies the name of the ART instance. Its value
                                should be a string of 1 to 50 characters.
ip                              This parameter specifies the remote ART server IP address. Its
                                value should be given in dotted decimal notation.
no art proxy mode <instance_name>
This global command is used to disable the proxy mode for an ART instance.
instance_name                   This parameter specifies the name of the ART instance.
show art proxy mode <instance_name>
2000-2018 Array Networks, Inc.
                                                                                                  407
All Rights Reserved.
This global command is used to display proxy mode information for an ART instance.
instance_name                  This parameter specifies the name of the ART instance.
show art proxy listen <instance_name>
This global command is used to display proxy listening information for an ART instance.
instance_name                  This parameter specifies the name of the ART instance.
art rdp port <instance_name> <port>
This global command is used to specify the default RDP port for the specified ART instance.
instance_name                  This parameter specifies the name of the ART instance. Its value
                               should be a string of 1 to 50 characters.
port                           This parameter specifies the port. Its value should be an integer
                               ranging from 1 to 65,535.
ART Users, Groups and Desktops
ART User
art user <instance_name> <user_name>
This global command is used to create a user for the specified ART instance.
instance_name                  This parameter specifies the name of the ART instance to which the
                               user belongs.
user_name                      This parameter specifies the name of the user. Its value should be a
                               string of 1 to 100 characters.
no art user <instance_name> <user_name>
This global command is used to delete an existing user from the specified ART instance.
instance_name                  This parameter specifies the name of the ART instance to which the
                               user belongs.
user_name                      This parameter specifies the name of the user.
show art users <instance_name> [user_name]
This global command is used to display the information of a user in the specified instance.
instance_name                  This parameter specifies the name of the ART instance to which the
                               user belongs.
user_name                      Optional. This parameter specifies the name of the user to be
                               displayed. If this parameter is not specified, a list of all the users in
                               this specified ART instance will be displayed.
art rename user <instance_name> <old_user> <new_user>
This global command is used to rename an existing user in the specified ART instance.
instance_name                  This parameter specifies the name of the ART instance to which the
                               user belongs.
old_user                       This parameter specifies the current name of the user.
new_user                       This parameter specifies the new name of the user.
ART Group
art group define <instance_name> <group_name>
This global command is used to create a group for the specified ART instance.
instance_name                  This parameter specifies the name of the ART instance to which the
                               group belongs.
group_name                     This parameter specifies the name of the group. Its value should be
                               a string of 1 to 250 characters.
no art group define <instance_name> <group_name>
This global command is used to delete an existing group from the specified ART instance.
instance_name                  This parameter specifies the name of the ART instance to which the
                               group belongs.
group_name                     This parameter specifies the name of the group.
show art group all [instance_name]
This global command is used to display the information of the groups in the specified ART
instance.
instance_name                  Optional. This parameter specifies the name of the ART instance. If
                               this parameter is not specified, all the groups will be displayed.
clear art group all
This global command is used to delete all the group information.
art group rename <instance_name> <old_group> <new_group>
This global command is used to rename an existing group in the specified ART instance.
instance_name                  This parameter specifies the name of the ART instance to which the
                               group belongs.
old_group                      This parameter specifies the current name of the group.
new_group                      This parameter specifies the new name of the group.
art group member <instance_name> <group_name> <user_name>
This global command is used to add a user to the specified group.
instance_name                  This parameter specifies the name of the ART instance to which the
                               group belongs.
group_name                     This parameter specifies the name of the group.
user_name                      This parameter specifies the name of the user.
no art group member <instance_name> <group_name> <user_name>
This global command is used to delete a user from the specified group.
instance_name                  This parameter specifies the name of the ART instance to which the
                               group belongs.
group_name                     This parameter specifies the name of the group.
user_name                      This parameter specifies the name of the user.
show art group members <instance_name> <group_name>
This global command is used to display all the users of the specified group.
instance_name                  This parameter specifies the name of the ART instance to which the
                               group belongs.
group_name                     This parameter specifies the name of the group.
clear art group members <instance_name> <group_name>
This global command is used to delete all the users from the specified group.
instance_name                  This parameter specifies the name of the ART instance to which the
                               group belongs.
group_name                     This parameter specifies the name of the group.
art group mapping ad <instance_name> <server> <base> <username>
<password>
This global command is used to configure external group mapping for Active Directory.
instance_name                  This parameter specifies the name of the ART instance.
server                         This parameter specifies the name of the AD server. Its value
                               should be a string of 1 to 255 characters.
base                           This parameter specifies the AD server host base string. Its value
                               should be a string of 1 to 255 characters.
username                       This parameter specifies the username for logging into the AD
                               server. Its value should be a string of 1 to 255 characters.
password                       This parameter specifies the password for logging into the AD
                               server. Its value should be a string of 1 to 255 characters.
no art group mapping ad <instance_name>
This global command is used to remove the external group mapping for Active Directory.
instance_name                  This parameter specifies the name of the ART instance.
show art group mapping ad [instance_name]
This global command is used to display the information of external group mapping for Active
Directory.
instance_name                  Optional. This parameter specifies the name of the ART instance.
Desktop Publishing
art desktop define {host|ip} [description] [mac_address] [custom_para] [port]
This global command is used to define a desktop.
host|ip                          This parameter specifies the hostname or the IP address of the
                                 desktop. The value of the hostname should be a string of 1 to 250
                                 characters and the value of IP should be given in dotted decimal
                                 notation.
description                      Optional. This parameter specifies the description of the desktop.
                                 Its value should be a string of 1 to 250 characters.
mac_address                      Optional. This parameter specifies the MAC address. Its value
                                 should be a string of 1 to 255 characters without any spaces or
                                 dashes (for example, 112233445566 or aabbccddeeff).
custom_para                      Optional. This parameter specifies the administrator’s self-defined
                                 feature to be performed on the client. Its value should be a string of
                                 1 to 255 characters.
port                             Optional. This parameter specifies the RDP Port. Its value should
                                 be an integer ranging from 0 to 65535, and defaults to 0.
          Note: If hostnames of desktops cannot be resolved using the virtual site's DNS settings,
          the administrator needs to execute the “dns useglobal on” command to allow the virtual
          site to use the global DNS settings for hostname resolution. Otherwise, the virtual site
          cannot fetch the assigned desktops for users.
no art desktop define {host|ip}
This global command is used to delete an existing desktop.
host|ip                          This parameter specifies the hostname or the IP address of the
                                 desktop.
show art desktop all [host|ip]
This global command is used to display the specified desktop.
host|ip                          Optional. This parameter specifies the hostname or the IP address of
                                 the desktop. If this parameter is not specified, all the desktops
                                 defined will be displayed.
art desktop rename {host|ip} {new_host|new_ip} [description] [mac_add]
[custom_para] [port]
This global command is used to update the information of an existing desktop.
host|ip                        This parameter specifies the current hostname or the IP address of
                               the desktop.
new_host|new_ip                This parameter specifies the new hostname or IP address of the
                               desktop.
description                    Optional. This parameter specifies the new description of the
                               desktop.
mac_add                        Optional. This parameter specifies the new MAC address.
custom_para                    Optional. This parameter specifies the administrator’s new
                               self-defined feature to be performed on the client.
port                           Optional. This parameter specifies the new RDP Port.
art desktop assign group <instance_name> <group_name> {host|ip}
This global command is used to assign a desktop to the specified group.
instance_name                  This parameter specifies the name of the ART instance to which the
                               group belongs. Its value should be a string of 1 to 50 characters.
group_name                     This parameter specifies the name of the group to which the
                               desktop is assigned. Its value should be a string of 1 to 250
                               characters.
host|ip                        This parameter specifies the hostname or the IP address of the
                               desktop.
no art desktop assign group <instance_name> <group_name> {host|ip}
This global command is used to delete the assignment of the desktop to the specified group.
instance_name                  This parameter specifies the name of the ART instance to which the
                               group belongs.
group_name                     This parameter specifies the name of the group to which the
                               desktop is assigned.
host|ip                        This parameter specifies the hostname or the IP address of the
                               desktop.
show art desktop group <instance_name> <group_name>
This global command is used to display the desktops assigned to the specified group.
instance_name                  This parameter specifies the name of the ART instance to which the
                               group belongs.
group_name                     This parameter specifies the name of the group to be displayed.
art desktop assign user <instance_name> <user_name> {host|ip}
This global command is used to assign a desktop to the specified user.
instance_name                  This parameter specifies the name of the ART instance to which the
                               user belongs.
user_name                      This parameter specifies the name of the user to which the desktop
                               is assigned. Its value should be a string of 1 to 100 characters.
host|ip                        This parameter specifies the hostname or the IP address of the
                               desktop.
no art desktop assign user <instance_name> <user_name> {host|ip}
This global command is used to delete the assignment of the desktop to the specified user.
instance_name                  This parameter specifies the name of the ART instance to which the
                               user belongs.
user_name                      This parameter specifies the name of the user to which the desktop
                               is assigned.
host|ip                        This parameter specifies the hostname or the IP address of the
                               desktop.
show art desktop user <instance_name> <user_name>
This global command is used to display the desktops assigned to the specified user.
instance_name                  This parameter specifies the name of the ART instance to which the
                               user belongs.
user_name                      This parameter specifies the name of the user to be displayed.
show art desktop associate {host|ip}
This global command is used to display all the associations of the desktop.
host|ip                        This parameter specifies the hostname or the IP address of the
                               desktop to be displayed.
art reset desktop <instance_name> <user_name> <host|ip>
This global command is used to reset a desktop creation timestamp for the specified user.
instance_name                  This parameter specifies the name of the ART instance to which the
                               user belongs.
user_name                      This parameter specifies the name of the user to which the desktop
                               is assigned.
host|ip                        This parameter specifies the hostname or the IP address of the
                               desktop.
Power Management
art powermanagement wakeup desktop <instance_name> <user_name>
{host|ip}
This global command is used to wake up the registered desktop for the specified user.
instance_name                  This parameter specifies the name of the ART instance to which the
                               user belongs. Its value should be a string of 1 to 50 characters.
user_name                      This parameter specifies the name of the user. Its value should be a
                               string of 1 to 100 characters.
host|ip                        This parameter specifies the hostname or IP address of the desktop.
                               The value of hostname should be a string of 1 to 250 characters and
                               the value of IP should be given in dotted decimal notation.
art powermanagement wakeup timeout <instance_name> <seconds>
This global command is used to set the timeout value. It is the maximum time to wait before a
wakeup attempt is regarded as failed.
instance_name                  This parameter specifies the name of the ART instance.
seconds                        This parameter specifies the timeout value in seconds. Its value
                               should be an integer ranging from 1 to 4,294,967,295.
show art powermanagement wakeup timeout <instance_name>
This global command is used to display the settings of power management wakeup timeout for the
specified ART instance.
instance_name                  This parameter specifies the name of the ART instance.
art powermanagement ipbird enabled <instance_name>
This global command is used to enable the IPBird power management provider for the specified
ART instance.
instance_name                  This parameter specifies the name of the ART instance.
no art powermanagement ipbird enabled <instance_name>
This global command is used to disable the IPBird power management provider for the specified
ART instance.
instance_name                  This parameter specifies the name of the ART instance.
art powermanagement ipbird unit <instance_name> <unit_ip> <username>
<password>
This global command is used to add an IPBird unit for the specified ART instance.
instance_name                  This parameter specifies the name of the ART instance.
unit_ip                        This parameter specifies the IP address of the unit. Its value should
                               be given in dotted decimal notation.
username                       This parameter specifies the administrator username for logging
                               into the IPBird unit. Its value should be a string of 1 to 100
                               characters.
password                       This parameter specifies the administrator password for logging
                               into the IPBird unit. Its value should be a string of 1 to 100
                               characters.
no art powermanagement ipbird unit <instance_name> <unit_ip>
This global command is used to delete the specified IPBird unit from the specified ART instance.
instance_name                  This parameter specifies the name of the ART instance.
unit_ip                        This parameter specifies the IP address of the unit.
show art powermanagement ipbird units <instance_name>
This global command is used to display all the configured IPBird units for the specified ART
instance.
instance_name                  This parameter specifies the name of the ART instance to be
                               displayed.
art powermanagement wol enabled <instance_name>
This global command is used to enable the Wake-On-LAN (WoL) power management provider
for the specified ART instance.
instance_name                  This parameter specifies the name of the ART instance.
no art powermanagement wol enabled <instance_name>
This global command is used to disable the WoL power management provider for the specified
ART instance.
instance_name                  This parameter specifies the name of the ART instance.
art powermanagement wol relay <instance_name>
This global command is used to enable the WoL Relay function for the specified ART instance.
This function allows the ART server to communicate with software agents located on different
subnets utilizing standard multicast messages, which in turn are converted to local subnet
broadcast messages.
instance_name                  This parameter specifies the name of the ART instance.
no art powermanagement wol relay <instance_name>
This global command is used to disable the WoL Relay function for the specified ART instance.
instance_name                  This parameter specifies the name of the ART instance.
art powermanagement wol multicast <instance_name> <multicast_ip>
<multicast_port>
This global command is used to set the IP address and port used for sending multicast messages to
WoL relay agents.
instance_name                 This parameter specifies the name of the ART instance.
multicast_ip                  This parameter specifies the IP address used for sending multicast
                              messages. Its value should be given in dotted decimal notation.
multicast_port                This parameter specifies the port used for sending multicast
                              messages. Its value should be an integer ranging from 1 to 65,535.
art powermanagement wol agent <instance_name> <agent_ip>
This global command is used to add a WoL relay agent for the specified ART instance.
instance_name                 This parameter specifies the name of the ART instance.
agent_ip                      This parameter specifies the IP address of the relay agent. Its value
                              should be given in dotted decimal notation.
no art powermanagement wol agent <instance_name> <agent_ip>
This global command is used to delete a WoL relay agent from the specified ART instance.
instance_name                 This parameter specifies the name of the ART instance.
agent_ip                      This parameter specifies the IP address of the relay agent.
show art powermanagement wol agents <instance_name>
This global command is used to display all the configured WoL relay agents for the specified ART
instance.
instance_name                 This parameter specifies the name of the ART instance.
art powermanagement wol interface <instance_name> <interface_ip>
This global command is used to specify the interface through which the WoL Magic Packets are
sent.
instance_name                 This parameter specifies the name of the ART instance.
interface_ip                  This parameter specifies the IP address of the interface. Its value
                              should be given in dotted decimal notation.
no art powermanagement wol interface <instance_name> <interface_ip>
This global command is used to delete the interface through which the WoL Magic Packets are
sent.
instance_name                  This parameter specifies the name of the ART instance.
interface_ip                   This parameter specifies the IP address of the interface.
show art powermanagement wol interface <instance_name>
This global command is used to display the WoL interface configurations for the specified ART
instance.
instance_name                  This parameter specifies the name of the ART instance.
show art powermanagement providers <instance_name> [enabled]
This global command is used to display the power management providers for the specified ART
instance.
instance_name                  This parameter specifies the name of the ART instance.
enabled                        Optional. If this parameter is specified, only enabled power
                               management providers will be displayed; otherwise, all the power
                               management providers will be displayed.
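The WoL provider described above wakes a registered desktop by sending a Magic Packet to its MAC address, and the WoL relay turns multicast wakeups into local subnet broadcasts. The following is an added example, not code from the handbook or from Array Networks: it builds and verifies that packet from a MAC in the format `art desktop define` accepts, and derives the broadcast address a relay agent would use; the UDP port 9 and the limited-broadcast destination are assumptions the handbook does not state.

```python
"""Added example (not Array Networks' code): build and verify the Wake-On-LAN
Magic Packet that the WoL provider sends to a registered desktop, using the
MAC format that `art desktop define` accepts (12 hex digits, no spaces or
dashes), and derive the local subnet broadcast address a WoL relay agent
would forward to. The UDP port (9) and the use of a limited broadcast are
assumptions; the handbook does not state them."""
import ipaddress
import re
import socket

# The handbook's mac_address format: e.g. 112233445566 or aabbccddeeff.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")
WOL_PORT = 9  # assumption: the conventional WoL "discard" port


def is_valid_mac(mac_address: str) -> bool:
    """True only for the separator-free 12-hex-digit form the CLI accepts."""
    return bool(MAC_RE.match(mac_address))


def parse_mac(mac_address: str) -> bytes:
    """Return the six raw MAC bytes; separators are rejected, not stripped,
    so a value the CLI would refuse is refused here as well."""
    if not is_valid_mac(mac_address):
        raise ValueError(f"MAC must be 12 hex digits without separators: {mac_address!r}")
    return bytes.fromhex(mac_address)


def magic_packet(mac_address: str) -> bytes:
    """A Magic Packet is 6 bytes of 0xFF followed by the MAC repeated 16 times
    (102 bytes in total); the NIC matches this pattern anywhere in the frame."""
    return b"\xff" * 6 + parse_mac(mac_address) * 16


def is_magic_packet_for(payload: bytes, mac_address: str) -> bool:
    """Check a captured UDP payload against the expected packet for a MAC,
    e.g. when confirming on the wire that packets leave through the interface
    configured with `art powermanagement wol interface`."""
    return payload == magic_packet(mac_address)


def subnet_broadcast(interface_ip: str, netmask: str) -> str:
    """The directed broadcast address a relay agent on interface_ip/netmask
    would rewrite a received multicast wakeup to (the relay behaviour described
    under `art powermanagement wol relay`)."""
    net = ipaddress.ip_network(f"{interface_ip}/{netmask}", strict=False)
    return str(net.broadcast_address)


def send_magic_packet(mac_address: str, interface_ip: str,
                      destination: str = "255.255.255.255", port: int = WOL_PORT) -> int:
    """Send the packet from the interface that owns interface_ip (the role of
    `art powermanagement wol interface`); returns the number of bytes sent."""
    payload = magic_packet(mac_address)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.bind((interface_ip, 0))  # pins the egress interface by address
        return sock.sendto(payload, (destination, port))


if __name__ == "__main__":
    # Constructed sample values, not taken from the handbook.
    pkt = magic_packet("aabbccddeeff")
    print(len(pkt), pkt[:6].hex(), subnet_broadcast("10.1.2.3", "255.255.255.0"))
```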
Device Based Identification
art device identification enabled <instance_name>
This global command is used to enable Device Based Identification for the specified ART
instance.
instance_name                  This parameter specifies the name of the ART instance. Its value
                               should be a string of 1 to 50 characters.
no art device identification enabled <instance_name>
This global command is used to disable Device Based Identification for the specified ART
instance.
instance_name                  This parameter specifies the name of the ART instance.
art device identification device authorize <instance_name> <device_type>
[device_id] [user_name]
This global command is used to add a device to the list of authorized devices.
instance_name                  This parameter specifies the name of the ART instance.
device_type                    This parameter specifies the type of the device. Its value should be
                               a string of 1 to 255 characters.
device_id                      Optional. This parameter specifies the DeviceID. Its value should
                               be a string of 1 to 255 characters. If this parameter is not specified,
                               this operation will apply to all the devices of the specified device
                               type.
user_name                      Optional. This parameter specifies the name of the user to which the
                               device is associated. Its value should be a string of 1 to 100
                               characters. If this parameter is not specified, this operation will
                               apply to all the users in the specified ART instance.
no art device identification device authorize <instance_name>
<device_type> [device_id] [user_name]
This global command is used to remove a device from the list of authorized devices.
instance_name                  This parameter specifies the name of the ART instance.
device_type                    This parameter specifies the type of the device.
device_id                      Optional. This parameter specifies the DeviceID.
user_name                      Optional. This parameter specifies the name of the user to which the
                               device is associated.
art device identification device enable <instance_name> <device_type>
[device_id] [user_name]
This global command is used to enable a previously disabled device.
instance_name                  This parameter specifies the name of the ART instance.
device_type                    This parameter specifies the type of the device.
device_id                      Optional. This parameter specifies the DeviceID.
user_name                      Optional. This parameter specifies the name of the user to which the
                               device is associated.
art device identification device disable <instance_name> <device_type>
[device_id] [user_name]
This global command is used to disable a previously enabled device. The disabled devices will
remain in the database and could be re-enabled later.
instance_name                  This parameter specifies the name of the ART instance.
device_type                    This parameter specifies the type of the device.
device_id                      Optional. This parameter specifies the DeviceID.
user_name                      Optional. This parameter specifies the name of the user to which the
                               device is associated.
clear art device identification device <instance_name> <device_type>
<device_id>
This global command is used to delete all the Device Based Identification authorization records
for a specified device.
instance_name                  This parameter specifies the name of the ART instance.
device_type                    This parameter specifies the type of the device.
device_id                      This parameter specifies the DeviceID.
clear art device identification user <instance_name> <user_name>
This global command is used to delete all the Device Based Identification authorization records
for a specified user.
instance_name                  This parameter specifies the name of the ART instance to which the
                               user belongs.
user_name                      This parameter specifies the name of the user.
clear art device identification all <instance_name>
This global command is used to delete all the Device Based Identification authorization records
for a specified instance.
instance_name                  This parameter specifies the name of the ART instance.
art device identification autoregistration enabled <instance_name>
This global command is used to enable Automatic Device Registration for the specified ART
instance.
instance_name                   This parameter specifies the name of the ART instance.
no art device identification autoregistration enabled <instance_name>
This global command is used to disable Automatic Device Registration for the specified ART
instance.
instance_name                   This parameter specifies the name of the ART instance.
art device identification autoregistration peruser <instance_name>
This global command is used to enable per-user Automatic Device Registration for the specified
ART instance. This option is valid only when Automatic Device Registration is enabled. When
this function is enabled, a device authorization request is created for each user who logs in from
the device for the first time, regardless of whether the device has already been registered for other
users.
instance_name                   This parameter specifies the name of the ART instance.
no art device identification autoregistration peruser <instance_name>
This global command is used to disable per-user Automatic Device Registration for the specified
ART instance.
instance_name                   This parameter specifies the name of the ART instance.
art device identification autoregistration accept <instance.index>
This global command is used to accept a pending device registration request.
instance.index                  This parameter specifies the name of the ART instance and the
                                device index (For example, default.3523).
art device identification autoregistration reject <instance.index>
This global command is used to reject a pending device registration request.
instance.index                  This parameter specifies the name of the ART instance and the
                                device index.
art device identification autoregistration acceptall <instance_name>
This global command is used to automatically accept all the registration requests for the specified
ART instance.
instance_name                   This parameter specifies the name of the ART instance.
no art device identification autoregistration acceptall <instance_name>
This global command is used to stop automatically accepting all the registration requests for the
specified ART instance.
instance_name                   This parameter specifies the name of the ART instance.
art device identification compact <instance_name>
This global command is used to delete all the rejected device registration requests and disabled
authorizations for the specified ART instance.
instance_name                   This parameter specifies the name of the ART instance.
show art device identification devices all <instance_name>
This global command is used to display all the information about device registration requests and
device authorizations for the specified ART instance.
instance_name                   This parameter specifies the name of the ART instance.
The information will be displayed in the following format “<Index>. <State> <User name>
<Device Type> <DeviceID>”, where:
    Index – Unique index of the request or authorization.
    State – Empty (when authorization is enabled), Disabled, Pending or Rejected.
    User name – Empty if the record is not associated to any specific user.
    Device Type – The type of the device, such as iPhone or iPad.
    DeviceID – The UDID of the device.
For example:
1. iPad elgel-we089u7-slnklnsed
12. (Disabled) user1 iPhone sdoih-24kl23-kjbna7
20. (Pending) iPhone hosdh-ksjd9783-sdkjse
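The record format above is simple to consume programmatically. The following is an added example, not Array Networks code: a Python parser for the output of `show art device identification devices all` that treats an empty State as an enabled authorization, an absent User name as "not associated with any specific user", and derives the working lists an administrator acts on (pending requests, records that `compact` would remove). It assumes, hypothetically, that user names and device types contain no spaces; the sample output is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output in the format the handbook documents:
# "<Index>. <State> <User name> <Device Type> <DeviceID>", where the State
# and User name fields may be absent. The device IDs are made up.
SAMPLE_OUTPUT = """\
1. iPad elgel-we089u7-slnklnsed
12. (Disabled) user1 iPhone sdoih-24kl23-kjbna7
20. (Pending) iPhone hosdh-ksjd9783-sdkjse
33. (Rejected) user2 iPad example-rejected-udid
41. user3 iPhone example-enabled-udid
"""

VALID_STATES = {"Enabled", "Disabled", "Pending", "Rejected"}


@dataclass
class DeviceRecord:
    index: int
    state: str               # "Enabled" when the State field is empty
    user: Optional[str]      # None when the record is not tied to a user
    device_type: str
    device_id: str


_RECORD = re.compile(r"^(\d+)\.\s+(.+)$")


def parse_record(line: str) -> DeviceRecord:
    """Parse one output line.

    Assumption (hypothetical, not stated by the handbook): user names and
    device types are single tokens without spaces.
    """
    m = _RECORD.match(line.strip())
    if not m:
        raise ValueError(f"not a device record: {line!r}")
    index = int(m.group(1))
    fields = m.group(2).split()
    # An empty State field means the authorization is enabled.
    state = "Enabled"
    if fields[0].startswith("(") and fields[0].endswith(")"):
        state = fields.pop(0)[1:-1]
        if state not in VALID_STATES:
            raise ValueError(f"unknown state {state!r} in {line!r}")
    if len(fields) == 3:
        user, device_type, device_id = fields
    elif len(fields) == 2:
        user = None
        device_type, device_id = fields
    else:
        raise ValueError(f"unexpected field count in {line!r}")
    return DeviceRecord(index, state, user, device_type, device_id)


def parse_output(text: str) -> List[DeviceRecord]:
    """Parse the whole command output, skipping blank lines."""
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def pending_indexes(records: List[DeviceRecord]) -> List[int]:
    """Requests still waiting for an accept or reject decision."""
    return [r.index for r in records if r.state == "Pending"]


def compactable(records: List[DeviceRecord]) -> List[DeviceRecord]:
    """Records that `art device identification compact` would remove:
    rejected requests and disabled authorizations."""
    return [r for r in records if r.state in ("Rejected", "Disabled")]


def enabled_without_user(records: List[DeviceRecord]) -> List[DeviceRecord]:
    """Enabled authorizations not associated with any specific user;
    these are the records most worth reviewing periodically."""
    return [r for r in records if r.state == "Enabled" and r.user is None]


if __name__ == "__main__":
    recs = parse_output(SAMPLE_OUTPUT)
    print("pending:", pending_indexes(recs))
    print("compactable:", [r.index for r in compactable(recs)])
    print("enabled, no user:", [r.index for r in enabled_without_user(recs)])
```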
show art device identification devices user <instance_name>
<user_name>
This global command is used to display the information about device registration requests and
device authorizations for the specified user.
instance_name                   This parameter specifies the name of the ART instance to which the
                                user belongs.
user_name                       This parameter specifies the name of the user.
show art device identification devices search <instance_name> <udid>
This global command is used to display the information about device registration requests and
device authorizations for the specified device.
instance_name                  This parameter specifies the name of the ART instance and the
                               device index (optional).
udid                           This parameter specifies the DeviceID.
show art device identification configuration <instance_name>
This global command is used to display the current settings of Device Based Identification for the
specified ART instance.
instance_name                  This parameter specifies the name of the ART instance.
Host SSO
art hostsso <instance_name> <host> <username> <password>
This global command is used to create or modify a Host SSO entry for the specified ART
instance.
instance_name                  This parameter specifies the name of the ART instance. Its value
                               should be a string of 1 to 50 characters.
host                           This parameter specifies the hostname. Its value should be a string
                               of 1 to 250 characters.
username                       This parameter specifies the username for logging into the host. Its
                               value should be a string of 1 to 100 characters.
password                       This parameter specifies the password for logging into the host. Its
                               value should be a string of 1 to 100 characters.
no art hostsso <instance_name> <host>
This global command is used to delete a specified Host SSO entry from the ART instance.
instance_name                  This parameter specifies the name of the ART instance.
host                           This parameter specifies the hostname.
show art hostsso <instance_name>
This global command is used to display all the Host SSO entries for the specified ART instance.
instance_name                  This parameter specifies the name of the ART instance.
Registration Policies
art registration policy desktopsperuser <instance_name> <max_number>
This global command is used to set the maximum number of desktops that can be registered by
each user in the specified ART instance.
instance_name                  This parameter specifies the name of the ART instance. Its value
                               should be a string of 1 to 50 characters.
max_number                     This parameter specifies the maximum number of desktops. Its
                               value should be an integer ranging from 0 to 4,294,967,295. “0”
                               means no limitation.
art registration policy multipleusers <instance_name>
{allowed|not-allowed|single}
This global command is used to specify whether a desktop can be registered by multiple users in
the specified ART instance.
instance_name                  This parameter specifies the name of the ART instance.
allowed|not-allowed|single     This parameter specifies whether the desktop can be registered by
                               multiple users. Its value can only be:
                                   allowed: indicates that the desktop can be registered by
                                    multiple users.
                                   not-allowed: indicates that the desktop cannot be registered by
                                    any users which belong to the specified instance.
                                   single: indicates that the desktop can only be registered by one
                                    user.
art registration policy registrationlifetime <instance_name> <days>
This global command is used to set the number of days for which the desktop remains available
after registration in the specified ART instance.
instance_name                  This parameter specifies the name of the ART instance.
days                           This parameter specifies the number of days the desktop remains
                               available after registration. Its value should be an integer ranging
                               from 0 to 4,294,967,295. “0” means that the desktop will always be
                               available.
show art registration policy <instance_name>
This global command is used to display all the registration policy configurations for the specified
ART instance.
instance_name                   This parameter specifies the name of the ART instance.
SMX & VMView SSO
art vdiauth {on|off} <instance_name>
This global command is used to enable or disable the VDI authentication for the specified ART
instance.
instance_name                   This parameter specifies the name of the ART instance. Its value
                                should be a string of 1 to 50 characters.
art vdiauth account <instance_name> <user_name> <ad_user> <ad_pw>
This global command is used to configure a VDI authentication account for the specified user.
instance_name                   This parameter specifies the name of the ART instance to which the
                                user belongs.
user_name                       This parameter specifies the name of the user. Its value should be a
                                string of 1 to 100 characters.
ad_user                         This parameter specifies the username of the AD server. Its value
                                should be a string of 1 to 255 characters.
ad_pw                           This parameter specifies the password of the AD server. Its value
                                should be a string of 1 to 255 characters.
no art vdiauth account <instance_name> [user_name]
This global command is used to delete a VDI authentication account for the specified user.
instance_name                   This parameter specifies the name of the ART instance to which the
                                user belongs.
user_name                       Optional. This parameter specifies the name of the user. If this
                                parameter is not specified, the operation will apply to all the users
                                in the specified ART instance.
show art vdiauth account <instance_name> [user_name]
This global command is used to display VDI authentication account information for the specified
user.
instance_name                  This parameter specifies the name of the ART instance to which the
                               user belongs.
user_name                      Optional. This parameter specifies the name of the user. If this
                               parameter is not specified, the operation will apply to all the users
                               in the specified ART instance.
show art vdiauth conf
This global command is used to display all the VDI authentication information.
Replication
art replication enable
This global command is used to enable the Replication function.
no art replication enable
This global command is used to disable the Replication function.
art replication join <ip>
This global command is used to specify a member to join a replication group.
ip                             This parameter specifies the IP address of the member. Its value
                               should be given in dotted decimal notation.
art replication leave
This global command is used to leave the replication group.
art replication master enable
This global command is used to enable the replication as the master.
art replication peer define <ip>
This global command is used to specify a replication peer.
ip                             This parameter specifies the IP address of the peer. Its value should
                               be given in dotted decimal notation.
no art replication peer define <ip>
This global command is used to delete an existing replication peer.
ip                             This parameter specifies the IP address of the peer.
clear art replication peer all
This global command is used to delete all replication peers.
show art replication status
This global command is used to display the current replication status.
Client Package
art client package import package <package_name> <url> [clean]
This global command is used to import a client package.
package_name                   This parameter specifies the name of the package. Its value should
                               be a string of 1 to 100 characters.
url                            This parameter specifies the URL of the package. Its value should
                               be a string of 1 to 255 characters.
clean                          Optional. If this parameter is specified, the temporary file generated
                               by importing the package will be deleted. Its value can only be
                               “clean”.
show art client package configuration [package_name]
This global command is used to display the client package configuration. If the parameter
“package_name” is not specified, a list of all the client packages will be displayed.
package_name                   Optional. This parameter specifies the name of the package to be
                               displayed.
clear art client package all
This global command is used to delete all the client packages.
Application Publishing
Terminal Server
art application terminalserver server define {host|ip} [port] [server_name]
This global command is used to create a new terminal server.
host|ip                         This parameter specifies the hostname or the IP address of the
                                terminal server. The value of the hostname should be a string of 1
                                to 255 characters and the value of the IP address should be given in
                                dotted decimal notation.
port                            Optional. This parameter specifies the RDP port configured on the
                                server. Its value should be an integer ranging from 1 to 65535, and
                                defaults to 3389.
server_name                     Optional. This parameter specifies the name of the terminal server.
                                Its value should be a string of 1 to 255 characters. If this parameter
                                is not specified, the hostname or IP address provided by the
                                administrator will be used as the terminal server name.
no art application terminalserver server define <server_name>
This global command is used to delete an existing terminal server and all the related settings.
server_name                     This parameter specifies the name of the terminal server.
art application terminalserver server enabled <server_name>
This global command is used to enable a terminal server.
server_name                     This parameter specifies the name of the terminal server.
no art application terminalserver server enabled <server_name>
This global command is used to disable a terminal server. The disabled terminal server remains in
the configuration, but it will not be used by any applications.
server_name                     This parameter specifies the name of the terminal server.
show art application terminalserver server [server_name]
This global command is used to display the application publishing configuration of a specified
terminal server.
server_name                     Optional. This parameter specifies the name of the terminal server
                                to be displayed. If this parameter is not specified, configurations of
                                all the terminal servers will be displayed.
art application terminalserver servergroup define <group_name>
This global command is used to create a terminal server group.
group_name                     This parameter specifies the name of the terminal server group. Its
                               value should be a string of 1 to 250 characters.
no art application terminalserver servergroup define <group_name>
This global command is used to delete an existing terminal server group.
group_name                     This parameter specifies the name of the terminal server group.
art application terminalserver servergroup rename <old_group_name>
<new_group_name>
This global command is used to rename an existing terminal server group.
old_group_name                 This parameter specifies the current name of the terminal server
                               group. Its value should be a string of 1 to 250 characters.
new_group_name                 This parameter specifies the new name of the terminal server group.
                               Its value should be a string of 1 to 250 characters.
art application terminalserver servergroup member <group_name>
<server_name>
This global command is used to add a terminal server to the specified terminal server group.
group_name                     This parameter specifies the name of the terminal server group.
server_name                    This parameter specifies the name of the terminal server.
no art application terminalserver servergroup member <group_name>
<server_name>
This global command is used to delete an existing terminal server from the specified terminal
server group.
group_name                     This parameter specifies the name of the terminal server group.
server_name                    This parameter specifies the name of the terminal server.
show art application terminalserver servergroup [group_name]
This global command is used to display the configuration of a specified terminal server group.
group_name                     Optional. This parameter specifies the name of the terminal server
                               group to be displayed. If this parameter is not specified,
                               configurations of all the terminal server groups will be displayed.
art application terminalserver application define <app_name>
This global command is used to create a terminal server based application.
app_name                        This parameter specifies the name of the application. Its value
                                should be a string of 1 to 255 characters.
no art application terminalserver application define <app_name>
This global command is used to delete an existing terminal server based application.
app_name                        This parameter specifies the name of the application.
art application terminalserver application rename <old_app_name>
<new_app_name>
This global command is used to rename an existing terminal server based application.
old_app_name                    This parameter specifies the current name of the application. Its
                                value should be a string of 1 to 255 characters.
new_app_name                    This parameter specifies the new name of the application. Its value
                                should be a string of 1 to 255 characters.
art application terminalserver application description <app_name>
<description>
This global command is used to add the description of the specified application.
app_name                        This parameter specifies the name of the application.
description                     This parameter specifies the description. Its value should be a string
                                of 1 to 255 characters.
no art application terminalserver application description <app_name>
This global command is used to delete the description of the specified application.
app_name                        This parameter specifies the name of the application.
art application terminalserver application location <app_name> <location>
This global command is used to set the location of the specified application. The location refers to
the path and the name of the executable application on the terminal server.
app_name                        This parameter specifies the name of the application.
location                        This parameter specifies the location of the application. Its value
                                should be a string of 1 to 255 characters.
art application terminalserver application directory <app_name>
<directory>
This global command is used to set the remote working directory of the specified application after
the user logs into the DD client.
app_name                        This parameter specifies the name of the application.
directory                       This parameter specifies the directory of the application. Its value
                                should be a string of 1 to 255 characters.
no art application terminalserver application directory <app_name>
This global command is used to delete the remote working directory of the specified application.
app_name                        This parameter specifies the name of the application.
art application terminalserver application folder <app_name> <folder>
This global command is used to set the folder where the specified application will be displayed
after the user logs into the DD client.
app_name                        This parameter specifies the name of the application.
folder                          This parameter specifies the folder of the application. Its value
                                should be a string of 1 to 255 characters. It supports multi-layer
                                folders separated by the “\” character. For example, “Daily\Office”
                                will display the application in the Office folder under the Daily folder.
no art application terminalserver application folder <app_name>
This global command is used to delete the folder of the specified application.
app_name                        This parameter specifies the name of the application.
art application terminalserver application enabled <app_name>
This global command is used to enable the specified application.
app_name                        This parameter specifies the name of the application.
no art application terminalserver application enabled <app_name>
This global command is used to disable the specified application. A disabled application remains
in the configuration, but it will not be presented to the user.
app_name                        This parameter specifies the name of the application.
art application terminalserver application server <app_name>
{server|server_group}
This global command is used to add a server (or a group of servers) to the list of servers that host
the specified application. When the user selects to launch the application, DesktopDirect will
select one of the servers.
app_name                        This parameter specifies the name of the application.
server|server_group             This parameter specifies the name of the server or server group. Its
                                value should be a string of 1 to 255 characters.
no art application terminalserver application server <app_name>
{server|server_group}
This global command is used to delete an existing server (or a group of servers) from the list of
servers that host the specified application.
app_name                        This parameter specifies the name of the application.
server|server_group             This parameter specifies the name of the server or server group.
art application terminalserver application windowsize fullscreen
<app_name>
This global command is used to set the application to be displayed in a window that will cover the
length and width of the screen.
app_name                        This parameter specifies the name of the application.
art application terminalserver application windowsize custom
<app_name> <width> <height>
This global command is used to set the width and the height of the window where the application
will be displayed.
app_name                        This parameter specifies the name of the application.
width                           This parameter specifies the width of the window in pixels. Its
                                value should be an integer ranging from 1 to 65,535.
height                         This parameter specifies the height of the window in pixels. Its
                               value should be an integer ranging from 1 to 65,535.
art application terminalserver application refreshicon <app_name>
This global command is used to refresh the icon of the application by communicating with one of
the servers that host the application.
app_name                       This parameter specifies the name of the application.
show art application terminalserver application [app_name]
This global command is used to display the configuration of a specified application. If the
“app_name” parameter is not specified, configurations of all the applications will be displayed.
app_name                       Optional. This parameter specifies the name of the application to be
                               displayed.
clear art application terminalserver
This global command is used to delete all the terminal server based application configurations.
XenApp Definition
art application xenapp farm define <farm_name>
This global command is used to define a new XenApp server farm from which XenApp
applications will be launched.
farm_name                      This parameter specifies the name of the farm. Its value should be a
                               string of 1 to 255 characters.
no art application xenapp farm define <farm_name>
This global command is used to delete an existing XenApp server farm.
farm_name                      This parameter specifies the name of the farm.
art application xenapp farm rename <old_farm_name> <new_farm_name>
This global command is used to rename an existing XenApp farm.
old_farm_name                  This parameter specifies the current name of the farm. Its value
                               should be a string of 1 to 255 characters.
new_farm_name                  This parameter specifies the new name of the farm. Its value should
                               be a string of 1 to 255 characters.
art application xenapp farm enabled <farm_name>
This global command is used to enable a specified XenApp server farm.
farm_name                     This parameter specifies the name of the farm.
no art application xenapp farm enabled <farm_name>
This global command is used to disable a specified XenApp server farm. When disabled, the farm
retains the configuration but its applications will not be presented to the user.
farm_name                     This parameter specifies the name of the farm.
art application xenapp farm folder <farm_name> <folder>
This global command is used to set a XenApp server farm folder where applications of a specified
XenApp server farm will be presented to the user.
farm_name                     This parameter specifies the name of the farm.
folder                        This parameter specifies the folder (on the user portal) where
                              applications of a specified XenApp server farm will be presented to
                              the user. For example, if folder “HR” is specified, all applications
                              from the farm will be presented under the HR folder that is
                              presented at the root of the user’s portal. Its value should be a string
                              of 1 to 255 characters.
no art application xenapp farm folder <farm_name>
This global command is used to delete a XenApp server farm folder.
farm_name                     This parameter specifies the name of the farm.
art application xenapp farm server <farm_name> <host|ip:port> [order]
This global command is used to add a new XenApp server to the XenApp server farm.
farm_name                     This parameter specifies the name of the farm.
host|ip:port                  This parameter specifies the hostname or IP address of the server.
                              The value of the hostname should be a string of 1 to 255 characters.
                              The port number of an IP address is optional, and defaults to 80.
order                         Optional. This parameter specifies the position of the newly added
                              server in the server farm. If it is not specified or larger than the
                              current number of servers in the farm, the server will be inserted as
                              the last one. Its value should be an integer ranging from 0 to
                              4,294,967,295, and defaults to 99,999.
no art application xenapp farm server <farm_name> <order>
This global command is used to delete an existing XenApp server from the XenApp server farm.
farm_name                     This parameter specifies the name of the farm.
order                         This parameter specifies the position of the server.
show art application xenapp farm [farm_name]
This global command is used to display the configuration of a XenApp server farm.
farm_name                     Optional. This parameter specifies the name of the farm to be
                              displayed. If this parameter is not specified, the configurations of
                              all XenApp server farms will be displayed.
clear art application xenapp
This global command is used to delete all XenApp related configuration.
Association
art application associate instance <app_or_farm> <instance_name>
This global command is used to associate a XenApp server farm or a Terminal Server based
application to a specified instance.
app_or_farm                   This parameter specifies the name of the XenApp server farm or the
                              Terminal Server based application. Its value should be a string of 1
                              to 255 characters.
instance_name                 This parameter specifies the name of the instance. Its value should
                              be a string of 1 to 50 characters.
no art application associate instance <app_or_farm> <instance_name>
This global command is used to disassociate a XenApp server farm or a Terminal Server based
application from a specified instance.
app_or_farm                   This parameter specifies the name of the XenApp server farm or the
                              Terminal Server based application.
instance_name                 This parameter specifies the name of the instance.
art application associate group <app_or_farm> <instance_name>
<group_name>
This global command is used to associate a XenApp server farm or a Terminal Server based
application to a specified group.
app_or_farm                   This parameter specifies the name of the XenApp server farm or the
                              Terminal Server based application.
instance_name                 This parameter specifies the name of the instance to which the
                              group belongs.
group_name                    This parameter specifies the name of the group. Its value should be
                              a string of 1 to 250 characters.
no art application associate group <app_or_farm> <instance_name>
<group_name>
This global command is used to disassociate a XenApp server farm or a Terminal Server based
application from a specified group.
app_or_farm                   This parameter specifies the name of the XenApp server farm or the
                              Terminal Server based application.
instance_name                 This parameter specifies the name of the instance to which the
                              group belongs.
group_name                    This parameter specifies the name of the group.
art application associate user <app_or_farm> <instance_name>
<user_name>
This global command is used to associate a XenApp server farm or a Terminal Server based
application to a specified user.
app_or_farm                   This parameter specifies the name of the XenApp server farm or the
                              Terminal Server based application.
instance_name                 This parameter specifies the name of the instance to which the user
                              belongs.
user_name                     This parameter specifies the name of the user. Its value should be a
                              string of 1 to 100 characters.
no art application associate user <app_or_farm> <instance_name>
<user_name>
This global command is used to disassociate a XenApp server farm or a Terminal Server based
application from a specified user.
app_or_farm                    This parameter specifies the name of the XenApp server farm or the
                               Terminal Server based application. Its value should be a string of 1
                               to 255 characters.
instance_name                  This parameter specifies the name of the instance to which the user
                               belongs.
user_name                      This parameter specifies the name of the user.
show art application associate [app_name]
This global command is used to display the association-related configuration of an application.
app_name                       Optional. This parameter specifies the name of the application to be
                               displayed. If this parameter is not specified, association-related
                               configuration for all applications will be displayed.
clear art application associate <app_name>
This global command is used to delete all association-related configuration of an application.
app_name                       This parameter specifies the name of the application.
External Providers
art external provider create <provider_name> <provider_type>
This global command is used to create an external provider.
provider_name                  This parameter specifies the name of the external provider. Its value
                               should be a string of 1 to 250 characters.
provider_type                  This parameter specifies the type of the external provider. Its value
                               can only be “xendesktop”, “vmview” or “epapi”.
        Note: According to the XML specification, the characters “<”, “&”, “>”, “"” and “'”
        must not be contained in XML contents. Because the XenDesktop provider sends the
        HTTP POST request in XML format, do not include those characters in the username
        or password when preparing an XML HTTP POST request.
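The following is an added example (not Array Networks code) that checks a credential against the five reserved characters named in the note before it is handed to the XenDesktop provider, and shows why the restriction exists: a value inserted verbatim into an XML body can stop the body from parsing at all. The <credentials> wrapper is a constructed stand-in, not the provider's real request format.

```python
"""Pre-check DesktopDirect credentials against the XML note in the handbook.

Added example, not Array Networks code. The <credentials> wrapper below is a
constructed stand-in for an XML HTTP POST body; the real XenDesktop provider
format is not documented on this page.
"""
import xml.etree.ElementTree as ET

# The five characters the XML specification reserves (as listed in the note).
XML_SPECIAL = frozenset('<&>"\'')


def xml_special_chars(value: str) -> list:
    """Return the reserved characters found in value, in first-seen order."""
    seen = []
    for ch in value:
        if ch in XML_SPECIAL and ch not in seen:
            seen.append(ch)
    return seen


def check_credential(username: str, password: str) -> dict:
    """Map each offending field name to the reserved characters it contains.

    An empty dict means both values are safe to place in an XML request body;
    a non-empty dict tells the administrator which field must be changed.
    """
    problems = {}
    for field, value in (("username", username), ("password", password)):
        bad = xml_special_chars(value)
        if bad:
            problems[field] = bad
    return problems


def naive_body(username: str, password: str) -> str:
    """Constructed XML body with both values inserted verbatim (no escaping)."""
    return (f"<credentials><user>{username}</user>"
            f"<pass>{password}</pass></credentials>")


def body_is_well_formed(body: str) -> bool:
    """True if a standard XML parser accepts the body unchanged."""
    try:
        ET.fromstring(body)
        return True
    except ET.ParseError:
        return False


def roundtrips(username: str, password: str) -> bool:
    """True if the parsed body still carries exactly the submitted values."""
    try:
        root = ET.fromstring(naive_body(username, password))
    except ET.ParseError:
        return False
    return (root.findtext("user") == username
            and root.findtext("pass") == password)


if __name__ == "__main__":
    # Constructed sample credentials; only the first one passes the check.
    for user, pw in (("alice", "S3cret-Pass"), ("bob", "p<ss&word"), ("carol", "a'b\"c")):
        print(user, check_credential(user, pw),
              "well-formed" if body_is_well_formed(naive_body(user, pw)) else "parse error")
```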
art external provider rename <old_name> <new_name>
This global command is used to rename an existing external provider.
old_name                       This parameter specifies the current name of the external provider.
new_name                       This parameter specifies the new name of the external provider.
art external provider config xendesktop <provider_name> <host|ip> <port>
<domain>
This global command is used to configure a XenDesktop data collector for the specified external
provider.
provider_name                  This parameter specifies the name of the external provider.
host|ip                        This parameter specifies the hostname or IP address of the
                               XenDesktop data collector. Its value should be a string of 1 to 255
                               characters.
port                           This parameter specifies the port of the XenDesktop data collector.
                               Its value should be an integer ranging from 1 to 65,535, and
                               defaults to 80.
domain                         This parameter specifies the domain name of the XenDesktop data
                               collector. Its value should be a string of 1 to 255 characters.
no art external provider config xendesktop <provider_name> <host|ip>
<port>
This global command is used to remove the XenDesktop data collector configuration of the
specified external provider.
provider_name                  This parameter specifies the name of the external provider.
host|ip                        This parameter specifies the hostname or IP address of the
                               XenDesktop data collector.
port                           This parameter specifies the port of the XenDesktop data collector.
art external provider config vmview <provider_name> <host|ip> <port>
<domain> <timeout>
This global command is used to configure a VMView connection server for the specified external
provider.
provider_name                This parameter specifies the name of the external provider.
host|ip                      This parameter specifies the hostname or IP address of the VMView
                             connection server. Its value should be a string of 1 to 255
                             characters.
port                         This parameter specifies the port of the VMView connection server.
                             Its value should be an integer ranging from 1 to 65,535, and
                             defaults to 443.
domain                       This parameter specifies the domain name of the VMView
                             connection server. Its value should be a string of 1 to 255
                             characters.
timeout                      This parameter specifies the timeout value of the connection
                             between AG and the VMView connection server. Its value should
                             be an integer ranging from 1 to 65,535.
no art external provider config vmview <provider_name> <host|ip> <port>
This global command is used to remove the VMView connection server configuration of the
specified external provider.
provider_name                This parameter specifies the name of the external provider.
host|ip                      This parameter specifies the hostname or IP address of the VMView
                             connection server.
port                         This parameter specifies the port of the VMView connection server.
art external provider config epapi <provider_name> <host|ip> <port>
This global command is used to configure an External Provider (EP) Application Programming
Interface (API) server for a specified external provider.
provider_name                This parameter specifies the name of the external provider.
host|ip                      This parameter specifies the hostname or IP address of the EP API
                             server. Its value should be a string of 1 to 255 characters.
port                         This parameter specifies the port of the EP API server. Its value
                             should be an integer ranging from 1 to 65,535.
no art external provider config epapi <provider_name> <host|ip> <port>
This global command is used to remove the EP API server configuration of the specified external
provider.
provider_name                  This parameter specifies the name of the external provider.
host|ip                        This parameter specifies the hostname or IP address of the EP API
                               server.
port                           This parameter specifies the port of the EP API server.
art external provider assign instance <provider_name> <instance_name>
This global command is used to assign an external provider to a specified ART instance.
provider_name                  This parameter specifies the name of the external provider.
instance_name                  This parameter specifies the name of the ART instance to which the
                               external provider is assigned. Its value should be a string of 1 to 50
                               characters.
no art external provider assign instance <provider_name>
<instance_name>
This global command is used to delete the assignment of the external provider to the specified
ART instance.
provider_name                  This parameter specifies the name of the external provider.
instance_name                  This parameter specifies the name of the ART instance to which the
                               external provider is assigned.
show art external provider assignment instance <provider_name>
This global command is used to display assignments of the specified external provider by ART
instance.
provider_name                  This parameter specifies the name of the external provider.
art external provider assign group <provider_name> <instance_name>
<group_name>
This global command is used to assign an external provider to a specified group.
provider_name                  This parameter specifies the name of the external provider.
instance_name                  This parameter specifies the name of the ART instance to which the
                               group belongs.
group_name                     This parameter specifies the name of the group to which the
                               external provider is assigned. Its value should be a string of 1 to
                               250 characters.
no art external provider assign group <provider_name> <instance_name>
<group_name>
This global command is used to delete the assignment of the external provider to the specified
group.
provider_name                  This parameter specifies the name of the external provider.
instance_name                  This parameter specifies the name of the ART instance to which the
                               group belongs.
group_name                     This parameter specifies the name of the group to which the
                               external provider is assigned.
show art external provider assignment group <provider_name>
This global command is used to display assignments of the specified external provider by group.
provider_name                  This parameter specifies the name of the external provider.
art external provider assign user <provider_name> <instance_name>
<user_name>
This global command is used to assign an external provider to a specified user.
provider_name                  This parameter specifies the name of the external provider.
instance_name                  This parameter specifies the name of the ART instance to which the
                               user belongs.
user_name                      This parameter specifies the name of the user to which the external
                               provider is assigned. Its value should be a string of 1 to 100
                               characters.
no art external provider assign user <provider_name> <instance_name>
<user_name>
This global command is used to delete the assignment of the external provider to the specified
user.
provider_name                  This parameter specifies the name of the external provider.
instance_name                  This parameter specifies the name of the ART instance to which the
                               user belongs.
user_name                      This parameter specifies the name of the user to which the external
                               provider is assigned.
show art external provider assignment user <provider_name>
This global command is used to display assignments of the specified external provider by user.
provider_name                  This parameter specifies the name of the external provider.
show art external provider assignment name <provider_name>
This global command is used to display all assignments of the specified external provider.
provider_name                  This parameter specifies the name of the external provider.
show art external provider name <provider_name>
This global command is used to display the external provider by the provider name.
provider_name                  This parameter specifies the name of the external provider.
show art external provider type <provider_type>
This global command is used to display the external providers by the provider type.
provider_type                  This parameter specifies the type of the external provider. Its value
                               can only be “xendesktop”, “vmview” or “epapi”.
show art external provider all
This global command is used to display all the external providers.
clear art external provider [provider_name]
This global command is used to delete the specified external provider. If the parameter
“provider_name” is not specified, all the external providers will be deleted.
provider_name                  Optional. This parameter specifies the name of the external
                               provider.
Data Protection
art dataprotection default redirect <option>
This global command is used to enable a specified data protection redirection option. These
settings will apply to all users who do not have a custom policy assigned to them.
option                         This parameter specifies the option to be enabled. Its value can only
                               be:
                                   drive
                                   clipboard
                                   printer
                                   smartcard
                                   ports
                                   POS
no art dataprotection default redirect <option>
This global command is used to disable the specified data protection redirection option.
option                         This parameter specifies the option to be disabled.
art dataprotection custom define <policy_name>
This global command is used to create a custom data protection policy.
policy_name                    This parameter specifies the name of the policy. Its value should be
                               a string of 1 to 255 characters.
no art dataprotection custom define <policy_name>
This global command is used to delete a custom data protection policy.
policy_name                    This parameter specifies the name of the policy.
art dataprotection custom rename <old_policy> <new_policy>
This global command is used to rename an existing custom data protection policy.
old_policy                     This parameter specifies the current name of the policy to be
                               renamed.
new_policy                     This parameter specifies the new name of the policy.
art dataprotection custom redirect <option> <policy_name>
This global command is used to enable the specified redirection option for the specified policy.
option                          This parameter specifies the option to be enabled. Its value can only
                                be:
                                    drive
                                    clipboard
                                    printer
                                    smartcard
                                    ports
                                    POS
policy_name                     This parameter specifies the name of the policy.
no art dataprotection custom redirect <option> <policy_name>
This global command is used to disable the specified redirection option for the specified policy.
option                          This parameter specifies the option to be disabled.
policy_name                     This parameter specifies the name of the policy.
art dataprotection assign instance <policy_name> <instance_name>
This global command is used to assign a data protection policy to a specified ART instance.
policy_name                     This parameter specifies the name of the policy.
instance_name                   This parameter specifies the name of the ART instance to which the
                                policy is assigned. Its value should be a string of 50 characters.
no art dataprotection assign instance <policy_name> <instance_name>
This global command is used to delete the assignment of the data protection policy to the specified
ART instance.
policy_name                     This parameter specifies the name of the policy.
instance_name                   This parameter specifies the name of the ART instance to which the
                                policy is assigned.
art dataprotection assign group <policy_name> <instance_name>
<group_name>
This global command is used to assign a data protection policy to a specified group.
policy_name                    This parameter specifies the name of the policy.
instance_name                  This parameter specifies the name of the ART instance to which the
                               group belongs.
group_name                     This parameter specifies the name of the group to which the policy
                               is assigned. Its value should be a string of 250 characters.
no art dataprotection assign group <policy_name> <instance_name>
<group_name>
This global command is used to delete the assignment of the data protection policy to the specified
group.
policy_name                    This parameter specifies the name of the policy.
instance_name                  This parameter specifies the name of the ART instance to which the
                               group belongs.
group_name                     This parameter specifies the name of the group to which the policy
                               is assigned.
art dataprotection assign user <policy_name> <instance_name>
<user_name>
This global command is used to assign a data protection policy to a specified user.
policy_name                    This parameter specifies the name of the policy.
instance_name                  This parameter specifies the name of the ART instance to which the
                               user belongs.
user_name                      This parameter specifies the name of the user to which the policy is
                               assigned. Its value should be a string of 100 characters.
no art dataprotection assign user <policy_name> <instance_name>
<user_name>
This global command is used to delete the assignment of the data protection policy to the specified
user.
policy_name                     This parameter specifies the name of the policy.
instance_name                   This parameter specifies the name of the ART instance to which the
                                user belongs.
user_name                       This parameter specifies the name of the user to which the policy is
                                assigned.
show art dataprotection policy [policy_name]
This global command is used to display the configuration of a policy. If the parameter
“policy_name” is not specified, all the configured policies and related information will be
displayed.
policy_name                     Optional. This parameter specifies the name of the policy.
Client Settings
art client settings set <set_name>
This global command is used to define a new client settings set.
set_name                        This parameter specifies the name of the set. Its value should be a
                                string of 1 to 100 characters.
no art client settings set <set_name>
This global command is used to delete an existing client settings set.
set_name                        This parameter specifies the name of the set.
show art client settings set [set_name]
This global command is used to display the client settings set configuration. If the parameter
“set_name” is not specified, a list of all the client settings sets will be displayed.
set_name                        Optional. This parameter specifies the name of the set to be
                                displayed.
art client settings custom <set_name> <platform> <custom_parameter>
<custom_value>
This global command is used to configure custom client settings. Administrators can define their
own feature and its corresponding value, which will be applied on clients of the specified platform.
set_name                      This parameter specifies the name of the set.
platform                      This parameter specifies the platform. Its value must only be:
                                  all
                                  windows
                                  macos
                                  iphone
                                  ipad
                                  android
custom_parameter              This parameter specifies the name of the feature. For the supported
                              parameter values, please refer to the following table for details.
custom_value                  This parameter specifies the value of the feature. For the supported
                              parameter values, please refer to the following table for details.
                    Table 15-1 Parameter Types of the Custom Parameter
        Note: The default values in the following table indicate the values that will be used by the
        system if this command is not executed.
Custom Parameter              Description and Value
audiocapturemode              Determines whether to record the sound on the local computer.
                                  0: The sound is not recorded.
                                  1: The sound is recorded.
                              The default value is 0.
compression                   Determines whether to enable the bulk compression.
                                  0: The bulk compression is disabled.
                                  1: The bulk compression is enabled.
                              The default value is 1.
videoplaybackmode             Determines whether the RDP efficient multimedia streaming for video
                              playback will be used.
                                  0: The RDP efficient multimedia streaming is not used for video
                                  playback.
                                  1: The RDP efficient multimedia streaming is used for video
                                  playback.
                              The default value is 1.
allow_font_smoothing          Determines whether to enable the font smoothing for the remote
                              session.
                                  0: The font smoothing is disabled.
                                  1: The font smoothing is enabled.
                              The default value is 1.
allow_desktop_composition     Determines whether to enable the desktop composition (needed for
                              Aero) when the end user logs into the remote host.
                                  0: The desktop composition is disabled.
                                  1: The desktop composition is enabled.
                              The default value is 0.
disable_cursor_setting        Determines whether to enable cursor blinking during a Terminal
                              Services session.
                                  0: The cursor blinking is enabled.
                                  1: The cursor blinking is disabled.
                              The default value is 0.
redirectdirectx               Determines whether to enable the DirectX for the remote session.
                                  0: The DirectX is disabled.
                                  1: The DirectX is enabled.
                              The default value is 1.
autoreconnection_enabled      Determines whether the client will automatically try to reconnect
                              to the remote host if the connection is dropped.
                                  0: The client does not automatically try to reconnect.
                                  1: The client automatically tries to reconnect.
                              The default value is 0.
prompt_for_credentials        Determines whether a prompt for credentials will be displayed when
                              the end user connects to a remote host for which the credentials
                              have been previously saved.
                                  0: The saved credentials will be used and no prompt for
                                  credentials will be displayed.
                                  1: The prompt for credentials will be displayed.
                              The default value is 0.
negotiate_security_layer      Determines whether the security layer negotiation is enabled.
                                  0: The security layer negotiation is disabled and the session
                                  is started by using SSL.
                                  1: The security layer negotiation is enabled and the session is
                                  started by using x.224 encryption.
                              The default value is 1.
gatewayprofileusagemethod     Determines whether the authentication method will be used for the
                              remote desktop gateway.
                                  0: The authentication method will not be used.
                                  1: The authentication method will be used.
                              The default value is 0.
promptcredentialonce          Determines whether to use the same credential for both the remote
                              desktop gateway and the remote host.
                                  0: The same credential will not be used.
                                  1: The same credential will be used.
                              The default value is 0.
connection_type               Determines the connection speed of the client.
                                  1: Set the connection speed to Modem (56 Kbps).
                                  2: Set the connection speed to Low-speed broadband (256 Kbps –
                                  2 Mbps).
                                  3: Set the connection speed to Satellite (2 Mbps – 16 Mbps with
                                  high latency).
                                  4: Set the connection speed to High-speed broadband (2 Mbps –
                                  10 Mbps).
                                  5: Set the connection speed to WAN (10 Mbps or higher with high
                                  latency).
                                  6: Set the connection speed to LAN (10 Mbps or higher).
                              The default value is 2.
                            Determines how to use the           0: The remote desktop
gatewayusagemethod          remote desktop gateway               gateway server is not used.
                            server.                              The bypass remote desktop
                                                                 gateway server for local
2000-2018 Array Networks, Inc.
                                                                                           450
All Rights Reserved.
                                                                 Chapter 15 DesktopDirect
                                                                  address check box is cleared.
                                                                 1: The remote desktop
                                                                  gateway server is always
                                                                  used, even for local
                                                                  connections.
                                                                 2: The remote desktop
                                                                  gateway server is used if the
                                                                  end user cannot connect to
                                                                  the remote host directly (for
                                                                  example, bypass for local IP
                                                                  addresses).
                                                                 3: The default remote
                                                                  gateway settings are used.
                                                                 4: The remote desktop
                                                                  gateway server is not used.
                                                                  The bypass remote desktop
                                                                  gateway server for local
                                                                  address check box is cleared.
                                                             The default value is 4.
                                                                 0: The password is required
                                                                  (NTLM).
                            Specifies the credentials that
                            should be used to validate the       1: The smart card is used.
gatewaycredentialssource
                            connection to the remote
                                                                 4: Allow end users to select
                            desktop gateway.
                                                                  later.
                                                             The default value is 4.
                            Specifies the maximum
                            number of times the client       Its value is an integer ranging from
autoreconnect_max_retries   will try to reconnect to the     1 to 200.
                            remote host if the connection    The default value is 1.
                            is dropped.
                                                                 0: The multiple monitor is
                                                                  disabled.
                            Determines whether to
multimon                                                         1: The multiple monitor is
                            support the multiple monitor.
                                                                  enabled.
                                                             The default value is 0.
                            Determines whether the
smart_sizing                window size of the client PC         0: The window size of the
                            can be adaptively adjusted.           client PC cannot be
2000-2018 Array Networks, Inc.
                                                                                               451
All Rights Reserved.
                                                                  Chapter 15 DesktopDirect
                                                                   adaptively adjusted.
                                                                  1: The window size of the
                                                                   client PC can be adaptively
                                                                   adjusted.
                                                              The default value is 1.
                                                                  0: The RemoteApp
                                                                   capabilities of the remote host
                            Determines whether the                 will be checked.
                            RemoteApp capabilities of
disableremoteappcapscheck                                         1: The RemoteApp
                            the remote host will be
                            checked.                               capabilities of the remote host
                                                                   will not be checked.
                                                              The default value is 1.
                                                                  0: No new session is started.
                            Determines whether a new               The current active session
                            terminal server session is             will be used.
disableconnectionsharing
                            started every time the                1: A new login session is
                            RemoteApp is launched.                 started for the RemoteApp.
                                                              The default value is 1.
                                                                  0: Monitor spanning is not
                            Determines whether the                 enabled.
                            remote session window will
span                                                              1: Monitor spanning is
                            be spanned across multiple
                            monitors.                              enabled.
                                                              The default value is 0.
                                                                  0: The RDP file will not be
                                                                   displayed in temp.
                            Determines whether the RDP
showrdpfile                                                       1 - The RDP file will be
                            file will be displayed in temp.
                                                                   displayed in temp.
                                                              The default value is 0.
                                                                  0: Windows key
                                                                   combinations are applied on
                            Determines how Windows                 the local computer.
                            key combinations are applied          1: Windows key
keyboardhook
                            when you are connected to a            combinations are applied on
                            remote host.                           the remote computer.
                                                                  2: Windows key
                                                                   combinations are applied in
2000-2018 Array Networks, Inc.
                                                                                                452
All Rights Reserved.
                                                                 Chapter 15 DesktopDirect
                                                                  full-screen mode only (Only
                                                                  when using the full screen).
                                                             The default value is 1.
                                                                 0: The sound will be played
                                                                  on the local host.
                           Controls whether to play the          1: The sound will be played
audiomode                  sound, and where to play the           on the remote host.
                           sound.
                                                                 2: The sound will not be
                                                                  played.
                                                             The default value is 0.
                           Controls whether to allow
                           users to access the remote
                           desktop that they have
                           accessed previously by
                           double clicking the RDP file
                           generated when accessing the
                           remote desktop via the
                           DesktopDirect portal for the
                           first time.
                                                                 0: Yes.
                           Note: With this parameter
                           configured, if a wrong                1: No. Users can access the
                           username or password was               remote desktop only via the
securityrdp
                           entered previously, users              DesktopDirect portal.
                           cannot log into the remote             (recommended)
                           desktop even with the valid
                                                             The default value is 1.
                           username and password until
                           users log out and log in again.
                           Please note that if the SSO
                           function is enabled using the
                           “art client settings sso”
                           command, this issue will also
                           occur if a wrong username or
                           password was used to log into
                           the virtual site previously.
                                                                 0: The window size of the
                           Controls whether to allow              published application cannot
                           users to adjust the window             be adjusted.
validappsize
                           size of the published                 1: The window size of the
                           application.                           published application can be
                                                                  adjusted.
2000-2018 Array Networks, Inc.
                                                                                             453
All Rights Reserved.
                                                                    Chapter 15 DesktopDirect
                                                                   The default value is 0.
screen_mode_id                Controls how to decide the
                                                                    1: The size of the RDP
                              size of the RDP window.
                                                                     window will be decided by
                              This configuration can take
                                                                     the setting specified by the
                              effect only when the
                                                                     “art client settings
                              mult-monitor (configured by
                                                                     screensize” command.
                              using the “multimon” custom
                              parameter) is disabled.               2: The size of the RDP
                                                                     window is full screen no
                                                                     matter whether the “art client
                                                                     settings screensize”
                                                                     command is configured or
                                                                     not.
                                                              The default value is 1.
                                                                    0: If server authentication
                                                                     fails, connect without giving
                                                                     a warning.
                                                                    1: If server authentication
                                                                     fails, do not connect.
                              Determines what should
                                                                    2: If server authentication
authentication_level          happen when server
                                                                     fails, show a warning and
                              authentication fails.
                                                                     allow the user to connect or
                                                                     not.
                                                                    3: Server authentication is not
                                                                     required.
                                                              The default value is 2.
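The table above is the only specification of which values a custom parameter accepts and what it does when unset, so an operator hardening a client settings set has to read it by hand. The following is an added example, not Array Networks code: it encodes the table as a schema, validates a proposed set of custom parameters, fills in the documented defaults, and flags the values whose documented meaning weakens the session (authentication_level 0, 2 or 3, securityrdp 0, showrdpfile 1). The input format (a mapping of parameter name to the value string as typed on the CLI) and the severity labels are assumptions; the parameter names, allowed values and defaults come from the table.

```python
"""Audit a DesktopDirect custom-parameter set against the documented value table.

Added example, not Array Networks code. Parameter names, allowed values and
defaults are taken from the custom parameter table; the input format and the
severity labels are assumptions made for this example.
"""
from dataclasses import dataclass

# name -> (allowed values, documented default)
SCHEMA: dict[str, tuple[frozenset[int], int]] = {
    "negotiate_security_layer": (frozenset({0, 1}), 1),
    "gatewayprofileusagemethod": (frozenset({0, 1}), 0),
    "promptcredentialonce": (frozenset({0, 1}), 0),
    "connection_type": (frozenset(range(1, 7)), 2),
    "gatewayusagemethod": (frozenset(range(0, 5)), 4),
    "gatewaycredentialssource": (frozenset({0, 1, 4}), 4),
    "autoreconnect_max_retries": (frozenset(range(1, 201)), 1),
    "multimon": (frozenset({0, 1}), 0),
    "smart_sizing": (frozenset({0, 1}), 1),
    "disableremoteappcapscheck": (frozenset({0, 1}), 1),
    "disableconnectionsharing": (frozenset({0, 1}), 1),
    "span": (frozenset({0, 1}), 0),
    "showrdpfile": (frozenset({0, 1}), 0),
    "keyboardhook": (frozenset({0, 1, 2}), 1),
    "audiomode": (frozenset({0, 1, 2}), 0),
    "securityrdp": (frozenset({0, 1}), 1),
    "validappsize": (frozenset({0, 1}), 0),
    "screen_mode_id": (frozenset({1, 2}), 1),
    "authentication_level": (frozenset({0, 1, 2, 3}), 2),
}


@dataclass(frozen=True)
class Finding:
    severity: str      # "high", "medium" or "low" (assumed labels)
    parameter: str
    value: int
    message: str


def effective_settings(configured: dict[str, str]) -> dict[str, int]:
    """Validate configured values and fill in the documented defaults.

    Raises ValueError for an unknown parameter, a non-integer value or a value
    outside the documented range: a typo must not silently fall back to a default.
    """
    settings = {name: default for name, (_, default) in SCHEMA.items()}
    for name, raw in configured.items():
        if name not in SCHEMA:
            raise ValueError(f"unknown custom parameter: {name}")
        allowed, _ = SCHEMA[name]
        try:
            value = int(raw)
        except ValueError:
            raise ValueError(f"{name}: value {raw!r} is not an integer") from None
        if value not in allowed:
            raise ValueError(f"{name}: value {value} not in {sorted(allowed)}")
        settings[name] = value
    return settings


def audit(configured: dict[str, str]) -> list[Finding]:
    """Return the settings whose documented meaning weakens the RDP session."""
    s = effective_settings(configured)
    findings: list[Finding] = []
    auth = s["authentication_level"]
    if auth in (0, 3):
        findings.append(Finding("high", "authentication_level", auth,
            "server authentication failure is ignored (0) or not required (3); "
            "the client will connect to a host it cannot verify"))
    elif auth == 2:  # the documented default
        findings.append(Finding("medium", "authentication_level", auth,
            "a failed server authentication only shows a warning the user can "
            "accept; set 1 to refuse the connection"))
    if s["securityrdp"] == 0:
        findings.append(Finding("medium", "securityrdp", 0,
            "users can reconnect by double-clicking the saved RDP file, bypassing "
            "the DesktopDirect portal; 1 is the documented recommendation"))
    if s["showrdpfile"] == 1:
        findings.append(Finding("low", "showrdpfile", 1,
            "the generated RDP file is displayed in temp, exposing the connection "
            "parameters to the end user"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a set as an operator might have configured it
    sample = {"authentication_level": "0", "securityrdp": "0", "connection_type": "6"}
    for f in audit(sample):
        print(f"[{f.severity}] {f.parameter}={f.value}: {f.message}")
```

Note that an empty set is not clean: because authentication_level defaults to 2, the audit reports the default itself, which is the point of computing effective settings rather than only inspecting what was explicitly configured.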
no art client settings custom <set_name> <platform> <custom_parameter>
This global command is used to remove a custom client setting.
set_name                      This parameter specifies the name of the set.
platform                      This parameter specifies the platform.
custom_parameter              This parameter specifies the name of the custom parameter to be
                              removed.
art client settings powermanagement <set_name> <platform>
{enabled|disabled}
This global command is used to enable or disable the power management function.
set_name                        This parameter specifies the name of the set.
platform                        This parameter specifies the platform.
enabled|disabled                This parameter specifies whether power management is enabled or
                                not.
art client settings sso <set_name> <platform> {enabled|disabled} [domain]
This global command is used to enable or disable the single-sign-on (SSO) function.
set_name                        This parameter specifies the name of the set.
platform                        This parameter specifies the platform.
enabled|disabled                This parameter specifies whether single-sign-on is enabled or not.
domain                          Optional. This parameter specifies the name of the domain to be
                                used when SSO is enabled. Its value should be a string of 1 to 255
                                characters.
art client settings keepalive <set_name> <platform> [second]
This global command is used to set the interval at which the clients are allowed to send
Keep-Alive packets to AG.
set_name                        This parameter specifies the name of the set.
platform                        This parameter specifies the platform.
second                          Optional. This parameter specifies the interval in seconds. Its value
                                should be an integer ranging from 1 to 60, and defaults to 60.
art client settings customdestinations <set_name> <platform>
{enabled|disabled}
This global command is used to enable or disable the ability for the users associated with the set to
access non-registered desktops.
set_name                        This parameter specifies the name of the set.
platform                        This parameter specifies the platform.
enabled|disabled                This parameter specifies whether the users can access
                                non-registered desktops or not.
art client settings console <set_name> <platform> {enabled|disabled}
This global command is used to enable or disable console connections.
set_name                       This parameter specifies the name of the set.
platform                       This parameter specifies the platform.
enabled|disabled               This parameter specifies whether the console connections are
                               enabled or not.
art client settings screensize <set_name> <platform> <width> <height>
This global command is used to set the resolution of the remote desktop. The configuration can
take effect only when the multi-monitor (configured by using the “multimon” custom parameter in
the “art client settings custom” command) is disabled.
set_name                       This parameter specifies the name of the set.
platform                       This parameter specifies the platform.
width                          This parameter specifies the width that appears on the client. Its
                               value should be an integer ranging from 0 to 4,294,967,295.
height                         This parameter specifies the height that appears on the client. Its
                               value should be an integer ranging from 0 to 4,294,967,295.
art client settings colordepth <set_name> <platform> {0|8|16|24}
This global command is used to set the color depth of the remote desktop.
set_name                       This parameter specifies the name of the set.
platform                       This parameter specifies the platform.
0|8|16|24                      This parameter specifies the maximum number of colors supported
                               by a session. The higher the number the more bandwidth is
                               consumed. The default value is 0.
art client settings hideconnbar <set_name> <platform> {enabled|disabled}
This global command is used to display or hide the desktop connection bar at the top of the
window when the user connects to a desktop.
set_name                       This parameter specifies the name of the set.
platform                        This parameter specifies the platform.
enabled|disabled                This parameter specifies whether the desktop connection bar will be
                                displayed or not.
art client settings rdpagent <set_name> <platform> <url> [proxy]
This global command is used to set the RDP agent.
set_name                        This parameter specifies the name of the set.
platform                        This parameter specifies the platform.
url                             This parameter specifies the URL where the installation package
                                can be downloaded. Its value should be a string of 1 to 255
                                characters.
proxy                           Optional. This parameter specifies the proxy address and port (for
                                example, 192.168.1.1:8080). Its value should be a string of 1 to 255
                                characters.
no art client settings rdpagent <set_name> <platform>
This global command is used to remove RDP agent settings.
set_name                        This parameter specifies the name of the set.
platform                        This parameter specifies the platform.
art client settings citrix <set_name> <platform> <url> [proxy]
This global command is used to set the Citrix client.
set_name                        This parameter specifies the name of the set.
platform                        This parameter specifies the platform.
url                             This parameter specifies the URL where the installation package
                                can be downloaded. Its value should be a string of 1 to 255
                                characters.
proxy                           Optional. This parameter specifies the proxy address and port (for
                                example, 192.168.1.1:8080). Its value should be a string of 1 to 255
                                characters.
no art client settings citrix <set_name> <platform>
This global command is used to remove Citrix client settings.
set_name                        This parameter specifies the name of the set.
platform                        This parameter specifies the platform.
art client settings userexperience <set_name> <platform> <function>
{enabled|disabled}
This global command is used to configure RDP user experience related parameters.
set_name                        This parameter specifies the name of the set.
platform                        This parameter specifies the platform.
function                        This parameter specifies the function to be configured. Its value
                                must be one of:
                                    bitmapcaching
                                    desktopwallpaper
                                    fullwindowdrag
                                    menuanimation
                                    themes
enabled|disabled                This parameter specifies whether the function chosen is enabled or
                                not.
art client settings credential <set_name> <platform> {enabled|disabled}
This global command is used to allow or disallow the end users to store RDP login credentials on
the client PC. With this function enabled, a check box will be displayed on the client side so that
end users can decide whether to store their RDP login credentials by selecting this check box or
not. By default, this function is disabled.
set_name                        This parameter specifies the name of the set.
platform                        This parameter specifies the platform. Its value must be:
                                    windows: indicates that this function can be configured for the
                                    Windows platform.
                                    all: indicates that this function can be configured for all the
                                    platforms. Currently, the system only supports the Windows
                                    platform.
enabled|disabled                This parameter specifies whether to enable or disable the function.
                                Note: To support Network Level Authentication (NLA), this
                                parameter should be set to “enabled”. Otherwise, the remote PC will
                                reject the RDP session from AG.
art client settings alerts <set_name> <platform> <idle> <lifetime>
This global command is used to set a timeout alert. The user will be warned when the idle time or
lifetime of a session exceeds the configured value.
set_name                        This parameter specifies the name of the set.
platform                        This parameter specifies the platform.
idle                            This parameter specifies the idle timeout value in seconds. Its value
                                must be an integer ranging from 0 to 4,294,967,295. If it is set to 0,
                                the idle timeout alert is disabled and will not affect a user’s session.
lifetime                        This parameter specifies the lifetime timeout value in seconds. Its
                                value must be an integer ranging from 0 to 4,294,967,295. If it is set
                                to 0, the lifetime timeout alert is disabled and will not affect a user’s
                                session.
art client settings associate instance <set_name> <instance_name>
This global command is used to associate the client settings with the specified instance.
set_name                        This parameter specifies the name of the set.
instance_name                   This parameter specifies the name of the instance. Its value should
                                be a string of 1 to 50 characters.
no art client settings associate instance <set_name> <instance_name>
This global command is used to disassociate the client settings from the specified instance.
set_name                        This parameter specifies the name of the set.
instance_name                   This parameter specifies the name of the instance.
art client settings associate group <set_name> <instance_name>
<group_name>
This global command is used to associate the client settings with the specified group.
set_name                        This parameter specifies the name of the set.
instance_name                   This parameter specifies the instance to which the group belongs.
group_name                      This parameter specifies the name of the group. Its value should be
                                a string of 1 to 250 characters.
no art client settings associate group <set_name> <instance_name>
<group_name>
This global command is used to disassociate the client settings from the specified group.
set_name                        This parameter specifies the name of the set.
instance_name                   This parameter specifies the instance to which the group belongs.
group_name                      This parameter specifies the name of the group.
art client settings associate user <set_name> <instance_name>
<user_name>
This global command is used to associate the client settings with the specified user.
set_name                        This parameter specifies the name of the set.
instance_name                   This parameter specifies the instance to which the user belongs.
user_name                       This parameter specifies the name of the user. Its value should be a
                                string of 1 to 100 characters.
no art client settings associate user <set_name> <instance_name>
<user_name>
This global command is used to disassociate the client settings from the specified user.
set_name                        This parameter specifies the name of the set.
instance_name                   This parameter specifies the instance to which the user belongs.
user_name                       This parameter specifies the name of the user.
Client Verification
art clientverification rule define <rule> [url]
This global command is used to configure a client verification rule.
rule                            This parameter specifies the name of the rule. Its value should be a
                                string of 1 to 255 characters.
url                             Optional. This parameter specifies the URL of the rule. Its value
                                should be a string of 1 to 255 characters.
no art clientverification rule define <rule>
This global command is used to delete a client verification rule.
rule                            This parameter specifies the name of the rule.
art clientverification rule associate instance <rule> <instance_name>
This global command is used to associate a client verification rule with an instance.
rule                            This parameter specifies the name of the rule.
instance_name                   This parameter specifies the name of the instance. Its value should
                                be a string of 1 to 255 characters.
no art clientverification rule associate instance <rule> <instance_name>
This global command is used to disassociate a client verification rule from an instance.
rule                            This parameter specifies the name of the rule.
instance_name                   This parameter specifies the name of the instance.
art clientverification rule associate group <rule> <instance_name> <group_name>
This global command is used to associate a client verification rule with a group.
rule                            This parameter specifies the name of the rule.
instance_name                   This parameter specifies the instance to which the group belongs.
group_name                      This parameter specifies the name of the group. Its value should be
                                a string of 1 to 255 characters.
no art clientverification rule associate group <rule> <instance_name> <group_name>
This global command is used to disassociate a client verification rule from a group.
rule                            This parameter specifies the name of the rule.
instance_name                   This parameter specifies the instance to which the group belongs.
group_name                      This parameter specifies the name of the group.
art clientverification rule associate user <rule> <instance_name> <user_name>
This global command is used to associate a client verification rule with a user.
rule                            This parameter specifies the name of the rule.
instance_name                   This parameter specifies the instance to which the user belongs.
user_name                       This parameter specifies the name of the user. Its value should be a
                                string of 1 to 255 characters.
no art clientverification rule associate user <rule> <instance_name> <user_name>
This global command is used to disassociate a client verification rule from a user.
rule                            This parameter specifies the name of the rule.
instance_name                   This parameter specifies the instance to which the user belongs.
user_name                       This parameter specifies the name of the user.
show art clientverification rule associate <rule>
This global command is used to display the client verification rule associations.
rule                            This parameter specifies the name of the rule to be displayed.
show art clientverification rule content <rule>
This global command is used to display the client verification rule configuration.
rule                            This parameter specifies the name of the rule to be displayed.
show art clientverification rule all
This global command is used to display the list of all the client verification rules.
clear art clientverification all
This global command is used to delete the entire client verification settings.
ART Import and Export
Import
           Note: The files imported from the local file system or the remote TFTP server must be in
           the UTF-8 encoding format. Otherwise, the import might fail.
art import users file <instance_name> {add|skip} {refresh|append} <file_name>
This global command is used to import the information of the users and their desktops from the
local file system to the database.
instance_name                    This parameter specifies the name of the ART instance.
add|skip                         This parameter specifies how users in the file that do not yet exist
                                 in the instance are handled. Its value can only be:
                                     add: indicates that the non-existent users will be added to the
                                      instance.
                                     skip: indicates that the non-existent users will be ignored.
refresh|append                   This parameter specifies how the desktops of users that already exist
                                 in the instance are handled. Its value can only be:
                                     refresh: indicates that all the existing desktops for the user will
                                      be deleted and the new desktops (from the file) will be added.
                                     append: indicates that the new desktops (from the file) will be
                                      added to the user while the old desktops still exist.
file_name                        This parameter specifies the name of the file in the local file
                                 system. Its value should be a string of 1 to 255 characters.
art import users tftp <instance_name> {add|skip} {refresh|append} <ip> <file_name>
This global command is used to import the information of the users and their desktops from the
remote TFTP server to the database.
instance_name                 This parameter specifies the name of the ART instance.
add|skip                      This parameter specifies how users in the file that do not yet exist
                              in the instance are handled. Its value can only be:
                                  add: indicates that the non-existent users will be added to the
                                   instance.
                                  skip: indicates that the non-existent users will be ignored.
refresh|append                This parameter specifies how the desktops of users that already exist
                              in the instance are handled. Its value can only be:
                                  refresh: indicates that all the existing desktops for the user will
                                   be deleted and the new desktops (from the file) will be added.
                                  append: indicates that the new desktops (from the file) will be
                                   added to the user while the old desktops still exist.
ip                            This parameter specifies the TFTP server IP. Its value should be
                              given in dotted decimal notation.
file_name                     This parameter specifies the name of the file on the remote TFTP
                              server. Its value should be a string of 1 to 255 characters.
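The four option combinations of "art import users file" and "art import users tftp" are easiest to see on concrete data. The following Python model is an added example, not Array Networks code: the handbook does not document the layout of the import file, so a constructed layout (one user per line, "user_name<TAB>desktop1,desktop2,...") is assumed here, and the names parse_import_file, import_file_is_valid, import_users and demo are this example's own. The parser decodes the file strictly as UTF-8, so a file in another encoding fails the import instead of loading garbled user or desktop names, which is the behaviour the note above warns about.

```python
# Added example (not Array Networks code): models the add|skip and
# refresh|append options of "art import users file|tftp" together with the
# UTF-8 requirement on the imported file. The handbook does not document the
# import file layout, so this constructed layout is assumed:
#   one user per line, "user_name<TAB>desktop1,desktop2,..."
from typing import Dict, List

Desktops = Dict[str, List[str]]  # user name -> desktops assigned to that user


def parse_import_file(raw: bytes) -> Desktops:
    """Decode the file strictly as UTF-8 and parse the assumed layout.

    Invalid UTF-8 raises UnicodeDecodeError instead of silently loading
    replacement characters into user or desktop names.
    """
    text = raw.decode("utf-8")  # strict decoding: invalid bytes raise
    users: Desktops = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        name, _, desks = line.partition("\t")
        name = name.strip()
        if not name:
            raise ValueError(f"line {lineno}: missing user name")
        users.setdefault(name, [])
        for desk in (d.strip() for d in desks.split(",")):
            # the same user listed twice gets the union of both lines
            if desk and desk not in users[name]:
                users[name].append(desk)
    return users


def import_file_is_valid(raw: bytes) -> bool:
    """True if the file parses; False on invalid UTF-8 or a layout error."""
    try:
        parse_import_file(raw)
    except (UnicodeDecodeError, ValueError):
        return False
    return True


def import_users(db: Desktops, imported: Desktops,
                 missing: str, existing: str) -> Desktops:
    """Return the database after the import; the input database is left unchanged.

    missing  = "add"     : users absent from the database are created
               "skip"    : users absent from the database are ignored
    existing = "refresh" : the user's current desktops are replaced by the
                           desktops from the file
               "append"  : desktops from the file are added, old ones kept
    """
    if missing not in ("add", "skip"):
        raise ValueError(f"expected add|skip, got {missing!r}")
    if existing not in ("refresh", "append"):
        raise ValueError(f"expected refresh|append, got {existing!r}")
    result = {user: list(desks) for user, desks in db.items()}
    for user, desks in imported.items():
        if user not in result:
            if missing == "add":
                result[user] = list(desks)
            continue                      # "skip": unknown user ignored
        if existing == "refresh":
            result[user] = list(desks)
            continue
        for desk in desks:                # "append": keep old, add new
            if desk not in result[user]:
                result[user].append(desk)
    return result


# Constructed sample: the current database and the bytes of an import file.
CURRENT_DB: Desktops = {"alice": ["WS-ALICE-01"],
                        "bob": ["WS-BOB-01", "WS-BOB-02"]}
IMPORT_FILE = ("alice\tWS-ALICE-02\n"
               "bob\tWS-BOB-02,WS-BOB-03\n"
               "carol\tWS-CAROL-01\n").encode("utf-8")


def demo(missing: str, existing: str) -> Desktops:
    """Apply one option combination to the constructed sample."""
    return import_users(CURRENT_DB, parse_import_file(IMPORT_FILE),
                        missing, existing)


if __name__ == "__main__":
    for opts in (("add", "refresh"), ("add", "append"),
                 ("skip", "refresh"), ("skip", "append")):
        print(opts, demo(*opts))
```

Running the block prints the resulting database for each combination: "refresh" leaves bob with only the two desktops named in the file, "append" leaves him with three, and "skip" keeps carol out of the instance entirely.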
art import config file <file_name>
This global command is used to import ART configurations from the local file system to the
database.
file_name                     This parameter specifies the name of the file in the local file
                              system.
art import config tftp <ip> <file_name>
This global command is used to import ART configurations from the remote TFTP server to the
database.
ip                            This parameter specifies the TFTP server IP.
file_name                     This parameter specifies the name of the file on the remote TFTP
                              server.
Export
        Note: The files exported to the local file system or the remote TFTP server are in the
        UTF-8 encoding format. To read or edit the exported file, make sure that your file viewer
        or editor supports UTF-8 encoding.
art export users file <instance_name> <file_name>
This global command is used to export the information of the users and their desktops from the
database to the local file system.
instance_name                  This parameter specifies the name of the ART instance.
file_name                      This parameter specifies the name of the file in the local file
                               system. Its value should be a string of 1 to 255 characters.
        Note: The information of users with no desktops assigned will not be exported from the
        database to the local file system.
art export users tftp <instance_name> <ip> <file_name>
This global command is used to export the information of the users and their desktops from the
database to the remote TFTP server.
instance_name                  This parameter specifies the name of the ART instance.
ip                             This parameter specifies the TFTP server IP.
file_name                      This parameter specifies the name of the file on the remote TFTP
                               server. Its value should be a string of 1 to 255 characters.
        Note: The information of users with no desktops assigned will not be exported from the
        database to the remote TFTP server.
art export config file <file_name>
This global command is used to export ART configurations from the database to the local file
system.
file_name                      This parameter specifies the name of the file in the local file
                               system.
art export config tftp <ip> <file_name>
This global command is used to export ART configurations from the database to the remote TFTP
server.
ip                              This parameter specifies the TFTP server IP.
file_name                       This parameter specifies the name of the file on the remote TFTP
                                server.
clear art export file <file_name>
This global command is used to delete a file that was previously exported to the local file system.
file_name                       This parameter specifies the name of the file in the local file
                                system.
show art export files
This global command is used to display all the files that were previously exported to the local file
system.
clear art export files
This global command is used to delete all the files that were previously exported to the local file
system.
Chapter 16 MotionPro
This chapter describes all the CLI commands used to configure the MotionPro feature. All
MotionPro CLI commands are available under the virtual site scope.
Basic Commands
show motionpro config
This command is used to display all the MotionPro CLI configurations.
clear motionpro resource
This command is used to delete all the MotionPro resources.
AAA
The commands listed below are used for DeviceID Authentication. For other User Authentication
and Certificate Authentication methods, please refer to Chapter 4 AAA.
aaa server name <type> <server_name> [description]
This command is used to define a AAA server of the DeviceID type.
type                            This parameter specifies the type of the AAA server. Its value must
                                only be “deviceid”.
server_name                     This parameter specifies the name of the AAA server, which must
                                be unique among all servers in the same virtual site. Its value must
                                be a string of 1 to 32 characters.
description                     Optional. This parameter specifies the server description. Its value
                                must be a string of 1 to 127 characters. If it is not specified, the
                                default description will be the value of “server_name”.
aaa server deviceid rejectunregister <server_name>
This command is used to reject user login with devices that are not registered to the system for the
specified DeviceID server.
server_name                        This parameter specifies the name of an existing DeviceID
                                   server. Its value should be a string of 1 to 32 characters.
no aaa server deviceid rejectunregister <server_name>
This command is used to permit user login with devices that are not registered to the system for
the specified DeviceID server.
show aaa server deviceid rejectunregister <server_name>
This command is used to display whether user login with devices that are not registered to the
system is rejected or permitted for the specified DeviceID server.
aaa server deviceid autoregister <server_name>
This command is used to enable automatic registration for the unregistered devices during user
login for the specified DeviceID server.
server_name                       This parameter specifies the name of an existing DeviceID
                                  server. Its value should be a string of 1 to 32 characters.
        Note: The “aaa server deviceid autoregister” configuration will not take effect if the
        “aaa server deviceid rejectunregister” command is configured for the same DeviceID
        server.
no aaa server deviceid autoregister <server_name>
This command is used to disable automatic registration for the unregistered devices during user
login for the specified DeviceID server.
aaa server deviceid autoapprove <server_name>
This command is used to enable automatic approval for registered devices for the specified
DeviceID server; otherwise, device status will be “pending” even after devices have been
registered successfully, and administrators need to approve the devices manually.
server_name                       This parameter specifies the name of an existing DeviceID
                                  server. Its value should be a string of 1 to 32 characters.
no aaa server deviceid autoapprove <server_name>
This command is used to disable automatic approval for registered devices for the specified
DeviceID server.
show aaa server deviceid autoapprove <server_name>
This command is used to display whether automatic approval is enabled or disabled for the
registered devices for the specified DeviceID server.
aaa server deviceid bindusername <server_name>
This command is used to enable the Bind Username function for the specified DeviceID server.
With this function enabled, the username and the device ID are registered in the system as a whole.
If a user accesses the portal with a device, other users who log in with this registered device need
to register the device again.
server_name                       This parameter specifies the name of an existing DeviceID
                                   server. Its value should be a string of 1 to 32 characters.
        Note: The following two commands work only when this function is enabled.
no aaa server deviceid bindusername <server_name>
This command is used to disable the Bind Username function for the specified DeviceID
server.
show aaa server deviceid bindusername <server_name>
This command is used to display the status of the Bind Username function for the specified
DeviceID server.
aaa server deviceid devicelimit <server_name> <user_limit>
This command is used to set the user upper limit per device for the specified DeviceID server.
server_name                        This parameter specifies the name of an existing DeviceID
                                   server. Its value should be a string of 1 to 32 characters.
user_limit                         This parameter specifies the maximum users with which a
                                   device can be associated. Its value can be an integer ranging
                                   from 0 to 4,294,967,295. “0” means no upper limit on users.
no aaa server deviceid devicelimit <server_name>
This command is used to delete the setting of the user upper limit per device for the specified
DeviceID server.
show aaa server deviceid devicelimit <server_name>
This command is used to display the setting of the user upper limit per device for the specified
DeviceID server.
aaa server deviceid userlimit <server_name> <device_limit>
This command is used to set the device upper limit per user for the specified DeviceID server.
server_name                        This parameter specifies the name of an existing DeviceID
                                   server. Its value should be a string of 1 to 32 characters.
device_limit                       This parameter specifies the maximum devices that a user can
                                   have. Its value can be an integer ranging from 0 to
                                   4,294,967,295. “0” means no upper limit on devices.
no aaa server deviceid userlimit <server_name>
This command is used to delete the setting of the device upper limit per user for the specified
DeviceID server.
show aaa server deviceid userlimit <server_name>
This command is used to display the setting of the device upper limit per user for the specified
DeviceID server.
localdb deviceid account <account_name> <device_id> <device_name> <status>
This command is used to configure a DeviceID rule for the specified LocalDB account.
account_name                    This parameter specifies the username of the LocalDB account.
device_id                       This parameter specifies the device ID. Its value should be a string
                                of 1 to 511 characters, which must be enclosed in double quotes.
device_name                     This parameter specifies the name to describe the device. Its value
                                should be a string of 1 to 256 characters.
status                          This parameter specifies the status of the device. The parameter
                                value can only be:
                                    approve: The LocalDB user can use the device to access
                                     internal resources.
                                    pending: The LocalDB user can use the device to access
                                     internal resources only after the administrator’s approval.
                                    deny: The LocalDB user cannot use the device to access
                                     internal resources.
no localdb deviceid account <account_name> <device_id>
This command is used to delete a DeviceID rule configured for the specified LocalDB account.
account_name                    This parameter specifies the username of the LocalDB account. If
                                the parameter value is set to “*”, all DeviceID rules configured for
                                all LocalDB accounts will be deleted.
device_id                       This parameter specifies the device ID.
show localdb deviceid account [account_name] [device_id]
This command is used to display a DeviceID rule configured for the specified LocalDB account.
account_name                    Optional. This parameter specifies the username of the LocalDB
                               account.
device_id                      Optional. This parameter specifies the device ID.
                               If this parameter is specified when the parameter “account_name”
                               is not specified, all the DeviceID rules containing this device ID
                               will be displayed.
                               If this parameter is not specified when the parameter
                               “account_name” is specified, all the DeviceID rules configured for
                               the specified LocalDB account will be displayed.
                               If both this parameter and the parameter “account_name” are not
                               specified, the DeviceID rules configured for every LocalDB
                               account will be displayed.
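The DeviceID server options above (rejectunregister, autoregister, autoapprove, bindusername, devicelimit and userlimit) and the approve/pending/deny status of a LocalDB DeviceID rule all bear on the same decision: what happens when a user logs in from a given device. The Python model below is an added example, not Array Networks code. The class, method and field names are this example's own; the evaluation order (an existing rule decides first, then rejectunregister, then autoregister subject to the two limits, with autoapprove deciding the status of a new registration) is an assumption made here rather than a statement from the handbook; and the device IDs are constructed placeholders. The show method reproduces the three filter cases of "show localdb deviceid account" described above.

```python
# Added example (not Array Networks code): a model of how the DeviceID server
# options and the LocalDB DeviceID rule statuses combine at login. The
# evaluation order, the class/method names and the sample device IDs are
# assumptions of this example, not taken from the handbook.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

APPROVE, PENDING, DENY = "approve", "pending", "deny"


@dataclass
class DeviceRule:
    """One 'localdb deviceid account <account> <device_id> <name> <status>' entry."""
    account: str
    device_id: str
    device_name: str
    status: str


@dataclass
class DeviceIDServer:
    """Settings of one DeviceID AAA server; a limit of 0 means no limit."""
    rejectunregister: bool = False   # reject logins from unregistered devices
    autoregister: bool = False       # register unknown devices during login
    autoapprove: bool = False        # new registrations start approved, not pending
    bindusername: bool = False       # registration is per (user, device), not per device
    devicelimit: int = 0             # max users per device
    userlimit: int = 0               # max devices per user
    rules: List[DeviceRule] = field(default_factory=list)

    def add_rule(self, account: str, device_id: str, name: str, status: str) -> None:
        """Create or replace a rule, validating the status and device_id length."""
        if status not in (APPROVE, PENDING, DENY):
            raise ValueError(f"status must be approve|pending|deny, got {status!r}")
        if not 1 <= len(device_id) <= 511:
            raise ValueError("device_id must be 1 to 511 characters")
        self.rules = [r for r in self.rules
                      if (r.account, r.device_id) != (account, device_id)]
        self.rules.append(DeviceRule(account, device_id, name, status))

    def show(self, account: Optional[str] = None,
             device_id: Optional[str] = None) -> List[DeviceRule]:
        """Filter by account, by device ID, by both, or list all when neither is given."""
        return [r for r in self.rules
                if (account is None or r.account == account)
                and (device_id is None or r.device_id == device_id)]

    def _registered_status(self, user: str, device_id: str) -> Optional[str]:
        own = self.show(user, device_id)
        if own:
            return own[0].status
        if not self.bindusername:          # unbound: any registration of the device counts
            shared = self.show(device_id=device_id)
            if shared:
                return shared[0].status
        return None                        # bound: other users' registrations do not count

    def _within_limits(self, user: str, device_id: str) -> bool:
        users_on_device = {r.account for r in self.show(device_id=device_id)}
        devices_of_user = {r.device_id for r in self.show(account=user)}
        if self.devicelimit and len(users_on_device) >= self.devicelimit:
            return False
        if self.userlimit and len(devices_of_user) >= self.userlimit:
            return False
        return True

    def login(self, user: str, device_id: str, name: str = "unnamed") -> str:
        """Return approve, pending or deny for one login attempt."""
        status = self._registered_status(user, device_id)
        if status is not None:
            return status
        if self.rejectunregister:
            return DENY                    # also overrides autoregister (handbook note)
        if self.autoregister:
            if not self._within_limits(user, device_id):
                return DENY
            status = APPROVE if self.autoapprove else PENDING
            self.add_rule(user, device_id, name, status)
            return status
        return APPROVE                     # unregistered device permitted, nothing recorded


def demo() -> Dict[str, str]:
    """Constructed walk-through; returns the decision of each labelled attempt."""
    out: Dict[str, str] = {}
    bound = DeviceIDServer(autoregister=True, bindusername=True, devicelimit=1)
    out["first_login"] = bound.login("alice", "DEVICE-ID-PLACEHOLDER-1", "alice phone")
    bound.rules[0].status = APPROVE                # administrator approves manually
    out["after_approval"] = bound.login("alice", "DEVICE-ID-PLACEHOLDER-1")
    # bound mode: bob must register the device himself, but devicelimit=1 is used up
    out["second_user"] = bound.login("bob", "DEVICE-ID-PLACEHOLDER-1")
    strict = DeviceIDServer(rejectunregister=True, autoregister=True, autoapprove=True)
    out["reject_wins"] = strict.login("carol", "DEVICE-ID-PLACEHOLDER-2")
    out["strict_rules"] = str(len(strict.rules))   # nothing was registered
    lenient = DeviceIDServer()                     # defaults: unregistered devices permitted
    lenient.add_rule("dave", "DEVICE-ID-PLACEHOLDER-3", "lost tablet", DENY)
    out["denied_rule"] = lenient.login("dave", "DEVICE-ID-PLACEHOLDER-3")
    out["unregistered"] = lenient.login("dave", "DEVICE-ID-PLACEHOLDER-4")
    return out


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:15} {decision}")
```

The walk-through makes two points from the text concrete: with rejectunregister set, autoregister and autoapprove never get a chance to run, so the strict server ends with no registrations at all; and an explicit deny rule for a lost device blocks that device even on a server that otherwise lets unregistered devices in.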
aaa method register <method_name>
This command is used to set the AAA method used for device registration or MotionProOTP
application registration. For device registration, when a AAA method is configured on the
MotionPro pilot for the first time, a AAA method named “DD_Register” will be added to the
system.
method_name                    This parameter specifies the name of the AAA method.
no aaa method register <method_name>
This command is used to delete the AAA method used for device registration or MotionProOTP
application registration.
show aaa method register
This command is used to display the AAA method used for device registration or MotionProOTP
application registration.
Role
motionpro role define <role_name>
This command is used to add a new role.
role_name                         This parameter specifies the name of the role. Its value should be
                                  a string of 1 to 255 characters.
no motionpro role define <role_name>
This command is used to delete an existing role.
role_name                         This parameter specifies the name of the role.
show motionpro role define [role_name]
This command is used to display the specified role.
role_name                         Optional. This parameter specifies the name of the role. If this
                                  parameter is not specified, all the roles defined will be displayed.
motionpro role associate user <role_name> <user_name>
This command is used to associate a user with the specified role.
role_name                         This parameter specifies the name of the role.
user_name                         This parameter specifies the name of the user. Its value should be
                                  a string of 1 to 255 characters.
no motionpro role associate user <role_name> <user_name>
This command is used to disassociate a user from the specified role.
role_name                         This parameter specifies the name of the role.
user_name                         This parameter specifies the name of the user.
show motionpro role associate user <role_name> [user_name]
This command is used to display the association between the role and the user.
role_name                         This parameter specifies the name of the role.
user_name                         Optional. This parameter specifies the name of the user. If this
                                  parameter is not specified, all the user-association configurations
                                  of the role will be displayed.
Client Rule
motionpro client rule define <rule_name> [url]
This command is used to add a new MotionPro client rule.
rule_name                         This parameter specifies the name of the rule. Its value should be
                                  a string of 1 to 255 characters.
url                               Optional. This parameter specifies the URL of the rule file. Its
                                  value should be a string of 1 to 511 characters.
no motionpro client rule define <rule_name>
This command is used to delete an existing MotionPro client rule.
rule_name                         This parameter specifies the name of the rule.
show motionpro client rule define [rule_name]
This command is used to display the specified MotionPro client rule.
rule_name                         Optional. This parameter specifies the name of the rule. If this
                                  parameter is not specified, all the rules defined will be displayed.
motionpro client rule associate role <rule_name> <role_name>
This command is used to associate a MotionPro client rule with the specified role.
rule_name                         This parameter specifies the name of the rule.
role_name                         This parameter specifies the name of the role.
no motionpro client rule associate role <rule_name> <role_name>
This command is used to disassociate a MotionPro client rule from the specified role.
rule_name                         This parameter specifies the name of the rule.
role_name                         This parameter specifies the name of the role.
show motionpro client rule associate role [role_name]
This command is used to display the MotionPro client rules associated with the specified role.
role_name                         Optional. This parameter specifies the name of the role. If this
                                  parameter is not specified, the rule-association configuration of
                                  all the roles will be displayed.
motionpro client rule associate user <rule_name> <user_name>
This command is used to associate a MotionPro client rule with the specified user.
rule_name                         This parameter specifies the name of the rule.
user_name                          This parameter specifies the name of the user.
no motionpro client rule associate user <rule_name> <user_name>
This command is used to disassociate a MotionPro client rule from the specified user.
rule_name                          This parameter specifies the name of the rule.
user_name                          This parameter specifies the name of the user.
show motionpro client rule associate user [user_name]
This command is used to display the rules associated with the specified user.
user_name                          Optional. This parameter specifies the name of the user. If this
                                   parameter is not specified, the rule-association configuration of
                                   all the users will be displayed.
motionpro client rule associate vsite <rule_name>
This command is used to associate a MotionPro client rule with the virtual site.
rule_name                          This parameter specifies the name of the rule.
no motionpro client rule associate vsite <rule_name>
This command is used to disassociate a MotionPro client rule from the virtual site.
rule_name                          This parameter specifies the name of the rule.
show motionpro client rule associate vsite [rule_name]
This command is used to display the specified rule associated with the virtual site.
rule_name                          Optional. This parameter specifies the name of the rule. If this
                                   parameter is not specified, all the rules associated with the
                                   virtual site will be displayed.
show motionpro client rule allnames
This command is used to display the names of all the MotionPro client rules.
motionpro client senddeviceid {on|off}
This command is used to enable or disable the DeviceID transmission to the RADIUS server.
After this function is enabled, the MotionPro client will pass the DeviceID to the RADIUS server
upon login. By default, this function is disabled.
motionpro client {enable|disable} <device_type>
This command is used to enable or disable the access to the virtual site for the MotionPro client on
the specified type of device. By default, MotionPro clients on all types of devices are allowed to
access the virtual site.
device_type                     This parameter specifies the device type. Its value must be
                                “macos”, “iphone”, “ipad”, “windows”, “android”, “linux” or “all”.
                                “all” indicates all types of devices.
Web Resources
Web APP
motionpro webapp define <url> <description> [sso] [folder]
This command is used to add a new Web Application.
url                                This parameter specifies the URL of the Web Application. Its
                                   value should be a string of 1 to 255 characters.
description                        This parameter specifies the description of the Web Application.
                                   Its value should be a string of 1 to 255 characters.
sso                                Optional. This parameter specifies the SSO-related parameters.
                                   Its value should be a string of 1 to 255 characters.
folder                             Optional. This parameter specifies the name of the folder in
                                   which the Web Application will be displayed on the MotionPro
                                   Client. Its value should be a string of 1 to 255 characters.
no motionpro webapp define <url>
This command is used to delete an existing Web Application.
url                                This parameter specifies the URL of the Web Application.
show motionpro webapp define [url]
This command is used to display the specified Web Application.
url                                Optional. This parameter specifies the URL of the Web
                                   Application. If this parameter is not specified, all the Web
                                   Applications defined will be displayed.
motionpro webapp associate role <url> <role_name>
This command is used to associate a Web Application with the specified role.
url                              This parameter specifies the URL of the Web Application.
role_name                        This parameter specifies the name of the role.
no motionpro webapp associate role <url> <role_name>
This command is used to disassociate a Web Application from the specified role.
url                              This parameter specifies the URL of the Web Application.
role_name                        This parameter specifies the name of the role.
show motionpro webapp associate role [role_name]
This command is used to display the Web Applications associated with the specified role.
role_name                        Optional. This parameter specifies the name of the role. If this
                                 parameter is not specified, the association configurations
                                 between all the roles and Web Applications will be displayed.
motionpro webapp associate user <url> <user_name>
This command is used to associate a Web Application with the specified user.
url                              This parameter specifies the URL of the Web Application.
user_name                        This parameter specifies the name of the user.
no motionpro webapp associate user <url> <user_name>
This command is used to disassociate a Web Application from the specified user.
url                              This parameter specifies the URL of the Web Application.
user_name                        This parameter specifies the name of the user.
show motionpro webapp associate user [user_name]
This command is used to display the Web Applications associated with the specified user.
user_name                        Optional. This parameter specifies the name of the user. If this
                                 parameter is not specified, the association configurations
                                 between all the users and Web Applications will be displayed.
Native Applications
motionpro nativeapp define <app_name> <description> <os_type>
<app_type> [parameters] [app_id]
This command is used to add a new Native Application.
app_name                         This parameter specifies the name of the Native Application. Its
                                 value should be a string of 1 to 255 characters.
description                      This parameter specifies the description of the Native
                                 Application. Its value should be a string of 1 to 255 characters.
os_type                          This parameter specifies the Operating System type of the
                                 Native Application. Its value can only be “iOS” or “Android”.
app_type                         This parameter specifies the type of the Native Application. Its
                                 value can only be “built-in” or “third-party”.
                                     “built-in” refers to the applications integrating Application
                                      Tunnel API. All the data transmitted through this type of
                                      applications will be encrypted by the SSL L3VPN tunnel
                                      established by directly using the built-in application.
                                     “third-party” refers to the applications not integrating
                                      Application Tunnel API. In order to encrypt the data
                                      transmitted through this type of applications, SSL
                                      L3VPN/IPsec VPN tunnels need to be established using the
                                      VPN on Demand (VoD) function for accessing enterprise
                                      resources.
parameters                       Optional. This parameter is used to match the local applications.
                                 Its value should be a string of 1 to 255 characters. For iOS, this
                                 parameter must match the URL Scheme of the application, and if
                                 not specified, the application will not be displayed on the
                                 MotionPro Client.
app_id                           Optional. This parameter specifies the application ID. Its value
                                 should be an integer ranging from 0 to 2,147,483,647, and
                                 defaults to 0.
no motionpro nativeapp define <app_id>
This command is used to delete an existing Native Application.
app_id                            This parameter specifies the application ID.
show motionpro nativeapp define [app_id]
This command is used to display the specified Native Application.
app_id                            Optional. This parameter specifies the application ID. If this
                                  parameter is not specified, all the Native Applications defined
                                  will be displayed.
motionpro nativeapp associate role <app_id> <role_name>
This command is used to associate a Native Application with the specified role.
app_id                            This parameter specifies the application ID.
role_name                         This parameter specifies the name of the role.
no motionpro nativeapp associate role <app_id> <role_name>
This command is used to disassociate a Native Application from the specified role.
app_id                            This parameter specifies the application ID.
role_name                         This parameter specifies the name of the role.
show motionpro nativeapp associate role [role_name]
This command is used to display the Native Applications associated with the specified role.
role_name                         Optional. This parameter specifies the name of the role. If this
                                  parameter is not specified, the association configurations
                                  between all the roles and Native Applications will be displayed.
motionpro nativeapp associate user <app_id> <user_name>
This command is used to associate a Native Application with the specified user.
app_id                            This parameter specifies the application ID.
user_name                         This parameter specifies the name of the user.
no motionpro nativeapp associate user <app_id> <user_name>
This command is used to disassociate a Native Application from the specified user.
app_id                            This parameter specifies the application ID.
user_name                         This parameter specifies the name of the user.
show motionpro nativeapp associate user [user_name]
This command is used to display the Native Applications associated with the specified user.
user_name                         Optional. This parameter specifies the name of the user. If this
                                  parameter is not specified, the association configurations
                                  between all the users and Native Applications will be displayed.
MDM
motionpro mdm on
This command is used to enable the Mobile Device Management (MDM) function.
motionpro mdm off
This command is used to disable the MDM function.
motionpro mdm import apn <url>
This command is used to import an Apple Push Notification (APN) certificate.
url                               This parameter specifies the URL of the APN certificate. Its
                                  value should be a string of 1 to 255 characters starting with
                                  “http://”.
motionpro mdm apn interval <database_check_interval>
<ssl_tunnel_reconnect_interval>
This command is used to set the interval at which MDM checks the database and the interval of SSL
reconnection.
database_check_interval           This parameter specifies the interval for the MDM server to
                                  check the database for notification to be sent to mobile devices
                                  (Android) or APN (iOS) in seconds. Its value should be an
                                  integer ranging from 1 to 3600, and defaults to 3.
ssl_tunnel_reconnect_interval     This parameter specifies the interval of the SSL reconnection
                                  between the MDM server and the APN server in minutes. Its
                                  value should be an integer ranging from 1 to 10, and defaults to
                                  5.
show motionpro mdm apn interval
This command is used to display the interval at which MDM checks the database and the interval of
SSL reconnection.
motionpro mdm device check <device_check_interval>
<device_inactive_check_times>
This command is used to set the configuration of MDM checking the mobile device status.
device_check_interval             This parameter specifies the interval for the MDM server to
                                  check the mobile device status in minutes. Its value should be an
                                  integer ranging from 1 to 60, and defaults to 1.
device_inactive_check_times       This parameter specifies the maximum times of consecutive
                                  device checks for setting the mobile device status as inactive. Its
                                  value should be an integer ranging from 2 to 10, and defaults to
                                  3.
show motionpro mdm device check
This command is used to display the configuration of MDM checking the mobile device status.
show motionpro mdm config
This command is used to display all the MDM configurations.
motionpro mdm externalsetting <push_ip> <push_port> <service_url>
This command is used to enable the external MDM function. With this function enabled, when
logging into the MotionPro virtual site using the MotionPro client, the end user will be prompted
to join MDM.
push_ip                        This parameter specifies the push IP address or the domain name of
                               the MDM server. Its value must be a string of 1 to 63 characters and
                               must be enclosed by double quotes if the parameter value is set to
                               an IP address.
push_port                      This parameter specifies the push port of the MDM server. Its value
                               must be an integer ranging from 1 to 65535.
service_url                    This parameter specifies the URL that provides the MDM service.
no motionpro mdm externalsetting
This command is used to disable the external MDM function.
show motionpro mdm externalsetting
This command is used to display the configuration of the external MDM function.
Backup and Restore
          Note:
          The files backed up to the remote TFTP server are in the UTF-8 encoding format. To read
          or edit the backed up file, make sure that your file viewer or editor supports UTF-8
          encoding.
          The files restored from the remote TFTP server must be in the UTF-8 encoding format. To
          read or edit the restored file, make sure that your file viewer or editor supports UTF-8
          encoding.
motionpro backup tftp <tftp_ip> <file_name>
This command is used to back up the MotionPro configurations to the remote TFTP server.
tftp_ip                          This parameter specifies the IP address of the TFTP server. Its value
                                 should be given in dotted decimal notation.
file_name                        This parameter specifies the name of the configuration file to be
                                 saved on the remote TFTP server. Its value should be a string of 1 to
                                 256 characters.
motionpro restore tftp <tftp_ip> <file_name>
This command is used to restore the MotionPro configurations from the remote TFTP server.
tftp_ip                          This parameter specifies the IP address of the TFTP server. Its value
                                 should be given in dotted decimal notation.
file_name                        This parameter specifies the name of configuration file saved on the
                                 remote TFTP server. Its value should be a string of 1 to 256
                                 characters.
Import and Export
          Note:
          The files imported from the appliance’s disk or the remote TFTP server must be in the
          UTF-8 encoding format. Otherwise, the importing might fail.
          The files exported to the appliance’s disk or the remote TFTP server are in the UTF-8
          encoding format. To read or edit the exported file, make sure that your file viewer or editor
          supports UTF-8 encoding.
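The UTF-8 requirement stated in the Backup and Restore note and in the Import and Export note above can be checked before a file is staged on the TFTP server, instead of discovering the failure when the appliance pulls the file. The following Python script is an added example; it is not code from the Array Networks CLI Handbook or from the AG appliance. It checks the three documented constraints for the restore/import commands (a dotted-decimal IPv4 tftp_ip, a file_name of 1 to 256 characters, and strictly valid UTF-8 content) against constructed sample data. The function names and the sample configuration lines are assumptions.

```python
"""Preflight checks for MotionPro backup/restore and import/export files.

Added example; not code from the Array Networks CLI Handbook. It checks
the constraints the handbook states for `motionpro restore tftp`,
`motionpro import tftp` and `localdb deviceid import tftp`: tftp_ip is a
dotted-decimal IPv4 address, file_name is 1 to 256 characters, and the
file content is UTF-8. Function names here are assumptions.
"""
import ipaddress
from typing import List, Optional

MAX_FILE_NAME = 256  # from the handbook: file_name is 1 to 256 characters


def utf8_error_offset(data: bytes) -> Optional[int]:
    """Return None when data is valid UTF-8, else the offset of the first bad byte."""
    try:
        data.decode("utf-8")  # strict decoding, as the appliance requires
        return None
    except UnicodeDecodeError as exc:
        return exc.start


def valid_tftp_ip(value: str) -> bool:
    """Accept only an IPv4 address in dotted-decimal notation."""
    try:
        return ipaddress.ip_address(value).version == 4
    except ValueError:
        return False


def valid_file_name(name: str) -> bool:
    return 1 <= len(name) <= MAX_FILE_NAME


def preflight(tftp_ip: str, file_name: str, data: bytes) -> List[str]:
    """Return a list of problems; an empty list means the file can be staged."""
    problems = []
    if not valid_tftp_ip(tftp_ip):
        problems.append(f"tftp_ip {tftp_ip!r} is not a dotted-decimal IPv4 address")
    if not valid_file_name(file_name):
        problems.append(f"file_name must be 1 to {MAX_FILE_NAME} characters")
    offset = utf8_error_offset(data)
    if offset is not None:
        problems.append(f"file is not valid UTF-8 (first bad byte at offset {offset})")
    return problems


# Constructed sample content (not a real exported configuration file).
GOOD_CONFIG = "# MotionPro export, constructed sample\ndescription Café portal\n".encode("utf-8")
# The same text saved by a Latin-1 editor: 'é' becomes the single byte 0xE9,
# which is not valid UTF-8 and would make the appliance-side import fail.
BAD_CONFIG = "description Café".encode("latin-1")

if __name__ == "__main__":
    for ip, name, data in [("10.0.0.5", "motionpro_backup.cfg", GOOD_CONFIG),
                           ("10.0.0.5", "x" * 300, BAD_CONFIG),
                           ("fe80::1", "motionpro_backup.cfg", GOOD_CONFIG)]:
        result = preflight(ip, name, data)
        print(name[:20], "OK" if not result else result)
```

Run this against the file as it will be placed on the TFTP server; a file edited on a workstation with a non-UTF-8 default encoding is the usual way an otherwise correct configuration fails to import.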
localdb deviceid import file <file_name>
This command is used to import the device IDs from a configuration file on the appliance’s disk to
the virtual site’s database.
file_name                      This parameter specifies the name of the configuration file on the
                               appliance’s disk. Its value should be a string of 1 to 256 characters.
localdb deviceid export file <file_name>
This command is used to export the device IDs from the virtual site’s database to a configuration
file on the appliance’s disk.
file_name                      This parameter specifies the name of the configuration file on the
                               appliance’s disk. Its value should be a string of 1 to 256 characters.
localdb deviceid import tftp <tftp_ip> <file_name>
This command is used to import the device IDs from a configuration file on the specified remote
TFTP server to the virtual site’s database.
tftp_ip                        This parameter specifies the IP address of the TFTP server. Its value
                               must be an IPv4 address.
file_name                      This parameter specifies the name of the configuration file on the
                               remote TFTP server. Its value should be a string of 1 to 256
                               characters.
localdb deviceid export tftp <tftp_ip> <file_name>
This command is used to export the device IDs from the virtual site’s database to a configuration
file on the specified remote TFTP server.
tftp_ip                        This parameter specifies the IP address of the TFTP server. Its value
                               must be an IPv4 address.
file_name                      This parameter specifies the name of the configuration file on the
                               remote TFTP server. Its value should be a string of 1 to 256
                               characters.
motionpro import file <file_name>
This command is used to import the MotionPro CLI configurations from a configuration file on
the appliance's disk to the virtual site's database.
file_name                      This parameter specifies the name of the configuration file on the
                                appliance's disk. Its value should be a string of 1 to 256 characters.
motionpro export file <file_name>
This command is used to export the MotionPro CLI configurations from the virtual site's database
to a configuration file on the appliance's disk.
file_name                       This parameter specifies the name of the configuration file on the
                                appliance's disk. Its value should be a string of 1 to 256 characters.
motionpro import tftp <tftp_ip> <file_name>
This command is used to import the MotionPro CLI configurations from a configuration file on
the specified remote TFTP server to the virtual site's database.
tftp_ip                         This parameter specifies the IP address of the TFTP server. Its value
                                must be an IPv4 address.
file_name                       This parameter specifies the name of the configuration file on the
                                remote TFTP server. Its value should be a string of 1 to 256
                                characters.
motionpro export tftp <tftp_ip> <file_name>
This command is used to export the MotionPro CLI configurations from the virtual site's database
to a configuration file on the specified remote TFTP server.
tftp_ip                         This parameter specifies the IP address of the TFTP server. Its value
                                must be an IPv4 address.
file_name                       This parameter specifies the name of the configuration file on the
                                remote TFTP server. Its value should be a string of 1 to 256
                                characters.
Portal Configuration
motionpro portal tabpage <tab_type> <display_mode>
This command is used to configure whether a specific tab page will be displayed on the
MotionPro portal. With this function, administrators can hide corresponding tab pages from end
users when the system does not have the specific feature licensed. By default, all the tab pages are
displayed.
tab_type                        This parameter specifies the type of the tab page. Its value can only
                                be “web”, “application” or “desktop”.
display_mode                    This parameter specifies the display mode of the tab. Its value can
                                only be “display” or “not_display”.
show motionpro portal tabpage
This command is used to display the MotionPro portal tab page setting.
clear motionpro portal tabpage
This command is used to clear the MotionPro portal tab page setting.
motionpro portal vpnpolicy <policy_name>
This command is used to configure the VPN policy for the MotionPro portal. When this command
is not configured, the default policy is used. That is, if DesktopDirect resources are configured, the
L4VPN tunnel will be established; otherwise, the SSL L3VPN tunnel will be established.
policy_name                     This parameter specifies the name of the VPN policy. Its value must
                                be:
                                    tcpproxy: indicates that the L4VPN tunnel will be established
                                     for end users.
                                    l3vpn: indicates that the SSL L3VPN tunnel will be
                                     established for end users.
                                    both: indicates that both the L4VPN tunnel and the SSL
                                     L3VPN tunnel will be established for end users. This VPN
                                     policy works only for MotionPro clients on PCs. Android and
                                     iOS MotionPro clients will still use the default policy.
                                    disable: indicates that neither L4VPN tunnel nor the SSL
                                     L3VPN tunnel will be established for end users. This policy
                                      works only for Android and iOS MotionPro clients. MotionPro
                                     clients on PCs will still use the default VPN policy.
no motionpro portal vpnpolicy
This command is used to delete the VPN policy configured for the MotionPro portal.
show motionpro portal vpnpolicy
This command is used to display the VPN policy configured for the MotionPro portal.
Synchronization
motionpro sync sql <sql_string>
This command is used to synchronize the MotionPro database by executing the PostgreSQL
commands.
sql_string                        This parameter specifies the PostgreSQL commands. Its value
                                  can be a string of 1 to 1024 characters.
        Note:
            For now, only update/insert/delete operations are supported.
            Single quotes (') in PostgreSQL commands must be replaced by the ampersand (&).
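How a statement has to be prepared before it is handed to this command, as an added Python example (not code from the Array Networks CLI Handbook or from the AG appliance): it enforces the two documented rules, only update/insert/delete statements and single quotes replaced by ampersands, together with the 1 to 1024 character limit on sql_string. The function names are assumptions. The handbook does not describe how the appliance treats a literal ampersand already present in the statement, nor how the argument is quoted on the CLI, so the script rejects statements containing an ampersand rather than guess.

```python
"""Prepare the sql_string argument of `motionpro sync sql`.

Added example; not code from the Array Networks CLI Handbook. The handbook
gives two rules for sql_string: only update/insert/delete operations are
supported, and single quotes (') must be replaced by the ampersand (&);
its length is 1 to 1024 characters. Function names are assumptions.
"""
from typing import Optional

ALLOWED_OPS = ("update", "insert", "delete")
MAX_LEN = 1024


class SyncSqlError(ValueError):
    """Raised when a statement cannot be expressed as a valid sql_string."""


def validation_error(sql: str) -> Optional[str]:
    """Return None if sql can be sent with `motionpro sync sql`, else the reason."""
    stripped = sql.strip()
    if not stripped:
        return "sql_string must not be empty"
    first_word = stripped.split(None, 1)[0].lower()
    if first_word not in ALLOWED_OPS:
        return f"only update/insert/delete are supported, got {first_word!r}"
    if "&" in stripped:
        # Assumption: since '&' is the CLI's stand-in for a quote, a literal
        # ampersand inside the statement could be read as a quote on the
        # appliance. Reject instead of guessing how the appliance treats it.
        return "statement contains a literal '&', which the quote encoding cannot express"
    if len(stripped) > MAX_LEN:  # replacing ' with & does not change the length
        return f"sql_string must be 1 to {MAX_LEN} characters, got {len(stripped)}"
    return None


def encode_sql_string(sql: str) -> str:
    """Return sql with every single quote replaced by an ampersand."""
    err = validation_error(sql)
    if err is not None:
        raise SyncSqlError(err)
    return sql.strip().replace("'", "&")


def build_cli_line(sql: str) -> str:
    """Return the full CLI line to type on the appliance."""
    return f"motionpro sync sql {encode_sql_string(sql)}"


if __name__ == "__main__":
    # Constructed sample statements; table and column names are not from the handbook.
    print(build_cli_line("update users set name='bob' where id=1"))
    for bad in ("select * from users", "drop table users", "insert into t values('a&b')"):
        print(bad, "->", validation_error(bad))
```

Because this command executes statements directly against the MotionPro database, keeping the allowlist check in the tooling that generates the CLI line, and logging each generated line, gives a record of every change that bypassed the regular `motionpro` configuration commands.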
Appendix I System CLI Boundaries
          Note: The maximum number of VPN Netpool Client IPs (per vsite) for vxAG (2G) is
          2048.
                                                     AG
                                                    1000/
                                                              AG     AG     AG     AG      AG
                                      Related        AG
Module           Limit Item                                  1100   1150   1200    1500    1600
                                       CLI          1000-
                                                             (4G)   (4G)   (8G)   (16G)   (16G)
                                                      T
                                                    (2G)
Virtual Site Scope
             Maximum number
                                     virtual site
             of virtual sites                       10       256    256    256    256     256
                                     name
             (affected by license)
             Maximum number          virtual site
                                                    1000     2000
             of virtual site IPs     ip
             Maximum number
                                     virtual site
             of virtual site                        1000
                                     domain
             domain names
                                     virtual site
                                     ip;
             Maximum vip-port
                                     virtual site
             pairs (including
                                     quicklink
             QuickLink port                         4000
                                     port;
             mode and http
                                     (vsite) http
             redirect insecure)
                                     redirect
Virtual
                                     insecure
Site
                                     virtual site
                                     ip;
             Maximum number
                                     virtual site
             of vip-port pairs
                                     quicklink
             (including                             64
                                     port;
             QuickLink port
                                     (vsite) http
             mode) per vsite
                                     redirect
                                     insecure
                                     virtual site
             Maximum number          ip;
             of ports per vip        virtual site
             (including quicklink    quicklink      1000
             port mode and http      port;
             redirect insecure)      (vsite) http
                                     redirect
2000-2018 Array Networks, Inc.
                                                                                            486
All Rights Reserved.
                                                         Appendix I System CLI Boundaries
                                   insecure
          Maximum number
                                   virutal site
          of QuickLink
                                   quicklink      1000
          hostname mode
                                   hostname
          definitions
          Maximum number
                                   role name      2000
          of roles
          Maximum number           role
          of qualifications (per   qualificati    32
          role)                    on
          Maximum number
                                   role
          of conditions (per                      32
                                   condition
          qualification)
          Maximum number           role
Role
          of QuickLink             resource       1000, totally 100,000
          resources (per vsite)    quicklink
          Maximum number           role
          of WRM resources         resource       1000, totally 100,000
          (per vsite)              web
          Maximum number           role           1000, totally 100,000
          of Fileshare             resource
          resources (per vsite)    cifs
          Maximum number
                                   acl rule       10,000
          of ACL rules
          Maximum number           acl
ACL       of ACL resource          resourcegr     1000; totally 10,000
          groups (per vsite)       oup
          Maximum number           acl                     15,00   50,00   125,0   360,00   640,0
                                                  1500
          of ACL resources         resource                0       0       00      0        00
          Maximum number
          of AAA servers (per      aaa server     3 for each server type
          vsite)
          Maximum number
                                   aaa
          of AAA methods                          5
                                   method
          (per vsite)
AAA                                aaa
          Maximum number
                                   method
          of AAA methods                          4
                                   rank
          ranks (per vsite)
                                   include
          Maximum number           aaa
          of AAA multi-factor      method         3
          authentication           server
2000-2018 Array Networks, Inc.
                                                                                             487
All Rights Reserved.
                                                           Appendix I System CLI Boundaries
          servers (per vsite)
          Maximum number
          of concurrent                                              10,00    25,00              128,0
                                                  300       3000                       72,000
          sessions (affected by                                      0        0                  00
Session   license)
                                   virtual site
          Maximum number
                                   session        128
          of session groups
                                   group
          Maximum number
                                   vpn
          of VPN Netpools                         1024      2048     2048     4096     8192      8192
                                   netpool
          (per vsite)
          Maximum number           vpn
          of VPN resource          resource       1024      2048     2048     4096     8192      8192
          groups (per vsite)       group
          Maximum number           vpn
          of VPN Netpool IP        netpool        1024      2048     2048     4096     8192      8192
          ranges (per Netpool)     iprange
          Maximum number
                                                            1310     1310     2621     524288    52428
          of VPN Netpool                          2048
                                                            72       72       44                 8
          Client IPs (per vsite)
          Maximum number           vpn
          of VPN Netpool           netpool
                                                  1024      2048     2048     4096     8192      8192
          DNS hostmaps (per        dns
SSL       Netpool)                 hostmap
VPN                                vpn
Client    Maximum number           resource
          of VPN application       groupitem      1024      2048     2048     4096     8192      8192
          resources (per vsite)    applicatio
                                   n
                                   vpn
          Maximum number
                                   resource
          of VPN network                          1024      2048     2048     4096     8192      8192
                                   groupitem
          resources (per vsite)
                                   network
                                                  maxi      maxi     maxi     maxi               maxi
                                                                                       maxim
                                                  mum       mum      mum      mum                mum
          Maximum number           vpn                                                 um
                                                  virtua    virtua   virtua   virtua             virtua
          of VPN network           resource                                            virtual
                                                  l site    l site   l site   l site             l site
          resources (per           groupitem                                           site
                                                  numb      numb     numb     numb               numb
          chassis)                 network                                             numbe
                                                  er*10     er*20    er*20    er*40              er*81
                                                                                       r*8192
                                                  24        48       48       96                 92
          Maximum number           portal
Portal                                            1000
          of portal themes         theme
2000-2018 Array Networks, Inc.
                                                                                                   488
All Rights Reserved.
                                                         Appendix I System CLI Boundaries
| Category | Boundary | CLI command | Limit (one value per model column where several are listed) |
| --- | --- | --- | --- |
| WRM | Maximum number of custom rewrite rules | rewrite custom rule | 500 |
| Proxy | Maximum number of SSO POST configurations (per vsite) | sso post | 64 |
| | Maximum number of URL policies (per vsite) | urlpolicy | 3000 |
| | Maximum number of URL deny rules (per vsite) | filter url keyword deny | 50 |
| SSL | Maximum depth of a certificate chain | | 9 |
| | Maximum number of CDPs (CRL distribution points) | ssl settings crl offline | 10 |
| | Maximum number of certificates imported on Array | ssl import interca; ssl import rootca | no limit |
| LocalDB | Maximum number of LocalDB accounts | localdb account | 10,000 / 200,000 / 200,000 / 200,000 / 500,000 / 500,000 |
| | Maximum number of LocalDB groups | localdb group | 1000 / 10,000 / 10,000 / 10,000 / 50,000 / 50,000 |
| | Maximum number of LocalDB groups that one account belongs to | localdb member | 20 |
| | Maximum number of LocalDB backups | localdb backup | 20 |
| DNS | Maximum number of static DNS hosts | dns host | 1000 |
| | Maximum number of DNS name servers | | 3 |
| | Maximum number of DNS search domains | | 6 |
| System | Maximum number of custom configuration files | write file | no limit |

Global Scope

| Category | Boundary | CLI command | Limit (one value per model column where several are listed) |
| --- | --- | --- | --- |
| NAT | Maximum number of NAT static definitions | | 512 |
| | Maximum number of NAT port definitions | | 512 |
| Bond | Maximum number of Bonds | | 3 |
| | Maximum number of physical interfaces per Bond | | 12 |
| VLAN | Maximum number of VLANs | | 250 |
| | Maximum number of VLAN tags per interface | | 250 |
| | VLAN tag range | | 1-4094 |
| Route | Maximum number of default routes | | 1 |
| Syslog | Maximum number of syslog lines | | 1024 |
| | Maximum size of syslog | | 1024*1024 |
| Cluster | Maximum number of VCIDs | | 255 |
| | Maximum number of VIPs per interface of each VCID | | 255 |
| | Maximum number of synconfig peers | | 64 |
| DNS | Maximum number of static DNS hosts (counted together with vsite) | ip dns host | 1000 |
| | Maximum number of DNS name servers | | 3 |
| | Maximum number of DNS search domains | | 6 |
| SSL | Maximum number of SSL connections | | 1200 / 12,000 / 20,000 / 50,000 / 144,000 / 256,000 |
| Administrator | Maximum number of administrator accounts | admin user | 100 / 100 / 100 / 100 / 100 / 100 |
Appendix II SNMP OID List
| OID | Description |
| --- | --- |
| .1.3.6.1.4.1.7564 | This file defines the private CA SNMP MIB extensions. |
| .1.3.6.1.4.1.7564.4.1 | Current total available memory in the system. |
| .1.3.6.1.4.1.7564.17.1 | Number of HA groups. |
| .1.3.6.1.4.1.7564.17.15 | A table of HA units. |
| .1.3.6.1.4.1.7564.17.15.1 | An haUnitTable entry containing HA unit information. |
| .1.3.6.1.4.1.7564.17.15.1.1 | Reference index for each HA unit. |
| .1.3.6.1.4.1.7564.17.15.1.2 | Name of the HA unit. |
| .1.3.6.1.4.1.7564.17.15.1.3 | The IP address type of haUnitIpAddress. |
| .1.3.6.1.4.1.7564.17.15.1.4 | The IP address of the HA unit. |
| .1.3.6.1.4.1.7564.17.15.1.5 | The port used for the primary link to communicate with other HA units. |
| .1.3.6.1.4.1.7564.17.15.1.6 | Number of HA secondary links. |
| .1.3.6.1.4.1.7564.17.25 | A table of HA groups. |
| .1.3.6.1.4.1.7564.17.25.1 | An haGroupTable entry containing HA group information. |
| .1.3.6.1.4.1.7564.17.25.1.1 | The HA group table index. |
| .1.3.6.1.4.1.7564.17.25.1.2 | The HA group ID. |
| .1.3.6.1.4.1.7564.17.25.1.3 | The priority of the HA group on the local HA unit. |
| .1.3.6.1.4.1.7564.17.25.1.4 | Enabling status of preemption, which controls whether a higher-priority HA unit preempts a lower-priority HA unit. |
| .1.3.6.1.4.1.7564.17.25.1.5 | The HA group status: disabled (0), incomplete (1), init (2), standby (3) or active (4). |
| .1.3.6.1.4.1.7564.17.25.1.6 | Enabling status of the HA group. |
| .1.3.6.1.4.1.7564.17.26 | A table of HA floating IP addresses. |
| .1.3.6.1.4.1.7564.17.26.1 | An haGroupFipTable entry containing HA floating IP address information. |
| .1.3.6.1.4.1.7564.17.26.1.1 | The index of the HA floating IP address table. |
| .1.3.6.1.4.1.7564.17.26.1.2 | The HA group that contains this HA floating IP address. |
| .1.3.6.1.4.1.7564.17.26.1.3 | The type of the HA floating IP address. |
| .1.3.6.1.4.1.7564.17.26.1.4 | The floating IP addresses contained in the HA group. |
| .1.3.6.1.4.1.7564.18.1.1 | Current maximum possible number of entries in the vrrpTable, which is 255 * (number of interfaces for which a cluster is defined); 255 is the maximum number of VIPs in a cluster. |
| .1.3.6.1.4.1.7564.18.1.2 | Current number of entries in the vrrpTable. |
| .1.3.6.1.4.1.7564.18.1.3 | A table containing cluster configurations. |
| .1.3.6.1.4.1.7564.18.1.3.1 | An entry in the vrrpTable. Each entry represents a cluster VIP, not the cluster itself: if a cluster has n VIPs, there will be n entries for the cluster in the vrrpTable (0 <= n <= 255). All entries in the vrrpTable belonging to a single cluster have the same values for all fields except clusterVirIndex and clusterVirAddr. |
| .1.3.6.1.4.1.7564.18.1.3.1.1 | The cluster virtual table index. |
| .1.3.6.1.4.1.7564.18.1.3.1.2 | The cluster identifier. |
| .1.3.6.1.4.1.7564.18.1.3.1.3 | The current state of the cluster. |
| .1.3.6.1.4.1.7564.18.1.3.1.4 | The interface name on which the cluster is defined. |
| .1.3.6.1.4.1.7564.18.1.3.1.5 | A virtual IP address (VIP) in the cluster. |
| .1.3.6.1.4.1.7564.18.1.3.1.6 | Type of authentication being used: none(0), no authentication; simple-text-password(1), use the password specified in the cluster virtual for authentication. |
| .1.3.6.1.4.1.7564.18.1.3.1.7 | The password for authentication. |
| .1.3.6.1.4.1.7564.18.1.3.1.8 | Controls whether a higher-priority Backup VRRP virtual preempts a lower-priority Master. |
| .1.3.6.1.4.1.7564.18.1.3.1.9 | VRRP advertisement interval. |
| .1.3.6.1.4.1.7564.18.1.3.1.10 | Priority of the local node in the cluster. |
| .1.3.6.1.4.1.7564.20.1.2 | Number of vhosts currently configured. |
| .1.3.6.1.4.1.7564.20.2.1 | Total number of open SSL connections (all vhosts). |
| .1.3.6.1.4.1.7564.20.2.2 | Total number of accepted SSL connections (all vhosts). |
| .1.3.6.1.4.1.7564.20.2.3 | Total number of requested SSL connections (all vhosts). |
| .1.3.6.1.4.1.7564.20.2.4 | SSL vhost statistics table. |
| .1.3.6.1.4.1.7564.20.2.4.1 | SSL table entry for one vhost. |
| .1.3.6.1.4.1.7564.20.2.4.1.1 | The SSL table index. |
| .1.3.6.1.4.1.7564.20.2.4.1.2 | Name of the SSL vhost. |
| .1.3.6.1.4.1.7564.20.2.4.1.3 | Open SSL connections for vhostName. |
| .1.3.6.1.4.1.7564.20.2.4.1.4 | Number of accepted SSL connections for vhostName. |
| .1.3.6.1.4.1.7564.20.2.4.1.5 | Number of requested SSL connections for vhostName. |
| .1.3.6.1.4.1.7564.20.2.4.1.6 | Number of resumed SSL sessions for vhostName. |
| .1.3.6.1.4.1.7564.20.2.4.1.7 | Number of resumable SSL sessions for vhostName. |
| .1.3.6.1.4.1.7564.20.2.4.1.8 | Number of session misses for vhostName. |
| .1.3.6.1.4.1.7564.21.1 | Number of sessions by the security proxy. |
| .1.3.6.1.4.1.7564.21.2 | Number of successful logins by the security proxy. |
| .1.3.6.1.4.1.7564.21.3 | Number of successful logouts by the security proxy. |
| .1.3.6.1.4.1.7564.21.4 | Number of failed logins by the security proxy. |
| .1.3.6.1.4.1.7564.21.5 | Number of total bytes in. |
| .1.3.6.1.4.1.7564.21.6 | Number of total bytes out. |
| .1.3.6.1.4.1.7564.21.7 | Maximum number of active sessions by the security proxy. |
| .1.3.6.1.4.1.7564.21.8 | Number of login errors by the security proxy. |
| .1.3.6.1.4.1.7564.21.9 | Number of login failures due to user lockout by the security proxy. |
| .1.3.6.1.4.1.7564.21.10 | Number of total backend server bytes in. |
| .1.3.6.1.4.1.7564.21.11 | Number of total backend server bytes out. |
| .1.3.6.1.4.1.7564.22.1 | Status of VIP statistics gathering: on or off. |
| .1.3.6.1.4.1.7564.22.2 | The hostname that the VIP is representing (hostname of the appliance). |
| .1.3.6.1.4.1.7564.22.3 | The current time in the format MM/DD/YY HH:MM. |
| .1.3.6.1.4.1.7564.22.4 | Total number of IP packets received on all VIPs. |
| .1.3.6.1.4.1.7564.22.5 | Total number of IP packets sent out on all VIPs. |
| .1.3.6.1.4.1.7564.22.6 | Total number of IP bytes received on all VIPs. |
| .1.3.6.1.4.1.7564.22.7 | Total number of IP bytes sent out on all VIPs. |
| .1.3.6.1.4.1.7564.22.8 | A table of VIP statistics. |
| .1.3.6.1.4.1.7564.22.8.1 | An entry in the ipStatsTable, created for each VIP. |
| .1.3.6.1.4.1.7564.22.8.1.1 | The VIP statistics table index. |
| .1.3.6.1.4.1.7564.22.8.1.2 | The VIP address. |
| .1.3.6.1.4.1.7564.22.8.1.3 | Total number of IP packets received on the VIP. |
| .1.3.6.1.4.1.7564.22.8.1.4 | Total number of IP bytes received on the VIP. |
| .1.3.6.1.4.1.7564.22.8.1.5 | Total number of IP packets sent out on the VIP. |
| .1.3.6.1.4.1.7564.22.8.1.6 | Total number of IP bytes sent out on the VIP. |
| .1.3.6.1.4.1.7564.22.8.1.7 | The time statistics gathering was enabled for the VIP. |
| .1.3.6.1.4.1.7564.23.1 | The number of network interfaces present on this system. |
| .1.3.6.1.4.1.7564.23.2 | The total accumulated number of octets received on all the active interfaces (loopback is not included). |
| .1.3.6.1.4.1.7564.23.3 | The total accumulated number of octets transmitted out on all the active interfaces (loopback is not included). |
| .1.3.6.1.4.1.7564.23.4 | A table of interface statistics. The number of entries is given by the value of infNumber. |
| .1.3.6.1.4.1.7564.23.4.1 | An infTable entry for one interface. |
| .1.3.6.1.4.1.7564.23.4.1.1 | A unique value for each interface. Its value ranges between 1 and the value of infNumber. The value for each interface must remain constant at least from one re-initialization of the entity's network management system to the next re-initialization. |
| .1.3.6.1.4.1.7564.23.4.1.2 | Name of the interface. |
| .1.3.6.1.4.1.7564.23.4.1.3 | The current operational state of the interface (up or down). |
| .1.3.6.1.4.1.7564.23.4.1.4 | The interface's IP address. |
| .1.3.6.1.4.1.7564.23.4.1.5 | The total number of octets received on the interface, including framing characters. |
| .1.3.6.1.4.1.7564.23.4.1.6 | The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were not addressed to a multicast or broadcast address at this sub-layer. |
| .1.3.6.1.4.1.7564.23.4.1.7 | The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a multicast or broadcast address at this sub-layer. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime. This object is deprecated in favor of ifInMulticastPkts and ifInBroadcastPkts. |
| .1.3.6.1.4.1.7564.23.4.1.8 | The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent them from being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime. |
| .1.3.6.1.4.1.7564.23.4.1.9 | For packet-oriented interfaces, the number of inbound packets that contain errors preventing them from being deliverable to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of inbound transmission units that contain errors preventing them from being deliverable to a higher-layer protocol. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime. |
| .1.3.6.1.4.1.7564.23.4.1.10 | For packet-oriented interfaces, the number of packets received via the interface which were discarded because of an unknown or unsupported protocol. For character-oriented or fixed-length interfaces that support protocol multiplexing, the number of transmission units received via the interface which were discarded because of an unknown or unsupported protocol. For any interface that does not support protocol multiplexing, this counter will always be 0. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime. |
| .1.3.6.1.4.1.7564.23.4.1.11 | The total number of octets transmitted out of the interface, including framing characters. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime. |
| .1.3.6.1.4.1.7564.23.4.1.12 | The total number of packets that higher-level protocols request to be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime. |
| .1.3.6.1.4.1.7564.23.4.1.13 | The total number of packets that higher-level protocols request to be transmitted, and which were addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime. This object is deprecated in favor of ifOutMulticastPkts and ifOutBroadcastPkts. |
| .1.3.6.1.4.1.7564.23.4.1.14 | For packet-oriented interfaces, the number of outbound packets that could not be transmitted because of errors. For character-oriented or fixed-length interfaces, the number of outbound transmission units that could not be transmitted because of errors. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime. |
| .1.3.6.1.4.1.7564.24.1.1 | The number of Syslog notifications that have been sent. This number can include notifications that were prevented from being transmitted due to reasons such as resource limitations and/or non-connectivity. If one is receiving notifications, one can periodically poll this object to determine if any notifications were missed. If so, a poll of the logHistoryTable might be appropriate. |
| .1.3.6.1.4.1.7564.24.1.2 | Indicates whether logMessageGenerated notifications will or will not be sent when a Syslog message is generated by the device. Disabling notifications does not prevent Syslog messages from being added to the logHistoryTable. |
| .1.3.6.1.4.1.7564.24.1.3 | Indicates which Syslog severity levels will be processed. Any Syslog message with a severity value greater than this value will be ignored by the agent. Note: the severity numeric values increase as their severity decreases, e.g. error(4) is more severe than debug(8). |
| .1.3.6.1.4.1.7564.24.2.1 | The upper limit on the number of entries that the logHistoryTable can contain. A value of 0 will prevent any history from being retained. When this table is full, the oldest entry will be deleted and a new one will be created. |
| .1.3.6.1.4.1.7564.24.2.2 | A table of Syslog messages generated by this device. All 'interesting' Syslog messages (i.e. severity <= logMaxSeverity) are entered into this table. |
| .1.3.6.1.4.1.7564.24.2.2.1 | A Syslog message that was previously generated by this device. Each entry is indexed by a message index. |
| .1.3.6.1.4.1.7564.24.2.2.1.1 | A monotonically increasing integer for the sole purpose of indexing messages. When it reaches the maximum value the agent flushes the table and wraps the value back to 1. |
| .1.3.6.1.4.1.7564.24.2.2.1.2 | The severity of the message. |
| .1.3.6.1.4.1.7564.24.2.2.1.3 | The text of the message. If the text of the message exceeds 255 bytes, the message will be truncated to 254 bytes and a '*' character will be appended, indicating that the message has been truncated. |
| .1.3.6.1.4.1.7564.24.3.1 | When a syslogTrap message is generated by the device, a syslogTrap notification is sent. The sending of these notifications can be enabled/disabled via the logNotificationsEnabled object. |
| .1.3.6.1.4.1.7564.25.1 | The number of times ClickTCP connections have made a direct transition to the SYN-SENT state from the CLOSED state. |
| .1.3.6.1.4.1.7564.25.2 | The number of times ClickTCP connections have made a direct transition to the SYN-RCVD state from the LISTEN state. |
| .1.3.6.1.4.1.7564.25.3 | The number of times ClickTCP connections have made a direct transition to the CLOSED state from either the SYN-SENT state or the SYN-RCVD state, plus the number of times TCP connections have made a direct transition to the LISTEN state from the SYN-RCVD state. |
| .1.3.6.1.4.1.7564.25.4 | The number of times ClickTCP connections have made a direct transition to the CLOSED state from either the ESTABLISHED state or the CLOSE-WAIT state. |
| .1.3.6.1.4.1.7564.25.5 | The number of ClickTCP connections for which the current state is either ESTABLISHED or CLOSE-WAIT. |
| .1.3.6.1.4.1.7564.25.6 | The total number of ClickTCP segments received, including those received in error. This count includes segments received on currently established connections. |
| .1.3.6.1.4.1.7564.25.7 | The total number of ClickTCP segments sent, including those on current connections but excluding those containing only retransmitted octets. |
| .1.3.6.1.4.1.7564.25.8 | The total number of segments retransmitted, that is, the number of ClickTCP segments transmitted containing one or more previously transmitted octets. |
| .1.3.6.1.4.1.7564.25.9 | The total number of segments received in error (for example, bad ClickTCP checksums). |
| .1.3.6.1.4.1.7564.25.10 | The number of ClickTCP segments sent containing the RST flag. |
| .1.3.6.1.4.1.7564.25.11 | A table containing ClickTCP connection-specific information. |
| .1.3.6.1.4.1.7564.25.11.1 | A conceptual row of the ctcpConnTable containing information about a particular current TCP connection. Each row of this table is transient, in that it ceases to exist when (or soon after) the connection makes the transition to the CLOSED state. |
| .1.3.6.1.4.1.7564.25.11.1.1 | A unique value for each ClickTCP connection. |
| .1.3.6.1.4.1.7564.25.11.1.2 | The state of this TCP connection. The only value which can be set by a management station is deleteTCB(12). Accordingly, it is appropriate for an agent to return a 'badValue' response if a management station attempts to set this object to any other value. If a management station sets this object to the value deleteTCB(12), then this has the effect of deleting the TCB (as defined in RFC 793) of the corresponding connection on the managed node, resulting in immediate termination of the connection. As an implementation-specific option, an RST segment can be sent from the managed node to the other TCP endpoint (note however that RST segments are not sent reliably). |
| .1.3.6.1.4.1.7564.25.11.1.3 | The local IP address for this TCP connection. In the case of a connection in the listen state which is willing to accept connections for any IP interface associated with the node, the value 0.0.0.0 is used. |
| .1.3.6.1.4.1.7564.25.11.1.4 | The local port number for this TCP connection. |
| .1.3.6.1.4.1.7564.25.11.1.5 | The remote IP address for this TCP connection. |
| .1.3.6.1.4.1.7564.25.11.1.6 | The remote port number for this TCP connection. |
| .1.3.6.1.4.1.7564.28.1 | Total number of bytes received. |
| .1.3.6.1.4.1.7564.28.2 | Total number of bytes sent. |
| .1.3.6.1.4.1.7564.28.3 | Number of bytes received per second. |
| .1.3.6.1.4.1.7564.28.4 | Number of bytes sent per second. |
| .1.3.6.1.4.1.7564.28.5 | Peak received bytes per second. |
| .1.3.6.1.4.1.7564.28.6 | Peak sent bytes per second. |
| .1.3.6.1.4.1.7564.28.7 | Number of currently active transactions. |
| .1.3.6.1.4.1.7564.30.1 | Current percentage of CPU utilization. |
| .1.3.6.1.4.1.7564.30.2 | Number of connections per second. |
| .1.3.6.1.4.1.7564.30.3 | Number of requests per second. |
| .1.3.6.1.4.1.7564.31.1.1 | The number of <Virtual Site ID, login, logout> combo pairs that are involved in the virtual site. |
| .1.3.6.1.4.1.7564.31.1.2 | A table containing virtual site statistics. |
| .1.3.6.1.4.1.7564.31.1.2.1 | The entry in virtualSiteStatsTable. |
| .1.3.6.1.4.1.7564.31.1.2.1.1 | Reference index for virtual site (Virtual Site ID, login, logout) combo. |
| .1.3.6.1.4.1.7564.31.1.2.1.2 | Virtual site name ID. |
| .1.3.6.1.4.1.7564.31.1.2.1.3 | Virtual site active sessions. |
| .1.3.6.1.4.1.7564.31.1.2.1.4 | Virtual site successful logins. |
| .1.3.6.1.4.1.7564.31.1.2.1.5 | Virtual site failed logins. |
| .1.3.6.1.4.1.7564.31.1.2.1.6 | Virtual site error logins. |
| .1.3.6.1.4.1.7564.31.1.2.1.7 | Virtual site successful logouts. |
| .1.3.6.1.4.1.7564.31.1.2.1.8 | Number of bytes in per virtual site. |
| .1.3.6.1.4.1.7564.31.1.2.1.9 | Number of bytes out per virtual site. |
1.3.6.1.4.1.7564.31.1.2.1.10   Virtual site maximum active sessions.
1.3.6.1.4.1.7564.31.1.2.1.15   Virtual site user locked out upon login.
1.3.6.1.4.1.7564.31.1.2.1.16   Virtual site user rejected upon login.
1.3.6.1.4.1.7564.31.1.2.1.17   Virtual site IP list.
1.3.6.1.4.1.7564.31.1.2.1.18   Virtual site domain list.
1.3.6.1.4.1.7564.31.1.2.1.19   Number of backend server bytes in per virtual site.
1.3.6.1.4.1.7564.31.1.2.1.20   Number of backend server bytes out per virtual site.
                               The number of <Virtual Site ID, login, logout> combo pairs that
1.3.6.1.4.1.7564.32.1.1
                               is involved in the virtual site.
1.3.6.1.4.1.7564.32.1.2        A table containing virtual site statistics.
1.3.6.1.4.1.7564.32.1.2.1      The entry in vpnStatsTable.
1.3.6.1.4.1.7564.32.1.2.1.1    Reference index for VPN (Virtual Site ID, login, logout) combo.
1.3.6.1.4.1.7564.32.1.2.1.2    Virtual site ID.
1.3.6.1.4.1.7564.32.1.2.1.3    VPN tunnels open.
1.3.6.1.4.1.7564.32.1.2.1.4    VPN tunnels established.
1.3.6.1.4.1.7564.32.1.2.1.5    VPN tunnels rejected.
1.3.6.1.4.1.7564.32.1.2.1.6    VPN tunnels terminated.
1.3.6.1.4.1.7564.32.1.2.1.7    Number of bytes coming in.
1.3.6.1.4.1.7564.32.1.2.1.8    Number of bytes going out.
1.3.6.1.4.1.7564.32.1.2.1.9    Number of unauthorized packets in.
1.3.6.1.4.1.7564.32.1.2.1.10   Number of bytes of application inbound traffic.
1.3.6.1.4.1.7564.32.1.2.1.11   Number of bytes of application outbound traffic.
                               The number of <Virtual Site ID, AuthorizedReq,
1.3.6.1.4.1.7564.33.1.1        webUnauthorizedReq> combo pairs that is involved in the
                               virtual site.
1.3.6.1.4.1.7564.33.1.2        A table containing virtual site statistics.
1.3.6.1.4.1.7564.33.1.2.1      The entry in webStatsTable.
                               Reference index for Web (Virtual Site ID, AuthorizedReq,
1.3.6.1.4.1.7564.33.1.2.1.1
                               webUnauthorizedReq) combo.
1.3.6.1.4.1.7564.33.1.2.1.2    Virtual site name ID.
1.3.6.1.4.1.7564.33.1.2.1.3    Web authorized requests.
1.3.6.1.4.1.7564.33.1.2.1.4    Web unauthorized requests.
1.3.6.1.4.1.7564.33.1.2.1.5    Number of bytes in by web.
1.3.6.1.4.1.7564.33.1.2.1.6    Number of bytes out by web.
1.3.6.1.4.1.7564.33.1.2.1.7    Number of backend server bytes in by web.
1.3.6.1.4.1.7564.33.1.2.1.8    Number of backend server bytes out by web.
1.3.6.1.4.1.7564.36.1.1        The number of <Group ID, session count, max session count> combo pairs that are involved in the virtualSiteGroup.
1.3.6.1.4.1.7564.36.1.2        A table containing virtual site group statistics.
1.3.6.1.4.1.7564.36.1.2.1      The entry in virtualSiteStatsTable.
1.3.6.1.4.1.7564.36.1.2.1.1    Reference index for virtual site group (Group ID, session count, max session count) combo.
1.3.6.1.4.1.7564.36.1.2.1.2   Virtual site group ID.
virtualSiteGroupActiveSessions Virtual site group active sessions.
1.3.6.1.4.1.7564.36.1.2.1.4   Virtual site group maximum active sessions.
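The login-failure and rejection counters listed above (users locked out or rejected upon login, VPN tunnels rejected, unauthorized packets, web unauthorized requests) are the columns a monitoring job would watch for credential-stuffing or brute-force attempts against the portal. The following is an added example, not code from the Array Networks handbook or the product: it diffs two successive polls of those columns and flags large increases. The ".1" row index, the sample values and the function names are constructed for the example; the counters are assumed to be 32-bit unsigned and to wrap at most once between polls.

```python
# Column OIDs taken from the OID list above (Array Networks enterprise arc 7564).
WATCH = {
    "1.3.6.1.4.1.7564.31.1.2.1.15": "users locked out upon login",
    "1.3.6.1.4.1.7564.31.1.2.1.16": "users rejected upon login",
    "1.3.6.1.4.1.7564.32.1.2.1.5": "VPN tunnels rejected",
    "1.3.6.1.4.1.7564.32.1.2.1.9": "unauthorized packets in",
    "1.3.6.1.4.1.7564.33.1.2.1.4": "web unauthorized requests",
}

# Constructed sample polls, one interval apart (not device output). Instance OIDs
# carry an assumed row index ".1" for the first virtual site.
POLL_T0 = {
    "1.3.6.1.4.1.7564.31.1.2.1.15.1": 3,
    "1.3.6.1.4.1.7564.31.1.2.1.16.1": 120,
    "1.3.6.1.4.1.7564.32.1.2.1.5.1": 7,
    "1.3.6.1.4.1.7564.32.1.2.1.9.1": 4294967290,
    "1.3.6.1.4.1.7564.33.1.2.1.4.1": 50,
    "1.3.6.1.4.1.7564.32.1.2.1.7.1": 10_000_000,   # bytes in: traffic, not an auth signal
}
POLL_T1 = {
    "1.3.6.1.4.1.7564.31.1.2.1.15.1": 48,
    "1.3.6.1.4.1.7564.31.1.2.1.16.1": 134,
    "1.3.6.1.4.1.7564.32.1.2.1.5.1": 9,
    "1.3.6.1.4.1.7564.32.1.2.1.9.1": 12,           # wrapped past 2^32 since T0
    "1.3.6.1.4.1.7564.33.1.2.1.4.1": 51,
    "1.3.6.1.4.1.7564.32.1.2.1.7.1": 90_000_000,
}


def column_of(instance_oid):
    """Strip the row index: '...31.1.2.1.15.1' -> '...31.1.2.1.15'."""
    return instance_oid.rsplit(".", 1)[0]


def counter_delta(prev, curr, width=32):
    """Increase between two readings of an unsigned counter, allowing one wrap (assumed width)."""
    if curr >= prev:
        return curr - prev
    return (1 << width) - prev + curr


def flag_spikes(prev_poll, curr_poll, threshold):
    """Return (instance OID, description, increase) for watched counters that rose by >= threshold."""
    alerts = []
    for oid in sorted(curr_poll):
        column = column_of(oid)
        if column not in WATCH or oid not in prev_poll:
            continue                      # traffic counters and new rows are skipped
        increase = counter_delta(prev_poll[oid], curr_poll[oid])
        if increase >= threshold:
            alerts.append((oid, WATCH[column], increase))
    return alerts


if __name__ == "__main__":
    for oid, what, inc in flag_spikes(POLL_T0, POLL_T1, threshold=10):
        print(f"{oid}: {what} +{inc} since last poll")
```

In a deployment the two dictionaries would be filled from a GET or walk of these columns for every row of the table, and the threshold tuned per virtual site; a raw count of lockouts is noisy on its own, so the per-interval increase is what should drive an alert.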
.1.3.6.1.4.1.7564.251.1       This trap is sent when the agent starts.
.1.3.6.1.4.1.7564.251.2       This trap is sent when the agent terminates.
.1.3.6.1.4.1.7564.251.3       This trap is sent automatically to remind you of the number of days remaining on the license.
Float                         A single precision floating-point number. The semantics and
                              encoding are identical to type 'single' defined in IEEE Standard
                              for Binary Floating-Point, ANSI/IEEE Std 754-1985. The value
                              is restricted to the BER serialization of the following ASN.1
                              type: FLOATTYPE ::= [120] IMPLICIT FloatType (note: the
                              value 120 is the sum of '30'h and '48'h). The BER serialization of
                              the length for values of this type must use the definite-length,
                              short encoding form. For example, the BER serialization of
                              value 123 of type FLOATTYPE is '9f780442f60000'h (the tag
                              is '9f78'h; the length is '04'h; and the value is '42f60000'h). The
                              BER serialization of value '9f780442f60000'h of data type
                              Opaque is '44079f780442f60000'h (the tag is '44'h; the length
                              is '07'h; and the value is '9f780442f60000'h).
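The Float encoding described above, worked through as an added example (not code from the Array Networks handbook or the product): it builds the FLOATTYPE encoding of 123, wraps it in Opaque, and parses an Opaque value back, applying the tag and length checks a receiver should make before trusting the payload. The function names are the example's own.

```python
import struct

# FLOATTYPE ::= [120] IMPLICIT FloatType. Tag number 120 does not fit the five
# low bits of a single identifier octet, so BER uses the high-tag-number form:
# 0x9f = context-specific class, primitive, escape value 31; 0x78 = 120 itself.
FLOAT_TAG = b"\x9f\x78"
OPAQUE_TAG = 0x44            # BER tag of the SNMP Opaque type


def encode_float(value):
    """BER-encode an IEEE 754 single as FLOATTYPE: tag 9f78, length 04, payload."""
    payload = struct.pack(">f", value)           # big-endian IEEE 754 single
    return FLOAT_TAG + bytes([len(payload)]) + payload


def wrap_opaque(inner):
    """Wrap an already BER-encoded value in Opaque with a definite short-form length."""
    if len(inner) > 127:
        raise ValueError("short-form length cannot exceed 127 octets")
    return bytes([OPAQUE_TAG, len(inner)]) + inner


def decode_opaque_float(data):
    """Parse Opaque{FLOATTYPE} and return the float; reject anything malformed."""
    if len(data) < 2 or data[0] != OPAQUE_TAG:
        raise ValueError("not an Opaque value")
    length = data[1]
    if length & 0x80:
        raise ValueError("only the definite short-form length is permitted")
    inner = data[2:2 + length]
    if len(inner) != length or len(data) != 2 + length:
        raise ValueError("Opaque length does not match the data")
    # The payload must be exactly: 9f 78 04 <four octets of IEEE 754 single>
    if len(inner) != 7 or inner[:2] != FLOAT_TAG or inner[2] != 4:
        raise ValueError("Opaque payload is not a FLOATTYPE")
    return struct.unpack(">f", inner[3:])[0]


def is_valid_opaque_float(data):
    """True if data parses as Opaque{FLOATTYPE}, False otherwise."""
    try:
        decode_opaque_float(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    float_ber = encode_float(123.0)
    opaque_ber = wrap_opaque(float_ber)
    print(float_ber.hex())       # 9f780442f60000
    print(opaque_ber.hex())      # 44079f780442f60000
    print(decode_opaque_float(opaque_ber))
```

The decoder insists on the exact shape the handbook specifies (Opaque, short-form length, tag '9f78'h, length 4), so a truncated or padded value from an agent is rejected rather than silently unpacked.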
SyslogSeverity                The severity of a Syslog message. The enumeration values are
                              equal to the values that Syslog uses plus 1. For example, Syslog
                              emergency=0 is reported here as 1.