0% found this document useful (0 votes)

42 views888 pages

ZXSEC US CLI Reference Guide

ZTE Reference Guide

Uploaded by

Teodorescu Silviu

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

42 views888 pages

ZXSEC US CLI Reference Guide

ZTE Reference Guide

Uploaded by

Teodorescu Silviu

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 888

ZXSEC US

Command Line Interface (CLI)

Reference Guide

Version 1.0

ZTE CORPORATION
ZTE Plaza, Keji Road South,
Hi-Tech Industrial Park,
Nanshan District, Shenzhen,
P. R. China
518057
Tel: (86) 755 26771900 800-9830-9830
Fax: (86) 755 26772236
URL: http://support.zte.com.cn
E-mail: doc@zte.com.cn
LEGAL INFORMATION

Copyright © 2006 ZTE CORPORATION.

The contents of this document are protected by copyright laws and international treaties. Any reproduction or
distribution of this document or any portion of this document, in any form by any means, without the prior written
consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by
contractual confidentiality obligations.

All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE
CORPORATION or of their respective owners.

This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions
are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,
title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the
use of or reliance on the information contained herein.

ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications
covering the subject matter of this document. Except as expressly provided in any written license between ZTE
CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter
herein.

The contents of this document and all policies of ZTE CORPORATION, including without limitation policies related to
support or training are subject to change without notice.

Revision History

Date Revision No. Serial No. Reason for Revision

July 22, 2008 R1.0 sjzl20082506 First edition
ZTE CORPORATION
Values Your Comments & Suggestions!
Your opinion is of great value and will help us improve the quality of our product
documentation and offer better services to our customers.
Please fax to: (86) 755-26772236; or mail to Documentation R&D Department,
ZTE CORPORATION, ZTE Plaza, A Wing, Keji Road South, Hi-Tech Industrial Park,
Shenzhen, P. R. China 518057.
Thank you for your cooperation!

Document
ZXSEC US CLI Reference Guide
Name
Document Revision
Product Version V1.0 R1.0
Number
Equipment Installation Date

Presentation:
(Introductions, Procedures, Illustrations, Completeness, Level of Detail, Organization,
Appearance)
Good Fair Average Poor Bad N/A

Your evaluation Accessibility:

of this
(Contents, Index, Headings, Numbering, Glossary)
documentation
Good Fair Average Poor Bad N/A

Intelligibility:
(Language, Vocabulary, Readability & Clarity, Technical Accuracy, Content)
Good Fair Average Poor Bad N/A

Please check the suggestions which you feel can improve this documentation:
Improve the overview/introduction Make it more concise/brief
Improve the Contents Add more step-by-step procedures/tutorials
Improve the organization Add more troubleshooting information
Include more figures Make it less technical
Your Add more examples Add more/better quick reference aids
suggestions for Add more detail Improve the index
improvement of
this Other suggestions
documentation __________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
# Please feel free to write any comments on an attached sheet.

If you wish to be contacted regarding your comments, please complete the following:
Name Company
Postcode Address
Telephone E-mail
This page is intentionally blank.
Contents

About this Manual ........................................................ xvii

What is in This Manual ........................................................ xvii
Conventions ..................................................................... xviii
How to Get in Touch............................................................xix
What’s new ........................................................................ xx

Chapter 1.......................................................................... 1

Using the CLI.................................................................... 1

Overview ............................................................................. 1
CLI Command Syntax ......................................................1
Administrator Access .......................................................2
Connecting to the CLI ......................................................4
Connecting to the ZXSEC US Console....................................... 4
Setting Administrative Access on an Interface ........................... 5
Connecting to the ZXSEC US CLI using SSH .............................. 6
Connecting to the ZXSEC US CLI using Telnet ........................... 7
Connecting to the ZXSEC US CLI using the Web-based Manager .. 7
CLI Objects ....................................................................8
CLI Command Branches ...................................................9
Config Branch....................................................................... 9
Get Branch ........................................................................ 12
Show Branch...................................................................... 15
Execute Branch .................................................................. 16
Diagnose Branch................................................................. 16
Example Command Sequences ............................................. 16
CLI Basics .................................................................... 19
Command Help................................................................... 20
Command Completion ......................................................... 20
Recalling Commands ........................................................... 20
Editing Commands .............................................................. 20
Line Continuation ................................................................ 21
Command Abbreviation........................................................ 21
Environment Variables .........................................................21
Encrypted Password Support.................................................22
Entering Spaces in Strings ....................................................22
Entering Quotation Marks in Strings ....................................... 23
Entering a Question Mark (?) in a String ................................. 23
International Characters.......................................................23
Special Characters...............................................................23
IP Address Formats .............................................................24
Editing the Configuration File ................................................24
Setting Screen Paging ..........................................................25
Changing the Baud Rate .......................................................25
Using Perl Regular Expressions..............................................25

Chapter 2........................................................................ 29

Working with Virtual Domains ...................................... 29

Overview ...........................................................................29
Enabling virtual domain configuration .............................. 30
Accessing Commands in Virtual Domain Configuration ........ 30
Creating and Configuring VDOMs..................................... 31
Creating a VDOM.................................................................31
Assigning Interfaces to a VDOM.............................................31
Setting VDOM Operating Mode ..............................................32
Changing Back to NAT/Route Mode ........................................32
Configuring inter-VDOM routing ...................................... 33
Changing the management VDOM ................................... 34
Creating VDOM Administrators ........................................ 35
Troubleshooting ARP Traffic on VDOMs............................. 35
Duplicate ARP Packets..........................................................35
Multiple VDOMs Solution.......................................................36
Forward-domain Solution .....................................................36
Global ......................................................................... 37
Syntax ........................................................................ 37
VDOM ......................................................................... 40
Syntax...............................................................................41

Chapter 3........................................................................ 45

Alertemail....................................................................... 45
Overview ...........................................................................45
Setting ........................................................................ 45

Chapter 4........................................................................ 53

Antivirus......................................................................... 53
Overview ........................................................................... 53
Filepattern ................................................................... 53
Grayware..................................................................... 55
Heuristic ...................................................................... 57
Quarantine................................................................... 58
Quarfilepattern ............................................................. 62
Service ........................................................................ 63
How File Size Limits Work .................................................... 64

Chapter 5........................................................................ 67

Firewall........................................................................... 67
Overview ........................................................................... 67
Address, Address6 ........................................................ 68
Addrgrp, Addrgrp6 ........................................................ 70
Dnstranslation .............................................................. 71
GTP (US Carrier) ........................................................... 73
IP Macbinding Setting .................................................... 85
IP Macbinding Table ...................................................... 87
IP Pool......................................................................... 89
LDB-Monitor ................................................................. 90
Multicast-Policy............................................................. 92
Policy, Policy6............................................................... 94
Use the Following Steps to Configure NAT in Transparent Mode 110
Profile ....................................................................... 111
Schedule Onetime ....................................................... 175
Schedule Recurring ..................................................... 177
Service Custom .......................................................... 178
Service Group............................................................. 180
VIP ........................................................................... 182
VIP GRP..................................................................... 201

Chapter 6...................................................................... 205

GUI ............................................................................... 205

Overview ......................................................................... 205
Console ..................................................................... 205
Topology ................................................................... 206

Chapter 7......................................................................207

IMP2P...........................................................................207
Overview ......................................................................... 207
AIM-user ................................................................... 207
ICQ-user.................................................................... 208
MSN-user................................................................... 209
Old-version ................................................................ 210
Policy ........................................................................ 211
Yahoo-user ................................................................ 212

Chapter 8......................................................................215

IPS................................................................................215
Overview ......................................................................... 215
DoS .......................................................................... 215
Config Limit...................................................................... 216
Custom ..................................................................... 219
Decoder..................................................................... 220
Global ....................................................................... 220
Rule .......................................................................... 222
Sensor ...................................................................... 223

Chapter 9......................................................................229

LOG ...............................................................................229
Overview ......................................................................... 229
Custom-field .............................................................. 230
{disk | Usla | memory | syslogd | webtrends | Usservice}
filter.......................................................................... 231
Disk Setting ............................................................... 237
Usla Setting ............................................................... 242
Usservice Setting ........................................................ 243
Memory Setting .......................................................... 244
Memory Global Setting................................................. 245
Syslogd Setting .......................................................... 247
Webtrends Setting ...................................................... 249
Trafficfilter ................................................................. 250
Config Rule ...................................................................... 251
Report Customization .................................................. 252
Report Definition......................................................... 253
Report Filter ............................................................... 254
Report Output ............................................................ 255
Report Period ............................................................. 257
Report Schedule ......................................................... 258
Report Scope.............................................................. 259
Report Selection ......................................................... 261
Report Summary-layout ............................................... 262

Chapter 10.................................................................... 265

Notification (US Carrier).............................................. 265

Overview ......................................................................... 265
Notification ................................................................ 265

Chapter 11.................................................................... 267

Router........................................................................... 267
Overview ......................................................................... 267
Access-list.................................................................. 268
Aspath-list ................................................................. 271
Auth-path .................................................................. 272
BGP .......................................................................... 274
Config Router BGP ............................................................ 277
Config Admin-Distance ...................................................... 282
Config Aggregate-Address .................................................. 283
Config Neighbor................................................................ 284
Config Network................................................................. 290
Config Redistribute............................................................ 292
Community-list ........................................................... 293
Key-chain .................................................................. 296
Multicast .................................................................... 298
Sparse Mode .................................................................... 299
Dense Mode ..................................................................... 300
Syntax ............................................................................ 301
Config Router Multicast ...................................................... 302
Config Interface................................................................ 304
Config Pim-sm-global......................................................... 309
OSPF......................................................................... 314
Syntax............................................................................. 314
Config Router OSPF ........................................................... 317
Config Area ...................................................................... 321
Config Distribute-list .......................................................... 327
Config Neighbor ................................................................ 328
Config Network ................................................................. 329
Config OSPF-Interface........................................................ 329
Config Redistribute ............................................................ 334
Config Summary-Address ................................................... 335
Policy ........................................................................ 336
Prefix-list ................................................................... 340
RIP ........................................................................... 343
Config Router RIP.............................................................. 345
Config Distance................................................................. 347
Config Distribute-list .......................................................... 348
Config Interface ................................................................ 349
Config Neighbor ................................................................ 351
Config Network ................................................................. 352
Config Offset-list ............................................................... 353
Config Redistribute ............................................................ 354
Route-map................................................................. 355
Using Route Maps with BGP ................................................ 358
Static ........................................................................ 364
Static6 ...................................................................... 367

Chapter 12....................................................................369

Spamfilter.....................................................................369
Overview ......................................................................... 369
BWord ....................................................................... 369
Emailbwl.................................................................... 372
USshield .................................................................... 374
IPBWL ....................................................................... 376
IPTrust ...................................................................... 377
MHeader .................................................................... 379
Options ..................................................................... 381
DNSBL....................................................................... 382
Chapter 13.................................................................... 385

System ......................................................................... 385

Overview ......................................................................... 385
Accprofile................................................................... 387
Admin ....................................................................... 391
Alertemail .................................................................. 397
ARP-table................................................................... 399
Auto-install ................................................................ 400
Autoupdate Clientoverride ............................................ 401
Autoupdate Override ................................................... 402
Autoupdate Push-update .............................................. 403
Autoupdate Schedule................................................... 404
Autoupdate Tunneling.................................................. 406
Aux........................................................................... 407
Bug-report ................................................................. 408
Console ..................................................................... 409
DHCP Reserved-address............................................... 410
DHCP Server .............................................................. 411
DNS .......................................................................... 417
FIPS-CC..................................................................... 418
Usla, Usla2, Usla3 ....................................................... 419
Usservice ................................................................... 421
Usservice-log.............................................................. 427
GI-GK (US Carrier)...................................................... 428
Global ....................................................................... 428
GRE-tunnel ................................................................ 442
Ha ............................................................................ 444
Interface.................................................................... 466
Ipv6-tunnel ................................................................ 491
mac-address-table ...................................................... 492
Management-tunnel .................................................... 493
Npu........................................................................... 494
Proxy-arp................................................................... 495
Eplacemsg admin ........................................................ 497
Replacemsg alertmail................................................... 498
Replacemsg auth ........................................................ 500
Replacemsg Usservice-wf ............................................. 504
Replacemsg ftp........................................................... 505
Replacemsg http ......................................................... 507
Replacemsg im ........................................................... 509
Replacemsg mail......................................................... 511
Replacemsg mm1 (US Carrier)...................................... 514
Replacemsg mm3 (US Carrier)...................................... 518
Replacemsg mm4 (US Carrier)...................................... 519
Replacemsg mm7 (US Carrier)...................................... 522
Replacemsg nntp ........................................................ 526
Replacemsg spam ....................................................... 528
Replacemsg sslvpn ...................................................... 530
Replacemsg-group (US Carrier)..................................... 531
Replacemsg-image (US Carrier) .................................... 535
Session-helper............................................................ 536
Session-sync .............................................................. 537
Session-ttl ................................................................. 543
Settings..................................................................... 544
Snmp community........................................................ 549
Snmp sysinfo ............................................................. 553
Switch-interface.......................................................... 554
Tos-based-priority....................................................... 555
Vdom-link .................................................................. 556
Wireless mac-filter ...................................................... 558
Wireless settings......................................................... 559
Zone ......................................................................... 563

Chapter 14....................................................................565

User ..............................................................................565
Overview ......................................................................... 565
Configuring users for authentication .............................. 566
Adgrp........................................................................ 567
Dynamic-profile (US Carrier) ........................................ 568
Endpoint-bwl (US Carrier) ............................................ 571
Endpoint-ip-filter (US Carrier) ....................................... 573
Endpoint-translation (US Carrier) .................................. 574
Fase.......................................................................... 576
Group........................................................................ 578
Ldap ......................................................................... 585
Local ......................................................................... 588
Peer .......................................................................... 590
Peergrp ..................................................................... 592
Radius ....................................................................... 593
Settings..................................................................... 596
Tacacs+..................................................................... 597

Chapter 15.................................................................... 599

Vpn ............................................................................... 599

Overview ......................................................................... 599
Certificate ca .............................................................. 600
Certificate crl.............................................................. 601
Certificate local ........................................................... 602
Certificate ocsp ........................................................... 603
Certificate remote ....................................................... 604
Ipsec concentrator ...................................................... 605
Ipsec USDesktop......................................................... 606
Ipsec manualkey......................................................... 607
Ipsec manualkey-interface ........................................... 612
Ipsec phase1 .............................................................. 616
Ipsec phase1-interface................................................. 628
Ipsec phase2 .............................................................. 644
Ipsec phase2-interface................................................. 655
L2tp .......................................................................... 664
Pptp .......................................................................... 666
Ssl monitor ................................................................ 668
Ssl settings ................................................................ 668
Ssl web bookmarks ..................................................... 672
Ssl web bookmarks-group ............................................ 673
Ssl web favorite .......................................................... 674

Chapter 16.................................................................... 677

Webfilter ...................................................................... 677

Overview ......................................................................... 677
Bword ....................................................................... 677
Exmword ................................................................... 679
Usservice ................................................................... 681
Ussrv-local-cat ........................................................... 684
Ussrv-local-rating........................................................ 684
Ussrv-ovrd ................................................................. 685
Urlfilter...................................................................... 687

Chapter 17....................................................................691

Execute.........................................................................691
Overview ......................................................................... 691
Backup ...................................................................... 693
Batch ........................................................................ 695
CUS reload................................................................. 695
CUS save ................................................................... 696
Clear system arp table ................................................. 697
Cli status-msg-only ..................................................... 697
Cli check-template-status............................................. 698
Date ......................................................................... 698
Dhcp lease-clear ......................................................... 699
Dhcp lease-list............................................................ 699
Disconnect-admin-session ............................................ 699
Factoryreset ............................................................... 700
Formatlogdisk............................................................. 700
Usservice-log update ................................................... 700
Fsae refresh ............................................................... 701
Ha disconnect............................................................. 701
Ha manage ................................................................ 702
Ha synchronize ........................................................... 704
Interface dhcpclient-renew ........................................... 705
Interface pppoe-reconnect ........................................... 705
Log delete-all ............................................................. 706
Log delete-filtered....................................................... 706
Log delete-rolled ......................................................... 707
Log display ................................................................ 707
Log filter.................................................................... 708
Log USanalzyer test-connectivity................................... 710
Log list ...................................................................... 711
Log roll ...................................................................... 712
Modem dial ................................................................ 712
Modem hangup ........................................................... 712
Mrouter clear.............................................................. 712
Ping .......................................................................... 713
Ping-options ............................................................... 714
Ping6 ........................................................................ 716
Reboot ...................................................................... 716
Restore...................................................................... 717
Router clear bgp ......................................................... 719
Router clear bfd .......................................................... 720
Router clear ospf process ............................................. 720
Router restart............................................................. 720
Send-fds-statistics ...................................................... 721
Et-next-reboot............................................................ 721
Shutdown .................................................................. 721
Ssh ........................................................................... 722
Telnet ....................................................................... 722
Time ......................................................................... 722
Traceroute ................................................................. 723
Update-av.................................................................. 723
Update-ips ................................................................. 724
Update-now ............................................................... 724
Upd-vd-license ........................................................... 725
Usb-disk .................................................................... 725
Vpn certificate ca ........................................................ 725
Vpn certificate crl ........................................................ 727
Vpn certificate local ..................................................... 728
Vpn certificate remote ................................................. 731
Vpn sslvpn del-tunnel .................................................. 732
Vpn sslvpn del-web ..................................................... 733

Chapter 18.................................................................... 735

Get ................................................................................ 735

Overview ......................................................................... 735
Chassis Status ............................................................ 736
Firewall Service Predefined ........................................... 738
GUI Console Status ..................................................... 739
GUI Topology Status ................................................... 740
Hardware Status ......................................................... 740
IPS Decoder ............................................................... 741
IPS Rule .................................................................... 741
IPSec Tunnel List ........................................................ 742
Router Info BGP.......................................................... 743
Router Info BFD .......................................................... 746
Router Info Multicast ................................................... 746
Router Info OSPF ........................................................ 749
Router Info Protocols ................................................... 751
Router Info RIP........................................................... 752
Router Info Routing-table............................................. 753
System Admin List ...................................................... 753
System Admin Status .................................................. 754
System ARP ............................................................... 755
System Central-mgmt Status........................................ 756
System Checksum....................................................... 756
System CMDB Status................................................... 756
System Dashboard ...................................................... 757
System Usla-Connectivity............................................. 758
System Usservice-log-Service Status ............................. 758
System Usservice-service Status ................................... 759
System HA Status ....................................................... 759
About the HA cluster index and the execute ha manage command
...................................................................................... 764
System Info Admin SSH............................................... 768
System Info Admin Status............................................ 768
System Performance Status.......................................... 769
System Session List .................................................... 770
System Session Status ................................................ 772
System Status ............................................................ 773

Figures..........................................................................775

Tables ...........................................................................777

Index ............................................................................783
Chapter 1 About this Manual

About this Manual

This document describes how to use the ZXSEC US Command

Line Interface (CLI).

What is in This Manual

This Manual contains the following chapters:

TABLE 1 CHAPTER SUMM ARY

Chapter Summary
Chapter 1, Using the Describes how to connect to and use the
CLI ZXSEC US CLI.
Chapter 2, Working Describes how to create and administer
with Virtual Domains multiple VDOMs. It also explains how
enabling vdom-admin changes the way
you work with the CLI.
Chapter 3, Alertemail It is an alphabetic reference to the
commands used to configure alertemail.
Chapter 4, Antivirus It is an alphabetic reference to the
commands used to configure antivirus
features.
Chapter 5, Firewall It is an alphabetic reference to the
commands used to configure firewall
policies and settings.
Chapter 6, GUI It is an alphabetic reference to the
commands used to set preferences for the
web-based manager CLI console and
topology viewer.
Chapter 7, IMP2P IMP2P is an alphabetic reference to the
commands used to configure user access
to Instant Messaging and Person-to-Person
applications.
Chapter 8, IPS IPS is an alphabetic reference to the
commands used to configure intrusion
detection and prevention features.
Chapter 9, LOG Log is an alphabetic reference to the
commands used to configure logging.
Chapter 10, Notification It is an alphabetic reference to the
(US Carrier) commands used to configure US Carrier

Confidential and Proprietary Information of ZTE CORPORATION xvii

ZXSEC US CLI Reference Guide

Chapter Summary
event notification.
Chapter 11, Router Router is an alphabetic reference to the
commands used to configure routing.
Chapter 12, Spamfilter Spamfilter is an alphabetic reference to
the commands used to configure spam
filtering features.
Chapter 13, System system is an alphabetic reference to the
commands used to configure the
ZXSEC US system settings.
Chapter 14, User User is an alphabetic reference to the
commands used to configure authorized
user accounts and groups.
Chapter 15, Vpn VPN is an alphabetic reference to the
commands used to configure ZXSEC US
VPNs.
Chapter 16, Webfilter Webfilter is an alphabetic reference to the
commands used to configure web content
filtering.
Chapter 17, Execute Execute is an alphabetic reference to the
execute commands, which provide some
useful utilities such as ping and traceroute,
and some commands used for
maintenance tasks.
Chapter 18, Get Get is an alphabetic reference to
commands that retrieve status information
about the ZXSEC US unit.

Note:
Diagnose commands are also available from the ZXSEC US CLI.
These commands are used to display system information and for
debugging. Diagnose commands are intended for advanced
users only, and they are not covered in this document. Contact
USnet technical support before using these commands.

Conventions
Typographical ZTE documents employ the following typographical conventions.
Conventions
TABLE 2 TYPOGRAPHICAL CONVENTIONS

Typeface Meaning
Italics References to other Manuals and documents.
“Quotes” Links on screens.
Bold Menus, menu options, function names, input
fields, radio button names, check boxes, drop-
down lists, dialog box names, window names.

xviii Confidential and Proprietary Information of ZTE CORPORATION

Chapter 1 About this Manual

Typeface Meaning
CAPS Keys on the keyboard and buttons on screens
and company name.
Constant width Text that you type, program code, files and
directory names, and function names.
[] Optional parameters.
{} Mandatory parameters.
| Select one of the parameters that are delimited
by it.
Note: Provides additional information about a
certain topic.

Mouse TABLE 3 MOUSE OPERATION CONVENTIONS

Operation
Conventions Typeface Meaning
Click Refers to clicking the primary mouse button (usually
the left mouse button) once.
Double-click Refers to quickly clicking the primary mouse button
(usually the left mouse button) twice.
Right-click Refers to clicking the secondary mouse button
(usually the right mouse button) once.
Drag Refers to pressing and holding a mouse button and
moving the mouse.

How to Get in Touch

The following sections provide information on how to obtain
support for the documentation and the software.
Customer If you have problems, questions, comments, or suggestions
Support regarding your product, contact us by e-mail at
support@zte.com.cn. You can also call our customer support
center at (86) 755 26771900 and (86) 800-9830-9830.
Documentation ZTE welcomes your comments and suggestions on the quality
Support and usefulness of this document. For further questions,
comments, or suggestions on the documentation, you can
contact us by e-mail at doc@zte.com.cn; or you can fax your
comments and suggestions to (86) 755 26772236. You can also
browse our website at http://support.zte.com.cn, which contains
various interesting subjects like documentation, knowledge base,
forum and service request.

Confidential and Proprietary Information of ZTE CORPORATION xix

Administrator Access
The access profile you are assigned in your administrator
account controls which CLI commands you can access. You need
read access to view configurations and write access to make
changes. Access control in access profiles is divided into groups,
as follows:

T AB L E 4 AC C E S S P R O F I L E C O N T R O L O F AC C E S S T O CLI C OM M AN D S

Access control group Available CLI commands

Admin Users (admingrp) system admin system accprofile

2 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 1 Using the CLI

Antivirus Configuration
antivirus
(avgrp)
Auth Users (authgrp) user
Firewall Configuration
firewall
(fwgrp)
USProtect Update system autoupdate execute update-av
(updategrp) execute update-ips execute update-now
IM, P2P & VoIP
Configuration imp2p
(imp2pgrp)
IPS Configuration
ips
(ipsgrp)
alertemail log
Log & Report (loggrp)
system Usla execute log
execute backup execute batch
Maintenance (mntgrp) execute formatlogdisk execute restore
execute usb-disk
Network Configuration system arp-table system dhcp system
(netgrp) interface system zone
execute clear system arp table
execute dhcp lease-clear execute dhcp
lease-list execute interface
Router Configuration router
(routegrp) execute mrouter execute router
Spamfilter Configuration spamfilter
(spamgrp)
System Configuration system except accprofile, admin, arp-
(sysgrp) table, autoupdate Usla, interface and
zone.
execute cus execute date execute deploy
execute disconnect-admin- session
execute factoryreset execute ha
execute ping execute ping6
execute ping-options execute reboot
execute set-next-reboot execute
shutdown
execute ssh execute telnet execute time
execute traceroute
VPN Configuration vpn
(vpngrp) execute vpn
Webfilter Configuration webfilter
(webgrp)

Confidential and Proprietary Information of ZTE CORPORATION 3

ZXSEC US CLI Reference Guide

Connecting to the CLI

You can use a direct console connection, SSH, Telnet or the
web-based manager to connect to the ZXSEC US CLI.
Connecting to the ZXSEC US console
Setting administrative access on an interface
Connecting to the ZXSEC US CLI using SSH
Connecting to the ZXSEC US CLI using Telnet
Connecting to the ZXSEC US CLI using the web-based
manager

Connecting to the ZXSEC US

Console
Only the admin administrator or a regular administrator of the
root domain can log in by connecting to the console interface.
You need:
a computer with an available communications port
a null modem cable, provided with your ZXSEC US unit, to
connect the ZXSEC US console port and a communications
port on your computer
terminal emulation software such as HyperTerminal for
Windows

Note:
The following procedure describes how to connect to the ZXSEC
US CLI using Windows HyperTerminal software. You can use any
terminal emulation program.
To connect to the CLI
1. Connect the ZXSEC US console port to the available
communications port on your computer.
2. Make sure the ZXSEC US unit is powered on.
3. Start HyperTerminal, enter a name for the connection, and
select OK.
4. Configure HyperTerminal to connect directly to the
communications port on the computer to which you have
connected the ZXSEC US console port.
5. Select OK.
6. Select the following port settings and select OK.
Bits per second 9600 (115200 for the ZXSEC US550)
Data bits 8

4 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 1 Using the CLI

Parity None
Stop bits 1
Flow control None
7. Press Enter to connect to the ZXSEC US CLI.
A prompt similar to the following appears (shown for the
ZXSEC US550): ZXSEC US550 login:
8. Type a valid administrator name and press Enter.
9. Type the password for this administrator and press Enter.
The following prompt appears:
Welcome!
You have connected to the ZXSEC US CLI, and you can enter
CLI commands.

Setting Administrative Access on an

Interface
To perform administrative functions through a ZXSEC US
network interface, you must enable the required types of
administrative access on the interface to which your
management computer connects. Access to the CLI requires SSH
or Telnet access. If you want to use the web-based manager,
you need HTTPS or HTTP access.
To use the web-based manager to configure ZXSEC US
interfaces for SSH or Telnet access, see the ZXSEC US
Administration Guide.
To use the CLI to configure SSH or Telnet access
1. Connect and log into the CLI using the ZXSEC US console
port and your terminal emulation software.
2. Use the following command to configure an interface to
accept SSH connections:
config system interface
edit <interface_name>
set allowaccess <access_types>
end
Where <interface_name> is the name of the ZXSEC US interface
to be configured to allow administrative access and
<access_types> is a whitespace- separated list of access types
to enable.
For example, to configure the internal interface to accept HTTPS
(web-based manager), SSH and Telnet connections, enter:
config system interface

Confidential and Proprietary Information of ZTE CORPORATION 5

ZXSEC US CLI Reference Guide

edit <name_str>
set allowaccess https ssh telnet
end

Note:
Remember to press Enter at the end of each line in the
command example. Also, type end and press Enter to commit
the changes to the ZXSEC US configuration.
3. To confirm that you have configured SSH or Telnet access
correctly, enter the following command to view the access
settings for the interface:
get system interface <name_str>
The CLI displays the settings, including allowaccess, for the
named interface.
Other access methods
The procedure above shows how to allow access only for Telnet
or only for SSH.
If you want to allow both or any of the other management
access types you must include all the options you want to apply.
For example to allow PING, HTTPS and SSH access to an
interface, the set portion of the command is set allowaccess ping
https ssh.

Connecting to the ZXSEC US CLI

using SSH
Secure Shell (SSH) provides strong secure authentication and
secure communications to the ZXSEC US CLI from your internal
network or the internet. Once the ZXSEC US unit is configured to
accept SSH connections, you can run an SSH client on your
management computer and use this client to connect to the
ZXSEC US CLI.

Note:
A maximum of 5 SSH connections can be open at the same time.
To connect to the CLI using SSH
1. Install and start an SSH client.
2. Connect to a ZXSEC US interface that is configured for SSH
connections.
3. Type a valid administrator name and press Enter.
4. Type the password for this administrator and press Enter.
The ZXSEC US model name followed by a # is displayed.

6 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 1 Using the CLI

You have connected to the ZXSEC US CLI, and you can enter
CLI commands.

Connecting to the ZXSEC US CLI

using Telnet
You can use Telnet to connect to the ZXSEC US CLI from your
internal network or the Internet. Once the ZXSEC US unit is
configured to accept Telnet connections, you can run a Telnet
client on your management computer and use this client to
connect to the ZXSEC US CLI.

Caution:
Telnet is not a secure access method. SSH should be used to
access the ZXSEC US CLI from the Internet or any other
unprotected network.

Note:
A maximum of 5 Telnet connections can be open at the same
time.
To connect to the CLI using Telnet
1. Install and start a Telnet client.
2. Connect to a ZXSEC US interface that is configured for Telnet
connections.
3. Type a valid administrator name and press Enter.
4. Type the password for this administrator and press Enter.
The following prompt appears:
Welcome!
You have connected to the ZXSEC US CLI, and you can enter CLI
commands.

Connecting to the ZXSEC US CLI

using the Web-based Manager
The web-based manager also provides a CLI console that can be
detached as a separate window.
To connect to the CLI using the web-based manager
1. Connect to the web-based manager and log in.
2. For information about how to do this, see the ZXSEC US
Administration Guide.

Confidential and Proprietary Information of ZTE CORPORATION 7

ZXSEC US CLI Reference Guide

3. Go to System > Status.

If you do not see the CLI Console display, select Add Content
> CLI Console.
4. Click in the CLI Console display to connect.

CLI Objects
The ZXSEC US CLI is based on configurable objects. The top-
level objects are the basic components of ZXSEC US
functionality.

TABLE 5 CLI OBJECTS

Alertemail sends email to designated recipients

== [ internal ]
name: internal
mode: static
ip: 192.168.20.200 255.255.255.0
status: up
netbios-forward: disable
type: physical ip6-address: ::/0
ip6-send-adv: disable
== [ external ]
name: external
mode: static
ip: 192.168.100.99 255.255.255.0
status: up
netbios-forward: disable
type: physical ip6-address: ::/0
ip6-send-adv: disable
...
Example
When you type get in the internal interface shell, the
configuration values for the internal interface are displayed.
edit internal
At the (internal)# prompt, type:
get
The screen displays:
name : internal
allowaccess : ping https ssh
arpforword : enable
cli_conn_status: 0
detectserver : (null)
gwdetect : disable
ip : 192.168.20.200 255.255.255.0
and so on.
Example
You are working in the config system global shell and want to
see information about the ZXSEC US interfaces.
At the (global)# prompt, type:
get system interface
The screen displays:

Confidential and Proprietary Information of ZTE CORPORATION 13

ZXSEC US CLI Reference Guide

== [ internal ]
name: internal
mode: static
ip: 192.168.20.200 255.255.255.0
status: up
netbios-forward: disable
type: physical ip6-address: ::/0
ip6-send-adv: disable
== [ external ]
name: external
mode: static
ip: 192.168.100.99 255.255.255.0
status: up
netbios-forward: disable
type: physical ip6-address: ::/0
ip6-send-adv: disable
...
Example
You want to confirm the IP address and netmask of the internal
interface from the root prompt.
At the # prompt, type:
get system interface internal
The screen displays:
name : internal
allowaccess : ping https ssh
arpforword : enable
cli_conn_status : 0
detectserver : (null)
gwdetect : disable
ip: 192.168.20.200 255.255.255.0
ip6-address: ::/0
ip6-default-life: 1800
...

14 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 1 Using the CLI

Show Branch
Use show to display the ZXSEC US unit configuration. By default,
only changes to the default configuration are displayed. Use
show full-configuration to display the complete configuration.
You can use show within a config shell to display the
configuration of that shell, or you can use show with a full path
to display the configuration of the specified object.
To display the configuration of all objects, you can use show
from the root prompt. The root prompt is the ZXSEC US host or
model name followed by a #.
Example
When you type show and press Enter within the internal
interface shell, the changes to the default internal interface
configuration are displayed.
At the (internal)# prompt, type:
show
The screen displays:
config system interface
edit internal
set allowaccess ssh ping https
set ip 192.168.20.200 255.255.255.0
next
end
Example
You are working in the internal interface shell and want to see
the system global configuration. At the (internal)# prompt, type:
show system global
The screen displays:
config system global
set admintimeout 5
set authtimeout 15
set failtime 5
set hostname 'ZXSEC US550'
set interval 5
set lcdpin 123456
set ntpserver '132.246.168.148'
set syncinterval 60
set timezone 04
end

Confidential and Proprietary Information of ZTE CORPORATION 15

ZXSEC US CLI Reference Guide

Execute Branch
Use execute to run static commands, to reset the ZXSEC US unit
to factory defaults, to back up or restore ZXSEC US
configuration files. The execute commands are available only
from the root prompt.
The root prompt is the ZXSEC US host or model name followed
by a #.
Example
At the root prompt, type:
execute reboot
and press Enter to restart the ZXSEC US unit.

Diagnose Branch
Commands in the diagnose branch are used for debugging the
operation of the ZXSEC US unit and to set parameters for
displaying different levels of diagnostic information. The
diagnose commands are not documented in this CLI Reference
Guide.

Caution:
Diagnose commands are intended for advanced users only.
Contact USnet technical support before using these commands.

Example Command Sequences

Note:
Interface names vary for different ZXSEC US models. The
following examples use the interface names for a ZXSEC US550
unit.
To configure the primary and secondary DNS server addresses
1. Starting at the root prompt, type:
config system dns
and press Enter. The prompt changes to (dns)#.
2. At the (dns)# prompt, type ?
The following options are displayed.
set unset get show abort end
3. Type set ?

16 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 1 Using the CLI

The following options are displayed.

primary secondary domain
dns-cache-limit
cache-not-found-responses
4. To set the primary DNS server address to 172.16.100.100,
type:
set primary 172.16.100.100
and press Enter.
5. To set the secondary DNS server address to 207.104.200.1,
type:
set secondary 207.104.200.1
and press Enter.
6. To restore the primary DNS server address to the default
address, type unset primary and press Enter.
7. To restore the secondary DNS server address to the default
address, type unset secondary and press Enter.
8. If you want to leave the config system dns shell without
saving your changes, type abort and press Enter.
9. To save your changes and exit the dns sub-shell, type end
and press Enter.
10. To confirm your changes have taken effect after leaving the
dns sub-shell, type get system dns and press Enter.
To add two secondary IP addresses to the internal interface
1. Starting at the root prompt, type:
config system interface
and press Enter. The prompt changes to (interface)#.
2. At the (interface)# prompt, type ?
The following options are displayed.
edit
delete
purge
rename
get
show
end
3. At the (interface)# prompt, type:
edit internal
and press Enter. The prompt changes to (internal)#.
4. At the (internal)# prompt, type ?

Confidential and Proprietary Information of ZTE CORPORATION 17

ZXSEC US CLI Reference Guide

The following options are displayed.

config set unset get show next abort end
5. At the (internal)# prompt, type:
config secondaryip
and press Enter. The prompt changes to (secondaryip)#.
6. At the (secondaryip)# prompt, type ?
The following options are displayed.
edit delete purge rename get show end
7. To add a secondary IP address with the ID number 0, type:
edit 0
and press Enter. The prompt changes to (0)#.
8. At the (0)# prompt, type ?
The following options are displayed.
set
unset
get
show
next
abort
end
9. Type set ?
The following options are displayed.
allowaccess
detectserver
gwdetect
ip
10. To set the secondary IP address with the ID number 0 to
192.168.100.100 and the netmask to 255.255.255.0, type:
set ip 192.168.100.100 255.255.255.0
and press Enter.
11.To add another secondary IP address to the internal interface,
type next and press Enter.
The prompt changes to (secondaryip)#.
12. To add a secondary IP address with the ID number 1, type:
edit 1
and press Enter. The prompt changes to (1)#.
13. To set the secondary IP address with the ID number 1 to
192.168.100.90 and the netmask to 255.255.255.0, type:

18 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 1 Using the CLI

set ip 192.168.100.90 255.255.255.0

and press Enter.
14. To restore the secondary IP address with the ID number 1 to
the default, type unset ip and press Enter.
15. If you want to leave the secondary IP address 1 shell without
saving your changes, type abort and press Enter.
16. To save your changes and exit the secondary IP address 1
shell, type end and press Enter.
The prompt changes to (internal)#.
17. To delete the secondary IP address with the ID number 1,
type delete 1 and press Enter.
18. To save your changes and exit the internal interface shell,
type end and press Enter.
19. To confirm your changes have taken effect after using the
end command, type get system interface internal and press
Enter.

CLI Basics
This section includes:
Command help
Command completion
Recalling commands
Editing commands
Line continuation
Command abbreviation
Environment variables
Encrypted password support
Entering spaces in strings
Entering quotation marks in strings
Entering a question mark (?) in a string
International characters
Special characters
IP address formats
Editing the configuration file
Setting screen paging
Changing the baud rate
Using Perl regular expressions

Confidential and Proprietary Information of ZTE CORPORATION 19

ZXSEC US CLI Reference Guide

Command Help
You can press the question mark (?) key to display command
help.
Press the question mark (?) key at the command prompt to
display a list of the commands available and a description of
each command.
Type a command followed by a space and press the question
mark (?) key to display a list of the options available for that
command and a description of each option.
Type a command followed by an option and press the
question mark (?) key to display a list of additional options
available for that command option combination and a
description of each option.

Command Completion
You can use the tab key or the question mark (?) key to
complete commands.
You can press the tab key at any prompt to scroll through
the options available for that prompt.
You can type the first characters of any command and press
the tab key or the question mark (?) key to complete the
command or to scroll through the options that are available
at the current cursor position.
After completing the first word of a command, you can press
the space bar and then the tab key to scroll through the
options available at the current cursor position.

Recalling Commands
You can recall previously entered commands by using the Up
and Down arrow keys to scroll through commands you have
entered.

Editing Commands
Use the Left and Right arrow keys to move the cursor back and
forth in a recalled command. You can also use the Backspace
and Delete keys and the control keys listed in Table 3 to edit the
command.

20 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 1 Using the CLI

TABLE 6 CONTROL KEYS FOR EDITING COMM ANDS

Function Key combination

Beginning of line CTRL+A
End of line CTRL+E
Back one character CTRL+B
Forward one character CTRL+F
Delete current CTRL+D
character
Previous command CTRL+P
Next command CTRL+N
Abort the command CTRL+C
If used at the root CTRL+C
prompt, exit the CLI

Line Continuation
To break a long command over multiple lines, use a \ at the end
of each line.

Command Abbreviation
You can abbreviate commands and command options to the
smallest number of non-ambiguous characters. For example, the
command get system status can be abbreviated to g sy st.

Environment Variables
The ZXSEC US CLI supports the following environment variables.
$USERFROM The management access type (SSH, Telnet and so
on) and the IP address of the logged in
administrator.
$USERNAME The user account name of the logged in
administrator.
$SerialNum The serial number of the ZXSEC US unit.
Variable names are case sensitive. In the following example, the
unit hostname is set to the serial number.
config system global
set hostname $SerialNum
end

Confidential and Proprietary Information of ZTE CORPORATION 21

ZXSEC US CLI Reference Guide

Encrypted Password Support

After you enter a clear text password using the CLI, the ZXSEC
US unit encrypts the password and stores it in the configuration
file with the prefix ENC. For example:
show system admin user1
lists the user1 administrator password as follows:
config system admin
edit "user1"
set accprofile "prof_admin"
set password ENC XXNFKpSV3oIVk
next
end
It is also possible to enter an already encrypted password. For
example, type:
config system admin
and press Enter.
Type:
edit user1
and press Enter.
Type:
set password ENC XXNFKpSV3oIVk
and press Enter.
Type:
end
and press Enter.

Entering Spaces in Strings

When a string value contains a space, do one of the following:
Enclose the string in quotation marks, "Security
Administrator", for example.
Enclose the string in single quotes, 'Security Administrator',
for example.
Use a backslash (“\”) preceding the space, Security\
Administrator, for example.

22 Confidential and Proprietary Information of ZTE CORPORATION

Expression Matches
a.c an a followed by any single character (not
newline) followed by a c
a\.c a.c exactly
[abc] any one of a, b and c
[Aa]bc either of Abc and abc
[abc]+ any (nonempty) string of a's, b's and c's
(such as a, abba, acbabcacaa)
[^abc]+ any (nonempty) string which does not
contain any of a, b and c (such as deUS)
\d\d any two decimal digits, such as 42; same
as \d{2}
/i makes the pattern case insensitive. For
example, /bad language/i
blocks any instance of “bad language”
regardless of case.
\w+ a "word": a nonempty sequence of
alphanumeric characters and low lines
(underscores), such as foo and 12bar8 and
foo_1
100\s*mk the strings 100 and mk optionally
separated by any amount of white space
(spaces, tabs, newlines)
abc\b abc when followed by a word boundary
(e.g. in abc! but not in abcd)
perl\B perl when not followed by a word
boundary (e.g. in perlert but not in perl
stuff)
\x tells the regular expression parser to
ignore white space that is neither
backslashed nor within a character class.
You can use this to break up your regular
expression into (slightly) more readable
parts.

Confidential and Proprietary Information of ZTE CORPORATION 27

ZXSEC US CLI Reference Guide

This page is intentionally blank.

28 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 2

Working with Virtual

Domains

Overview
By default, the ZXSEC US unit has one virtual domain (root) and
one administrator (admin) with unrestricted access to the
system configuration. If you enable virtual domain configuration,
the super admin account can also:
Use the vdom command to create and configure additional
virtual domains.
Use the global command to create and assign administrators
to each virtual domain.
Use the global command to configure features that apply to
all virtual domains.
This section contains the following topics:
Enabling Virtual Domain Configuration
Accessing commands in virtual domain configuration
Creating and configuring VDOMs
Configuring inter-VDOM routing
Changing the management VDOM
Creating VDOM administrators
Troubleshooting ARP traffic on VDOMs
global
vdom

Confidential and Proprietary Information of ZTE CORPORATION 29

ZXSEC US CLI Reference Guide

Enabling virtual domain

configuration
The administrators with the super_admin profile can enable
virtual domain configuration through either the web-based
manager or the CLI. In the CLI, use the following command:
config system global
set vdom-admin enable
end
Log off and then log on again with a super_admin admin account.
By default, there is no password for the default admin account.

Accessing Commands in
Virtual Domain Configuration
When you log in as admin with virtual domain configuration
enabled, you have only four top-level commands:
config global Enter config global to access global commands.
In the global shell, you can execute commands
that affect all virtual domains, such as config
system autoupdate.
For a list of the global commands, see “global”.
config vdom Enter config vdom to access VDOM-specific
commands.
In the vdom shell, use the edit <vdom_name>
command to create a new VDOM or to edit the
configuration of an existing VDOM.
In the <vdom_name> shell, you can execute
commands to configure options that apply only
within the VDOM, such as config firewall policy.
For a list of VDOM-specific commands, see “vdom”.
When you have finished, enter next to edit
another vdom, or end.
get system status
see “vdom-link”.
exit Log off.

30 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 2 Working with Virtual Domains

Creating and Configuring

VDOMs
When virtual domain configuration is enabled, admin has full
access to the global ZXSEC US unit configuration and to the
configuration of each VDOM. All of the commands described in
this Reference are available to admin, but they are accessed
through a special top-level command shell.

Creating a VDOM
You create a new VDOM using the config vdom command. For
example, to create a new VDOM
called vdomain2, you enter the following:
config vdom
edit vdomain2
end
This creates a new VDOM operating in NAT/Route mode. You can
have up to 10 VDOMs on your ZXSEC US unit by default.
For this VDOM to be useful, you need to assign interfaces or
VLAN subinterfaces to it.

Assigning Interfaces to a VDOM

By default, all interfaces belong to the root domain. You can
reassign an interface or VLAN subinterface to another VDOM if
the interface is not already used in a VDOM-specific
configuration such as a firewall policy. Interfaces are part of the
global configuration of the ZXSEC US unit, so only the admin
account can configure them.
For example, to assign port3 and port4 to vdomain2, log on as
admin and enter the following commands:
config global
config system interface
edit port3
set vdom vdomain2
next
edit port4
set vdom vdomain2
end

Confidential and Proprietary Information of ZTE CORPORATION 31

ZXSEC US CLI Reference Guide

end

Setting VDOM Operating Mode

When you create a VDOM, its default operating mode is
NAT/Route. You can change the operating mode of each VDOM
independently.
Changing to Transparent Mode
When you change the operating mode of a VDOM from
NAT/Route to Transparent mode, you must specify the
management IP address and the default gateway IP address.
The following example shows how to change vdomain2 to
Transparent mode. The management IP address is
192.168.10.100, and the default gateway is 192.168.10.1:
config vdom
edit vdomain3
config system settings
set opmode transparent
set manageip 192.168.10.100 255.255.255.0
set gateway 192.168.10.1
end
For more information, see “system settings”.

Changing Back to NAT/Route Mode

If you change a Transparent mode VDOM back to NAT/Route
mode, you must specify which interface you will use for
administrative access and the IP address for that interface. This
ensures that administrative access is configured on the interface.
You must also specify the default gateway IP address and the
interface that connects to the gateway. For example,
config vdom
edit vdomain3
config system settings
set opmode nat
end
config system interface edit port1
set ip 192.168.10.100 255.255.255.0
end
For more information, see “system settings”.

32 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 2 Working with Virtual Domains

Configuring inter-VDOM
routing
By default, VDOMs are independent of each other and to
communicate they need to use physical interfaces that are
externally connected. By using the vdom-link command that was
added in US v3.0, this connection can be moved inside the
ZXSEC US unit, freeing up the physical interfaces. This feature
also allows you to determine the level of inter-VDOM routing you
want - only 2 VDOMs inter-connected, or interconnect all VDOMs.
The vdom-link command creates virtual interfaces, so you have
access to all the security available to physical interface
connections. These internal interfaces have the added bonus of
being faster the physical interfaces unless the CPU load is very
heavy. As of US v3.0 MR3, BGP is supported over inter-VDOM
links.
VDOM-links can also be configured through the web-based
management interface. For more information, see the ZXSEC US
Administration Guide.
In this example you already have configured two VDOMs called
v1 and v2. You want to set up a link between them. The
following command creates the VDOM link called v12_link. Once
you have the link in place, you need to bind the two ends of the
link to the VDOMs it will be connecting. Then you are free to
apply firewall policies or other security measures.
config global
config system vdom-link
edit v12_link
end
config system interface
edit v12_link0
set vdom v1
next
edit v12_link1
set vdom v2
next
end

Note:
When you are naming VDOM links you are limited to 8
characters for the base name. In the example below the link
name v12_link that is used is correct, but a link name of
v12_verylongname is too long.

Confidential and Proprietary Information of ZTE CORPORATION 33

ZXSEC US CLI Reference Guide

To remove the vdom-link, delete the vdom-link. You will not be

able to delete the ends of the vdom-link by themselves. To
delete the above set up, enter:
config global
config system vdom-link
delete v12_link
end

Note:
In an HA setup with virtual clusters, inter-VDOM routing must be
entirely within one cluster. You cannot create links between
virtual clusters, and you cannot move a VDOM that is linked into
another virtual cluster. In HA mode, with multiple vclusters
when you create the vdom-link in system vdom-link there is an
option to set which vcluster the link will be in.
Before inter-VDOM routing, VDOMs were completely separate
entities. Now, many new configurations are available such as a
service provider configuration (a number of VDOMS that go
through one main VDOM to access the internet) or a mesh
configuration (where some or all VDOMs are connected to some
or all other VDOMs). These configurations are discussed in-depth
in the ZXSEC US VLANs and VDOMs Guide.

Changing the management

VDOM
All management traffic leaves the ZXSEC US unit through the
management VDOM. Management traffic includes all external
logging, remote management, and other USnet services. By
default the management VDOM is root. You can change this to
another VDOM so that the traffic will leave your ZXSEC US unit
over the new VDOM.
You cannot change the management VDOM if any administrators
are using RADIUS authentication.
If you want to change the management VDOM to vdomain2, you
enter:
config global
config system global
set management-vdom vdomain2
end

34 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 2 Working with Virtual Domains

Creating VDOM
Administrators
The super_admin admin accounts can create regular
administrators and assign them to VDOMs. The system admin
command, when accessed by admin, includes a VDOM
assignment.
For example, to create an administrator, admin2, for VDOM
vdomain2 with the default profile prof_admin, you enter:
config global
config system admin
edit admin2
set accprofile prof_admin
set password hardtoguess
set vdom vdomain2
end
The admin2 administrator account can only access the vdomain2
VDOM and can connect only through an interface that belongs to
that VDOM. The VDOM administrator can access only VDOM-
specific commands, not global commands.

Troubleshooting ARP Traffic

on VDOMs
Address Resolution Protocol (ARP) traffic is vital to
communication on a network and is enabled on ZXSEC US
interfaces by default. Normally you want ARP packets to pass
through the ZXSEC US unit, especially if it is sitting between a
client and a server or between a client and a router.

Duplicate ARP Packets

ARP traffic can cause problems, especially in Transparent mode
where ARP packets arriving on one interface are sent to all other
interfaces, including VLAN subinterfaces. Some Layer 2 switches
become unstable when they detect the same MAC address
originating on more than one switch interface or from more than
one VLAN. This instability can occur if the Layer 2 switch does
not maintain separate MAC address tables for each VLAN.
Unstable switches may reset causing network traffic to slow
down.

Confidential and Proprietary Information of ZTE CORPORATION 35

ZXSEC US CLI Reference Guide

Multiple VDOMs Solution

One solution is to configure multiple VDOMs on the ZXSEC US
unit, one for each VLAN. This means one inbound and one
outbound VLAN interface in each virtual domain. ARP packets
are not forwarded between VDOMs.
By default, physical interfaces are in the root domain. Do not
configure any of your VLANs in the root domain.
As a result of this VDOM configuration, the switches do not
receive multiple ARP packets with the same source MAC but
different VLAN IDs, and the instability does not occur.

Forward-domain Solution
You may run into problems using the multiple VDOMs solution. It
is possible that you have more VLANs than licensed VDOMs, not
enough physical interfaces or your configuration may work
better by grouping some VLANs together. In these situations the
separate VDOMs solution may not work for you.
In these cases, the solution is to use the forward-domain
<collision_group_number> command. This command tags VLAN
traffic as belonging to a particular forward-domain collision
group, and only VLANs tagged as part of that collision group
receive that traffic. By default ports and VLANs are part of
forward-domain collision group 0. For more information, see the
ZXSEC US VLANs and VDOMs Guide.
There are many benefits for this solution from reduced
administration, to using fewer physical interfaces to being able
to allowing you more flexible network solutions.
In the following example, forward-domain collision group 340
includes VLAN 340 traffic on Port1 and untagged traffic on Port2.
Forward-domain collision group 341 includes VLAN 341 traffic on
Port1 and untagged traffic on Port3. All other ports are part of
forward-domain collision group 0 by default.
These are the CLI commands to accomplish this setup.
config system interface
edit “port1”
next
edit "port2"
set forward_domain 340
next
edit “port3”
set forward_domain 341

36 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 2 Working with Virtual Domains

next
edit "port1-340"
set forward_domain 340
set interface "port1"
set vlanid 340
next
edit "port1-341"
set forward_domain 341
set interface "port1"
set vlanid 341
next
end
There is a more detailed discussion of this issue in the
Asymmetric Routing and Other ZXSEC US Layer-2 Installation
Issues technical note.

Global
From the super_admin accounts, use this command to configure
features that apply to all virtual domains. Virtual domain
configuration (vdom-admin) must be enabled. See “system
global”.

Syntax
This command syntax shows how you access the commands
within config global. For information on these commands, refer
to the relevant sections in this Reference.
config global
config antivirus ...
config firewall service
config gui console
config imp2p ...
config ips ...
config log Usla setting
config log report definition
config log report filter
config log report output
config log report period

Confidential and Proprietary Information of ZTE CORPORATION 37

ZXSEC US CLI Reference Guide

config log report schedule

config log report scope
config log report selection
config log syslogd setting
config log webtrends setting
config spamfilter ...
config system accprofile
config system admin
config system alertemail
config system auto-install
config system autoupdate clientoverride
config system autoupdate override
config system autoupdate override
config system autoupdate push-update
config system autoupdate schedule
config system autoupdate tunneling
config system bug-report
config system console
config system dns
config system fips-cc
config system Usservice
config system gi-gk (US Carrier)
config system global
config system ha
config system interface
config system replacemsg admin
config system replacemsg alertmail
config system replacemsg auth
config system replacemsg Usservice-wf
config system replacemsg ftp
config system replacemsg http
config system replacemsg im
config system replacemsg mail
config system replacemsg mm1 (US Carrier)
config system replacemsg mm3 (US Carrier)
config system replacemsg mm4 (US Carrier)
config system replacemsg mm7 (US Carrier)
config system replacemsg nntp

38 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 2 Working with Virtual Domains

config system replacemsg spam

config system replacemsg sslvpn
config system replacemsg-group (US Carrier)
config system replacemsg-image (US Carrier)
config system session-helper
config system session-sync
config system snmp community
config system snmp sysinfo
config system vdom-link
config user dynamic-profile (US Carrier)
config vpn certificate ca
config vpn certificate crl
config vpn certificate local
config vpn certificate remote
config webfilter Usservice
execute backup
execute batch
execute central-mgmt
execute CUS reload
execute CUS save
execute cli
execute date
execute deploy
execute dhcp lease-list
execute disconnect-admin-session
execute factoryreset
execute formatlogdisk
execute fsae refresh
execute ha disconnect
execute ha manage
execute ha synchronize
execute log delete-all
execute log delete-filtered
execute log delete-rolled
execute log display
execute log filter
execute log list
execute log roll

Confidential and Proprietary Information of ZTE CORPORATION 39

ZXSEC US CLI Reference Guide

execute reboot
execute restore
execute set-next-reboot
execute shutdown
execute time
execute update-av
execute update-ips
execute update-now
execute usb-disk
execute vpn certificate ...
get firewall vip ...
end
Related topics
vdom

VDOM
From the super admin account, use this command to add and
configure virtual domains. The number of virtual domains you
can add is dependent on the ZXSEC US model. Virtual domain
configuration (vdom-admin) must be enabled. See “system
global”.
Once you add a virtual domain you can configure it by adding
zones, firewall policies, routing settings, and VPN settings. You
can also move physical interfaces from the root virtual domain
to other virtual domains and move VLAN subinterfaces from one
virtual domain to another.
By default all physical interfaces are in the root virtual domain.
You cannot remove an interface from a virtual domain if the
interface is part of any of the following configurations:
routing
proxy arp
DHCP server
zone
firewall policy
IP pool
redundant pair
link aggregate (802.3ad) group
Delete these items or modify them to remove the interface first.

40 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 2 Working with Virtual Domains

You cannot delete the default root virtual domain and you
cannot delete a virtual domain that is used for system
management.

Syntax
This command syntax shows how you access the commands
within config global. Refer to the relevant sections in this
Reference for information on these commands.
config vdom
edit <vdom_name>
config antivirus
config firewall address, address6
config firewall addrgrp, addrgrp6
config firewall dnstranslation
config firewall ipmacbinding setting
config firewall ipmacbinding table
config firewall ippool
config firewall multicast-policy
config firewall policy, policy6
config firewall schedule onetime
config firewall schedule recurring
config firewall service custom
config firewall service group
config firewall vip
config gui
config log {disk | Usla | memory | syslogd | webtrends |
Usservice} filter
config log Usla setting
config log memory setting
config log trafficfilter
config router ...
config system admin
config system arp-table
config system dhcp reserved-address
config system dhcp server
config system gre-tunnel
config system interface
config system ipv6-tunnel

Confidential and Proprietary Information of ZTE CORPORATION 41

ZXSEC US CLI Reference Guide

config system proxy-arp

config system session-ttl
config system settings
config system zone
config user adgrp
config user fsae
config user group
config user ldap
config user local
config user endpoint-bwl (US Carrier)
config user endpoint-translation (US Carrier)
config user peer
config user peergrp
config user radius
config vpn ...
execute backup execute date
execute deploy
execute dhcp lease-list
execute disconnect-admin-session
execute fsae refresh
execute ha disconnect
execute ha manage
execute ha synchronize
execute log delete-all
execute log delete-filtered
execute log delete-rolled
execute log display
execute log filter
execute log list
execute log roll
execute ping
execute ping-options
execute ping6
execute reboot
execute restore
execute router clear bgp
execute router clear ospf process
execute router restart

42 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 2 Working with Virtual Domains

execute set-next-reboot
execute traceroute
execute usb-disk
execute vpn sslvpn del-tunnel
next
edit <another_vdom>
config ...
execute ...
end
end

Variable Description Default

edit <vdom_name> Enter a new name to create a new
VDOM. Enter an existing
VDOM name to configure that
VDOM.
The VDOM you enter becomes the
current VDOM. A VDOM cannot
have the same name as a VLAN.
A VDOM name cannot exceed 11
characters in length.

Note:
The VDOM names vsys_ha and vsys_USfm are in use by the
ZXSEC US unit. If you attempt to name a new VDOM vsys_ha or
vsys_USfm it will generate an error.

Note:
Use config system settings set opmode {nat | transparent} to
set the operation mode for this VDOM to nat (NAT/Route) or
transparent.

Example
This example shows how to add a virtual domain called Test1.
config system vdom
edit Test1
end
Related topics
global

Confidential and Proprietary Information of ZTE CORPORATION 43

Chapter 3

Alertemail

Overview
Use alertemail commands to configure the ZXSEC US unit to
monitor logs for log messages with certain severity levels. If the
message appears in the logs, the ZXSEC US unit sends an email
to a predefined recipient(s) of the log message encountered.
Alert emails provide immediate notification of issues occurring
on the ZXSEC US unit, such as system failures or network
attacks.
By default, the alertemail commands do not appear if no SMTP
server is configured. An SMTP server is configured using the
system alertemail commands. See “system alertemail” for more
information.
When configuring an alert email, you must configure at least one
DNS server. The ZXSEC US unit uses the SMTP server name to
connect to the mail server and must look up this name on your
DNS server. See “dns” for more information about configuring
DNS servers.
This chapter contains the following section:
Setting

Setting
Use this command to configure the ZXSEC US unit to send an
alert email to up to three recipients. This command can also be
configured to send an alert email a certain number of days
before the UDS license expires and/or when the disk usage
exceeds a certain threshold amount. You need to configure an
SMTP server before configuring alert email settings. See “system
alertemail” for more information.

Confidential and Proprietary Information of ZTE CORPORATION 45

ZXSEC US CLI Reference Guide

Note:
The ZXSEC US unit must be able to look up the SMTP server
name on your DNS server because the ZXSEC US unit uses the
SMTP server to connect to the mail server. See “system dns” for
more information.
Syntax
config alertemail setting
set username <user-name-str>
set mailto1 <email-address-str>
set mailto2 <email-address-str>
set mailto3 <email-address-str>
set filter-mode <category> <threshold>
set email-interval <minutes-integer>
set severity {alert | critical | debug | emergency | error |
information | notification | warning}
set emergency-interval <minutes-integer>
set alert-interval <minutes-integer>
set critical-interval <minutes-integer>
set error-interval <minutes-integer>
set warning-interval <minutes-integer>
set notification-interval <minutes-integer>
set information-interval <minutes-integer>
set debug-interval <minutes-integer>
set IPS-logs {disable | enable}
set firewall-authentication-failure-logs {disable | enable}
set HA-logs {enable | disable}
set IPsec-error-logs {disable | enable}
set UDS-update-logs {disable | enable}
set PPP-errors-logs {disable | enable}
set sslvpn-authentication-errors-logs {disable | enable}
set antivirus-logs {disable | enable}
set webfilter-logs {disable | enable}
set configuration-changes-logs {disable | enable}
set violation-traffic-logs {disable | enable}
set admin-login-logs {disable | enable}
set local-disk-usage-warning {disable | enable}
set UDS-license-expiring-warning {disable | enable}
set UDS-license-expiring-days <integer>

46 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 3 Alertemail

set local-disk-usage <percentage>

set Usservice-log-quota-warning
end
end

TABLE 8 ALERTEMAIL SETTING

Keywords and Description Default

variables
username Enter a valid email address in the No
<user-name-str> format user@domain.com. This default.
address appears in the From header
of the alert email.
mailto1 Enter an email address. This is one No
<email-address- of the email addresses where the default.
str> ZXSEC US unit sends an alert email.

mailto2 Enter an email address. This is one No

<email-address- of the email addresses where the default.
str> ZXSEC US unit sends an alert email.

mailto3 Enter an email address. This is one No

<email-address- of the email addresses where the default.
str> ZXSEC US unit sends an alert email.

email-interval Enter the number of minutes the 5

<minutes- ZXSEC US unit should wait before
integer> sending out an alert email. This is
not available when filter- mode
threshold is enabled.
emergency- Enter the number of minutes the 1
interval ZXSEC US unit should wait before
<minutes- sending out alert email for
integer> emergency level messages. Only
available when filter-mode threshold
is entered.
alert-interval Enter the number of minutes the 2
<minutes- ZXSEC US unit should wait before
integer> sending out an alert email for alert
level messages. Only available when

Confidential and Proprietary Information of ZTE CORPORATION 47

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
filter-mode threshold is entered.
critical-interval Enter the number of minutes the 3
<minutes- ZXSEC US unit should wait before
integer> sending out an alert email for
critical level messages. Only
available when filter-mode threshold
is entered.
error-interval Enter the number of minutes the 5
<minutes- ZXSEC US unit should wait before
integer> sending out an alert email for error
level messages. Only available when
filter-mode threshold is entered.
warning-interval Enter the number of minutes the 10
<minutes- ZXSEC US unit should wait before
integer> sending out an alert email for
warning level messages. Only
available when filter-mode threshold
is entered.
notification- Enter the number of minutes the 20
interval ZXSEC US unit should wait before
<minutes- sending out an alert email for
integer> notification level messages. Only
available when filter-mode threshold
is entered.
information- Enter the number of minutes the 30
interval ZXSEC US unit should wait before
<minutes- sending out an alert email for
integer> information level messages. Only
available when filter-mode threshold
is entered.
debug-interval Enter the number of minutes the 60
<minutes- ZXSEC US unit should wait before
integer> sending out an alert email for debug
level messages. Only available when
filter-mode threshold is entered.
severity Select the logging severity level. alert
{alert | critical | This is only available when filter-
debug | mode threshold is entered. The
emergency | error ZXSEC US unit logs all messages at
| information | and above the logging severity level
notification | you select. For example, if you
warning} error, the unit logs error, critical,
alert, and emergency level
messages.
alert – Immediate action is required.
critical – Functionality is affected.
debug – Information used for
diagnosing or debugging the
ZXSEC US unit.
emergency – The system is
unusable.
error – An erroneous condition

48 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 3 Alertemail

Keywords and Description Default

variables
exists and functionality is probably
affected.
information – General information
about system operations
notification – Information about
normal events.
warning – Functionality might be
affected.
IPS-logs Enable or disable IPS logs. disable
{disable | enable}
firewall- Enable or disable firewall disable
authentication- authentication failure logs.
failure- logs
{disable | enable}
HA-logs Enable or disable high availability disable
{enable | disable} (HA) logs.

IPsec-error-logs Enable or disable IPSec error logs disable

{disable | enable}
UDS-update-logs Enable or disable UDS update logs. disable
{disable | enable}
PPP-errors-logs Enable or disable PPP error logs. disable
{disable | enable}
sslvpn- Enable or disable SSL VPN disable
authentication- authentication error logs.
errors-logs
{disable | enable}
antivirus-logs Enable or disable antivirus logs. disable
{disable | enable}
webfilter-logs Enable or disable web filter logs. disable
{disable | enable}
configuration- Enable or disable configuration disable
changes- logs changes logs.
{disable | enable}
violation-traffic- Enable or disable traffic violation disable
logs logs.
{disable | enable}
admin-login-logs Enable or disable admin login logs disable
{disable | enable}
local-disk-usage- Enable or disable local disk usage disable
warning warning in percent. For example
{disable | enable} enter the number 15 for a warning
when the local disk usage is at 15
percent. The number cannot be 0 or
100.

Confidential and Proprietary Information of ZTE CORPORATION 49

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
UDS-license- Enable or disable to receive an disable
expiring- warning email notification of the expire date
{disable | enable} of the UDS license.

UDS-license- Enter the number of days to be 15

expiring- days notified by email when the UDS
<integer> license expires. For example, if you
want notification five days in
advance, enter 5.
local-disk-usage Enter a number for when the local 75
<percentage> disk’s usage exceeds that number.

Usservice-log- Enter to receive an alert email when disable

quota- warning the Usservice Log & Analysis server
reaches its quota.

Examples
This example shows how to configure the user name, add three
email addresses for sending alerts to, and what type of emails
will contain which log messages, such as HA and antivirus.
config alertemail setting
set username ZXSEC US@ourcompany.com
set mail1 admin1@ourcompany.com
set mail2 admin2@ourcompany.com
set mail3 admin3@ourcompany.com
set filter-mode category
set HA-logs enable
set UDS-update-logs enable
set antivirus-logs enable
set webfilter-logs enable
set admin-login-logs enable
set violation-traffic-logs enable
end
Related topics
system alertemail
system dns

50 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 3 Alertemail

This page is intentionally blank.

Confidential and Proprietary Information of ZTE CORPORATION 51

Chapter 4

Antivirus

Overview
Use antivirus commands to configure antivirus scanning for
services, quarantine options, and to enable or disable grayware
and heuristic scanning.
This chapter contains the following sections:
filepattern
grayware
heuristic
quarantine
quarfilepattern
service

Filepattern
Use this command to add, edit or delete the file patterns used
for virus blocking and to set which protocols to check for files to
block.
If you need to add configuration via CLI that requires ? as part
of config, you need to input CTRL-V first. If you enter the
question mark (?) without first using CTRL-V, the question mark
has a different meaning in CLI: it will show available command
options in that section.
For example, if you enter ? without CTRL-V:
edit "*.xe
token line: Unmatched double quote.
If you enter ? with CTRL-V:
edit "*.xe?"
new entry '*.xe?' added

Confidential and Proprietary Information of ZTE CORPORATION 53

ZXSEC US CLI Reference Guide

Syntax
config antivirus filepattern
edit <filepattern_list_integer>
set name <filepattern_list>
set comment <filepattern_list_comment>
config entries
edit <filepattern_string>
set action <allow | block | intercept>
set active {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
set file-type {unknown | ignored | activemime | arj | aspack |
base64 | bat | binhex | bzip | bzip2 | cab | com | elf | exe | fsg |
genscript | gzip | hlp | hta | html | javascript | lzh | mime | msc |
msoffice | perlscript | petite | rar | shellscript | sis | tar | upx | uue |
vbs | zip} (US Carrier)
set filter-type {pattern | type} (US Carrier)
end

TABLE 9 FILEPATTERN SETTING

Keywords and variables Description Default

<filepattern_list_integer> A unique number to identify
the file pattern list.
<filepattern_list> The name of the file pattern
header list.
<filepattern_list_comment> The comment attached to
the file pattern header list.
<filepattern_string> The name of the file pattern
being configured. This can
be any character string.
action <allow | block | The action taken when a block
intercept> matching file is being
transferred via a set active
protocol.
Select allow to have the
ZXSEC US unit allow
matching files.
Select block to have the
ZXSEC US unit block
matching files.
Select intercept to
allow matching files,
with a copy sent to a
quarantine.
Note that the store-
intercepted command in
config antivirus quarantine
must also be configured to
quarantine intercepted

54 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 4 Antivirus

Keywords and variables Description Default

files. The intercept action is
supported in US Carrier.
active The action specified will Varies.
{ftp http im imap mm1 affect the file pattern in the
mm3 selected protocols.
mm4 mm7 nntp pop3 NNTP support for this
smtp} keyword will be added in
the future.
MM1, MM3, MM4, and MM7
traffic types supported in
US Carrier.

Related topics
antivirus heuristic
antivirus grayware
antivirus quarantine
antivirus quarfilepattern
antivirus service

Grayware
Use this command to enable or disable grayware scanning for
the specified category.
Grayware programs are unsolicited commercial software
programs that get installed on computers, often without the
user’s consent or knowledge. Grayware programs are generally
considered an annoyance, but these programs can cause system
performance problems or be used for malicious purposes.
The ZXSEC US unit scans for known grayware executable
programs in each category enabled. The category list and
contents are added or updated whenever the ZXSEC US unit
receives a virus update package. New categories may be added
at any time and are loaded with virus updates. By default, all
new categories are disabled.
Adware Adware is usually embedded in freeware programs
and causes ads to pop up whenever the program
is opened or used.
BHO BHOs (Browser Helper Objects) are DLL files that
are often installed as part of a software package
so the software can control the behavior of
Internet Explorer 4.x and higher. Not all BHOs are
malicious, but the potential exists to track surfing
habits and gather other information.
Dial Dialers allow others to use the PC modem to call
premium numbers or make long distance calls.

Confidential and Proprietary Information of ZTE CORPORATION 55

ZXSEC US CLI Reference Guide

Download Download components are usually run at Windows

startup and are designed to install or download
other software, especially advertising and dial
software.
Game Games are usually joke or nuisance games that
may be blocked from network users.
HackerTool
Hijacker Browser hijacking occurs when a ‘spyware’ type
program changes web browser settings, including
favorites or bookmarks, start pages, and menu
options.
Joke Joke programs can include custom cursors and
programs that appear to affect the system.
Keylog Keylogger programs can record every keystroke
made on a keyboard including passwords, chat,
and instant messages.
Misc The miscellaneous grayware category.
NMT Network management tools can be installed and
used maliciously to change settings and disrupt
network security.
P2P P2P, while a legitimate protocol, is synonymous
with file sharing programs that are used to swap
music, movies, and other files, often illegally.
Plugin Browser plugins can often be harmless Internet
browsing tools that are installed and operate
directly from the browser window. Some toolbars
and plugins can attempt to control or record and
send browsing preferences.
RAT Remote administration tools allow outside users to
remotely change and monitor a computer on a
network.
Spy Spyware, like adware, is often included with
freeware. Spyware is a tracking and analysis
program that can report users’ activities, such as
web browsing habits, to the advertiser’s web site
where it may be recorded and analyzed.
Toolbar While some toolbars are harmless, spyware
developers can use these toolbars to monitor web
habits and send information back to the developer.
Grayware scanning is enabled in a protection profile when Virus
Scan is enabled.
Syntax
config antivirus grayware <category_name_str>
set status {enable | disable}
end

56 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 4 Antivirus

TABLE 10 GRAYWARE SETTING

Keywords and variables Description Default

<category_name_str> The grayware category
being configured.
status {enable | disable} Enable or disable grayware disable
scanning for the specified
category.

Note:
The ZXSEC US CLI is case sensitive and the first letter of all
grayware category names is uppercase.
Example
This example shows how to enable grayware scanning for
Adware programs.
config antivirus grayware Adware
set status enable
end
Related topics
antivirus filepattern
antivirus heuristic
antivirus quarantine
antivirus quarfilepattern
antivirus service
system autoupdate schedule
execute update-av

Heuristic
Use this command to configure heuristic scanning for viruses in
binary files.
Syntax
config antivirus heuristic
set mode {pass | block | disable}
end

TABLE 11 HEURISTIC SETTING

Keywords and Description Default

variables

Confidential and Proprietary Information of ZTE CORPORATION 57

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
mode Enter pass to enable pass
{pass | block | disable} heuristics but pass detected
files to the recipient.
Suspicious files are
quarantined if quarantine is
enabled.
Enter block to enable
heuristics and block detected
files. A replacement message
is forwarded to the recipient.
Blocked files are quarantined
if quarantine is enabled.
Enter disable to disable
heuristics.

Example
This example shows how to disable heuristic scanning.
config antivirus heuristic
set mode disable
end
Related topics
antivirus filepattern
antivirus quarantine
antivirus quarfilepattern
antivirus servic

Quarantine
Use this command to set file quarantine options.
ZXSEC US units with a local disk can quarantine blocked and
infected files. The quarantined files are removed from the
content stream and stored on the ZXSEC US local disk. Users
receive a message informing them that the removed files have
been quarantined.
ZXSEC US units that do not have a local disk can quarantine
blocked and infected files to a Usla unit.
View the file names and status information about the file in the
quarantined file list. Submit specific files and add file patterns to
the autoupload list so they are automatically uploaded to USnet
for analysis.
Syntax
config antivirus quarantine
set agelimit <hours_integer>

58 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 4 Antivirus

set drop-blocked {ftp http im imap mm1 mm3 mm4 mm7 nntp
pop3 smtp}
set drop-heuristic {ftp http im imap mm1 mm3 mm4 mm7 nntp
pop3 smtp}
set drop-infected {ftp http im imap mm1 mm3 mm4 mm7 nntp
pop3 smtp}
set drop-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3
smtp} (US Carrier)
set lowspace {drop-new | ovrw-old}
set maxfilesize <MB_integer>
set quar-to-Usla {enable | disable}
set store-blocked {ftp http im imap mm1 mm3 mm4 mm7 nntp
pop3 smtp}
set store-heuristic {ftp http im imap mm1 mm3 mm4 mm7 nntp
pop3 smtp}
set store-infected {ftp http im imap mm1 mm3 mm4 mm7 nntp
pop3 smtp}
set store-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3
smtp} (US Carrier)
end

TABLE 12 QUARANTINE SETTING

Keywords and Description Default

variables
agelimit Specify how long files are kept in 0
<hours_integer> quarantine to a maximum of 479
hours. The age limit is used to
formulate the value in the TTL
column of the quarantined files list.
When the limit is reached the TTL
column displays EXP and the file is
deleted (although a record is
maintained in the quarantined files
list). Entering an age limit of 0
(zero) means files are stored on
disk indefinitely depending on low
disk space action.
drop-blocked Do not quarantine blocked files imap
{ftp http im imap found in traffic for the specified nntp
mm1 mm3 protocols. The files are deleted.
mm4 mm7 nntp NNTP support for this keyword will
pop3 smtp} be added in the future.
HTTP, FTP, MM1, MM3, MM4, and
MM7 traffic types supported in
US Carrier.
drop-heuristic Do not quarantine files found by http im
{ftp http im imap heuristic scanning in traffic for the imap
mm1 mm3 specified protocols. nntp
NNTP support for this keyword will pop3

Confidential and Proprietary Information of ZTE CORPORATION 59

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
mm4 mm7 nntp be added in the future. MM1, MM3, smtp
pop3 smtp} MM4, and MM7 traffic types
supported in US Carrier.
drop-infected Do not quarantine virus infected im imap
{ftp http im imap files found in traffic for the specified nntp
mm1 mm3 protocols.
mm4 mm7 nntp NNTP support for this keyword will
pop3 smtp} be added in the future. MM1, MM3,
MM4, and MM7 traffic types
supported in US Carrier.
drop-intercepted Do not quarantine intercepted files imap
{ftp http imap found in traffic for the specified smtp
mm1 mm3 protocols. The files are deleted. pop3
http ftp
mm4 mm7 pop3
mm1
smtp}
mm3
(US Carrier) mm4
mm7
lowspace Select the method for handling ovrw-old
{drop-new | ovrw- additional files when the ZXSEC US
old} hard disk is running out of space.
Enter ovwr-old to drop the oldest
file (lowest TTL), or drop-new to
drop new quarantine files.
maxfilesize Specify, in MB, the maximum file 0
<MB_integer> size to quarantine.
The ZXSEC US unit keeps any
existing quarantined files over the
limit. The ZXSEC US unit does not
quarantine any new files larger than
this value. The file size range is 0-
499 MB. Enter 0 for unlimited file
size.
quar-to-Usla For ZXSEC US units that do not disable
{enable | disable} have a local disc, send infected files
to a Usla unit.
store-blocked Quarantine blocked files found in No
{ftp http im imap traffic for the specified protocols. default.
mm1 mm3 NNTP support for this keyword will
mm4 mm7 nntp be added in the future.
pop3 smtp} HTTP, FTP, MM1, MM3, MM4, and
MM7 traffic types supported in
US Carrier.
store-heuristic Quarantine files found by heuristic No
{ftp http im imap scanning in traffic for the specified default.
mm1 mm3 protocols.
mm4 mm7 nntp NNTP support for this keyword will
pop3 smtp} be added in the future.
MM1, MM3, MM4, and MM7 traffic
types supported in US Carrier.

60 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 4 Antivirus

Keywords and Description Default

variables
store-infected Quarantine virus infected files found No
{ftp http im imap in traffic for the specified protocols. default.
mm1 mm3 NNTP support for this keyword will
mm4 mm7 nntp be added in the future.
pop3 smtp} MM1, MM3, MM4, and MM7 traffic
types supported in US
Carrier.
store-intercepted Quarantine intercepted files found imap
{ftp http imap in traffic for the specified protocols. smtp
mm1 mm3 pop3
http ftp
mm4 mm7 pop3
mm1
smtp}
mm3
(US Carrier) mm4
mm7

Example
This example shows how to set the quarantine age limit to 100
hours, not quarantine blocked files from SMTP and POP3 traffic,
not quarantine heuristic tagged files from SMTP and POP3 traffic,
set the quarantine to drop new files if the memory is full, set the
maximum file size to quarantine at 2 MB, quarantine files from
IMAP traffic with blocked status, quarantine files with heuristic
status in IMAP, HTTP, and FTP traffic.
config antivirus quarantine
set agelimit 100
set drop-blocked smtp pop3
set drop-heuristic smtp pop3
set lowspace drop-new
set maxfilesize 2
set store-blocked imap
set store-heuristic imap http ftp
end
Related topics
antivirus filepattern
antivirus heuristic
antivirus quarfilepattern
antivirus service

Confidential and Proprietary Information of ZTE CORPORATION 61

ZXSEC US CLI Reference Guide

Quarfilepattern
Use this command to configure the file patterns used by
automatic file uploading. This command is only available on
ZXSEC US units with a hard drive.
Configure the ZXSEC US unit to upload suspicious files
automatically to USnet for analysis. Add file patterns to be
uploaded to the autoupload list using the * wildcard character.
File patterns are applied for autoupload regardless of file
blocking settings.
Also upload files to USnet based on status (blocked or heuristics)
or submit individual files directly from the quarantined files list.
For more information, see antivirus quarantine.
Syntax
config antivirus quarfilepattern
edit pattern_str
set status {enable | disable}
end

TABLE 13 QUARFILEPATTERN SETTING

Keywords and Description Default

variables
pattern_str The file pattern to be quarantined.
status {enable | Enable or disable using a file disable
disable} pattern.

Example
Use the following commands to enable automatic upload of *.bat
files.
config antivirus quarfilepattern
edit *.bat
set status enable
end
Related topics
antivirus filepattern
antivirus heuristic
antivirus quarantine
antivirus service

62 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 4 Antivirus

Service
Use this command to configure how the ZXSEC US unit handles
antivirus scanning of large files in HTTP, HTTPS, FTP, POP3,
IMAP, and SMTP traffic and what ports the ZXSEC US unit scans
for these services.
For HTTPS, you can only configure the ports.
Syntax
config antivirus service <service_str>
set port <port_integer>
set scan-bzip2 {enable | disable}
set uncompnestlimit <depth_integer>
set uncompsizelimit <MB_integer>
end

TABLE 14 SERVICE SETTING

Keywords and Description Default

variables
<service_str> The service being configured:
HTTP, HTTPS, FTP, IM, IMAP,
NNTP, POP3, SMTP.
port Configure antivirus scanning on HTTP: 80
<port_integer> a nonstandard port number or HTTPS: 443
multiple port numbers for the
FTP: 21
service. Use ports from the
IMAP: 143
range 1-65535. Add up to 20
ports. NNTP: 119
POP3: 110
SMTP: 25
scan-bzip2 Enable to allow the antivirus disable
{enable | engine to scan the contents of
disable} bzip2 compressed files.
Requires antivirus engine 1.90
for full functionality. Bzip2
scanning is extemely CPU
intensive.
Unless this feature is required,
leave scan-bzip2 disabled.
uncompnestlimit Set the maximum number of 12
<depth_integer> archives in depth the AV engine
will scan with nested archives.
The limit is from 2 to 100. The
supported compression formats
are arj, bzip2, cab, gzip, lha,
lzh, msc, rar, tar, and zip. Bzip2
support is disabled by default.
uncompsizelimit Set the maximum 10 (MB)
<MB_integer> uncompressed file size that can

Confidential and Proprietary Information of ZTE CORPORATION 63

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
be buffered to memory for virus
scanning. Enter a value in
megabytes between 1 and the
maximum oversize threshold.
Enter “?” to display the range
for your ZXSEC US unit. Enter 0
for no limit
(not recommended).

Note:
If the file in uncompnestlimit has more levels than the limit you
set, or if the file in uncompsizelimit is larger than the limit you
set, the file will pass through without being virus scanned.

How File Size Limits Work

The uncompsizelimit applies to the uncompressed size of the file.
If other files are included within the file, the uncompressed size
of each one is checked against the uncompsizelimit value. If any
one of the uncompressed files is larger than the limit, the file is
passed without scanning, but the total size of all uncompressed
files within the original file can be greater than the
uncompsizelimit.
Example
This example shows how to set the maximum uncompressed file
size that can be buffered to memory for scanning at 15 MB, and
how to enable antivirus scanning on ports 70, 80, and 443 for
HTTP traffic.
config antivirus service http
set uncompsizelimit 15

64 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 4 Antivirus

This page is intentionally blank.

Confidential and Proprietary Information of ZTE CORPORATION 65

Chapter 5

Firewall

Overview
Use firewall commands to configure firewall policies and the data
they use, including protection profiles, IP addresses and virtual
IP addresses, schedules, and services. You can also configure
DNS translation, IP/MAC binding, and multicast policies.
This chapter contains the following sections:
address, address6
addrgrp, addrgrp6
dnstranslation
gtp (US Carrier)
ipmacbinding setting
ipmacbinding table
ippool
ldb-monitor
multicast-policy
policy, policy6
profile
schedule onetime
schedule recurring
service custom
service group
vip
vipgrp

Confidential and Proprietary Information of ZTE CORPORATION 67

ZXSEC US CLI Reference Guide

Address, Address6
Use this command to configure firewall addresses used in
firewall policies. An IPv4 firewall address is a set of one or more
IP addresses, represented as a domain name, an IP address and
a subnet mask, or an IP address range. An IPv6 firewall address
is an IPv6 6-to-4 address prefix.
By default, ZXSEC US units have the firewall address All, which
represents any IP address. Addresses, address groups, and
virtual IPs must have unique names to avoid confusion in
firewall policies. If an address is selected in a policy, it cannot be
deleted until it is deselected from the policy.
Syntax
config firewall address
edit <name_str>
set associated-interface <interface_str>
set end-ip <address_ipv4>
set fqdn <domainname_str> set start-ip <address_ipv4>
set subnet <address_ipv4mask>
set type {ipmask | iprange | fqdn}
end
config firewall address6
edit <name_str>
set ip6 <address_ipv6prefix>
end

TABLE 15 FIREWALL ADDRESS SETTING

Keywords and Description Default

variables
The following commands are for config firewall address.
<name_str> Enter the name of the address. No
default.
associated-interface Enter the name of the No
<interface_str> associated interface. default.
If not configured, the firewall
address is bound to an interface
during firewall policy
configuration.
end-ip If type is iprange, enter the last 0.0.0.0
<address_ipv4> IP address in the range.
fqdn If type is fqdn, enter the fully No
<domainname_str> qualified domain name (FQDN). default.
start-ip If type is iprange, enter the 0.0.0.0
<address_ipv4> first IP address in the range.

68 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

Keywords and Description Default

variables
subnet If type is ipmask, enter an IP 0.0.0.0
<address_ipv4mask> address then its subnet mask, 0.0.0.0
in dotted decimal format and
separated by a space, or in
CIDR format with no
separation. For example, you
could enter either:
172.168.2.5/32
172.168.2.5
255.255.255.255
The IP address can be for a
single computer or a
subnetwork. The subnet
mask corresponds to the
class of the IP address
being added.
A single computer’s subnet
mask is 255.255.255.255
or /32.
A class A subnet mask is
255.0.0.0 or /8.
A class B subnet mask is
255.255.0.0 or /26.
A class C subnet mask is
255.255.255.0 or /24.

type {ipmask | Select whether this firewall ipmask

iprange | address is a subnet address, an
fqdn} address range, or fully qualified
domain name.
The following command is for config firewall address6.
<name_str> Enter the name of the IPv6 No
address prefix. default.
ip6 If the IP address is IPv6, enter ::/0
<address_ipv6prefix> an IPv6 IP address prefix.

Example
This example shows how to add one IPv4 address of each type:
ipmask, iprange, and fqdn. It also shows how to configure an
IPv6 address prefix.
config firewall address
edit Example_Subnet
set type ipmask
set subnet 192.168.1.0 255.255.255.0
next
edit Example_Range set type iprange

Confidential and Proprietary Information of ZTE CORPORATION 69

ZXSEC US CLI Reference Guide

set start-ip 10.10.1.10

set end-ip 10.10.1.30
next
edit Example_Domain set type fqdn
set fqdn www.example.com
end
config firewall address6
edit Example_ipv6_Prefix
set ip6 2002:CF8E:83CA::/48
end
Related topics
firewall addrgrp, addrgrp6
firewall policy, policy6

Addrgrp, Addrgrp6
Use this command to configure firewall address groups used in
firewall policies.
You can organize related firewall addresses into firewall address
groups to simplify firewall policy configuration. For example,
rather than creating three separate firewall policies for three
firewall addresses, you could create a firewall address group
consisting of the three firewall addresses, then create one
firewall policy using that firewall address group.
Addresses, address groups, and virtual IPs must all have unique
names to avoid confusion in firewall policies. If an address group
is selected in a policy, it cannot be deleted unless it is first
deselected in the policy.
Syntax
config firewall addrgrp, addrgrp6
edit <name_str>
set member <name_str>
end

T AB L E 1 6 AD D R G R P , AD D R G R P 6 S E T T I NG

Keywords and Description Default

variables
<name_str> Enter the name of the address No
group. default.
member <name_str> Enter one or more names of No
firewall addresses to add to the default.

70 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

Keywords and Description Default

variables
address group. Separate
multiple names with a space. To
remove an address name from
the group, retype the entire
new list, omitting the address
name.

Example
This example shows how to add two firewall addresses to a
firewall address group.
config firewall addrgrp
edit Group1
set Example_Subnet Example_Range
end
Related topics
firewall address, address6
firewall policy, policy6

Dnstranslation
Use this command to add, edit or delete a DNS translation entry.
If DNS translation is configured, the ZXSEC US unit rewrites the
payload of outbound DNS query replies from internal DNS
servers, replacing the resolved names’ internal network IP
addresses with external network IP address equivalents, such as
a virtual IP address on a ZXSEC US unit’s external network
interface. This allows external network hosts to use an internal
network DNS server for domain name resolution of hosts located
on the internal network.
For example, if a virtual IP provided network address translation
(NAT) between a public network, such as the Internet, and a
private network containing a web server, hosts on the public
network could access the web server by using its virtual IP
address. However, if hosts attempted to access the web server
by domain name, and the DNS server performing name
resolution for that domain name was also located on the private
network, the DNS query reply would contain a private network
IP address, which is not routable from the external network. To
solve this, you might configure DNS translation, and substitute
the web server’s private network IP address with the virtual IP
address in DNS query replies to the public network.
DNS translation mappings between src and dst must be one-to-
one; you cannot create one-to-many or many-to-one mappings.
For example, if src is a single IP address, it cannot be DNS

Confidential and Proprietary Information of ZTE CORPORATION 71

ZXSEC US CLI Reference Guide

translated into a dst subnet; dst must be a single IP address,

like src. If src is a subnet, dst must also be a subnet.
Syntax
config firewall dnstranslation
edit <index_int>
set dst <destination_ipv4>
set netmask <address_ipv4mask>
set src <source_ipv4>
end

TABLE 17 DNSTRANSL ATION SETTING

Keywords and Description Default

variables
<index_int> Enter the unique ID number of No
the DNS translation entry. default.
dst Enter the IP address or subnet 0.0.0.0
<destination_ipv4> on the external network to
substitute for the resolved
address in DNS query replies.
dst can be either a single IP
address or a subnet on the
external network, but must be
equal in number to the number
of mapped IP addresses in src.
netmask If src and dst are subnets rather 0.0.0.0
<address_ipv4mask> than single IP addresses, enter
the netmask for both src and
dst.
src <source_ipv4> Enter the IP address or subnet 0.0.0.0
on the internal network to
compare with the resolved
address in DNS query replies. If
the resolved address matches,
the resolved address is
substituted with dst.

Example
This example shows how to translate the resolved addresses in
DNS query replies, from an internal (source) subnet to an
external (destination) subnet.
config firewall dnstranslation
edit 1
set src 192.168.100.12
set dst 172.16.200.190
set netmask 255.255.255.0
end

72 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

GTP (US Carrier)

Use this command to configure GTP (GPRS Tunneling Protocol)
profiles.
Syntax
config firewall gtp edit <name_str> config apn
edit index_int
set action {allow | deny}
set selection-mode {ms net vrf}
set value <networkid_str>
end
config ie-remove-policy
edit <index_int>
set remove-ies {apn-restriction rat-type rai uli imei}
set sgsn-addr <addr/group_str>
end
config imsi
edit <index_int>
set action {allow | deny}
set apn <networkid_str>
set mcc-mnc <mccmnc_str>
set selection-mode {ms net vrf}
end
config ip-policy
edit <index_int>
set action {allow | deny}
set dstaddr <address_str>
set srcaddr <address_str>
end
config noip-policy
edit <index_int>
set action {allow | deny}
set start <protocol_int>
set end <protocol_int>

Confidential and Proprietary Information of ZTE CORPORATION 73

ZXSEC US CLI Reference Guide

ZXSEC US CLI Reference Guide

requiring that traffic from trusted hosts reflect both the IP

address and MAC address known for that host, fraudulent
connections are more difficult to construct.
To configure the table of IP addresses and the MAC addresses
bound to them, see “ipmacbinding table”. To enable or disable
IP/MAC binding for an individual ZXSEC US unit network
interface, see ipmac in “system interface”.

Note:
If IP/MAC binding is enabled, and the IP address of a host with
an IP or MAC address in the IP/MAC table is changed, or a new
computer is added to the network, update the IP/MAC table. If
you do not update the IP/MAC binding list, the new or changed
hosts will not have access to or through the ZXSEC US unit. For
details on updating the IP/MAC binding table, see “ipmacbinding
table”.

Caution:
If a client receives an IP address from the ZXSEC US unit’s DHCP
server, the client’s MAC address is automatically registered in
the IP/MAC binding table. This can simplify IP/MAC binding
configuration, but can also neutralize protection offered by
IP/MAC binding if untrusted hosts are allowed to access the
DHCP server. Use caution when enabling and providing access to
the DHCP server.
Syntax
config firewall ipmacbinding setting
set bindthroughfw {enable | disable}
set bindtofw {enable | disable}
set undefinedhost {allow | block}
end

TABLE 19 IP MACBINDING SETTING

Keywords and Description Default

variables
bindthroughfw Select to use IP/MAC binding disable
{enable | disable} to filter packets that a
firewall policy would
normally allow through the
ZXSEC US unit.
bindtofw Select to use IP/MAC binding disable
{enable | disable} to filter packets that would
normally connect to the
ZXSEC US unit.
undefinedhost Select how IP/MAC binding block
handles packets with IP and

86 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

Keywords and Description Default

variables
{allow | block} MAC addresses that are not
defined in the IP/MAC list for
traffic going through or to
the ZXSEC US unit.
allow: Allow packets with
IP and MAC address
pairs that are not in the
IP/MAC binding list.
block: Block packets
with IP and MAC address
pairs that are not in the
IP/MAC binding list.
This option is available only
when either or both
bindthroughfw and bindtofw
are enable.

Example
This example shows how to enable IP/MAC binding for traffic
both going to and through the ZXSEC US unit, and block
undefined hosts (IP/MAC address pairs).
config firewall ipmacbinding setting
set bindthroughfw enable
set bindtofw enable
set undefinedhost block
end
Related topics
firewall ipmacbinding table

IP Macbinding Table
Use this command to configure IP and MAC address pairs in the
IP/MAC binding table. You can bind multiple IP addresses to the
same MAC address, but you cannot bind multiple MAC addresses
to the same IP address.
To configure the IP/MAC binding settings, see “ipmacbinding
setting”. To enable or disable IP/MAC binding for an individual
ZXSEC US unit network interface, see ipmac in “system
interface”.

Note:
If IP/MAC binding is enabled, and the IP address of a host with
an IP or MAC address in the IP/MAC table is changed, or a new
computer is added to the network, update the IP/MAC table. If

Confidential and Proprietary Information of ZTE CORPORATION 87

ZXSEC US CLI Reference Guide

you do not update the IP/MAC binding list, the new or changed
hosts will not have access to or through the ZXSEC US unit.

Caution:
If a client receives an IP address from the ZXSEC US unit’s DHCP
server, the client’s MAC address is automatically registered in
the IP/MAC binding table. This can simplify IP/MAC binding
configuration, but can also neutralize protection offered by
IP/MAC binding if untrusted hosts are allowed to access the
DHCP server. Use caution when enabling and providing access to
the DHCP server.
Syntax
config firewall ipmacbinding table
edit <index_int>
set ip <address_ipv4>
set mac <address_hex>
set name <name_str>
set status {enable | disable}
end

TABLE 20 IP MACBINDING TABLE SETTING

Keywords and Description Default

variables
<index_int> Enter the unique ID number No default.
of this IP/MAC pair.
ip <address_ipv4> Enter the IP address to bind 0.0.0.0
to the MAC address.
To allow all packets with the
MAC address, regardless of
the IP address, set the IP
address to 0.0.0.0.
mac <address_hex> Enter the MAC address. 00:00:00:
To allow all packets with the 00:00:00
IP address, regardless of the
MAC address, set the MAC
address to
00:00:00:00:00:00.
name <name_str> Enter a name for this entry noname
on the IP/MAC address table.
(Optional.)
status {enable | Select to enable this IP/MAC disable
disable} address pair.
Packets not matching any
IP/MAC binding will be
dropped. Packets matching

88 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

Keywords and Description Default

variables
an IP/MAC binding will be
matched against the firewall
policy list.

Example
This example shows how to add and enable an IP/MAC entry to
the IP/MAC binding table.
config firewall ipmacbinding table
edit 1
set ip 172.16.44.55
set mac 00:10:F3:04:7A:4C
set name RemoteAdmin
set status enable
end
Related topics
firewall ipmacbinding setting

IP Pool
Use this command to configure IP address pools that you can
use to configure NAT mode firewall policies. An IP pool, also
called a dynamic IP pool, is a range of IP addresses added to a
firewall interface. You can enable Dynamic IP Pool in a firewall
policy to translate the source address to an address randomly
selected from the IP pool. To use IP pools, the IP pool interface
must be the same as the firewall policy destination interface.
Add an IP pool if in order to add NAT mode policies that
translate source addresses to addresses randomly selected from
the IP pool rather than being limited to the IP address of the
destination interface. IP pools are only available in NAT/Route
mode. Add multiple IP pools to any interface and configure the
firewall policy to select the IP pool to use for that firewall policy.
Syntax
config firewall ippool
edit <index_int>
set endip <address_ipv4>
set interface <name_str>
set startip <address_ipv4>
end

Confidential and Proprietary Information of ZTE CORPORATION 89

ZXSEC US CLI Reference Guide

TABLE 21 IP POOL SETTING

Keywords and Description Default

variables
<index_int> The unique ID number of No default.
this IP pool.
endip The end IP of the address 0.0.0.0
<address_ipv4> range. The end IP must be
higher than the start IP. The
end IP does not have to be
on the same subnet as the
IP address of the interface
for which you are adding the
IP pool.
interface Enter the name of a network No default.
<name_str> interface, binding the IP pool
to that interface. On ZXSEC
US350 models and greater,
the network interface can
also be a VLAN subinterface.
startip The start IP of the address 0.0.0.0
<address_ipv4> range. The start IP does not
have to be on the same
subnet as the IP address of
the interface for which you
are adding the IP pool.

Example
You might use the following commands to add an IP pool to the
internal network interface. The IP pool would then be available
when configuring firewall policies.
config firewall ippool
edit 1
set startip 192.168.1.100
set endip 192.168.1.200
set interface internal
end
Related topics
firewall policy, policy6

LDB-Monitor
Use this command to configure health check settings.
Health check settings can be used by load balancing VIPs to
determine if a real server is currently responsive before
forwarding traffic. One health check is sent per interval using the
specified protocol, port and HTTP-GET, where applicable to the
protocol. If the server does not respond during the timeout

90 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

period, the health check fails and, if retries are configured,

another health check is performed.
If all health checks fail, the server is deemed unavailable, and
another real server is selected to receive the traffic according to
the selected load balancing algorithm.
Health check settings can be re-used by multiple real servers.
For details on enabling health checking and using configured
health check settings, see “firewall vip”.
Syntax
config firewall ldb-monitor
edit <name_str>
set http-get <httprequest_str>
set http-match <contentmatch_str>
set interval <seconds_int>
set port <port_int>
set retry <retries_int>
set timeout <seconds_int>
set type {http | ping | tcp}
end

TABLE 22 LDB-MONITOR SETTING

Keywords and Description Default

variables
<name_str> Enter the name of the health No default.
check monitor.
http-get Enter the path (URI) of the No default.
<httprequest_str> HTTP-GET request to use
when testing the
responsivity of the server.
This option appears only if
type is http.
http-match Enter the content of the No default.
<contentmatch_str> server’s reply to the HTTP
request that must be
matched for the health check
to succeed. If the ZXSEC US
unit does not receive a reply
from the server, or its reply
does not contain matching
content, the health check
fails.
This option appears only if
type is http.
interval Enter the interval time in 10
<seconds_int> seconds between health
checks.

Confidential and Proprietary Information of ZTE CORPORATION 91

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
port <port_int> Enter the port number that 0
will be used by the health
check. This option does not
appear if type is ping.
retry <retries_int> Enter the number of times 3
that the ZXSEC US unit
should retry the health check
if a health check fails. If all
health checks, including
retries, fail, the server is
deemed unavailable.
timeout Enter the timeout in 2
<seconds_int> seconds. If the ZXSEC US
unit does not receive a
response to the health check
in this period of time, the
the health check fails.
type {http | ping | Select the protocol used by No default.
tcp} the health check monitor.

Example
You might configure a health check for a server using the HTTP
protocol to retrieve a web page. To ensure that a web page reply
containing an error message, such as an HTTP 404 page, does
not inadvertently cause the health check to succeed, you might
search the reply for text that does not occur in any web server
error page, such as unique text on a main page.
config firewall ldp-monitor
edit httphealthchecksettings
set type http set port 8080
set http-get “/index.php”
set http-match “Welcome to Example, Inc.”
set interval 5 set timeout 2 set retry 2
end
Related topics
firewall vip

Multicast-Policy
Use this command to configure a source NAT IP. This command
can also be used in Transparent mode to enable multicast
forwarding by adding a multicast policy.
The matched forwarded (outgoing) IP multicast source IP
address is translated to the configured IP address. For additional

92 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

options related to multicast, see multicast-forward {enable |

disable} in “system settings” and tp-mc-skip-policy {enable |
disable} in “system global”.
Syntax
config firewall multicast-policy
edit <index_int>
set action {accept | deny}
set dnat <address_ipv4>
set dstaddr <address_ipv4mask>
set dstintf <name_str>
set nat <address_ipv4>
set srcaddr <address_ipv4mask>
set srcintf <name_str>
set protocol <multicastlimit_int>
set start-port <port_int>
set end-port <port_int>
end

TABLE 23 MULTICAST-POLICY SETTING

Keywords and Description Default

variables
<index_int> Enter the unique ID number No default.
of this multicast policy.
action {accept | Enter the policy action. accept
deny}
dnat <address_ipv4> Enter an IP address to 0.0.0.0
destination network address
translate (DNAT) externally
received multicast
destination addresses to
addresses that conform to
your organization's internal
addressing policy.
dstaddr Enter the destination IP 0.0.0.0
<address_ipv4mask> address and netmask, 0.0.0.0
separated by a space, to
match against multicast NAT
packets.
dstintf <name_str> Enter the destination No default.
interface name to match
against multicast
NAT packets.
nat <address_ipv4> Enter the IP address to 0.0.0.0
substitute for the original
source IP address.

Confidential and Proprietary Information of ZTE CORPORATION 93

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
srcaddr Enter the source IP address 0.0.0.0
<address_ipv4mask> and netmask to match 0.0.0.0
against multicast NAT
packets.
srcintf <name_str> Enter the source interface No default.
name to match against
multicast
NAT packets.
protocol Limit the number of 0
<multicastlimit_int> protocols (services) sent out
via multicast using the
ZXSEC US unit.
start-port <port_int> The beginning of the port No default.
range used for multicast.
end-port <port_int> The end of the port range 65535
used for multicast.

Example
This example shows how to configure a multicast NAT policy.
config firewall multicast-policy edit 1
set dstaddr 10.0.0.1 255.255.255.0
set dstintf dmz
set nat 10.0.1.1
set srcaddr 192.168.100.12 255.255.255.0
set srcintf internal
end
Related topics
system global

Policy, Policy6
Use this command to add, edit, or delete firewall policies.
Firewall policies control all traffic passing through the ZXSEC US
unit. Firewall policies are instructions used by the ZXSEC US unit
to decide what to do with a connection request. The policy
directs the firewall to allow the connection, deny the connection,
require authentication before the connection is allowed, or apply
IPSec or SSL VPN processing.

Note:
If you are creating an IPv6 policy, some of the IPv4 options,
such as NAT and VPN settings, are not applicable.

94 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

Syntax
config firewall policy, policy6
edit <index_int>
set action {accept | deny | ipsec | ssl-vpn}
set auth-cert <certificate_str>
set auth-path {enable | disable}
set auth-redirect-addr <domainname_str>
set comments <comment_str>
set custom-log-fields <fieldid_int>
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <dscp_bin>
set diffservcode-rev <dscp_bin>
set disclaimer {enable | disable}
set dstaddr <name_str>
set dstintf <name_str>
set fixedport {enable | disable}
set USDesktop-check {enable | disable}
set USDesktop-ra-notinstalled {enable | disable}
set USDesktop-ra-notlicensed {enable | disable}
set USDesktop-ra-db-outdated {enable | disable}
set USDesktop-ra-no-av {enable | disable}
set USDesktop-ra-no-fw {enable | disable}
set USDesktop-ra-no-wf {enable | disable}
set USDesktop-redir-portal {enable | disable}
set fsae {enable | disable}
set fsae-guest-profile <profile_str>
set gbandwidth <limit_int>
set groups <name_str>
set gtp_profile <name_str> (US Carrier)
set inbound {enable | disable}
set ippool {enable | disable}
set logtraffic {enable | disable}
set maxbandwidth <limit_int>
set nat {enable | disable}
set natinbound {enable | disable}
set natip <address_ipv4mask>
set natoutbound {enable | disable}

Confidential and Proprietary Information of ZTE CORPORATION 95

ZXSEC US CLI Reference Guide

set ntlm {enable | disable}

set outbound {enable | disable}
set poolname <name_str>
set priority {high | low | medium}
set profile <name_str>
set profile-status {enable | disable}
set redirect-url <name_str>
set schedule <name_str>
set service <name_str>
set srcaddr <name_str>
set srcintf <name_str>
set sslvpn-auth {any | ldap | local | radius | tacacs+}
set sslvpn-ccert {enable | disable}
set sslvpn-cipher {0 | 1 | 2}
set status {enable | disable}
set tcp-mss-sender <maximumsize_int>
set tcp-mss-receiver <maximumsize_int>
set trafficshaping {enable | disable}
set vpntunnel <name_str>
end

ZXSEC US CLI Reference Guide

because they have a destination address of 10.1.1.201. The

internal to wan1 NAT policy translates the destination address of
these return packets to the IP address of the originating PC and
sends them out the internal interface to the originating PC.

Use the Following Steps to Configure

NAT in Transparent Mode
Adding two management IPs
Adding an IP pool to the wan1 interface
Adding an internal to wan1 firewall policy

Adding two Management IPs

Use the following commands to add two management IPs. The

second management IP is the default gateway for the internal
network.
config system settings
set manageip 10.1.1.99/24 192.168.1.99/24
end

Adding an IP pool to the wan1 interface

Use the following command to add an IP pool to the wan1

interface:
config firewall ippool
edit nat-out
set interface "wan1"
set startip 10.1.1.201
set endip 10.1.1.201
end

Adding an internal to wan1 firewall policy

Confidential and Proprietary Information of ZTE CORPORATION 117

ZXSEC US CLI Reference Guide

end
config sip
set status {enable | disable}
set ack-rate <rate_int>
set archive-summary {enable | disable}
set block-ack {enable | disable}
set block-bye {enable | disable}
set block-cancel {enable | disable}
set block-info {enable | disable}
set block-invite {enable | disable}
set block-long-lines {enable | disable}
set block-notify {enable | disable}
set block-options {enable | disable}
set block-prack {enable | disable}
set block-publish {enable | disable}
set block-refer {enable | disable}
set block-register {enable | disable}
set block-subscribe {enable | disable}
set block-unknown {enable | disable}
set block-update {enable | disable}
set call-keepalive <limit_int>
set info-rate <rate_int>
set invite-rate <limit_int>
set max-dialogs <limit_int>
set max-line-length <limit_int>
set nat-trace {enable | disable}
set no-sdp-fixup {enable | disable}
set notify-rate <limit_int>
set options-rate <limit_int>
set prack-rate <limit_int>
set preserve-override {enable | disable}
set primary-secondary {enable | disable}
set refer-rate <limit_int>
set register-rate <limit_int>
set rtp {enable | disable}
set strict-register {enable | disable}
set subscribe-rate <limit_int>
set timeout-buffer <calls_int>

118 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

set update-rate <limit_int>

end
end

variables
{allow-ovrd error- category blocking.
allow rate-server-ip
allow-ovrd: Allow
strict-blocking} authenticated rating
overrides.
error-allow to allow web
pages with a rating error
to pass through.
rate-server-ip: Rate
both the URL and the IP
address of the requested
site, providing additional
security against
circumvention attempts.
strict-blocking to block
any web pages if any
classification or category
matches the rating.
Separate multiple options
with a space. To remove an
option from the list or add
an option to the list, retype
the list with the option
removed or added.
ussrv-wf-log Enter all, or enter one or No default.
{all | more category codes,
<category_str>} representing Usservice Web
Filtering web page
categories or category
groups that you want to log.
To view a list of available
category codes with their
descriptions, enter get, then
locate entries for ussrv-wf-
enable, such as g01
Potentially Liable, 1 Drug
Abuse, and c06 Spam URL.
Separate multiple codes
with a space. To delete
entries, use the unset
command to delete the
entire list.
ussrv-wf-options Select options for Usservice strict-
{allow-ovrd error- web filtering, separating blocking
allow multiple options with a
space.
http-err-detail
rate-image-urls rate- allow-ovrd: Allow
server-ip redir-block authenticated rating
strict-blocking} overrides.
error-allow: Allow web
pages with a rating error
to pass through.

124 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

Keywords and Description Default

Keywords and Description Default

Keywords and Description Default

variables
on ZXSEC US1300 models
and greater.
winny Select the action the ZXSEC pass
{block | pass | limit} US unit performs on WinNY
peer-to-peer (P2P) traffic.
block: Block WinNY
traffic.
pass: Allow WinNY
traffic.
limit: Restrict
bandwidth used by
WinNY. Configure
winny-limit to specify
the bandwidth limit.
This option is available only
if p2p is enable.
winny-limit Enter the maximum amount 0
<limit_int> of bandwidth WinNY
connections are allowed to
use, up to 100000 KB/s. If
this variable is set to zero
(0), WinNY traffic is not
allowed. This option appears
only if winny is set to limit.
The bandwidth limit can be
applied separately for each
firewall policy that uses the
protection profile, or shared
by all firewall policies that
use the protection profile.
By default, the limit is
applied separately to each
firewall policy. For
information on configuring
per policy or per protection
profile P2P bandwidth
limiting, see the p2p- rate-
limiting variable in “system
settings”.
yahoo Enter enable-inspect to inspect-
{enable-inspect | } enable inspection of Yahoo anyport
Messenger traffic, then
{archive-full archive-
enter any additional options.
summary block-audio
Separate multiple options
block-file block-im
with a space.
block-photo
inspect-anyport no- archive-full: Content
content-summary} archive both
metadata and the
chat itself.
archive-summary:

162 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

Keywords and Description Default

172 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

Keywords and Description Default

variables
This option appears only if
status is enable.
block-unknown Select to block unrecognized enable
{enable | disable} SIP requests.
This option appears only if
status is enable.
block-update Select to block UPDATE disable
{enable | disable} requests.
This option appears only if
status is enable.
call-keepalive Enter the number of minutes 0
<limit_int> to continue tracking calls
with no RTP.
This option appears only if
status is enable.
info-rate <rate_int> Enter the INFO rate limit per 0
second, per policy. This
option appears only if status
is enable.
invite-rate Enter the INVITE request 0
<limit_int> rate limit per second, per
policy. This option appears
only if status is enable.
max-dialogs Enter the maximum number 0
<limit_int> of concurrent calls. This
option appears only if status
is enable.
max-line-length Enter the maximum SIP 998
<limit_int> header line length (78-
4096). This option appears
only if status is enable.
nat-trace Select to preserve the enable
{enable | disable} original IP address in the
SDP line.
This option appears only if
status is enable.
no-sdp-fixup Select to preserve the SDP disable
{enable | disable} packet.
This option appears only if
status is enable.
notify-rate Enter the NOTIFY rate limit 0
<limit_int> per second, per policy. This
option appears only if status
is enable.
options-rate Enter the OPTIONS rate limit 0
<limit_int> per second, per policy. This
option appears only if status
is enable.
prack-rate Enter the PRACK rate limit 0

Confidential and Proprietary Information of ZTE CORPORATION 173

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
<limit_int> per second, per policy. This
option appears only if status
is enable.
preserve-override Select to omit the original IP disable
{enable | disable} address from SDP i line.
When disabled, IP addresses
are appended.
This option appears only if
status is enable.
primary-secondary Select to monitor disable
{enable | disable} primary/secondary
outbound proxy redundancy.
This option appears only if
status is enable.
refer-rate <limit_int> Enter the REFER rate limit 0
per second, per policy. This
option appears only if status
is enable.
register-rate Enter the REGISTER request 0
<limit_int> rate limit (per second, per
policy).
This option appears only if
status is enable.
rtp {enable | disable} Select for RTP NAT enable
traversal.
This option appears only if
status is enable.
strict-register Select to allow only the disable
{enable | disable} registrar to connect.
This option appears only if
status is enable.
subscribe-rate Enter the SUBSCRIBE rate 0
<limit_int> limit per second, per policy.
This option appears only if
status is enable.
timeout-buffer Enter the maximum number 0
<calls_int> of timed out calls to buffer.
This option appears only if
status is enable.
update-rate Enter the UPDATE rate limit 0
<limit_int> per second, per policy. This
option appears only if status
is enable.

Example
This example shows how to create a profile called spammail,
using:
filtering of email according to the email banned word list, the
MIME header list, and the return DNS check, enable spam to

174 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

be logged and tagged with the tag “Spam” in the subject for
POP3 traffic
filtering of email based on the DNSBL server, and discard
messages identified as spam for SMTP traffic
config firewall profile
edit spammail
set pop3 spamemailbwl spamhdrcheck spamraddrdns
set pop3-spamaction log tag
set pop3-spamtagmsg Spam
set pop3-spamtagtype subject set smtp spamrbl
set smtp-spamaction discard
end
This example shows how to add HTTP category blocking to the
spammail profile created above, using:
category blocking to deny access to web pages categorized
as Games (20), Personals and Dating (37), Shopping and
Auction (42) and the category group Objectionable or
Controversial (g02)
category monitoring to log access to web pages categorized
as Computer Security (50) and the category group
Potentially Bandwidth Consuming (g04)
config firewall profile
edit spammail
set ussrv-wf-deny 20 37 42 g02
set ussrv-wf-log 50 g04
end
Related topics
firewall policy, policy6
alertemail
antivirus
ips
webfilter

Schedule Onetime
Use this command to add, edit, or delete one-time schedules.
Use scheduling to control when policies are active or inactive.
Use one-time schedules for policies that are effective once for
the period of time specified in the schedule.

Confidential and Proprietary Information of ZTE CORPORATION 175

ZXSEC US CLI Reference Guide

Note:
To edit a schedule, define the entire schedule, including the
changes. This means entering all of the schedule parameters,
both those that are changing and those that are not.
Syntax
config firewall schedule onetime
edit <name_str>
set end <hh:mm> <yyyy/mm/dd>
set start <hh:mm> <yyyy/mm/dd>
end

TABLE 26 SCHEDULE ONETIME SETTING

Keywords and Description Default

variables
<name_str> Enter the name of this No default.
schedule.
end <hh:mm> Enter the ending day and 00:00
<yyyy/mm/dd> time of the schedule. 2001/01/01
hh - 00 to 23
mm - 00, 15, 30, or 45
yyyy - 1992 to infinity
mm - 01 to 12
dd - 01 to 31

start <hh:mm> Enter the starting day and 00:00

<yyyy/mm/dd> time of the schedule. 2001/01/01
hh - 00 to 23
mm - 00, 15, 30, or 45
yyyy - 1992 to infinity
mm - 01 to 12
dd - 01 to 31

Example
Use the following example to add a one-time schedule named
Holiday that is valid from 5:00 pm on 3 September 2004 until
8:45 am on 7 September 2004.
config firewall schedule onetime
edit Holiday
set start 17:00 2004/09/03
set end 08:45 2004/09/07

176 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

end
Related topics
firewall policy, policy6
firewall schedule recurring

Schedule Recurring
Use this command to add, edit, and delete recurring schedules
used in firewall policies.
Use scheduling to control when policies are active or inactive.
Use recurring schedules to create policies that repeat weekly.
Use recurring schedules to create policies that are effective only
at specified times of the day or on specified days of the week.

Note:
If a recurring schedule is created with a stop time that occurs
before the start time, the schedule starts at the start time and
finishes at the stop time on the next day. You can use this
technique to create recurring schedules that run from one day to
the next. To create a recurring schedule that runs for 24 hours,
set the start and stop times to the same time.
Syntax
config firewall schedule recurring
edit <name_str>
set day <name_str>
set end <hh:mm>
set start <hh:mm>
end

TABLE 27 SCHEDULE RECURRING SETTING

Keywords and Description Default

variables
<name_str> Enter the name of this No default.
schedule.
day <name_str> Enter the names of one or sunday
more days of the week for
which the schedule is valid.
Separate multiple names
with a space.
end <hh:mm> Enter the ending time of the 00:00
schedule.
• hh can be 00 to 23
• mm can be 00, 15, 30, or

Confidential and Proprietary Information of ZTE CORPORATION 177

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
45 only
start <hh:mm> Enter the starting time of 00:00
the schedule.
• hh can be 00 to 23
• mm can be 00, 15, 30, or
45 only
Example
This example shows how to add a recurring schedule named access so
that it is valid Monday to Friday from 7:45 am to 5:30 pm.
config firewall schedule recurring edit access
set day monday tuesday wednesday thursday friday
set start 07:45
set end 17:30
end
Edit the recurring schedule named access so that it is no longer valid on
Fridays.
config firewall schedule recurring
edit access
set day monday tuesday wednesday thursday
set start 07:45
set end 17:30
end
Related topics
firewall policy, policy6
firewall schedule onetime

Service Custom
Use this command to configure a firewall service that is not in
the predefined service list.

Note:
To display a list of all predefined service names, enter the
command get firewall service predefined ?. To display a
predefined service’s details, enter the command get firewall
service predefined <service_str>. For details, see “get firewall
service predefined”.
Syntax
config firewall service custom
edit <name_str>
set icmpcode <code_int>
set icmptype <type_int>

178 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

set protocol {ICMP | IP | TCP/UDP}

set protocol-number <protocol_int>
set tcp-portrange <dstportlow_int>[-<dstporthigh_int>:
<srcportlow_int>-<srcporthigh_int>]
set udp-portrange <dstportlow_int>[-<dstporthigh_int>:
<srcportlow_int>-<srcporthigh_int>]
end

TABLE 28 SERVICE CUSTOM SETTING

Keywords and Description Default

variables
<name_str> Enter the name of this No default
custom service.
icmpcode <code_int> Enter the ICMP code No default.
number. Find ICMP type and
code numbers at
www.iana.org.
icmptype <type_int> Enter the ICMP type 0
number. The range for
type_int is from
0-255. Find ICMP type and
code numbers at
www.iana.org.
protocol Enter the protocol used by IP
{ICMP | IP | the service.
TCP/UDP}
protocol-number For an IP service, enter the 0
<protocol_int> IP protocol number. For
information on protocol
numbers, see
http://www.iana.org.
tcp-portrange For TCP services, enter the No default.
<dstportlow_int>[- destination and source port
ranges.
<dstporthigh_int>:
If the destination port range
<srcportlow_int>-
can be any port, enter 1-
<srcporthigh_int>] 65535. If the destination is
only a single port, simply
enter a single port number
for dstportlow_int and no
value for dstporthigh_int.
If source port can be any
port, no source port need be
added. If the source port is
only a single port, simply
enter a single port number
for srcportlow_int and no
value for srcporthigh_int.
udp-portrange For UDP services, enter the No default.
destination and source port

Confidential and Proprietary Information of ZTE CORPORATION 179

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
<dstportlow_int>[- ranges.
<dstporthigh_int>: If the destination port range
<srcportlow_int>- can be any port, enter 1-
65535. If the destination is
<srcporthigh_int>]
only a single port, simply
enter a single port number
for dstportlow_int and no
value for dstporthigh_int.
If source port can be any
port, no source port need be
added. If the source port is
only a single port, simply
enter a single port number
for srcportlow_int and no
value for srcporthigh_int.

Example
This example shows how to add a custom service called
Custom_1. The service destination port range is TCP 4501 to
4503. The service can use any source port.
config firewall service custom
edit Custom_1
set protocol TCP/UDP
set tcp-portrange 4501-4503
end
A second example shows how to add a custom service called
Custom_2. The service destination port range is TCP 4545 to
4550. The service uses source port 9620.
config firewall service custom
edit Custom_1
set protocol TCP/UDP
set tcp-portrange 4545-4550:9620
end
Related topics
firewall policy, policy6

Service Group
Use this command to configure firewall service groups.
To simplify policy creation, you can create groups of services
and then add one policy to provide or block access for all the
services in the group. A service group can contain predefined
services and custom services in any combination. A service
group cannot contain another service group.

180 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

Note:
To edit a service group, enter all of the members of the service
group, both those changing and those staying the same.
Syntax
config firewall service group
edit <name_str>
set member <name_str>
end

TABLE 29 SERVICE GROUP SETTING

Keywords and Description Default

variables
<group-name_str> Enter the name of this No default.
service group.
member Enter one or more names of No default.
<service_str> predefined or custom
firewall services to add to
the service group. Separate
multiple names with a
space. To view the list of
available services enter set
member ? at the prompt.
<service_str> is case-
sensitive.

Example
This example shows how to add a service group called
web_Services that includes the FTP, HTTP, HTTPS, and Real
Audio services.
config firewall service group
edit web_Services
set member FTP HTTP HTTPS RAUDIO
end
This example shows how to add the TELNET service to the
web_Services service group.
config firewall service group
edit web_Services
set member FTP HTTP HTTPS RAUDIO TELNET
end
Related topics
firewall policy, policy6

Confidential and Proprietary Information of ZTE CORPORATION 181

ZXSEC US CLI Reference Guide

variables
temporarily use a
server whose status is
standby. The
healthcheck monitor
will continue to
monitor the
unresponsive server
for the duration of
holddown-interval. If
this server becomes
reliably responsive
again, it will be
restored to active
use, and the standby
server will revert to
standby. For details
on health check
monitoring when an
active server is
unresponsive, see
“holddown-interval
<seconds_int>”.
disable: The ZXSEC
US unit will not
forward traffic to this
server, and will not
perform health
checks. You might use
this option to
conserve server load
balancing resources
when you know that a
server will be
unavailable for a long
period, such as when
the server is down for
repair.
standby: If a server
whose status is active
becomes
unresponsive, the
ZXSEC US unit will
temporarily use a
responsive server
whose status is
standby until the
server whose status is
active again becomes
reliably responsive. If
multiple responsive
standby servers are

198 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

Keywords and Description Default

variables
available, the ZXSEC
US unit selects the
standby server with
the greatest weight. If
a standby server
becomes
unresponsive, the
ZXSEC US unit will
select another
responsive server
whose status is
standby.

wake-interval Enter the interval of time 10

<seconds_int> the connection will try to
detect a server before giving
up. Valid interval values are
between 10 and 255
seconds.
This option is deprecated
and may be removed in
future. Instead, configure
monitor.
weight Enter the weight value of a 1
<loadbalanceweight_i specific server. Servers with
nt> a greater weight receive a
greater proportion of
forwarded connections, or, if
their status is standby, are
more likely to be selected to
temporarily replace servers
whose status is active, but
that are unresponsive. Valid
weight values are between 1
and 255.
This option is available only
if ldb-method is weighted.

Example
This example shows how to add a static NAT virtual IP named
Web_Server that allows users on the Internet to connect to a
single web server on the private network. The public IP address
of the web server is 64.32.21.34 and the IP address of the web
server on the internal network is 192.168.1.44.
config firewall vip
edit Web_Server
set extintf external
set extip 64.32.21.34
set mappedip 192.168.1.44
end

Confidential and Proprietary Information of ZTE CORPORATION 199

ZXSEC US CLI Reference Guide

This example shows how to edit the static NAT virtual IP named
Web_Server to change the IP address of the web server on the
internal network to 192.168.110.23.
config firewall vip
edit web_Server
set mappedip 192.168.110.23
end
This example shows how to add a static NAT port forwarding
virtual IP that uses port address translation to allow external
access to a web server on the private network if there is no
separate external IP address for the web server. In this example,
the IP address of the external interface is 192.168.100.99 and
the real IP address of the web server on the internal network is
192.168.1.93.
config firewall vip
edit web_Server
set portforward enable set extintf external
set extip 192.168.100.99
set extport 80
set mappedip 192.168.1.93
set mappedport 80
end
This example shows how to enter a static NAT virtual IP named
Server_Range that allows Internet users to connect to a range of
10 virtual IP addresses on the Internet and have the IP
addresses in this range mapped to a range of IP addresses on
the DMZ network. The DMZ network contains 10 servers with IP
addresses from 10.10.10.20 to 10.10.10.29. The Internet IP
addresses for these servers are in the range 219.34.56.10 to
219.34.56.19. In this example you do not have to enter the
external IP address range. Instead you enter the first IP address
in the external IP address range and the
ZXSEC US unit calculates the end of the IP address range based
on the number of IP addresses defined by the mapped IP
address range. Also in the example, port2 is connected to the
Internet.
config firewall vip
edit Server_Range
set extintf port2
set extip 219.34.56.10
set mappedip 10.10.10.20 10.10.10.19
end
This example shows how to enter a load balancing virtual IP
named Ext_Load_Balance that allows Internet users to connect

200 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

to a single virtual IP address on the Internet and have that IP

address mapped to a range of IP addresses on the network
connected to port5. You might use a configuration such as this
to load balance connections from the Internet to an internal
server farm. In the example the Internet is connected to port2
and the virtual IP address is 67.34.56.90 and the IP address
range on the network connected to port5 is 172.20.120.10 to
172.20.120.30.
config firewall vip
edit Server_Range
set type load-balance set extintf port2
set extip 67.34.56.90
set mappedip 172.20.120.10-172.20.120.30
end
Related topics
firewall policy, policy6
firewall ldb-monitor
vipgrp

VIP GRP
You can create virtual IP groups to facilitate firewall policy traffic
control. For example, on the DMZ interface, if you have two
email servers that use Virtual IP mapping, you can put these two
VIPs into one VIP group and create one external-to-DMZ policy,
instead of two policies, to control the traffic.
Firewall policies using VIP Groups are matched by comparing
both the member VIP IP address(es) and port number(s).
Syntax
config firewall vipgrp
edit <name_str>
set interface <name_str>
set member <virtualip_str>
end

TABLE 31 VIP GRP SETTING

Keywords and Description Default

variables
<name_str> Enter the name of the No default.
virtual IP group.
interface Enter the name of the No default.
<name_str> interface to which the virtual

Confidential and Proprietary Information of ZTE CORPORATION 201

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
IP group will be bound.
member Enter one or more virtual No default.
<virtualip_str> IPs that will comprise the
virtual IP group.

Example
config firewall vipgrp
edit group_one
set interface internal
set member vipone viptwo vipthree
end
Related topics
firewall policy, policy6
vip

202 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 5 Firewall

This page is intentionally blank.

Confidential and Proprietary Information of ZTE CORPORATION 203

Chapter 6

GUI

Overview
This chapter covers the commands to restore web-based
manager CLI console and topology viewer. This chapter contains
the following sections:
Console
Topology

Console
Use this command to configure the web-based manager CLI
console.
Syntax
config gui console
set preferences <filedata>
end
To obtain base-64 encoded data from a configured CLI console,
use:
show gui console

TABLE 32 CONSOLE SETTING

Keywords and Description Default

variables
preferences Base64-encoded file to No default
<filedata> upload containing the
commands to set up the
web-based manager CLI
console on the ZXSEC US
unit.

Example

Confidential and Proprietary Information of ZTE CORPORATION 205

ZXSEC US CLI Reference Guide

This example shows how to upload the data file pref-file

containing commands to set up the web-based manager CLI
console on the ZXSEC US unit.
config gui console
set preferences pref-file
end

Topology
Use this command to configure the web-based manager
topology viewer.
Syntax
config gui topology
set background-image <filedatabackground>
set database <filedatabase>
set preferences <filedatapref>
end
To obtain base-64 encoded data from a configured topology
viewer, use:
show gui topology

TABLE 33 TOPOLOGY SETTING

Keywords and Description Default

variables
preferences Base64-encoded file to upload No default
<filedata> containing the commands to set
up the web-based manager CLI
console on the ZXSEC US unit.

Example
This example shows how to upload the data file (topguifile)
containing commands to set up the topology GUI on the ZXSEC
US unit and the background image (backgroundfile).
config gui topology
set preferences topguifile
set background-image backgroundfile
end

206 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 7

IMP2P

Overview
Use imp2p commands to configure user access to Instant
Messaging and Person-to-Person applications, and to configure a
global policy for unknown users who might use these
applications.
This chapter contains the following sections:
aim-user
icq-user
msn-user
old-version
policy
yahoo-user

AIM-user
Use this command to permit or deny a specific user the use of
AOL Instant Messenger.
Syntax
config imp2p aim-user
edit <name_str>
set action {permit | deny}
end

T A B L E 3 4 AI M - U S E R S E T T I N G

Keywords and Description Default

variables
name_str The name of the AIM user.

Confidential and Proprietary Information of ZTE CORPORATION 207

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
action {permit | Permit or deny the use of AOL deny
deny} Instant Messenger by this user.

Example
This example shows how to add user_1 and permit the user to
use the AIM protocol if the policy is set to allow AOL Instant
Messenger.
config imp2p aim-user
edit user_1
set action permit
end
Related topics
imp2p icq-user
imp2p msn-user
imp2p old-version
imp2p policy
imp2p yahoo-user

ICQ-user
Use this command to permit or deny a specific user the use of
ICQ Instant Messenger.
Syntax
config imp2p icq-user
edit <name_str>
set action {permit | deny}
end

TABLE 35 ICQ-USER SETTING

Keywords and Description Default

variables
name_str The name of the ICQ user.
action {permit | Permit or deny the use of the ICQ deny
deny} Instant Messenger by this user.

Example
This example shows how to add user_1 and permit the user to
use the ICQ protocol if the policy is set to allow ICQ Instant
Messenger.
config imp2p icq-user

208 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 7 IMP2P

edit user_1
set action permit
end
Related topics
imp2p aim-user
imp2p msn-user
imp2p old-version
imp2p policy
imp2p yahoo-user

MSN-user
Use this command to permit or deny a specific user the use of
MSN Messenger.
Syntax
config imp2p msn-user
edit <name_str>
set action {permit | deny}
end

TABLE 36 MSN-USER SETTING

Keywords and Description Default

variables
name_str The name of the MSN user.
action {permit | Permit or deny the use of MSN deny
deny} Messenger by this user.

Example
This example shows how to add user_1 and permit the user to
use the MSN protocol if the policy is set to allow MSN Messenger.
config imp2p msn-user
edit user_1
set action permit
end
Related topics
imp2p aim-user
imp2p icq-user
imp2p old-version
imp2p policy

Confidential and Proprietary Information of ZTE CORPORATION 209

ZXSEC US CLI Reference Guide

imp2p yahoo-user

Old-version
Some older versions of IM protocols are able to bypass file
blocking because the message types are not recognized. The
following command provides the option to disable these older IM
protocol versions. Supported IM protocols include:
MSN 6.0 and above
ICQ 4.0 and above
AIM 5.0 and above
Yahoo 6.0 and above
Syntax
config imp2p old-version
set aim {block | best-effort}
set icq {block | best-effort}
set msn {block | best-effort}
set yahoo {block | best-effort}
end

TABLE 37 OLD-VERSION SETTING

Keywords and Description Default

variables
aim {block | Enter block to block the session if block
best-effort} the version is too old.
Enter best-effort to inspect the
session based on the policy.
icq {block | Enter block to block the session if block
best-effort} the version is too old.
Enter best-effort to inspect the
session based on the policy.
msn {block | Enter block to block the session if block
best-effort} the version is too old.
Enter best-effort to inspect the
session based on the policy.
yahoo Enter block to block the session if block
{block | best- the version is too old.
effort} Enter best-effort to inspect the
session based on the policy.

Example
This example shows how to block older versions of MSN
Messenger and inspect older versions of Yahoo Messenger.

210 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 7 IMP2P

config imp2p old-version

set msn block
set yahoo best-effort
end
Related topics
imp2p aim-user
imp2p icq-user
imp2p msn-user
imp2p policy
imp2p yahoo-user

Policy
Use this command to create a global policy for instant
messenger applications. If an unknown user attempts to use one
of the applications, the user can either be permitted use and
added to a white list, or be denied use and added to a black list.
Syntax
config imp2p policy
set aim {allow | deny}
set icq {allow | deny}
set msn {allow | deny}
set yahoo {allow | deny}
end

TABLE 38 POLICY SETTING

Keywords and Description Default

variables
aim {allow | Allow an unknown user and add deny
deny} the user to the white list. Deny an
unknown user and add the user to
the black list.
icq {allow | Allow an unknown user and add deny
deny} the user to the white list. Deny an
unknown user and add the user to
the black list.
msn {allow | Allow an unknown user and add deny
deny} the user to the white list. Deny an
unknown user and add the user to
the black list.
yahoo {allow | Allow an unknown user and add deny
deny} the user to the white list. Deny an
unknown user and add the user to

Confidential and Proprietary Information of ZTE CORPORATION 211

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
the black list.

Example
This example shows how to configure the IM/P2P policy to allow
AOL Instant Messenger, MSN Messenger, and Yahoo Messenger
but deny ICQ Instant Messenger.
config imp2p policy
set aim allow
set msn allow set icq deny
set yahoo allow
end
Related topics
imp2p aim-user
imp2p icq-user
imp2p msn-user
imp2p old-version
imp2p yahoo-user

Yahoo-user
Use this command to permit or deny a specific user the use of
Yahoo Messenger.
Syntax
config imp2p yahoo-user
edit <name_str>
set action {permit | deny}
end

TABLE 39 POLICY SETTING

Keywords and Description Default

variables
name_str The name of the Yahoo user.
action {permit | Permit or deny the use of Yahoo deny
deny} Messenger by this user.

Example

212 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 7 IMP2P

This example shows how to add user_1 and permit the user to
use the Yahoo protocol if the policy is set to allow Yahoo
Messenger.
config imp2p yahoo-user
edit user_1
set action permit
end
Related topics
imp2p aim-user
imp2p icq-user
imp2p msn-user
imp2p old-version
imp2p policy

Confidential and Proprietary Information of ZTE CORPORATION 213

ZXSEC US CLI Reference Guide

This page is intentionally blank.

214 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 8

IPS

Overview
Use ips commands to configure IPS sensors to define which
signatures are used to examine traffic and what actions are
taken when matches are discovered. DoS sensors can also be
defined to examine traffic for anomalies
This chapter contains the following sections:
DoS
Custom
Decoder
Global
Rule
Sensor

Note:
If the IPS test can’t find the destination MAC address, the peer
interface will be used. To ensure packets get IPS inspection,
there must be a Peer Interface. Both interfaces must be in the
same VDOM, and one interface cannot be both the peer and
original interface. For information on how to set the Peer
Interface see “interface”.

DoS
ZXSEC US Intrusion Protection uses Denial of Service (DoS)
sensors to identify network traffic anomalies that do not fit
known or preset traffic patterns. Four statistical anomaly types
for the TCP, UDP, and ICMP protocols can be identified.

Confidential and Proprietary Information of ZTE CORPORATION 215

ZXSEC US CLI Reference Guide

Flooding If the number of sessions targeting a single

destination in one second is over a threshold, the
destination is experiencing flooding.
Scan If the number of sessions from a single source in
one second is over a threshold, the source is
scanning.
Source session limit
If the number of concurrent sessions from a single
source is over a threshold, the source session limit
is reached.
Destination session limit
If the number of concurrent sessions to a single
destination is over a threshold, the destination
session limit is reached.
Enable or disable logging for each anomaly, and select the action
taken in response to detecting an anomaly. Configure the
anomaly thresholds to detect traffic patterns that could
represent an attack.

Note:
It is important to estimate the normal and expected traffic on
the network before changing the default anomaly thresholds.
Setting the thresholds too low could cause false positives, and
setting the thresholds too high could allow some attacks.
The list of anomalies can be updated only when the ZXSEC US
firmware image is upgraded.

Config Limit
Access the config limit subcommand using the config ips
anomaly <name_str> command.
Use this command for session control based on source and
destination network address. This command is available for
tcp_src_session, tcp_dst_session, icmp_src_session,
icmp_dst_session, udp_src_session, udp_dst_session.
The default entry cannot be edited. Addresses are matched from
more specific to more general. For example, if thresholds are
defined for 192.168.100.0/24 and 192.168.0.0/16, the address
with the 24 bit netmask is matched before the entry with the 16
bit netmask.
Syntax
config ips DoS
edit <sensor_int>
config address

216 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 8 IPS

edit <address_int>
set dst-ip <dst_ipv4mask>
set dst-port <dstport_int>
set src-ip <src_ipv4mask>
end
config anomaly
edit <anomaly_str>
set status {enable | disable}
set log {enable | disable}
set action {block | pass}
set threshold <threshold_int>
end
set comment <comment_str>
set name <name_str>
set status {disable | enable}
end

TABLE 40 DOS SETTING

Keywords and Description Default

variables
name_str The name of the Yahoo user.
sensor_int The DoS sensor number. Enter ‘?’
to display a list of sensor numbers.
Enter an unused number to create
a new sensor.
address_int Enter the protected address
integer. This is an ID number used
to reference a specified protected
address source/destination/ port
combination.
dst-ip Enter the destination IP address 0.0.0.0
<dst_ipv4mask and subnet to which this sensor 0.0.0.0
> applies. The default is all
addresses.
dst-port Enter the destination port to which 0
<dstport_int> this sensor applies. The default is
all ports.
src-ip Enter the source IP address and 0.0.0.0
<src_ipv4mask subnet to which this sensor 0.0.0.0
> applies. The default is all
addresses.
anomaly_str Enter the name of the anomaly
you want to configure. Display a
list of the available anomaly types
by entering ‘?’.

Confidential and Proprietary Information of ZTE CORPORATION 217

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
status {enable | Enable or disable the specified disable
disable} anomaly in the current DoS
sensor.
log {enable | Enable or disable logging of the enable
disable} specified anomaly in the current
DoS sensor.
action {block | Pass or block traffic in which the pass
pass} specified anomaly is detected.
threshold Enter the number of times the varies by
<threshold_int specified anomaly must be anomaly
> detected in network traffic before
the action is triggered.
comment Enter a description of the DoS
<comment_str sensor. This is displayed in the
> DoS sensor list. Descriptions with
spaces must be enclosed in
quotation marks.
name Enter a name for the DoS sensor.
<name_str> This is displayed in the DoS sensor
list. Names with spaces must be
enclosed in quotation marks.
status {disable Enable or disable the current DoS disable
| enable} sensor.

Examples
This example shows how to create a DoS sensor, name it, and
enable blocking of the udp_flood anomaly with the default
threshold.
config ips DoS
edit 12
set name test
set comment "This is for test"
config anomaly
edit udp_flood
set action block
set status enable
end
end
Related topics
ips custom
ips global
ips fail-open {enable | disable}

218 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 8 IPS

Custom
Create custom IPS signatures and add them to IPS sensors.
Custom signatures provide the power and flexibility to customize
ZXSEC US Intrusion Protection for diverse network environments.
The ZXSEC US predefined signatures cover common attacks. If
an unusual or specialized application or an uncommon platform
is being used, add custom signatures based on the security
alerts released by the application and platform vendors.
Use custom signatures to block or allow specific traffic.
The custom signature settings are configured when it is defined
as a signature override in an IPS sensor. This way, a single
custom signature can be used in multiple sensors with different
settings in each. See “ips sensor” for details.
For more information on custom signature syntax see the ZXSEC
US IPS Custom Signatures Technical Bulletin.

Note:
Custom signatures are an advanced feature. This document
assumes the user has previous experience writing intrusion
detection signatures.
Syntax
config ips custom
edit <sig_str>
set signature <signature_str>
end

TABLE 41 CUSTOM SETTING

Keywords and Description Default

variables
sig_str The name of the custom signature.
signature Enter the custom signature. The No default.
<signature_str signature must be enclosed in
> single quotes.

Example
This example shows how to add a custom signature.
config ips custom
edit bad_things
set signature 'F-SBID (--protocol tcp; --flow bi_direction;
--pattern "nude cheerleader"; --no_case)'
end
Related topics

Confidential and Proprietary Information of ZTE CORPORATION 219

ZXSEC US CLI Reference Guide

ips global
execute backup
execute restore
ips fail-open {enable | disable}

Decoder
The Intrusion Protection system looks for certain types of traffic
on specific ports. Using the decoders command, you can change
ports if your configuration uses non-standard ports.
Syntax
config ips decoder
edit <decoder_str>
set port_list <port_int>
end

TABLE 42 DECODER SETTING

Keywords and Description Default

variables
decoder_str Enter the name of the decoder.
Enter ‘?’ for a list.
port_list Enter the ports which the decoder varies by
<port_int> will examine. Multiple ports can be decoder
specified by separating them with
commas and enclosing the list in
quotes.

Example
This example shows how to modify the dns_decoder to examine
ports 1, 2, and 3 instead of the default 53.
config ips decoder dns_decoder
set port_list "1,2,3"
end

Global
Use this command to ignore sessions after a set amount of
traffic has passed.
Syntax
config ips global
set anomaly-mode {continuous | periodical}

220 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 8 IPS

set engine-count <integer>

set fail-open {enable | disable}
set ignore-session-bytes <byte_integer>
set session-limit-mode {accurate | heuristic}
set socket-size <ips_buffer_size>
set traffic-submit {enable | disable}
end

TABLE 43 GLOBAL SETTING

Keywords and Description Default

variables
anomaly-mode Enter continuous to start blocking continuous
{continuous | packets once attack starts. Enter
periodical} periodical to allow configured
number of packets per second.
engine-count Enter the number of intrusion 0
<integer> protection engines to run. Multi-
processor ZXSEC US units can
more efficiently process traffic with
multiple engines running. When
set to the default value of 0, the
ZXSEC US unit determines the
optimal number of intrusion
protection engines to run.
fail-open If for any reason the IPS should enable
{enable | cease to function, it will fail open
disable} by default. This means that crucial
network traffic will not be blocked
and the Firewall will continue to
operate while the problem is
resolved.
ignore-session- Set the number of bytes after 204800
bytes which the session is ignored.
<byte_integer>
session-limit- Enter accurate to accurately count heuristic
mode the concurrent sessions. This
{accurate | option demands more resource.
heuristic} Enter heuristic to heuristically
count the concurrent sessions.
socket-size Set intrusion protection buffer model-
<ips_buffer_siz size. The default value is correct in dependent
e> most cases.

traffic-submit Submit attack characteristics to disable

{enable | Usservice Service
disable}
anomaly-mode Enter continuous to start blocking continuous
{continuous packets once attack starts. Enter
| periodical} periodical to allow configured
number of packets per second.

Confidential and Proprietary Information of ZTE CORPORATION 221

ZXSEC US CLI Reference Guide

Example
This example shows how to set intrusion protection to ignore
sessions after 204800 bytes.
config ips global
set ignore-session-bytes 204800
end
This example shows how to see the current configuration of ips
global.
# get ips global
anomaly-mode: continuous
engine-count: 0
fail-open: enable
ignore-session-bytes:204800
session-limit-mode: heuristic
socket-size: 8 (MB)
traffic-submit: disable
Related topics
execute backup
execute restore
ips fail-open {enable | disable}

Rule
The IPS sensors use signatures to detect attacks. These
signatures can be listed with the rules command. Details about
the default settings of each signature can also be displayed.
Syntax
config ips rule <rule_str>
get

TABLE 44 RULE SETTING

Keywords and Description Default

variables
rule_str Enter the name of a signature. For
a complete list of the predefined
signatures, enter ‘?’ instead of a
signature name.

Example

222 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 8 IPS

This example shows how to display the current configuration of

the Apache.Long.Header.DoS signature.
# config ips rule Apache.Long.Header.DoS
(Apache.Long.He~d) # get
name: Apache.Long.Header.DoS
status: enable
log: enable
log-packet: disable
action: pass
group: web_server
severity: medium
location: server
os: Windows, Linux, BSD, Solaris
application: Apache
service: TCP, HTTP
rule-id : 11206
rev : 2.450
end

Sensor
The IPS sensors use signatures to detect attacks. IPS sensors
are made up of filters and override rules. Each filter specifies a
number of signature attributes and all signatures matching all
the specified attributes are included in the filter. Override rules
allow you to override the settings of individual signatures.
Syntax
config ips sensor
edit <sensor_str>
config filter
edit <filter_str>
set location {all | client | server}
set severity {all | info low medium high critical}
set protocol <protocol_str>
set os {all | other windows linux bsd solaris macos}
set application <app_str>
set status {default | enable | disable}
set log {default | enable | disable}
set action {block | default | pass | reject}

Confidential and Proprietary Information of ZTE CORPORATION 223

ZXSEC US CLI Reference Guide

end
config override
edit <override_int>
config exempt-ip
edit <exempt_int>
set dst-ip <dest_ipv4mask>
set src-ip <source_ipv4mask>
end
set action {block | pass | reset}
set log {disable | enable}
set log-packet {disable | enable}
set status {disable | enable}
end
set comment <comment_str>
end

TABLE 45 SENSOR SETTING

Keywords and Description Default

variables
sensor_str Enter the name of an IPS sensor.
For a list of the IPS sensors, enter
‘?’ instead of an IPS sensor name.
Enter a new name to create a
sensor.
filter_str Enter the name of a filter. For a
list of the filters in the IPS sensor,
enter ‘?’ instead of a filter name.
Enter a new name to create a
filter.
location {all | Specify the type of system to be all
client | protected.
server} client selects signatures for
attacks against client
computers.
server selects signatures for
attacks against servers.
all selects both client and
server signatures.

severity {all | Specify the severity level or levels. all

info low Specify all to include all severity
medium high levels.
critical}
protocol Specify the protocols to be all
<protocol_str> examined. Enter ‘?’ to display a list
of the available protocols. All will

224 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 8 IPS

Keywords and Description Default

variables
include all protocols. Other will
include all unlisted protocols.
os {all | other Specify the operating systems to all
windows linux be protected. All will include all
bsd solaris operating systems. Other will
macos} include all unlisted operating
systems.
application Specify the applications to be all
<app_str> protected. Enter ‘?’ to display a
list of the available applications.
All will include all applications.
Other will include all unlisted
applications.
status {default Specify the status of the default
| enable | signatures included in the filter.
disable}
enable will enable the filter.
disable will disable the filter.
default will enable the filter
and only use the filters with a
default status of enable. Filters
with a default status of disable
will not be used.

log {default | Specify the logging status of the default

enable | signatures included in the filter.
disable}
enable will enable logging.
disable will disable logging.
default will enable logging for
only the filters with a default
logging status of enable.
Filters with a default logging
status of disable will not be
logged.

action {block | Specify what action is taken with default

default | pass | traffic in which signatures ar
reject} detected.
block will drop the session with
the offending traffic.
default will use the default
signature action.
pass will allow the traffic.
reject will reset the session.

override_int Enter the rule ID of an override

filter. The rule ID is number
assigned to a filter, pre-defined or
custom, and it specified which
filter is being overridden. For a list
of the currently defined overrides,

Confidential and Proprietary Information of ZTE CORPORATION 225

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
enter ‘?’ instead of a rule ID.
Rule IDs are an attribute of every
signature. Use the config ips rule
command to list the signatures or
view them in the GUI.
exempt_int Each override can apply to any
number of source addresses,
destination addresses, or
source/destination pairs. The
addresses are referenced by
exempt_id values.
dst-ip Enter the destination IP address 0.0.0.0
<dest_ipv4mas and subnet to which this sensor 0.0.0.0
k> will apply. The default is all
addresses.
src-ip Enter the source IP address and 0.0.0.0
<source_ipv4m subnet to which this sensor will 0.0.0.0
ask> apply. The default is all addresses.
action {block | Specify the action to be taken for pass
pass | this override.
reset} block will drop the session.
pass will allow the traffic.
reset will reset the session.

log {disable | Specify whether the log should disable

enable} record when the override occurs.
log-packet When enabled, packet logging will disable
{disable | save the packet that triggers the
enable} override. You can download the
packets in pcap format for
diagnostic use. This feature is only
available in ZXSEC US units with
internal hard drives.
status {disable Enable or disable the override. disable
| enable}
comment Enter a description of the IPS
<comment_str sensor. This description will appear
> in the ISP sensor list. Descriptions
with spaces must be enclosed in
quotes.

Example
This example shows how to create an IPS sensor containing a
filter that includes all signatures to protect against Windows
server attacks.
config ips sensor
edit dept_srv
set comment "Department file servers"

226 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 8 IPS

config filter edit win_srv

set location server set os windows
set action block
end
end

Confidential and Proprietary Information of ZTE CORPORATION 227

ZXSEC US CLI Reference Guide

This page is intentionally blank.

228 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 9

LOG

Overview
Use the config log commands to set the logging type, the
logging severity level, and the logging location for the ZXSEC US
unit.

Note:
In Transparent mode, certain log settings and options may not
be available because certain features do not support logging or
are not available in this mode. For example, SSL VPN events are
not available in Transparent mode.
custom-field
{disk | Usla | memory | syslogd | webtrends | Usservice}
filter
disk setting
Usla setting
Usservice setting
memory setting
memory global setting syslogd setting
webtrends setting
trafficfilter
report customization
report definition
report filter
report output
report period
report schedule
report scope

Confidential and Proprietary Information of ZTE CORPORATION 229

ZXSEC US CLI Reference Guide

report selection
report summary-layout

Custom-field
Use the following command to customize the log fields with a
name and/or value. The custom name and/or value will appear
in the log message.
Syntax
config log custom-field
edit id <integer>
set name <name>
set value <integer>
end

TABLE 46 CUSTOM-FIELD SETTING

Keywords and Description Default

variables
id <integer> Enter the identification number for No default
the log field.
name <name> Enter a name to identify the log. No default
You can use letters, numbers,
(‘_‘), but no characters such as
the number symbol (#). The
name must be no longer than 16
characters.
value Enter a firewall policy number to No default
<integer> associate a firewall policy with the
logs.

Example
This example shows how to configure a customized field for logs
for branch offices in a company and are associated with specific
firewall policies.
config log custom-field edit 1
set name company_branch1
set value 2
next edit 2
set name company_branch2
set value 4
next edit 3
set name company_branch3

230 Confidential and Proprietary Information of ZTE CORPORATION

Example
This example shows how to set the logging severity level to
warning, enable virus logging for infected files, and enable event
logging for anomaly and IPSec events.
config log disk filter
set severity warning set virus enable
set infected enable set event enable
set anomaly enable set ipsec enable
end
Related topics
log Usla setting
log memory setting
log syslogd setting
log webtrends setting
log trafficfilter
log report definition
firewall

Disk Setting
Use this command to configure log settings for logging to the
local disk. Disk logging is only available for ZXSEC US units with
an internal hard disk. You can also use this command to
configure the ZXSEC US unit to upload current log files to an FTP
server every time the log files are rolled.
If you have an AMC disk installed on your ZXSEC US unit, you
can use disk setting to configure logging of traffic to the AMC

Confidential and Proprietary Information of ZTE CORPORATION 237

ZXSEC US CLI Reference Guide

disk. The AMC disk behaves as a local disk after being inserted
into the ZXSEC US unit and the ZXSEC US unit rebooted. You
can view logs from Log&Report > Log Access > Disk when
logging to an AMC disk.

Note:
AMC disk is supported on all ZXSEC US units that have single-
wide AMC slots.
Syntax
config log disk setting
set status {enable | disable}
set log full-first-warning threshold
set log full-second-warning threshold
set log full-final-warning threshold
set max-log-file-size <integer max>
set roll-schedule {daily | weekly}
set roll-time <hh:mm>
set diskfull {nolog | overwrite}
set upload {enable | disable}
set upload-destination {Usla | ftp-server}
set uploadip <class_ip>
set uploadport <port_integer>
set uploaduser <user_str>
set uploadpass <passwd>
set uploaddir <dir_name_str>
set uploadtype {attack event im spamfilter traffic virus voip
webfilter}
set uploadzip {disable | enable}
set uploadsched {disable | enable}
set uploadtime <time_integer>
set upload-delete-files {enable | disable}
set drive-standby-time <0-19800>
end

TABLE 48 DISK SETTING

Keywords and Description Default

variables
id <integer> Enter the identification number for No default
the log field.
status Enter enable to enable logging to disable
{enable | the local disk.

238 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 9 LOG

Keywords and Description Default

variables
disable}
full-first- Enter to configure the first warning 75
warning before reaching the threshold. You
threshold can enter a number between 1
and 100.
full-second- Enter to configure the second 90
warning warning before reaching the
threshold threshold. You can enter a number
between 1 and 100.
full-final- Enter to configure the final 95
warning warning before reaching the
threshold threshold. You can enter a number
between 1 and 100.
max-log-file- Enter the maximum size of the log 100
size file (in MB) that is saved to the
<integer max> local disk.
When the log file reaches the
specified maximum size, the
ZXSEC US unit saves the current
log file and starts a new active log
file. The default minimum log file
size is 1 MB and the maximum log
file size allowed is 1024MB.
roll-schedule Enter the frequency of log rolling. daily
{daily | When set, the ZXSEC US unit will
weekly} roll the log event if the maximum
size has not been reached.
roll-time Enter the time of day, in the 00:00
<hh:mm> format hh:mm, when the ZXSEC
US unit saves the current log file
and starts a new active log file.
diskfull Enter the action to take when the overwrite
{nolog | local disk is full. When you enter
overwrite} nolog, the ZXSEC US unit will stop
logging; overwrite will begin
overwriting the oldest file once the
local disk is full.
upload Enable or disable uploading log disable
{enable | files to a remote directory. Enable
disable} upload to upload log files to an
FTP server whenever a log file
rolls.
Use the uploaddir, uploadip,
uploadpass, uploadport, and
uploaduser keywords to add this
information required to connect to
the FTP server and upload the log
files to a specific location on the
server.
Use the uploadtype keyword to
select the type of log files to

Confidential and Proprietary Information of ZTE CORPORATION 239

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
upload.
Use the upload-delete-files
keyword to delete the files from
the hard disk once the ZXSEC US
unit completes the file transfer.
All upload keywords are available
after enabling the upload
command.
upload- Select to upload log files directly disable
destination to a Usla unit or to an FTP server.
{Usla | ftp- When you select to upload log files
server} directly to a Usla unit, you can
also schedule when to upload the
log files, when the log file rolls,
and so on.
uploadip Enter the IP address of the FTP 0.0.0.0
<class_ip> server. This is required.

uploadport Enter the port number used by the 21

<port_integer> FTP server. The default port is 21.
Port 21 is the standard FTP port.
uploaduser Enter the user account for the No default.
<user_str> upload to the FTP server. This is
required.
uploadpass Enter the password required to No default
<passwd> connect to the FTP server. This is
required.
uploaddir Enter the name of the path on the No default
<dir_name_str FTP server where the log files will
> be transferred to. If you do not
specify a remote directory, the log
files are uploaded to the root
directory of the FTP server.
uploadtype Select the log files to upload to the traffic event
{attack event FTP server. You can enter one or spamfilter
im spamfilter more of the log file types virus
traffic virus voip separated by spaces. Use a space webfilter
webfilter} to separate the log file types. If voip
you want to remove a log file type im
from the list or add a log file type
to the list, you must retype the list
with the log file type removed or
added.
uploadzip Enter enable to compress the log disable
{disable | files after uploading to the FTP
enable} server. If disable is entered, the
log files are uploaded to the FTP
server in plain text format.
uploadsched Enable log uploads at a specific disable
{disable | time of the day. When set to
enable} disable, the ZXSEC US unit
uploads the logs when the logs are

240 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 9 LOG

Keywords and Description Default

variables
rolled.
uploadtime Enter the time of day when the 0
<time_integer> ZXSEC US unit uploads the logs.
The uploadsched setting must first
be set to enable.
upload-delete- Enable or disable the removal of enable
files the log files once the ZXSEC US
{enable | unit has uploaded the log file to
disable} the FTP server.

drive-standby- Set the power management for 0

time the hard disk. Enter the number of
<0-19800> seconds, up to 19800. If there is
no hard disk activity within the
defined time frame, the hard disk
will spin down to conserve energy.
Setting the value to 0 disables the
setting.

Example
This example shows how to enable logging to the local disk, set
the action to stop logging when the disk is full, log files have a
maximum size of 300MB, roll log files daily and start a new one
at 1:30pm every day.
config log disk setting
set status enable
set diskfull nolog
set max-log-file-size 300
set roll-schedule daily
set roll-time 01:30
end
This example shows how to enable uploading the traffic log and
content archive files to an FTP server. The FTP server has the IP
address 172.30.120.24, the user name is ftpone, the password
is ftppass1, and the directory on the FTP server is ZXSEC
US\login.
config log disk setting
set upload enable
set uploadip 172.30.120.24
set uploaduser ftpone
set uploadpass ftppass1
set uploadtype traffic content
set uploaddir ZXSEC US\logs
end
Related topics

Confidential and Proprietary Information of ZTE CORPORATION 241

ZXSEC US CLI Reference Guide

log {disk | Usla | memory | syslogd | webtrends | Usservice}

filter
log Usla setting
log memory setting
log syslogd setting
log trafficfilter
log webtrends setting
log report definition

Usla Setting
Use this command to configure the ZXSEC US unit to send log
files to a Usla unit. See “fips-cc” to set the Usla configuration
settings.
Usla units are network appliances that provide integrated log
collection, analysis tools and data storage. Detailed log reports
provide historical as well as current analysis of network and
email activity to help identify security issues and reduce network
misuse and abuse.
Using the CLI, you can send logs to up to three different Usla
units for maximum fail-over protection of log data. After
configuring logging to Usla units, the ZXSEC US unit will send
the same log packets to all configured Usla units. Additional Usla
units are configured using the Usla 2 and Usla 3 commands.
Use the multi-report command to enable configuring Usla
reports. By default, multi-report is disabled and only the default
Usla report is available.

Note:
The Usla CLI commands are not cumulative. Using a syntax
similar to the following is not valid:
config log Usla Usla2 Usla3 setting
Syntax
config log Usla setting
set status {disable | enable}
set multi-report {enable | disable}
set max-buffer-size
end

242 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 9 LOG

TABLE 49 USLA SETTING

Keywords and Description Default

variables
status {disable Enter enable to enable logging to a disable
| enable} Usla unit.
multi-report Enter enable configuring of disable
{enable | multiple reports. You need to
disable} enable this command to configure
any Usla reports.
max-buffer-size Enter a number between 0 to 10
4095MB for the maximum buffer
size for the Usla unit. The number
0 disables the maximum buffer
size.

Example
This example shows how to enable logging to a Usla unit.
config log Usla setting
set status enable
end
Related topics
system fips-cc
log {disk | Usla | memory | syslogd | webtrends | Usservice}
filter
log Usla setting
log memory setting
log syslogd setting
log webtrends setting
log trafficfilter
log report definition

Usservice Setting
Use this command for configuring Usservice Analysis Service
settings. See the ZXSEC US Administration Guide for more
information about subscription-based Usservice Analysis and
Management Service, including enabling logging to a Usservice
Analysis server.

Note:
The Usservice setting command is only available when Usservice
Analysis and Management Service subscription-based services
are enabled. The storage space is a specified amount, and varies,
depending on the services requested.

Confidential and Proprietary Information of ZTE CORPORATION 243

ZXSEC US CLI Reference Guide

Syntax
config log Usservice setting
set quotafull {nolog | overwrite}
set status {disable | enable}
end

TABLE 50 USSERVICE SETTING

Keywords and Description Default

variables
quotafull {nolog Enter the action to take when the overwrite
| overwrite} specified storage space on the
Usservice Analysis server is full.
When you enter nolog, the ZXSEC
US unit will stop logging, and
overwrite will begin overwriting
the oldest file.
status {disable Enter to enable the Usservice disable
| enable} Analysis server.

Example
In this example, the ZXSEC US unit is logging to a Usservice
Analysis server, and will stop logging when the maximum
storage space on the server is reached.
config log Usservice setting
set quotafull nolog
set status enable
end
Related topics
{disk | Usla | memory | syslogd | webtrends | Usservice}
filter

Memory Setting
Use this command to configure log settings for logging to the
ZXSEC US system memory.
The ZXSEC US system memory has a limited capacity and only
displays the most recent log entries. Traffic logs are not stored
in the memory buffer, due to the high volume of traffic
information. After all available memory is used, by default, the
ZXSEC US unit begins to overwrite the oldest messages. All log
entries are deleted when the ZXSEC US unit restarts.
Syntax
config log memory setting
set diskfull <overwrite>

244 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 9 LOG

set status {disable | enable}

end

TABLE 51 MEMORY SETTING

Keywords and Description Default

variables
diskfull Enter the action to take when the overwrite
<overwrite> memory is reaching its capacity.
The only option available is
overwrite, which means that the
ZXSEC US unit will begin
overwriting the oldest file.
status {disable Enter enable to enable logging to disable
| enable} the ZXSEC US system memory.

Example
This example shows how to enable logging to the ZXSEC US
system memory.
config log memory setting
set status enable
set diskfull overwrite
end
Related topics
log {disk | Usla | memory | syslogd | webtrends | Usservice}
filter
log Usla setting
log syslogd setting
log webtrends setting
log trafficfilter
log report definition
memory global setting

Memory Global Setting

Use this command to configure log threshold warnings, as well
as the maximum buffer lines, for the ZXSEC US system memory.
The ZXSEC US system memory has a limited capacity and
displays only the most recent log entries. Traffic logs are not
stored in the memory buffer, due to the high volume of traffic
information. After all available memory is used, by default, the
ZXSEC US unit begins to overwrite the oldest log messages.
All log entries are deleted when the ZXSEC US unit restarts.
Syntax

Confidential and Proprietary Information of ZTE CORPORATION 245

ZXSEC US CLI Reference Guide

config log memory global setting

set full-final-warning-threshold
set full-first-warning-threshold
set full-second-warning-threshold
set max-lines
end

TABLE 52 MEMORY GLOBAL SETTING

Keywords and Description Default

variables
full-final- Enter to configure the final 95
warning- warning before reaching the
threshold threshold. You can enter a number
between 1 and 100.
full-first- Enter to configure the first warning 75
warning- before reaching the threshold. You
threshold can enter a number between 1
and 100.
full-second- Enter to configure the second 90
warning- warning before reaching the
threshold threshold. You can enter a number
between 1 and 100.
max-lines Enter the maximum number of No default
lines in the memory buffer log.

Example
This example shows how to configure the first, second, and final
threshold warnings as well as the maximum lines for the
memory buffer log.
config log memory global setting
set first-full-warning-threshold 40
set second-full-warning-threshold 60
set final-full-warning-threshold 80
set max-lines 60
end
Related topics
log {disk | Usla | memory | syslogd | webtrends | Usservice}
filter
log Usla setting
log syslogd setting
log webtrends setting
log trafficfilter
log report definition

246 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 9 LOG

memory setting

Syslogd Setting
Use this command to configure log settings for logging to a
remote syslog server. You can configure the ZXSEC US unit to
send logs to a remote computer running a syslog server.
Using the CLI, you can send logs to up to three different syslog
servers. Configure additional syslog servers using syslogd2 and
syslogd3 commands and the same keywords outlined below.

Note:
Syslog CLI commands are not cumulative. Using a syntax similar
to the following is not valid:
config log syslogd syslogd2 syslogd3 setting
Syntax
config log syslogd setting
set csv {disable | enable}
set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp
| kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 |
local7 | lpr | mail | news | ntp | syslog | user | uucp}
set port <port_integer>
set server <address_ipv4>
set status {disable | enable}
end

TABLE 53 SYSLOGD SETTING

Keywords and Description Default

variables
full-final- Enter to configure the final 95
warning- warning before reaching the
threshold threshold. You can enter a number
between 1 and 100.
csv {disable | Enter enable to enable the ZXSEC disable
enable} US unit to produce the log in
Comma Separated Value (CSV)
format. If you do not enable CSV
format the ZXSEC US unit
produces plain text files.
facility {alert | Enter the facility type. facility local7
audit | auth | identifies the source of the log
authpriv | clock message to syslog. You might
| cron | daemon want to change facility to
| ftp | kernel | distinguish log messages from
local0 | local1 different ZXSEC US units.

Confidential and Proprietary Information of ZTE CORPORATION 247

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
| local2 | local3 Available facility types are:
| local4 | local5
alert: log alert
| local6 | local7
| lpr | mail | audit: log audit
news | ntp |
syslog | user | auth: security/authorization
uucp} messages
authpriv:
security/authorization
messages (private)
clock: clock daemon
cron: cron daemon performing
scheduled commands
daemon: system daemons
running background system
processes
ftp: File Transfer Protocol
(FTP) daemon
kernel: kernel messages
local0 – local7: reserved for
local use
lpr: line printer subsystem
mail: email system
news: network news
subsystem
ntp: Network Time Protocol
(NTP) daemon
syslog: messages generated
internally by the syslog
daemon

port Enter the port number for 514

<port_integer> communication with the syslog
server.
server Enter the IP address of the syslog No default.
<address_ipv4 server that stores the logs.
>
status {disable Enter enable to enable logging to a disable
| enable} remote syslog server.

Example
This example shows how to enable logging to a remote syslog
server, configure an IP address and port for the server, and
enable logging in CSV format.
config log syslogd setting
set status enable
set server 220.210.200.190

248 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 9 LOG

set port 601

set csv enable
end
Related topics
log {disk | Usla | memory | syslogd | webtrends | Usservice}
filter
log Usla setting
log memory setting
log webtrends setting
log trafficfilter
log report definition

Webtrends Setting
Use this command to configure log settings for logging to a
remote computer running a NetIQ WebTrends firewall reporting
server.
ZXSEC US log formats comply with WebTrends Enhanced Log
Format (WELF) and are compatible with NetIQ WebTrends
Security Reporting Center and Firewall Suite 4.1.
Syntax
config log webtrends setting
set server <address_ipv4>
set status {disable | enable}
end

TABLE 54 WEBTRENDS SETTING

Keywords and Description Default

variables
server Enter the IP address of the No default.
<address_ipv4 WebTrends server that stores the
> logs.
status {disable Enter enable to enable logging to a disable
| enable} WebTrends server.

Example
This example shows how to enable logging to and set an IP
address for a remote WebTrends server.
config log webtrends setting
set status enable
set server 220.210.200.190

Confidential and Proprietary Information of ZTE CORPORATION 249

ZXSEC US CLI Reference Guide

end
Related topics
log {disk | Usla | memory | syslogd | webtrends | Usservice}
filter
log Usla setting
log memory setting
log syslogd setting
log trafficfilter
log report definition

Trafficfilter
Use this command to configure the following global settings for
traffic logging:
resolve IP addresses to host names
display the port number or service (protocol) in the log
message
Syntax
config log trafficfilter
set display {name | port}
set resolve {disable | enable}
end
The config log trafficfilter command has 1 subcommand.
config rule

TABLE 55 TRAFFICFILTER SETTING

Keywords and Description Default

variables
display {name | Enter name to enable the display port
port} of the service name in the traffic
log messages. Enter port to
display the port number used by
traffic in traffic log messages.
resolve Enter enable to enable resolving IP disable
{disable | addresses to host names in traffic
enable} log messages.

Example
This example shows how to display the service name and enable
resolving IP addresses to host names in log messages.
config log trafficfilter

250 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 9 LOG

set display name

set resolve enable
end

Config Rule
Access the rule subcommand using the log trafficfilter command.
Use the following commands to configure traffic filter rules based
on source IP address, destination IP address, and service
(protocol).
Syntax
config rule
edit <name_str>
set dst <any_ip&any_netmask>
set service <name_str>
set src <class_ip&net_netmask>
end

TABLE 56 TRAFFICFILTER CONFIG RULE SETTING

Keywords and Description Default

variables
dst Enter the destination IP address 0.0.0.0
<any_ip&any_n and netmask where you want to 0.0.0.0
etmask> filter traffic logs to.
service Enter the service that you want to No default.
<name_str> filter traffic logs. You can choose
from any of the predefined
services listed and any custom
services you have configured. See
“service custom”.
src Enter the source IP address and 0.0.0.0
<class_ip&net_ netmask where you want to filter 0.0.0.0
netmask> traffic logs to.

Example
This example shows how to configure a traffic filter called TF_1,
to configure the source and destination IP and netmask, and to
set the service to HTTP.
config log trafficfilter config rule
edit TF_1
set dst 220.210.200.190 255.255.255.0
set src 192.168.100.1 255.255.255.0
set service HTTP

Confidential and Proprietary Information of ZTE CORPORATION 251

ZXSEC US CLI Reference Guide

end
end
Related topics
log {disk | Usla | memory | syslogd | webtrends | Usservice}
filter
log Usla setting
log memory setting
log syslogd setting
log webtrends setting
log report definition

Report Customization
Use this command to customize your report with the company
name, or to customize footers and headers.
Syntax
config log report customization
set company <company_name>
set footer-option {custom | report-title} <footer>
set header <header_name>
end

TABLE 57 REPORT CUSTOMIZATION SETTING

Keywords and Description Default

variables
company Enter your company name to No default
<company_na display on the report.
me>
footer-option Enter to display the report-title in report-title
{custom | the footers of the report, or
report-title} custom to customize the footers.
<footer> When customizing the footer, you
can enter the footer comment by
using footer instead of entering
footer-option custom
header Enter a header for the report. No default
<header_name
>

Example
This example shows how to customize the report with the
company name XYN, along with a customized footer and header
for the report.

252 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 9 LOG

config log report definition

set description "A weekly traffic report for the ZXSEC US120"
set title "Weekly Report"
set footer “XYN: Weekly Report”
set header “XYN: Week of June 21”
end
Related topics
report filter
report output
report period
report schedule
report scope
report selection

Report Definition
Use this command to add information to the report, including
the title of the report and a description of what is contained in
the report.
Syntax
config log report definition
set description <report_description>
set title <report_title>
end

TABLE 58 REPORT CUSTOMIZATION SETTING

Keywords and Description Default

variables
description Enter a description for the report No default
<report_descrip describing what the report
tion> contains. Enclose the description
in quotes. For example,
“This report contains network
traffic statistics.”
title Enter a title for the report. If the No default
<report_title> title is more than one word,
enclose the title in quotes. For
example, “Network Traffic
Statistics.”

Example
This example shows how to set the report name and title.

Confidential and Proprietary Information of ZTE CORPORATION 253

ZXSEC US CLI Reference Guide

config log report definition

set description "A weekly traffic report for the ZXSEC US120"
set title "Weekly Report"
end
Related topics
report filter
report output
report period
report schedule
report scope
report selection

Report Filter
Use this command to view or remove information from a report
to provide a more concise report. For example, you only want
reports on specific error messages, or you do not want include
certain IP address destinations.
Syntax
config log report filter
set filter-string <filter_string>
end

TABLE 59 REPORT FILTER SETTING

Keywords and Description Default

variables
filter-string Enter a filter to define what is No default
<filter_string> included in the report. For
example, the filter admin. See
“{disk | Usla | memory | syslogd |
webtrends | Usservice} filter” for
more information about the
available filters.
This command allows only one
filter entry per report.

Related topics
report definition
report output
report period
report schedule
report scope

254 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 9 LOG

report selection

Report Output
Use this command to configure a file format for the report for
email recipients, saved to the Usla hard disk. Use this command
to also configure the Usla unit to upload the report files to an
FTP server when completed.
Syntax
config log report output config addresses
edit address <address_str>
set from <from_sender>
set server <server_ip>
next
end
set email {html | pdf | rtf | txt}
set email-attachment-name <name_str>
set email-body <string>
set email-subject <subject_str>
set file {html | pdf | rtf | txt}
set upload {enable | disable}
set upload-delete {enable | disable}
set upload-dir <directory_str>
set upload-gzipped {enable | disable}
set upload-ip <ip_str>
set upload-password <passwd_str>
set upload-server-type {FTP | SCP | SFTP}
set upload-username <username_str>
end

TABLE 60 REPORT OUTPUT SETTING

Keywords and Description Default

variables
edit address Enter the email recipients for the No default
<address_str> Usla report.

set from Enter the sender’s email address. No default

<from_sender>
set server Enter the server IP address. No default
<server_ip>

Confidential and Proprietary Information of ZTE CORPORATION 255

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
email Select the file format for the Usla No default
{html | pdf | rtf unit sends to the email recipients.
| txt}
email- Enter the email output attachment No default
attachment- name.
name
<name_str>
email-body Enter the email output body. No default.
<string>
email-subject Enter the email’s subject for the No default
<subject_str> subject line.

file Select the file format the Usla html

{html | pdf | rtf saves to its hard disk.
| txt}
upload {enable Set whether the Usla unit uploads disable
| disable} the report files to an FTP server.
All upload keywords are available
when upload is enabled.
upload-delete Enable or disable the removal of disable
{enable | the log files once the
disable} ZXSEC US unit has uploaded the
log file to the FTP server.
upload-dir Enter the target directory in the No default
<directory_str> uploading server. For example, the
file is in d:\, so it would be
d:\george_files_xyn2006.
upload-gzipped Enable or disable the compressing disable
{enable | of the log files before uploading to
disable} the FTP server. This keyword is
available when upload is enabled.
upload-server- Enter the upload server type. FTP
type
{FTP | SCP |
SFTP}
upload-ip Enter the IP address required to No default
<ip_str> connect to the FTP server. This
keyword is available when upload
is enabled.
upload- Enter the password required to No default
password connect to the FTP server. This
<passwd_str> keyword is available when upload
is enabled.
upload- Enter the user name required to No default
username connect to the FTP server. This
<username_str keyword is available when upload
> is enabled.

Example

256 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 9 LOG

This example shows how to set the report output to HTML and
PDF formats.
config log report output
set output file html pdf
end
Related topics
report definition
report filter
report period
report schedule
report scope
report selection

Report Period
Use this command to select the time span for the report period
or select a specific time frame. When the Usla unit generates the
report, it uses the log data found within the specified time period
only.
Syntax
config log report period
set type {last-14-days | last-2-weeks |last-30-days | last-7-
days|last-month | last-n-days | last-n-hours | last-n-weeks | last-
quarter | last week | other | this-month | this-quarter | this-week |
this-year | today | yesterday}
end

TABLE 61 REPORT PERIOD SETTING

Keywords and variables Description Default

type {last-14-days | Select a time period last-7- days
last-2-weeks |last-30- days | for the report. This
last-7-days |last- month | command is required
last-n-days | before entering the
end and start date
last-n-hours | last-n- weeks |
for the report period.
last-quarter | last week |
The end and start
other | this- month | this-
date will not appear
quarter | this-week | this-
unless a type is
year | today | yesterday}
selected.

Example
This example shows how to set the reporting period to the
previous weeks data.
config log report period

Confidential and Proprietary Information of ZTE CORPORATION 257

ZXSEC US CLI Reference Guide

set type last-week

end
Related topics
report definition
report filter
report output
report schedule
report scope
report selection

Report Schedule
Use this command to set a schedule when the Usla unit
generates the reports.
Syntax
config log report schedule
set type {daily | dates | days | none}
set dates {1-31}
set days {mon | tue | wed | thu | fri | sat |sun}
set time <hh:mm>
end

TABLE 62 REPORT SCHEDULE SETTING

Keywords and Description Default

variables
type {daily | Select when the Usla unit initiates none
dates | the report. With a selection of
days | none} none, the Usla administrator must
start the report manually from the
Usla unit.
dates {1-31} Select the days of the month when No default
the Usla unit runs the report.
Separate multiple dates with a
space.
For example, set dates 1 15 30.
days {mon | Select the days of the week when No default
tue | wed | the Usla unit runs the report.
thu | fri | sat Separate multiple dates with a
|sun} space.
For example, set days mon wed.
time <hh:mm> Select the time of the day when 00:00
the Usla unit runs the report.

258 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 9 LOG

Example
This example shows how to set the report to run every Monday
at 9:56.
config log report schedule
set type days
set days mon set time 09:56
end
Related topics
report definition
report filter
report output
report period
report scope
report selection

Report Scope
Use this command to select the type of results you would like to
include in the report.
Syntax
config log report scope
set audit <integer>
set exclude-summary {enable |disable}
set include-nodata {enable | disable}
set include-summary {enable | disable}
set include-table-of-content {enable | disable}
set obfuscate-user {enable | disable}
set resolve-host {enable | disable}
set resolve-service {enable | disable}
set result {all} set top1 {1-30}
set top2 {1-30}
end

TABLE 63 REPORT SCOPE SETTING

Keywords and Description Default

variables
audit <integer> Enter a number from 1 to 10000 100
to display the top number of
values in all audit reports.

Confidential and Proprietary Information of ZTE CORPORATION 259

ZXSEC US CLI Reference Guide

Keywords and Description Default

variables
exclude- Enable to exclude summary enable
summary information in the report.
{enable
|disable}
include-nodata Enable to include no summary disable
{enable | information in the report.
disable}
include- Enable to include the summary disable
summary information in the report.
{enable |
disable}
include-table- Enable to include the table of disable
of-content contents in the report.
{enable |
disable}
obfuscate-user Enable to include obfsucate user disable
{enable | group names in the report.
disable}
resolve-host Enable or disable the report to disable
{enable | include actual user names
disable} rather than IP addresses. IP
aliases must be configured on the
Usla unit. For example, User One
instead of
10.10.10.1
resolve-service Enable or disable the report to disable
{enable | include names rather than port
disable} numbers. For example, HTTP
instead of port 80.
result {all} Set to include the results for all all
virtual domains
top1 {1-30} For some report types, you can set 6
the top ranked items for the
report. These reports have “Top”
in their name, and will always
show only the top number of
entries. For example, report on the
most active mail clients within the
organization rather than all mail
clients. Enter the value for the first
“top” results.
Reports that do not include “Top”
in their name will always show all
information. Changing the values
for top field will not affect these
reports.
top2 {1-30} For some report types, you can set 3
the top ranked items for the
report. These reports have “Top”

260 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 9 LOG

Keywords and Description Default

variables
in their name, and will always
show only the top number of
entries. For example, report on the
most active mail clients within the
organization rather than all mail
clients. Enter the value for the
second “top” results.
Reports that do not include “Top”
in their name will always show all
information. Changing the values
for top field will not affect these
reports.

Example
This example shows how to set the resolving of the host and
service names in the report.
config log report scope
set resolve-host enable
set resolve-service enable
end
Related topics
report definition
report filter
report output
report period
report schedule
report selection

Report Selection
Use this command to select the reports to include within the
report profile.
Syntax
config log report selection
set selection <report_category> [<report> <report>...]
end
For a list of report categories and reports, see the list in the
command line interface.

Confidential and Proprietary Information of ZTE CORPORATION 261

ZXSEC US CLI Reference Guide

TABLE 64 REPORT SELECTION SETTING

Keywords and Description Default

variables
selection Select the report types to include. No default
<report_catego
ry>
[<report>
<report>...]

Example
This example shows how to set the network activity report.
config log report selection
set network-activity net-date-dir net-dir
end
Related topics
report definition
report filter
report output
report period
report schedule
report scope

Report Summary-layout
Use this command to customize the summary reports.
Syntax
config log report summary-layout
set summary-column {1 | 2 | 3 | 4}
config summary-reports
edit name <sum_category> [<sum_report> <sum_report>...]
set order <integer>
set style {bar | line | pie}
set topN <integer>
end
end

TABLE 65 REPORT SUMM ARY-LAYOUT SETTING

Keywords and Description Default

variables
summary- Select a number for the number of 2

262 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 9 LOG

Keywords and Description Default

variables
column columns included in the summary
{1 | 2 | 3 | 4} layout.

summary- Enter to configure and edit No default

reports summary reports.
name Select a report name to configure No default.
<sum_category and edit. Enter enter name to view
> all summary reports so you can
[<sum_report> choose which one to configure and
edit.
<sum_report>.
..]
order Enter a number to specify the 100
<integer> display order of query in report.
style {bar | line Select the style for the summary pie
| pie} report.
topN <integer> Enter a number to show the top 1-10
values of the first variable in
Ranked Reports. The maximum
value is 100.

Example
In this example, the number of columns in the summary layout
is three. There are four summary reports included in this report,
the summary protocol distribution, total viruses detected, total
spam activity, and total web filter activity. The summary report,
total viruses detected, will come first and all summary reports
will be pie charts.
config log report summary-layout set summary-column 3
config summary-reports edit name sum-proto
set order 4
set style column set topN 5
next
edit name sum-tv set order 1
set style bar set topN 5
next
edit name sum-mf set order 2
set style line set topN 5
next
edit name sum-wf
set order 3 set style pie
set topN 5
end
end

Confidential and Proprietary Information of ZTE CORPORATION 263

ZXSEC US CLI Reference Guide

Related topics
report definition
report filter
report output
report period
report schedule
report scope

264 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 10 LOG

Chapter 10

Notification (US Carrier)

Overview
This chapter covers the commands to configure event notification. This
chapter contains the following sections:
Notification

Notification
Use this command to configure event notification.
Syntax
config notification
set maximum-retries <integer>
set maximum-sessions <integer>
set mem-percent <integer>
end

TABLE 66 NOTIFICATION SETTING

Variables Description Default

maximum- Enter the maximum number of 20
retries retries allowed for each
<integer> notification message.
maximum- Enter the maximum number of 2048
sessions simultaneous sessions with the
<integer> MMSC.
mem-percent Enter the percentage of memory 5
<integer> the notification cache is allowed to
use.

This page is intentionally blank.

Confidential and Proprietary Information of ZTE CORPORATION 265

ZXSEC US CLI Reference Guide

This page is intentionally blank.

266 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11

Router

Overview
Routers move packets from one network segment to another
towards a network destination. When a packet reaches a router,
the router uses data in the packet header to look up a suitable
route on which to forward the packet to the next segment. The
information that a router uses to make routing decisions is
stored in a routing table. Other factors related to the availability
of routes and the status of the network may influence the route
selection that a router makes when forwarding a packet to the
next segment.
The ZXSEC US unit supports many advanced routing functions
and is compatible with industry standard Internet routers. The
ZXSEC US unit can communicate with other routers to determine
the best route for a packet.
The following router commands are available to configure
options related to ZXSEC US unit router communications and
packet forwarding:
access-list
aspath-list
auth-path
bgp
community-list
key-chain
multicast
ospf
policy
prefix-list
rip
route-map

Confidential and Proprietary Information of ZTE CORPORATION 267

ZXSEC US CLI Reference Guide

static
static6

Access-list
Use this command to add, edit, or delete access lists. Access
lists are filters used by ZXSEC US unit routing processes. For an
access list to take effect, it must be called by a ZXSEC US unit
routing process (for example, a process that supports RIP or
OSPF).
Each rule in an access list consists of a prefix (IP address and
netmask), the action to take for this prefix (permit or deny), and
whether to match the prefix exactly or to match the prefix and
any more specific prefix.

Note:
The default route, 0.0.0.0/0 can not be exactly matched with an
access-list. A prefix-list must be used for this purpose. See
“prefix-list”.
The ZXSEC US unit attempts to match a packet against the rules
in an access list starting at the top of the list. If it finds a match
for the prefix, it takes the action specified for that prefix. If no
match is found the default action is deny.
Syntax
config router access-list edit <access_list_name> set comments
<string>
config rule
edit <access_list_id>
set action {deny | permit}
set exact-match {enable | disable}
set prefix { <prefix_ipv4mask> | any }
set wildcard <address_ipv4> <wildcard_mask>
end
end

Note:
The action and prefix keywords are required. The exact-match
keyword is optional.

T AB L E 6 7 AC C E S S -L I S T S ET T I N G

Variables Description Default

maximum- Enter the maximum number of 20

268 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

Variables Description Default

retries retries allowed for each
<integer> notification message.
edit Enter a name for the access list. No default.
<access_list_na An access list and a prefix list
me> cannot have the same name.
comments Enter a descriptive comment. The No default.
<string> max length is 127 characters.
config rule variables
edit Enter an entry number for the No default.
<access_list_id rule. The number must be an
> integer.
action {deny | Set the action to take for this permit
permit} prefix.
exact-match By default, access list rules are disable
{enable | matched on the prefix or any more
disable} specific prefix. Enable exact-match
to match only the configured
prefix.
prefix { Enter the prefix for this access list any
<prefix_ipv4ma rule, either:
sk> | any } Type the IP address and
network mask.
Type any to match any prefix.

wildcard Enter the IP address and reverse No default.

<address_ipv4 (wildcard) mask to process. The
> value of the mask (for example,
<wildcard_mas 0.0.255.0) determines which
k> address bits to match. A value of 0
means that an exact match is
required, while a binary value of 1
indicates that part of the binary
network address does not have to
match. You can specify
discontinuous masks (for example,
to process “even” or “odd”
networks according to any network
address octet).
For best results, do not specify a
wildcard attribute unless prefix is
set to any.

Example
This example shows how to add an access list named acc_list1
with two rules. The first rule denies the subnet that exactly
matches the prefix 192.168.50.0 255.255.255.0 and permits all
other subnets that match the prefix 192.168.0.0 255.255.0.0.
config router access-list
edit acc_list1
config rule

Confidential and Proprietary Information of ZTE CORPORATION 269

ZXSEC US CLI Reference Guide

edit 1
set prefix 192.168.50.0 255.255.255.0
set action deny
set exact-match enable
next
edit 2
set prefix 192.168.0.0 255.255.0.0
set action permit
set exact-match disable
end
end
The next example shows how to add an access list that permits
all subnets matching network address 10.20.4.1 through
10.20.4.255 (addresses 10.20.4.x are processed):
config router access-list
edit acc_list2
config rule
edit 1
set action permit
set wildcard 10.20.4.0 0.0.0.255
end
end
The next example shows how to add an access list that permits
“odd” subnets according to the third- octet of network address
172.16.x.0 (networks 172.16.1.0, 172.16.3.0, 172.16.5.0, and
so on are processed):
config router access-list
edit acc_list3
config rule edit 1
set action permit
set wildcard 172.16.1.0 0.0.254.0
end
Related topics
router ospf
router prefix-list
router rip

270 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

Aspath-list
Use this command to set or unset BGP AS-path list parameters.
By default, BGP uses an ordered list of Autonomous System (AS)
numbers to describe the route that a packet takes to reach its
destination.
A list of AS numbers is called an AS path. You can filter BGP
routes using AS path lists.
When the ZXSEC US unit receives routing updates from other
autonomous systems, it can perform operations on updates from
neighbors and choose the shortest path to a destination. The
shortest path is determined by counting the number of AS
numbers in the AS path. The path that has the least number of
AS numbers is considered the shortest AS path.
Use the config router aspath-list command to define an access
list that examines the AS_PATH attributes of BGP routes to
match routes. Each entry in the AS-path list defines a rule for
matching and selecting routes based on the setting of the
AS_PATH attribute. The default rule in an AS path list (which the
ZXSEC US unit applies last) denies the matching of all routes.
Syntax
config router aspath-list
edit <aspath_list_name>
config rule
edit <as_rule_id>
set action {deny | permit}
set regexp <regexp_str>
end
end

Note:
The action and regexp keywords are required.

T AB L E 6 8 AS P AT H -L I S T S E T T I N G

Variables Description Default

edit Enter a name for the AS path list. No default.
<aspath_list_na
me>
config rule variables
edit Enter an entry number for the No default.
<as_rule_id> rule. The number must be an
integer.
action {deny | Deny or permit operations on a No default.
permit} route based on the value of the

Confidential and Proprietary Information of ZTE CORPORATION 271

ZXSEC US CLI Reference Guide

Variables Description Default

route’s AS_PATH attribute.
regexp Specify the regular expression that Null.
<regexp_str> will be compared to the
AS_PATH attribute (for example,
^730$).
The value is used to match AS
numbers. Delimit a complex
regexp_str value using double-
quotation marks.

Example
This example shows how to create an AS-path list named
ebgp_in. The list contains a single rule that permits operations
on BGP routes whose AS_PATH attribute references an AS
number of 333, 334, 338, or 71. The AS path list will match
routes that originate in AS 333, AS 334, AS 338, or AS 71.
config router aspath-list
edit ebgp_in
config rule edit 1
set action permit
set regexp _(333|334|338|71)$
end
end
Related topics
router bgp
router community-list
Using route maps with BGP
router key-chain

Auth-path
Authentication based routing allows firewall policies to direct
network traffic flows.
This command configures a RADIUS object on your ZXSEC US
unit. The same object is required to be configured on the
RADIUS server.
To configure authentication based routing on your ZXSEC US
unit
1. Configure your ZXSEC US unit to communicate with a
RADIUS authentication server.
2. Configure a user that uses the RADIUS server.

272 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

3. Add that user to a user group configured to use the RADIUS

server.
4. Configure the router auth-path object.
5. Configure a custom service for RADIUS traffic.
6. Configure a service group that includes RADIUS traffic along
with other types of traffic that will be allowed to pass
through the firewall.
7. Configure a firewall policy that has route based
authentication enabled.
The USnet Knowledge Center has an article on authentication
based routing that provides a sample configuration for these
steps.

Note:
The auth-path command is not available when the ZXSEC US
unit is in Transparent mode.
Syntax
config router auth-path
edit <aspath_list_name>
set device <interface>
set gateway <gway_ipv4>
end

T AB L E 6 9 AU T H -P AT H S E T T I N G

Variables Description Default

edit Enter a name for the No default.
<auth_path_na authentication path.
me>
device Specify the interface for this path. No default.
<interface>
gateway Specify the gateway IP address for Null.
<gway_ipv4> this path.

Example
This example shows how to configure an auth-path object called
auth_route that routes traffic over the dmz interface using
172.20.120.4. These settings also need to be configured on the
RADIUS server used to authenticate.
config router auth-path
edit auth_route
set device dmz
set gateway 172.20.120.4
next

Confidential and Proprietary Information of ZTE CORPORATION 273

ZXSEC US CLI Reference Guide

end
Related topics
user local
user radius
firewall policy, policy6

BGP
Use this command to set or unset BGP-4 routing parameters.
BGP can be used to perform Classless Interdomain Routing
(CIDR) and to route traffic between different autonomous
systems or domains using an alternative route if a link between
a ZXSEC US unit and a BGP peer (such as an ISP router) fails.
USnet BGP-4 complies with RFC 1771 and supports IPv4
addressing.
When BGP is enabled, the ZXSEC US unit sends routing table
updates to the upstream ISP router whenever any part of the
routing table changes. The update advertises which routes can
be used to reach the ZXSEC US unit. In this way, routes are
made known from the border of the internal network outwards
(routes are pushed forward) instead of relying on upstream
routers to propagate alternative paths to the ZXSEC US unit.
ZXSEC US unit BGP supports the following extensions to help
manage large numbers of BGP peers:
Communities — The ZXSEC US unit can set the COMMUNITY
attribute of a route to assign the route to predefined paths
(see RFC 1997). The ZXSEC US unit can examine the
COMMUNITY attribute of learned routes to perform local
filtering and/or redistribution.
Internal BGP (IBGP) route reflectors — The ZXSEC US unit
can operate as a route reflector or participate as a client in a
cluster of IBGP peers (see RFC 1966).
External BGP (EBGP) confederations — The ZXSEC US unit
can operate as a confederation member, using its AS
confederation identifier in all transactions with peers that are
not members of its confederation (see RFC 3065).
Bi-directional Forwarding Detection (BFD) is a protocol used by
BGP and OSPF. It is used to quickly locate hardware failures in
the network. Routers running BFD communicate with each other,
and if a timer runs out on a connection then that router is
declared down. BFD then communicates this information to the
routing protocol and the routing information is updated. BFD
support was added in US v3.0 MR4, and can only be configured
through the CLI.
Syntax
config router bgp

274 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

set always-compare-med {enable | disable}

set as <local_as_id>
set bestpath-as-path-ignore {enable | disable}
set bestpath-cmp-confed-aspath {enable | disable}
set bestpath-cmp-routerid {enable | disable}
set bestpath-med-confed {enable | disable}
set bestpath-med-missing-as-worst {enable | disable}
set client-to-client-reflection {enable | disable}
set cluster-id <address_ipv4>
set confederation-identifier <peerid_integer>
set dampening {enable | disable}
set dampening-max-suppress-time <minutes_integer>
set dampening-reachability-half-life <minutes_integer>
set dampening-reuse <reuse_integer>
set dampening-route-map <routemap-name_str>
set dampening-suppress <limit_integer>
set dampening-unreachability-half-life <minutes_integer>
set default-local-preference <preference_integer>
set deterministic-med {enable | disable}
set distance-external <distance_integer>
set distance-internal <distance_integer>
set distance-local <distance_integer>
set enforce-first-as {enable | disable}
set fast-external-failover {enable | disable}
set graceful_restart {enable | disable}
set holdtime-timer <seconds_integer>
set ignore_optional_capability {enable | disable}
set keep-alive-timer <seconds_integer>
set log-neighbor-changes {enable | disable}
set network-import-check {enable | disable}
set router-id <address_ipv4>
set scan-time <seconds_integer>
set synchronization {enable | disable}
config admin-distance
edit <route_entry_id>
set distance <integer>
set neighbor-prefix <ip_and_netmask>
set route-list <string>

Confidential and Proprietary Information of ZTE CORPORATION 275

ZXSEC US CLI Reference Guide

end
config aggregate-address
edit <aggr_addr_id>
set as-set {enable | disable}
set prefix <address_ipv4mask>
set summary-only {enable | disable}
end
config neighbor
edit <neighbor_address_ipv4>
set activate {enable | disable}
set advertisement-interval <seconds_integer>
set allowas-in <max_num_AS_integer>
set allowas-in-enable {enable | disable}
set attribute-unchanged [as-path] [med] [next-hop]
set bfd {enable | disable}
set capability-default-originate {enable | disable}
set capability-dynamic {enable | disable}
set capability-graceful-restart {enable | disable}
set capability-orf {both | none | recieve | send}
set capability-route-refresh {enable | disable}
set connect-timer <seconds_integer>
set description <text_str>
set distribute-list-in <access-list-name_str>
set distribute-list-out <access-list-name_str>
set dont-capability-negotiate {enable | disable}
set ebgp-enforce-multihop {enable | disable}
set ebgp-multihop-ttl <seconds_integer>
set filter-list-in <aspath-list-name_str>
set filter-list-out <aspath-list-name_str>
set holdtime-timer <seconds_integer>
set interface <interface-name_str>
set keep-alive-timer <seconds_integer>
set maximum-prefix <prefix_integer>
set maximum-prefix-threshold <percentage_integer>
set maximum-prefix-warning-only {enable | disable}
set next-hop-self {enable | disable}
set override-capability {enable | disable}
set passive {enable | disable}

276 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

set prefix-list-in <prefix-list-name_str>

set prefix-list-out <prefix-list-name_str>
set remote-as <id_integer>
set remove-private-as {enable | disable}
set retain-stale-time <seconds_integer>
set route-map-in <routemap-name_str>
set route-map-out <routemap-name_str>
set route-reflector-client {enable | disable}
set route-server-client {enable | disable}
set send-community {both | disable | extended | standard}
set shutdown {enable | disable}
set soft-reconfiguration {enable | disable}
set strict-capability-match {enable | disable}
set unsuppress-map <route-map-name_str>
set update-source <interface-name_str>
set weight <weight_integer>
end
config network
edit <network_id>
set backdoor {enable | disable}
set prefix <address_ipv4mask>
set route-map <routemap-name_str>
end
config redistribute {connected | static | rip | ospf}
set status {enable | disable}
set route-map <route-map-name_str>
end
end

Config Router BGP

Use this command to enable a Border Gateway Protocol version
4 (BGP-4) process on the ZXSEC US unit, define the interfaces
making up the local BGP network (see “config network”), and set
operating parameters for communicating with BGP neighbors
(see “config neighbor”).
When multiple routes to the ZXSEC US unit exist, BGP attributes
determine the best route and the ZXSEC US unit communicates
this information to its BGP peers. The best route is added to the

Confidential and Proprietary Information of ZTE CORPORATION 277

ZXSEC US CLI Reference Guide

IP routing table of the BGP peer, which in turn propagates this

updated routing information to upstream routers.
ZXSEC US units maintain separate entries in their routing tables
for BGP routes. See “Using route maps with BGP”. To reduce the
size of the BGP routing table and conserve network resources,
you can optionally aggregate routes to the ZXSEC US unit. An
aggregate route enables the ZXSEC US unit to advertise one
block of contiguous IP addresses as a single, less-specific
address. You can implement aggregate routing either by
redistributing an aggregate route (see “config redistribute”) or
by using the conditional aggregate routing feature (see “config
aggregate-address”).

Note:
In the following table, the as and router-id keywords are
required. All other keywords are optional.

distance- This keyword is available when 200
internal distance-external is set. Set the
<distance_integ administrative distance of IBGP
er> routes. The range is from 1 to
255.
distance-local This keyword is available when 200
<distance_integ distance-external is set. Set the
er> administrative distance of local
BGP routes. The range is from 1 to
255.
enforce-first-as Enable or disable the addition of disable
{enable | routes learned from an EBGP peer
disable} when the AS number at the
beginning of the route’s AS_PATH
attribute does not match the AS
number of the EBGP peer.
fast-external- Immediately reset the session enable
failover information associated with
{enable | BGP external peers if the link used
disable} to reach them goes down.
graceful_restart Graceful restart capability limits disable
{enable | the effects of software problems
disable} by allowing forwarding to continue
when the control plane of the
router fails. It also reduces routing
flaps by stabilizing the network.
holdtime-timer The maximum amount of time (in 240
<seconds_integ seconds) that may expire before
er> the ZXSEC US unit declares any
BGP peer down. A keepalive
message must be received every
seconds_integer seconds, or the
peer is declared down. The value
can be 0 or an integer in the 3 to
65535 range.
ignore_optional Don’t send unknown optional disable
_capabilit y capability notification message.
{enable |
disable}
keep-alive- The frequency (in seconds) that a 60
timer keepalive message is sent from
<seconds_integ the ZXSEC US unit to any BGP
er> peer. The range is from 0 to
65535. BGP peers exchange
keepalive messages to maintain
the connection for the duration of
the session.
log-neighbor- Enable or disable the logging of disable
changes changes to BGP neighbor status.
{enable |
disable}
network- Enable or disable the advertising enable

Confidential and Proprietary Information of ZTE CORPORATION 281

ZXSEC US CLI Reference Guide

Variables Description Default

import-check of the BGP network in IGP (see
{enable | “config network”).
disable}
router-id Specify a fixed identifier for the 0.0.0.0
<address_ipv4 ZXSEC US unit. A value of 0.0.0.0
> is not allowed.
scan-time Configure the background scanner 60
<seconds_integ interval (in seconds) for next-hop
er> route scanning. The range is from
5 to 60.
synchronization Only advertise routes from iBGP if disable
{enable | routes are present in an interior
disable} gateway protocol (IGP) such as
RIP or OSPF.

Example
The following example defines the number of the AS of which
the ZXSEC US unit is a member. It also defines an EBGP
neighbor at IP address 10.0.1.2.
config router bgp
set as 65001
set router-id 172.16.120.20
config neighbor edit 10.0.1.2
set remote-as 65100
end
end

Config Admin-Distance
Use this subcommand to set administrative distance
modifications for bgp routes.

TABLE 71 CONFIG ADMIN-DISTANCE SETTING

Variables Description Default

To advertise unchanged
MULTI_EXIT_DISC attributes,
select med.
To advertise the IP address of
the next-hop router interface
(even when the address has
not changed), select next-hop.
An empty set is a supported value.
bfd {enable | Enable to turn on Bi-Directional disable
disable} Forwarding Detection (BFD) for
this neighbor. This indicates that
this neighbor is using BFD.
capability- Enable or disable the advertising disable
default- of the default route to BGP
originate neighbors.
{enable |
disable}
capability- Enable or disable the advertising disable
dynamic of dynamic capability to BGP
{enable | neighbors.
disable}
capability- Enable or disable the advertising disable
graceful-restart of graceful-restart capability to
{enable | BGP neighbors.
disable}
capability-orf Enable or disable the advertising disable
{both | none | of Outbound Routing Filter (ORF)
receive | send} prefix-list capability to the BGP
neighbor.
To enable send and receive
capability, select both.
To enable receive capability,
select receive.
To enable send capability,
select send.
To disable the advertising of
ORF prefix-list capability,
select none.

capability-orf Accept/Send outbound router filter none

{both | none | (ORF) lists to/from this neighbor:
recieve | send}
both - both accept and send
ORF lists
none - do not accept or send
ORF lists
recieve - only accept ORF lists
send - only send ORF lists

{enable | the BGP neighbor.
disable}
soft- Enable or disable the ZXSEC US disable
reconfiguration unit to store unmodified updates
{enable | from the BGP neighbor to support
disable} inbound

Confidential and Proprietary Information of ZTE CORPORATION 289

ZXSEC US CLI Reference Guide

Variables Description Default

soft-reconfiguration.
strict- Enable or disable strict-capability disable
capability- negotiation matching with the BGP
match neighbor.
{enable |
disable}
unsuppress- Specify the name of the route-map Null.
map to selectively unsuppress
<route-map- suppressed routes. You must
name_str> create the route-map before it can
be selected here. See “route-
map” and “Using route maps with
BGP”.
update-source Specify the name of the local Null.
<interface- ZXSEC US unit interface to use for
name_str> TCP connections to neighbors. The
IP address of the interface will be
used as the source address for
outgoing updates.
weight Apply a weight value to all routes unset
<weight_intege learned from a neighbor. A higher
r> number signifies a greater
preference. The range is from 0 to
65535.

Example
This example shows how to set the AS number of a BGP
neighbor at IP address 10.10.10.167 and enter a descriptive
name for the configuration.
config router bgp
config neighbor
edit 10.10.10.167
set remote-as 2879
set description BGP_neighbor_Site1
end
end

Config Network
Use this subcommand to set or unset BGP network configuration
parameters. The subcommand is used to advertise a BGP
network (that is, an IP prefix)—you specify the IP addresses
making up the local BGP network.
When you enable the network-import-check attribute on the
ZXSEC US unit (see “network- import-check {enable | disable})
and you specify a BGP network prefix through the config
network command, the ZXSEC US unit searches its routing table

290 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

for a matching entry. If an exact match is found, the prefix is

advertised. A route-map can optionally be used to modify the
attributes of routes before they are advertised.

Note:
The prefix keyword is required. All other keywords are optional.

TABLE 73 CONFIG NETWORK SETTING

Variables Description Default

edit Enter an ID number for the entry. No default.
<network_id> The number must be an integer.
backdoor Enable or disable the route as a disable
{enable | backdoor, which causes an
disable} administrative distance of 200 to
be assigned to the route. Backdoor
routes are not advertised to EBGP
peers.
prefix Enter the IP address and netmask 0.0.0.0
<address_ipv4 that identifies the BGP network to 0.0.0.0
mask> advertise.
route-map Specify the name of the route-map Null.
<routemap- that will be used to modify the
name_str> attributes of the route before it is
advertised. You must create the
route-map before it can be
selected here. See “route-map”
and “Using route maps with BGP”.

Example
This example defines a BGP network at IP address 10.0.0.0/8. A
route map named BGP_rmap1 is used to modify the attributes of
the local BGP routes before they are advertised.
config router bgp
config network
edit 1
set prefix 10.0.0.0/8
set route-map BGP_rmap1
end
end
config router route-map
edit BGP_rmap1
config rule edit 1
set set-community no-export end
end

Confidential and Proprietary Information of ZTE CORPORATION 291

ZXSEC US CLI Reference Guide

Config Redistribute
Use this subcommand to set or unset BGP redistribution table
parameters. You can enable BGP to provide connectivity
between connected, static, RIP, and/or OSPF routes. BGP
redistributes the routes from one protocol to another. When a
large internetwork is divided into multiple routing domains, use
the subcommand to redistribute routes to the various domains.
As an alternative, you can use the config network subcommand
to advertise a prefix to the BGP network (see “config network”).
The BGP redistribution table contains four static entries. You
cannot add entries to the table. The entries are defined as
follows:
connected—Redistribute routes learned from a direct
connection to the destination network.
static—Redistribute the static routes defined in the ZXSEC US
unit routing table.
rip—Redistribute routes learned from RIP.
ospf—Redistribute routes learned from OSPF.
When you enter the subcommand, end the command with one of
the four static entry names (that is, config redistribute
{connected | static | rip | ospf}).

Note:
The status and route-map keywords are optional.

TABLE 74 CONFIG REDISTRIBUTE SETTING

Variables Description Default

status {enable | Enable or disable the redistribution disable
disable} of connected, static, RIP, or
OSPF routes.
route-map Specify the name of the route map Null.
<route-map- that identifies the routes to
name_str> redistribute. You must create the
route map before it can be
selected here. See “route-map”
and “Using route maps with BGP”.
If a route map is not specified, all
routes are redistributed to BGP.

Example
The following example changes the status and route-map fields
of the connected entry.
config router bgp
config redistribute connected
set status enable

292 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

set route-map rmap1

end
end
Related topics
router aspath-list
router community-list
Using route maps with BGP
router key-chain

Community-list
Use this command to identify BGP routes according to their
COMMUNITY attributes (see RFC 1997). Each entry in the
community list defines a rule for matching and selecting routes
based on the setting of the COMMUNITY attribute. The default
rule in a community list (which the ZXSEC US unit applies last)
denies the matching of all routes.
You add a route to a community by setting its COMMUNITY
attribute. A route can belong to more than one community. A
route may be added to a community because it has something in
common with the other routes in the group (for example, the
attribute could identify all routes to satellite offices).
When the COMMUNITY attribute is set, the ZXSEC US unit can
select routes based on their COMMUNITY attribute values.
Syntax
config router community-list
edit <community_name>
set type {standard | expanded}
config rule
edit <community_rule_id>
set action {deny | permit}
set match <criteria>
set regexp <regular_expression>
end
end

ZXSEC US CLI Reference Guide

config router key-chain

edit test1
config key
edit 1
set accept-lifetime 10:00:00 1 6 2004 46800
set send-lifetime 10:00:00 1 6 2004 46800
set key-string 1a2b2c4d5e6f7g8h next
edit 2
set accept-lifetime 22:00:00 1 6 2004 46800
set send-lifetime 22:00:00 1 6 2004 46800
set key-string 9i1j2k3l4m5n6o7p next
edit 3
set accept-lifetime 10:00:00 2 6 2004 infinite
set send-lifetime 10:00:00 2 6 2004 infinite
set key-string 123abc456def789g
end
end
Related topics
router rip
system global

Multicast
A ZXSEC US unit can operate as a Protocol Independent
Multicast (PIM) version 2 router in the root virtual domain.
ZXSEC US units support PIM sparse mode (RFC 4601) and PIM
dense mode (RFC 3973) and can service multicast servers or
receivers on the network segment to which a ZXSEC US unit
interface is connected. Multicast routing is only available in the
root virtual domain. It is not supported in Transparent mode (TP
mode).

Note:
To support PIM communications, the sending/receiving
applications and all connecting PIM routers in between must be
enabled with PIM version 2. PIM can use static routes, RIP, OSPF,
or BGP to forward multicast packets to their destinations. To
enable source-to-destination packet delivery, either sparse mode
or dense mode must be enabled on the PIM-router interfaces.
Sparse mode routers cannot send multicast messages to dense
mode routers. In addition, if a ZXSEC US unit is located between
a source and a PIM router, two PIM routers, or is connected

298 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

directly to a receiver, you must create a firewall policy manually

to pass encapsulated (multicast) packets or decapsulated data
(IP traffic) between the source and destination.
A PIM domain is a logical area comprising a number of
contiguous networks. The domain contains at
least one Boot Strap Router (BSR), and if sparse mode is
enabled, a number of Rendezvous Points
(RPs) and Designated Routers (DRs). When PIM is enabled on a
ZXSEC US unit, the ZXSEC US unit can perform any of these
functions at any time as configured.

Sparse Mode
Initially, all candidate BSRs in a PIM domain exchange bootstrap
messages to select one BSR to
which each RP sends the multicast address or addresses of the
multicast group(s) that it can service. The selected BSR chooses
one RP per multicast group and makes this information available
to all of the PIM routers in the domain through bootstrap
messages. PIM routers use the information to build packet
distribution trees, which map each multicast group to a specific
RP. Packet distribution trees may also contain information about
the sources and receivers associated with particular multicast
groups.

Note:
When a ZXSEC US unit interface is configured as a multicast
interface, sparse mode is enabled on it by default to ensure that
distribution trees are not built unless at least one downstream
receiver requests multicast traffic from a specific source. If the
sources of multicast traffic and their receivers are close to each
other and the PIM domain contains a dense population of active
receivers, you may choose to enable dense mode throughout the
PIM domain instead.
An RP represents the root of a non-source-specific distribution
tree to a multicast group. By joining and pruning the information
contained in distribution trees, a single stream of multicast
packets (for example, a video feed) originating from the source
can be forwarded to a certain RP to reach a multicast destination.
Each PIM router maintains a Multicast Routing Information Base
(MRIB) that determines to which neighboring PIM router join and
prune messages are sent. An MRIB contains reverse-path
information that reveals the path of a multicast packet from its
source to the PIM router that maintains the MRIB.
To send multicast traffic, a server application sends IP traffic to
a multicast group address. The locally elected DR registers the
sender with the RP that is associated with the target multicast

Confidential and Proprietary Information of ZTE CORPORATION 299

ZXSEC US CLI Reference Guide

group. The RP uses its MRIB to forward a single stream of IP

packets from the source to the members of the multicast group.
The IP packets are replicated only when necessary to distribute
the data to branches of the RP’s distribution tree.
To receive multicast traffic, a client application can use Internet
Group Management Protocol (IGMP) version 1 (RFC 1112), 2
(RFC 2236), or 3 (RFC 3376) control messages to request the
traffic for a particular multicast group. The locally elected DR
receives the request and adds the host to the multicast group
that is associated with the connected network segment by
sending a join message towards the RP for the group. Afterward,
the DR queries the hosts on the connected network segment
continually to determine whether the hosts are active. When the
DR no longer receives confirmation that at least one member of
the multicast group is still active, the DR sends a prune message
towards the RP for the group.

Dense Mode
The packet organization used in sparse mode is also used in
dense mode. When a multicast source begins to send IP traffic
and dense mode is enabled, the closest PIM router registers the
IP traffic from the multicast source (S) and forwards multicast
packets to the multicast group address (G). All PIM routers
initially broadcast the multicast packets throughout the PIM
domain to ensure that all receivers that have requested traffic
for multicast group address G can access the information if
needed.
To forward multicast packets to specific destinations afterward,
the PIM routers build distribution trees based on the information
in multicast packets. Upstream PIM routers depend on
prune/graft messages from downstream PIM routers to
determine if receivers are actually present on directly connected
network segments. The PIM routers exchange state refresh
messages to update their distribution trees. ZXSEC US units
store this state information in a Tree Information Base (TIB),
which is used to build a multicast forwarding table. The
information in the multicast forwarding table determines
whether packets are forwarded downstream. The forwarding
table is updated whenever the TIB is modified.
PIM routers receive data streams every few minutes and update
their forwarding tables using the source (S) and multicast group
(G) information in the data stream. Superfluous multicast traffic
is stopped by PIM routers that do not have downstream
receivers — PIM routers that do not manage multicast groups
send prune messages to the upstream PIM routers. When a
receiver requests traffic for multicast address G, the closest PIM
router sends a graft message upstream to begin receiving
multicast packets.

300 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

Syntax
config router multicast
set igmp-state-limit <limit_integer>
set multicast-routing {enable | disable}
set route-limit <limit_integer>
set route-threshold <threshold_integer>
config interface
edit <interface_name>
set cisco-exclude-genid {enable | disable}
set dr-priority <priority_integer>
set hello-holdtime <holdtime_integer>
set hello-interval <hello_integer>
set neighbour-filter <access_list_name>
set passive {enable | disable}
set pim-mode {sparse-mode | dense-mode}
set propagation-delay <delay_integer>
set rp-candidate {enable | disable}
set rp-candidate-group <access_list_name>
set rp-candidate-interval <interval_integer>
set rp-candidate-priority <priority_integer>
set state-refresh-interval <refresh_integer>
set ttl-threshold <ttl_integer>
end
config join-group
edit address <address_ipv4>
end
config igmp
set access-group <access_list_name>
set immediate-leave-group <access_list_name>
set last-member-query-count <count_integer>
set last-member-query-interval <interval_integer>
set query-interval <interval_integer>
set query-max-response-time <time_integer>
set query-timeout <timeout_integer>
set router-alert-check { enable | disable }
set version {1 | 2 | 3}

Confidential and Proprietary Information of ZTE CORPORATION 301

ZXSEC US CLI Reference Guide

end
end
config pim-sm-global
set accept-register-list <access_list_name>
set bsr-allow-quick-refresh {enable | disable}
set bsr-candidate {enable | disable}
set bsr-priority <priority_integer>
set bsr-interface <interface_name>
set bsr-hash <hash_integer>
set cisco-register-checksum {enable | disable}
set cisco-register-checksum-group <access_list_name>
set cisco-crp-prefix {enable | disable}
set cisco-ignore-rp-set-priority {enable | disable}
set message-interval <interval_integer>
set register-rate-limit <rate_integer>
set register-rp-reachability {enable | disable}
set register-source {disable | interface | ip-address}
set register-source-interface <interface_name>
set register-source-ip <address_ipv4>
set register-suppression <suppress_integer>
set rp-register-keepalive <keepalive_integer>
set spt-threshold {enable | disable}
set spt-threshold-group <access_list_name>
set ssm {enable | disable}
set ssm-range <access_list_name>
config rp-address edit <rp_id>
set ip-address <address_ipv4>
set group <access_list_name>
end
end

Config Router Multicast

You can configure a ZXSEC US unit to support PIM using the
config router multicast CLI command. When PIM is enabled, the
ZXSEC US unit allocates memory to manage mapping
information. The ZXSEC US unit communicates with neighboring
PIM routers to acquire mapping information and if required,

302 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

processes the multicast traffic associated with specific multicast

groups.

Note:
The end-user multicast client-server applications must be
installed and configured to initiate Internet connections and
handle broadband content such as audio/video information.
Client applications send multicast data by registering IP traffic
with a PIM-enabled router. An end-user could type in a class D
multicast group address, an alias for the multicast group address,
or a call- conference number to initiate the session. Rather than
sending multiple copies of generated IP traffic to more than one
specific IP destination address, PIM-enabled routers encapsulate
the data and use the one multicast group address to forward
multicast packets to multiple destinations. Because one
destination address is used, a single stream of data can be sent.
Client applications receive multicast data by requesting that the
traffic destined for a certain multicast group address be
delivered to them— end-users may use phone books, a menu of
ongoing or future sessions, or some other method through a
user interface to select the address of interest.
A class D address in the 224.0.0.0 to 239.255.255.255 range
may be used as a multicast group address, subject to the rules
assigned by the Internet Assigned Numbers Authority (IANA). All
class D addresses must be assigned in advance. Because there
is no way to determine in advance if a certain multicast group
address is in use, collisions may occur (to resolve this problem,
end-users may switch to a different multicast address).
To configure a PIM domain
1. If you will be using sparse mode, determine appropriate
paths for multicast packets.
2. Make a note of the interfaces that will be PIM-enabled. These
interfaces may run a unicast routing protocol.
3. If you will be using sparse mode and want multicast packets
to be handled by specific (static) RPs, record the IP
addresses of the PIM-enabled interfaces on those RPs.
4. Enable PIM version 2 on all participating routers between the
source and receivers. On ZXSEC US units, use the config
router multicast command to set global operating
parameters.
5. Configure the PIM routers that have good connections
throughout the PIM domain to be candidate BSRs.
6. If sparse mode is enabled, configure one or more of the PIM
routers to be candidate RPs.
7. If required, adjust the default settings of PIM-enabled
interface(s).

Confidential and Proprietary Information of ZTE CORPORATION 303

ZXSEC US CLI Reference Guide

Note:
All keywords are optional.

TABLE 77 CONFIG ROUTER MULTICAST SETTING

Variables Description Default

igmp-state-limit If memory consumption is an 3200
<limit_integer> issue, specify a limit on the
number of IGMP states (multicast
memberships) that the ZXSEC US
unit will store. The value
represents the maximum
combined number of IGMP states
(multicast memberships) that can
be handled by all interfaces.
Traffic associated with excess
IGMP membership reports is not
delivered. The range is from 96 to
64 000.
multicast- Enable or disable PIM routing. disable
routing
{enable |
disable}
route-limit If memory consumption is an 2147483674
<limit_integer> issue, set a limit on the number of
multicast routes that can be added
to the ZXSEC US unit routing
table. The range is from 1 to 2 147
483 674.
route-threshold Specify the number of multicast 2147483674
<threshold_inte routes that can be added to the
ger> ZXSEC US unit’s routing table
before a warning message is
displayed. The route-threshold
value must be lower than the
route-limit value. The range is
from 1 to
2 147 483 674.

Config Interface
Use this subcommand to change interface-related PIM settings,
including the mode of operation (sparse or dense). Global
settings do not override interface-specific settings.

Note:
All keywords are optional.

304 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

Chapter 11 Router

Config Pim-sm-global
These global settings apply only to sparse mode PIM-enabled
interfaces. Global PIM settings do not override interface-specific
PIM settings.
If sparse mode is enabled, you can configure a DR to send
multicast packets to a particular RP by specifying the IP address
of the RP through the config rp-address subcommand. The IP
address must be directly accessible to the DR. If multicast
packets from more than one multicast group can pass through
the same RP, you can use an access list to specify the associated
multicast group addresses.

Note:
To send multicast packets to a particular RP using the config rp-
address subcommand, the ip- address keyword is required. All
other keywords are optional.

> RP.
group Configure a single static RP for the Null.
<access_list_na multicast group addresses given in
me> the specified access list. See
“access- list”. If an RP for any of
these group addresses is already
known to the BSR, the static RP
address is ignored and the RP
known to the BSR is used instead.

Example
This example shows how to enable a ZXSEC US unit to support
PIM routing in sparse mode and enable BSR candidacy on the
dmz interface:
config router multicast
set multicast-routing enable config interface
edit dmz
set pim-mode sparse-mode end
end
config pim-sm-global
set bsr-candidate enable
set bsr-priority 1
set bsr-interface dmz set bsr-hash 24
end
This example shows how to enable RP candidacy on the port1
interface for the multicast group addresses given through an
access list named multicast_port1:
config router multicast
set multicast-routing enable config interface
edit port1
set pim-mode sparse-mode
set rp-candidate enable
set rp-candidate-group multicast_port1
set rp-candidate-priority 15
end
end
Related topics
get router info multicast
execute mrouter clear

Confidential and Proprietary Information of ZTE CORPORATION 313

ZXSEC US CLI Reference Guide

OSPF
Use this command to configure Open Shortest Path First (OSPF)
protocol settings on the ZXSEC US unit. More information on
OSPF can be found in RFC 2328.
OSPF is a link state protocol capable of routing larger networks
than the simpler distance vector RIP protocol. An OSPF
autonomous system (AS) or routing domain is a group of areas
connected to a backbone area. A router connected to more than
one area is an area border router (ABR). Routing information is
contained in a link state database. Routing information is
communicated between routers using link state advertisements
(LSAs).
Bi-directional Forwarding Detection (BFD) is a protocol used by
BGP and OSPF. It is used to quickly locate hardware failures in
the network. Routers running BFD communicate with each other,
and if a timer runs out on a connection then that router is
declared down. BFD then communicates this information to the
routing protocol and the routing information is updated. BFD
support was added in US v3.0 MR4, and can only be configured
through the CLI.

Syntax
config router ospf
set abr-type {cisco | ibm | shortcut | standard}
set auto-cost-ref-bandwidth <mbps_integer>
set bfd {enable | disable | global}
set database-overflow {enable | disable}
set database-overflow-max-lsas <lsas_integer>
set database-overflow-time-to-recover <seconds_integer>
set default-information-metric <metric_integer>
set default-information-metric-type {1 | 2}
set default-information-originate {always | disable | enable}
set default-information-route-map <name_str>
set default-metric <metric_integer>
set distance <distance_integer>
set distance-external <distance_integer>
set distance-inter-area <distance_integer>
set distance-intra-area <distance_integer>
set distribute-list-in <access_list_name>
set passive-interface <name_str>

314 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

set restart-mode {graceful-restart | lls | none}

set rfc1583-compatible {enable | disable}
set router-id <address_ipv4>
set spf-timers <delay_integer> <hold_integer>
config area
edit <area_address_ipv4>
set authentication {md5 | none | text}
set default-cost <cost_integer>
set nssa-default-information-originate {enable | disable}
set nssa-default-information-originate-metric <metric>
set nssa-default-information-originate-metric-type {1 | 2}
set nssa-redistribution {enable | disable}
set nssa-translator-role {always | candidate | never}
set shortcut {default | disable | enable}
set stub-type {no-summary | summary}
set type {nssa | regular | stub}
config filter-list
edit <filter-list_id>
set direction {in | out}
set list <name_str>
end
config range
edit <range_id>
set advertise {enable | disable}
set prefix <address_ipv4mask>
set substitute <address_ipv4mask>
set substitute-status {enable | disable}
end
config virtual-link
edit <vlink_name>
set authentication {md5 | none | text}
set authentication-key <password_str>
set dead-interval <seconds_integer>
set hello-interval <seconds_integer>
set md5-key <id_integer><key_str>
set peer <address_ipv4>
set retransmit-interval <seconds_integer>
set transmit-delay <seconds_integer>

Confidential and Proprietary Information of ZTE CORPORATION 315

ZXSEC US CLI Reference Guide

end end
config distribute-list
edit <distribute-list_id>
set access-list <name_str>
set protocol {connected | rip | static}
end
end
config neighbor
edit <neighbor_id>
set cost <cost_integer>
set ip <address_ipv4>
set poll-interval <seconds_integer>
set priority <priority_integer>
end
end
config network
edit <network_id>
set area <id-address_ipv4>
set prefix <address_ipv4mask>
end
end
config ospf-interface
edit <ospf_interface_name>
set authentication {md5 | none | text}
set authentication-key <password_str> set
set cost <cost_integer>
set database-filter-out {enable | disable}
set dead-interval <seconds_integer>
set hello-interval <seconds_integer>
set interface <name_str>
set ip <address_ipv4>
set md5-key <id_integer> <key_str>
set mtu <mtu_integer>
set mtu-ignore {enable | disable}
set network-type <type>
set priority <priority_integer>
set resync-timeout <integer>
set retransmit-interval <seconds_integer>

316 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

set status {enable | disable}

set transmit-delay <seconds_integer>
end
end
config redistribute {bgp | connected | static | rip}
set metric <metric_integer>
set metric-type {1 | 2}
set routemap <name_str>
set status {enable | disable}
set tag <tag_integer>
end
config summary-address
edit <summary-address_id>
set advertise {enable | disable}
set prefix <address_ipv4mask>
set tag <tag_integer>
end
end
end

Config Router OSPF

Use this command to set the router ID of the ZXSEC US unit.
Additional configuration options are supported.

Note:
The router-id keyword is required. All other keywords are
optional.

Confidential and Proprietary Information of ZTE CORPORATION 317

ZXSEC US CLI Reference Guide

<distance_integ routes. The range is from 1 to
er> 255.
distribute-list-in Limit route updates from the OSPF Null.
<access_list_na neighbor based on the Network
me> Layer Reachability Information
(NLRI) defined in the specified
access list. You must create the
access list before it can be
selected here. See “access- list”.
passive- OSPF routing information is not No default.
interface sent or received through the
<name_str> specified interface.
restart-mode Select the restart mode from: none
{graceful- graceful-restart - (also known as
restart hitless restart) when ZXSEC US
| lls | none} unit goes down it advertises to
neighbors how long it will be down
to reduce trafficlls - Enable Link-
local Signaling (LLS) mode none -
hitless restart (graceful restart) is
disabled
rfc1583- Enable or disable RFC 1583 disable
compatible compatibility. RFC 1583
{enable | compatibility should be enabled
disable} only when there is another OSPF
router in the network that only
supports RFC 1583.
When RFC 1583 compatibility is
enabled, routers choose the path
with the lowest cost. Otherwise,
routers choose the lowest cost
intra-area path through a non-
backbone area.
router-id Set the router ID. The router ID is 0.0.0.0
<address_ipv4 a unique number, in IP address
> dotted decimal format, that is
used to identify an OSPF router to
other OSPF routers within an area.
The router ID should not be
changed while OSPF is running.
A router ID of 0.0.0.0 is not
allowed.
spf-timers Change the default shortest path 5 10
<delay_integer first (SPF) calculation delay time
> and frequency.
<hold_integer> The delay_integer is the time, in
seconds, between when OSPF
receives information that will
require an SPF calculation and
when it starts an SPF calculation.
The valid range for delay_integer
is 0 to 4294967295.
The hold_integer is the minimum

320 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

Variables Description Default

time, in seconds, between
consecutive SPF calculations. The
valid range for hold_integer is 0 to
4294967295.
OSPF updates routes more quickly
if the SPF timers are set low;
however, this uses more CPU. A
setting of 0 for spf-timers can
quickly use up all available CPU.

Example
This example shows how to set the OSPF router ID to 1.1.1.1 for
a standard area border router:
config router ospf
set abr-type standard
set router-id 1.1.1.1
end

Config Area
Use this subcommand to set OSPF area related parameters.
Routers in an OSPF autonomous system (AS) or routing domain
are organized into logical groupings called areas. Areas are
linked together by area border routers (ABRs). There must be a
backbone area that all areas can connect to. You can use a
virtual link to connect areas that do not have a physical
connection to the backbone. Routers within an OSPF area
maintain link state databases for their own areas.
You can use the config filter-list subcommand to control the
import and export of LSAs into and out of an area. See “config
filter-list variables”. You can use access or prefix lists for OSPF
area filter lists. For more information, see “access-list” and
“prefix-list”.
You can use the config range subcommand to summarize routes
at an area boundary. If the network numbers in an area are
contiguous, the ABR advertises a summary route that includes
all the networks within the area that are within the specified
range. See “config range variables”.
You can configure a virtual link using the config virtual-link
subcommand to connect an area to the backbone when the area
has no direct connection to the backbone (see “config virtual-link
variables”). A virtual link allows traffic from the area to transit a
directly connected area to reach the backbone. The transit area
cannot be a stub area. Virtual links can only be set up between
two ABRs.

Confidential and Proprietary Information of ZTE CORPORATION 321

ZXSEC US CLI Reference Guide

Note:
If you define a filter list, the direction and list keywords are
required. If you define a range, the prefix keyword is required. If
you define a virtual link, the peer keyword is required. All other
keywords are optional.

TABLE 81 CONFIG ARE A SETTING

Example
Use the following command to enable OSPF for the interfaces
attached to networks specified by the IP address 10.0.0.0 and
the netmask 255.255.255.0 and to add these interfaces to area
10.1.1.1.
config router ospf
config network
edit 2
set area 10.1.1.1
set prefix 10.0.0.0 255.255.255.0
end
end

Config OSPF-Interface
Use this subcommand to change interface related OSPF settings.

Note:

Confidential and Proprietary Information of ZTE CORPORATION 329

ZXSEC US CLI Reference Guide

The interface keyword is required. All other keywords are

optional.

TABLE 85 CONFIG OSPF-INTERFACE SETTING

Variables Description Default

point network.
The valid range for priority_integer
is 0 to 255.
resync-timeout Enter the synchronizing timeout 40
<integer> for graceful restart interval. This is
the period for this interface to
synchronize with a neighbor.
retransmit- The time, in seconds, to wait 5
interval before sending a LSA
<seconds_integ retransmission. The value for the
er> retransmit interval must be
greater than the expected round-
trip delay for a packet. The valid
range for seconds_integer is 1 to
65535.
status Enable or disable OSPF on this enable
{enable | interface.
disable}
transmit-delay The estimated time, in seconds, 1
<seconds_integ required to send a link state
er> update packet on this interface.
OSPF increments the age of the
LSAs in the update packet to
account for transmission and
propagation delays on the
interface.
Increase the value for transmit-
delay on low speed links. The valid
range for seconds_integer is 1 to
65535.

Example
This example shows how to assign an OSPF interface
configuration named test to the interface named internal and
how to configure text authentication for this interface.
config router ospf config ospf-interface
edit test
set interface internal set ip 192.168.20.3
set authentication text
set authentication-key a2b3c4d5e
end
end

Confidential and Proprietary Information of ZTE CORPORATION 333

ZXSEC US CLI Reference Guide

Config Redistribute
Use this subcommand to redistribute routes learned from BGP,
RIP, static routes, or a direct connection to the destination
network.
The OSPF redistribution table contains four static entries. You
cannot add entries to the table. The entries are defined as
follows:
bgp—Redistribute routes learned from BGP.
connected—Redistribute routes learned from a direct
connection to the destination network.
static—Redistribute the static routes defined in the ZXSEC US
unit routing table.
rip—Redistribute routes learned from RIP.
When you enter the subcommand, end the command with one of
the four static entry names (that is, config redistribute {bgp |
connected | static | rip}).

TABLE 86 CONFIG REDISTRIBUTE SETTING

Variables Description Default

metric Enter the metric to be used for the 10
<metric_integer redistributed routes. The
> metric_integer range is from 1 to
16777214.
metric-type {1 Specify the external link type to be 2
| 2} used for the redistributed routes.
routemap Enter the name of the route map Null.
<name_str> to use for the redistributed routes.
For information on how to
configure route maps, see “route-
map”.
status {enable | Enable or disable redistributing disable
disable} routes.
tag Specify a tag for redistributed 0
<tag_integer> routes.
The valid range for tag_integer is
0 to 4294967295.

Example
This example shows how to enable route redistribution from RIP,
using a metric of 3 and a route map named rtmp2.
config router ospf
config redistribute rip
set metric 3
set routemap rtmp2

334 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

set status enable

end

Config Summary-Address
Use this subcommand to summarize external routes for
redistribution into OSPF. This command works only for
summarizing external routes on an Autonomous System
Boundary Router (ASBR). For information on summarization
between areas, see “config range variables”. By replacing the
LSAs for each route with one aggregate route, you reduce the
size of the OSPF link-state database.

Note:
The prefix keyword is required. All other keywords are optional.

TABLE 87 CONFIG SUMMARY- ADDRESS SETTING

Variables Description Default

edit Enter an ID number for the No default.
<summary- summary address. The number
address_id> must be an integer.
advertise Advertise or suppress the enable
{enable | summary route that matches the
disable} specified prefix.

prefix Enter the prefix (IP address and 0.0.0.0

<address_ipv4 netmask) to use for the summary 0.0.0.0
mask> route. The prefix 0.0.0.0 0.0.0.0 is
not allowed.
tag Specify a tag for the summary 0
<tag_integer> route.
The valid range for tag_integer is
0 to 4294967295.

Example
This example shows how to summarize routes using the prefix
10.0.0.0 255.0.0.0.
config router ospf
config summary-address
edit 5
set prefix 10.0.0.0 255.0.0.0
end
end
Related topics
router access-list

Confidential and Proprietary Information of ZTE CORPORATION 335

ZXSEC US CLI Reference Guide

get router info ospf

get router info protocols
get router info routing-table
router prefix-list
router route-map

Policy
Use this command to add, move, edit or delete a route policy.
When you create a policy route, any packets that match the
policy are forwarded to the IP address of the next-hop gateway
through the specified outbound interface.
You can configure the ZXSEC US unit to route packets based on:
a source address
a protocol, service type, or port range
the inbound interface
When the ZXSEC US unit receives a packet, it starts at the top
of the policy routing list and attempts to match the packet with a
policy in ascending order. If no packets match the policy route,
the ZXSEC US unit routes the packet using the routing table.
Route policies are processed before static routing. You can
change the order of policy routes using the move command. See
“config branch”.

Note:
For static routing, any number of static routes can be defined for
the same destination. When multiple routes for the same
destination exist, the ZXSEC US unit chooses the route having
the lowest administrative distance. Route redundancy is not
available for policy routing: any packets that match a route
policy are forwarded according to the route specified in the
policy.
Syntax
config router policy
move <seq-num1> {before | after} <seq-num2>
edit <policy_integer>
set dst <dest-address_ipv4mask>
set end-port <port_integer>
set gateway <address_ipv4>
set input-device <interface-name_str>
set output-device <interface-name_str>
set protocol <protocol_integer>

336 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

set src <source-address_ipv4mask>

set start-port <port_integer>
end

Note:
The input-device keyword is required. All other keywords are
optional.

Confidential and Proprietary Information of ZTE CORPORATION 337

ZXSEC US CLI Reference Guide

TABLE 88 ROUTE POLICY SETTING

Variables Description Default

edit Enter an ID number for the No default.
<summary- summary address. The number
address_id> must be an integer.
move <seq- Move one policy before or after No default.
num1> another.
{before | after}
<seq-num2>
edit Enter an ID number for the route No default.
<policy_integer policy. The number must be an
> integer.
dst <dest- Match packets that have this 0.0.0.0
address_ipv4m destination IP address and 0.0.0.0
ask> netmask.
end-port The end port number of a port 65535
<port_integer> range for a policy route. Match
packets that have this destination
port range. You must configure
both the start-port and end-port
keywords for destination-port-
range matching to take
effect. To specify a range, the
start-port value must be lower
than the end-port value. To
specify a single port,
the start-port value must be
identical to the end-port
value. The port_integer range is 0
to 65 535.
gateway Send packets that match the 0.0.0.0
<address_ipv4 policy to this next hop router.
>
input-device Match packets that are received on Null.
<interface- this interface.
name_str>
output-device Send packets that match the Null.
<interface- policy out this interface.
name_str>
protocol Match packets that have this 0
<protocol_integ protocol number. The range is
er> 0 to 255.
src Match packets that have this 0.0.0.0
<source- source IP address and netmask. 0.0.0.0
address_ipv4m
ask>
start-port The start port number of a port 1
<port_integer> range for a policy route. Match
packets that have this destination

338 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

Variables Description Default

port range. You must configure
both the start-port and end-port
keywords for destination-port-
range matching to take
effect. To specify a range, the
start-port value must be lower
than the end-port value. To
specify a single port,
the start-port value must be
identical to the end-port
value. The port_integer range is 0
to 65 535.

Example
If a ZXSEC US unit provides Internet access for multiple internal
subnets, you can use policy routing to control the route that
traffic from each network takes to the Internet. For example, if
the internal network includes the subnets 192.168.10.0 and
192.168.20.0 you can enter the following route policies:
Enter the following command to route traffic from the
192.168.10.0 subnet to the 100.100.100.0 subnet. Force the
packets to the next hop gateway at IP address 1.1.1.1
through the interface named external.
config router policy
edit 1
set input-device internal
set src 192.168.10.0 255.255.255.0
set dst 100.100.100.0 255.255.255.0
set output-device external
set gateway 1.1.1.1
end
Enter the following command to route traffic from the
192.168.20.0 subnet to the 200.200.200.0 subnet. Force the
packets to the next hop gateway at IP address 2.2.2.1
through the interface named external.
config router policy
edit 2
set input-device internal
set src 192.168.20.0 255.255.255.0
set dst 200.200.200.0 255.255.255.0
set output-device external
set gateway 2.2.2.1
end

Confidential and Proprietary Information of ZTE CORPORATION 339

ZXSEC US CLI Reference Guide

Enter the following command to direct all HTTP traffic using

port 80 to the next hop gateway at IP address 1.1.1.1.
config router policy
edit 1
set input-device internal
set src 0.0.0.0 0.0.0.0
set dst 0.0.0.0 0.0.0.0
set output-device external
set gateway 1.1.1.1
set protocol 6
set start-port 80
set end-port 80
end
Enter the following command to direct all other traffic to the
next hop gateway at IP address 2.2.2.1.
config router policy
edit 2
set input-device internal
set src 0.0.0.0 0.0.0.0
set dst 0.0.0.0 0.0.0.0
set output-device external
set gateway 2.2.2.1
end
Related topics
router static

Prefix-list
Use this command to add, edit, or delete prefix lists. A prefix list
is an enhanced version of an access list that allows you to
control the length of the prefix netmask.
Each rule in a prefix list consists of a prefix (IP address and
netmask), the action to take for this prefix (permit or deny), and
maximum and minimum prefix length settings.
The ZXSEC US unit attempts to match a packet against the rules
in a prefix list starting at the top of the list. If it finds a match
for the prefix it takes the action specified for that prefix. If no
match is found the default action is deny. A prefix-list should be
used to match the default route 0.0.0.0/0.

340 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

For a prefix list to take effect, it must be called by another

ZXSEC US unit routing feature such as RIP or OSPF.
Syntax
config router prefix-list edit <prefix_list_name> set comments <string>
config rule
edit <prefix_rule_id>
set action {deny | permit}
set ge <length_integer>
set le <length_integer>
set prefix {<address_ipv4mask> | any}
end
end

Note:
The action and prefix keywords are required. All other keywords
are optional.

TABLE 89 PREFIX-LIST SETTING

Variables Description Default

edit Enter a name for the prefix list. A No default.
<prefix_list_na prefix list and an access list cannot
me> have the same name.
config rule variables
edit Enter an entry number for the No default.
<prefix_rule_id rule. The number must be an
> integer.
action {deny | Set the action to take for this permit
permit} prefix.
comments Enter a description of this access
<string> list entry. The description can be
up to 127 characters long.
ge Match prefix lengths that are 0
<length_integer greater than or equal to this
> number. The setting for ge should
be less than the setting for le. The
setting for ge should be greater
than the netmask set for prefix.
length_integer can be any number
from 0 to
32.
le Match prefix lengths that are less 32
<length_integer than or equal to this number. The
> setting for le should be greater
than the setting for ge.
length_integer can be any number
from 0 to 32.

Confidential and Proprietary Information of ZTE CORPORATION 341

ZXSEC US CLI Reference Guide

Variables Description Default

prefix Enter the prefix (IP address and 0.0.0.0
{<address_ipv4 netmask) for this prefix list rule or 0.0.0.0
mask> | any} enter any to match any prefix. The
length of the netmask should be
less than the setting for ge. If
prefix is set to any, ge and le
should not be set.

Examples
This example shows how to add a prefix list named prf_list1 with
three rules. The first rule permits subnets that match prefix
lengths between 26 and 30 for the prefix 192.168.100.0
255.255.255.0. The second rule denies subnets that match the
prefix lengths between 20 and 25 for the prefix 10.1.0.0
255.255.0.0. The third rule denies all other traffic.
config router prefix-list edit prf_list1
config rule edit 1
set prefix 192.168.100.0 255.255.255.0
set action permit
set ge 26
set le 30
next edit 2
set prefix 10.1.0.0 255.255.0.0
set action deny
set ge 20
set le 25
next edit 3
set prefix any set action deny
end
end
The following example shows how to create a prefix-list that will
drop the default route but allow all other prefixes to be passed.
The first rule matches the default route only and is set to deny,
the second rule will match all other prefixes and allow them to
be passed.
config router prefix-list
edit "drop_default"
config rule
edit 1
set action deny
set prefix 0.0.0.0 0.0.0.0
unset ge

342 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

unset le
next
edit 2
set prefix any
unset ge
unset le
next
end
next
end
Related topics
router access-list
router rip

RIP
Use this command to configure the Routing Information Protocol
(RIP) on the ZXSEC US unit. RIP is a distance-vector routing
protocol intended for small, relatively homogeneous, networks.
RIP uses hop count as its routing metric. Each network is usually
counted as one hop. The network diameter is limited to 15 hops
with 16 hops.
Syntax
config router rip
set default-information-originate {enable | disable}
set default-metric <metric_integer>
set garbage-timer <timer_integer>
set passive-interface <name_str>
set timeout-timer <timer_integer>
set update-timer <timer_integer>
set version {1 2}
config distance
edit <distance_id>
set access-list <name_str>
set distance <distance_integer>
set prefix <address_ipv4mask>
end
config distribute-list
edit <distribute_list_id>

Confidential and Proprietary Information of ZTE CORPORATION 343

ZXSEC US CLI Reference Guide

set direction {in | out}

set interface <name_str>
set listname <access/prefix-listname_str>
set status {enable | disable}
end
config interface
edit <interface_name>
set auth-keychain <name_str>
set auth-mode {none | text | md5}
set auth-string <password_str>
set receive-version {1 2}
set send-version {1 2}
set send-version1-compatible {enable | disable}
set split-horizon {poisoned | regular}
set split-horizon-status {enable | disable}
end
config neighbor
edit <neighbor_id>
set ip <address_ipv4>
end
config network
edit <network_id>
set prefix <address_ipv4mask>
end
config offset-list
edit <offset_list_id>
set access-list <name_str>
set direction {in | out}
set interface <name_str>
set offset <metric_integer>
set status {enable | disable}
end
config redistribute {connected | static | ospf | bgp}
set metric <metric_integer>
set routemap <name_str>
set status {enable | disable}
end

344 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

Config Router RIP

Use this command to specify RIP operating parameters. The
ZXSEC US unit implementation of RIP supports both RIP version
1 as defined by RFC 1058, and RIP version 2 as defined by RFC
2453. RIP version 2 enables RIP messages to carry more
information, and to support simple authentication and subnet
masks.

Note:
All keywords are optional.

TABLE 90 CONFIG ROUTER RIP SETTING

Variables Description Default

edit Enter a name for the prefix list. A No default.
<prefix_list_na prefix list and an access list cannot
me> have the same name.
default- Enter enable to advertise a default disable
information- static route into RIP.
originate
{enable |
disable}
default-metric For non-default routes in the static 1
<metric_integer routing table and directly
> connected networks the default
metric is the metric that the
ZXSEC US unit advertises to
adjacent routers. This metric is
added to the metrics of learned
routes. The default metric can be a
number from 1 to 16.
garbage-timer The time in seconds that must 120
<timer_integer elapse after the timeout interval
> for a route expires, before RIP
deletes the route. If RIP receives
an update for the route after the
timeout timer expires but before
the garbage timer expires then the
entry is switched back to
reachable.
RIP timer defaults are effective in
most configurations. All routers
and access servers in the network
should have the same RIP timer
settings.
passive- Block RIP broadcasts on the No default.
interface specified interface. You can use
<name_str> “config neighbor” and the passive
interface command to allow RIP to
send unicast updates to the
specified neighbor while blocking

Confidential and Proprietary Information of ZTE CORPORATION 345

ZXSEC US CLI Reference Guide

Variables Description Default

broadcast updates on the specified
interface.
timeout-timer The time interval in seconds after 180
<timer_integer which a route is declared
> unreachable. The route is removed
from the routing table. RIP holds
the route until the garbage timer
expires and then deletes the
route. If RIP receives an update
for the route before the timeout
timer expires, then the timeout-
timer is restarted. If RIP receives
an update for the route after the
timeout timer expires but before
the garbage timer expires then the
entry is switched back to
reachable. The value of the
timeout timer should be at least
three times the value of the
update timer.
RIP timer defaults are effective in
most configurations. All routers
and access servers in the network
should have the same RIP timer
settings.
update-timer The time interval in seconds 30
<timer_integer between RIP updates.
> RIP timer defaults are effective in
most configurations. All routers
and access servers in the network
should have the same RIP timer
settings.
version {1 2} Enable sending and receiving RIP 2
version 1 packets, RIP version 2
packets, or both for all RIP-
enabled interfaces. You can
override this setting on a per
interface basis using the receive-
version {1 2}and send-version {1
2} keywords described under
“config interface”.

Example
This example shows how to enable the advertising of a default
static route into RIP, enable the sending and receiving of RIP
version 1 packets, and raise the preference of local routes in the
static routing table (the default metric) from the default of 1 to 5
- those routes well be less preferred.
config router rip
set default-information-originate enable
set version 1
set default-metric 5

346 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

end

Config Distance
Use this subcommand to specify an administrative distance.
When different routing protocols provide multiple routes to the
same destination, the administrative distance sets the priority of
those routes.
The lowest administrative distance indicates the preferred route.
If you specify a prefix, RIP uses the specified distance when the
source IP address of a packet matches the prefix.

Note:
The distance keyword is required. All other keywords are
optional.

TABLE 91 CONFIG DISTANCE SETTING

Variables Description Default

edit Enter an entry number for the No default.
<distance_id> distance. The number must be an
integer.
access-list Enter the name of an access list. Null.
<name_str> The distances associated with the
routes in the access list will be
modified. To create an access list,
see “access-list”.
distance Enter a number from 1 to 255, to 0
<distance_integ set the administrative distance.
er> This keyword is required.
prefix Optionally enter a prefix to apply 0.0.0.0
<address_ipv4 the administrative distance to. 0.0.0.0
mask>

Example
This example shows how to change the administrative distance
to 10 for all IP addresses that match the internal_example
access-list.
config router rip config distance
edit 1
set distance 10
set access-list internal_example
end
end

Confidential and Proprietary Information of ZTE CORPORATION 347

ZXSEC US CLI Reference Guide

Config Distribute-list
Use this subcommand to filter incoming or outgoing updates
using an access list or a prefix list. If you do not specify an
interface, the filter will be applied to all interfaces. You must
configure the access list or prefix list that you want the
distribution list to use before you configure the distribution list.
For more information on configuring access lists and prefix lists,
see “access-list” and “prefix-list”.

Note:
The direction and listname keywords are required. All other
keywords are optional.

TABLE 92 CONFIG DISTRIBUTE-LIST SETTING

Variables Description Default

edit Enter an entry number for the No default.
<distribute_list distribution list. The number must
_id> be an integer.
direction {in | Set the direction for the filter. out
out} Enter in to filter incoming packets.
Enter out to filter outgoing
packets.
interface Enter the name of the interface to Null.
<name_str> apply this distribution list to.
If you do not specify an interface,
this distribution list will be
used for all interfaces.
listname Enter the name of the access list Null.
<access/prefix- or prefix list to use for this
listname_str> distribution list.

status {enable | Enable or disable this distribution disable

disable} list.

Example
This example shows how to configure and enable a distribution
list to use an access list named acc_list1 for incoming updates
on the external interface.
config router rip
config distribute-list edit 1
set direction in
set interface external
set listname acc_list1
set status enable
end

348 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

end

Config Interface
Use this subcommand to configure RIP version 2 authentication,
RIP version send and receive for the specified interface, and to
configure and enable split horizon.
Authentication is only available for RIP version 2 packets sent
and received by an interface. You must set auth-mode to none
when receive-version or send-version are set to 1 or 1 2 (both
are set to 1 by default).
A split horizon occurs when a router advertises a route it learns
over the same interface it learned it on.
In this case the router that gave the learned route to the last
router now has two entries to get to another location. However,
if the primary route fails that router tries the second route to
find itself as part of the route and an infinite loop is created. A
poisoned split horizon will still advertise the route on the
interface it received it on, but it will mark the route as
unreachable. Any unreachable routes are automatically removed
from the routing table. This is also called split horizon with
poison reverse.

Note:
All keywords are optional.

TABLE 93 CONFIG INTERFACE SETTING

Note:
The ip keyword is required. All other keywords are optional.

Confidential and Proprietary Information of ZTE CORPORATION 351

ZXSEC US CLI Reference Guide

TABLE 94 CONFIG NEIGHBOR SETTING

Variables Description Default

edit Enter an entry number for the RIP No default.
<neighbor_id> neighbor. The number must be an
integer.
ip Enter the IP address of the 0.0.0.0
<address_ipv4 neighboring router to which to
> send unicast updates.

Example
This example shows how to specify that the router at
192.168.21.20 is a neighbor.
config router rip config neighbor
edit 1
set ip 192.168.21.20
end
end

Config Network
Use this subcommand to identify the networks for which to send
and receive RIP updates. If a network is not specified, interfaces
in that network will not be advertised in RIP updates.

Note:
The prefix keyword is optional.

TABLE 95 CONFIG NETWORK SETTING

Variables Description Default

edit Enter an entry number for the RIP No default.
<network_id> network. The number must be an
integer.
prefix Enter the IP address and netmask 0.0.0.0
<address_ipv4 for the RIP network. 0.0.0.0
mask>

Example
Use the following command to enable RIP for the interfaces
attached to networks specified by the IP address 10.0.0.0 and
the netmask 255.255.255.0.
config router rip
config network
edit 2
set prefix 10.0.0.0 255.255.255.0

352 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

end
end

Config Offset-list
Use this subcommand to add the specified offset to the metric
(hop count) of a route from the offset list.

Note:
The access-list, direction, and offset keywords are required. All
other keywords are optional.

TABLE 96 CONFIG OFFSET-LIST SETTING

Variables Description Default

edit Enter an entry number for the No default.
<offset_list_id> offset list. The number must be an
integer.
access-list Enter the name of the access list Null.
<name_str> to use for this offset list. The
access list is used to determine
which routes to add the metric to.
direction {in | Enter in to apply the offset to the out
out} metrics of incoming routes. Enter
out to apply the offset to the
metrics of outgoing routes.
interface Enter the name of the interface to Null.
<name_str> match for this offset list.
offset Enter the offset number to add to 0
<metric_integer the metric. The metric is the hop
> count. The metric_integer range is
from 1 to 16, with 16 being
unreachable.
status {enable | Enable or disable this offset list. disable
disable}

Example
This example shows how to configure and enable offset list
number 5 that adds a metric of 3 to incoming routes that match
the access list named acc_list1 on the external interface.
config router rip config offset-list
edit 5
set access-list acc_list1
set direction in
set interface external
set offset 3

Confidential and Proprietary Information of ZTE CORPORATION 353

ZXSEC US CLI Reference Guide

set status enable

end
end

Config Redistribute
Use this subcommand to redistribute routes learned from OSPF,
BGP, static routes, or a direct connection to the destination
network.
The RIP redistribution table contains four static entries. You
cannot add entries to the table. The entries are defined as
follows:
bgp—Redistribute routes learned from BGP.
connected—Redistribute routes learned from a direct
connection to the destination network.
ospf—Redistribute routes learned from OSPF.
static—Redistribute the static routes defined in the ZXSEC US
unit routing table.
When you enter the subcommand, end the command with one of
the four static entry names (that is, config redistribute {bgp |
connected | ospf | static}).

Note:
All keywords are optional.

TABLE 97 CONFIG REDISTRIBUTE SETTING

Variables Description Default

metric Enter the metric value to be used 0
<metric_integer for the redistributed routes. The
> metric_integer range is from 0 to
16.
routemap Enter the name of the route map Null.
<name_str> to use for the redistributed routes.
For information on how to
configure route maps, see “route-
map”.
status {enable | Enable or disable redistributing disable
disable} routes.

Example
This example shows how to enable route redistribution from
OSPF, using a metric of 3 and a route map named rtmp2.
config router rip
config redistribute ospf

354 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

set metric 3
set routemap rtmp2
set status enable
end
Related topics
router access-list
router key-chain
router prefix-list
router route-map
get router info protocols
get router info rip
get router info routing-table

Route-map
Use this command to add, edit, or delete route maps. To use the
command to limit the number of received or advertised BGP
route and routing updates using route maps, see “Using route
maps with BGP”.
Route maps provide a way for the ZXSEC US unit to evaluate
optimum routes for forwarding packets or suppressing the
routing of packets to particular destinations. Compared to access
lists, route maps support enhanced packet-matching criteria. In
addition, route maps can be configured to permit or deny the
addition of routes to the ZXSEC US unit routing table and make
changes to routing information dynamically as defined through
route-map rules.
The ZXSEC US unit compares the rules in a route map to the
attributes of a route. The rules are examined in ascending order
until one or more of the rules in the route map are found to
match one or more of the route attributes:
When a single matching match-* rule is found, changes to
the routing information are made as defined through the
rule’s set-ip-nexthop, set-metric, set-metric-type, and/or
set- tag settings.
If no matching rule is found, no changes are made to the
routing information.
When more than one match-* rule is defined, all of the
defined match-* rules must evaluate to TRUE or the routing
information is not changed.
If no match-* rules are defined, the ZXSEC US unit makes
changes to the routing information only when all of the

Confidential and Proprietary Information of ZTE CORPORATION 355

ZXSEC US CLI Reference Guide

default match-* rules happen to match the attributes of the

route.
The default rule in the route map (which the ZXSEC US unit
applies last) denies all routes. For a route map to take effect, it
must be called by a ZXSEC US unit routing process.

Note:
Any keywords and rules that to not appear here can be found in
the BGP route-map section. See“Using route maps with BGP”.

Syntax
config router route-map
edit <route_map_name>
set comments <string>
config rule
edit <route_map_rule_id>
set action {deny | permit}
set match-interface <name_str>
set match-ip-address <access/prefix-listname_str>
set match-ip-nexthop <access/prefix-listname_str>
set match-metric <metric_integer>
set match-route-type {1 | 2}
set match-tag <tag_integer>
set set-ip-nexthop <address_ipv4>
set set-metric <metric_integer>
set set-metric-type {1 | 2}
set set-tag <tag_integer>
end
end

Note:
All keywords are optional.

TABLE 98 ROUTE-M AP SETTING

Variables Description Default

metric Enter the metric value to be used 0
<metric_integer for the redistributed routes. The
> metric_integer range is from 0 to
16.
edit Enter a name for the route map. No default.
<route_map_na
me>

356 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

Variables Description Default

comments Enter a description for this route No default.
<string> map name.
config rule variables
edit Enter an entry number for the No default.
<route_map_ru rule. The number must be an
le_id> integer.
action {deny | Enter permit to permit routes that permit
permit} match this rule. Enter deny to
deny routes that match this rule.
match-interface Enter the name of the local ZXSEC Null.
<name_str> US unit interface that will be used
to match route interfaces.
match-ip- Match a route if the destination Null.
address address is included in the specified
<access/prefix- access list or prefix list.
listname_str>
match-ip- Match a route that has a next-hop Null.
nexthop router address included in the
<access/prefix- specified access list or prefix list.
listname_str>
match-metric Match a route with the specified 0
<metric_integer metric. The metric can be a
> number from 1 to 16.

match-route- Match a route that has the external-

type {1 | 2} external type set to 1 or type1
2.
match-tag This keyword is available when 0
<tag_integer> set-tag is set. Match a route that
has the specified tag.
set-ip-nexthop Set the next-hop router address 0.0.0.0
<address_ipv4 for a matched route.
>
set-metric Set a metric value of 1 to 16 for a 0
<metric_integer matched route.
>
set-metric-type Set the type for a matched route. external-
{1 | 2} type1
set-tag Set a tag value for a matched 0
<tag_integer> route.

Example
This example shows how to add a route map list named rtmp2
with two rules. The first rule denies routes that match the IP
addresses in an access list named acc_list2. The second rule
permits routes that match a metric of 2 and changes the metric
to 4.
config router route-map

Confidential and Proprietary Information of ZTE CORPORATION 357

ZXSEC US CLI Reference Guide

edit rtmp2
config rule edit 1
set match-ip-address acc_list2
set action deny next
edit 2
set match-metric 2 set action permit set set-metric 4
end
end

Using Route Maps with BGP

When a connection is established between BGP peers, the two
peers exchange all of their BGP route entries. Afterward, they
exchange updates that only include changes to the existing
routing
information. Several BGP entries may be present in a route-map
table. You can limit the number of received or advertised BGP
route and routing updates using route maps. Use the config
router route-map command to create, edit, or delete a route
map.

Note:
When you specify a route map for the dampening-route-map
value through the config router bgp command (see “dampening-
route-map <routemap-name_str>”), the ZXSEC US unit ignores
global dampening settings. You cannot set global dampening
settings for the ZXSEC US unit and then override those values
through a route map.
Syntax
config router route-map
edit <route_map_name>
set comments <string>
config rule
edit <route_map_rule_id>
set match-as-path <aspath-list-name_str>
set match-community <community-list-name_str>
set match-community-exact {enable | disable}
set match-origin {egp | igp | incomplete | none}
set set-aggregator-as <id_integer>
set set-aggregator-ip <address_ipv4>
set set-aspath <id_integer> <id_integer> <id_integer> ...

358 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

set set-atomic-aggregate {enable | disable}

set set-community-delete <community-list-name_str>
set set-community <criteria>
set set-community-additive {enable | disable}
set set-dampening-reachability-half-life <minutes>
set set-dampening-reuse <reuse_integer>
set set-dampening-suppress <suppress_integer>
set set-dampening-max-suppress <minutes>
set set-dampening-unreachability-half-life <minutes>
set set-extcommunity-rt <AA:NN> <AA:NN> <AA:NN> ... set set-
extcommunity-soo <AA:NN> <AA:NN> <AA:NN> ...
set set-local-preference <preference_integer>
set set-originator-id <address_ipv4>
set set-origin {egp | igp | incomplete | none}
set set-weight <weight_integer>
end

Note:
All keywords are optional.

reuse dampened BGP route will be
<reuse_integer reused. The range is from 1 to 20
> 000. If you set set- dampening-
reuse, you must also set set-
dampening- suppress and set-
dampening-max-suppress.
set-dampening- Set the limit at which a BGP route 0
suppress may be suppressed. The range is
<suppress_inte from 1 to 20 000. See also
ger> “dampening- suppress
<limit_integer>”.
set-dampening- Set maximum time (in minutes) 0
max-suppress that a BGP route can be
<minutes> suppressed. The range is from 1 to
255. See also “dampening-max-
suppress-time” in “dampening-
max-suppress-time
<minutes_integer>”.
set-dampening- Set the unreachability half-life of a 0
unreachability- BGP route (in minutes). The range
half-life is from 1 to 45. See also
<minutes> “dampening- unreachability-half-
life” in “dampening-
unreachability-half-life
<minutes_integer>”.
set- Set the target extended No default.
extcommunity- community (in decimal notation)
rt of a BGP route. The COMMUNITY
<AA:NN> attribute value has the syntax
<AA:NN> AA:NN, where AA represents an
<AA:NN> ... AS, and NN is the community
identifier.
set- Set the site-of-origin extended No default.
extcommunity- community (in decimal notation)
soo of a BGP route. The COMMUNITY
<AA:NN> attribute value has the syntax
<AA:NN> AA:NN, where AA represents an
<AA:NN> ... AS, and NN is the community
identifier.
set-local- Set the LOCAL_PREF value of an 0
preference IBGP route. The value is
<preference_int advertised to IBGP peers. The

362 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

Variables Description Default

eger> range is from 0 to 4294967295. A
higher number signifies a
preferred route among multiple
routes to the same destination.
set-originator-id Set the ORIGINATOR_ID attribute, 0.0.0.0
<address_ipv4 which is equivalent to the router-id
> of the originator of the route in the
local AS. Route reflectors use this
value to prevent routing loops.
set-origin {egp Set the ORIGIN attribute of a local none
| igp | BGP route.
incomplete | To set the value to the NLRI
none} learned from the Exterior
Gateway Protocol (EGP), select
egp.
To set the value to the NLRI
learned from a protocol
internal to the originating AS,
select igp.
If you did not specify egp or
igp, select incomplete.
To disable the ORIGIN
attribute, select none.

set-weight Set the weight of a BGP route. A 0

<weight_intege route’s weight has the most
r> influence when two identical BGP
routes are compared. A higher
number signifies a greater
preference. The range is from 0 to
2147483647.

Example
This example shows how to create a route map named
BGP_rtmp2. The route map contains two rules. The first rule
permits operations on routes that match the IP addresses in an
access list named acc_list2. The second rule permits operations
on routes according to a community list named com_list3.
config router route-map
edit BGP_rtmp2
set comments “example BGP route map”
config rule
edit 1
set match-ip-address acc_list2
set action permit next
edit 2
set match-community com_list3
set action permit

Confidential and Proprietary Information of ZTE CORPORATION 363

ZXSEC US CLI Reference Guide

end
end
Related topics
router access-list
router prefix-list
router rip
router aspath-list
router bgp
router community-list
router key-chain

Static
Use this command to add, edit, or delete static routes for IPv4
traffic. For IPv6 traffic, use the static6 command. You add static
routes to control traffic exiting the ZXSEC US unit. You configure
routes by specifying destination IP addresses and network
masks and adding gateways for these destination addresses.
Gateways are the next-hop routers to which traffic that matches
the destination addresses in the route are forwarded.
You can adjust the administrative distance of a route to indicate
preference when more than one route to the same destination is
available. The lower the administrative distance, the greater the
preferability of the route. If the routing table contains several
entries that point to the same destination (the entries may have
different gateways or interface associations), the ZXSEC US unit
compares the administrative distances of those entries, selects
the entries having the lowest distances, and installs them as
routes in the ZXSEC US unit forwarding table. Any ties are
resolved by comparing the routes’ priority, with lowest priority
being preferred. As a result, the ZXSEC US unit forwarding table
only contains routes having the lowest distances to every
possible destination.If both administrative distance and priority
are both tied for two or more routes, an equal cost multi-path
(ECMP) situation occurs. In this case, the egress index for the
routes will be used to determine the selected route.
After the ZXSEC US unit selects static routes for the forwarding
table based on their administrative distances, the sequence
numbers of those routes determines routing priority. When two
routes to the same destination exist in the forwarding table, the
ZXSEC US unit selects the route having the lowest sequence
number.
Syntax
config router static

364 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

edit <sequence_number>
set blackhole {enable | disable}
set device <interface_name>
set distance <distance>
set dst <destination-address_ipv4mask>
set dynamic-gateway {enable | disable}
set gateway <gateway-address_ipv4>
set priority <integer>
end

Note:
The dst and gateway keywords are required when blackhole is
disabled. When blackhole is enabled, the dst keyword is required.
All other keywords are optional.

TABLE 100 USING ROUTE MAPS WITH BGP

Variables Description Default

edit Enter a sequence number for the No default.
<sequence_nu static route. The sequence number
mber> may influence routing priority in
the ZXSEC US unit forwarding
table.
blackhole Enable or disable the advertising disable
{enable | of this route to neighbors through
disable} dynamic routing protocols while
dropping all packets that match
this route.
device This keyword is available when Null.
<interface_nam blackhole is set to disable. Enter
e> the name of the ZXSEC US unit
interface through which to route
traffic. Use ‘?’ to see a list of
interfaces.
distance Enter the administrative distance 10
<distance> for the route. The distance value
may influence route preference in
the ZXSEC US unit routing table.
The range is an integer from 1-
255. See also config system
interface “distance
<distance_integer>”.
dst Enter the destination IP address 0.0.0.0
<destination- and network mask for this route. 0.0.0.0
address_ipv4m You can enter 0.0.0.0 0.0.0.0 to
ask> create a new static default route.
dynamic- When enabled, dynamic-gateway disable
gateway hides the gateway variable for a
{enable | dynamic interface, such as a DHCP

Confidential and Proprietary Information of ZTE CORPORATION 365

ZXSEC US CLI Reference Guide

Variables Description Default

disable} or PPPoE interface. When the
interface connects or disconnects,
the corresponding routing entries
are updated to reflect the change.
gateway This keyword is available when 0.0.0.0
<gateway- blackhole is set to disable. Enter
address_ipv4> the IP address of the next-hop
router to which traffic is
forwarded.
priority The administrative priority value is 0
<integer> used to resolve ties in route
selection. In the case where both
routes have the same priority,
such as equal cost multi-path
(ECMP), the egress index for the
routes will be used to determine
the selected route. The range
is an integer from 0 to
4294967295.
Lower priority routes are preferred
routes. This field is only accessible
through the CLI.

Example
This example shows how to add a static route that has the
sequence number 2.
config router static
edit 2
set dev internal
set dst 192.168.22.0 255.255.255.0
set gateway 192.168.22.44
end
This example shows how to add a static route for a dynamic
modem interface with a administrative distance of 1 and a
priority of 1. These settings makes this the preferred route.
config route static
edit 3
set dev modem
set dynamic-gateway enable
set dst 10.0.0.7 255.255.255.0
set distance 1
set priority 1
end
Related topics
system interface

366 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 11 Router

get router info routing-table

Static6
Use this command to add, edit, or delete static routes for IPv6
traffic. You add static routes to specify the destination of traffic
exiting the ZXSEC US unit. You configure routes by adding
destination IP addresses and network masks and adding
gateways for these destination addresses. The gateways are the
next-hop routers to which traffic that matches the destination
addresses in the route are forwarded.

Note:
You can configure static routes for IPv6 traffic on ZXSEC US
units that run in NAT/Route mode.
Syntax
config router static6
edit <sequence_number>
set device <interface_name>
set dst <destination-address_ipv6mask>
set gateway <gateway-address_ipv6>
end

Note:
The device, dst, and gateway keywords are all required.

TABLE 101 STATIC6 SETTING

Variables Description Default

edit Enter a sequence number for the No default.
<sequence_nu static route.
mber>
device The name of the ZXSEC US unit Null.
<interface_nam interface through which to route
e> traffic.
dst The destination IPv6 address and ::/0
<destination- netmask for this route. You can
address_ipv6m enter ::/0 to create a new static
ask> default route for
IPv6 traffic.
gateway The IPv6 address of the next-hop ::
<gateway- router to which traffic is
address_ipv6> forwarded.

Example

Confidential and Proprietary Information of ZTE CORPORATION 367

ZXSEC US CLI Reference Guide

This example shows how to add an IPv6 static route that has the
sequence number 2.
config router static6
edit 2
set dev internal
set dst 2001:DB8::/32
set gateway 2001:DB8:0:CD30:123:4567:89AB:CDEF
end
Related topics
system interface
get router info routing-table

368 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 12 Router

Chapter 12

Spamfilter

Overview
Use spamfilter commands to create a banned word list, configure filters
based on email addresses, ip addresses, and MIME headers, and to
configure the Usservice-Antispam service.
This chapter contains the following sections:
BWord
Emailbwl
USshield
Ipbwl
Iptrust
Mheader
Options
DNSBL

BWord
Use this command to add or edit and configure options for the spam filter
banned word list. The ZXSEC US spam filters are applied in the following
order:
For SMTP
1. IP address BWL check - Last hop IP
2. DNSBL & ORDBL check, IP address Usservice check, HELO DNS lookup
3. E-mail address BWL check
4. MIME headers check
5. IP address BWL check (for IPs extracted from “Received” headers)

Confidential and Proprietary Information of ZTE CORPORATION 369

ZXSEC US CLI Reference Guide

6. Return e-mail DNS check, Usservice Antispam check (for IPs extracted
from “Received” headers, and URLs in email content)
7. Banned word check
For POP3 and IMAP
1. E-mail address BWL check
2. MIME headers check, IP BWL check
3. Return e-mail DNS check, Usservice Antispam check, DNSBL & ORDBL
check
4. Banned word check
For SMTP, POP3, and IMAP
Control spam by blocking email messages containing specific words or
patterns. If enabled in the protection profile, the ZXSEC US unit searches
for words or patterns in email messages. If matches are found, values
assigned to the words are totalled. If a user-defined threshold value is
exceeded, the message is marked as spam. If no match is found, the
email message is passed along to the next filter.
Use Perl regular expressions or wildcards to add banned word patterns to
the list. See “Using Perl regular expressions”. Add one or more banned
words to sort email containing those words in the email subject, body, or
both. Words can be marked as spam or clear. Banned words can be one
word or a phrase up to 127 characters long.
If a single word is entered, the ZXSEC US unit blocks all email that contain
that word. If a phrase is entered, the ZXSEC US unit blocks all email
containing the exact phrase. To block any word in a phrase, use Perl
regular expressions.

Note:
Perl regular expression patterns are case sensitive for Spam Filter banned
words. To make a word or phrase case insensitive, use the regular
expression /i. For example, /bad language/i blocks all instances of bad
language regardless of case. Wildcard patterns are not case sensitive.
Syntax
config spamfilter bword
edit <banned_word_list_integer>
set name <banned_word_list>
set comment <banned_word_list_comment>
config entries
edit <banned_word_integer>
set action {clear | spam}
set language {french | japanese | korean | simch | thai | trach | western}
set pattern <banned_word_str>
set pattern-type {regexp | wildcard}
set score <integer_value>

370 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 12 Router

set status {enable | disable}

set where {all | body | subject}
end

TABLE 102 BWORD SETTING

Variables Description Default

<banned_word A unique number to identify the
_list_integer> banned word list.
<banned_word The name of the banned word list.
_list>
<banned_word The comment attached to the
_list_comment banned word list.
>
<banned_word A unique number to identify the
_integer> banned word or pattern.
action {clear | Enter clear to allow the email. spam
spam} Enter spam to apply the spam
action configured in the protection
profile.
language Enter the language character set western
{french | used for the banned word or
japanese | phrase. Choose from French,
korean | simch Japanese, Korean, Simplified
Chinese, Thai, Traditional Chinese,
| thai | trach |
or Western.
western}
pattern Enter the banned word or phrase No default.
<banned_word pattern using regular expressions
_str> or wildcards.
pattern-type Enter the pattern type for the wildcard
{regexp | banned word (pattern). Choose
wildcard} from regular expressions or
wildcard.
score A numerical weighting applied to 10
<integer_value the banned word. The score values
> of all the matching words
appearing in an email message are
added, and if the total is greater
than the spamwordthreshold value
set in the protection profile, the
message is processed according to
the spam action setting in the
protection profile. The score for a
banned word is counted once even
if the word appears multiple times
in an email message.
status {enable | Enable or disable scanning email enable
disable} for each banned word.
where {all | Enter where in the email to search all
body | for the banned word or phrase.
subject}

Confidential and Proprietary Information of ZTE CORPORATION 371

ZXSEC US CLI Reference Guide

Related topics
spamfilter emailbwl
spamfilter USshield
spamfilter ipbwl
spamfilter iptrust
spamfilter mheader
spamfilter options
spamfilter
DNSBL

Emailbwl
Use this command to filter email based on the sender’s email address or
address pattern. The ZXSEC US spam filters are applied in the following
order:
For SMTP
1. IP address BWL check - Last hop IP
2. DNSBL & ORDBL check, IP address Usservice check, HELO DNS lookup
3. E-mail address BWL check
4. MIME headers check
5. IP address BWL check (for IPs extracted from “Received” headers)
6. Return e-mail DNS check, Usservice Antispam check (for IPs extracted
from “Received” headers, and URLs in email content)
7. Banned word check
For POP3 and IMAP
1. E-mail address BWL check
2. MIME headers check, IP BWL check
3. Return e-mail DNS check, Usservice Antispam check, DNSBL & ORDBL
check
4. Banned word check
For SMTP, POP3, and IMAP
The ZXSEC US unit uses the email address list to filter incoming email. The
ZXSEC US unit compares the email address or domain of the sender to the
list in sequence. If a match is found, the corresponding action is taken. If
no match is found, the email is passed on to the next spam filter.
The ZXSEC US unit can filter email from specific senders or all email from
a domain (such as example.net). Each email address can be marked as
clear or spam.
Use Perl regular expressions or wildcards to add email address patterns to
the list. See “Using Perl regular expressions”.

372 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 12 Router

Syntax
config spamfilter emailbwl
edit <emailbwl_list_integer>
set name <emailbwl_list>
set comment <emailbwl_list_comment>
config entries
edit <email_address_integer>
set action {clear | spam}
set email-pattern <email_address_str>
set pattern-type {regexp | wildcard}
set status {enable | disable}
end

TABLE 103 EM AILBWL SETTING

Variables Description Default

<emailbwl_list_ A unique number to identify the
integer> email black/white list.
<emailbwl_list> The name of the email black/white
list.
<emailbwl_list_ The comment attached to the
comment> email black/white list.
<email_address A unique number to identify the
_integer> email pattern.
action {clear | Enter clear to exempt the email spam
spam} from the rest of the spam filters.
Enter spam to apply the spam
action configured in the protection
profile.
email-pattern Enter the email address pattern
<email_address using wildcards or Perl regular
_str> expressions.

pattern-type Enter the pattern-type for the wildcard

{regexp | email address. Choose from
wildcard} wildcards or Perl regular
expressions.
status {enable | Enable or disable scanning for enable
disable} each email address.

Related topics
spamfilter bword
spamfilter USshield
spamfilter ipbwl
spamfilter iptrust
spamfilter mheader

Confidential and Proprietary Information of ZTE CORPORATION 373

ZXSEC US CLI Reference Guide

spamfilter options
spamfilter DNSBL

USshield
Use this command to configure the settings for the Usservice-Antispam
Service. The ZXSEC US spam filters are applied in the following order:
For SMTP
1. IP address BWL check - Last hop IP
2. DNSBL & ORDBL check, IP address Usservice check, HELO DNS lookup
3. E-mail address BWL check
4. MIME headers check
5. IP address BWL check (for IPs extracted from “Received” headers)
6. Return e-mail DNS check, Usservice Antispam check (for IPs extracted
from “Received” headers, and URLs in email content)
7. Banned word check
For POP3 and IMAP
1. E-mail address BWL check
2. MIME headers check, IP BWL check
3. Return e-mail DNS check, Usservice Antispam check, DNSBL & ORDBL
check
4. Banned word check
For SMTP, POP3, and IMAP
Usservice-Antispam Service is an antispam system from USnet that
includes an IP address black list, a URL black list, and spam filtering tools.
The IP address black list contains IP addresses of email servers known to
be used to generate Spam. The URL black list contains found in Spam
email.
Usservice-Antispam Service compiles the IP address and URL list from
email captured by spam probes located around the world. Spam probes
are email addresses purposely configured to attract spam and identify
known spam sources to create the antispam IP address and URL list.
Usservice- Antispam Service combines IP address and URL checks with
other spam filter techniques in a two- pass process.
On the first pass, if spamfsip is selected in the protection profile,
Usservice-Antispam Service extracts the SMTP mail server source address
and sends the IP address to a Usservice-Antispam Service server to see if
this IP address matches the list of known spammers. If spamfsurl is
selected in the protection profile, Usservice-Antispam Service checks the
body of email messages to extract any URL links. These URL links will be
sent to a Usservice-Antispam Service server to see if any of them is listed.
Typically Spam messages contain URL links to advertisements (also called
spamvertizing).

374 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 12 Router

If an IP address or URL match is found, Usservice-Antispam Service

terminates the session. If Usservice-Antispam Service does not find a
match, the mail server sends the email to the recipient.
As each email is received, Usservice-Antispam Service performs the
second antispam pass by checking the header, subject, and body of the
email for common spam content. If Usservice-Antispam Service finds
spam content, the email is tagged or dropped according to the
configuration in the firewall protection profile.
Both Usservice-Antispam Service antispam processes are completely
automated and configured by USnet. With constant monitoring and
dynamic updates, Usservice-Antispam Service is always current. Enable or
disable Usservice-Antispam Service in a firewall protection profile.
Syntax
config spamfilter USshield
set spam-submit-force {enable | disable}
set spam-submit-srv <url_str>
set spam-submit-txt2htm {enable | disable}
end

TABLE 104 USSHIELD SETTING

Variables Description Default

spam-submit- Enable or disable force insertion of enable
force {enable a new mime entity for the
| disable} submission text.

spam-submit- The host name of the Usservice- www.nospa

srv <url_str> Antispam Service server. The mmer.net
ZXSEC US unit comes
preconfigured with the host name.
Use this command only to change
the host name.
spam-submit- Enable or disable converting text enable
txt2htm email to HTML.
{enable |
disable}

Related topics
spamfilter bword
spamfilter emailbwl
spamfilter ipbwl
spamfilter iptrust
spamfilter mheader
spamfilter options
spamfilter DNSBL

Confidential and Proprietary Information of ZTE CORPORATION 375

ZXSEC US CLI Reference Guide

IPBWL
Use this command to filter email based on the IP or subnet address. The
ZXSEC US spam filters are generally applied in the following order:
For SMTP
1. IP address BWL check - Last hop IP
2. DNSBL & ORDBL check, IP address Usservice check, HELO DNS lookup
3. E-mail address BWL check
4. MIME headers check
5. IP address BWL check (for IPs extracted from “Received” headers)
6. Return e-mail DNS check, Usservice Antispam check (for IPs extracted
from “Received” headers, and URLs in email content)
7. Banned word check
For POP3 and IMAP
1. E-mail address BWL check
2. MIME headers check, IP BWL check
3. Return e-mail DNS check, Usservice Antispam check, DNSBL & ORDBL
check
4. Banned word check
For SMTP, POP3, and IMAP
The ZXSEC US unit uses the IP address list to filter incoming email. The
ZXSEC US unit compares the IP address of the sender to the list in
sequence. If a match is found, the corresponding protection profile action
is taken. If no match is found, the email is passed on to the next spam
filter.
Enter an IP address and mask in one of two formats:
x.x.x.x/x.x.x.x, for example 192.168.10.23/255.255.255.0
x.x.x.x/x, for example 192.168.10.23/24
Configure the ZXSEC US unit to filter email from specific IP addresses.
Mark each IP address as clear, spam, or reject. Filter single IP addresses,
or a range of addresses at the network level by configuring an address and
mask.
Syntax
config spamfilter ipbwl
edit <ipbwl_list_integer>
set name <ipbwl_list>
set comment <ipbwl_list_comment>
config entries
edit <address_ipv4_integer>
set action {clear | reject | spam}

376 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 12 Router

set ip/subnet
{<address_ipv4> | address_ipv4>/<address_ipv4mask>}
set status {enable | disable}
end

TABLE 105 IPBWL SETTING

Variables Description Default

<ipbwl_list_inte A unique number to identify the IP
ger> black/white list.
<ipbwl_list> The name of the IP black/white
list.
<ipbwl_list_co The comment attached to the IP
mment> black/white list.
<address_ipv4_ A unique number to identify the
integer> address.
action Enter clear to exempt the email spam
{clear | reject | from the rest of the spam filters.
spam} Enter reject to drop any current or
incoming sessions. Enter spam to
apply the spam action configured
in the protection profile.
ip/subnet The IP address to filter. A subnet No default.
{<address_ipv4 mask in the format
>| 192.168.10.23/255.255.255.0 or
<address_ipv4 192.168.10.23/24 can also be
>/<address_ip included.
v4mask>}
status {enable | Enable or disable scanning email enable
disable} for each IP address.

Related topics
spamfilter bword
spamfilter emailbwl
spamfilter USshield
spamfilter iptrust
spamfilter mheader
spamfilter options
spamfilter DNSBL

IPTrust
Use this command to add an entry to a list of trusted IP addresses.
If the ZXSEC US unit sits behind a company’s Mail Transfer Units, it may
be unnecessary to check email IP addresses because they are internal and

Confidential and Proprietary Information of ZTE CORPORATION 377

ZXSEC US CLI Reference Guide

trusted. The only IP addresses that need to be checked are those from
outside of the company. In some cases, external IP addresses may be
added to the list if it is known that they are not sources of spam.
Syntax
config spamfilter iptrust
edit <iptrust_list_integer>
set name <iptrust_list>
set comment <iptrust_list_comment>
config entries
edit <address_integer>
set ip/subnet {<address_ipv4> |
<address_ipv4>/<address_ipv4mask>}
set status {enable | disable}
end

TABLE 106 IPTRUST SETTING

Variables Description Default

<iptrust_list_int A unique number to identify the IP
eger> trust list.
<iptrust_list> The name of the IP trust list.
<iptrust_list_co The comment attached to the IP
mment> trust list.
<address_integ A unique number to identify the
er> address.
ip/subnet The trusted IP address. A subnet No default
{<address_ipv4 mask in the format
>| 192.168.10.23/255.255.255.0 or
<address_ipv4 192.168.10.23/24 can also be
>/<address_ip included.
v4mask>}
status Enable or disable the IP address. enable
{enable |
disable}

Related topics
spamfilter bword
spamfilter emailbwl
spamfilter USshield
spamfilter ipbwl
spamfilter mheader
spamfilter options
spamfilter DNSBL

378 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 12 Router

MHeader
Use this command to configure email filtering based on the MIME header.
MIME header settings are configured with this command but MIME header
filtering is enabled within each protection profile.
The ZXSEC US spam filters are applied in the following order:
For SMTP
1. IP address BWL check - Last hop IP
2. DNSBL & ORDBL check, IP address Usservice check, HELO DNS lookup
3. E-mail address BWL check
4. MIME headers check
5. IP address BWL check (for IPs extracted from “Received” headers)
6. Return e-mail DNS check, Usservice Antispam check (for IPs extracted
from “Received” headers, and URLs in email content)
7. Banned word check
For POP3 and IMAP
1. E-mail address BWL check
2. MIME headers check, IP BWL check
3. Return e-mail DNS check, Usservice Antispam check, DNSBL & ORDBL
check
4. Banned word check
For SMTP, POP3, and IMAP
The ZXSEC US unit compares the MIME header key-value pair of incoming
email to the list pair in sequence. If a match is found, the corresponding
action is taken. If no match is found, the email is passed on to the next
spam filter.
MIME (Multipurpose Internet Mail Extensions) headers are added to email
to describe content type and content encoding, such as the type of text in
the email body or the program that generated the email. Some examples
of MIME headers include:
X-mailer: outgluck
X-Distribution: bulk
Content_Type: text/html
Content_Type: image/jpg
The first part of the MIME header is called the header key, or just header.
The second part is called the value. Spammers often insert comments into
header values or leave them blank. These malformed headers can fool
some spam and virus filters.
Use the MIME headers list to mark email from certain bulk mail programs
or with certain types of content that are common in spam messages. Mark
the email as spam or clear for each header configured.

Confidential and Proprietary Information of ZTE CORPORATION 379

ZXSEC US CLI Reference Guide

Use Perl regular expressions or wildcards to add MIME header patterns to

the list. See “Using Perl regular expressions”.

Note:
MIME header entries are case sensitive.
Syntax
config spamfilter mheader
edit <mime_list_integer>
set name <mime_list>
set comment <mime_list_comment>
config entries
edit <mime_integer>
set action {clear | spam}
set fieldbody <mime_str>
set fieldname <mime_str>
set pattern-type {regexp | wildcard}
set status {enable | disable}
end
end

TABLE 107 IPTRUST SETTING

Variables Description Default

<mime_list_int A unique number to identify the
eger> MIME header list.
<mime_list> The name of the MIME header list.
<mime_list_co The comment attached to the
mment> MIME header list.
<mime_integer A unique number to identify the
> MIME header.
action {clear | Enter clear to exempt the email spam
spam} from the rest of the spam filters.
Enter spam to apply the spam
action configured in the protection
profile.
fieldbody Enter the MIME header (key, No default.
<mime_str> header field body) using wildcards
or Perl regular expressions.
fieldname Enter the MIME header value No default.
<mime_str> (header field name) using
wildcards or Perl regular
expressions. Do not include a
trailing colon.
pattern-type Enter the pattern-type for the wildcard
{regexp | MIME header. Choose from

380 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 12 Router

Variables Description Default

wildcard} wildcards or Perl regular
expressions.
status Enable or disable scanning email enable
{enable | headers for the MIME header and
disable} header value defined in the
fieldbody and fieldname strings.

Related topics
spamfilter bword
spamfilter USshield
spamfilter USshield
spamfilter ipbwl
spamfilter iptrust
spamfilter options
spamfilter DNSBL

Options
Use this command to set the spamfilter dns query timeout.
Syntax
config spamfilter options
set dns-timeout <timeout_integer>
end
Example
This example shows how to set the dns timeout.
config spamfilter options
set dns-timeout 15
end

TABLE 108 OPTIONS

Variables Description Default

dns-timeout Set the DNS query timeout in the 7
<timeout_integ range 1 to 30 seconds.
er>

Related topics
spamfilter bword
spamfilter emailbwl
spamfilter USshield
spamfilter ipbwl

Confidential and Proprietary Information of ZTE CORPORATION 381

ZXSEC US CLI Reference Guide

spamfilter iptrust
spamfilter mheader
spamfilter DNSBL

DNSBL
Use this command to configure email filtering using DNS-based Blackhole
List (DNSBL) or Open Relay Database List (ORDBL) servers. DSNBL and
ORDBL settings are configured with this command but DSNBL and ORDBL
filtering is enabled within each protection profile.
The ZXSEC US spam filters are generally applied in the following order:
For SMTP
1 IP address BWL check - Last hop IP
2 DNSBL & ORDBL check, IP address Usservice check, HELO DNS
lookup
3 E-mail address BWL check
4 MIME headers check
5 IP address BWL check (for IPs extracted from “Received” headers)
6 Return e-mail DNS check, Usservice Antispam check (for IPs
extracted from “Received” headers, and URLs in email content)
7 Banned word check
For POP3 and IMAP
1 E-mail address BWL check
2 MIME headers check, IP BWL check
3 Return e-mail DNS check, Usservice Antispam check, DNSBL &
ORDBL check
4 Banned word check
For SMTP, POP3, and IMAP
The ZXSEC US unit compares the IP address or domain name of the
sender to any database lists configured in sequence. If a match is found,
the corresponding action is taken. If no match is found, the email is
passed on to the next spam filter.
Some spammers use unsecured third party SMTP servers to send
unsolicited bulk email. Using DNSBLs and ORDBLs is an effective way to
tag or reject spam as it enters the network. These lists act as domain
name servers that match the domain of incoming email to a list of IP
addresses known to send spam or allow spam to pass through.
There are several free and subscription servers available that provide
reliable access to continually updated DNSBLs and ORDBLs. Please check
with the service being used to confirm the correct domain name for
connecting to the server.

382 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 12 Router

Note:
Because the ZXSEC US unit uses the server domain name to connect to
the DNSBL or ORDBL server, it must be able to look up this name on the
DNS server. For information on configuring DNS, see “system dns”.
Syntax
config spamfilter DNSBL
edit <DNSBL_list_integer>
set name <DNSBL_list>
set comment <DNSBL_list_comment>
config entries
edit <server_integer>
set action {reject | spam}
set server <name_str>
set status {enable | disable}
end

TABLE 109 DNSBL

Variables Description Default

<DNSBL_list_in A unique number to identify the
teger> DNSBL list.
<DNSBL_list> The name of the DNSBL header
list.
<DNSBL_list_co The comment attached to the
mment> DNSBL header list.
<server_integer A unique number to identify the
> DNSBL server.
action {reject | Enter reject to stop any further spam
spam} processing of the current session
and to drop an incoming
connection at once. Enter spam to
identify email as spam.
server Enter the domain name of a Real- No default.
<name_str> time Blackhole List server or an
Open Relay Database server.
status {enable | Enable or disable querying the enable
disable} Real-time Blackhole List server or
Open Relay Database server
named in the server string.

Related topics
spamfilter bword
spamfilter emailbwl
spamfilter USshield
spamfilter ipbwl

Confidential and Proprietary Information of ZTE CORPORATION 383

ZXSEC US CLI Reference Guide

This page is intentionally blank.

384 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13

System

Overview
Use system commands to configure options related to the overall
operation of the ZXSEC US unit, including:
Administrative access
Automatic updating of antivirus and attack definitions
High availability (HA)
Network interfaces
Replacement messages
VLANs and virtual domains
This chapter contains the following sections:
accprofile
admin
alertemail
arp-table
auto-install
autoupdate
clientoverride
autoupdate
override
autoupdate
push-update
autoupdate
schedule
autoupdate
tunneling

Confidential and Proprietary Information of ZTE CORPORATION 385

ZXSEC US CLI Reference Guide

aux
bug-report console
dhcp reserved-address
dhcp server dns
fips-cc
Usla, Usla2, Usla3
gi-gk (US Carrier)
global
gre-tunnel ha interface
ipv6-tunnel
mac-address-table management-tunnel
modem
npu
proxy-arp
replacemsg
admin
replacemsg
alertmail
replacemsg
auth
replacemsg
Usservice-wf
replacemsg
ftp
replacemsg
http
replacemsg
im
replacemsg
mail
replacemsg mm1 (US Carrier)
replacemsg mm3 (US Carrier)
replacemsg mm4 (US Carrier)
replacemsg mm7 (US Carrier)
replacemsg nntp
replacemsg spam

386 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

replacemsg sslvpn
replacemsg-group (US Carrier)
replacemsg-image (US Carrier)
session-helper
session-sync
session-ttl
settings
snmp community
snmp sysinfo
switch-interface
tos-based-priority
vdom-link
wireless mac-filter
wireless settings
zone

Accprofile
Use this command to add access profiles that control
administrator access to ZXSEC US features. Each ZXSEC US
administrator account must include an access profile. You can
create access profiles that deny access, allow read only, or allow
both read and write access to ZXSEC US features.
You cannot delete or modify the super_admin access profile, but
you can use the super_admin profile with more than one
administrator account.
Syntax
config system accprofile
edit <profile-name>
set <access-group> <access-level>
config fwgrp-permission
set address {none | read | read-write}
set others {none | read | read-write}
set policy {none | read | read-write}
set profile {none | read | read-write}
set schedule {none | read | read-write}
set service {none | read | read-write}
end

Confidential and Proprietary Information of ZTE CORPORATION 387

ZXSEC US CLI Reference Guide

set schedule read-write
end
end
end
Related topics
system admin

Admin
Use this command to add, edit, and delete administrator
accounts. Administrators can control what data modules appear
in the ZXSEC US unit system dashboard by using the config
system admin command. Administrators must have read and
write privileges to make dashboard GUI modifications.
Use the default admin account or an account with system
configuration read and write privileges to add new administrator
accounts and control their permission levels. Each administrator
account except the default admin must include an access profile.
You cannot delete the default super admin account or change
the access profile (super_admin). In addition, there is also an
access profile that allows read-only super admin privileges,
super_admin_readonly. The super_admin_readonly profile
cannot be deleted or changed, similar to the super_admin profile.
This read-only super-admin may be used in a situation where it
is necessary to troubleshoot a customer configuration without
making changes.
You can authenticate administrators using a password stored on
the ZXSEC US unit or you can use a RADIUS server to perform
authentication. When you use RADIUS authentication, you can
authenticate specific administrators or you can allow any
account on the RADIUS server to access the ZXSEC US unit as
an administrator.

Note:
For users with super_admin access profile, you can reset the
password in the CLI.
For a user ITAdmin with the access profile super_admin,
to set the password to 123456:
config sys admin
edit ITAdmin
set password 123456
end

Confidential and Proprietary Information of ZTE CORPORATION 391

ZXSEC US CLI Reference Guide

For a user ITAdmin with the access profile super_admin,

to reset the password from 123456 to the default ‘empty’
or ‘null’:
config sys admin
edit ITAdmin un
set password 123456
end
If you type ‘set password ?’ in the CLI, you will have to enter the
new password and the old password in order for the change to
be effective. In this case, you will NOT be able to reset the
password to ‘empty’ or‘null’.
You can configure an administrator to only be allowed to log in
at certain times. The default setting allows administrators to log
in any time.
For detailed information about configuring administrators, see
the System Administration chapter of the ZXSEC US
Administration Guide for your model.

Note:
You cannot change the management VDOM if any administrators
are using RADIUS authentication.
Syntax
config system admin
edit <name_str>
set accprofile <profile-name>
set comments <comments_string>
set password <admin_password>
set peer-auth <peer_auth>
set peer-group <peer-grp>
set remote-auth {enable | disable}
set remote-group <name>
set schedule <schedule-name>
set ssh-public-key1 "<key-type> <key-value>"
set ssh-public-key2 "<key-type> <key-value>"
set ssh-public-key3 "<key-type> <key-value>"
set trusthost1 <address_ipv4mask>
set trusthost2 <address_ipv4mask>
set trusthost3 <address_ipv4mask>
set vdom <vdom_name> setsystem wildcard {enable | disable}
config dashboard
edit moduleid <module_name>

392 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

set column <column_number>

set status <module_status>
end
end
end

TABLE 111 ADMIN SETTING

Example
Use the following commands to add a new administrator account
named new_admin with the password set to p8ssw0rd and that
includes an access profile named policy_profile. It is accessible
on the main_office VDOM. Administrators that log in to this
account will have administrator access to the ZXSEC US unit
from any IP address. The dashboard setting alert > show-
system-restart is enabled and displays in column 2 of the US
GUI.
config system admin
edit new_admin
set password p8ssw0rd
set accprofile policy_profile
set vdom main_office
config dashboard

396 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

edit alert
set column 2
set status open
show-system-restart enable end
end
end
Related topics
system accprofile

Alertemail
Use this command to configure the ZXSEC US unit to access an
SMTP server to send alert emails. This command is global in
scope.
To configure alertemail settings you must first configure the
server, and enable authenticate. Then you will be able to see all
the keywords.

Note:
You must configure the server setting under config system
alertemail before the commands under config alertemail become
accessible. For more information on config alertemail, see
“alertemail”.
Syntax
config system alertemail
set authenticate {disable | enable}
set password <password-str>
set server {<name-str> | <address-ipv4>}
set username <username-str>
end

Confidential and Proprietary Information of ZTE CORPORATION 397

ZXSEC US CLI Reference Guide

TABLE 112 ALERTEM AIL SETTING

Variables Description Default

authenticate Enable SMTP authentication if the disable
{disable | ZXSEC US unit is required to
enable} authenticate before using the
SMTP server.
This variable is accessible only if
server is defined.
password Enter the password that the No default.
<password-str> ZXSEC US unit needs to access the
SMTP server.
This variable is accessible only if
authenticate is enabled and server
is defined.
server Enter the name of the SMTP No default.
{<name-str> | server, in the format
<address- smtp.domain.com, to which the
ipv4>} ZXSEC US unit should send email.
Alternately, the IP address of the
SMTP server can be entered. The
SMTP server can be located on any
network connected to the ZXSEC
US unit.
username Enter the user name for the SMTP No default.
<username- server that the ZXSEC US unit
str> uses to send alert emails.
This variable is accessible only if
authenticate is enabled and server
is defined.

Examples
This example shows how to configure the ZXSEC US unit to send
alert emails using the SMTP server smtp.ourcompany.com. The
order of the keywords is important. The server must be defined
first. Then authentication needs to be next. The ZXSEC US unit
uses the user name admin2 and the password h8rdt0g3uss to
connect to the SMTP server.
config system alertemail
set server smtp.ourcompany.com
set authenticate enable
set password h8rdt0g3uss
set username admin2
end

398 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

ARP-table
Use this command to manually configure the ARP table entries
on the ZXSEC US unit. You can only access the arp-table values
from the CLI.
This command is not available when VDOMs are enabled or in TP
mode.
Syntax
config system arp-table
edit <table_value>
set interface <port>
set ip <address-ipv4>
set mac <mac_address>
end

TABLE 113 ARP-TABLE SETTING

Variables Description Default

interface Enter the interface this ARP entry No default
<port> is associated with
ip <address- Enter the IP address of the ARP No default.
ipv4> entry.
mac Enter the MAC address of the No default.
<mac_address device entered in the table, in the
> form of xx:xx:xx:xx:xx:xx.

Examples
This example adds an entry to the arp-table with a MAC address
of 00-09-0f-69-00-7c and an IP address of 172.20.120.161 on
the port2 interface.
config system arp-table
edit 3
set interface port2
set ip 172.20.120.161
set mac 00:09:0f:69:00:7c
end
Related topics
get system arp

Confidential and Proprietary Information of ZTE CORPORATION 399

ZXSEC US CLI Reference Guide

Auto-install
Use this command to configure automatic installation of
firmware and system configuration from a USB disk when the
ZXSEC US unit restarts. This command is available only on units
that have a USB disk connection.
If you set both configuration and firmware image update, both
occur on the same reboot. The ZXSEC US unit will not reload a
firmware or configuration file that is already loaded.
USUSB and generic USB disks are supported. However, the USB
disk must be formatted as a FAT16 drive. No other partition type
is supported.
To format your USB Disk when its connected to your ZXSEC US
unit, at the CLI prompt type “exe usb- disk format”.
To format your USB disk when it is connected to a Windows
system, at the command prompt type “format <drive_letter>:
/FS:FAT /V:<drive_label>” where <drive_letter> is the letter of
the connected USB drive you want to format, and <drive_label>
is the name you want to give the USB disk volume for
identification.

Note:
This command is available only when a USB key is installed on
the ZXSEC US unit. Formatting your USB disk will delete all
information on your USB disk.
Syntax
config system auto-install
set auto-install-config {disable | enable}
set auto-install-image {disable | enable}
set default-config-file
set default-image-file
end

TABLE 114 AUTO-INSTALL SETTING

Variables Description Default

auto-install- Enable or disable automatic disable
config loading of the system
{disable | configuration from a USB disk on
enable} the next reboot.

auto-install- Enable or disable automatic disable

day Enter the day of the week on Monday
<day_of_week which to check for updates. Enter
> one of: Sunday, Monday, Tuesday,
Wednesday, Thursday, Friday, or
Saturday.
This option is available only when
frequency is set to weekly.
frequency Schedule the ZXSEC US unit to every
{every | daily | check for updates every hour,
weekly} once a day, or once a week. Set
interval to one of the following:
every
Check for updates periodically.
Set time to the time interval to
wait between updates.daily
Check for updates once a day.
Set time to the time of day to
check for updates weekly
Check for updates once a
week. Set day to the day of
the week to check for updates.
Set time to the time of day to
check for updates.

status {enable | Enable or disable scheduled disable

disable} updates.
time <hh:mm> Enter the time at which to check 01:60
for updates.
hh can be 00 to 23
mm can be 00-59, or 60 for
random minute

Example
This example shows how to configure the ZXSEC US unit to
check the Usservice Distribution Network (UDN) for updates
once a day at 3:00 in the morning.
config system autoupdate schedule
set frequency daily
set time 03:00
set status enable
end
This example is the same as the above example but it will check
for updates once a day at sometime between 3:00 and 4:00 in
the morning.
config system autoupdate schedule

Confidential and Proprietary Information of ZTE CORPORATION 405

ZXSEC US CLI Reference Guide

set frequency daily

set time 03:60
set status enable
end
Related topics
system autoupdate override
system autoupdate push-update
system autoupdate tunneling
system global

Autoupdate Tunneling
Use this command to configure the ZXSEC US unit to use a
proxy server to connect to the Usservice Distribution Network
(UDN). To use the proxy server, you must enable tunneling and
add the IP address and port required to connect to the proxy
server. If the proxy server requires authentication, add the user
name and password required to connect to the proxy server.
The ZXSEC US unit connects to the proxy server using the HTTP
CONNECT method, as described in RFC 2616. The ZXSEC US
unit sends a HTTP CONNECT request to the proxy server
(optionally with authentication information) specifying the IP
address and port required to connect to the UDN. The
proxy server establishes the connection to the UDN and passes
information between the ZXSEC US unit and the UDN.
The CONNECT method is used mostly for tunneling SSL traffic.
Some proxy servers do not allow CONNECT to connect to any
port; proxy servers restrict the allowed ports to the well known
ports for HTTPS and perhaps some other similar services.
Because ZXSEC US autoupdates use HTTPS on port 8890 to
connect to the UDN, your proxy server might have to be
configured to allow connections on this port.
Syntax
config system autoupdate tunneling
set address <proxy_address>
set password <password>
set port <proxy_port>
set status {enable | disable}
set username <name>
end

406 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

TABLE 119 AUTOUPDATE TUNNELING SETTING

Variables Description Default

address The IP address or fully qualified No default.
<proxy_addres domain name of the proxy server.
s>
password The password to connect to the No default.
<password> proxy server if one is required.
port The port required to connect to the No default.
<proxy_port> proxy server.
status {enable | Enable or disable tunneling. disable
disable}
username The user name used to connect to No default.
<name> the proxy server.

Example
This example shows how to enable tunneling where the ZXSEC
US unit must connect to a proxy server with IP address
67.35.50.34 that uses port 8080, requires the user id
proxy_user and the password proxy_pwd.
config system autoupdate tunneling
set address 67.35.50.34
set port 8080
set username proxy_user
set password proxy_pwd
set status enable
end
Related topics
system autoupdate override
system autoupdate push-update
system autoupdate schedule

Aux
Use this command to configure the AUX port on 2010, 2010A,
and 2350 models for remote console connection. You would use
a modem to remotely connect to a console session on the ZXSEC
US unit.
The main difference between the standard console port and the
aux port is that the standard console port is for local serial
console connections only - it cannot accept a modem connection
to establish a remote console connection. The aux console port
allows you to establish a local connection, but it has some
limitations the standard console port does not have.

Confidential and Proprietary Information of ZTE CORPORATION 407

ZXSEC US CLI Reference Guide

The AUX port will not display the booting messages that the
standard console connection displays.
The AUX port will send out modem initializing strings (AT
strings) that will appear on an aux console session at the
start.
Syntax
config system aux
set baudrate <baudrate>
end
<baudrate> is the speed of the connection. It can be set to one
of the following: 9600, 19200, 38400, 57600, or 115200. The
default is 9600.
Ensure devices on both ends of the connection are set to the
same baudrate.
Related topics
system console

Bug-report
Use this command to configure a custom email relay for sending
problem reports to USnet customer support.
Syntax
config system bug-report
set auth {no | yes}
set mailto <email_address>
set password <password>
set server <servername>
set username <name>
set username-smtp <account_name>
end

TABLE 120 BUG-REPORT SETTING

baudrate Set the console port baudrate. 9600
<speed> Select one of 9600, 19200,
38400, 57600, or 115200.
mode {batch | Set the console mode to line or line
line} batch. Used for autotesting only.
output Set console output to standard (no standard
{standard | pause) or more (pause after each
more} screen is full, resume on
keypress).
This setting applies to show or get
commands only.

Example
This example shows how to set the baudrate to 38400 and set
the output style to more so it will pause after each screen full of
information.
config system console
set baudrate 38400 set output more
end
Related topics
system aux

DHCP Reserved-address
Use this command to reserve an IP address for a particular client
identified by its device MAC address and type of connection. The
DHCP server then always assigns the reserved IP address to the
client. The number of reserved addresses that you can define
ranges from 10 to 200 depending on the ZXSEC US model.

Note:
For this configuration to take effect, you must configure at least
one DHCP server using the config system dhcp server command,
see “dhcp server”.
Syntax
config system dhcp reserved-address
edit <name_str>
set ip <address_ipv4>
set mac <address_hex>

410 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

set type {regular | ipsec}

end

TABLE 122 DHCP RESERVED-ADDRESS SETTING

Variables Description Default

ip Enter the IP address. 0.0.0.0
<address_ipv4
>
mac Enter the MAC address. 00:00:00:00
<address_hex> :00:00
type {regular | Enter the type of the connection to regular
ipsec} be reserved:
• regular
Client connecting through regular
Ethernet
• IPSec
Client connecting through IPSec
VPN

Example
Use the following command to add a reserved address named
client_1 consisting of IP address 192.168.110.3 and MAC
address 00:09:0F:0A:01:BC for a regular ethernet connection.
config system dhcp reserved-address
edit client_1
set ip 192.168.110.3
set mac 00:09:0F:0A:01:BC
set type regular
end
Related topics
system dhcp server
system interface

DHCP Server
Use this command to add one or more DHCP servers for any
ZXSEC US interface. As a DHCP server, the interface dynamically
assigns IP addresses to hosts on a network connected to the
interface. On ZXSEC US models numbered 100 and below, you
can configure up to 8 DHCP servers. On all other models, you
can configure up to 32 DHCP servers.
You can add more than one DHCP server to a single interface to
be able to provide DHCP services to multiple networks. For more
information on configuring your network and ZXSEC US unit to

Confidential and Proprietary Information of ZTE CORPORATION 411

ZXSEC US CLI Reference Guide

use multiple DHCP servers on one interface, see the System

DHCP chapter in the Administration Guide for your ZXSEC US
unit.
This command is available in NAT/Route mode only.
Syntax
config system dhcp server edit <dhcpservername>
set conflicted-ip-timeout <timeout_int>
set default-gateway <address_ipv4>
set dns-server1 <address_ipv4>
set dns-server2 <address_ipv4>
set dns-server3 <address_ipv4>
set domain <domain-name_str>
set enable {enable | disable}
set end-ip <address_ipv4>
set interface <interface-name>
set ipsec-lease-hold <release_seconds>
set lease-time <seconds>
set netmask <mask>
set option1 <option_code> [<option_hex>]
set option2 <option_code> [<option_hex>]
set option3 <option_code> [<option_hex>]
set server-type <type>
set start-ip <address_ipv4>
set wins-server1 <wins_ipv4>
set wins-server2 <wins_ipv4>
config exclude-range
edit <excl_range_num>
set end-ip <excl_ipv4>
set start-ip <excl_ipv4>
end
end

TABLE 123 DHCP SEVER SETTING

Variables Description Default

conflicted-ip- Enter the time in seconds to wait 1800
timeout before a conflicted IP address is
<timeout_int> removed from the DHCP range.
Valid range is from 60 to 8640000
seconds (1 minute to 100 days).
default-gateway The IP address of the default 0.0.0.0

Chapter 13 User

Variables Description Default

client-override-status is
enable.
client-override- Enable to force your ZXSEC US disable
status unit to connect to the Usservice
{enable | servers using a specific IP address.
disable} You must also configure client-
override-ip.
hostname Enter the host name of the service.
<url_str> primary Usservice server. Usservice
ZXSEC US unit defaults include the .net
host name. Use this command
only when required to change the
host name. Alternatively configure
srv-ovrd.
This keyword is available only if
srv-ovrd is disable.
port {53 | Enter the port to use for rating 53
8888} queries to the Usservice Web
Filtering or Usservice Antispam
service.
service- Enter the Service Account ID to No default.
account-id use with communications with
<id_str> Usservice Analysis Service or
Usservice Management Service.
srv-ovrd Enable to override the primary disable
{enable | Usservice server set in hostname.
disable} Specify override server(s) using
config srv-ovrd-list. Alternatively,
configure hostname.
hostname is not used and
unavailable for configuration when
this keyword is enable.
webfilter-cache Enable or disable caching of disable
{enable | Usservice Web Filtering query
disable} results, including category ratings
for URLs.
Enabling the cache can improve
performance because the ZXSEC
US unit does not need to access
the UDN each time the same IP
address or URL is requested. When
the cache is full, the least recently
used cache entry is replaced.

DNS
Use this command to set the DNS server addresses. Several
ZXSEC US functions, including sending email alerts and URL
blocking, use DNS.

Confidential and Proprietary Information of ZTE CORPORATION 417

ZXSEC US CLI Reference Guide

On models numbered 100 and lower, you can use this command
to configure DNS forwarding. The autosvr and fwdintf keywords
are only available on models numbered 100 and lower.
Syntax
config system dns
set autosvr {enable | disable}
set cache-notfound-responses {enable | disable}
set dns-cache-limit <integer>
set domain <domain_name>
set fwdintf <interface>
set primary <dns_ipv4>
set secondary <dns_ip4>
end
Example
This example shows how to set the primary ZXSEC US DNS
server IP address to 45.37.121.76 and the secondary ZXSEC US
DNS server IP address to 45.37.121.77.
config system dns
set primary 45.37.121.76
set secondary 45.37.121.77
end

FIPS-CC
Use this command to set the ZXSEC US unit into FIPS-CC mode.
Enable Federal Information Processing Standards-Common
Criteria (FIPS-CC) mode. This is an enhanced security mode that
is valid only on FIPS-CC-certified versions of the ZXSEC US
firmware.
When switching to FIPS-CC mode, you will be prompted to
confirm, and you will have to login.

Note:
When you enable FIPS-CC mode, all of the existing configuration
is lost.
For more information on FIPS-CC mode, see the FIPS-CC
technote on the Knowledge Center website.
Syntax
config system fips-cc
set

418 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Chapter 13 User

Usservice
Use this command to configure communications with the
Usservice Distribution Network (UDN) for Usservice subscription
services such as:
Usservice Antivirus and IPS
Usservice Web Filtering and Antispam
Usservice Analysis and Management Service
By default, ZXSEC US units connect to the UDN using a set of
default connection settings. You can override these settings to
use IP addresses and port numbers other than the defaults.

Note:
If the ZXSEC US unit is unable to connect to the UDN, verify
connectivity on required ports. For a list of required ports, see
the USnet Knowledge Center article Traffic Types and TCP/UDP
Ports Used by USnet Products.
IP address and port number overrides for Usservice Analysis and
Management Service are configured separately from other
Usservice services. For details, see “system Usservice-log”. For
additional information on the Usservice Analysis and
Management Service, see the Usservice Analysis and
Management Service Administration Guide.
Syntax
config system Usservice
set antispam-status {enable | disable}
set antispam-cache {enable | disable}
set antispam-cache-ttl <ttl_int>
set antispam-cache-mpercent <ram_int>
set antispam-timeout <timeout_int>
set avquery-status {enable | disable}
set avquery-cache {enable | disable}
set avquery-cache-ttl <ttl_int>
set avquery-cache-mpercent <max_int>
set avquery-timeout <timeout_int>
set central-mgmt-auto-backup {enable | disable}
set central-mgmt-scheduled-config-restore {enable | disable}
set central-mgmt-scheduled-upgrade {enable | disable}
set central-mgmt-status {enable | disable}
set client-override-ip <ovrd_ipv4>
set client-override-status {enable | disable}

Confidential and Proprietary Information of ZTE CORPORATION 421

ZXSEC US CLI Reference Guide

set hostname <url_str>

set port {53 | 8888}
set service-account-id <id_str>
set srv-ovrd {enable | disable}
set webfilter-cache {enable | disable}
set webfilter-cache-ttl <ttl_int>
set webfilter-status {enable | disable}
set webfilter-timeout <timeout_int>
config serv-ovrd-list
edit <index_int>
set ip <ovrd_ipv4>
end
end
end

ZXSEC US CLI Reference Guide

Variables Description Default

and is set after contacting the UDN
to validate the Usservice Web
Filtering license.
This variable can be viewed with
the get command, but cannot be
set.
webfilter-status Enable or disable use of Usservice disable
{enable | Web Filtering service.
disable}
webfilter- Enter the Usservice Web Filtering 15
timeout query timeout. Valid timeout
<timeout_int> ranges from 1 to 30 seconds.

config serv-ovrd-list
This command is available only if srv-ovrd is enable.
<index_int> Enter the index number of a No default.
Usservice Antivirus and IPS server
override.
ip <ovrd_ipv4> Enter the IP address that will 0.0.0.0
override the default server IP
address. This may be the IP
address of a specific UDN server.

Example
This example shows how to configure the ZXSEC US unit for
remote administration by Usservice
Analysis and Management Service.
config system Usservice
set central-mgmt-status enable
set service-account-id ExampleCo
set central-mgmt-auto-backup enable
set central-mgmt-config-restore enable
set central-mgmt-scheduled-upgrade enable
end
config system management-tunnel
end
Related topics
get system dashboard
system Usservice-log
system management-tunnel
Usservice setting

426 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Usservice-log
Use this command to override default ports and IP addresses to
which the ZXSEC US unit connects for Usservice Analysis and
Management Service.
Syntax
config system Usservice-log
set controller-ip <address_ipv4>
set controller-port <port_int>
set override-controller {enable | disable}
end

TABLE 128 USSERVICE-LOG SETTING

Variables Description Default

controller-ip Enter the IP address of the 0.0.0.0
<address_ipv4 Usservice Analysis and
> Management Service controller.
This option appears only if
override-controller is
enable.
controller-port Enter the port number of the 0
<port_int> Usservice Analysis and
Management Service controller.
Valid ports range from 0 to
65535.
This option appears only if
override-controller is
enable.
override- Select to override the default disable
controller Usservice Analysis and
{enable | Management Service controller IP
disable} address and/or port.

Example
This example shows how to override the default IP address and
port number to which the ZXSEC US unit connects when
communicating with the Usservice Analysis and Management
Service for features such as remote logging and reporting.
config system Usservice-log
set override-controller enable
set controller-ip 172.168.1.5
set controller-port 1234
end
Related topics

Confidential and Proprietary Information of ZTE CORPORATION 427

ZXSEC US CLI Reference Guide

system Usservice
system management-tunnel
Usservice setting

GI-GK (US Carrier)

This command configures the settings for the Gi gateway firewall.
This firewall is used in the anti- overbilling configuration, and
can be enabled on a per interface basis. For more information
see“system interface”.
Syntax
config system gi-gk
set context <id_integer>
set port <tcp_port>
end

TABLE 129 GI-GK (US CARRIER) SETTING

Variables Description Default

context Enter the context ID for the Gi
<id_integer> gateway firewall
port Enter the TCP port to listen to. 0
<tcp_port> Valid range is from 0 to 65535.

428 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

interface is configured as one interface shared by all four ports.

Switch mode allows you to configure each interface on the
switch separately with their own interfaces. Consult your release
notes for the most current list of supported models for this
feature. The keywords internal-switch-mode {interface | switch}
and internal-switch-speed {100full | 100half | 10full | 10half |
auto} apply only to switch mode enabled ZXSEC US models.
Syntax
config system global
set access-banner {enable | disable}
set admin-https-pki-required {enable | disable}
set admin-maintainer {enable | disable}
set admin-port <port_number>
set admin-scp {enable | disable}
set admin-server-cert { self-sign | <certificate>}
set admin-sport <port_number>
set admin-ssh-port <port_number>
set admin-ssh-v1 {enable | disable}
set admin-telnet-port <port_number>
set admintimeout <admin_timeout_minutes>
set allow-interface-subnet-overlap {enable | disable}
set auth-cert <cert-name>
set auth-http-port <http_port>
set auth-https-port <https_port>
set auth-keepalive {enable | disable}
set av-failopen {idledrop | off | one-shot | pass}
set av-failopen-session {enable | disable}
set batch_cmdb {enable | disable}
set CUS-save {automatic | manual | revert}
set CUS-revert-timeout <seconds>
set check-reset-range {enable | disable}
set clt-cert-req {enable | disable}
set conn-tracking {enable | disable}
set daily-restart {enable | disable}
set detection-summary {enable | disable}
set dst {enable | disable}
set failtime <failures_count>
set fds-statistics {enable | disable}
set fds-statistics-period <minutes>

Confidential and Proprietary Information of ZTE CORPORATION 429

ZXSEC US CLI Reference Guide

set USDesktop-portal-port <port>

set fsae-burst-size <packets>
set fsae-rate-limit (pkt_sec)
set gui-lines-per-page <gui_lines>
set hostname <unithostname>
set http-obfuscate {header-only | modified | no-error | none}
set ie6workaround {enable | disable}
set internal-switch-mode {interface | switch}
set internal-switch-speed {100full | 100half | 10full | 10half | auto}
set interval <deadgw_detect_seconds>
set ip-src-port-range <start_port>-<end_port>
set language <language>
set lcdpin <pin_number>
set lcdprotection {enable | disable}
set ldapconntimeout <ldaptimeout_msec>
set loglocaldeny {enable | disable}
set management-vdom <domain>
set ntpserver <ntp_server_address>
set ntpsync {enable | disable}
set optimize {antivirus | throughput}
set phase1-rekey {enable | disable}
set radius-port <radius_port>
set refresh <refresh_seconds>
set remoteauthtimeout <remoteauth_timeout_mins>
set reset-sessionless-tcp {enable | disable}
set restart-time <hh:mm>
set show-backplane-intf {enable | disable}
set sslvpn-sport <port_number>
set strong-crypto {enable | disable}
set syncinterval <ntpsync_minutes>
set tcp-halfclose-timer <seconds>
set tcp-halfopen-timer <seconds>
set tcp-option {enable | enable}
set timezone <timezone_number>
set tos-based-priority {low | medium | high}
set tp-mc-skip-policy {enable | disable}
set udp-idle-timer <seconds>
set user-server-cert <cert_name>

430 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

set vdom-admin {enable | disable}

set vip-arp-range {unlimited | restricted}
end

Chapter 13 User

Variables Description Default

tos-based- Select the default system-wide high
priority level of priority for Type of Service
{low | medium (TOS). TOS determines the priority
| high} of traffic for scheduling. Typically
this is set on a per service type
level. See system tos-based-
priority for more information.
The value of this keyword is the
default setting for when TOS is not
configured on a per service level.
tp-mc-skip- Enable to allow skipping of the disable
policy policy check, and to enable
{enable | multicast through.
disable}
udp-idle-timer Enter the number of seconds 180
<seconds> before an idle udp connection
times out. The valid range is from
1 to 86400 seconds.
user-server-cert Select the certificate to use for See
<cert_name> https user authentication. definition
Default setting is USnet_Factory, if under
available, otherwise self-sign. Description.

vdom-admin Enable to configure multiple virtual disable

{enable | domains.
disable}
vip-arp-range vip-arp-range controls the number restricted
{unlimited | of ARP packets the ZXSEC US unit
restricted} sends for a VIP range.
If restricted, the ZXSEC US unit
sends ARP packets for only the
first 8192 addresses in a VIP
range.
If unlimited, the ZXSEC US unit
sends ARP packets for every
address in the VIP range.

Example
This example shows how to change to enable daylight savings
time.
config system global
set dst enable
end
Related topics
execute CUS reload
execute CUS save

Confidential and Proprietary Information of ZTE CORPORATION 441

ZXSEC US CLI Reference Guide

GRE-tunnel
Use this command to configure the tunnel for a GRE interface. A
new interface of type “tunnel” with the same name is created
automatically as the local end of the tunnel. This command is
available only in NAT/Route mode.
To complete the configuration of a GRE tunnel, you need to:
configure a firewall policy to pass traffic from the local
private network to the tunnel interface
configure a static route to the private network at the remote
end of the tunnel using the GRE tunnel“device”
optionally, define the IP addresses for each end of the tunnel
to enable dynamic routing through the tunnel or to enable
pinging of each end of the tunnel for testing
Syntax
config system gre-tunnel edit <tunnel_name>
set interface <interface_name>
set local-gw <localgw_IP>
set remote-gw <remotegw_IP>
end
Example
In this example, a GRE tunnel is needed between two sites using
ZXSEC US units. Users on the 192.168.2.0/24 network at Site A
need to communicate with users on the 192.168.3.0/24 network
at Site B. At both sites the private network is connected to Port
2 of the ZXSEC US unit and the connection to the Internet is
through Port 1. At Site A, the public IP address is 172.16.67.199
and at Site B it is 172.16.68.198.
Site A configuration Site B configuration
config system gre-tunnel
edit toSiteB
set interface port1
set local-gw 172.16.67.199
set remote-gw 172.16.68.198
end
config system gre-tunnel
edit toSiteA
set interface port1
set local-gw 172.16.68.198
set remote-gw 172.16.67.199
end

442 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

config firewall policy

edit 1
set src-intf port2 set dst-intf toSiteB set srcaddr all
set dstaddr all set action accept set service ANY
set schedule always next
config firewall policy
edit 1
set src-intf port2 set dst-intf toSiteA set srcaddr all
set dstaddr all set action accept set service ANY
set schedule always next
edit 2
set src-intf toSiteB set dst-intf port2 set srcaddr all
set dstaddr all set action accept set service ANY
set schedule always end
edit 2
set src-intf toSiteA set dst-intf port2 set srcaddr all
set dstaddr all set action accept set service ANY
set schedule always end
config route static
edit 1
set device toSiteB
set dst 192.168.3.0/24
end
config route static
edit 1
set device toSiteA
set dst 192.168.2.0/24
end
(Optional)
config system interface
edit toSiteB
set ip 10.0.0.1/32
set remote-ip 10.0.0.2
set allowaccess ping end
(Optional)
config system interface
edit toSiteA
set ip 10.0.0.2/32

Confidential and Proprietary Information of ZTE CORPORATION 443

ZXSEC US CLI Reference Guide

set remote-ip 10.0.0.1

set allowaccess ping
end
Related topics
system interface
firewall policy, policy6
router static

Ha
Use this command to enable and configure ZXSEC US high
availability (HA) and virtual clustering. HA is supported on ZXSEC
US and USWiFi models numbered 120 and higher. Using the
config system ha command you must configure all cluster
members with the same group name, mode, and password before
the ZXSEC US units can form a cluster.
Group name, mode, password, as well as priority and group ID
are not synchronized between cluster units. The primary unit
synchronizes all other configuration settings, including the other
HA configuration settings.
When virtual domains are enabled for the ZXSEC US units to be
operating in HA mode you are configuring virtual clustering.
Using virtual clustering you create two virtual clusters and add
virtual domains to each cluster. Configuring virtual clustering is
very similar to configuring normal HA except that in a virtual
cluster, the HA mode can only be set to active-passive. As well
additional options are available for adding virtual domains to
each virtual cluster and for setting the device priority for each
device in each virtual cluster.

Note:
You cannot enable HA mode if one of the ZXSEC US unit
interfaces uses DHCP or PPPoE to acquire an IP address. If DHCP
or PPPoE is configured, the config ha mode keyword is not
available.
For complete information about how to configure and operate
ZXSEC US HA clusters and more detail about the config system
ha CLI command, see the ZXSEC US HA Overview, the ZXSEC US
HA Guide, and the USnet Knowledge Center.
Command syntax pattern
config system ha
set arps <arp_integer>
set arps-interval <interval_integer>
set authentication {disable | enable}

444 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

set encryption {disable | enable}

set group-id <id_integer>
set group-name <name_str>
set hb-interval <interval_integer>
set hb-lost-threshold <threshold_integer>
set hbdev <interface_name> <priority_integer> [<interface_name>
<priority_integer>]...
set helo-holddown <holddown_integer>
set link-failed-signal {disable | enable}
set load-balance-all {disable | enable}
set mode {a-a | a-p | standalone}
set monitor <interface_names>
set override {disable | enable}
set password <password_str>
set pingserver-failover-threshold <threshold_integer>
set pingserver-flip-timeout <timeout_integer>
set pingserver-monitor-interface <interface_names>
set priority <priority_integer>
set route-hold <hold_integer>
set route-ttl <ttl_integer>
set route-wait <wait_integer>
set schedule {hub | ip | ipport | leastconnection | none | random
| round-robin | weight-round-robin}
set session-pickup {disable | enable}
set sync-config {disable | enable}
set uninterruptable-upgrade {disable | enable}
set weight <priority_integer> <weight_integer>
set vdom <vdom_names>
set vcluster2 {disable | enable}
end
config secondary-vcluster
set monitor <interface_names>
set override {disable | enable}
set priority <priority_integer>
set vdom <vdom_names>
end
end

Confidential and Proprietary Information of ZTE CORPORATION 445

ZXSEC US CLI Reference Guide

vdom Add virtual domains to virtual All virtual
<vdom_names cluster 1 or virtual cluster 2. domains are
> Virtual cluster 2 is also called the added to
secondary virtual cluster. virtual
In the config system ha shell, use cluster 1.
set vdom to add virtual domains to
virtual cluster 1. Adding a virtual
domain to virtual cluster 1
removes that virtual domain from
virtual cluster 2.
In the config secondary-vcluster
shell, use set vdom to add virtual
domains to virtual cluster 2.
Adding a virtual domain to virtual
cluster 2 removes it from virtual
cluster 1.
You can use vdom to add virtual
domains to a virtual cluster in any
combination. You can add virtual
domains one at a time or you can
add multiple virtual domains at a
time. For example, entering set
vdom domain_1 followed by
set vdom domain_2 has the same
result as entering
set vdom domain_1 domain_2.
vcluster2 Enable or disable virtual cluster 2. disable
{disable | In the global virtual domain
enable} configuration, virtual cluster 2 is
enabled by default. When virtual
cluster 2 is enabled you
can use config secondary-cluster
to configure virtual cluster 2.
Disable virtual cluster 2 to move
all virtual domains from virtual
cluster 2 back to virtual cluster 1.
Enabling virtual cluster 2 enables
override for virtual cluster 1 and
virtual cluster 2.
config Configure virtual cluster 2. You Same
secondary- must enable vcluster2. Then you defaults as
vcluster can use config secondary-vcluster virtual
to set monitor, override, priority, cluster 1
and vdom for virtual cluster 2. except that
the default
value for
override is
enable.

Example
This example shows how to configure a ZXSEC US unit for
active-active HA operation. The example shows how to set up a

460 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

basic HA configuration by setting the HA mode, changing the

group-name, and entering a password. You would enter the exact
same commands on every ZXSEC US unit in the cluster. In the
example virtual domains are not enabled.
config system ha
set mode a-a
set group-name myname
set password HApass
end
The following example shows how to configure a ZXSEC US unit
with virtual domains enabled for active- passive HA operation. In
the example, the ZXSEC US unit is configured with three virtual
domains (domain_1, domain_2, and domain_3) in addition to the
root virtual domain. The example shows how to set up a basic
HA configuration similar to the previous example; except that the
HA mode can only be set to a-p. In addition, the example shows
how to enable vcluster2 and how to add the virtual domains
domain_2 and domain_3 to vcluster2.
config global
config system ha
set mode a-p
set group-name myname
set password HApass
set vcluster2 enable
config secondary-vcluster
End of steps.
end
end
end
The following example shows how to change the device priority
of the primary unit to 200 so that this cluster unit always
becomes the primary unit. When you log into the cluster you are
actually connecting to the primary unit. When you change the
device priority of the primary unit this change only affects the
primary unit because the device priority is not synchronized to all
cluster units. After you enter the following commands the cluster
renegotiates and may select a new primary unit.
config system ha
set priority 200
end
The following example shows how to change the device priority of
a subordinate unit to 255 so that this subordinate unit becomes
the primary unit. This example involves connecting to the cluster

Confidential and Proprietary Information of ZTE CORPORATION 461

ZXSEC US CLI Reference Guide

CLI and using the execute ha manage 0 command to connect to

the highest priority subordinate unit. After you enter the
following commands the cluster renegotiates and selects a new
primary unit.
execute ha manage 0
config system ha
set priority 255
end
The following example shows how to change the device priority
of the primary unit in virtual cluster 2. The example involves
connecting to the virtual cluster CLI and changing the global
configuration. In the example virtual cluster 2 has already been
enabled so all you have to do is use the config secondary-
vcluster command to configure virtual cluster 2.
config global config system ha
config secondary-vcluster
set priority 50
end
end
end
The following example shows how to change the default
heartbeat interface configuration so that the port4 and port1
interfaces can be used for HA heartbeat communication and to
give the port4 interface the highest heartbeat priority so that
port4 is the preferred HA heartbeat interface.
config system ha
set hbdev port4 100 port1 50
end
The following example shows how to enable monitoring for the
external, internal, and DMZ interfaces.
config system ha
set monitor external internal dmz
end
The following example shows how to configure weighted round
robin weights for a cluster of three ZXSEC US units. You can
enter the following commands to configure the weight values for
each unit:

T A B L E 1 3 2 E X A MP L E W EI G H TS F O R T H R E E C L U ST E R U N I TS

Cluster unit priority Weight

0 1
1 3

462 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Cluster unit priority Weight

2 3

config system ha
set schedule weight-round-robin set weight 0 1
set weight 1 3
set weight 2 3
end
These commands have the following results:
The first connection is processed by the primary unit (priority
0, weight 1)
The next three connections are processed by the first
subordinate unit (priority 1, weight 3)
The next three connections are processed by the second
subordinate unit (priority 2, weight 3)
The subordinate units process more connections than the primary
unit, and both subordinate units, on average, process the same
number of connections.
This example shows how to display the settings for the system
ha command.
get system ha
This example shows how to display the configuration for the
system hacommand.
show system ha

Remote IP Monitoring Example

HA Remote IP monitoring is similar to HA port monitoring. Port
monitoring causes a cluster to failover if a monitored primary
unit interface fails or is disconnected. Remote IP monitoring uses
ping servers configured on ZXSEC US interfaces on the primary
unit to test connectivity with IP addresses of network devices.
Usually these would be IP addresses of network devices not
directly connected to the cluster. Remote IP monitoring causes a
failover if one or more of these remote IP addresses does not
respond to a ping server.
Using remote IP monitoring to select a new primary unit can be
useful in a number of ways depending on your network
configuration. For example, in a full mesh HA configuration, with
remote IP monitoring the cluster can detect failures in network
equipment that is not directly connected to the cluster but that
would interrupt traffic processed by the cluster if the equipment
failed. In the example topology shown in Figure 1, the switch
connected directly to the primary unit is operating normally but
the link on the other side of the switches fails. As a result traffic
can no longer flow between the primary unit and the Internet.

Confidential and Proprietary Information of ZTE CORPORATION 463

ZXSEC US CLI Reference Guide

To detect this failure you can create a remote IP monitoring

configuration consisting of a ping server on port2 of the cluster.
The primary unit tests connectivity to 192.168.20.20. If the ping
server cannot connect to 192.268.20.20 the cluster to fails over
and the subordinate unit becomes the new primary unit. The
remote HA monitoring ping server on the new primary unit can
connect to 192.168.20.20 so the failover maintains connectivity
between the internal network and the Internet through the
cluster.

ZXSEC US CLI Reference Guide

end
config wifi-mac_list
edit <entry_number>
set mac <mac_address>
end

Note:
A VLAN cannot have the same name as a zone or a virtual
domain.

Specify a list of physical interfaces that
are part of an aggregate or redundant
group. To modify a list, enter the
complete revised list.
If VDOMs are enabled, then vdom must
be set the same for each interface
before you enter the member list.
An interface is available to be part of an
aggregate or redundant group only if
it is a physical interface, not a VLAN
interface
it is not already part of an aggregated
or redundant interface
it is in the same VDOM as the
aggregated interface
it has no defined IP address and is not
member configured for DHCP or PPPoE
<if_name1> it has no DHCP server or relay
configured on it No default.
<if_name2>
... it does not have any VLAN subinterfaces
it is not referenced in any firewall
policy, VIP, IP Pool or multicast policy
it is not an HA heartbeat device or
monitored by HA
In a redundant group, failover to the
next member interface happens when
the active interface fails or is
disconnected.
The order you specify the interfaces in
the member list is the order they will
become active in the redundant group.
For example if you enter set member
port5 port1, then port5 will be active at
the start, and when it fails or is
disconnected port1 will become active.
This is available only when type is
aggregate or redundant.

Example
This example shows how to set the ZXSEC US550 internal
interface IP address and netmask to 192.168.100.159
255.255.255.0, and the management access to ping, https, and
ssh.
config system interface edit internal
set allowaccess ping https ssh
set ip 192.168.110.26 255.255.255.0
end
This example shows how to add a loopback interface with a
name of loop1. The IP address is set to 10.0.0.10 255.255.255.0

490 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

and bfd is set to global. Any traffic sent to this interface will be
dropped, as it is a blackhole route.
config system interface edit loop1
set type loopback
set ip 10.0.0.10 255.255.255.0
set bfd global
end
This example shows how to add a secondary IP address and
netmask of 192.176.23.180 255.255.255.0 to the internal
interface. Also configure ping and https management access to
this secondary IP address. You can not add a secondary IP that is
part of the subnet of the original interface IP address.
config system interface edit internal
config secondaryip edit 1
set allowaccess ping https
set ip 192.176.23.180 255.255.255.0
end
end

Ipv6-tunnel
Use this command to tunnel IPv6 traffic over an IPv4 network.
The IPv6 interface is configured under config system interface.

Note:
This command is not available in Transparent mode.

Syntax
config system ipv6-tunne
edit <tunnel_name>
set destination <tunnel_address>
set interface <name>
set ip6 <address_ipv6>
set source <address_ipv4>
end

Variables Description Default

edit No
Enter a name for the IPv6 tunnel.
<tunnel_name> default.

Confidential and Proprietary Information of ZTE CORPORATION 491

ZXSEC US CLI Reference Guide

Variables Description Default

destination The destination IPv4 address for
0.0.0.0
<tunnel_address> this tunnel.

The interface used to send and No

interface <name>
receive traffic for this tunnel. default.
ip6 No
The IPv6 address for this tunnel.
<address_ipv6> default.
source The source IPv4 address for this
0.0.0.0
<address_ipv4> tunnel.

Example
Use the following commands to set up an IPv6 tunnel.
config system ipv6-tunnel
edit test_tunnel
set destination 10.10.10.1
set interface internal
set ip6 12AB:0:0:CD30::/60
set source 192.168.50.1
end
Related topics
f system interface

mac-address-table
Use this command to create a static MAC table. The table can
hold up to 200 entries. This command is available in Transparent
mode only.
Syntax
config system mac-address-table
edit <mac-address_hex>
set interface <if_name>
end
Example
Use the following commands to add a static MAC entry for the
internal interface.
config system mac-address-table
edit 11:22:33:00:ff:aa
set interface internal
end

492 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Management-tunnel
Use this command to configure the remote management tunnel
that is required by some Usservice Analysis and Management
Service remote administration features, such as the real-time
monitor, and which remote management actions the ZXSEC US
unit will allow from Usservice Analysis and Management Service.
To complete remote management setup with Usservice
Management Service, also configure their required settings, such
as providing the service account ID. For details on enabling
remote administration and remote management connections
initated by the ZXSEC US unit rather than the Usservice Analysis
and Management Service, see “system Usservice”.
Syntax
config system management-tunnel
set allow-collect-statistics {enable | disable}
set allow-config-restore {enable | disable}
set allow-push-configuration {enable | disable}
set allow-push-firmware {enable | disable}
set authorized-manager-only {enable | disable}
set serial-number <serial_str>
set status {enable | disable}
end

Variables Description Default

Enable or disable real-time
allow-collect- monitor SNMP polls through the
statistics tunnel. enable
{enable | disable} This option appears only if
statusis enable.
Enable or disable remote
restoration of a previous
allow-config-restore
configuration. enable
{enable | disable}
This option appears only if
statusis enable.
Enable or disable remote
allow-push-
configuration.
configuration enable
This option appears only if
{enable | disable}
statusis enable.
allow-push-firmware Enable or disable remote
{enable firmware upgrades. This option enable
| disable} appears only if statusis enable.

Enable or disable the SSL-

secured management tunnel
status {enable |
between the ZXSEC US unit and enable
disable}
Usservice Analysis and
Management Service.

Confidential and Proprietary Information of ZTE CORPORATION 493

ZXSEC US CLI Reference Guide

Example
This example shows how to configure the remote management
tunnel to allow Usservice Analysis and Management Service to
query for real-time monitor (SNMP) statistics, but not to initiate
remote firmware upgrades.
config system Usservice
set central-mgmt-status enable
set service-account-id ExampleCo
end
config system management-tunnel
set status enable
set allow-collect-statistics enable
set allow-push-firmware disable
end
Related topics
f system Usservice
f system Usservice-log

Npu
Use this command to configure the Network Processing Unit (NPU)
for ZXSEC US units that support FB4.

Note:
If you use the traffic-shaping-mode command, the bidirection
option counts twice as much traffic. You need to allow twice the
bandwidth as with unidirection.
Syntax
config system npu
set enc-offload-antireplay {enable | disable}
set dec-offload-antireplay {enable | disable}
set offload-ipsec-host {enable | disable}
set traffic-shaping-mode {unidirection | bidirection}
next
end

Defaul
Variables Description
t

494 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Defaul
Variables Description
t
Enable this option for the system
enc-offload-antireplay to offload IPSEC packet
encryption to FB4 when the disable
{enable | disable} egress port of the tunnel is on
FB4.
Enable this option for the system
dec-offload-antireplay to offload IPSEC packet
encryption to FB4 when the enable
{enable | disable} ingress port of the tunnel is on
FB4.
Enable this option for the system
offload-ipsec-host to offload packet encryption to
disable
{enable | disable} FB4 when the egress port of this
packet is on FB4.
Select the fast path bandwidth
calculation method.
In unidirection, traffic in each
direction is counted separately.
traffic-shaping-mode In bidirectionthe traffic in both
{unidirection | directions is counted at the same
bidirection} time.
The default value on 6010
models is bidirection.
The default value on 3810B
models is unidirection.

Proxy-arp
Use this command to add IP addresses to MAC address
translation entries to the proxy ARP table.
Syntax
config system proxy-arp
edit <table_entry>
set interface <port>
set ip <ipv4_address>
next
end

Variables Description Default

Enter the unique ID of the No
edit <table_entry>
table entry to add or modify. default.
Enter the physical port this IP No
interface <port>
will be associated with. default.

Confidential and Proprietary Information of ZTE CORPORATION 495

ZXSEC US CLI Reference Guide

Variables Description Default

Enter the IP address to
No
ip <ipv4_address> associate with this physical
default.
port.

Related topics
f system arp-table
f get router info bgp

496 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Eplacemsg admin
Use this command to change the administration disclaimer page.
These are HTML messages with HTTP headers.
If you unset the buffer for a replacement message, it will be
cleared.
Syntax
config system replacemsg admin admin_disclaimer_text
set buffer <message>
set format <format>
set header <header_type>
end

Variable Description Default

Type a new replacement message to Depends
buffer replace the current replacement on
<message> message. Maximum length 8 192 messag
characters. e type.
Set the format of the message:

format html No
<format> text default

none

Set the format of the message header:

header Depends
8bit on
<header_type messag
http
> e type.
none

Replacement messages can include replacement message tags.

When users receive the replacement message, the replacement
message tag is replaced with content relevant to the message.
Generally there is not a large call for these tags in disclaimer
pages.

T A B L E 1 3 4 R E P L A C E ME N T M E SS A G E TAG S

Tag Description
%%AUTH_RE
Link to open a new window. (optional).
DIR_URL%%
%%AUTH_LO
Immediately close the connection policy.
GOUT%%
URL the keep alive page connects to that keeps the
%%KEEPALIV
connection policy alive. Connects every
EURL%%
%%TIMEOUT%% seconds.

Confidential and Proprietary Information of ZTE CORPORATION 497

ZXSEC US CLI Reference Guide

Tag Description
%%TIMEOUT Configured number of seconds between
%% %%KEEPALIVEURL%% connections.

Replacemsg alertmail
Alertmail can be configured to alert users or admins about
important system events such as blocked files or viruses
detected.
Use this command to change the alertmail pages including:
the block message that alerts users a file transfer was
blocked
the critical firewall event message
the hard disk log is full message
the nids event message to notify a network intrusion event
has occurred
the virus message to indicate that a message was found
These are HTML messages with HTTP headers.
If you unset the buffer for a replacement message, it will be
cleared.
Syntax
config system replacemsg alertmail
auth_msg_type
set buffer <message>
set format <format>
set header <header_type>
end

Variable Description Default

auth_msg_ty Usservice replacement alertmail message No
pe type. One of: default
A file download was
blocked.
alertmail-block
Default message
includes name of file.
A critical firewall
event occurred.
alertmail-crit-
Default message
event
includes the event
type.
alertmail-disk- The hard disk log is
full full.

498 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Variable Description Default

An intrusion event
occurred.
alertmail-nids-
event Default message
includes the intrusion
type.
A virus or worm was
detected.
alertmail-virus Default message
includes the virus or
worm type.
Type a new replacement message to Depends
buffer replace the current replacement on
<message> message. Maximum length 8 192 message
characters. type.
Set the format of the message:
html
format No
<format> text default

none

Set the format of the message header:

header Depends
8bit on
<header_type message
http
> type.
none

Replacement messages can include replacement message tags.

When users receive the replacement message, the replacement
message tag is replaced with content relevant to the message.

T A B L E 1 3 5 R E P L A C E ME N T M E SS A G E TAG S

Confidential and Proprietary Information of ZTE CORPORATION 499

ZXSEC US CLI Reference Guide

Tag Description
Added to alert email critical event email messages.
%%CRITICAL %%CRITICAL_EVENT%% is replaced with the
_EVENT%% critical event message that triggered the alert
email.
The protocol (HTTP, FTP, POP3, IMAP, SMTP) in
%%PROTOCO which a virus was detected.
L%% %%PROTOCOL%% is added to alert email virus
messages.
%%SOURCE_ IP address of the email server that sent the email
IP%% containing the virus.
IP address of the user’s computer that attempted to
%%DEST_IP
download the message from which the file was
%%
removed.
%%EMAIL_FR The email address of the sender of the message
OM%% from which the file was removed.
%%EMAIL_TO The email address of the intended receiver of the
%% message from which the file was removed.
%%NIDS_EVE The IPS attack message. %%NIDS_EVENT%% is
NT%% added to alert email intrusion messages.

Example
The default message for a detected virus is:
Virus/Worm detected: %%VIRUS%% Protocol:
%%PROTOCOL%% Source IP: %%SOURCE_IP%% Destination
IP: %DST_IP%% Email Address From: %%EMAIL_FROM%%
Email Address To:
%%EMAIL_TO%%

Replacemsg auth
Use this command to change the authentication pages including:
the challenge page that prompts users for additional
verification past initial login information
the disclaimer page that notifies users when they are leaving
the protected network
the keepalive page that keeps a session open by renewing
the connection at a set interval
the failed login page that informs the user of their failed
attempt to authenticate themselves and provides the login
prompt for them to try again
the login page presented to users who must authenticate
themselves to use firewall policies or VPNs
the reject page that is displayed when the user rejects the
disclaimer page

500 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

These are HTML messages with HTTP headers.

Note:
If you unset the buffer for a replacement message, it will be
cleared.
Syntax
config system replacemsg auth
auth_msg_type
set buffer <message>
set format <format>
set header <header_type>
end

Variable Description Default

Usservice replacement message type. One of:
auth-
Challenges the user with a
challenge-
question.
page
Prompts user to accept the
displayed disclaimer when
leaving protected network.
auth-
disclaimer[ The extra pages seamlessly
extend the size of the page
1|2|3]
from 8 192 characters up 16
384 and 24 576 characters
respectively.
auth_msg_ty Keeps a session open by No
pe auth- connecting to renew the default
keepalive- connection policy.
page Closing the page will timeout
the connection.
Displays after user fails to
auth-login- login. This page includes a
failed-page failed login message and a
login prompt.
Prompts the user for their
auth-login-
username and password to
page
login.
auth-reject- Displays when user rejects
page the disclaimer page.
Depends
Type a new replacement message to replace
buffer on
the current replacement message. Maximum
<message> message
length 8 192 characters.
type.

Confidential and Proprietary Information of ZTE CORPORATION 501

ZXSEC US CLI Reference Guide

Variable Description Default

Set the format of the message:
html
format No
<format> text default

none

Set the format of the message header:

header Depends
8bit on
<header_type message
http
> type.
none

Replacement messages can include replacement message tags.

When users receive the replacement message, the replacement
message tag is replaced with content relevant to the message.

T A B L E 1 3 6 R E P L A C E ME N T M E SS A G E TAG S

Tag Description
%%AUTH_RE
Link to open a new window. (optional).
DIR_URL%%
%%AUTH_LO
Immediately close the connection policy.
GOUT%%
%%FAILED_M Message displayed on failed login page after user
ESSAGE%% login fails.
URL the keep alive page connects to that keeps the
%%KEEPALIV
connection policy alive. Connects every
EURL%%
%%TIMEOUT%% seconds.
The default login and rejected login pages use this
text immediately preceding the username and
password fields. the default challenge page uses
%%QUESTION this as the challenge question. These are treated as
%% two different variables by the server.
If you want to use different text, replace
%%QUESTION%%with the text that you prefer.
%%TIMEOUT Configured number of seconds between
%% %%KEEPALIVEURL%% connections.
%%USERNAM Username of the user logging in. This tag is used on
EID%% the login and failed login pages.
%%PASSWOR Password of the user logging in. This tag is used on
DID%% the challenge, login and failed login pages.

Requirements for login page

The authentication login page is linked to ZXSEC US functionality
and you must construct it according to the following guidelines to
ensure that it will work.
The login page must be an HTML page containing a form with
ACTION="/" and METHOD="POST"
The form must contain the following hidden controls:

502 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

f <INPUT TYPE="hidden" NAME="%%MAGICID%%"

VALUE="%%MAGICVAL%%">
f <INPUT TYPE="hidden" NAME="%%STATEID%%"
VALUE="%%STATEVAL%%">
f <INPUT TYPE="hidden" NAME="%%REDIRID%%"
VALUE="%%PROTURI%%">
The form must contain the following visible controls:
f <INPUT TYPE="text" NAME="%%USERNAMEID%%"
size=25>
f <INPUT TYPE="password"
NAME="%%PASSWORDID%%" size=25>
Example
This example shows how to change the authentication login page.
You enter the web page content as one long quoted string, using
the backslash (“\”) character at the end of each line to continue
the text on the next line.
config system replacemsg auth auth-login-page
set buffer "<html><head> \
<title>Firewall Authentication</title> \
</head> \
<body><h4>You must authenticate to use this service.</h4> \
<form action="/" method="post"> \
<input name="%%MAGICID%%" value="%%MAGICVAL%%"
type="hidden"> \
<table align="center" bgcolor="#00cccc" border="0" \
cellpadding="15" cellspacing="0" width="320"><tbody> \
<tr><th>Username:</th> \
<td><input name="%%USERNAMEID%%" size="25"
type="text"></td></tr> \
<tr><th>Password:</th> \
<td><input name="%%PASSWORDID%%" size="25"
type="password"></td> \
</tr><tr><td colspan="2" align="center" bgcolor="#00cccc"> \
<input name="%%STATEID%%" value="%%STATEVAL%%"
type="hidden"> \
<input name="%%REDIRID%%" value="%%PROTURI%%"
type="hidden"> \
<input value="Continue" type="submit"></td></tr></tbody></table> \
</font></form></body></html>"
set format html set header http
end

Confidential and Proprietary Information of ZTE CORPORATION 503

ZXSEC US CLI Reference Guide

Replacemsg Usservice-wf
Use this command to change the default messages that replace a
web pages that Usservice web filtering has blocked.
By default, these are HTML messages.

Note:
If you unset the buffer for a replacement message, it will be
cleared.
Syntax
config system replacemsg Usservice-wf <Usservice_msg_type>
set buffer <message>
set format <format>
set header <header_type>
end

Variable Description Default

Usservice replacement message
type. One of:
ussrv- Usservice blocked a web
<Usservice_msg_t block page. No
ype> ussrv- default.
Usservice override form.
ovrd
An error occurred when
http-err
accessing the web page.
Type a new replacement message to Depends
replace the current replacement on
buffer <message>
message. Maximum length 8 192 message
characters. type.
Set the format of the message, one
of:
html
format <format> html
text
none

Set the format of the message

header:
header 8bit http
<header_type>
http
none.

Replacement messages can include replacement message tags.

When users receive the replacement message, the replacement
message tag is replaced with content relevant to the message.

504 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

T A B L E 1 3 7 R E P L A C E ME N T M E SS A G E TAG S

Tag Description
The URL of a web page. This can be a web page
that is blocked by web filter content
%%URL%% or URL blocking. %%URL%%can also be used in
http virus and file block messages to be the URL of
the web page from which a user attempted to
download a file that is blocked.

Replacemsg ftp
Use this command to change default replacement messages
added to FTP sessions when the antivirus engine blocks a file either
because of a matching file pattern or because a virus is detected.
By default, these are text-format messages with no header.

Note:
If you unset the buffer for a replacement message, it will be cleared.

Syntax
config system replacemsg ftp <message-type>
set buffer <message>
set format <format>
set header <header_type>
end

Variable Description Default

FTP replacement message type. One
of:
Antivirus system blocks
ftp-dl-
a file that matches a
blocked
file pattern.

<message- Antivirus system blocks No

type> ftp-dl- an oversize file default.
filesize (one that is too large
to scan).
Antivirus system
ftp-dl- detects a virus in a file
infected being downloaded and
blocks the file.
Type a new replacement message to Depends
buffer replace the current replacement on
<message> message. Maximum length 8 192 message
characters. type.

Confidential and Proprietary Information of ZTE CORPORATION 505

ZXSEC US CLI Reference Guide

Variable Description Default

Set the format of the message, one
of:
format html
text
<format>
text
none

Set the format of the message header,

one of:
header 8bit none
<header_type>
http
none.

Replacement messages can include replacement message tags.

When users receive the replacement message, the replacement
message tag is replaced with content relevant to the message.

T A B L E 1 3 8 R E P LAC E M ENT M E S SA G E TAG S

Tag Description
The name of a file that has been removed from a
content stream. This could be a file that contained a
%%FILE%% virus or was blocked by antivirus file blocking.
%%FILE%% can be
used in virus and file block messages.
The name of a virus that was found in a file by the
%%VIRUS%
antivirus system. %%VIRUS%% can be used in
%
virus messages
The name of a file that has been removed from a
content stream and added to the quarantine. This
could be a file that contained a virus or was blocked
%%QUARFILE
by antivirus file blocking. %%QUARFILENAME%%
NAME%%
can be used in virus and file block messages.
Quarantining is only available on ZXSEC US units
with a local disk.
The URL of a web page. This can be a web page
that is blocked by web filter content
%%URL%% or URL blocking. %%URL%% can also be used in
http virus and file block messages to be the URL of
the web page from which a user attempted to
download a file that is blocked.
The protocol (HTTP, FTP, POP3, IMAP, SMTP) in
%%PROTOCO which a virus was detected.
L%% %%PROTOCOL%%is added to alert email virus
messages.
The IP address from which a virus was received. For
email this is the IP address of the email server that
%%SOURCE_ sent the email containing the virus. For HTTP this is
IP%% the IP address
of the web page that sent the virus.

506 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Tag Description
The IP address of the computer that would have
received the blocked file. For email this is the IP
%%DEST_IP
address of the user’s computer that attempted to
%%
download the message from which the file was
removed.

Example
This example shows how to change the message sent when an
FTP download is oversize.
config system replacemsg ftp ftp-dl-filesize
set buffer "This file download was blocked because it is > 10MB."
end

Replacemsg http
Use this command to change default replacement messages
added to web pages when the antivirus engine blocks a file in an HTTP
session because of a matching file pattern or because a virus is detected;
or when web filter blocks a web page.

Note:
If you unset the buffer for a replacement message, it will be
cleared.
Syntax
config system replacemsg http <message-type>
set buffer <message>
set format <format>
set header <header_type>
end

Variable Description Default

HTTP replacement message type, one No
<message-type>
of: default.
The web filter
banned word list
bannedword
blocks a web
page.
The antivirus
system blocks a
http-block
file that matches
a file pattern.
The antivirus
http-client- system blocks a
bannedword file that matches
a file pattern.

Confidential and Proprietary Information of ZTE CORPORATION 507

ZXSEC US CLI Reference Guide

Variable Description Default

The antivirus
system blocks a
http-client-block
file that matches
a file pattern.
The antivirus
system blocks a
http-client-filesize
file that is too
large to scan.
The antivirus
system blocks a
http-client-virus
file that contains
a virus.
The antivirus
system blocks a
http-filesize file that is too
large to be virus
scanned.
The antivirus
system blocks a
http-virus
file that contains
a virus.
The antivirus
system blocks a
infcache-block URL that has a
previously
discovered virus.
Web filter URL
url-block blocking blocks a
web page.
Type a new replacement message to Depends
buffer replace the current replacement on
<message> message. Maximum length 8 192 message
characters. type.
Set the format of the message, one
of:
format html html
<format>
text
none

Set the format of the message header,

one of:
header 8bit http
<header_type>
http
none

Replacement messages can include replacement message tags.

When users receive the replacement message, the replacement
message tag is replaced with content relevant to the message.

508 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

T A B L E 1 3 9 R EP L A C E M E N T M E S S A G E TAG S

Tag Description
The name of a file that has been removed from a
content stream. This could be a file that contained a
%%FILE%% virus or was blocked by antivirus file blocking.
%%FILE%% can be
used in virus and file block messages.
The name of a virus that was found in a file by the
%%VIRUS%
antivirus system. %%VIRUS%% can be used in
%
virus messages
The name of a file that has been removed from a
content stream and added to the quarantine. This
could be a file that contained a virus or was blocked
%%QUARFILE
by antivirus file blocking. %%QUARFILENAME%%
NAME%%
can be used in virus and file block messages.
Quarantining is only available on ZXSEC US units
with a local disk.
The URL of a web page. This can be a web page
that is blocked by web filter content
%%URL%% or URL blocking. %%URL%% can also be used in
http virus and file block messages to be the URL of
the web page from which a user attempted to
download a file that is blocked.
The protocol (HTTP, FTP, POP3, IMAP, SMTP) in
%%PROTOCO which a virus was detected.
L%% %%PROTOCOL%%is added to alert email virus
messages.
%%SOURCE_ The IP address of the web page from which a virus
IP%% was received.
The IP address of the computer that would have
received the blocked file. For email this is the IP
%%DEST_IP
address of the user’s computer that attempted to
%%
download the message from which the file was
removed.

Example
This example shows how to change the message that replaces a
web page blocked for banned words.
config system replacemsg http http-client-bannedword
set buffer "This web page was blocked. It contains banned words."
end

Replacemsg im
Use this command to change default replacement messages
added to instant messaging and peer-to-peer sessions when
either file-transfer or voice-chat is blocked.
By default, these are text messages with an 8-bit header.

Confidential and Proprietary Information of ZTE CORPORATION 509

ZXSEC US CLI Reference Guide

Note:
If you unset the buffer for a replacement message, it will be
cleared.
Syntax
config system replacemsg im <message-type>
set buffer <message>
set format <format>
set header <header_type>
end

Variable Description Default

im replacement message type, one of:
The IM system
im-file-xfer-block blocks a file
transfer.
The IM system
im-file-xfer-
blocks a virus-
infected
infected file.
The IM system
im-file-xfer-name blocks a file due No
<message-type>
to file block list. default.
The IM system
im-file-xfer-size blocks an oversize
file.
The IM system
im-photo-share-
blocks a photo-
block
sharing request.
im-voice-chat- The IM system
block blocks voice chat.
Type a new replacement message to Depends
buffer replace the current replacement on
<message> message. Maximum length 8 192 message
characters. type.
Set the format of the message, one
of:
format html
text
<format>
text
none

Set the format of the message

header, one of:
header 8bit
8bit
<header_type>
http
none

510 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Replacement messages can include replacement message tags.

When users receive the replacement message, the replacement
message tag is replaced with content relevant to the message.

T A B L E 1 4 0 R E P LA C E M E NT M E S S A G E TAG S

Tag Description
The name of a file that has been removed from a
content stream. This could be a file that contained a
%%FILE%% virus or was blocked by antivirus file blocking.
%%FILE%% can be
used in virus and file block messages.
The name of a virus that was found in a file by the
%%VIRUS%
antivirus system. %%VIRUS%% can be used in
%
virus messages
The name of a file that has been removed from a
content stream and added to the quarantine. This
could be a file that contained a virus or was blocked
%%QUARFILE
by antivirus file blocking. %%QUARFILENAME%%
NAME%%
can be used in virus and file block messages.
Quarantining is only available on ZXSEC US units
with a local disk.
The protocol (HTTP, FTP, POP3, IMAP, SMTP) in
%%PROTOCO which a virus was detected.
L%% %%PROTOCOL%%is added to alert email virus
messages.
The IP address from which a virus was received. For
email this is the IP address of the email server that
%%SOURCE_ sent the email containing the virus. For HTTP this is
IP%% the IP address
of the web page that sent the virus.
The IP address of the computer that would have
received the blocked file. For email this is the IP
%%DEST_IP
address of the user’s computer that attempted to
%%
download the message from which the file was
removed.

Example
This example shows how to change the message added to
instant messaging sessions when voice chat is blocked.
config system replacemsg im im-voice-chat-block
set buffer "Use of chat applications is not permitted."
end

Replacemsg mail
Use this command to change default replacement messages
added to email messages when the antivirus engine blocks a file

Confidential and Proprietary Information of ZTE CORPORATION 511

ZXSEC US CLI Reference Guide

either because of a matching file pattern or because a virus is

detected; or when spam filter blocks an email.
By default, these are text messages with an 8-bit header.

Note:
If you unset the buffer for a replacement message, it will be
cleared.
Syntax
config system replacemsg mail <message-type>
set buffer <message>
set format <format>
set header <header_type>
end

Variable Description Default

mail replacement message type, one
of:
The antivirus system
email-block blocks a file that
matches a file pattern.
The antivirus system
blocks an email
email-
message that is too
filesize
large to be virus
scanned.
The antivirus system
deletes a file from an
email-virus
email messages that
contains a virus.
The ZXSEC US unit No
<message-type> deletes a part of a
partial default.
fragmented email
message.
The antivirus system
blocks a file in an SMTP
smtp-block
email message that
matches a file pattern.
The antivirus system
blocks an SMTP email
smtp-
message that is too
filesize
large to be virus
scanned.
The antivirus system
deletes a file from an
smtp-virus
SMTP email messages
that contains a virus.

512 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Variable Description Default

Type a new replacement message to Depends
buffer replace the current replacement on
<message> message. Maximum length 8 192 message
characters. type.
Set the format of the message, one
of:
format html text
<format>
text
none

Set the format of the message header,

one of:
header 8bit 8bit
<header_type>
http
none

Replacement messages can include replacement message tags.

When users receive the replacement message, the replacement
message tag is replaced with content relevant to the message.

T A B L E 1 4 1 R E P LA C E M E NT M E S S A G E TAG S

Tag Description
The name of a file that has been removed from a
content stream. This could be a file that contained a
%%FILE%% virus or was blocked by antivirus file blocking.
%%FILE%% can be
used in virus and file block messages.
The name of a virus that was found in a file by the
%%VIRUS%
antivirus system. %%VIRUS%% can be used in
%
virus messages
The name of a file that has been removed from a
content stream and added to the quarantine. This
could be a file that contained a virus or was blocked
%%QUARFILE
by antivirus file blocking. %%QUARFILENAME%%
NAME%%
can be used in virus and file block messages.
Quarantining is only available on ZXSEC US units
with a local disk.
The protocol (HTTP, FTP, POP3, IMAP, SMTP) in
%%PROTOCO which a virus was detected.
L%% %%PROTOCOL%%is added to alert email virus
messages.
%%SOURCE_ IP address of the email server that sent the email
IP%% containing the virus.
IP address of the user’s computer that attempted to
%%DEST_IP
download the message from which the file was
%%
removed.

Confidential and Proprietary Information of ZTE CORPORATION 513

ZXSEC US CLI Reference Guide

Tag Description
%%EMAIL_FR The email address of the sender of the message
OM%% from which the file was removed.
%%EMAIL_TO The email address of the intended receiver of the
%% message from which the file was removed.

Example
This example shows how to change the email message that is
sent to test the alert email system.
config system replacemsg mail email-virus
set buffer "The attachment was blocked because it contains a virus."
end

Replacemsg mm1 (US

Carrier)
Use this command to change default replacement messages
added to messages sent on the MM1 network when the antivirus
engine blocks a file either because of a matching file pattern or
because a virus is detected; or when spam filter blocks an email.
Syntax
config system replacemsg mm1 <message_type>
set add-smil {enable | disable}
set charset <character_set>
set class <class>
set format <format>
set from <from_address>
set from-sender {enable | disable}
set header <header_type>
set image <string>
set message <message_text>
set priority <priority>
set rsp-status <rsp_status>
set rsp-text <response_text>
set sender-visibility <sender_vis>
set smil-part <string>
set subject <subject_text>
end

514 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Keywords and
Description Default
variable
MM1 replacement message types, one
of:
mm1-retr-conf-block
mm1-retr-conf-bword
mm1-retr-conf-sis-block
mm1-retr-conf-virus
mm1-send-conf-block
<message_type No
> mm1-send-conf-bword default.
mm1-send-conf-sis-block
mm1-send-conf-virus
mm1-send-req-block
mm1-send-req-bword
mm1-send-req-sis-block
mm1-send-req-virus

Enable to add SMIL content to the

message. SMIL content can include
images.
This keyword is available for the
add-smil following message types:
{enable | disable
mm1-send-req-block
disable}
mm1-send-req-bword
mm1-send-req-sis-block
mm1-send-req-virus

Character encoding used for

replacement message, one of:
charset
us-ascii utf-8
<character_set>

utf-8

The message can be classified as one

of:
advertisement
automatic automati
class <class>
c
informational
not-included
personal

Confidential and Proprietary Information of ZTE CORPORATION 515

ZXSEC US CLI Reference Guide

Keywords and
Description Default
variable
Set the format of the message, one
of:
html
none
format <format> text
text
wml
Not all formats are supported by all
message types.
from
Address the message is from. null
<from_address>
from-sender Enable for the notification message to
{enable | be sent from the recipient. This is to disable
disable} avoid billing problems.

Set the format of the message

header, one of:
header 8bit
http
<header_type>
http
none

Enter the name of the image to

include in the SMIL message part.
Using ‘?’ will show the list of available
image <string> image names.
This is only available when add-smil
is enabled.
Depends
message on
Text of the replacement message.
<message_text> message
type.
Priority of the message, one of:
high
priority low
normal
<priority>
normal
not included

516 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Keywords and
Description Default
variable
Response status code, one of:
err-content-not-accepted
err-msg-fmt-corrupt
err-msg-not-found
err-
rsp-status err-net-prob content-
<rsp_status> err-snd-addr-unresolv not-
accepted
err-srv-denied
err-unspecified
err-unsupp-msg
ok

rsp-text Depends
on
<response_text Response text.
message
> type.
Sender visibility, one of:

sender-visibility hide not-

<sender_vis> not-specified specified

show

smil-part Enter the SMIL part of the

<string> replacement message.
Depends
subject on
Subject text string.
<subject_text> message
type.

Example
This example shows how to set the message sent when a virus
being sent by this user on the MM1 network. It uses the default
message text.
config system replacemsg mm1 mm1-send-conf-virus
set charset utf-8 set class automatic set format text
set header none set priority high
set rsp-status err-content-not-accepted
set subject “File you sent contains a virus”
set message "The message you sent has been blocked because the
file
%%FILE%% in the message contains the virus %%VIRUS%%.
The message has been quarantined as
%%QUARFILENAME%%."
end

Confidential and Proprietary Information of ZTE CORPORATION 517

ZXSEC US CLI Reference Guide

Replacemsg mm3 (US

Carrier)
Use this command to change default replacement messages
added to messages sent on the MM3 network when the antivirus
engine blocks a file either because of a matching file pattern or
because a virus is detected; or when spam filter blocks an email.
Syntax
config system replacemsg mm3 <message_type>
set charset <character_set>
set format <format>
set from <from_address>
set header <header_type> set message <message_text> set priority
<priority>
set subject <subject_text>
end

Keywords and
Description Default
variable
MM3 replacement message types, one
of:
mm3-block
mm3-block-notif
mm3-bword
<message_type mm3-bword-notif No
> default
mm3-sis-block
mm3-sis-block-notif
mm3-sis-block-notif
mm3-virus
mm3-virus-block

Character encoding used for

replacement messages, one of:
charset
us-ascii utf-8
<character_set>

utf-8

Replacement message format flag,

one of:
html
format <format> none text

text
wml

518 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Keywords and
Description Default
variable
from
Address the message is from. null
<from_address>
Set the format of the message
header, one of:
header 8bit
none
<header_type>
http
none

Depends
message on
Text of the replacement message.
<message_text> message
type.
Priority of the message, one of:
high
priority low
normal
<priority>
normal
not included

Depends
subject on
Subject text string.
<subject_text> message
type.

Example
This example shows how to set the message sent when a user on
the MM3 network sends one or more viruses. It uses the default
message text.
config system replacemsg mm3 mm3-virus
set charset utf-8 set class automatic set format text
set header none set priority high
set rsp-status err-content-not-accepted
set subject “Messages sent containing viruses”
set message "This device has sent %%NUM_MSG%% messages
containing the virus %%VIRUS%% in the last %%DURATION%%
hours."
end

Replacemsg mm4 (US

Carrier)
Use this command to change default replacement messages
added to messages sent on the MM4 network when the antivirus

Confidential and Proprietary Information of ZTE CORPORATION 519

ZXSEC US CLI Reference Guide

engine blocks a file either because of a matching file pattern or

because a virus is detected; or when spam filter blocks an email.
Syntax
config system replacemsg mm4 <message_type>
set charset <character_set>
set class <class>
set domain <address_domain>
set format <format>
set from <from_address>
set from-sender {enable | disable}
set header <header_type>
set image <string>
set message <message_text>
set priority <priority>
set rsp-status <rsp_status>
set smil-part <string>
set subject <subject_text>
end

Keywords and
Description Default
variables
MM4 replacement message types, one
of:
mm4-block
mm4-block-notif
mm4-bword
<message_type No
> mm4-bword-notif default
mm4-sis-block
mm4-sis-block-notif
mm4-virus
mm4-virus-block

Enable to add SMIL content to the

message. SMIL content can include
images.
add-smil This keyword is available for the
following message types: disable
{enable |
disable} mm4-block-notif
mm4-bword-notif
mm4-sis-block-notif

520 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Keywords and
Description Default
variables
Character encoding used for
replacement messages, one of:
charset
us-ascii utf-8
<character_set>

utf-8

The message can be classified as one

of:
advertisement
automatic automati
class <class>
c
informational
not-included
personal

domain
<address_domai The from address domain. null
n>
Replacement message format flag,
one of:
html
format <format> none text

text
wml

from
Address the message is from. null
<from_address>
from-sender Enable for the notification message to
{enable | be sent from the recipient. This is to disable
disable} avoid billing problems.

Set the format of the message

header, one of:
header 8bit none
<header_type>
http
none

Enter the name of the image to

include in the SMIL message part.
Using ‘?’ will show the list of available
image <string> image names.
This is only available when add-smil is
enabled.
Depends
message on
Text of the replacement message.
<message_text> message
type.

Confidential and Proprietary Information of ZTE CORPORATION 521

ZXSEC US CLI Reference Guide

Keywords and
Description Default
variables
Priority of the message, one of:
high
priority low
normal
<priority>
normal
not included

Response status codes, one of:

err-content-not-accepted
err-msg-fmt-corrupt
err-net-prob err-
rsp-status content-
err-snd-addr-unresolv not-
<rsp_status> accepte
err-srv-denied
d
err-unspecified
err-unsupp-msg
ok

smil-part Enter the SMIL part of the

<string> replacement message.
Depends
subject on
Subject text string.
<subject_text> message
type.

Example
This example shows how to set the message sent when a user on
the MM4 network sends one or more viruses. It uses the default
message text.
config system replacemsg mm4 mm4-virus-notif
set class automatic set domain ‘’
set format text set header none set priority high
set subject “Messages sent containing viruses”
set message "This device has sent %%NUM_MSG%% messages
containing the virus %%VIRUS%% in the last %%DURATION%%
hours."
end

Replacemsg mm7 (US

Carrier)
Use this command to change default replacement messages
added to messages sent on the MM7 network when the antivirus

522 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

engine blocks a file either because of a matching file pattern or

because a virus is detected; or when spam filter blocks an email.
Syntax
config system replacemsg mm7 <mm7message_type>
set add-smil {enable | disable}
set addr_type <addr_type> set charset <character_set> set class
<class>
set format <format>
set from <from_address>
set from-sender {enable | disable}
set header <header_type>
set image <string>
set message <message_text>
set priority <priority>
set rsp-status <rsp_status>
set smil-part <string>
set subject <subject_text>
end

Keywords and
Description Default
variables
MM7 replacement message types, one
of:
mm7-block
mm7-block-notif
mm7-bword
<mm7message_ No
type> mm7-bword-notif default
mm7-sis-block
mm7-sis-block-notif
mm7-virus
mm7-virus-block

Enable to add SMIL content to the

message. SMIL content can include
images.
add-smil This keyword is available for the
following message types: Disable
{enable |
disable} mm7-block-notif
mm7-bword-notif
mm7-sis-block-notif

Confidential and Proprietary Information of ZTE CORPORATION 523

ZXSEC US CLI Reference Guide

Keywords and
Description Default
variables
From address types, one of:
number
addr_type
number
<addr_type> rfc2882-addr
short-code

Character encoding used for

replacement messages, one of:
charset
us-ascii utf-8
<character_set>

utf-8

The message can be classified as one

of:
advertisement
automatic automati
class <class>
c
informational
not-included
personal

Replacement message format flag,

one of:
html
format <format> none text

text
wml

from
Address the message is from. null
<from_address>
from-sender Enable for the notification message to
{enable | be sent from the recipient. This is to disable
disable} avoid billing problems.

Set the format of the message

header, one of:
header 8bit
none
<header_type>
http
none

Enter the name of the image to

include in the SMIL message part.
Using ‘?’ will show the list of available
image <string> image names.
This is only available when add-smil is
enabled.
Depends
message on
Text of the replacement message.
<message_text> message
type.

524 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Keywords and
Description Default
variables
Priority of the message, one of:
high
priority low
normal
<priority>
normal
not included

Response status codes, one of:

addr-err
addr-not-found
app-addr-not-supp
app-denied
app-id-not-found
client-err
content-refused
gen-service-err
improper-ident
link-id-not-found
msg-fmt-corrupt
msg-id-not-found Depends
rsp-status on
msg-rejected
<rsp_status> message
multiple-addr-not-supp type.
not-possible
oper-restrict
partial-success
repl-app-id-not-found
service-denied
service-err
service-unavail
srv-err
success
unsupp-oper
unsupp-ver
validation-err

smil-part Enter the SMIL part of the

<string> replacement message.
Depends
subject on
Subject text string.
<subject_text> message
type.

Confidential and Proprietary Information of ZTE CORPORATION 525

ZXSEC US CLI Reference Guide

Example
This example shows how to set the message sent when a user on
the MM7 network sends one or more viruses. It uses the default
message text.
config system replacemsg mm7 mm7-virus-notif
set charset utf-8 set class automatic set format text
set header none set priority high
set rsp-status err-content-not-accepted
set subject “Messages sent containing viruses”
set message "This device has sent %%NUM_MSG%% messages
containing the virus %%VIRUS%% in the last %%DURATION%%
hours."
end

Replacemsg nntp
Use this command to change the net news transfer protocol
(NNTP) download pages including:
NNTP download blocked
NNTP download filesize error
NNTP download infected
These are HTML messages with HTTP headers.

Note:
If you unset the buffer for a replacement message, it will be
cleared.
Syntax
config system replacemsg nntp auth_msg_type
set buffer <message>
set format <format>
set header <header_type>
end

Variable Description Default

auth_msg_ty Usservice replacement alertmail message No
pe type. One of: default
A file being downloaded has
nntp-dl-
been blocked, and
blocked
quarantined.
nntp-dl- The article is larger than the
filesize configured size limit.

526 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Variable Description Default

An attached file has had a
nntp-dl-
virus detected in it. The file
infected
has been quarantined.
Type a new replacement message to Depends
buffer replace the current replacement on
<message> message. Maximum length 8 192 message
characters. type.
Set the format of the message:

format html No
<format> text default

none

Set the format of the message header:

header Depends
8bit on
<header_type message
http
> type.
none

Replacement messages can include replacement message tags.

When users receive the replacement message, the replacement
message tag is replaced with content relevant to the message.

T A B L E 1 4 2 R E P LA C E M E NT M E S S A G E TAG S

Tag Description
The name of a file that has been removed from a
content stream. This could be a file that contained a
virus or was blocked by antivirus file blocking. The
%%FILE%%
file may have been quarantined if a virus was
detected. %%FILE%% can be used in virus and file
block messages.
The name of a file that has been removed from a
content stream and added to the quarantine. This
could be a file that contained a virus or was blocked
%%QUARFILE
by antivirus file blocking. %%QUARFILENAME%%
NAME%%
can be used in virus and file block messages.
Quarantining is only available on ZXSEC US units
with a local disk.
The name of a virus that was found in a file by the
%%VIRUS%
antivirus system. %%VIRUS%% can be used in
%
virus messages

Confidential and Proprietary Information of ZTE CORPORATION 527

ZXSEC US CLI Reference Guide

Replacemsg spam
Use this command to change default replacement messages
added to SMTP email messages when spam filter blocks an email
message. By default, these are text messages with an 8-bit
header.

Note:
If you unset the buffer for a replacement message, it will be
cleared.
Syntax
config system replacemsg spam <message-type>
set buffer <message>
set format <format>
set header <header_type>
end

Variable Description Default

spam replacement message type, one No
<message-type>
of: default.
The spam filter IP
address list
ipblocklist marked an email
message as reject
or as spam.
Spam filtering
return-email DNS
reversedns check identified a
message as
spam.
The spam filter
email address list
smtp-spam-
marked an SMTP
bannedword
message as
spam.
The spam filter
smtp-spam- email address list
emailblack marked an email
as spam.
Usservice-Spam
blocked an email
smtp-spam-feip based on its
originating IP
address.
Checksum is in
the Usservice-
smtp-spam-
AntiSpam
fschksum
checksum
blacklist.

528 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Variable Description Default

Usservice-Spam
blocked an email
smtp-spam-fsurl
based on its
originating URL.
An email
message is
smtp-spam-helo blocked because
the HELO/EHLO
domain is invalid.
The spam MIME
headers list
smtp-spam-
marked a
mimeheader
message as
spam.
The spam filter
DNSBL & ORDBL
list marked an
smtp-spam-rbl
email message as
reject or as
spam.
The spam submit
submit list marked an
email as spam.
Type a new replacement message to Depends
buffer replace the current replacement on
<message> message. Maximum length 8 192 message
characters. type.
Set the format of the message, one of:
html
format
text
<format> text
none

Set the format of the message header, one

of:
header 8bit 8bit
<header_type>
http
none

Replacement messages can include replacement message tags.

When users receive the replacement message, the replacement
message tag is replaced with content relevant to the message.

T A B L E 1 4 3 R E P LA C E M E NT M E S S A G E TAG S

Tag Description

Confidential and Proprietary Information of ZTE CORPORATION 529

ZXSEC US CLI Reference Guide

Tag Description
The name of a file that has been removed from a
content stream and added to the quarantine. This
could be a file that contained a virus or was blocked
%%QUARFILE
by antivirus file blocking. %%QUARFILENAME%%
NAME%%
can be used in virus and file block messages.
Quarantining is only available on ZXSEC US units
with a local disk.
The IP address from which a virus was received. For
email this is the IP address of the email server that
%%SOURCE_ sent the email containing the virus. For HTTP this is
IP%% the IP address
of the web page that sent the virus.
The IP address of the computer that would have
received the blocked file. For email this is the IP
%%DEST_IP
address of the user’s computer that attempted to
%%
download the message from which the file was
removed.
%%EMAIL_FR The email address of the sender of the message
OM%% from which the file was removed.
%%EMAIL_TO The email address of the intended receiver of the
%% message from which the file was removed.

Example
This example shows how to change the message added to SMTP mail
that the spam filter has blocked.
config system replacemsg spam ipblocklist
set buffer "This email was blocked as spam."
end

Replacemsg sslvpn
Use this command to change the login page presented to SSL-
VPN users. This is an HTML message with an HTTP header.

Note:
If you unset the buffer for a replacement message, it will be
cleared.
Syntax
config system replacemsg sslvpn sslvpn-login
set buffer <message>
set format <format>
set header <header_type>
end

530 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Variable Description Default

Type a new replacement message Depends
to replace the current replacement on
buffer <message>
message. Maximum length 8 192 message
characters. type.
Set the format of the message,
one of:
html No
format <format>
default
text
none

Set the format of the message

header, one of:
Depends
header 8bit on
<header_type> message
http type.
none

Replacement messages can include replacement message tags.

When users receive the replacement message, the replacement
message tag is replaced with content relevant to the message.
Requirements for login page
The SSL login page is linked to ZXSEC US functionality and you
must construct it according to the following guidelines to ensure
that it will work.
The login page must be an HTML page containing a form with
ACTION="%%SSL_ACT%%" and
METHOD="%%SSL_METHOD%%"
The form must contain the %%SSL_LOGIN%% tag to provide
the logon form.
The form must contain the %%SSL_HIDDEN%% tag.

Replacemsg-group (US
Carrier)
In US Carrier, replacement messages can be created and applied
to specific protection profiles. This allows the customization of
messages for specific users or user groups. Users are assigned to
a group through the protection profile feature of firewall. See
“firewall profile” for more information on protection profiles.
If a user is not part of a custom replacement message group,
their replacement messages come from the ‘default’ group.
The ’default’ group always exists, and cannot be deleted. All
additional replacement message groups inherit from the default
group. Any messages in custom groups that have not been

Confidential and Proprietary Information of ZTE CORPORATION 531

ZXSEC US CLI Reference Guide

modified, inherit any changes to those messages in the default

group.
The only replacement messages that can not be customized in
groups are administration related messages, which in the
following categories:
Alert Mail
Administration
Authentication
IM and P2P
SSL VPN
Except for mm1, mm3, mm4, mm7 which use the message
keyword, all replacement message types use the buffer
keyword to refer to the body of the message.
Syntax
config system replacemsg_group
edit <groupname_string>
set comment <string>
config {Usservice-wf | ftp | http | mail | mm1 | mm3 | mm4 | mm7 |
nntp | spam}
edit <msgkey_integer> set msg-type <type> set buffer <string>
set header <header_flag> set format <format_flag> set message
<string>
end
end

Variable Description Default

edit
Create or edit a replacement message
<groupname_stri
group.
ng>

comment Enter a descriptive comment for this

<string> replacement message group.

532 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Variable Description Default

Select a replacement message type to add

or edit. These types or protocols, match
with the existing replacemsg commands,
and determine which msg-types are
available.
For more information on these
replacement message types see:
“replacemsg Usservice-wf”
config
{Usservice-wf | “replacemsg ftp”
ftp | http | mail |
“replacemsg http”
mm1 | mm3 |
mm4 | mm7 | “replacemsg mail”
nntp | spam}
“replacemsg mm1 (US Carrier)”
“replacemsg mm3 (US Carrier)”
“replacemsg mm4 (US Carrier)”
“replacemsg mm7 (US Carrier)”
“replacemsg nntp”
“replacemsg spam”

Create or edit a message entry in the

edit table. Enter the key of the entry.
<msgkey_intege Using ‘?’ will show you the existing
r> message type as well as the msgkey
entries in the table.
Select the message type for this message
entry. Valid message types vary according
to which replacement message table you
msg-type are editing.
<type> For a list of valid message types for this
table, refer to the
CLI replacemsg command of the same
name.
Enter the replacement message for this
message type. Enclose the message in
quotes.
This keyword is used with the following
replacement messages:
Usservice-wf

buffer ftp
<string> http
mail
nntp
spam
Other replacement messages use the
messagekeyword.

Confidential and Proprietary Information of ZTE CORPORATION 533

ZXSEC US CLI Reference Guide

Variable Description Default

Select the header for this message. Valid

types include:
header
8bit
<header_fla
g> http
none

Select the format of this message. Valid

formats include:

format html
<format_fla none
g>
text
wml

Enter the replacement message for this

message type. Enclose the message in
quotes.
This keyword is used with the following
replacement messages:

message mm1
<string> mm3
mm4
mm7
Other replacement messages use the
bufferkeyword.

Example
In this example you have 2 groups of users that use different
replacement messages due to language and regional differences.
The first group is in the United States, and the other group is in
the United Kingdom. Different spelling and different speech
patterns mean, each group expects different messages. To keep
it simple, the format will be text only.
config system replacemsg-group
edit united_states
set comment “messages for United States customers”
config http edit 1
set msg-type bannedword set format text
set message “Your attempt to access this unauthorized web page has
been blocked. It contains off-color words that violate the banned word
list. URL = http://%%URL%%”
end
end
edit united_kingdom

534 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

set comment “messages for United Kingdom customers”

config http edit 1
set msg-type bannedword set format text
set message “Unfortunately your requested web page has been
blocked.
It appears to contain prohibited off-colour words. URL =
http://%%URL%%”
end
end

Replacemsg-image (US
Carrier)
Use this command to add, edit, or delete images to be used in
SMIL parts of replacement messages. Both image-base64 and
image-type must be present for a valid entry.
Syntax
config system replacemsg-image
edit <image_name>
set image-base64 <image_data>
set image-type <format>
end

Defaul
Variables Description
t
edit Enter the name or tag to use for this
none.
<image_name> image
Enter the image in base64 encoding.
image-base64 You can also use the graphical
none.
<image_data> interface to add images by browsing
to their location.
Select the format of the image.
Available formats include:
gif
image-type
jpeg none.
<format>

png
tiff

Confidential and Proprietary Information of ZTE CORPORATION 535

ZXSEC US CLI Reference Guide

Session-helper
A session helper binds a service to a TCP or UDP port. By default,
there are session helpers that bind services to standard ports.
Use this command to configure a new session helper or to edit
an existing one.
Syntax
config system session-helper
edit <helper-number>
set name <helper-name>
set port <port_number>
set protocol <protocol_number>
end

TABLE 144 SERVICES, PORTS, AND PROTOCOLS

1 pptp port 1723 protocol 6

2 h323 port 1720 protocol 6
3 ras port 1719 protocol 17
4 tns port 1521 protocol 6
5 tftp port 69 protocol 17
6 rtsp port 23 protocol 6
7 rtsp port 25 protocol 6
8 ftp port 21 protocol 6
9 rtsp port 554 protocol 6
10 rtsp port 7070 protocol 6
11 pmap port 111 protocol 17
12 mms port 1863 protocol 6
13 pmap port 111 protocol 6

Keywords and
Description Default
variables
Enter the number of the
session-helper that you want
to edit, or enter an unused No
edit <helper-number>
number to create a new default.
session-helper.
The name of the session
helper. One of:
dns-tcp, dns-udp, ftp, h245I, No
name <helper-name>
h245O, h323, ident, mms, default.
pmap, pptp, ras, rtsp, sip,
tftp, tns.

536 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Keywords and
Description Default
variables
Enter the port number to use No
port <port_number>
for this protocol. default.
The protocol number for this
protocol service, as defined in No
<protocol_number> default.
RFC 1700.

Example
Use the following commands to edit the file transfer protocol
(FTP) and change it to port 111, but remain as protocol 6:
config system session-helper edit 8
set name ftp set port 111 set protocol 6
end

Session-sync
Use this command to configure TCP session synchronization
between two standalone ZXSEC US units. You can use this feature
with external routers or load balancers configured to distribute or
load balance TCP sessions between two peer ZXSEC US units. If
one of the peers fails, session failover occurs and active sessions
fail over to the peer that is still operating. This failover occurs
without any loss of data.
As well the external routers or load balancers will detect the
failover and re-distribute all sessions to the peer that is still
operating.

Note:
TCP session synchronization between two standalone ZXSEC US
units is also sometimes called standalone session
synchronization or session synchronization between non-HA
ZXSEC US units.
Standalone session synchronization can be used instead of HA to
provide session synchronization between two peer ZXSEC US
units. If the external load balances direct all sessions to one peer
the
affect is similar to active-passive HA. If external load balancers
or routers load balance traffic to both peers, the affect is similar
to active-active HA. The load balancers should be configured so
that all of the packets for any given session are processed by the
same peer. This includes return packets.
Unlike HA, standalone session synchronization does not include
configuration synchronization. In fact, the configuration of the
two peers is not identical because in most cases the peers would
have different

Confidential and Proprietary Information of ZTE CORPORATION 537

ZXSEC US CLI Reference Guide

IP addresses. Also unlike HA, load balancing is done by external

routers or load balancers. The ZXSEC US units only perform
session synchronization and session failover.

F I G U R E 2 S TA ND AL ON E SESSIO N SYNCHR O NI Z AT I ON

Notes and limitations

address is 192.168.20.34 and it connects to the ZXSEC US unit

internal interface.
config system snmp community edit 1
set name SNMP_Com1
set query-v2c-status disable
set trap-v2c-status disable
config hosts edit 1
set interface internal
set ip 192.168.10.34 end
end
Related topics

f system snmp sysinfo

Snmp sysinfo
Use this command to enable the ZXSEC US SNMP agent and to
enter basic system information used by the SNMP agent. Use
information about the ZXSEC US unit to identify it. When your
SNMP manager receives traps from the ZXSEC US unit, you will
know which unit sent the information.
Syntax
config system snmp sysinfo
set contact-info <info_str>
set description <description>
set location <location>
set status {enable | disable}
set trap-high-cpu-threshold <percentage>
set trap-log-full-threshold <percentage>
set trap-low-memory-threshold <percentage>
end

Keywords and
Description Default
variables
Add the contact information for
the person responsible for this
contact-info
ZXSEC US unit. The contact No default
<info_str>
information can be up to 35
characters long.
Add a name or description of
description the ZXSEC US unit. The
No default
<description> description can be up to 35
characters long.

Confidential and Proprietary Information of ZTE CORPORATION 553

ZXSEC US CLI Reference Guide

Keywords and
Description Default
variables
Describe the physical location of
the ZXSEC US unit. The system
location <location> No default
location description can be up
to 35 characters long.
status {enable | Enable or disable the ZXSEC US
disable
disable} SNMP agent.
Enter the percentage of CPU
trap-high-cpu-
used that will trigger the
threshold 80
threshold
<percentage>
SNMP trap for the high-cpu.

trap-log-full- Enter the percentage of disk

threshold space used that will trigger the
90
threshold SNMP trap for the log-
<percentage> full.
Enter the percentage of
trap-low-memory-
memory used that will be the
threshold 80
threshold
<percentage>
SNMP trap for the low-memory.

Example
This example shows how to enable the ZXSEC US SNMP agent
and add basic SNMP information.
config system snmp sysinfo set status enable
set contact-info 'System Admin ext 245'
set description 'Internal network unit'
set location 'Server Room A121'
end
Related topics
f system snmp community

Switch-interface
Use this command to group interfaces into a ‘soft-switch’ - a
switch that is implemented in software instead of hardware. A
group of switched interfaces have one IP address between them
to connect to the ZXSEC US unit. This feature is only available
on models that have the switch-mode feature Interfaces that
may be members of a ‘soft-switch’ are physical and wlan
interfaces that are not used anywhere else in US. Member
interfaces cannot be monitored by HA or used as heart beat
devices.
Syntax
config system switch-interface

554 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

edit <group_name>
set member <if1_ipv4> <if2_ipv4> ...
end

Keywords and
Description Default
variables
The name for this group of interfaces.
Cannot be in use by any other No
<group_name>
interfaces, vlans, or inter-VDOM default
links.
Enter all the interfaces that will be
member part of this switch on one line.
<if1_ipv4> Separate each by a space. No
default
<if2_ipv4> ... Use <tab> to advance through the list
of available interfaces.

Example
This example shows how to create a group of 3 interfaces called
low_speed ideally that are all at 10m speed. It assumes these
interfaces are not referred to in US by anything else.
config system switch-interface edit low_speed
set member port1 wlan dmz
end

Tos-based-priority
Use this command to prioritize your network traffic based on its
type-of-service (TOS).
IP datagrams have a TOS byte in the header (as described in
RFC 791). Four bits within this field determine the delay, the
throughput, the reliability, and cost associated with that service.
Together these bits are the tos variable of the tos-based-priority
command.
The TOS information can be used to manage network traffic
based on the needs of the application or service. TOS application
routing (RFC 1583) is supported by OSPF routing.
Syntax
config system tos-based-priority
edit <name>
set tos <ip_tos_value>
set priority [high | medium | low]
end

Variables Description Default

Confidential and Proprietary Information of ZTE CORPORATION 555

ZXSEC US CLI Reference Guide

Variables Description Default

Enter the name of the link object No
edit <name>
to create default.
Enter the value of the type of
service byte in the IP datagram
tos <ip_tos_value> 0
header. This value can be from 0
to 15.
Select the priority of this type of
service as either high, medium,
priority [high |
or low priority. These priority High
medium | low]
levels conform to the firewall
traffic shaping priorities.

Examples
It is a good idea to have your entry names in the tos-based-
priority table and their TOS values be the same. Otherwise it can
become confusing.
config tos-based-priority edit 1
set tos 1
set priority low
next
edit 4
set tos 4
set priority medium
next
edit 6
set tos 6
set priority high
next
end
Related topics
f system global
f router ospf
f execute ping-options

Vdom-link
Use this command to create an internal point-to-point interface
object. This object is a link used to join virtual domains.
Creating the interface object also creates 2 new interface objects
by the name of <name>0 and <name>1. For example if your
object was named v_link, the 2 interface objects would be

556 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

named v_link0 and v_link1. You can then configure these new
interfaces as you would any other virtual interface using config
system interface.
When using vdom-links in HA, you can only have vdom-links in
one vcluster. If you have vclusters defined, you must use the
vcluster keyword to determine which vcluster will be allowed to
contain the vdom-links.
As of US v3.0 MR3, inter-VDOM links support BGP routing.
As of US v3.0 MR6, DHCP is supported on inter-VDOM links.
For more information on the vdom-link command see
“Configuring inter-VDOM routing” and the ZXSEC US VLANs and
VDOMs Guide.
Syntax
config system vdom-link
edit <name>
end

Variables Description Default

Variable Description Default

The RTS threshold is the
maximum size, in bytes, of a
packet that the USWiFi will
accept without sending
RTS/CTS packets to the sending
wireless device. In some cases,
larger packets being sent may
cause collisions, slowing data
transmissions.
rts_threshold
Range 256-2347. 2347
<integer>
A setting of 2347 bytes
effectively disables this option.
This is available in AP mode
only.
For the 120W unit, see wifi-
rts_threshold <integer>
in the system interface
command.
Enter security (encryption)
mode:
None - Communication is
not encrypted.
WEP64 - WEP 64-bit
encryption
WEP128 - WEP 128-bit
encryption
WPA_PSK - WPA
security <sec_mode> encryption with pre-shared None
key
This is available in AP
mode only.
WPA_RADIUS - WPA
encryption via RADIUS
server. This is available in
AP mode only.
For the 120W unit, see wifi-
security <sec_mode> in the
system interface command.
Change the Service Set ID
(SSID) as required.
The SSID is the wireless
network name that the 120W
broadcasts. Users who wish to
use the 120W wireless network
ssid <ssid_string> should configure their USnet
computers to
connect to the network that
broadcasts this network name.
For the 120W unit, see wifi-ssid
<id_str> in the system
interface command.

562 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 13 User

Example
This example shows how to configure the wireless interface.
config system wireless settings
set channel 4
set geography Americas
set security WEP128
set ssid test_wifi
end
Related topics
f system interface
f system vdom-link
f wireless mac-filter

Zone
Use this command to add or edit zones.
In NAT/Route mode, you can group related interfaces or VLAN
subinterfaces into zones. Grouping interfaces and subinterfaces
into zones simplifies policy creation. For example, if you have
two interfaces connected to the Internet, you can add both of
these interfaces to the same zone. Then you can configure
policies for connections to and from this zone, rather than to and
from each interface.
In Transparent mode you can group related VLAN subinterfaces
into zones and add these zones to virtual domains.
Syntax
config system zone edit <zone_name>
set interface <name_str>
set intrazone {allow | deny}
end

Keywords and
Description Default
variables
Enter the name of a new or
edit <zone_name>
existing zone.
Add the specified interface to this
zone. You cannot add an interface No
interface <name_str>
if it belongs to another zone or if default.
firewall policies are defined for it.
Allow or deny traffic routing
intrazone {allow |
between different interfaces in deny
deny}
the same zone.

Confidential and Proprietary Information of ZTE CORPORATION 563

ZXSEC US CLI Reference Guide

Example
This example shows how to add a zone named Zone1, add the
internal interface to it, and to deny routing between different
zones.
config system zone
edit Zone1
set interface internal
set intrazone deny
end
Related topics
system interface

564 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 14 User

Chapter 14

User

Overview
This chapter covers:
configuration of the ZXSEC US unit to use external
authentication servers, including
Windows Active Directory
configuration of user accounts and user groups for firewall
policy authentication, administrator authentication and some
types of VPN authentication
configuration of peers and peer groups for IPSec VPN
authentication and PKI user authentication
configuration of dynamic profiles and msisdn filters (US
Carrier)
This chapter contains the following sections:
Configuring users for authentication
adgrp
dynamic-profile (US Carrier)
endpoint-bwl (US Carrier)
endpoint-ip-filter (US Carrier)
endpoint-translation (US Carrier)
fsae
group
ldap
loca
peer
peergrp
radius

Confidential and Proprietary Information of ZTE CORPORATION 565

ZXSEC US CLI Reference Guide

settings
tacac+

Configuring users for

authentication
This chapter covers two types of user configuration:
users authenticated by password
users, sites or computers (peers) authenticated by certificate
Configuring users for password authentication

You need to set up authentication in the following order:

1. If external authentication is needed, configure the required
servers.
See “user radius”.
See “user ldap”.
See “user tacacs+”
For Windows Active Directory, see “user fsae”.
2. Configure local user identities.
For each user, you can choose whether the ZXSEC US unit or an
external authentication server verifies the password.
See “user local”.
3. Create user groups.
Add local users to each user group as appropriate. You can also
add an authentication server to a user group. In this case, all
users in the server’s database can authenticate to the ZXSEC US
unit.
See “user group”.
For Windows Active Directory, also see “user adgrp”.
Configuring peers for certificate authentication
If your ZXSEC US unit will host IPSec VPNs that authenticate
clients using certificates, you need to prepare for certificate
authentication as follows:
1. Import the CA certificates for clients who authenticate with a
ZXSEC US unit VPN using certificates.
See “vpn certificate ca”.
2. Enter the certificate information for each VPN client (peer).
See “user peer”.

566 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 14 User

3. Create peer groups, if you have VPNs that authenticate by

peer group. Assign the appropriate peers to each peer group.
See “user peergrp”.
For detailed information about IPSec VPNs, see the 《ZXSEC US
IPSec VPN Guide 》 . For CLI-specific information about VPN
configuration, see the VPN chapter of this Reference.

Adgrp
Use this command to list Active Directory user groups.
Syntax
get user adgrp [<adgroupname>]
If you do not specify a group name, the command returns information for
all Active Directory groups. For example:
== [ DOCTEST/Cert Publishers ]
name: DOCTEST/Cert Publishers server-name: ADserv1
== [ DOCTEST/Developers ]
name: DOCTEST/Developers server-name: ADserv1
== [ DOCTEST/Domain Admins ]
name: DOCTEST/Domain Admins server-name: ADserv1
== [ DOCTEST/Domain Computers ]
name: DOCTEST/Domain Computers server-name: ADserv1
== [ DOCTEST/Domain Controllers ]
name: DOCTEST/Domain Controllers server-name: ADserv1
== [ DOCTEST/Domain Guests ]
name: DOCTEST/Domain Guests server-name: ADserv1
== [ DOCTEST/Domain Users ]
name: DOCTEST/Domain Users server-name: ADserv1
== [ DOCTEST/Enterprise Admins ]
name: DOCTEST/Enterprise Admins server-name: ADserv1
== [ DOCTEST/Group Policy Creator Owners ]
name: DOCTEST/Group Policy Creator Owners server-name: ADserv1
== [ DOCTEST/Schema Admins ]
name: DOCTEST/Schema Admins server-name: ADserv1
If you specify an Active Directory group name, the command returns
information for only that group. For example:
name : DOCTEST/Developers server-name : ADserv1

Confidential and Proprietary Information of ZTE CORPORATION 567

ZXSEC US CLI Reference Guide

The server-name is the name you assigned to the Active

Directory server when you configured it in the user fsae
command.
Related topics
user fsae
execute fsae refresh

Dynamic-profile (US Carrier)

Dynamic profiles apply protection profiles on a per-user basis
rather than a per-policy basis. If dynamic profiles are enabled,
the ZXSEC US unit listens for RADIUS accounting start and stop
messages to learn the mapping of user names, IP addresses, and
protection profiles.
The ZXSEC US unit gets the protection profile information from
an administrator-configured attribute in the RADIUS accounting
start message.
Syntax
config user dynamic-profile
set context-timeout <timeout_seconds>
set endpoint-attribute <endpoint_attribute>
set hold-time <proxy_hold_time>
set log-flags <lflags>
set log-period <log_time>
set mem-percent <memory_percent>
set profile-attribute <profile_attribute_name>
set profile-attribute-key <profile_attribute_key>
set radius-response {enable | disable}
set radius-server-port <radius_listen_port>
set secret <server_password>
set status
set validate-request-secret {enable | disable}
set vdom <vdom-name>
end

Keywords and
Description Default
variables
Timeout value for user context
context-timeout
table entries. In seconds, 28800
<timeout_seconds>
0 disables the timeout feature.

568 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 14 User

Keywords and
Description Default
variables
endpoint-attribute
RADIUS attribute used to hold
<endpoint_attribute Endpoint name.
>
Time to hold in proxy connection
hold-time state to receive RADIUS START. In
seconds, 0 disables the feature and 5
<proxy_hold_time> the proxy will wait until the session
times out.
Enter one or more of the following
options, separated by spaces:
none disable all RADIUS event
logging accounting-event enable to
log accounting events accounting-
stop- enable to log missed
accounting All
missed events options
log-flags <lflags>
context-missingenable to log except
missing context errors profile- none.
missing enable to log missing
profile errors protocol-error enable
to log protocol errors radiusd-other
enable to log other radius
log
messages
Enter the minimum time period to
log-period
use for event logs. In seconds, 0 0
<log_time>
means forever.
mem-percent Maximum percentage of system
<memory_percent memory to use for context tables. 4
> CLI only.

RADIUS attribute used to hold the

firewall protection profile name.
Details regarding standard RADIUS
profile-attribute
attributes are found in
<profile_attribute_ Class
RFC 2138 Remote Authentication
name>
Dial In User Service
(RADIUS) and RFC RADIUS
Accounting.
profile-attribute-
key Key that contains the profile name
No
in the profile- attribute. Maximum
<profile_attribute_k default.
36 characters.
ey>
radius-response
{enable | Enable to send RADIUS response
disable
packets.
disable}
radius-server-port
Enter the udp port to listen on for
<radius_listen_port 1813
RADIUS accounting packets.
>

Confidential and Proprietary Information of ZTE CORPORATION 569

ZXSEC US CLI Reference Guide

Keywords and
Description Default
variables
Enter the RADIUS server shared
secret No
secret for responses/validating
<server_password> default.
requests.
Enable dynamic profile queries for
protection profile features. The
following options are available:
status-ussrv Usservice overrides
status-ftp FTP
status-http HTTP, MM1, and
MM7
status enable
status-imap IMAP
status-im-ips IM, IPS, and VOIP
status-log log messages
status-nntp NNTP
status-pop3 POP3
status-smtp SMTP
validate-request- Enable to validate RADIUS request
secret shared secret. Maximum 12 disable
{enable | disable} characters.

Enter/select the vdom to use for

vdom <vdom- sending/receiving RADIUS
root
name> packets. Only available in VDOM
mode.

Example
This example shows how to enable a dynamic profile in the root
vdom that will send RADIUS responses/validate the RADIUS
request secret, will use the default profile if the HTTP header is
not present in the MMS transaction, and log all events.
config user dynamic-profile set status enable
set vdom “root”
set radius-response enable
set validate-request-secret enable set http-header-status enable
set http-header-fallback default-profile
set log-flags protocol-error profile-missing context-missing accounting-
stop-missed accounting-event radiusd-other
end
Related topics
f endpoint-bwl (US Carrier)
f endpoint-ip-filter (US Carrier)
f endpoint-translation (US Carrier)

570 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 14 User

Endpoint-bwl (US Carrier)

From a protection profile, it is possible to enable a BLOCK or
ARCHIVE option for a lists of End Points from a catalog of lists.
With End Point filtering, MM1/3/4/7 messages are filtered by the
End Point specified in the ‘from’ and ‘to’ addresses.
When a user request arrives, the user’s End Point is checked to
determine the protection profile that should be applied. If the
user is found in the table, the specified protection profile is
applied, otherwise the default profile specified in the firewall
policy is applied.
There can be multiple End Point filter lists that can be associated
with each protection profile.
Syntax
config user endpoint-bwl
edit <endpoint_list_integer>
set comment endpoint_list_comment
config entries
edit endpoint-expression <endpoint_expression>
set pattern-type {regexp | wildcard | simple }
set action {none | block | exempt-mass-MMS | exempt }
set log-action {archive | intercept}
set status {enable | disable}
next
set name <endpoint_list_name>
next
end

Keywords and
Description Default
variables
The action (or actions archiveand
intercept) to take if the End Point
expression is found in the list.
none: no action is taken

action {none | block: message is not delivered

block | exempt- to intended recipient, log
message in AV LOG as blocked block
mass-MMS |
exempt } due to End Point
exempt-mass-MMS: no mass
MMS scanning performed
exempt: exempt user
messages from all scanning

Confidential and Proprietary Information of ZTE CORPORATION 571

ZXSEC US CLI Reference Guide

Keywords and
Description Default
variables

archive: message is delivered

to intended recipient, MMS
transaction forwarded to Usla
archive, entry generated in
content summary for ZXSEC US
log-action {archive unit
| disable
intercept: message delivered to
intercept}
intended recipient, files are
quarantined based on
quarantine configuration,
log message in AV LOG as
intercepted due to End Point.
Optional description of the End Point
filter list. The comment text must
endpoint_list_com
be less than 63 characters long, or null
ment
it will be truncated. Spaces are
replaced with a plus sign (+).
endpoint-
expression The End Point expression to use for
No
filtering/searching. Enclose in
<endpoint_expressi default
quotation marks.
on>
<endpoint_list_inte A unique number to identify the No
ger> End Point filter list. default
name
The name of the End Point filter
<endpoint_list_nam null
list.
e>
Set the pattern type for the banned
pattern-type word. Choose from regexp,
{regexp | wildcard., or simple. Create
wildcard
patterns for banned End Point
wildcard | simple } expressions using Perl regular
expressions or wildcards.
Enable End Point filter search for
status {enable |
End Point expression in endpoint- disable
disable}
expression.

Example
The following example details the End Point filter list
EndPoint2+List. Entries combine features including the action
(none, block, exempt from mass MMS, exempt from all scanning),
status (enable/disable), and pattern type (wildcard/regular
expression/single End Point).
config user endpoint-bwl
edit 2
set comment "Description+of+EndPoint2+list."
config entries edit "*504*"
set action exempt-mass-mms

572 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 14 User

set pattern-type wildcard

set status enable
next
edit "6449675"
set pattern-type regexp
set status enable
next
edit "6132259381"
set action block
set log-action archive intercept
set pattern-type simple
set status enable next
edit "*555*"
set action exempt-mass-mms
set log-action archive intercept
set pattern-type wildcard
set status enable next
end
set name "EndPoint+List+2"
next
end
end
Related topics
dynamic-profile (US Carrier)
endpoint-ip-filter (US Carrier)
endpoint-translation (US Carrier)

Endpoint-ip-filter (US Carrier)

In mobile networks, neither the username nor the IP address can
be used to identify a specific user. The only element unique to a
user is the End Point. The End Point IP filter provides a
mechanism to block network access for a specific list of End
Points, in addition to the black/white list capability for MMS
transactions configured in the protection profile.
The End Point IP filter feature uses an End Point filter list created
using the CLI command config user endpoint-bwl. To set up an
End Point IP filter, you must create the End Point filter list prior
to enabling the End Point IP filter feature.

Confidential and Proprietary Information of ZTE CORPORATION 573

ZXSEC US CLI Reference Guide

Note:
With the End Point IP Filter, only the block action applies, there
is no intercept or archive capability.
Syntax
config user endpoint-ip-filter
edit endpoint_filter_list_integer
set log-status {enable | disable}
next
end

Keywords and
Description Default
variables
endpoint_filter_list_integ A unique number to identify No
er the End Point IP filter list. default
Enable End Point IP filter
log-status {enable |
search for End Point disable
disable}
expression.

Related topics
dynamic-profile (US Carrier)
endpoint-bwl (US Carrier)
endpoint-translation (US Carrier)

Endpoint-translation (US
Carrier)
With End Point filtering, MM1/3/4/7 messages are filtered by the
End Point specified in the ‘from’ or ‘to’ addresses. End Point
filtering is available in VDOM mode, on a per-vdom basis.
The End Point information is normally found in the HTTP header,
but there is a variety of formats and in some cases, a
requirement to extract this information from a cookie. The
endpoint-translation feature sets up the process to extract the
End Point information if it is not present in the HTTP header.
Syntax
config user endpoint-translation
set missing-header-fallback <policy-profile | session-ip>
set endpoint-header <endpoint_header_title>
set profile-query-type < extract-ip | extract-endpoint | session-ip >
set endpoint-prefix {enable | disable}
set endpoint-prefix-string <prefix_string>

574 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 14 User

set endpoint-prefix-range-min <prefix_range_min>

set endpoint-prefix-range-max <prefix_range_max>
set endpoint-header-suppress {enable | disable}
set endpoint-source {http-header | cookie}
set endpoint-convert-hex {enable | disable}
set ip-header <ip_header_name>
set ip-header-suppress {enable | disable}
end

Keywords and
Description Default
variables
Specify method to determine user
identification if http_header is not
missing-header- present in the End Point
fallback information. policy-
<policy-profile | policy-profile: use the default profile
session-ip> profile
session-ip: use the ip header
address
endpoint-header x-up-
Name of the End Point header. Up
<endpoint_header_ calling-
to 64 character maximum. String.
title> line-id

Select the method used to suppress

the address header used to set up
a dynamic profile query from the
HTTP request as it is passed
profile-query-type through the ZXSEC US unit. The
< extract-ip | header may be either the End Point session-
extract- endpoint | header or the IP header. ip
session-ip >
extract-ip: query by extracted ip
address extract-endpoint: query by
extracted End Point session-ip:
query by ip session address
endpoint-prefix Enable to add the country code to
{enable | the extracted End Point for logging disable
disable} and notification.

endpoint-prefix- The alphanumeric string of the End

string Point prefix. Only available if null
<prefix_string> endpoint-prefixis enabled.

Minimum number of characters in

endpoint-prefix- the endpoint prefix string. Range is
range- min integer 1 - 16. null
<prefix_range_min
> Only available if endpoint-prefix is
enabled.
Maximum number of characters in
endpoint-prefix- the endpoint prefix string. Range is
range- max integer 1 - 16. null
<prefix_range_max
> Only available if endpoint-prefix is
enabled.

Confidential and Proprietary Information of ZTE CORPORATION 575

ZXSEC US CLI Reference Guide

Keywords and
Description Default
variables
Select the source of the End Point
identifier.
endpoint-source
http-header: source is the http http-
{http- header |
header field in the sender’s address header
cookie}
cookie: source is the attributes of
the sender’s address cookie
endpoint-convert- Enable to convert the sender
hex address from HEX to ASCII, if disable
{enable | disable} required, for blocking and logging.

Name of IP header. Only available

ip-header X-Up-
if profile-query- type is session-ip.
Forward
<ip_header_name> Up to 64 character maximum.
ed- For
String.
Enable to suppress the IP header
ip-header-suppress
address. Only available if disable
{enable | disable}
profile-query-type is session-ip.

Example
This example shows how to configure End Point filtering address
translation with the name ‘enable’ that uses the session IP
address (including the ability to convert from HEX to ASCII) and
is able to remove the address header to set up the dynamic
profile from the HTTP request:
config user endpoint-translation
set missing-header-fallback session-ip
set profile-query-type extract-ip
set endpoint-header “enable”
set endpoint-convert-hex
set ip-header-suppress enable
end
Related topics
dynamic-profile (US Carrier)
endpoint-bwl (US Carrier)
endpoint-ip-filter (US Carrier)

Fase
Use this command to configure the ZXSEC US unit to receive
user group information from a Windows Active Directory server
equipped with the USnet Server Authentication Extensions
(FSAE). You can specify up to five computers on which a FSAE
collector agent is installed. The ZXSEC US unit uses these
collector agents in a redundant configuration. If the first agent

576 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 14 User

fails, the ZXSEC US unit attempts to connect to the next agent in

the list.
You can add Windows user groups to Active Directory type user
groups for authentication in firewall policies.
Syntax
config user fsae
edit <server_name>
set ldap_server <ldap-server-name>
set password <password> password2 <password2> password3
<password3> password4 <password4> password5 <password5>
set password2 <password2>
set password3 <password3>
set password4 <password4> set password5 <password5>
set port <port_number> <port_number2>
set port <port_number2>
set port <port_number3>
set port <port_number4>
set port <port_number5>
set server <domain> server2 <domain2> server3 <domain3>
server4 <domain4> server5 <domain5>
set server2 <domain2>
set server3 <domain3>
set server4 <domain4>
set server5 <domain5>
end

Keywords and Defau

Description
variables lt
Enter a name to identify the Windows
AD server.
edit Enter a new name to create a new No
<server_name> server definition or enter an existing default.
server name to edit that server
definition.
Enter the name of the LDAP server to
ldap_server <ldap- be used to access the No
server- name> default.
Windows AD.

Confidential and Proprietary Information of ZTE CORPORATION 577

ZXSEC US CLI Reference Guide

Keywords and Defau

Description
variables lt
password
<password>
password2
<password2>
password3 For each collector agent, enter the No
<password3> password. default.
password4
<password4>
password5
<password5>
port
<port_number>
<port_number2> For each collector agent, enter the
port number used for communication 8000
<port_number3>
with ZXSEC US units.
<port_number4>
<port_number5>
server <domain>
server2 <domain2> Enter the domain name or IP address
No
server3 <domain3> for up to five collector agents. Range
default.
server4 <domain4> from 1 to 63 characters.
server5 <domain5>

Related topics
user group
execute fsae refresh
firewall policy, policy6

Group
Use this command to add or edit user groups. There are three
types of user groups:
Firewall user group Provides access to firewall policies that require
authentication. A firewall policy specifies the user groups that are
allowed to use the policy. Members of a firewall user group can be local
users defined in user local, peer members defined in user peer, or
accounts on RADIUS or LDAP servers configured in user radius or
user ldap. Users must provide a user name and password to use the
firewall policy.
SSL-VPN user group Provides access to the ZXSEC US SSL-VPN
tunnel and SSL-VPN web applications. Members of an SSL-VPN user
group can be local users defined in user local or accounts on RADIUS
or LDAP servers configured in user radius or user ldap. Users
authenticate using their VPN client or through the SSL-VPN web portal
login page.
Active Directory user group Provides access to firewall policies that
require authentication. Members of an Active Directory user group are
members of selected Active Directory user groups on Active Directory

578 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 14 User

servers configured in user fsae. Users are authenticated when they

Example
This example shows how to add a group named User_Grp_1, and
add User_2, User_3, Radius_2 and
LDAP_1 as members of the group, and set the protection profile
to strict:
config user group edit User_Grp_1
set member User_2 User_3 Radius_2 LDAP_1

584 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 14 User

set profile strict

end
Related topics
user ldap
user local
user radius
user tacacs+

Chapter 14 User

set passwd <password_str>

set radius-server <servername>
set status {enable | disable}
set type <auth-type>
end

Keywords and
Description Default
variables
Enter the user name. Enter a new
name to create a new user account
edit <username>
or enter an existing user name to
edit that account.
Enter the name of the LDAP server
with which the user must
authenticate. You can only select an
ldap-server LDAP server that has been added to No
<servername> the list of LDAP servers. See “ldap”.
default.

This is available when type is set to

ldap.
Enter the password with which the
user must authenticate. Passwords
at least 6 characters long provide
passwd better security than shorter No
<password_str> passwords.
default.

This is available when type is set to

password.
Enter the name of the RADIUS
server with which the user must
authenticate. You can only select a
radius-server RADIUS server that has been added No
<servername> to the list of RADIUS servers. See default.
“radius” .
This is available when type is set to
radius.
Enter enableto allow the local user
status {enable | to authenticate with the enable
disable}
ZXSEC US unit.
Enter one of the following to specify No
type <auth-type>
how this user’s password is verified: default.

The LDAP server

specified in
ldap
ldap-serververifies the
password.
The ZXSEC US unit
verifies the password
password
against the value of
passwd.

Confidential and Proprietary Information of ZTE CORPORATION 589

ZXSEC US CLI Reference Guide

Keywords and
Description Default
variables
The RADIUS server
specified in
radius
radius-server verifies
the password.

Example
This example shows how to add and enable a local user called
Admin7 for authentication using the RADIUS server RAD1.
config user local
edit Admin7
set status enable
set type radius
set radius-server RAD1
end
This example shows how to change the authentication method
for the user Admin7 to password and enter the password.
config user local
edit Admin7
set type password
set passwd abc123
end
Related topics
user group
user ldap
user radius
user tacacs+

Peer
Use this command to add or edit peer (digital certificate holder)
information. You use the peers you define here in the config
vpn ipsec phase1 command if you specify peertype as peer.
Also, you can add these peers to peer groups you define in the
config user peergrp command.
For PKI user authentication, you can add or edit peer information
and configure use of LDAP server to check access rights for client
certificates.
This command refers to certificates imported into the ZXSEC US
unit. You import CA certificates using the vpn certificate ca

590 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 14 User

command. You import local certificates using the vpn

certificate local command.
You can configure a peer user with no values in subject or ca.
This user behaves like a user account or policy that is disabled.

Note:
If you create a PKI user in the CLI with no values in subject or
ca, you cannot open the user record in the GUI, or you will be
prompted to add a value in Subject (subject) or CA (ca).
Syntax
config user peer
edit <peer_name>
set ca <ca_name>
set cn <cn_name>
set cn-type <type>
set ldap-password <ldap_password>
set ldap-server <ldap_server>
set ldap-username <ldap_user>
set subject <constraints>
end

Keywords and
Description Default
variables
Enter the CA certificate name, as
No
ca <ca_name> returned by execute vpn certificate ca
default.
list.
Enter the peer certificate common No
cn <cn_name>
name. default.
Enter the peer certificate common
cn-type <type> string
name type:
Fully-qualified domain
FQDN
name.
email The user’s email address.
The user’s IP address
ipv4
(IPv4).
The user’s IP address
ipv6
(IPv6).
Any other piece of
string
information.
Enter the peer name. Enter a new
edit name to create a new peer or enter No
<peer_name> an existing peer name to edit that default.
peer’s information.

Confidential and Proprietary Information of ZTE CORPORATION 591

ZXSEC US CLI Reference Guide

Keywords and
Description Default
variables
ldap-password Enter the login password for the LDAP
No
<ldap_password server used to perform client access
default.
> rights check for the defined peer.

Enter the name of one of the LDAP

ldap-server servers defined under ‘config user
null
<ldap_server> ldap’ used to perform client access
rights check for the defined peer.

ldap-username Enter the login name for the LDAP

server used to perform client access null
<ldap_user> rights check for the defined peer.
subject Optionally, enter any of the peer No
<constraints> certificate name constraints. default.

Example
This example shows how to add the branch_office peer.
Configure the peer using the CA certificate name and peer
information:
config user peer
edit branch_office
set ca CA_Cert_1
set cn ouraddress@example2.com
set cn-type email
end
Configure the peer with empty subject and ca fields.
config user peer
edit peer2
end
Related topics
user peergrp
vpn ipsec phase1
vpn certificate ca
vpn certificate local

Peergrp
Use this command to add or edit a peer group. Peers are digital
certificate holders defined using the config user peer command.
You use the peer groups you define here in the config vpn ipsec
phase1 command if you specify peertype as peergrp.

592 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 14 User

For PKI user authentication, you can add or edit peer group
member information. User groups that use
PKI authentication can also be configured using config user
group.
Syntax
config user peergrp
edit <groupname>
set member <peer_names>
end

Keywords and
Description Default
variables
Enter a new name to create a
new peer group or enter an
edit <groupname>
existing group name to edit that
group.
Enter the names of peers to add
to the peer group. Separate
names by spaces. To add or
member No
remove names from the group
<peer_names> default.
you must re-enter the whole list
with the additions or deletions
required.

Example
This example shows how to add peers to the peergrp
EU_branches.
config user peergrp edit EU_branches
set member Sophia_branch Valencia_branch Cardiff_branch
end
Related topics
user peer
vpn ipsec phase1
vpn l2tp
vpn pptp

Radius
Use this command to add or edit the information used for
RADIUS authentication.
The default port for RADIUS traffic is 1812. If your RADIUS
server is using a different port you can change the default
RADIUS port. You may set a different port for each of your
RADIUS servers.

Confidential and Proprietary Information of ZTE CORPORATION 593

ZXSEC US CLI Reference Guide

The RADIUS server is now provided with more information to

make authentication decisions, based on values in server, use-
management-vdom, use-group-for-profile, and nas-ip.
Attributes include:
NAS-IP-Address - RADIUS setting or IP address of ZXSEC US
interface used to talk to RADIUS server, if not configured
NAS-Port - physical interface number of the traffic that
triggered the authentication
Called-Station-ID - same value as NAS-IP Address but in text
format
USnet-Vdom-Name - name of VDOM of the traffic that
triggered the authentication
NAS-Identifier - configured hostname in non-HA mode; HA
cluster group name in HA mode
Acct-Session-ID - unique ID identifying the authentication
session
Connect-Info - identifies the service for which the
authentication is being performed (web-auth, vpn-ipsec, vpn-
pptp, vpn-l2tp, vpn-ssl, admin-login, test)
You may select an alternative authentication method for each
server. These include CHAP, PAP, MS- CHAP, and MS-CHAP-v2.
Syntax
config user radius
edit <server_name>
set all-usergroup {enable | disable}
set auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}
set nas-ip <use_ip>
set radius-port <radius_port_num>
set secondary-secret <sec_server_password>
set secondary-server <sec_server_domain>
set secret <server_password>
set server <domain>
set use-group-for-profile {enable | disable}
set use-management-vdom {enable | disable}
end

594 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 14 User

Keywords and
Description Default
variables
Enter a name to identify the
RADIUS server.
edit Enter a new name to create a new
<server_name> server definition or enter an
existing server name to edit that
server definition.
all-usergroup
{enable | Enable to automatically include this
disable
RADIUS server in all user groups.
disable}
Select the authentication method
auth-type {auto | for this RADIUS server.
chap | ms_chap | auto
ms_chap_v2 | pap} auto uses pap, ms_chap_v2, and
chap.
IP address used as NAS-IP-Address
and
Called-Station-ID attribute in
RADIUS access requests. No
nas-ip <use_ip>
default.
RADIUS setting or IP address of US
interface used to talk with
RADIUS server, if not configured.

radius-port Change the default RADIUS port for

this server. The default port for
<radius_port_num 1812
RADIUS traffic is 1812. Range is
> 0..65535.
secondary-secret
Enter the secondary RADIUS server No
<sec_server_passw shared secret. default.
ord>
secondary-server Enter the secondary RADIUS server
domain name or IP No
<sec_server_domai default.
n> address.
secret
Enter the RADIUS server shared No
<server_password
secret. default.
>
Enter the RADIUS server domain No
server <domain>
name or IP address. default.
use-management- Enable to use the management
vdom VDOM to send all RADIUS disable
{enable | disable} requests.
use-group-for- Enable to use RADIUS group
profile attribute to select the protection disable
{enable | disable} profile.

Example
This example shows how to add the radius server RAD1 at the IP
address 206.205.204.203 and set the shared secret as
R1a2D3i4U5s.
config user radius

Confidential and Proprietary Information of ZTE CORPORATION 595

ZXSEC US CLI Reference Guide

edit RAD1
set secret R1a2D3i4U5s
set server 206.205.204.203
end
Related topics
user group
user ldap
user local
user tacacs+

Settings
Use this command to change per VDOM user settings such as the
firewall user authentication time out and protocol support for
firewall policy authentication.
user settings differ from system global settings in that system
global settings keywords apply to the entire ZXSEC US unit,
where user settings keywords apply only to the user VDOM.
Syntax
config user setting
set auth-cert <cert_name>
set auth-keepalive {enable | disable}
set auth-secure-http {enable | disable}
set auth-type {ftp | http | https | telnet}
set auth-timeout <auth_timeout_minutes>
end

Keywords and
Description Default
variables
HTTPS server certificate for policy
authentication. USnet_Factory,
USnet_Firmware (if applicable to
auth-cert
your ZXSEC US unit), and self- self- sign
<cert_name>
sign are built-in certificates but
others will be listed as you add
them.
Enable to extend the
auth-keepalive authentication time of the session
disable
{enable | disable} through periodic traffic to prevent
an idle timeout.

auth-secure-http Enable to have httpuser

authentication redirected to disable
{enable | disable} secure channel - https.

596 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 14 User

Keywords and
Description Default
variables
Set the user authentication
auth-type {ftp | protocol support for firewall policy
http | authentication. User controls
https | telnet} which protocols should support
the authentication challenge.
Set the number of minutes before
the firewall user authentication
timeout requires the user to
auth-timeout authenticate again.
<auth_timeout_min The maximum authtimeout 5
utes> interval is 480 minutes (8 hours).
To improve security, keep the
authentication timeout at the
default value of 5 minutes.

Example
This example shows how to enable https user authentication, and
set the firewall user authentication timeout to 15 minutes.
config user setting set auth-type https
set auth-timeout 15
end

Tacacs+
Use this command to add or edit the information used for
TACACS+ authentication.
Terminal Access Controller Access-Control System (TACACS+) is
a remote authentication protocol used to communicate with an
authentication server. TACACS+ allows a client to accept a
username and password and send a query to a TACACS+
authentication server. The server host determines whether to
accept or deny the request and sends a response back that
allows or denies network access to the user.
The default port for a TACACS+ server is 49.
You may select an alternative authentication method for each
server. These include CHAP, PAP, MS- CHAP, and ASCII.
Syntax
config user tacacs+
edit <server_name>
set authen-type {ascii | auto | chap | ms_chap | pap}
set key <server_key>
set tacacs+-port <tacacs+_port_num>
set server <domain>

Confidential and Proprietary Information of ZTE CORPORATION 597

ZXSEC US CLI Reference Guide

end

Keywords and
Description Default
variables
Enter a name to identify the
TACACS+ server.
edit Enter a new name to create a new
<server_name> server definition or enter an
existing server name to edit that
server definition.
authen-type {ascii | Select the authentication method
auto for this TACACS+ server.
auto
| chap | ms_chap | auto uses pap, ms_chap_v, and
pap} chap, in that order.
key <server_key> Enter the key to access the server.

tacacs+-port Change the default TACACS+ port

for this server. The default port for
<tacacs+_port_nu 49
TACACS+ traffic is 49. Range is
m> 0..65535.
Enter the RADIUS server domain No
server <domain>
name or IP address. default.

Example
This example shows how to add the TACACS+ server TACACS1 at
the IP address 206.205.204.203, set the server key as
R1a2D3i4U5s, and authenticate using PAP.
config user tacacs+
edit TACACS1
set authen-type pap set key R1a2D3i4U5s
set server 206.205.204.203
end
Related topics
user group
user local
user ldap
user radius

598 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15

Vpn

Overview
Use vpn commands to configure options related to virtual private
networking through the ZXSEC US unit, including:
IPSec operating parameters
a local address range for PPTP or L2TP clients
SSL VPN configuration settings
This chapter contains the following sections:
certificate ca
certificate crl
certificate local
certificate ocsp
certificate remote
ipsec concentrator
ipsec USDesktop
ipsec manualkey
ipsec manualkey-interface
ipsec phase1
ipsec phase1-interface
ipsec phase2
ipsec phase2-interface
l2tp
pptp
ssl monitor
ssl settings
ssl web bookmarks

Confidential and Proprietary Information of ZTE CORPORATION 599

ZXSEC US CLI Reference Guide

ssl web bookmarks-group

ssl web favorite

Certificate ca
Use this command to install Certificate Authority (CA) root
certificates.
When a CA processes your Certificate Signing Request (CSR), it
sends you the CA certificate, the signed local certificate and the
Certificate Revocation List (CRL).
1. The process for obtaining and installing certificates is as
follows:
2. Use the execute vpn certificate local command to
generate a CSR. Send the CSR to a CA. The CA sends you the
CA certificate, the signed local certificate and the CRL.
3. Use the vpn certificate local command to install the
signed local certificate.
4. Use the vpn certificate ca command to install the CA
certificate.
5. Use the vpn certificate crl command to install the
CRL.Depending on your terminal software, you can copy the
certificate and paste it into the command.
Syntax
config vpn certificate ca
edit <ca_name>
set ca <cert>
end
To view all of the information about the certificate, use the get
command:
get vpn certificate ca <ca_name>

<keyword> Description
edit
Enter a name for the CA certificate.
<ca_name>
ca <cert> Enter or retrieve the CA certificate in PEM format.

Related topics
vpn certificate crl
vpn certificate local
vpn certificate ocsp
vpn certificate remote
execute vpn certificate ca

600 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15 Vpn

Certificate crl
Use this command to install a Certificate Revocation List (CRL).
When a CA processes your Certificate Signing Request (CSR), it
sends you the CA certificate, the signed local certificate and the
Certificate Revocation List (CRL).
The process for obtaining and installing certificates is as follows:
1. Use the execute vpn certificate local command to
generate a CSR.
2. Send the CSR to a CA.
The CA sends you the CA certificate, the signed local certificate
and the CRL.
3. Use the vpn certificate local command to install the
signed local certificate.
4. Use the vpn certificate ca command to install the CA
certificate.
5. Use the vpn certificate crl command to install the CRL.
Depending on your terminal software, you can copy the
certificate and paste it into the command. The CRL now updates
automatically from a remove server.
Syntax
config vpn certificate crl
edit <crl_name>
set crl <crl_PEM>
set ldap-server <ldap_server_name>
set ldap-username <ldap_username>
set ldap-password <ldap_password>
set scep-cert <scep_certificate>
set scep-url <scep_url>
set update-vdom <update_vdom>
set http-url <http_url>
end

<keyword> Description
edit Enter a name for the Certificate Revocation List
<crl_name> (CRL).
crl <crl_PEM> Enter the CRL in PEM format.
ldap-server
Name of the LDAP server defined in config user ldap
<ldap_server_ table for CRL auto-update.
name>

Confidential and Proprietary Information of ZTE CORPORATION 601

ZXSEC US CLI Reference Guide

<keyword> Description
ldap-
username
LDAP login name.
<ldap_userna
me>
ldap-password
<ldap_passwo LDAP login password.
rd>
scep-cert
Local certificate used for SCEP communication for
<scep_certific CRL auto-update.
ate>
scep-url URL of the SCEP server used for automatic CRL
<scep_url> certificate updates. Start with http://.

update-vdom
VDOM used to communicate with remote SCEP
<update_vdo server for CRL auto-update.
m>
http-url URL of an http server used for automatic CRL
<http_url> certificate updates. Start with http://.

Related topics
vpn certificate ca
vpn certificate local
vpn certificate ocsp
vpn certificate remote
execute vpn certificate crl

Certificate local
Use this command to install local certificates.

When a CA processes your Certificate Signing Request (CSR), it

sends you the CA certificate, the signed local certificate and the
Certificate Revocation List (CRL).
The process for obtaining and installing certificates is as follows:
1. Use the execute vpn certificate local command to generate a
CSR.
2. Send the CSR to a CA.
The CA sends you the CA certificate, the signed local
certificate and the CRL.
3. Use the vpn certificate local command to install the signed
local certificate.
4. Use the vpn certificate ca command to install the CA
certificate.

602 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15 Vpn

5. Use the vpn certificate crl command to install the CRL.

Depending on your terminal software, you can copy the
certificate and paste it into the command.
Syntax
config vpn certificate local
edit <cert_name>
set password <pwd>
set comments <comment_text>
set private-key <prkey>
set certificate <cert_PEM>
set csr <csr_PEM>
end
To view all of the information about the certificate, use the get
command:
get vpn certificate local [cert_name]

<keyword> Description
edit <cert_name> Enter the local certificate name.
certificate
Enter the signed local certificate in PEM format.
<cert_PEM>
comments Enter any relevant information about the
<comment_text> certificate.
You should not modify the following variables if you generated the
CSR on this unit.
csr <csr_PEM> The CSR in PEM format.
password <pwd> The password in PEM format.
private-key
The private key in PEM format.
<prkey>

Related topics
vpn certificate ca
vpn certificate crl
vpn certificate ocsp

Certificate ocsp
Use this command to install remote certificates. The remote
certificates are public certificates without a private key. They are
used as OCSP (Online Certificate Status Protocol) server
certificates.
Syntax

Confidential and Proprietary Information of ZTE CORPORATION 603

ZXSEC US CLI Reference Guide

config vpn certificate ocsp

edit cert <cert_name>
set url <ocsp_url>
set unavail-action <unavailable_action>
end
To view all of the information about the certificate, use the get
command:
get vpn certificate ocsp [cert_name]

<keyword> Description
Enter the OCSP server public certificate (one of
cert <cert_name>
the remote certificates).
url <ocsp_url> Enter the URL of the OCSP server.
unavail-action Action taken on client certification when the
<unavailable_acti OCSP server is unreachable.
on> revokeor ignore. Default is revoke.

Related topics
vpn certificate local
vpn certificate ca
vpn certificate crl
vpn certificate remote
execute vpn certificate remote

Certificate remote
Use this command to install remote certificates. The remote
certificates are public certificates without a private key. They are
used as OCSP (Online Certificate Status Protocol) server
certificates.
Syntax
config vpn certificate remote
edit cert <cert_name>
set remote <remote_cert_detail>
end
To view all of the information about the certificate, use the get
command:
get vpn certificate remote [cert_name]

<keyword> Description
cert <cert_name> Enter the name of the public certificate.

604 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15 Vpn

<keyword> Description
remote
<remote_cert_det Details/description of the remote certificate.
ail>

Related topics
vpn certificate local
vpn certificate ca
vpn certificate crl
vpn certificate ocsp
execute vpn certificate remote

Ipsec concentrator
Use this command to add IPSec policy-based VPN tunnels to a
VPN concentrator. The VPN concentrator collects hub-and-spoke
tunnels into a group.
The concentrator allows VPN traffic to pass from one tunnel to
the other through the ZXSEC US unit. The ZXSEC US unit
functions as a concentrator, or hub, in a hub-and-spoke network.

Note:
VPN concentrators are not available in Transparent mode.
Syntax
config vpn ipsec concentrator edit <concentrator_name>
set member <member_name> [<member_name>] [<member_name>]
end

ZXSEC US CLI Reference Guide

use for the tunnel. Because the keys are created when you
configure the tunnel, no negotiation is required for the VPN
tunnel to start. However, the VPN gateway or client that connects
to this tunnel must use the same encryption and authentication
algorithms and must have the same encryption and
authentication keys.
Syntax
config vpn ipsec manualkey
edit <tunnel_name>
set authentication <authentication_algorithm>
set authkey <authentication_key>
set encryption <method>
set enckey <encryption_key>
set interface <interface_name>
set localspi <local_spi_number>
set local-gw <address_ipv4>
set remote-gw <address_ipv4>
set remotespi <remote_spi_number>
end
The authentication, encryption, interface, remote-gw,
localspi, and remotespi keywords are required. All other
keywords are optional.

Variables Description Default

edit <tunnel_name> Enter a name for the tunnel. No default.
Enter one of the following
authentication algorithms:
md5
null
authentication
<authentication_alg sha1 null
orithm> Make sure you use the same
algorithm at both ends of the
tunnel. encryptionand
authenticationcannot both be
null.

608 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15 Vpn

Variables Description Default

This keyword is available when
authenticationis set to
md5or sha1.
• If authenticationis md5, enter
a 32 digit (16 byte) hexadecimal
number. Separate each 16 digit
(8 byte) hexadecimal segment
authkey with a hyphen. -
<authentication_key • If authenticationis sha1, enter (No
> a 40 digit (20 byte) default.)
hexadecimal number. Use a
hyphen to separate the first
16 digits (8 bytes) from the
remaining 24 digits (12 bytes).
Digits can be 0 to 9, and a to f.
Use the same authentication key
at both ends of the tunnel.
Enter one of the following
encryption algorithms:
3des
aes128
aes192

encryption aes256
null
<method> des
null
Make sure you use the same
algorithm at both ends of the
tunnel. encryption and
authentication cannot both be
null.

Confidential and Proprietary Information of ZTE CORPORATION 609

ZXSEC US CLI Reference Guide

Variables Description Default

This keyword is available when
encryption is set to 3des,
aes128, aes192, aes256, or des.
Enter the associated encryption
key:
If encryption is des, enter a
16 digit (8 byte)
hexadecimal number.
If encryption is 3des, enter a
48 digit (24 byte)
hexadecimal number.
If encryption is aes128,
enter a 32 digit (16 byte) -
enckey hexadecimal number.
(No
<encryption_key>
If encryption is aes192, default.)
enter a 48 digit (24 byte)
hexadecimal number.
If encryption is aes256,
enter a 64 digit (32 byte)
hexadecimal number.
Digits can be 0 to 9, and a to f.
For all of the above, separate
each 16 digit (8 byte)
hexadecimal segment with a
hyphen.
Use the same encryption key at
both ends of the tunnel.
Enter the name of the physical,
aggregate, or VLAN interface to
which the IPSec tunnel will be
bound. The ZXSEC US unit
interface obtains the IP address of the
interface from system interface Null.
<interface_name>
settings (see “interface”).
You cannot change interface if a
firewall policy references this
VPN.
Local Security Parameter Index.
Enter a hexadecimal number of
up to eight digits (digits can be 0
localspi to 9, a to f) in the
0x100
<local_spi_number> range 0x100 to FFFFFFF. This
number must be added to the
Remote SPI at the opposite end
of the tunnel.

610 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15 Vpn

Variables Description Default

Optionally, specify a secondary
IP address of the interface
selected in interface to use for
the local end of the VPN tunnel.
local-gw If you do not specify an IP
0.0.0.0
<address_ipv4> address here, the ZXSEC US unit
obtains the IP address of the
interface from the system
interface settings (see
“interface”).
remote-gw The IP address of the remote
0.0.0.0
<address_ipv4> gateway external interface.
Remote Security Parameter
Index. Enter a hexadecimal
remotespi number of up to eight digits in
<remote_spi_numbe the range 0x100 to FFFFFFF. This 0x100
r> number must be added to the
Local SPI at the opposite end of
the tunnel.

Chapter 15 Vpn

Variables Description Default

Local Security Parameter Index.
Enter a hexadecimal number of
up to eight digits (digits can be 0
local-spi to 9, a to f) in the
0x100
<local_spi_number> range 0x100 to FFFFFFF. This
number must be added to the
Remote SPI at the opposite end
of the tunnel.
The IP address of the remote 0.0.0.0
remote-gw gateway external interface.
for IPv4
<address_ipv4> remote-gw6 is available when ip-
remote-gw6 version is 6.
<address_ipv6> remote-gw is available when ip- :: for
version is 4. IPv6

Remote Security Parameter

Index. Enter a hexadecimal
remote-spi number of up to eight digits in
<remote_spi_numbe the range 0x100 to FFFFFFF. This 0x100
r> number must be added to the
Local SPI at the opposite end of
the tunnel.

Example
Use the following command to add a route-based (interface-
mode) IPSec VPN tunnel having the following characteristics:
Tunnel name: Manual-inf_tunnel
Local SPI: 1000ff
Remote SPI: 2000ff
VLAN interface name: vlan_1
Remote gateway IP address: 206.37.33.45
Encryption algorithm: 3DES
Encryption keys: 003f2b01a9002f3b 004f4b0209003f01--
3b00f23bff003eff
Authentication algorithm: MD5
Authentication keys: ff003f012ba900bb 00f402303f0100ff
config vpn ipsec-intf manualkey-interface edit Manual-inf_tunnel
set auth-alg md5
set auth-key ff003f012ba900bb-00f402303f0100ff set enc-alg 3des
set enc-key 003f2b01a9002f3b-004f4b0209003f01-
3b00f23bff003eff set interface vlan_1
set local-spi 1000ff set remote-spi 2000ff
set remote-gw 206.37.33.45
end
Related topics

Confidential and Proprietary Information of ZTE CORPORATION 615

ZXSEC US CLI Reference Guide

vpn ipsec phase2-interface

Ipsec phase1
Use this command to add or edit IPSec tunnel-mode phase 1
configurations. When you add a tunnel- mode phase 1
configuration, you define how the ZXSEC US unit and a remote
VPN peer (gateway or client) authenticate themselves to each
other as part of establishing an IPSec VPN tunnel.
The phase 1 configuration specifies the name of a remote VPN
peer, the nature of the connection (static IP, dialup, or dynamic
DNS), the encryption and authentication keys for the phase 1
proposal, and the authentication method (preshared key or
certificate). For authentication to be successful, the ZXSEC US
unit and the remote VPN peer must be configured with
compatible phase 1 settings.
You can change all settings except the type setting after you
define the configuration: if the address type of a remote peer
changes, you must delete the original phase 1 configuration and
define a new one. As a general rule, create only one phase 1
configuration per remote VPN peer.
syntax
config vpn ipsec phase1
edit <gateway_name>
set add-gw-route {enable | disable}
set authmethod <authentication_method>
set authpasswd <password>
set authusr <user_name>
set authusrgrp <group_name>
set dhgrp {1 2 5}
set dpd {disable | enable}
set dpd-retrycount <retry_integer>
set dpd-retryinterval <seconds> [<milliseconds>]
set interface <interface_name>
set keepalive <seconds>
set keylife <seconds>
set local-gw <address_ipv4>
set localid <local_id>
set mode {aggressive | main}
set nattraversal {disable | enable}
set peer <CA_certificate_name>

616 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15 Vpn

set peerid <peer_id>

624 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15 Vpn

Variables Description Default

Select a minimum of one and a

maximum of three encryption-
message digest combinations for the
phase 1 proposal. The remote peer
must be configured to use at least
one of the proposals that you define.
Use a space to separate the
combinations. You can enter any of
the following symmetric-key
encryption algorithms:
3des-md5
3des-sha1
aes128-md5
aes128-sha1
aes192-md5
aes192-sha1
aes256-md5
aes256-sha1
des-md5
des-sha1
proposal
Here is an explanation of the No
<encryption_com abbreviated combinations: default.
bination>
des-Digital Encryption Standard,
a 64-bit block algorithm that uses
a 56-bit key.
3des-Triple-DES, in which plain
text is encrypted three times by
three keys.
aes128-A 128-bit block algorithm
that uses a 128-bit key.
aes192-A 128-bit block algorithm
that uses a 192-bit key.
aes256-A 128-bit block algorithm
that uses a 256-bit key. You can
select either of the following
message digests to check the
authenticity of messages during
an encrypted session.
md5-Message Digest 5, the hash
algorithm developed by RSA Data
Security.
sha1-Secure Hash Algorithm 1,
which produces a 160-bit
message digest.

Confidential and Proprietary Information of ZTE CORPORATION 625

ZXSEC US CLI Reference Guide

Variables Description Default

This keyword is available when
authmethod is set to psk. Enter the
pre-shared key. The pre-shared key
must be the same on the remote VPN
gateway or client and should only be *
psksecret
known by network administrators.
<preshared_key (No
The key must consist of at least 6
> default.)
printable characters. For optimum
protection against currently known
attacks, the key should consist of a
minimum of 16 randomly chosen
alphanumeric characters.
This keyword is available when type
remote-gw
is set to static. Enter the static IP 0.0.0.0
<address_ipv4>
address of the remote VPN peer.
This keyword is available when type
is set to ddns.
Enter the identifier of the remote
peer (for example, a fully qualified
remotegw-ddns domain name).
Use this setting when the remote Null.
<domain_name>
peer has a static domain name and a
dynamic IP address (the IP address is
obtained dynamically from an ISP
and the remote peer subscribes to a
dynamic DNS service).
This keyword is available when
authmethod is set to rsa- signature.
Enter the name of the signed
rsa-certificate personal certificate for the ZXSEC US
<server_certificat unit. You must install the server Null.
e> certificate before you enter the server
certificate name. For more
information, see “vpn certificate
local”.
Enter the connection type of the
remote gateway:
If the remote VPN peer has a
static IP address, type static. Use
the remotegw keyword to enter
the IP address.

type If the remote VPN peer has a

<remote_gw_typ dynamically assigned IP address static
e> (DHCP or PPPoE), type dynamic.
If the remote VPN peer has a
dynamically assigned IP address
and subscribes to a dynamic DNS
service, type ddns. Use the
remotegw-ddns keyword to enter
the domain name of the remote
VPN peer.

626 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15 Vpn

Variables Description Default

This keyword is available when type
is set to dynamic, authmethod is set
to psk, and peertype is set to dialup.
Enter the name of the group of dialup
usrgrp VPN clients to authenticate. The user
Null.
<group_name> group must be added to the ZXSEC
US configuration before it can be
cross-referenced here. For more
information, see “user group”, “user
ldap”, “user local”, and “user radius”.
Optionally configure XAuth (eXtended
Authentication):
Type disable to disable XAuth.
Type client to configure the
ZXSEC US unit to act as an XAuth
client. Use the authuser keyword
xauthtype to add the XAuth user name and
password. disable
<XAuth_type>
Type auto, pap, or chap to
configure the ZXSEC US unit as
an XAuth server. Use the
authusrgrp keyword to specify
the user group containing
members that will be
authenticated using XAuth.

Example
Use the following command to add a tunnel-mode IPSec VPN
phase 1 configuration with the following characteristics:
Phase 1 configuration name: Simple_GW
Physical interface name: port6
Remote peer address type: Dynamic
Encryption and authentication proposal: des-md5
Authentication method: psk
Pre-shared key: Qf2p3O93jIj2bz7E
Mode: aggressive
Dead Peer Detection: disable
config vpn ipsec phase1
edit Simple_GW
set interface port6
set type dynamic
set proposal des-md5
set authmethod psk
set psksecret Qf2p3O93jIj2bz7E
set mode aggressive set dpd disable

Confidential and Proprietary Information of ZTE CORPORATION 627

ZXSEC US CLI Reference Guide

end
Related topics
vpn ipsec phase2
user group
user local
user peer
user peergrp
user radius
execute vpn certificate local
vpn certificate ca

Ipsec phase1-interface
Use this command to define a phase 1 definition for a route-
based (interface mode) IPSec VPN tunnel that generates
authentication and encryption keys automatically. A new
interface of type “tunnel” with the same name is created
automatically as the local end of the tunnel. To complete the
configuration of an IPSec tunnel, you need to:
configure phase 2 settings
configure a firewall policy to pass traffic from the local
private network to the tunnel interface
configure a static route to the private network at the remote
end of the tunnel using the IPSec tunnel“device”
optionally, define the IP addresses for each end of the tunnel
to enable dynamic routing through the tunnel or to enable
pinging of each end of the tunnel for testing
syntax
config vpn ipsec phase1-interface
edit <gateway_name>
set add-gw-route {enable | disable}
set authmethod <authentication_method>
set authpasswd <password>
set authusr <user_name>
set authusrgrp <group_name>
set dhgrp {1 2 5}
set dpd {disable | enable}
set dpd-retrycount <retry_integer>
set dpd-retryinterval <seconds> [<milliseconds]

628 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15 Vpn

set interface <interface_name>

set ip-version <4 | 6> set keepalive <seconds>
set keylife <seconds>
set local-gw <address_ipv4>
set local-gw6 <address_ipv6>
set localid <local_id>
set mode {aggressive | main}
set monitor-phase1 <phase1>
set nattraversal {disable | enable}
set peer <CA_certificate_name>
set peerid <peer_id>
set peergrp <certificate_group_name>
set peertype <authentication_method>
set priority <prio>
set proposal <encryption_combination>
set psksecret <preshared_key>
set remote-gw <address_ipv4>
set remote-gw6 <address_ipv6>
set remotegw-ddns <domain_name>
set rsa-certificate <server_certificate>
set type <remote_gw_type>
set usrgrp <group_name>
set xauthtype <XAuth_type>
end
ZXSEC US CLI Version 3.0 MR5 Reference
426 01-30005-0015-20070622
vpn ipsec phase1-interface

Chapter 15 Vpn

Variables Description Default

This keyword is available when type is

set to ddns and
ip-version is set to 4.
Enter the identifier of the remote peer
(for example, a fully qualified domain
remotegw-ddns name). Null.
<domain_name> Use this setting when the remote peer
has a static domain name and a
dynamic IP address (the IP address is
obtained dynamically from an ISP and
the remote peer subscribes to a
dynamic DNS service).
This keyword is available when
authmethod is set to rsa- signature.
rsa-certificate Enter the name of the signed personal
certificate for the ZXSEC US unit. You Null.
<server_certificate
must install the server certificate before
>
you enter the server certificate name.
For more information, see “vpn
certificate local”.

Confidential and Proprietary Information of ZTE CORPORATION 639

ZXSEC US CLI Reference Guide

Variables Description Default

Enter the connection type of the
remote gateway:
If the remote VPN peer has a
static IP address, type static.
Use the remotegw keyword to
enter the IP address.
If the remote VPN peer has a
dynamically assigned IP address
type (DHCP or PPPoE), type dynamic. static
<remote_gw_type>
If the remote VPN peer has a
dynamically assigned IP
address and subscribes to a
dynamic DNS service, type
ddns. Use the remotegw-ddns
keyword to enter the domain
name of the remote VPN peer.
This option is not available if
ip-version is 6.

This keyword is available when type is

set to dynamic, authmethod is set to
psk, and peertype is set to dialup.
Enter the name of the group of dialup
usrgrp VPN clients to authenticate. The user
Null.
<group_name> group must be added to the ZXSEC US
configuration before it can be cross-
referenced here. For more information,
see “user group”, “user ldap”, “user
local”, and “user radius”.
Optionally configure XAuth (eXtended
Authentication):
Type disable to disable XAuth.
Type client to configure the
ZXSEC US unit to act as an
XAuth client. Use the authuser
xauthtype keyword to add the XAuth user
name and password. disable
<XAuth_type>
Type auto, pap, or chap to
configure the ZXSEC US unit as
an XAuth server. Use the
authusrgrp keyword to specify
the user group containing
members that will be
authenticated using XAuth.

Example
In this example, an IPSec tunnel is needed between two sites
using ZXSEC US units. Users on the 192.168.2.0/24 network at
Site A need to communicate with users on the 192.168.3.0/24
network at Site B. At Site A, the public IP address is
172.16.67.199 and at Site B it is 172.16.68.198. At both ends:
Port 2 of the ZXSEC US unit: connects to the private network

640 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15 Vpn

Port 1 of the ZXSEC US unit: connects to the Internet

Encryption and authentication proposal: des-md5
Authentication method: psk
Pre-shared key: Qf2p3O93jIj2bz7
Mode: main
Dead Peer Detection: enable
Site A configuration Site B configuration
config vpn ipsec phase1-interface
edit toSiteB
set type static
set remote-gw 172.16.68.198
set interface port1
set proposal des-md5
set authmethod psk
set psksecret Qf2p3O93jIj2bz7
set mode main
set dpd enable
end
config vpn ipsec phase1-interface
edit toSiteA
set type static
set remote-gw 172.16.68.199
set interface port1
set proposal des-md5
set authmethod psk
set psksecret Qf2p3O93jIj2bz7
set mode main
set dpd enable
end
config vpn ipsec phase2-interface
edit New_Tunnel
set phase1name toSiteB
set proposal 3des-sha1
set keylife-type seconds
set keylifeseconds 18001
set dhgrp 2
set replay enable

Confidential and Proprietary Information of ZTE CORPORATION 641

ZXSEC US CLI Reference Guide

set pfs enable

set keepalive enable
end
config firewall policy
edit 1
set src-intf port2
set dst-intf toSiteB
set srcaddr all
set dstaddr all
set action accept
set service ANY
set schedule always next
edit 2
set src-intf toSiteB
set dst-intf port2
set srcaddr all
set dstaddr all
set action accept
set service ANY
set schedule always
end
config vpn ipsec phase2-interface
edit New_Tunnel
set phase1name toSiteA set proposal 3des-sha1
set keylife-type seconds
set keylifeseconds 18001
set dhgrp 2
set replay enable
set pfs enable
set keepalive enable
end
config firewall policy
edit 1
set src-intf port2 set dst-intf toSiteA set srcaddr all
set dstaddr all set action accept set service ANY
set schedule always next
edit 2
set src-intf toSiteA set dst-intf port2 set srcaddr all

642 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15 Vpn

set dstaddr all set action accept set service ANY

set schedule always
end
config route static
edit 1
set device toSiteB
set dst 192.168.3.0/24
end
config route static
edit 1
set device toSiteA
set dst 192.168.2.0/24
end
In this example, the user defines IP addresses for each end of
the tunnel to enable dynamic routing through the tunnel or to
enable pinging of each end of the tunnel for testing. The Site A
end has the IP address 10.0.0.1 and the SiteB end is 10.0.0.2.
Site A configuration Site B configuration
(Optional)
config system interface
edit toSiteB
set ip 10.0.0.1/32
set remote-ip 10.0.0.2
set allowaccess ping
end
(Optional)
config system interface
edit toSiteA
set ip 10.0.0.2/32
set remote-ip 10.0.0.1
set allowaccess ping
end
Related topics
vpn ipsec phase2-interface
user group
user local
user peer
user peergrp

Confidential and Proprietary Information of ZTE CORPORATION 643

ZXSEC US CLI Reference Guide

user radius
vpn certificate local
vpn certificate ca

Ipsec phase2
Use this command to add or edit an IPSec tunnel-mode phase 2
configuration. The ZXSEC US unit uses the tunnel-mode phase 2
configuration to create and maintain an IPSec VPN tunnel with a
remote VPN peer (the VPN gateway or client).
The phase 2 configuration consists of a name for the VPN tunnel,
the name of an existing phase 1 configuration, the proposal
settings (encryption and authentication algorithms) and DH
group used for phase 2. For phase 2 to be successful, the ZXSEC
US unit and the remote VPN peer must be configured with
compatible proposal settings.
syntax
config vpn ipsec phase2
edit <tunnel_name>
set auto-negotiate {enable | disable}
set dhcp-ipsec {disable | enable}
set dhgrp {1 | 2 | 5}
set dst-addr-type <type>
set dst-end-ip <address_ipv4>
set dst-name <address_name>
set dst-port <destination_port_number>
set dst-start-ip <address_ipv4>
set dst-subnet <address_ipv4mask>
set keepalive {disable | enable}
set keylife-type <keylife_type>
set keylifekbs <kb_integer>
set keylifeseconds <seconds>
set pfs {disable | enable}
set phase1name <gateway_name>
set proposal <encryption_combination>
set protocol <protocol_integer>
set replay {disable | enable}
set route-overlap {overlap_option}
set selector-match <match_type>

644 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15 Vpn

set single-source {disable | enable}

Example
Use the following command to add a tunnel-mode phase 2
configuration with the following characteristics:

Name: New_Tunnel
Phase 1 name: Simple_GW
Encryption and authentication proposal: 3des-sha1
des-md5
aes256-sha1
Keylife type: seconds
Keylife seconds: 18001

654 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15 Vpn

Diffie-Hellman group: 2
Replay detection: enable
Perfect forward secrecy: enable
Keepalive: enable
Authentication keys: ff003f012ba900bb
00f402303f0100ff
config vpn ipsec phase2

config vpn ipsec manualkey edit Manual_Tunnel

set localspi 1000ff set remotespi 2000ff
set remote-gw 206.37.33.45
set encryption 3des
set enckey 003f2b01a9002f3b-004f4b0209003f01-
3b00f23bff003eff set authentication md5
set authkey ff003f012ba900bb-00f402303f0100ff
end
Related topics
vpn ipsec phase2

Ipsec phase2-interface
Use this command to add a phase 2 configuration for a route-
based (interface mode) IPSec tunnel or edit an existing
interface-mode phase 2 configuration. This command is available
only in NAT/Route mode.
Syntax
config vpn ipsec phase2-interface
edit <tunnel_name>
set auto-negotiate {enable | disable}
set dhgrp {1 | 2 | 5}
set dst-addr-type <type>
set dst-end-ip <address_ipv4>
set dst-end-ip6 <address_ipv6>
set dst-name <address_name>
set dst-port <destination_port_number>
set dst-start-ip <address_ipv4>
set dst-start-ip6 <address_ipv6>
set dst-subnet <address_ipv4mask>
set dst-subnet6 <address_ipv6mask>

Confidential and Proprietary Information of ZTE CORPORATION 655

ZXSEC US CLI Reference Guide

set keepalive {disable | enable}

Confidential and Proprietary Information of ZTE CORPORATION 661

ZXSEC US CLI Reference Guide

If the ZXSEC US unit is a dialup

server, enter the type of source
address that corresponds to the
local sender(s) or network behind
the ZXSEC US dialup server:
• To specify the IPv4 IP
address of a server or host, type
ip. Enter the IP address using the
src-start-ip keyword.
• To specify the IPv6 IP
address of a server or host, type
ip6. Enter the IP address using
the src-start-ip6 keyword.
• To specify a range of IPv4
IP addresses, type range. Enter
the starting and ending addresses
using the
src-start-ip and src-end-ip
keywords.
To specify a range of IPv6 IP
addresses, type range6. Enter
the starting and ending addresses
src-addr-type using the
subnet
<ip_source_name> src-start-ip6 and src-end-ip6
keywords.
To specify an IPv4 network
address, type subnet. Enter the
network address using the src-
subnet keyword.
To specify an IPv6 network
address, type subnet6. Enter the
network address using the src-
subnet6 keyword.
To specify an address defined in a
firewall address or address group,
type name. Enter the address
name using the src-name
keyword. You must also select
the name option for dst-addr-
type. This is available only for
IPv4 addresses.
If the ZXSEC US unit is a dialup
client, src-addr-type must refer
to the server(s), host(s), or
private network behind the
ZXSEC US dialup client.
This keyword is available when
src-addr-type is set to range.
src-end-ip
Enter the highest source IP 0.0.0.0
<address_ipv4>
address in the range of IP
addresses.

662 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15 Vpn

This keyword is available when

src-addr-type is set to range6.
src-end-ip6
Enter the highest source IP ::
<address_ipv6>
address in the range of IP
addresses.
This keyword is available when
src-name src-addr-type is set to
<address_name> name. Enter the firewall address
or address group name.
If the ZXSEC US unit is a dialup
server, enter the port number
that the ZXSEC US dialup server
uses to transport traffic related to
the specified service (see
src-port protocol). If the ZXSEC US unit is
a dialup client, enter the port 0
<source_port_numbe
number that
r>
the ZXSEC US dialup client uses
to transport traffic related to the
specified service. The src-port
range is 1 to 65535.
To specify all ports, type 0.
This keyword is available when
src-addr-type is set to range.
src-start-ip
Enter the lowest source IP 0.0.0.0
<address_ipv4> address in the range of IP
addresses.
This keyword is available when
src-addr-type is set to range6.
src-start-ip6
Enter the lowest source IP ::
<address_ipv6> address in the range of IP
addresses.
If the ZXSEC US unit is a dialup
server, enter the IPv4 IP address
and network mask that identifies
src-subnet the private network behind the
ZXSEC US dialup server. If the 0.0.0.0
<address_ipv4mask ZXSEC US unit is a dialup client, 0.0.0.0
> enter the IP address and network
mask that identifies the private
network behind the ZXSEC US
dialup client.
If the ZXSEC US unit is a dialup
server, enter the IPv6 IP address
and network mask that identifies
src-subnet6 the private network behind the
ZXSEC US dialup server. If the
<address_ipv6mask ::/0
ZXSEC US unit is a dialup client,
> enter the IP address and network
mask that identifies the private
network behind the ZXSEC US
dialup client.

Example

Confidential and Proprietary Information of ZTE CORPORATION 663

ZXSEC US CLI Reference Guide

Use the following command to add a route-based (interface

mode) phase 2 configuration with the following characteristics:
Name: Interface_Tunnel
Phase 1 name: Interface_GW
Encryption and authentication proposal: 3des-sha1 aes256-
sha1 des-md5
Keylife type: seconds
Keylife seconds: 18001
Diffie-Hellman group: 2
Replay detection: enable
Perfect forward secrecy: enable
Keepalive: enable
config vpn ipsec phase2-interface
edit Interface_Tunnel
set phase1name Interface_GW
set proposal 3des-sha1 aes256-sha1 des-md5
set keylife-type seconds
set keylifeseconds 18001
set dhgrp 2
set replay enable
set pfs enable
set keepalive enable
end
Related topics
vpn ipsec phase1-interface
alertemail setting
alertemail setting
firewall policy, policy6

L2tp
Use this command to enable L2TP and specify a local address
range to reserve for remote L2TP clients. When a remote L2TP
client connects to the internal network through a L2TP VPN, the
client is assigned an IP address from the specified range.
L2TP clients must authenticate with the ZXSEC US unit when a
L2TP session starts. To support L2TP authentication on the
ZXSEC US unit, you must define the L2TP users who need

664 Confidential and Proprietary Information of ZTE CORPORATION

Ssl monitor
Use this command to display information about logged in SSL
VPN users and current SSL VPN sessions.
syntax
get vpn ssl monitor
Output
Related topics
vpn ssl settings

Ssl settings
Use this command to configure basic SSL VPN settings including
interface idle-timeout values and SSL encryption preferences. If
required, you can also enable the use of digital certificates for
authenticating remote clients.
You can optionally specify the IP address of any Domain Name
Service (DNS) server and/or Windows Internet Name Service
(WINS) server that resides on the private network behind the
ZXSEC US unit. The DNS and/or WINS server will find the IP
addresses of other computers whenever a connected SSL VPN
user sends an email message or browses the Internet.

Note:
You can configure SSL VPNs on ZXSEC US units that run in
NAT/Route mode. The commands are available in NAT/Route
mode only.
syntax
config vpn ssl settings
set algorithm <cipher_suite>
set auth-timeout <auth_seconds>
set dns-server1 <address_ipv4>

668 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15 Vpn

set dns-server2 <address_ipv4>

set idle-timeout <idle_seconds>
set portal-heading <caption>
set reqclientcert {disable | enable}
set route-source-interface {disable | enable}
set servercert <server_cert_name>
set sslv2 {disable | enable}
set sslvpn-enable {disable | enable}
set tunnel-endip <address_ipv4>
set tunnel-startip <address_ipv4>
set url-obscuration {disable | enable}
set wins-server1 <address_ipv4>
set wins-server2 <address_ipv4>
end

This keyword is available when
sslv2 {disable | sslvpn-enable is set to enable.
disable
enable} Disable or enable SSL version 2
encryption.
sslvpn-enable
{disable | Disable or enable remote-client
disable
access.
enable}
This keyword is available when
sslvpn-enable is set to enable.
tunnel-endip This attribute is required for tunnel-
mode access only. Enter the ending 0.0.0.0
<address_ipv4>
address in the range of IP
addresses reserved for remote
clients.
This keyword is available when
sslvpn-enable is set to enable.
tunnel-startip This attribute is required for tunnel-
mode access only. Enter the 0.0.0.0
<address_ipv4>
starting address in the range of IP
addresses reserved for remote
clients.
This keyword is available when
sslvpn-enable is set to enable.
url-obscuration Enable to encrypt the url in the
{disable display column of the browser for disable
| enable} web mode only. This is a
requirement for ICSA ssl vpn
certification.
Enter the IP address of the primary
WINS server that SSL VPN clients
wins-server1 will be able to access after a
connection has been established. If 0.0.0.0
<address_ipv4> required, you can specify a
secondary WINS server through the
wins-server2 attribute.
wins-server2 Enter the IP address of a secondary
0.0.0.0
<address_ipv4> WINS server if required.

Example
The following command enables the ZXSEC US unit to assign
virtual IP addresses in the 10.10.10.100 to 10.10.10.105 range
to authenticated clients (an IP address range is needed to
support tunnel-mode access). The command also sets timeout
values for authenticated connections and connection inactivity
respectively.
config vpn ssl settings
set sslvpn-enable enable
set tunnel-startip 10.10.10.100
set tunnel-endip 10.10.10.105

Confidential and Proprietary Information of ZTE CORPORATION 671

ZXSEC US CLI Reference Guide

set web-auth-timeout 600

set web-idle-timeout 1500
end
Related topics
system replacemsg sslvpn
execute vpn sslvpn del-tunnel
vpn ssl monitor
user group
log {disk | Usla | memory | syslogd | webtrends | Usservice}
filter
firewall policy, policy6

Ssl web bookmarks

Use this command to pre-define one or more bookmarks for an
SSL VPN user. A bookmark is associated with a service and an
application server. The bookmarks that you define are displayed
in the Predefined Bookmarks section of the user’s web portal
page. Users can select the associated hyperlink to initiate a
session with the target server application. These bookmarks
cannot be edited by the user.
Syntax
config vpn ssl web favorite
edit <bookmark_name>
set apptype <service_type>
set folder <folder_name>
set host <host_name>
set url <target_ip>
end

Variables Description Default

edit No
Enter a name for the bookmark.
<bookmark_name> default.

672 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15 Vpn

Variables Description Default

Example
The following command creates a bookmark named
Company_intranet to the corporate Intranet home page at
www.example.com:
config vpn ssl web bookmarks edit Company_intranet
set apptype web set url http://www.example.com
end
Related topics
vpn ssl settings
vpn ssl web bookmarks-group
vpn ssl web favorite

Ssl web bookmarks-group

Use this command to define a group of bookmarks to associate
to an SSL VPN user group.
syntax
config vpn ssl web bookmarks-group
edit <bkmark_groupname>

Confidential and Proprietary Information of ZTE CORPORATION 673

ZXSEC US CLI Reference Guide

set bookmarks <bookmark_names>

end

Variables Description Default

edit
Enter the name of the No
<bkmark_groupname
bookmark group. default.
>
Enter the list of bookmarks to
include in the bookmark group.
bookmarks Enclose the bookmark name in No
<bookmark_names> quotation marks, and separate default.
each bookmark in the list with
a space.

Note:
The user, group and title keywords are required. Other keywords
might be required depending on apptype. See Variables
description above.
Example
The following command creates a bookmark group that includes
the bookmark to the corporate Intranet home page at
www.example.com named Company_intranet and a link to the
Google search site named Google_site:
config vpn ssl web bookmarks-group
edit <bkmark_groupname>
set “Company_intranet” “Google_site”
end
Related topics
vpn ssl settings
vpn ssl web bookmarks
vpn ssl web favorite

Ssl web favorite

Use this command to define one or more bookmarks for an SSL
VPN user. A bookmark is associated with a service and an
application server. The bookmarks that you define are displayed
in the My Bookmarks section of the user’s web portal page.
Users can select the associated hyperlink to initiate a session
with the target server application.
syntax
config vpn ssl web favorite
edit <bookmark_name>

674 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 15 Vpn

set apptype <service_type>

set folder <folder_name>
set group <group_name>
set host <host_name>
set title <display_text>
set url <target_ip>
set user <user_name>
end

Variables Description Default

Enter the identifier of the service
to associate with the bookmark:
Type ftpfor FTP services.
Type rdpfor Windows Terminal
services.
apptype Type smbfor Samba (Windows
file share) services. web
<service_type>
Type sshfor SSH services.
Type telnet for telnet services.
Type vncfor VNC services.
Type webfor HTTP and/or HTTPS
services.
Enter the remote folder name, if
apptypeis smbor ftp. The folder
folder name must include the server No
<folder_name> name, default.
//172.20.120.103/myfolder, for
example.
group Enter the SSL VPN user group No
<group_name> name. default.
Enter the host name, if apptypeis No
host <host_name>
telnet or rdp. default.
Enter a text string to display as
the hyperlink on the user’s web
portal page. Enclose the string in
quotation marks if it contains No
title <display_text>
spaces. default.
User entries are automatically
named <user>+<timestamp>.
Enter the URL of the web page, if No
url <target_ip>
apptype is web. default.
Enter the user name from the No
user <user_name>
SSL VPN user group. default.

Example
The following command creates a bookmark to the corporate
Intranet home page at www.example.com for the user juser who
is a member of the SSL VPN user group sslusergroup:

Confidential and Proprietary Information of ZTE CORPORATION 675

ZXSEC US CLI Reference Guide

config vpn ssl web favorite

edit Company_intranet
set apptype web
set title "Company Home Page"
set url http://www.example.com
set group sslusergroup
set user juser
end
ZXSEC US CLI Version 3.0 MR5 Reference
01-30005-0015-20070622 459
ssl web favorite vpn
Related topics
vpn ssl settings
vpn ssl web bookmarks
vpn ssl web bookmarks-group

676 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 16 Vpn

Chapter 16

Webfilter

Overview
Use webfilter commands to add banned words to the banned word list,
filter URLs, and configure Usservice-Web category filtering.
This chapter contains the following sections:
Bword
Exmword
Usservice
ussrv-local-cat
ussrv-local-rating
ussrv-ovrd
urlfilter

Bword
Control web content by blocking specific words or patterns. If enabled in
the protection profile, the ZXSEC US unit searches for words or patterns
on requested web pages. If matches are found, values assigned to the
words are totalled. If a user-defined threshold value is exceeded, the web
page is blocked.
Use this command to add or edit and configure options for the Web
content block list. Banned words can be one word or a text string up to 80
characters long. The maximum number of banned words and patterns in
the list is 9000.
When a single word is entered, the ZXSEC US unit checks Web pages for
that word. Add phrases by enclosing the phrase in ‘single quotes’. When a
phrase is entered, the ZXSEC US unit checks Web pages for any word in
the phrase. Add exact phrases by enclosing the phrases in “quotation
marks”. If the phrase is enclosed in quotation marks, the ZXSEC US
checks Web pages for the exact phrase.

Confidential and Proprietary Information of ZTE CORPORATION 677

ZXSEC US CLI Reference Guide

Create banned word patterns using wildcards or Perl regular expressions.

See “Using Perl regular expressions”.
You can add multiple banned word lists, and then select the best web
content block list for each protection profile. Choose the command syntax
list below according to your ZXSEC US unit model.

Note:
Perl regular expression patterns are case sensitive for Web Filter content
block. To make a word or phrase case insensitive, use the regular
expression /i. For example, /bad language/i blocks all instances of bad
language regardless of case. Wildcard patterns are not case sensitive.
syntax
config webfilter bword
edit <banned_word_list_integer>
set name <banned_word_list>
set comment <banned_word_list_comment>
config entries edit <word_str>
set lang {french | japanese | korean | simch | thai | trach |
western}
set pattern-type {regexp | wildcard}
set score <integer_value>
set status {enable | disable}
end

Keywords and
Description Default
variables
<banned_word_list_ A unique number to identify the
integer> banned word list.
<banned_word_list
The name of the banned word list.
>
<banned_word_list_ The comment attached to the
comment> banned word list.
<word_str> The word to be blocked.
Enter the language character set
lang {french | used for the banned word or
japanese | korean | phrase. Choose from French,
western
simch | thai | trach | Japanese, Korean, Simplified
western} Chinese, Thai, Traditional Chinese,
or Western.
Set the pattern type for the
pattern-type banned word. Choose from regexp
or wildcard.Create patterns for wildcard
{regexp | wildcard} banned words using Perl regular
expressions or wildcards.

678 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 16 Vpn

Keywords and
Description Default
variables
A numerical weighting applied to
the banned word. The score values
of all the matching words
appearing on a web page are
added, and if the total is greater
than the webwordthreshold value
score set in the protection profile, the
page is processed according to 10
<integer_value>
whether the bannedword option is
set with the http command in the
protection profile. The score for a
banned word is counted once even
if the word appears multiple times
on the web page.
status {enable | Enable or disable the banned
disable
disable} word.

Related topics
exmword
webfilter Usservice
webfilter ussrv-local-cat
webfilter ussrv-local-rating
webfilter ussrv-ovrd
webfilter urlfilter

Exmword
Web content exempt allows overriding of the web content block feature. If
any patterns defined in the web content exempt list appear on a web page,
the page will not be blocked even if the web content block feature would
otherwise block it.
Use this command to add or edit and configure options for the Web
content exempt list. Exempt words can be one word or a text string up to
80 characters long. The maximum number of exempt words and patterns
in the list is 9000.
When a single word is entered, the ZXSEC US unit checks Web pages for
that word. Add phrases by enclosing the phrase in ‘single quotes’. When a
phrase is entered, the ZXSEC US unit checks Web pages for any word in
the phrase. Add exact phrases by enclosing the phrases in “quotation
marks”. If the phrase is enclosed in quotation marks, the ZXSEC US
checks Web pages for the exact phrase.
Create exempt word patterns using wildcards or Perl regular expressions.
See “Using Perl regular expressions”.
You can add multiple exempt word lists, and then select the best web
content exempt list for each protection profile. Choose the command
syntax list below according to your ZXSEC US unit model.

Confidential and Proprietary Information of ZTE CORPORATION 679

ZXSEC US CLI Reference Guide

Note:
Perl regular expression patterns are case sensitive for Web Filter content
exempt. To make a word or phrase case insensitive, use the regular
expression /i. For example, /good language/i exempts all instances of
good language regardless of case. Wildcard patterns are not case sensitive.
syntax
config webfilter exmword
edit <exempt_word_list_integer>
set name <exempt_word_list>
set comment <exempt_word_list_comment>
config entries
edit <word_str>
set lang {french | japanese | korean | simch | thai | trach |
western}
set pattern-type {regexp | wildcard}
set status {enable | disable}
end

Keywords and
Description Default
variables
<exempt_word_list_ A unique number to identify the
integer> exempt word list.
<exempt_word_list
The name of the exempt word list.
>
<exempt_word_list_ The comment attached to the
comment> exempt word list.
<word_str> The word to be exempted.
Enter the language character set
lang {french | used for the exempt word or
japanese | korean | phrase. Choose from French,
western
simch | thai | trach | Japanese, Korean, Simplified
western} Chinese, Thai, Traditional Chinese,
or Western.
Set the pattern type for the
pattern-type exempt word. Choose from regexp
or wildcard.Create patterns for wildcard
{regexp | wildcard} exempt words using Perl regular
expressions or wildcards.
status {enable | Enable or disable the exempt
disable
disable} word.

Related topics
bword
webfilter Usservice
webfilter ussrv-local-cat

680 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 16 Vpn

webfilter ussrv-local-rating
webfilter ussrv-ovrd
webfilter urlfilter

Usservice
Use this command to enable Web filtering by specific categories using
Usservice-Web URL filtering.
Usservice-Web category blocking
Usservice-Web is a web filtering solution provided by USnet. Usservice-
Web sorts thousands of Web pages into a wide variety of categories that
users can allow, block, or monitor. Categories are also organized into
broader groups to make configuration fast and easy. The ZXSEC US unit
accesses the nearest Usservice-Web server to determine the category of a
requested web page and then follows the firewall policy configured for that
user or interface. Usservice-Web servers are located worldwide.
Usservice-Web licensing
Every ZXSEC US unit comes with a free 30 day Usservice-Web trial license.
Usservice-Web license management is done by the Usservice-Web server,
so there is no need to enter a license number.
The ZXSEC US unit automatically contacts the Usservice-Web servers
when Usservice-Web category blocking is enabled.
To renew the Usservice-Web license after the free trial, contact USnet
Technical Support.
Usservice-Web configuration
Once enabled, Usservice-Web category block settings apply globally. After
enabling Usservice-Web, configure different categories for each firewall
protection profile create.
See “firewall profile” to configure Usservice-Web category blocking in a
protection profile. See “Usservice-Web categories” in the ZXSEC US
Administration Guide for a complete list and description of the Usservice-
Web web filter categories.
HTTP and HTTPS Usservice override traffic
The Usservice override for HTTP and HTTPS is no longer a single global
forward rule. Instead, a separate rule is created for each protection profile
to redirect both the Usservice override HTTP and HTTPS ports, as required,
into the authentication daemon. This ensures that these ports only appear
open when the appropriate options are enabled in the profile. A matrix of
how the profile options affect the port status follows:

TABLE 146 PORT STATUS IN DIFFERENT PROFILES

HTTP HTTP HTTPS ovrd via HTTP HTTPS

WF ovrd WF HTTPS Port Port
0 0 0 0 closed closed

Confidential and Proprietary Information of ZTE CORPORATION 681

ZXSEC US CLI Reference Guide

HTTP HTTP HTTPS ovrd via HTTP HTTPS

WF ovrd WF HTTPS Port Port
0 0 0 1 closed closed
0 0 1 0 closed open
0 0 1 1 closed open
0 1 0 0 closed closed
0 1 0 1 closed closed
0 1 1 0 closed open
0 1 1 1 closed open
1 0 0 0 open closed
1 0 0 1 open closed
1 0 1 0 open open
1 0 1 1 open open
1 1 0 0 open closed
1 1 0 1 open open
1 1 1 0 open open
1 1 1 1 open open

There are two separate ports for HTTP and HTTPS override traffic which
can be configured independently.
In addition, HTTPS uses the HTTPS override form regardless of the ovrd-
auth-https status. If ovrd-auth-https is enabled, any attempts to use the
HTTP version of the override form will transparently be re-directed to the
HTTPS version.
syntax
config webfilter Usservice
set cache-mode {ttl | db-ver}
set cache-mem-percent <percent_integer> set ovrd-auth-port-http <port_integer>
set ovrd-auth-https <enable | disable> set ovrd-auth-port-https <port_integer>
set cache-prefix-match <enable | disable>
end

Keywords and
Description Default
variables

682 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 16 Vpn

Keywords and
Description Default
variables
Change the cache entry
expiration mode. Choices are ttl
or db-ver.
Using ttl, cache entries are
deleted after a number of
seconds determined by the
cache-mode {ttl | cache-ttlsetting, or until newer
ttl
db-ver} cache entries force the removal
of older ones.
When set to db-ver, cache
entries are kept until the
Usservice database changes, or
until newer cache entries force
the removal of older ones.
Change the maximum
cache-mem-percent percentage of memory the
2
<percent_integer> cache will use. Enter a value
from 1 to 15 percent.
The port to use for Usservice
ovrd-auth-port-http
Web Filter HTTP 8008
<port_integer>
override authentication.
ovrd-auth-https Enable to use HTTPS for
disable
<enable | disable> override authentication.

ovrd-auth-port- The port to use for Usservice

https Web filtering HTTPS 8010
<port_integer> override authentication.
Enable and disable prefix
matching.
If enabled the ZXSEC US unit
attempts to match a packet
cache-prefix-match against the rules in a prefix list
enable
<enable | disable> starting at the top of the list.
For information on prefix lists
see the section “prefix- list” of
the Router chapter in the US
CLI Guide.

Related topics
webfilter bword
webfilter ussrv-local-cat
webfilter ussrv-local-rating
webfilter ussrv-ovrd
webfilter urlfilter

Confidential and Proprietary Information of ZTE CORPORATION 683

ZXSEC US CLI Reference Guide

Ussrv-local-cat
Use this command to add local categories to the global URL category list.
The categories defined here appear in the global URL category list when
configuring a protection profile. Users can rate URLs based on the local
categories.
syntax
config webfilter ussrv-local-cat edit <local_cat_str>
set id <id_integer>
end

Keywords and
Description Default
variables
The description of the local
<local_cat_str>
category.
The local category unique ID
id <id_integer> 0
number.

Example
This example shows how to add the category local_block with an ID of 10.
config webfilter ussrv-local-cat
edit local_block
set id 10
end
Related topics
webfilter bword
webfilter Usservice
webfilter ussrv-local-rating
webfilter ussrv-ovrd
webfilter urlfilter

Ussrv-local-rating
Use this command to rate URLs using local categories.
Users can create user-defined categories then specify the URLs that belong
to the category. This allows users to block groups of web sites on a per
profile basis. The ratings are included in the global URL list with associated
categories and compared in the same way the URL block list is processed.
The user can also specify whether the local rating is used in conjunction
with the Usservice rating or is used as an override.
syntax
config webfilter ussrv-local-rating edit <local_url_str>

684 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 16 Vpn

set rating [[<category_integer>] [group_str] [class_str]...]

set status {enable | disable}
end

Keywords and
Description Default
variables
<local_url_str> The URL being rated.

rating Set categories, groups, and

Example
This example shows how to configure a local rating for the web site
www.example.com. with a rating including category 12, all categories in
group 4, and classification 1.
config webfilter ussrv-local-rating edit www.example.com
set rating 12 g4 c1
end
Related topics
webfilter bword
webfilter Usservice
webfilter ussrv-local-cat
webfilter ussrv-ovrd
webfilter urlfilter

Ussrv-ovrd
Use this command to configure Usservice-Web filtering overrides.
Users may require access to web sites that are blocked by a policy. In this
case, an administrator can give the user the ability to override the block
for a specified period of time.
When a user attempts to access a blocked site, if override is enabled, a
link appears on the block page directing the user to an authentication form.
The user must provide a correct user name and password or the web site
remains blocked. Authentication is based on user groups and can be
performed for local, RADIUS, and LDAP users.
syntax
config webfilter ussrv-ovrd edit <override_integer>
set expires

Confidential and Proprietary Information of ZTE CORPORATION 685

ZXSEC US CLI Reference Guide

set ext-ref <allow | deny>

set ip <ipv4_address>
set profile <profile_str>
set rating [[<category_integer>] [group_str] [class_str]...]
set scope {user | user-group | ip | profile}
set status {enable | disable}
set type {dir | domain | rating}
set url <url_str>
set user <user_str>
set user-group <user_group_str>
end
get webfilter ussrv-ovrd <override_integer>

Keywords and
Description Default
variables
The unique ID number of the
<override_integer>
override.
The date and time the override
expires
expires.
ext-ref <allow | Allow or deny access to off-site
allow
deny> URLs.
The user who initiated the override
initiator
rule. This keyword is get- only.
When the scope is IP, the IP
ip <ipv4_address> address for which the override rule 0.0.0.0
applies.
When the scope is profile, the
profile <profile_str> profile for which the override rule
applies.

686 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 16 Vpn

Keywords and
Description Default
variables
The URL for which the override
url <url_str>
rule applies.
When the scope is user, the user
user <user_str>
for which the override rule applies.

user-group When the scope is user group, the

user group for which the override
<user_group_str> rule applies.

Example
This example shows how to set an override (13).
config webfilter ussrv-ovrd
edit 13
set rating 12 g4 c1
end
Use the following command to get information about an override.
get webfilter ussrv-ovrd 1
id :1
expires : Wed Jul 6 07:00:30 2005
ext_ref : allow initiator : admin scope : user status : enable type : dir
url : 192.168.2201.23
user : user_1
Related topics
webfilter bword
webfilter Usservice
webfilter ussrv-local-cat
webfilter ussrv-local-rating
webfilter urlfilter

Urlfilter
Use this command to control access to specific URLs by adding them to the
URL filter list. The ZXSEC US unit exempts or blocks Web pages matching
any specified URLs and displays a replacement message instead.
Configure the ZXSEC US unit to allow, block, or exempt all pages on a
website by adding the top-level URL or IP address and setting the action to
allow, block, or exempt.
Block individual pages on a website by including the full path and filename
of the web page to block. Type a top-level URL or IP address to block
access to all pages on a website. For example, www.example.com or
172.16.144.155 blocks access to all pages at this website.

Confidential and Proprietary Information of ZTE CORPORATION 687

ZXSEC US CLI Reference Guide

Type a top-level URL followed by the path and filename to block access to
a single page on a website. For example, www.example.com/news.html or
172.16.144.155/news.html blocks the news page on this website.
To block all pages with a URL that ends with example.com, add
example.com to the block list. For example, adding example.com blocks
access to www.example.com, mail.example.com,
www.finance.example.com, and so on.
Use this command to exempt or block all URLs matching patterns created
using text and regular expressions (or wildcard characters). For example,
example.* matches example.com, example.org, example.net and so on.
The ZXSEC US unit exempts or blocks Web pages that match any
configured pattern and displays a replacement message instead.
The maximum number of entries in the list is 9000.
syntax
config webfilter urlfilter
edit <url_filter_list_integer>
set name <urlfilter_list>
set comment <urlfilter_list_comment>
config entries edit <url_str>
set action {allow | block | exempt}
set status {enable | disable}
set type {simple | regex}
end
end

Keywords and
Description Default
variables
<url_filter_list_integ A unique number to identify the
er> URL filter list.
<urlfilter_list> The name of the URL filter list.
<urlfilter_list_comm The comment attached to the URL
ent> filter list.
<url_str> The URL to added to the list.
The action to take for matches.
An allow match exits the URL filter
list and checks the other web
action filters.
{allow | block | An exempt match stops all further exempt
exempt} checking including AV
scanning.
A block match blocks the URL and
no further checking will be done.
status {enable |
The status of the filter. enable
disable}

688 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 16 Vpn

Keywords and
Description Default
variables
type {simple | The type of URL filter: simple or
simple
regex} regular expression.

Related topics
webfilter bword
webfilter Usservice
webfilter ussrv-local-cat
webfilter ussrv-local-rating
webfilter ussrv-ovrd

Confidential and Proprietary Information of ZTE CORPORATION 689

ZXSEC US CLI Reference Guide

This page is intentionally blank.

690 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17

Execute

Overview
The execute commands perform immediate operations on the
ZXSEC US unit. You can:
Back up and restore the system configuration, or reset the
unit to factory settings.
Execute the run but not save feature
Set the unit date and time.
View and clear DHCP leases.
Clear arp table entries.
View and delete log messages. Delete old log files.
Manually dial or hang up the modem (models 70, 120 only).
Use ping or traceroute to diagnose network problems.
Restart the router or the entire ZXSEC US unit.
Update the antivirus and attack definitions on demand.
Generate certificate requests and install certificates for VPN
authentication.
This chapter contains the following sections:
backup
batch
central-mgmt
CUS reload
CUS save
clear system arp table
cli status-msg-only
cli check-template-status
date

Confidential and Proprietary Information of ZTE CORPORATION 691

ZXSEC US CLI Reference Guide

deploy
dhcp lease-clear
dhcp lease-list
disconnect-admin-session
factoryreset
formatlogdisk
Usservice-log update
fsae refresh
ha disconnect
ha manage
ha synchronize
interface dhcpclient-renew
interface pppoe-reconnect
log delete-all
log delete-filtered
log delete-rolled
log display
log filter
log USanalzyer test-connectivity
log list
log roll
modem dial
modem hangup
mrouter clear
ping
ping-options
ping6
reboot
restore
router clear bgp
router clear bfd
router clear ospf process
router restart
send-fds-statistics
set-next-reboot
shutdown

692 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

ssh
telnet
time
traceroute
update-av
update-ips
update-now
upd-vd-license
usb-disk
vpn certificate ca
vpn certificate crl
vpn certificate local
vpn certificate remote
vpn sslvpn del-tunnel
vpn sslvpn del-web

Backup
Back up the ZXSEC US configuration files, logs, or IPS user-
defined signatures file to a TFTP server. When virtual domain
configuration is enabled (in system global, vdom-admin is
enabled), the content of the backup file depends on the
administrator account that created it.
A backup of the system configuration from the super admin
account contains the global settings and the settings for all
of the VDOMs. Only the super admin can restore the
configuration from this file.
When you back up the system configuration from a regular
administrator account, the backup file contains the global
settings and the settings for the VDOM to which the
administrator belongs. Only a regular administrator account
can restore the configuration from this file.
syntax
execute backup {disk | memory} alllogs <tftp_ipv4>
execute backup config tftp <filename> <tftp_ipv4> [<password>]
execute backup config usb <filename> [<password>]
execute backup full-config tftp <filename> <tftp_ipv4> [<password>]
execute backup full-config usb <filename> [<password>]
execute backup ipsuserdefsig <filename> <tftp_ipv4>
execute backup {disk | memory} log <tftp_ipv4> <log_type>

Confidential and Proprietary Information of ZTE CORPORATION 693

ZXSEC US CLI Reference Guide

Keywords and variables Description

Back up either all memory or all
hard disklog files for this VDOM to
a TFTP server. This command is
{disk | memory} alllogs effective only on models that log
<tftp_ipv4> to a hard disk. The file name has
the form:
<log_file_name>_<VDOM>_<dat
e>_<time>
Back up the system configuration
config tftp <filename> to a file on a TFTP server.
<tftp_ipv4> Optionally, you can specify a
[<password>] password to protect the saved
data.
Back up the system configuration
config usb <filename> to a file on a USB disk. Optionally,
[<password>] you can specify a password to
protect the saved data.
Back up the full system
full-config tftp <filename> configuration to a file on a TFTP
server. Optionally, you can specify
<tftp_ipv4> [<password>] a password to protect the saved
data.
Back up the full system
full-config usb <filename> configuration to a file on a USB
disk. Optionally, you can specify a
[<password>] password to protect the saved
data.
Back up IPS user-defined
ipsuserdefsig <filename> signatures to a file on a TFTP
<tftp_ipv4>
server.
Back up the selected type of log
file from either hard disk or
memory to a TFTP server.
<log_type> can be one of:
traffic
{disk | memory} log
<tftp_ipv4> event
<log_type> ids
virus
webfilter
spam
im

Example
This example shows how to backup the ZXSEC US unit system
configuration to a file named US.CUS on a TFTP server at IP
address 192.168.1.23. execute backup config tftp USt.CUS
192.168.1.23
Related topics

694 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

execute restore
ips custom

Batch
Execute a series of CLI commands.

Note:
execute batch commands are controlled by the Maintenance
(mntgrp) access control group.
Syntax
execute batch [<cmd_cue>]
where <cmd_cue> is one of:
end - exit session and run the batch commands
lastlog - read the result of the last batch commands
start - start batch mode
status - batch mode status reporting if batch mode is
running or stopped
Example
To start batch mode:
execute batch start Enter batch mode...
To enter commands to run in batch mode:
config system global
set refresh 5
end
To execute the batch commands:
execute batch end Exit and run batch commands...

CUS reload
Use this command to restore the saved configuration when the
configuration change mode is manual or revert. This command
has no effect if the mode is automatic, the default. The set CUS-
save command in system global sets the configuration change
mode.
When you reload the saved system configuration, the your
session ends and the ZXSEC US unit restarts.

Confidential and Proprietary Information of ZTE CORPORATION 695

ZXSEC US CLI Reference Guide

In the default configuration change mode, automatic, CLI

commands become part of the saved unit configuration when
you execute them by entering either next or end.
In manual mode, commands take effect but do not become part
of the saved configuration unless you execute the execute CUS
save command. When the ZXSEC US unit restarts, the saved
configuration is loaded. Configuration changes that were not
saved are lost.
The revert mode is similar to manual mode, except that
configuration changes are saved automatically if the
administrative session is idle for more than a specified timeout
period. This provides a way to recover from an erroneous
configuration change, such as changing the IP address of the
interface you are using for administration. You set the timeout in
system global using the set CUS-revert-timeout command.
Syntax
execute CUS reload
Example
This is sample output from the command when successful:
# exec CUS reload
configs reloaded. system will reboot.This is sample output from
the command when not in runtime-only configuration mode:
# exec CUS reload
no config to be reloaded.
Related topics
execute CUS save
system global

CUS save
Use this command to save configuration changes when the
configuration change mode is manual or revert. If the mode is
automatic, the default, all changes are added to the saved
configuration as you make them and this command has no effect.
The set CUS-save command in system global sets the
configuration change mode.
In manual mode, commands take effect but do not become part
of the saved configuration unless you execute the execute CUS
save command. When the ZXSEC US unit restarts, the saved
configuration is loaded. Configuration changes that were not
saved are lost.
The revert mode is similar to manual mode, except that
configuration changes are saved automatically if the
administrative session is idle for more than a specified timeout

696 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

period. This provides a way to recover from an erroneous

configuration change, such as changing the IP address
of the interface you are using for administration. To change the
timeout from the default of 600 seconds, go to system global
and use the set CUS-revert-timeout command.
Syntax
execute CUS save
Example
This is sample output from the command:
# exec CUS save config saved.
This is sample output when not in runtime-only configuration
mode. It also occurs when in runtime-only configuration mode
and no changes have been made:
# exec CUS save
no config to be saved.
Related topics
execute CUS reload
system global

Clear system arp table

Clear all the entries in the arp table.
Syntax
exec clear system arp table
Related topics
execute router restart
get router info routing-table
get system arp

Cli status-msg-only
Enable standardized CLI error output messages. If executed, this
command stops other debug messages from displaying in the
current CLI session.
Syntax
exec cli status-msg-only <enable | disable>
The message format is:
[error code]: text message

Confidential and Proprietary Information of ZTE CORPORATION 697

ZXSEC US CLI Reference Guide

There are two error categories: Keyword Error, and Data Error.
The error code provides details about the type of error.
An ERROR message indicates that the command generated an
error. A Keyword Error [1000x] indicates that the keyword is not
supported, or the attempted command is not recognized. A Data
Error [2000x] indicates that the data source is already in use.

Keywords and
Description
variables
status-msg-only
<enable | Enables standardized CLI error output
messages.
disable>

Cli check-template-status
Reports the status of the SCP script template.
Syntax
exec cli check-template-status

Date
Get or set the system date.
Syntax
execute date [<date_str>]
date_str has the form yyyy-mm-dd, where
yyyy is the year and can be 2001 to 2037
mm is the month and can be 01 to 12
dd is the day of the month and can be 01 to 31
If you do not specify a date, the command returns the current
system date. Shortened values, such as
‘ 06’ instead of ‘2006’ for the year or ‘1’ instead of ‘01’ for
month or day, are not valid.
Example
This example sets the date to 17 September 2004:
execute date 2004-09-17
Related topics
execute time

698 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

Dhcp lease-clear
Clear all DHCP address leases.
Syntax
execute dhcp lease-clear
Related topics
execute dhcp lease-list
system dhcp server
system dhcp reserved-address

Dhcp lease-list
Display DHCP leases on a given interface
Syntax
execute dhcp lease-list [interface_name]
If you specify an interface, the command lists only the leases
issued on that interface. Otherwise, the list includes all leases
issued by DHCP servers on the ZXSEC US unit.
If there are no DHCP leases in user on the ZXSEC US unit, an
error will be returned.
Related topics
execute deploy
system dhcp server
system dhcp reserved-address

Disconnect-admin-session
Disconnect an administrator who is logged in.
Syntax
execute disconnect-admin-session <index_number>
To determine the index of the administrator that you want to
disconnect, view the list of logged-in administrators by using the
following command:
execute disconnect-admin-session ?
The list of logged-in administrators looks like this:
Connected:
TIME

Confidential and Proprietary Information of ZTE CORPORATION 699

ZXSEC US CLI Reference Guide

Mon Aug 14 12:57:23 2006

Mon Aug 14 12:57:23 2006
Example
This example shows how to disconnect a logged in administrator.
execute disconnect-admin-session 1
Related topics
system mac-address-table
get system info admin status

Factoryreset
Reset the ZXSEC US configuration to factory default settings.
Syntax
execute factoryreset

Caution:
This procedure deletes all changes that you have made to the
ZXSEC US configuration and reverts the system to its original
configuration, including resetting interface addresses.
Related topics
execute backup
execute reboot

Formatlogdisk
Format the ZXSEC US hard disk to enhance performance for
logging.
Syntax
execute formatlogdisk

Caution:
This operation will erase all quarantine files and logging data on
the hard disk.

Usservice-log update
Update the Usservice Analysis and Management Service contract.

700 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

Syntax
execute Usservice-log update
Related topics
system Usservice
log Usla setting
{disk | Usla | memory | syslogd | webtrends | Usservice}
filter

Fsae refresh
Use this command to manually refresh user group information
from Windows AD servers connected to the ZXSEC US unit using
the USnet Server Authentication Extensions (FSAE).
syntax
execute fsae refresh
Related topics
user fsae

Ha disconnect
Use this command to disconnect a ZXSEC US unit from a
functioning cluster. You must specify the serial number of the
unit to be disconnected. You must also specify an interface name
and assign an IP address and netmask to this interface of the
disconnected unit. You can disconnect any unit from the cluster
even the primary unit. After the unit is disconnected the cluster
responds as if the disconnected unit has failed. The cluster may
renegotiate and may select a new primary unit.
To disconnect the unit from the cluster, the execute ha
disconnect command sets the HA mode of the disconnected unit
to standalone. In addition, all interface IP addresses of the
disconnected unit are set to 0.0.0.0. The interface specified in
the command is set to the IP address and netmask that you
specify in the command. In addition all management access to
this interface is enabled. Once the ZXSEC US unit is
disconnected you can use SSH, telnet, HTTPS, or HTTP to
connect to and manage the ZXSEC US unit.
syntax
execute ha disconnect <cluster-member-serial_str> <interface_str>
<address_ipv4> <address_ipv4mask>

Confidential and Proprietary Information of ZTE CORPORATION 701

ZXSEC US CLI Reference Guide

Keywords and
Description
variables
cluster-member- The serial number of the cluster unit to be
serial_str disconnected.
The name of the interface to configure. The
command configures the IP address and
interface_str
netmask for this interface and also enables
all management access for this interface.

Example
This example shows how to disconnect a cluster unit with serial
number US0900. The internal interface of the disconnected unit
is set to IP address 1.1.1.1 and netmask 255.255.255.0.
execute ha disconnect US0900 internal 1.1.1.1 255.255.255.0
Related topics
execute ha manage
execute ha synchronize
system ha

Ha manage
Use this command from the CLI of a ZXSEC US unit in an HA
cluster to log into the CLI of another unit in the cluster. Usually
you would use this command from the CLI of the primary unit to
log into the CLI of a subordinate unit. However, if you have
logged into a subordinate unit CLI, you can use this command to
log into the primary unit CLI, or the CLI of another subordinate
unit.
You can use CLI commands to manage the cluster unit that you
have logged into. If you make changes to the configuration of
any cluster unit (primary or subordinate unit) these changes are
synchronized to all cluster units.
syntax
execute ha manage <cluster-index>

702 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

Keywords and
Description
variables
The cluster index number of the cluster unit to
log into. The first
subordinate unit has a cluster index of zero. If
there are more subordinate
units their index numbers are 1, 2, and so on.
The primary unit has the
highest index number. So in a cluster of three
ZXSEC US units:
cluster-index The first subordinate unit has a cluster
index of 0
The second subordinate unit has a cluster
index of 1
The primary unit has a cluster index of 2
Enter ?to list the cluster units that you can log
into. The list does not show the unit that you
are already logged into.

Example
This example shows how to log into a subordinate unit in a
cluster of three ZXSEC US units. In this example you have
already logged into the primary unit. The primary unit has serial
number UST3082103000056. The subordinate units have serial
numbers UST3012803021709 and UST3082103021989.
execute ha manage ?
<id> please input slave cluster index.
<0> Subsidary unit UST3012803021709
<1> Subsidary unit UST3082103021989
Type 0 and press enter to connect to the subordinate unit with
serial number UST3012803021709. The CLI prompt changes to
the host name of this unit. To return to the primary unit, type
exit.
From the subordinate unit you can also use the execute ha
manage command to log into the primary unit or into another
subordinate unit. Enter the following command:
execute ha manage ?
<id> please input slave cluster index.
<1> Subsidary unit UST3082103021989
<2> Subsidary unit UST3082103000056
Type 2 and press enter to log into the primary unit or type 1 and
press enter to log into the other subordinate unit. The CLI
prompt changes to the host name of this unit.
ZXSEC US CLI Version 3.0 MR5 Reference
494 01-30005-0015-20070622

Confidential and Proprietary Information of ZTE CORPORATION 703

ZXSEC US CLI Reference Guide

execute ha manage
Related topics
execute ha disconnect
execute ha synchronize
system ha

Ha synchronize
Use this command from a subordinate unit in an HA cluster to
manually synchronize its configuration with the primary unit.
Using this command you can synchronize the following:
Configuration changes made to the primary unit (normal
system configuration, firewall configuration, VPN
configuration and so on stored in the ZXSEC US configuration
file),
Antivirus engine and antivirus definition updates received by
the primary unit from the Usservice Distribution Network
(UDN),
IPS attack definition updates received by the primary unit
from the UDN,
Web filter lists added to or changed on the primary unit,
Email filter lists added to or changed on the primary unit,
Certification Authority (CA) certificates added to the primary
unit,
Local certificates added to the primary unit.
You can also use the start and stop keywords to force the cluster
to synchronize its configuration or to stop a synchronization
process that is in progress.
Syntax
execute ha synchronize {config| avupd| attackdef| weblists|
emaillists|ca| localcert| all | start | stop}

Variables Description
config Synchronize the ZXSEC US configuration.
Synchronize the antivirus engine and antivirus
avupd
definitions.
attackdef Synchronize attack definitions.
weblists Synchronize web filter lists.
emaillists Synchronize email filter lists.
ca Synchronize CA certificates.
localcert Synchronize local certificates.

704 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

Variables Description
all Synchronize all of the above.
start Start synchronizing the cluster configuration.
Stop the cluster from completing synchronizing its
stop
configuration.

Example
From the CLI of a subordinate unit, use the following commands
to synchronize the antivirus and attack definitions on the
subordinate ZXSEC US unit with the primary unit after the UDN
has pushed new definitions to the primary unit.
execute ha synchronize avupd execute ha synchronize attackdef
Related topics
execute ha disconnect
execute ha manage
system ha

Interface dhcpclient-renew
Renew the DHCP client for the specified DHCP interface and
close the CLI session. If there is no
DHCP connection on the specified port, there is no output.
syntax
execute interface dhcpclient-renew <port>
Example
This is the output for renewing the DHCP client on port1 before
the session closes:
# exec interface dhcpclient-renew port1
renewing dhcp lease on port1
Related topics
execute deploy
execute dhcp lease-list

Interface pppoe-reconnect
Reconnect to the PPPoE service on the specified PPPoE interface
and close the CLI session. If there is no PPPoE connection on the
specified port, there is no output.
syntax

Confidential and Proprietary Information of ZTE CORPORATION 705

ZXSEC US CLI Reference Guide

execute interface pppoe-reconnect <port>

Related topics
execute modem dial
execute modem hangup

Log delete-all
Use this command to clear all log entries in memory and current
log files on hard disk. If your ZXSEC US unit has no hard disk,
only log entries in memory will be cleared. You will be prompted
to confirm the command.
syntax
execute log delete-all
Related topics
execute log delete-filtered
execute log delete-rolled
execute log display
execute log filter
execute log list
execute log stats display
execute log stats reset

Log delete-filtered
Use this command to delete log messages that match the
current filter. You need to first set the log filter with the execute
log filter <filter> command.
syntax
execute log delete-filtered
Example
To delete all traffic logs, enter the following commands: execute
log filter category traffic execute log delete-filtered
Related topics
execute log filter
execute log delete-rolled
execute log display
execute log list
execute log stats display

706 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

execute log stats reset

Log delete-rolled
Use this command to delete rolled log files.
syntax
execute log delete-rolled <category> <start> [<end>]

Variable Description
Enter the category of rolled log files that you want to
delete:
event
ids
<category>
spam
traffic
virus
webfilter
Enter the number of the first log to delete. If you are
<start> deleting multiple rolled log files, you must also enter
a number for end.
Enter the number of the last log to delete, if you are
<end>
deleting multiple rolled log files.

<category> must be one of: event, ids, spam, traffic, virus or

webfilter. The <start>
and <end> values represent the range of log files to delete. If
<end> is not specified, only the
<start> log number is deleted.
Example
To delete all of the rolled traffic log files, enter the following
command:
execute log delete-rolled traffic 1 9999
Related topics
log Usla setting
execute log delete-filtered
execute log filter
execute log delete-all

Log display
Use this command to display log messages that you have
selected with the execute log filter command.

Confidential and Proprietary Information of ZTE CORPORATION 707

ZXSEC US CLI Reference Guide

syntax
execute log display
The console displays the first 10 log messages. To view more
messages, run the command again. You can do this until you
have seen all of the selected log messages. To restart viewing
the list from the beginning, use the commands
execute log filter start_index 1
execute log display
You can restore the log filters to their default values using the
command
execute log filter reset
Related topics
execute log filter
execute log delete-filtered

Log filter
Use this command to select log messages for viewing or deletion.
You can view one log category on one device at a time.
Optionally, you can filter the messages to select only specified
date ranges or severities of log messages. For traffic logs, you
can filter log messages by source or destination IP address.
Commands are cumulative. If you omit a required variable, the
command displays the current setting.
syntax
execute log filter category <category_name>
execute log filter device {disk | memory}
execute log filter field action <action> [action2 action3 ..] execute log filter
field date <from_date> <to_date> <negate> execute log filter field detail
<string> [string1 string2 ...] execute log filter field log_id <logid> [logid2
logid3 ...] execute log filter field msg <string> [string2 string3 ...]
execute log filter field pri <priority> [priority2 priority3 ...]
execute log filter field reason <string> [string1 string2 ...] execute log filter
field status <string> [string1 string2 ...] execute log filter field subtype
<subtype> [subtype2 subtype3 ...] execute log filter field time <from_time>
<to_time> <negate>
execute log filter field type <type> [type2 type3 ...]
execute log filter field ui <string> [string1 string2 ...] execute log filter field
user <user_id> [user_id2 user_id3 ...] execute log filter lines_per_view
<count>
execute log filter list
execute log filter reset

708 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

execute log filter rolled_number <number>

execute log filter start_line <line_number>

TABLE 147 EXECUTE LOG FILTER COMM AND KEYWORDS AND VARI ABLES

Variables Description Default

Enter the type of log you want to
select, one of:
event
ids
category
spam event
<category_name>

traffic
virus
webfilter

device {disk |
Device where the logs are stored. disk
memory}
field action <action> Filter according to action. You can No
[action2 action3 ..] specify up to five actions. default.

Filter according to date range.

field date Specify dates in the format yyyy-
<from_date> No
mm-dd. To exclude the date
default.
<to_date> <negate> range, specify 1 for negate. By
default, negate is 0.

field detail <string> Filter by log detail. You specify up

No
to five strings to match in the log
[string1 string2 ...] default.
details.

field log_id <logid> Filter by log ID number. Enter

No
one of more log IDs to match.
[logid2 logid3 ...] default.
You can specify up to five log IDs.

field msg <string> Filter by log message content.

No
You specify up to five strings to
[string2 string3 ...] default.
match in the log message.
Filter by priority. Priorities are:
field pri <priority> emergency, alert, critical, error,
No
[priority2 warning, notice, information and
default.
priority3 ...] debug. You can specify up to five
priority levels.

field reason <string> Filter by reason. You can specify

No
five strings to match in the
[string1 string2 ...] default.
reason field.

field status <string> Filter by status. You can specify

No
five strings to match in the status
[string1 string2 ...] default.
field.
field subtype Filter by logs by subtype.
<subtype> Subtypes depend on type. You No
[subtype2 can specify up to five log default.
subtype3 ...] subtypes.

Confidential and Proprietary Information of ZTE CORPORATION 709

ZXSEC US CLI Reference Guide

Variables Description Default

field time Filter according to time range.

<from_time> Specify times in the format
No
hh:mm:ss. To exclude the time
<to_time> default.
range, specify 1 for negate. By
<negate> default, negate is 0.
Filter by log type. Types are:
field type <type> attack, content, event, spamfilter, No
[type2 type3 ...] traffic, virus and webfilter. You default.
can specify up to five log types.

field ui <string> Filter by user interface field. You

No
can specify up to five strings to
[string1 string2 ...] default.
match in the user interface field.
field user <user_id>
Filter by user ID. You can specify No
[user_id2 up to five user IDs. default.
user_id3 ...]
lines_per_view Set lines per view. Range: 5 to
10
<count> 1000
No
list Display current filter settings.
default.
Number of log entries displayed
number <integer> 10
per page.
Execute this command to reset all No
reset
filter settings. default.
rolled_number Select logs from rolled log file. 0
0
<number> selects current log file.
start_line Select logs starting at specified
1
<line_number> line number.

Use as many execute log filter commands as you need to define

the log messages that you want to view.
Related topics
execute log delete-filtered
execute log display

Log USanalzyer test-

connectivity
Use this command to test the connection to the Usla unit. This
command is available only when Usla is configured.
syntax
execute log Usla test-connectivity
The spelling of Usla in this command will be corrected in a later
release.

710 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

Example
When Usla is connected, the output looks like this:
Usla Host Name: Usla-800
ZXSEC US Device ID: US0550
Registration: registered
Connection: allow
Disk Space (Used/Allocated): 0/1000 MB Total Free Space:
456690 MB
Log: Tx & Rx
Report: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
When Usla is not connected, the output is: Connect Error
Related topics
log Usla setting

Log list
You can view the list of current and rolled log files on the
console. The list shows the file name, size and timestamp.
syntax
execute log list <category>
<category> must be one of: event, ids, spam, traffic, virus or
webfilter.

Example
The output looks like this:
elog 8704 Fri Jan 28 14:24:35 2005
elog.1 1536 Thu Jan 27 18:02:51 2005
elog.2 35840 Wed Jan 26 22:22:47 2005

At the end of the list the total number of files in the category is
displayed. For example:
501 event log file(s) found.
Related topics
execute log delete-rolled

Confidential and Proprietary Information of ZTE CORPORATION 711

ZXSEC US CLI Reference Guide

Log roll
Use this command to roll all log files.
syntax
execute log roll
Related topics
execute log delete-rolled

Modem dial
Dial the modem.
The dial command dials the accounts configured in config system
modem until it makes a connection or it has made the maximum
configured number of redial attempts.
This command applies only to models 70, 120 and 120W and is
effective only if the modem is in Standalone mode.
Syntax
execute modem dial
Related topics
system modem
execute modem hangup

Modem hangup
Hang up the modem.
This command applies only to models 70, 120 and 120W and is
effective only if the modem is in Standalone mode.
Syntax
execute modem hangup
Related topics
system modem
execute modem dial

Mrouter clear
Clear multicast routes, RP-sets, IGMP membership records or
routing statistics.

712 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

Syntax
Clear IGMP memberships:
execute mrouter clear igmp-group {{<group-address>} <interface-name>}
execute mrouter clear igmp-interface <interface-name>
Clear multicast routes:
execute mrouter clear <route-type> {<group-address> {<source-address>}}
Clear PIM-SM RP-sets learned from the bootstrap router (BSR):
execute mrouter clear sparse-mode-bsr
Clear statistics:
execute mrouter clear statistics {<group-address> {<source-address>}}

TABLE 148 EXECUTE MROUTER CLEAR COMM AND KEYWORDS AND V ARIABLES

Variables Description
<interface- Enter the name of the interface on which you want
name> to clear IGMP memberships.
<group- Optionally enter a group address to limit the
address> command to a particular group.
Enter one of:
dense-routes - clear only PIM dense routes
<route-type>
routes- clear all types of multicast routes
sparse-routes - clear only sparse routes

Optionally, enter a source address to limit the

<source-
command to a particular source address. You must
address>
also specify group-address.

Related topics
router multicast
get router info bgp

Ping
Send an ICMP echo request (ping) to test the network
connection between the ZXSEC US unit and another network
device.
Syntax
execute ping {<address_ipv4> | <host-name_str>}
<host-name_str> should be an IP address, or a fully qualified domain
name.
Example
This example shows how to ping a host with the IP address
172.20.120.16.

Confidential and Proprietary Information of ZTE CORPORATION 713

ZXSEC US CLI Reference Guide

execute ping 172.20.120.16

PING 172.20.120.16 (172.20.120.16): 56 data bytes
64 bytes from 172.20.120.16: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 172.20.120.16: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=4 ttl=128 time=0.2 ms
--- 172.20.120.16 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss round-trip
min/avg/max = 0.2/0.2/0.5 ms
Related topics
execute ping-options
execute ping6
execute traceroute

Ping-options
Set ICMP echo request (ping) options to control the way ping
tests the network connection between the ZXSEC US unit and
another network device.
Syntax
execute ping-options data-size <bytes> execute ping-options df-bit {yes |
no} execute ping-options pattern <2-byte_hex> execute ping-options
repeat-count <repeats>
execute ping-options source {auto | <source-intf_ip>}
execute ping-options timeout <seconds> execute ping-options tos
<service_type> execute ping-options ttl <hops>
execute ping-options validate-reply {yes | no}

TABLE 149 EXECUTE PING-OPTIONS VIEW-SETTINGS

Keyword Description Default

data-size <bytes> Specify the datagram size in bytes. 56
Set df-bit to yesto prevent the ICMP
packet from being fragmented. Set
df-bit {yes | no} no
df-bit to noto allow the ICMP packet
to be fragmented.

714 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

Keyword Description Default

Used to fill in the optional data
buffer at the end of the ICMP
packet. The size of the buffer is
pattern <2- specified using the data_size No
byte_hex> parameter. This allows you to send default.
out packets of different sizes for
testing the effect of packet size on
the connection.
repeat-count Specify how many times to repeat
5
<repeats> ping.
Specify the ZXSEC US interface
from which to send the ping. If you
specify auto, the ZXSEC US unit
selects the source address and
source interface based on the route to the
{auto | <source- <host-name_str> or auto
intf_ip>} <host_ip>. Specifying the IP
address of a ZXSEC US interface
tests connections to different
network segments from the
specified interface.
Specify, in seconds, how long to
timeout <seconds> 2
wait until ping times out.
Set the ToS (Type of Service) field
in the packet header to provide an
indication of the quality of service
wanted.
lowdelay = minimize delay
tos <service_type> 0
throughput = maximize
throughput
reliability = maximize reliability
lowcost = minimize cost

Specify the time to live. Time to live

is the number of hops the ping
ttl <hops> 64
packet should be allowed to make
before being discarded or returned.
validate-reply {yes
Select yesto validate reply data. no
| no}
Display the current ping-option No
view-settings
settings. default

Example
Use the following command to increase the number of pings sent.
execute ping-options repeat-count 10
Use the following command to send all pings from the ZXSEC US
interface with IP address
192.168.10.23.
execute ping-options source 192.168.10.23

Confidential and Proprietary Information of ZTE CORPORATION 715

ZXSEC US CLI Reference Guide

Related topics
execute ping
execute ping6
execute traceroute
system tos-based-priority

Ping6
Send an ICMP echo request (ping) to test the network
connection between the ZXSEC US unit and an IPv6 capable
network device.
Syntax
execute ping6 {<address_ipv6> | <host-name_str>}
Example
This example shows how to ping a host with the IPv6 address
12AB:0:0:CD30:123:4567:89AB:CDEF.
execute ping6 12AB:0:0:CD30:123:4567:89AB:CDEF
Related topics
execute ping
execute ping-options
f router static6

Reboot
Restart the ZXSEC US unit.
Syntax
execute reboot <comment “comment_string”>
<comment “comment_string”> allows you to optionally add a
message that will appear in the hard disk log indicating the
reason for the reboot. If the message is more than one word it
must be enclosed in quotes.
Example
This example shows the reboot command with a message
included.
execute reboot comment “December monthly maintenance”
Related topics
execute backup
execute factoryreset

716 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

Restore
Use this command to
restore the configuration from a file
change the ZXSEC US firmware
change the ZXSEC US backup firmware
restore an IPS custom signature file
When virtual domain configuration is enabled (in system
global, vdom-admin is enabled), the content of the backup
file depends on the administrator account that created it.
A backup of the system configuration from the super admin
account contains the global settings
and the settings for all of the VDOMs. Only the super admin
account can restore the configuration from this file.
A backup file from a regular administrator account contains
the global settings and the settings for the VDOM to which
the administrator belongs. Only a regular administrator
account can restore the configuration from this file.
Syntax
execute restore av <filename> <ftp_ipv4 [ftp_port]> <password>
execute restore av tftp <avfile> <tftp_ip4>
execute restore config ftp <filename> <ftp_ipv4 [ftp_port]> <password>
execute restore config management-station <type> <revision> execute
restore config tftp <filename> <tftp_ipv4> [<password>] execute restore
config usb <filename> [<password>]
execute restore image ftp <filename> <ftp_ipv4>
execute restore image management-station <image_version>
execute restore image tftp <filename> <tftp_ipv4>
execute restore image usb <filename>
execute restore ips ftp <filename> <ftp_ipv4 [ftp_port]> <password>
execute restore ips tftp <filename> <tftp_ipv4>
execute restore ipsuserdefsig <filename> <ftp_ipv4 [ftp_port]>
<password>
execute restore ipsuserdefsig <filename> <tftp_ipv4>
execute restore secondary-image ftp <filename> <ftp_ipv4
[ftp_port]><password>
execute restore secondary-image tftp <filename> <tftp_ipv4>
execute restore secondary-image usb <filename>
execute restore USDesktop <fc_filename> <tftp_ipv4>

Confidential and Proprietary Information of ZTE CORPORATION 717

ZXSEC US CLI Reference Guide

Variables Description
Restore the system configuration from
a file on a TFTP server. The new
configuration replaces the existing
config tftp <filename> configuration, including administrator
<tftp_ipv4> [<password>] accounts and passwords.
If the backup file was created with a
password, you must specify that
password.
Restore the system configuration from
a file on a USB disk. The new
configuration replaces the existing
config usb <filename> configuration, including administrator
[<password>] accounts and passwords.
If the backup file was created with a
password, you must specify that
password.
Upload the antivirus database file from
av tftp <avfile> a TFTP server to the
<tftp_ip4>
ZXSEC US unit.
Upload the USDesktop image from a
TFTP server to the ZXSEC US unit. The
filename must have the format:
USDesktop <fc_filename>
USDesktopSetup_versionmajor.version
<tftp_ipv4> minor.build.exe.
For example,
USDesktopSetup.3.0.377.exe.
Upload a firmware image from an FTP
server to the ZXSEC US unit. The
image ftp <filename> ZXSEC US unit reboots, loading the
<ftp_ipv4> new firmware.
This command is not available in
multiple VDOM mode.
Upload a firmware image from a TFTP
server to the ZXSEC US unit. The
image tftp <filename> ZXSEC US unit reboots, loading the
<tftp_ipv4> new firmware.
This command is not available in
multiple VDOM mode.
Upload a firmware image from a USB
disk to the ZXSEC US unit. The ZXSEC
image usb <filename>
US unit reboots, loading the new
firmware.
ips tftp <ipsfile> Upload the IPS database file from a
<tftp_ip4> TFTP server to the ZXSEC US unit.

ipsuserdefsig <filename> Restore an IPS custom signature file.

The file will overwrite the existing IPS
<tftp_ipv4> custom signature file.

secondary-image tftp Upload a firmware image from a TFTP

<filename> server as the backup firmware of the
ZXSEC US unit. This is available only
<tftp_ipv4> on models numbered 100 and higher.

718 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

Variables Description
Upload a firmware image from a USB
disk as the backup
firmware of the ZXSEC US unit. The
secondary-image usb unit restarts when the upload
<filename>
is complete. This is available only on
models numbered 100 and
higher.

Example
This example shows how to upload a configuration file from a
TFTP server to the ZXSEC US unit and restart the ZXSEC US unit
with this configuration. The name of the configuration file on the
TFTP server is backupconfig. The IP address of the TFTP server
is 192.168.1.23.
execute restore config tftp backupconfig 192.168.1.23
Related topics
execute backup
ips custom

Router clear bgp

Use this command to clear BGP peer connections.
Command syntax
execute router clear bgp all [soft] [in | out]
execute router clear bgp as <as_number> [soft] [in | out]
execute router clear bgp dampening {ip_address | ip/netmask}
execute router clear bgp external {in prefix-filter} [soft] [in | out] execute
router clear bgp flap-statistics {ip_address | ip/netmask} execute router
clear bgp ip <ip_address> [soft] [in | out]

Variables Description
all Clear all BGP peer connections.
Clear BGP peer connections by AS
as <as_number>
number.
dampening {ip_address | Clear route flap dampening
ip/netmask} information for peer or network.
external {in prefix-filter} Clear all external peers.
Clear BGP peer connections by IP
ip <ip_address>
address.
Clear all members of a BGP peer-
peer-group
group.
Optionally limit clear operation to
[in | out]
inbound only or outbound only.

Confidential and Proprietary Information of ZTE CORPORATION 719

ZXSEC US CLI Reference Guide

Variables Description
flap-statistics {ip_address | Clear flap statistics for peer or
ip/netmask} network.

Do a soft reset that changes the

soft configuration but does not disturb
existing sessions.

Router clear bfd

Use this command to clear bi-directional forwarding session.
syntax
execute router clear bfd session <src_ip> <dst_ip> <interface>

Variables Description
Select the source IP address of the
<src_ip>
session.
Select the destination IP address of
<dst_ip>
the session.
<interface> Select the interface for the session.

Router clear ospf process

Use this command to clear and restart the OSPF router.
Syntax
execute router clear ospf process
Related topics
router ospf

Router restart
Use this command to restart the routing software.
Syntax
execute router restart
Related topics

720 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

router

Send-fds-statistics
Use this command to send an UDS statistics report now, without
waiting for the UDS statistics report interval to expire.
Syntax
execute send-fds-statistics

Et-next-reboot
Use this command to start the ZXSEC US unit with primary or
secondary firmware after the next reboot. This command is
useful only on models numbered 100 and higher which are able
to store two firmware images. By default, the ZXSEC US unit
loads the firmware from the primary partition.
VDOM administrators do not have permission to run this
command. It must be executed by a super administrator.
Syntax
execute set-next-reboot {primary | secondary}
Related topics
execute reboot
execute shutdown

Shutdown
Shut down the ZXSEC US unit now. You will be prompted to
confirm this command.
Syntax
execute shutdown <comment> <comment_string> <comment>
allows you to optionally add a message that will appear in the
hard disk log indicating the reason for the shutdown. If the
message is more than one word it must be enclosed in quotes.
Example
This example shows the reboot command with a message
included.
execute shutdown comment “emergency facility shutdown”
Related topics
execute factoryreset

Confidential and Proprietary Information of ZTE CORPORATION 721

ZXSEC US CLI Reference Guide

execute reboot

Ssh
Use this command to establish an ssh session with another
system.
Syntax
execute ssh <destination> <destination> - the destination in the form
user@ip or user@host.
Related topics
execute ping
execute traceroute
system interface

Telnet
Use telnet client. You can use this tool to test network
connectivity.
Syntax
execute telnet <telnet_ipv4> <telnet_ipv4> is the address to connect with.
Type exit to close the telnet session.
Related topics
execute ping
execute traceroute
system interface

Time
Get or set the system time.
Syntax
execute time [<time_str>]
time_str has the form hh:mm:ss, where
hh is the hour and can be 00 to 23
mm is the minutes and can be 00 to 59
ss is the seconds and can be 00 to 59
If you do not specify a time, the command returns the current
system time.

722 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

You are allowed to shorten numbers to only one digit when

setting the time. For example both 01:01:01 and 1:1:1 are
allowed.
Example
This example sets the system time to 15:31:03:
execute time 15:31:03
Related topics
execute date

Traceroute
Test the connection between the ZXSEC US unit and another
network device, and display information about the network hops
between the device and the ZXSEC US unit.
Syntax
execute traceroute {<ip_address> | <host-name>}
Example
This example shows how to test the connection with
http://docs.UScare.com. In this example the traceroute
command times out after the first hop indicating a possible
problem.
#execute traceoute docs.UScare.com
traceroute to docs.UScare.com (65.39.139.196), 30 hops max,
38 byte packets
1. 172.20.120.2 (172.20.120.2) 0.324 ms 0.427 ms
0.360 ms
2. * * *
If your ZXSEC US unit is not connected to a working DNS server,
you will not be able to connect to remote host-named locations
with traceroute.
Related topics
execute ping
execute ping-options

Update-av
Use this command to manually initiate the virus definitions and
engines update. To update both virus and attack definitions, use
the execute update-now command.
Syntax

Confidential and Proprietary Information of ZTE CORPORATION 723

ZXSEC US CLI Reference Guide

execute update-av
Related topics
execute update-now
system autoupdate override
system autoupdate push-update
system autoupdate schedule

Update-ips
Use this command to manually initiate the Intrusion Prevention
System (IPS) attack definitions and engine update. To update
both virus and attack definitions, use the execute update-now
command.
Syntax
execute update-ips
Related topics
execute update-now
system autoupdate override
system autoupdate override
system autoupdate push-update
system autoupdate schedule

Update-now
Use this command to manually initiate both virus and attack
definitions and engine updates. To initiate only virus or attack
definitions, use the execute update-av or execute update-ids
command respectively.
Syntax
execute update-now
Related topics
execute update-av
execute update-ips
system autoupdate override
system autoupdate push-update
system autoupdate schedule

724 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

Upd-vd-license
Use this command to enter a license key. If your ZXSEC US unit
is model 3000 or higher, you can purchase a license key from
USnet to increase the maximum number of VDOMs to 25, 50,
100 or 250. By default, ZXSEC US units support a maximum of
10 VDOMs.
syntax
execute upd-vd-license <license_key>

Variables Description
The license key is a 32-character string
supplied by USnet. USnet requires your
<license_key>
unit serial number to generate the
license key.

Usb-disk
Use these commands to manage your USB disks.
syntax
execute usb-disk delete <filename>
execute usb-disk format execute usb-disk list
execute usb-disk rename <old_name> <new_name>

Variables Description
Delete the named file from the USB
delete <filename>
disk.
format Format the USB disk.
list List the files on the USB disk.
rename <old_name>
Rename a file on the USB disk.
<new_name>

Related topics
execute backup
execute restore

Vpn certificate ca
Use this command to import a CA certificate from a TFTP or
SCEP server to the ZXSEC US unit, or to export a CA certificate
from the ZXSEC US unit to a TFTP server.
Before using this command you must obtain a CA certificate
issued by a CA.

Confidential and Proprietary Information of ZTE CORPORATION 725

ZXSEC US CLI Reference Guide

Digital certificates are used to ensure that both participants in

an IPSec communications session are trustworthy, prior to an
encrypted VPN tunnel being set up between the participants. The
CA certificate is the certificate that the ZXSEC US unit uses to
authenticate itself to other devices.

Note:
VPN peers must use digital certificates that adhere to the X.509
standard.

Note:
Digital certificates are not required for configuring ZXSEC US
VPNs. Digital certificates are an advanced feature provided for
the convenience of system administrators. This manual assumes
the user has prior knowledge of how to configure digital
certificates for their implementation.

Syntax
execute vpn certificate ca export tftp <certificate-name_str>
<file-name_str> <tftp_ip>
execute vpn certificate ca import auto <ca_server_url> <ca_identifier_str>
execute vpn certificate ca import tftp <file-name_str> <tftp_ip>

Keyword/variable Description
Import the CA certificate from a TFTP
import
server to the ZXSEC US unit.
Export or copy the CA certificate from the
export ZXSEC US unit to a file on the
TFTP server. Type ? for a list of certificates.
<certificate-
Enter the name of the CA certificate.
name_str>
<file-name_str> Enter the file name on the TFTP server.
<tftp_ip> Enter the TFTP server address.
Retrieve a CA certificate from a SCEP
auto
server.
Import the CA certificate to the ZXSEC US
tftp unit from a file on a TFTP
server (local administrator PC).
<ca_server_url> Enter the URL of the CA certificate server.
CA identifier on CA certificate server
<ca_identifier_str>
(optional).

Examples
Use the following command to import the CA certificate named
trust_ca to the ZXSEC US unit from a

726 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

TFTP server with the address 192.168.21.54.

execute vpn certificate ca import trust_ca 192.168.21.54
Related topics
execute vpn certificate local
execute vpn certificate remote
execute vpn certificate crl
execute vpn sslvpn del-tunnel
execute vpn sslvpn del-web
vpn certificate ca
vpn certificate local
vpn certificate crl
vpn certificate remote

Vpn certificate crl

Use this command to get a CRL via LDAP, HTTP, or SCEP
protocol, depending on the auto-update configuration.
In order to use the command execute vpn certificate crl, the
authentication servers must already be configured.
Digital certificates are used to ensure that both participants in
an IPSec communications session are trustworthy, prior to an
encrypted VPN tunnel being set up between the participants. The
CA certificate is the certificate that the ZXSEC US unit uses to
authenticate itself to other devices.

Note:
VPN peers must use digital certificates that adhere to the X.509
standard.

syntax
execute vpn certificate crl import auto <crl-name>

Keyword/variable Description

Confidential and Proprietary Information of ZTE CORPORATION 727

ZXSEC US CLI Reference Guide

Keyword/variable Description
Import the CRL from the configured LDAP,
import HTTP, or SCEP
authentication server to the ZXSEC US unit.
<crl-name> Enter the name of the CRL.
Trigger an auto-update of the CRL from the
auto configured LDAP, HTTP, or
SCEP authentication server.

Related topics
execute vpn certificate ca
execute vpn certificate local
execute vpn certificate remote
execute vpn sslvpn del-tunnel
execute vpn sslvpn del-web
vpn certificate ca
vpn certificate local
vpn certificate crl
vpn certificate remote

Vpn certificate local

Use this command to generate a local certificate, to export a
local certificate from the ZXSEC US unit to a TFTP server, and to
import a local certificate from a TFTP server to the ZXSEC US
unit.
Digital certificates are used to ensure that both participants in
an IPSec communications session are trustworthy, prior to an
encrypted VPN tunnel being set up between the participants. The
local certificate is the certificate that the ZXSEC US unit uses to
authenticate itself to other devices.
When you generate a certificate request, you create a private
and public key pair for the local ZXSEC US unit. The public key
accompanies the certificate request. The private key remains
confidential.
When you receive the signed certificate from the CA, use the
vpn certificate local command to install it on the ZXSEC US unit.

Note:
VPN peers must use digital certificates that adhere to the X.509
standard.
Digital certificates are not required for configuring ZXSEC US
VPNs. Digital certificates are an advanced feature provided for

728 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

the convenience of system administrators. This manual assumes

the user has prior knowledge of how to configure digital
certificates for their implementation.

Syntax - generate
execute vpn certificate local generate <certificate-name_str>
<key-length> {<host_ip> | <domain-name_str> | email-
addr_str>}[<optional_information>]

Variable Description
Enter a name for the certificate. The name can
contain numbers (0-9), uppercase and lowercase
<certificate-
letters (A-Z, a-z), and the special characters - and
name_str>
_. Other special characters and spaces are not
allowed.
<host_ip>
Enter the host IP address (host_ip), the domain
name
(domain-name_str), or an email address (email-
addr_str) to
identify the ZXSEC US unit being certified.
Preferably use an IP address
or domain name. If this is impossible (such as
with a dialup client), use
an e-mail address.
For host_ip, enter the IP address of the ZXSEC US
unit.
{<host_ip> | For domain-name_str, enter the fully qualified
domain name of the
<domain-
name_str> | ZXSEC US unit.
email- For email-addr_str, enter an email address that
addr_str>} identifies the
ZXSEC US unit.
If you specify a host IP or domain name, use the
IP address or domain name associated with the
interface on which IKE negotiations will take place
(usually the external interface of the local ZXSEC
US unit). If the IP address in the certificate does
not match the IP address of this interface
(or if the domain name in the certificate does not
match a DNS query of the ZXSEC US unit’s IP),
then some implementations of IKE may reject
the connection. Enforcement of this rule varies for
different IPSec products.
Enter 1024, 1536 or 2048 for the size in bits of
<key-length>
the encryption key.

Confidential and Proprietary Information of ZTE CORPORATION 729

ZXSEC US CLI Reference Guide

Variable Description
Enter optional_information as required to further
identify the certificate. See “Optional information
variables” for the list of optional information
variables. You must enter the optional variables
in order that they are listed in the table. To enter
[<optional_info any optional variable you must enter all of the
rmation>] variables that come before it in the list. For
example, to enter the organization_name_str, you
must first enter the country_code_str,
state_name_str, and city_name_str. While
entering optional variables, you can type ? for help
on the next required variable.

Optional information variables

Variable Description
Enter the two-character country code.
Enter execute vpn certificates local
generate <name_str> country followed by
<country_code_str>
a ? for a list of country codes. The country
code is case sensitive. Enter nullif you do
not want to specify a country.
Enter the name of the state or province
<state_name_str>
where the ZXSEC US unit is located.
Enter the name of the city, or town, where
<city_name_str> the person or organization certifying the
ZXSEC US unit resides.
Enter the name of the organization that is
<organization-
requesting the certificate for the ZXSEC
name_str>
US unit.
Enter a name that identifies the
<organization- department or unit within the organization
unit_name_str> that is requesting the certificate for the
ZXSEC US unit.
Enter a contact e-mail address for the
<email_address_str>
ZXSEC US unit.
Enter the URL of the CA (SCEP) certificate
<ca_server_url> server that allows auto- signing of the
request.
Enter the challenge password for the SCEP
<challenge_password>
certificate server.

Example - generate
Use the following command to generate a local certificate
request with the name branch_cert, the domain name
www.example.com and a key size of 1536.
execute vpn certificate local generate branch_cert 1536
www.example.com
Syntax - import/export
execute vpn certificate local import tftp <file-name_str> <tftp_ip>

730 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

execute vpn certificate local export tftp <certificate-name_str>

<file-name_str> <tftp_ip>

Keyword/variable Description
Import the local certificate from a TFTP
import
server to the ZXSEC US unit.
Export or copy the local certificate from the
export ZXSEC US unit to a file on the TFTP server.
Type ? for a list of certificates.
<certificate-
Enter the name of the local certificate.
name_str>
<tftp_ip> Enter the TFTP server address.
<file-name_str> Enter the file name on the TFTP server.
list List local certificates.

Examples - import/export
Use the following command to export the local certificate
request generated in the above example from the ZXSEC US
unit to a TFTP server. The example uses the file name testcert
for the downloaded file and the TFTP server address
192.168.21.54.
exec vpn certificate local export branch_cert testcert
192.168.21.54 Use the following command to import the signed
local certificate named branch_cert to the ZXSEC US unit from a
TFTP server with the address 192.168.21.54.
exec vpn certificate local import branch_cert 192.168.21.54
Related topics
execute vpn certificate ca
execute vpn certificate remote
execute vpn certificate crl
execute vpn sslvpn del-tunnel
execute vpn sslvpn del-web
vpn certificate ca
vpn certificate local
vpn certificate crl
vpn certificate remote

Vpn certificate remote

Use this command to import a remote certificate from a TFTP
server, or export a remote certificate from the ZXSEC US unit to
a TFTP server. The remote certificates are public certificates

Confidential and Proprietary Information of ZTE CORPORATION 731

ZXSEC US CLI Reference Guide

without a private key. They are used as OCSP (Online Certificate

Status Protocol) server certificates.
syntax
execute vpn certificate remote import tftp <file-name_str> <tftp_ip>
execute vpn certificate remote export tftp <certificate-name_str> <file-
name_str> <tftp_ip>

Keyword/variable Description
Import the remote certificate from the TFTP
import
server to the ZXSEC US unit.
Export or copy the remote certificate from
export the ZXSEC US unit to a file on the TFTP
server. Type ? for a list of certificates.
<certificate-ame_str> Enter the name of the public certificate.
<file-name_str> Enter the file name on the TFTP server.
<tftp_ip> Enter the TFTP server address.
Import/export the remote certificate via a
tftp
TFTP server.

Related topics
execute vpn certificate ca
execute vpn certificate local
execute vpn certificate crl
execute vpn sslvpn del-tunnel
execute vpn sslvpn del-web
vpn certificate ca
vpn certificate local
vpn certificate crl
vpn certificate remote

Vpn sslvpn del-tunnel

Use this command to delete an SSL tunnel connection.
syntax
execute vpn sslvpn del-tunnel <tunnel_index>
<tunnel_index> identifies which tunnel to delete if there is more
than one active tunnel.
Related topics
vpn ssl settings

732 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 17 Execute

Vpn sslvpn del-web

Use this command to delete an active SSL VPN web connection.
syntax
execute vpn sslvpn del-web <web_index>
<web_index> identifies which web connection to delete if there
is more than one active connection.
Related topics
vpn ssl settings

Confidential and Proprietary Information of ZTE CORPORATION 733

Chapter 18

Get

Overview
The get commands retrieve information about the operation and
performance of your ZXSEC US unit. This chapter contains the
following sections:
chassis status
firewall service predefined
gui console status
gui topology status hardware status
ips decoder
ips rule
ipsec tunnel list
router info bgp
router info bfd
router info multicast
router info ospf
router info protocols
router info rip
router info routing-table
system admin list
system admin status
system arp
system central-mgmt status
system checksum
system cmdb status
system dashboard

Confidential and Proprietary Information of ZTE CORPORATION 735

ZXSEC US CLI Reference Guide

system Usla-connectivity
system Usservice-log-service status
system Usservice-service status
system ha status
system info admin ssh
system info admin status
system performance status
system session list
system session status
system status

Chassis Status
For ZXSEC US series modules installed in a ZXSEC US9005 or
ZXSEC US9014 chassis, you can use the get chassis status
command to view real-time operating status information about
the hardware components installed in the chassis.
Information displayed depends on the ZXSEC US series chassis
and not on the ZXSEC US series module that you are connecting
to. You can use this command to view information about all of
the hardware components installed in the chassis (including
ZXSEC US, USController and other USnet modules installed in
the chassis as well as the chassis shelf managers).
The get chassis status command displays information received
from the chassis shelf manager. The command only displays
information if at least one shelf manager is functioning in the
chassis and only if the ZXSEC US module that you have
connected to can communicate with a shelf manager.
Syntax
get chassis status
The command display includes the following fields. For more
information see the example that follows.

TABLE 150 CHASSIS STATUS SETTING

Keyword Description
Chassis type The ZXSEC US chassis type: 5050 or 5140.
Active shelfmanager The number of the shelf manager slot
containing the active shelf manager: 1 or 2.
Current blade The slot number that the ZXSEC US module
that you are connected to is installed in.
Shelfmanager 2 Indicates whether a shelf manager is
operating in shelf manager slot 2. exist if a

736 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

Keyword Description
shelf manager is installed and operating in
slot 2. empty if shelf manager slot 2 is empty
or if the shelf manager in slot 2 is not
operating.
Shelfmanager 1 Indicates whether a shelf manager is
operating in shelf manager slot 1. exist if a
shelf manager is installed and operating in
slot 1. empty if shelf manager slot 1 is empty
or if the shelf manager in slot 1 is not
operating.
Blade <slot_integer> indicated the slot number in
<slot_integer>: the chassis. Slots 1 to 5 are listed for the
ZXSEC US9005 chassis and slots 1 to 14 are
<module_name>
listed for the ZXSEC US5140 chassis.
<module_name> indicates the name of the
module installed in the chassis slot.
<module_name> can be 8004 for the ZXSEC
US8005, for the US8005, and empty if the
slot is empty.
The command displays voltage and
temperature information for each module in
the chassis. The voltage and temperature
information that is displayed is different for
each module and depends on the voltage and
temperature sensors on the module.
Voltage, V For each slot in the chassis the command
displays voltages detected by the voltage
sensors in the module installed in the slot.
The information displayed for each sensor
includes the design voltage (for example
3.3V) followed by the actual voltage (for
example, 3.488V). The design voltage
depends on the sensor.
The voltages that are displayed are different
for each module type.
Temp For each slot in the chassis the command
displays temperatures in degrees Celsius
detected by the temperature sensors in the
module. The information displayed for each
sensor includes the name of the temperature
sensor and the temperature reading.
The temperatures that are displayed are
different for each module type.

Example
The following example shows the get chassis status output for a
ZXSEC US9000 chassis that contains the following modules:
Slot 1: empty
Shelf Manager: one shelf manager in shelf manager slot 1
Chassis type: 5050
Active shelfmanager: 1

Confidential and Proprietary Information of ZTE CORPORATION 737

ZXSEC US CLI Reference Guide

Current blade: 3
Shelfmanager 2: empty
Shelfmanager 1: exist
Blade 4: 9005
CPU1 Voltage: 1.1956V
CPU2 Voltage: 1.1858V
+5.0V: 4.8755V
+3.3V: 3.321V
+2.5V CPU 1: 2.5742V
+2.5V CPU 2: 2.5376V
+1.2V 1: 1.2054V
+1.2V 2: 1.2348V
Incoming Air-Flo: 35C
CPU Board Temp: 42C
CPU1 Temp: 59C
CPU2 Temp: 60C
Blade 4: 8004
5V: 5.0739V
3.3V: 3.4992V
2.5V: 2.497V
1.8V: 1.8124V
1.5V: 1.5345V
TEMP1: 41C
TEMP2: 35C
Blade 1: empty

Firewall Service Predefined

Use this command to retrieve information about predefined
services. The following information is available:
destination port
source port
ICMP code
ICMP type
protocol
protocol-number

738 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

Syntax
get firewall service predefined <service_name>
Example output
ZXSEC US350 # get firewall service predefined FTP
name : FTP
icmpcode :
icmptype :
protocol : TCP/UDP
protocol-number: 6
tcpport-range : 21-21:0-65535
udpport-range :
ZXSEC US350 # get firewall service predefined SIP
name : SIP
icmpcode :
icmptype :
protocol : TCP/UDP
protocol-number: 17
tcpport-range :
udpport-range: 5060-5060:0-65535
ZXSEC US350 # get firewall service predefined AOL
name : AOL
icmpcode :
icmptype :
protocol : TCP/UDP
protocol-number: 6
tcpport-range : 5190-5194:0-65535
udpport-range:

GUI Console Status

Display information about the CLI console.
Syntax
get gui console status
Example
The output looks like this:
Preferences: User: admin

Confidential and Proprietary Information of ZTE CORPORATION 739

ZXSEC US CLI Reference Guide

Colour scheme (RGB): text=FFFFFF, background=000000

Font: style=monospace, size=10pt
History buffer=50 lines, external input=disabled
Related topics
get gui topology status

GUI Topology Status

Display information about the topology viewer database.
Syntax
get gui topology status
Example
The output looks like this:
Preferences:
Canvas dimensions (pixels): width=780, height=800
Colour scheme (RGB): canvas=12ff08, lines=bf0f00,
exterior=ddeeee
Background image: type=none, placement: x=0, y=0
Line style: thickness=2
Custom background image file: none
Topology element database:
__ZXSEC US__: x=260, y=340
Office: x=22, y=105
ISPnet: x=222, y=129
__Text__: x=77, y=112: "Ottawa"
__Text__: x=276, y=139: "Internet"
Related topics
get gui console status

Hardware Status
Report information about the ZXSEC US unit hardware.
Syntax
get hardware status
Example
The output looks like this:

740 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

Model name: ZXSEC US1300

ASIC version: CP4
SRAM: 64M
CPU: Mobile Genuine Intel(R) processor 1400MHz
RAM: 1009 MB
Compact Flash: 122 MB /dev/hdc
Hard disk: 76308 MB /dev/hda
USB Flash: not available
Network Card chipset: Intel(R) PRO/1000 Network
Connection (rev.0x01)
Network Card chipset: Intel(R) PRO/100 M Desktop
Adapter (rev.0x0010)
Related topics
get system status

IPS Decoder
Displays all the port settings of all the IPS decoders.
Syntax
get ips decoder
Related topics
ips decoder
get ips rule

IPS Rule
Displays all the port settings of all the IPS decoders.
Syntax
get ips rule
get ips rule status
Enter get ips rule to display a list of all the intrusion protection
signatures. Enter get ips rule status to list the default settings of
all the signatures. The default settings of any individual
signature can be displayed using the config ips rule command.
Related topics
ips decoder
get ips decoder

Confidential and Proprietary Information of ZTE CORPORATION 741

ZXSEC US CLI Reference Guide

ips rule

IPSec Tunnel List

List the current IPSec VPN tunnels and their status.
Syntax
get ipsec tunnel list
Example
The output looks like this:
NAME REMOTE-GW PROXY-ID-SOURCE
PROXY-ID-DESTINATION STATUS TIMEOUT
VPN1
172.20.120.5:500 0.0.0.0/255.255.255.255
172.20.120.5/172.20.120.5
up 1786
NAME The name of the configured tunnel.
REMOTE-GW The public IP address and UDP port of the
remote host device, or if a NAT device
exists in front of the remote host, the
public IP address and UDP port of the NAT
device.
PROXY- ID-SOURCE
The IP address range of the hosts, servers,
or private networks behind the ZXSEC US
unit that are available through the VPN
tunnel.
PROXY- ID-DESTINATION
This field displays IP addresses as a range.
When a USDesktop dialup client establishes
a tunnel:
If VIP addresses are not used, the Proxy ID
Destination field displays the public IP
address of the remote host Network
Interface Card (NIC).
If VIP addresses were configured (manually
or through ZXSEC US DHCP relay), the
Proxy ID Destination field displays either
the VIP address belonging to the
USDesktop dialup client, or the subnet
address from which VIP addresses were
assigned.

742 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

When a ZXSEC US dialup client establishes a

tunnel, the Proxy ID Destination field displays
the IP address of the remote private network.
STATUS Tunnel status: up or down.
TIMEOUT The number of seconds before the next phase 2
key exchange. The time is calculated by
subtracting the time elapsed since the last key
exchange from the keylife duration setting. When
the phase 2 key expires, a new key is generated
without interrupting service.
Related topics
vpn ipsec phase1
vpn ipsec phase1-interface
vpn ipsec manualkey
vpn ipsec manualkey-interface

Router Info BGP

Use this command to display information about the BGP
configuration.
Syntax
get router info bgp <keyword>

TABLE 151 ROUTER INFO BGP SETTING

Keyword Description
cidr-only Show all BGP routes having non-natural
network masks.
community Show all BGP routes having their COMMUNITY
attribute set.
community-info Show general information about the
configured BGP communities, including the
routes in each community and their
associated network addresses.
community-list Show all routes belonging to configured BGP
community lists.
dampening Display information about dampening:
{dampened-paths |
Type dampened-paths to show all paths
flap- statistics |
that have been suppressed due to
parameters}
flapping.
Type flap-statistics to show flap statistics
related to BGP routes.
Type parameters to show the current
dampening settings.

Confidential and Proprietary Information of ZTE CORPORATION 743

ZXSEC US CLI Reference Guide

Keyword Description
filter-list Show all routes matching configured AS-path
lists.
inconsistent-as Show all routes associated with inconsistent
autonomous systems of origin.
memory Show the BGP memory table.
neighbors Show information about connections to TCP
[<address_ipv4> | and BGP neighbors.
<address_ipv4>
advertised-routes |
<address_ipv4>
received prefix-filter
|
<address_ipv4>
received-routes |
<address_ipv4>
routes]
network Show general information about the
[<address_ipv4mas configured BGP networks, including their
k>] network addresses and associated prefixes.
network-longer- Show general information about the BGP
prefixes route that you specify (for example,
<address_ipv4mask 12.0.0.0/14) and any specific routes
> associated with the prefix.

paths Show general information about BGP AS

paths, including their associated network
addresses.
prefix-list <name> Show all routes matching configured prefix
list <name>.
quote-regexp Enter the regular expression to compare to
<regexp_str> the AS_PATH attribute of BGP routes (for
example, ^730$) and enable the use of
output modifiers (for example, include,
exclude, and begin) to search the results.
regexp Enter the regular expression to compare to
<regexp_str> the AS_PATH attribute of BGP routes (for
example, ^730$).
route-map Show all routes matching configured route
maps.
scan Show information about next-hop route
scanning, including the scan interval setting.
summary Show information about BGP neighbor status.

Example
For the command get router info bgp memory, the output looks
like:
Memory type Alloc count Alloc bytes

744 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

===================================
============= ===============
BGP structure : 2 1408
BGP VR structure: 2 104
BGP global structure: 1 56
BGP peer: 2 3440
BGP as list master: 1 24
Community list handler: 1 32
BGP Damp Reuse List Array :2 4096
BGP table: 62 248
----------------------------------- ------------- ---------------
Temporary memory: 4223 96095
Hash: 7 140
Hash index: 7 28672
Hash bucket: 11 132
Thread master: 1 564
Thread : 4 144
Link list: 32 636
Link list node: 24 288
Show: 1 396
Show page: 1 4108
Show server: 1 36
Prefix IPv4: 10 80
Route table: 4 32
Route node: 63 2772
Vector: 2180 26160
Vector index: 2180 18284
Host config: 1 2
Message of The Day: 1 100
IMI Client: 1 708
VTY master: 1 20
VTY if: 11 2640
VTY connected: 5 140
Message handler: 2 120
NSM Client Handler: 1 12428
NSM Client: 1 1268
Host: 1 64

Confidential and Proprietary Information of ZTE CORPORATION 745

ZXSEC US CLI Reference Guide

Log information: 2 72
Context: 1 232
----------------------------------- ------------- ---------------
bgp proto specifc allocations:9408 B
bgp generic allocations: 196333 B
bgp total allocations: 205741 B
Related topics
router aspath-list
router bgp
router community-list

Router Info BFD

Use this command to list state information about the neighbors
in the bi-directional forwarding table.
Syntax
get router info bfd neighbour

Router Info Multicast

Use this command to display information about a Protocol
Independent Multicasting (PIM) configuration.
Multicast routing is supported in the root virtual domain only.
Syntax
get router info multicast <keywords>

746 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

TABLE 152 ROUTER INFO MULTICAST SETTING

Keyword Description
Show Internet Group Management
Protocol (IGMP) membership information
according to one of these qualifiers:
Type groups [{<interface-name> |
<group-address>}] to show IGMP
information for the multicast group(s)
associated with the specified interface
or multicast group address.

igmp Type groups-detail [{<interface-

name> | <group- address>}] to
show detailed IGMP information for
the multicast group(s) associated
with the specified interface or
multicast group address.
Type interface [<interface-name>] to
show IGMP information for all
multicast groups associated with the
specified interface.

Show information related to dense mode

operation according to one of these
qualifiers:
Type interface to show information
about PIM-enabled interfaces.
Type interface-detail to show detailed
information about PIM- enabled
interfaces.
Type neighbor to show the current
status of PIM neighbors.
pim dense-mode
Type neighbor-detail to show detailed
information about PIM neighbors.
Type next-hop to show information
about next-hop PIM routers.
Type table [<group-
address>][<source-address>] to
show the multicast routing table
entries associated with the
specified multicast group address
and/or multicast source address.

Confidential and Proprietary Information of ZTE CORPORATION 747

ZXSEC US CLI Reference Guide

Keyword Description
Show information related to sparse mode
operation according to one of these
qualifiers:
Type bsr-info to show Boot Strap
Router (BSR) information.
Type interface to show information
about PIM-enabled interfaces.
Type interface-detail to show detailed
information about PIM- enabled
interfaces.
Type neighbor to show the current
status of PIM neighbors.
pim sparse-mode
Type neighbor-detail to show detailed
information about PIM neighbors.
Type next-hop to show information
about next-hop PIM routers.
Type rp-mapping to show
Rendezvous Point (RP) information.
Type table [<group-
address>][<source-address>] to
show the multicast routing table
entries associated with the specified
multicast group address and/or
multicast source address.

Show the multicast routing table entries

table [<group-address>] associated with the specified multicast
[<source-address>] group address and/or multicast source
address.
table-count Show statistics related to the specified
[<group-address>] multicast group address and/or multicast
[<source-address>] source address.

Examples
This example displays all of the PIM entries in the multicast
routing table:
get router info multicast table
This example displays IGMP information for the multicast group
associated with multicast group address 239.254.2.0:
get router info multicast igmp groups 239.254.2.0
Related topics
router multicast
execute mrouter clear

748 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

Router Info OSPF

Use this command to display information about the ZXSEC US
OSPF configuration and/or the Link- State Advertisements (LSAs)
that the ZXSEC US unit obtains and generates. An LSA identifies
the interfaces of all OSPF-enabled routers in an area, and
provides information that enables OSPF- enabled routers to
select the shortest path to a destination.
Syntax
get router info ospf <keyword>

TABLE 153 ROUTER INFO MULTICAST SETTING

Keyword Description
Show OSPF routing table entries that have an
Area Border Router (ABR) or Autonomous
border-routers
System Boundary Router (ASBR) as a
destination.
Show information from the OSPF routing
database according to one of these qualifiers.
target can be one of the following values:
Type adv_router <address_ipv4> to limit
database
the information to LSAs originating from
<qualifier>
the router at the specified IP address.
Type self-originate <address_ipv4> to
limit the information to LSAs originating
from the ZXSEC US unit.

adv-router Type adv-router <address_ipv4> to show

ospf Advertising Router link states for the
<address_ipv4> router at the given IP address.
asbr-summary Type asbr-summary to show information
<target> about ASBR summary LSAs.

Type brief to show the number and type of

brief
LSAs associated with each OSPF area.
external Type external to show information about
<target> external LSAs.
Type max-age to show all LSAs in the MaxAge
max-age
list.
network Type network to show information about
<target> network LSAs.
nssa-external Type nssa-external to show information about
<target> not-so-stubby external LSAs.

opaque-area Type opaque-area <address_ipv4> to show

information about opaque Type 10 (area-
<address_ipv4> local) LSAs (see RFC 2370).

opaque-as Type opaque-as <address_ipv4> to show

information about opaque Type 11 LSAs (see
<address_ipv4>
RFC 2370), which are flooded throughout the

Confidential and Proprietary Information of ZTE CORPORATION 749

ZXSEC US CLI Reference Guide

Keyword Description
AS.

opaque-link Type opaque-link <address_ipv4> to show

information about opaque Type 9 (link-local)
<address_ipv4> LSAs (see RFC 2370).
Type router to show information about router
router <target>
LSAs.
Type self-originate to show self-originated
self-originate
LSAs.
summary Type summary to show information about
<target> summary LSAs.

interface Show the status of one or all ZXSEC US

interfaces and whether OSPF is enabled on
[<interface_name>] those interfaces.
Show general information about OSPF
neighbors, excluding down-status neighbors:
Type all to show information about all
neighbors, including down- status
neighbors.
Type <neighbor_id> to show detailed
information about the specified neighbor
neighbor [all |
only.
<neighbor_id> |
detail | Type detail to show detailed information
about all neighbors, excluding down-
detail all | interface
status neighbors.
<address_ipv4>]
Type detail all to show detailed
information about all neighbors, including
down-status neighbors.
Type interface <address_ipv4> to show
neighbor information based on the ZXSEC
US interface IP address that was used to
establish the neighbor’s relationship.

route Show the OSPF routing table.

Show general information about the OSPF
status
routing processes.
virtual-links Show information about OSPF virtual links.

Examples
The following example shows how to display information from
LSAs originating from a neighboring router at IP address
10.2.4.1:
get router info ospf database router adv_router 10.2.4.1
The following example shows how to display the number and
type of LSAs associated with each OSPF area to which the
ZXSEC US unit is linked:
get router info ospf database brief
The following command shows the status of all ZXSEC US
interfaces and whether OSPF is enabled on those interfaces.

750 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

get router info ospf interface

Related topics
execute router restart
get router info protocols
get router info routing-table
system interface
router ospf

Router Info Protocols

Use this command to show the current states of active routing
protocols. Inactive protocols are not displayed.
Syntax
#get router info protocols
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%
Timeout after 180 seconds, garbage collect after 120
seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update Bad Packets
Bad Routes
Distance: (default is 120)
Routing Protocol is "ospf 0"
Invalid after 0 seconds, hold down 0, flushed after 0
Outgoing update filter list for all interfaces is Incoming
update filter list for all interfaces is Redistributing:
Routing for Networks:
Routing Information Sources: Gateway Distance
Last Update
Distance: (default is 110) Address Mask Distance List
Routing Protocol is "bgp 5"

Confidential and Proprietary Information of ZTE CORPORATION 751

ZXSEC US CLI Reference Guide

IGP synchronization is disabled

Automatic route summarization is disabled
Default local-preference applied to incoming route is 100
Redistributing:
Neighbor(s):
Address AddressFamily FiltIn FiltOut DistIn DistOut
RouteMapIn
RouteMapOut Weight
192.168.20.10 unicast
Related topics
execute router restart
get router info rip
get router info routing-table
router rip
router ospf

Router Info RIP

Use this command to display information about the RIP
configuration.
Syntax
get router info rip <keyword>

TABLE 154 ROUTER INFO RIP SETTING

Keyword Description
database Show the entries in the RIP routing
database.
interface Show the status of the specified ZXSEC US
[<interface_name>] unit interface <interface_name> and
whether RIP is enabled.
If interface is used alone it lists all the
ZXSEC US unit interfaces and whether RIP
is enabled on each.

Example
The following command displays the RIP configuration
information for the port1 interface:
get router info rip interface port1
Related topics
get router info protocols
get router info routing-table

752 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

router rip
system interface

Router Info Routing-table

Use this command to display the routes in the routing table.
Syntax
get router info routing-table <keyword>
Example
The following command displays the entire routing table:
get router info routing-table all
Related topics
execute router restart
get router info ospf
get router info protocols
get router info rip
router policy
router rip
router static
router static6
system interface

System Admin List

View a list of all the current administration sessions.
Syntax
get system admin list
Example
The output looks like this:
# get system admin list

TABLE 155 ADMIN LIST OUTPUT

Username Local Device Remote Started

port1:172.2 172.20.120. 2006-08-
admin sshv2 0.120.148:2 16:4167 09
2 12:24:20

Confidential and Proprietary Information of ZTE CORPORATION 753

ZXSEC US CLI Reference Guide

Username Local Device Remote Started

port1:172.2
172.20.120. 2006-08-09
admin https 0.120.148:4
161:56365 12:24:20
43
port1:172.2
172.20.120. 2006-08-09
admin https 0.120.148:4
16:4214 12:25:29
43

TABLE 156 SYSTEM ADMIN LIST SETTING

Keyword Description
Name of the admin account
username admin
for this session
The protocol this session
local used to connect to the sshv2
ZXSEC US unit.
The interface, IP address,
and port used by this session port1:172.20.1
device
to connect to the ZXSEC US 20.148:22
unit.
The IP address and port used
by the originating computer 172.20.120.16:
remote
to connect to the ZXSEC US 4167
unit.
The time the current session 2006-08-09
started
started. 12:24:20

System Admin Status

View the status of the currently logged in admin and their
session.
Syntax
get system admin status
Example
The output looks like this:
# get system admin status username: admin
login local: sshv2
login device: port1:172.20.120.148:22
login remote: 172.20.120.16:4167
login vdom: root
login started: 2006-08-09 12:24:20
current time: 2006-08-09 12:32:12

754 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

TABLE 157 SYSTEM ADMIN STATUS SETTING

Keyword Description
Name of the admin account username:
username
currently logged in. admin
The protocol used to start login local:
login local
the current session. sshv2
The login information from login remote:
the ZXSEC US unit including
login device 172.20.120.16:
interface, IP address, and
port number. 4167

The computer the user is login remote:

login remote logging in from including the 172.20.120.16:
IP address and port number. 4167
The virtual domain the admin login vdom:
login vdom
is current logged into. root
login started:
The time the current session 2006-08-
login started
started.
09 12:24:20
current time:
The current time of day on 2006-08-
current time
the ZXSEC US unit
09 12:32:12

System ARP
View the ARP table entries on the ZXSEC US unit.
This command is not available in multiple VDOM mode.
Syntax
get system arp

TABLE 158 SYSTEM ARP SETTING

Keyword Description
The IP address that is
Address linked to the MAC 0.0.0.0
address.
Current duration of the
Age 0
ARP entry in minutes.
The hardware, or MAC
Hardware address, to link with this
IP 00:00:00:00:00:00:
Addr
address.
The physical interface the
Interface
address is on.

Example

Confidential and Proprietary Information of ZTE CORPORATION 755

ZXSEC US CLI Reference Guide

The output looks like this:

# get system arp
Address Age(min) Hardware Addr Interface
172.20.120.16 0 00:0d:87:5c:ab:65 internal
172.20.120.138 0 00:08:9b:09:bb:01 internal
Related topics
system arp-table
system proxy-arp

System Central-mgmt Status

View information about the Central Management System status.
Syntax
get system central-mgmt status
Example
The output looks like this:
# get system central-mgmt status Central Management
Service License: 1.0
Expiry date: 2007-12-31 00:00:00

System Checksum
View the checksums for global, root, and all.
Syntax
get system checksum status
Example
The output looks like this:
# get system checksum status
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: bb a4 80 07 42 33 c2 ff f1 b5 6e fe e4 bb 45 fb all:
1c 28 f1 06 fa 2e bc 1f ed bd 6b 21 f9 4b 12 88

System CMDB Status

View information about cmbdsvr on the ZXSEC US unit.
Syntax

756 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

get system cmdb status

Example
The output looks like this:
# get system cmdb status version: 1
owner id: 18
update index: 6070
config checksum: 12879299049430971535
last request pid: 68 last request type: 29 last request: 78

TABLE 159 SYSTEM CMDB STATUS SETTING

Keyword Description
version Version of the cmdb software.
owner id Process ID of the cndbsvr daemon.
The updated index shows how many changes
update index
have been made in cmdb.
last request pid The last process to access the cmdb.
last requst type Type of the last attempted access of cmdb.
The number of the last attempted access of
last request
cmdb.

System Dashboard
Display organization of the modules on the dashboard. The order
the modules are listed in is the order they appear - top to
bottom, left to right.
Syntax
get system cmdb status
Example
The output looks like this:
# get system dashboard
== [ sysinfo ]
name: sysinfo help: system information
== [ licinfo ]
name: licinfo help: license information
== [ sysop ]
name: sysop help: system operation
== [ sysres ]
name: sysres help: system resource

Confidential and Proprietary Information of ZTE CORPORATION 757

ZXSEC US CLI Reference Guide

== [ alert ]
name: alert help: alert console
== [ statistics ]
name: statistics help: statistics
== [ jsconsole ]
name: jsconsole help: CLI console

System Usla-Connectivity
Display connection and remote disk usage information about a
connected Usla unit.
Syntax
get Usla-connectivity status
Example
The output looks like this:
# get system Usla-connectivity status
Status: connected
Disk Usage: 0%

System Usservice-log-
Service Status
Command returns information about the status of the Usservice
Log & Analysis Service including license and disk information.
Syntax
get system Usservice-log-service status
Example
This shows a sample output.
# get system Usservice-log-service status
Usservice Log & Analysis Service
Expire on: 20071231
Total disk quota: 1111 MB Max daily volume: 111 MB
Current disk quota usage: n/a

758 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

System Usservice-service
Status
COMMAND REPLACED. Command returns information about the
status of the Usservice service including the name, version late
update, method used for the last update and when the update
expires. This information is shown for the AV Engine, virus
definitions, attack definitions, and the IPS attack engine.
Syntax
get system Usservice-service status
Example
This shows a sample output.

TABLE 160 SYSTEM USSERVICE-SERVICE STATUS SETTING

LAST
AME VERSION METHOD EXPIRE
UPDATE
2006-01-26 2006-06-12
AV Engine 2.002 manual
19:45:00 08:00:00

Virus 2006-06-02 2006-06-12

6.513 manual
Definitions 22:01:00 08:00:00

Attack 2006-06-09 2006-06-12

2.299 manual
Definitions 19:19:00 08:00:00

IPS Attack 2006-05-09 2006-06-12

1.015 manual
Engine 23:29:00 08:00:00

System HA Status
Use this command to display information about an HA cluster.
The command displays general HA configuration settings. The
command also displays information about how the cluster unit
that you have logged into is operating in the cluster.
Usually you would log into the primary unit CLI using SSH or
telnet. In this case the get system ha status command displays
information about the primary unit first, and also displays the HA
state of the primary unit (the primary unit operates in the work
state). However, if you log into the primary unit and then use
the execute ha manage command to log into a subordinate unit,
(or if you use a console connection to log into a subordinate unit)
the get system status command displays information about this
subordinate unit first, and also displays the HA state of this
subordinate unit. The state of a subordinate unit is work for an
active-active cluster and standby for an active-passive cluster.

Confidential and Proprietary Information of ZTE CORPORATION 759

ZXSEC US CLI Reference Guide

For a virtual cluster configuration, the get system ha status

command displays information about how the cluster unit that
you have logged into is operating in virtual cluster 1 and virtual
cluster 2. For example, if you connect to the cluster unit that is
the primary unit for virtual cluster 1 and the subordinate unit for
virtual cluster 2, the output of the get system ha status
command shows virtual cluster 1 in the work state and virtual
cluster 2 in the standby state. The get system ha status
command also displays additional information about virtual
cluster 1 and virtual cluster 2.
Syntax
get system ha status
The command display includes the following fields. For more
information see the examples that follow.

TABLE 161 SYSTEM USSERVICE-SERVICE STATUS SETTING

Keyword Description
Model The ZXSEC US model number.
Mode The HA mode of the cluster: a-a or a-p.
Group The group ID of the cluster.
Debug The debug status of the cluster.
The status of session pickup: enable or
ses_pickup
disable.
The status of the load-balance-all
load_balance keyword: enable or disable. Displayed for
active-active clusters only.
The active-active load balancing schedule.
schedule
Displayed for active-active clusters only.
Master displays the device priority, host
name, serial number, and actual cluster
index of the primary (or master) unit.
Slave displays the device priority, host
name, serial number, and actual cluster
index of the subordinate (or slave, or
backup) unit or units.
The list of cluster units changes depending
Master on how you log into the CLI. Usually you
would use SSH or telnet to log into the
Slave
primary unit CLI. In this case the primary
unit would be at the top the list followed
by the other cluster units.
If you use execute ha manage or a console
connection to log into a subordinate unit
CLI, and then enter get system ha status
the subordinate unit that you have logged
into appears at the top of the list of cluster
units.

760 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

Keyword Description
The number of virtual clusters. If virtual
domains are not enabled, the cluster has
number of vcluster one virtual cluster. If virtual domains are
enabled the cluster has two virtual
clusters.

Confidential and Proprietary Information of ZTE CORPORATION 761

ZXSEC US CLI Reference Guide

Keyword Description
The HA state (hello, work, or standby) and
HA heartbeat IP address of the cluster unit
that you have logged into in virtual cluster
1. If virtual domains are not enabled,
vcluster 1 displays information for the
cluster. If virtual domains are enabled,
vcluster 1 displays information for virtual
cluster 1.
The HA heartbeat IP address is 10.0.0.1 if
you are logged into a the primary unit of
virtual cluster 1 and 10.0.0.2 if you are
logged into a subordinate unit of virtual
cluster 1. vcluster 1 also lists the primary
unit (master) and subordinate units
(slave) in virtual cluster 1. The list
includes the operating cluster index and
serial number of each cluster unit in virtual
cluster 1. The cluster unit that you have
logged into is at the top of the list.
If virtual domains are not enabled and you
connect to the primary unit CLI, the HA
state of the cluster unit in virtual cluster 1
is work. The display lists the cluster units
starting with the primary unit.
If virtual domains are not enabled and you
connect to a subordinate unit CLI, the HA
vcluster 1 state of the cluster unit in virtual cluster 1
is standby. The display lists the cluster
units starting with the subordinate unit
that you have logged into.
If virtual domains are enabled and you
connect to the virtual cluster 1 primary
unit CLI, the HA state of the cluster unit in
virtual cluster 1 is work. The display lists
the cluster units starting with the virtual
cluster 1 primary unit.
If virtual domains are enabled and you
connect to the virtual cluster 1 subordinate
unit CLI, the HA state of the cluster unit in
virtual cluster 1 is standby. The display
lists the cluster units starting with the
subordinate unit that you are logged into.
In a cluster consisting of two cluster units
operating without virtual domains enabled
all clustering actually takes place in virtual
cluster 1. HA is designed to work this way
to support virtual clustering. If this cluster
was operating with virtual domains
enabled, adding virtual cluster 2 is similar
to adding a new copy of virtual cluster 1.
Virtual cluster 2 is visible in the get system
ha status command output when you add
virtual domains to virtual cluster 2.

762 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

Keyword Description
vcluster 2 only appears if virtual domains
are enabled. vcluster 2 displays the HA
state (hello, work, or standby) and HA
heartbeat IP address of the cluster unit
that you have logged into in virtual cluster
2. The HA heartbeat IP address is 10.0.0.2
if you are logged into the primary unit of
virtual cluster 2 and 10.0.0.1 if you are
logged into a subordinate unit of virtual
cluster 2.
vcluster 2 also lists the primary unit
(master) and subordinate units (slave) in
virtual cluster 2. The list includes the
cluster index and serial number of each
vcluster 2
cluster unit in virtual cluster 2. The cluster
unit that you have logged into is at the top
of the list.
If you connect to the virtual cluster 2
primary unit CLI, the HA state of the
cluster unit in virtual cluster 2 is work. The
display lists the cluster units starting with
the virtual cluster 2 primary unit.
If you connect to the virtual cluster 2
subordinate unit CLI, the HA state of the
cluster unit in virtual cluster 2 is standby.
The display lists the cluster units starting
with the subordinate unit that you are
logged into.

Examples
The following example shows get system ha status output for a
cluster of two ZXSEC US units operating in active-active mode.
The cluster group ID, session pickup, load balance all, and the
load balancing schedule are all set to the default values. The
device priority of the primary unit is also set to the default value.
The device priority of the subordinate unit has been reduced to
100. The host name of the primary unit is 8004_Slot_4. The
host name of the subordinate unit in is 8004_Slot_3.
The command output was produced by connecting to the
primary unit CLI (host name 8004_Slot_4).
Model: 5000
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable load_balance: disable schedule:
round robin
Master:128 8004_Slot_4 US0900 1
Slave :100 8004_Slot_3 US0900 0
number of vcluster: 1

Confidential and Proprietary Information of ZTE CORPORATION 763

ZXSEC US CLI Reference Guide

vcluster 1: work 10.0.0.2

Master:0 US0900
Slave :1 US0900
The following command output was produced by using execute
HA manage 0 to log into the subordinate unit CLI of the cluster
shown in the previous example. The host name of the
subordinate unit is 8004_Slot_3.
Model: 5000
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable load_balance: disable schedule:
round robin
Slave :100 8004_Slot_3 US0900 0
Master:128 8004_Slot_4 US0900 1
number of vcluster: 1
vcluster 1: work 10.0.0.2
Slave :1 US0900
Master:0 US0900

About the HA cluster index and the

execute ha manage command
When a cluster starts up the ZXSEC US Cluster Protocol (USCP)
assigns a cluster index and a HA heartbeat IP address to each
cluster unit based on the serial number of the cluster unit. The
USCP selects the cluster unit with the highest serial number to
become the primary unit. The USCP assigns a cluster index of 0
and an HA heartbeat IP address of 10.0.0.1 to this unit. The
USCP assigns a cluster index of 1 and an HA heartbeat IP
address of 10.0.0.2 to the cluster unit with the second highest
serial number. If the cluster contains more units, the cluster unit
with the third highest serial number is assigned a cluster index
of 2 and an HA heartbeat IP address of 10.0.0.3, and so on. You
can display the cluster index assigned to each cluster unit using
the get system ha status command. Also when you use the
execute ha manage command you select a cluster unit to log
into by entering its cluster index.
The cluster index and HA heartbeat IP address only change if a
unit leaves the cluster or if a new unit joins the cluster. When
one of these events happens, the USCP resets the cluster index
and HA heartbeat IP address of each cluster unit again according
to serial number.

764 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

Each cluster unit keeps its assigned cluster index and HA

heartbeat IP address even as the units take on different roles in
the cluster. For example, after the initial cluster index and HA
heartbeat IP addresses are set, the USCP checks other primary
unit selection criteria such as device priority and monitored
interfaces. Checking these criteria could result in selecting a
cluster unit without the highest serial number to operate as the
primary unit.
Even if the cluster unit without the highest serial number now
becomes primary unit, the cluster indexes and HA heartbeat IP
addresses assigned to the individual cluster units do not change.
Instead the USCP assigns a second cluster index, which could be
called the operating cluster index, to reflect this role change.
The operating cluster index is 0 for the primary unit and 1 and
higher for the other units in the cluster. By default both sets of
cluster indexes are the same. But if primary unit selection
selects the cluster unit that does not have the highest serial
number to be the primary unit then this cluster unit is assigned
an operating cluster index of 1. The operating cluster unit is
used by the USCP only. You can display the operating cluster
index assigned to each cluster unit using the get system ha
status command. There are no CLI commands that reference the
operating cluster index.
Even though there are two cluster indexes there is only one HA
heartbeat IP address and the HA heartbeat address is not
affected by a change in the operating cluster index.
Using the execute ha manage command
When you use the CLI command execute ha manage
<index_integer> to connect to the CLI of another cluster unit,
the <index_integer> that you enter is the cluster index of the
unit that you want to connect to.
Using get system ha status to display cluster indexes
You can display the cluster index assigned to each cluster unit
using the CLI command get system ha status. The following
example shows the information displayed by the get system ha
status command for a cluster consisting of two ZXSEC US units
operating in active-passive HA mode with virtual domains not
enabled and without virtual clustering.
get system ha status
Model: 5000
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:128 8004_slot_7 US0900 0
Slave :128 8004_slot_11 US0900 1
number of vcluster: 1

Confidential and Proprietary Information of ZTE CORPORATION 765

ZXSEC US CLI Reference Guide

vcluster 1: work 10.0.0.1

Master:0 US0900
Slave :1 US0900
In this example, the cluster unit with serial number US0900 has
the highest serial number and so has a cluster index of 0 and
the cluster unit with serial number US0900 has a cluster index of
1. From the CLI of the primary (or master) unit of this cluster
you can connect to the CLI of the subordinate (or slave) unit
using the following command:
execute ha manage 1
This works because the cluster unit with serial number US0900
has a cluster index of 1. The get system ha status command
output shows two similar lists of indexes and serial numbers.
The listing on the sixth and seventh lines of the command output
are the cluster indexes assigned according to cluster unit serial
number. These are the cluster indexes that you enter when
using the execute ha manage command. The cluster indexes
shown in the last two lines of the command output are the
operating cluster indexes that reflect how the cluster units are
actually operating in the cluster. In this example both sets of
cluster indexes are the same.
The last three lines of the command output display the status of
vcluster 1. In a cluster consisting of two cluster units operating
without virtual domains enabled all clustering actually takes
place in virtual cluster 1. HA is designed to work this way to
support virtual clustering. If this cluster was operating with
virtual domains enabled, adding virtual cluster 2 is similar to
adding a new copy of virtual cluster 1. Virtual cluster 2 is visible
in the get system ha status command output when you add
virtual domains to virtual cluster 2.
The HA heartbeat IP address displayed on line 8 is the HA
heartbeat IP address of the cluster unit that is actually operating
as the primary unit. For a default configuration this IP address
will always be 10.0.0.1 because the cluster unit with the highest
serial number will be the primary unit. This IP address changes if
the operating primary unit is not the primary unit with the
highest serial number.
Example: actual and operating cluster indexes do not
match
This example shows get system ha status command output for
same cluster of two ZXSEC US units. However, in this example
the device priority of the cluster unit with the serial number
US0900 is increased to 200. As a result the cluster unit with the
lowest serial number becomes the primary unit. This means the
actual and operating cluster indexes of the cluster units do not
match.
get system ha status
Model: 5000

766 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:128 8004_slot_7 US0900 0
Slave :200 8004_slot_11 US0900 1
number of vcluster: 1
vcluster 1: work 10.0.0.2
Master:1 US0900
Slave :0 US0900
The actual cluster indexes have not changed but the operating
cluster indexes have. Also, the HA heartbeat IP address
displayed for vcluster 1 has changed to 10.0.0.2.
Virtual clustering example output
The get system ha status command output is the same if a
cluster is operating with virtual clustering turned on but with all
virtual domains in virtual cluster 1. The following get system ha
status command output example shows the same cluster
operating as a virtual cluster with virtual domains in virtual
cluster 1 and added to virtual cluster 2. In this example the
cluster unit with serial number US0900 is the primary unit for
virtual cluster 1 and the cluster unit with serial number US0900
is the primary unit for virtual cluster 2.
get system ha status
Model: 5000
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:128 8004_slot_7 US0900 0
Slave :200 8004_slot_11 US0900 1
number of vcluster: 2
vcluster 1: work 10.0.0.2
Master:1 US0900
Slave :0 US0900
vcluster 2: standby 10.0.0.1
Master:0 US0900
Slave :1 US0900
This example shows three sets of indexes. The indexes in lines
six and seven are still used by the execute ha manage command.
The indexes on lines ten and eleven are for the primary and

Confidential and Proprietary Information of ZTE CORPORATION 767

ZXSEC US CLI Reference Guide

subordinate units in virtual cluster 1 and the indexes on the last

two lines are for virtual cluster 2.
Related topics
system ha
execute ha disconnect
execute ha manage
execute ha synchronize

System Info Admin SSH

Use this command to display information about the SSH
configuration on the ZXSEC US unit such as:
the SSH port number
the interfaces with SSH enabled
the hostkey DSA fingerprint
the hostkey RSA fingerprint
Syntax
get system info admin ssh
Example
This shows sample output.
# get system info admin ssh
SSH v2 is enabled on port 22
SSH is enabled on the following 1 interfaces:
internal
SSH hostkey DSA fingerprint =
cd:e1:87:70:bb:f0:9c:7d:e3:7b:73:f7:44:23:a5:99
SSH hostkey RSA fingerprint =
c9:5b:49:1d:7c:ba:be:f3:9d:39:33:4d:48:9d:b8:49
Related topics
system accprofile
execute disconnect-admin-session

System Info Admin Status

Use this command to display administrators that are logged into
the ZXSEC US unit.
Syntax

768 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

get system info admin status

Example
This shows sample output.
Index User name Login type From
0 admin CLI ssh(172.20.120.16)
1 admin WEB 172.20.120.16

TABLE 162 SYSTEM INFO ADMIN STATUS SETTING

Keyword Description
The order the administrators
Index 0
logged in.
The name of the user account
User name admin
logged in.
Which interface was used to log
Login type CLI
in.
The IP address this user logged
From 172.20.120.16
in from.

Related topics
get system info admin ssh

System Performance Status

Use this command to display ZXSEC US CPU usage, memory
usage, network usage, sessions, virus, IPS attacks, and system
up time.
Syntax
get system performance status
Example
The output looks like this:
# get sys per status
CPU states: 0% user 0% system 0% nice 100% idle
Memory states: 18% used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes,
1 kbps in 30 minutes
Average sessions: 5 sessions in 1 minute, 6 sessions in 10
minutes, 5 sessions in 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 9days, 22 hours, 0 minutes

Confidential and Proprietary Information of ZTE CORPORATION 769

ZXSEC US CLI Reference Guide

TABLE 163 SYSTEM INFO ADMIN STATUS SETTING

Keyword Description
The percentages of CPU cycles 0% user 0% system
CPU states used by user, system, nice and
idle categories of processes. 0% nice 100% idle

Memory The percentage of memory

18% used
states used.
0 kbps in
1 minute,
Average The average amount of network
0 kbps in
network traffic in kbps in the last
usage 10 minutes,
1, 10 and 30 minutes.
1 kbps in
30 minutes
5 sessions in
The average number of 1 minute,
Average sessions connected to the 6 sessions in
sessions ZXSEC US unit over the list 1, 10 minutes,
10 and 30 minutes. 5 sessions in
30 minutes
The number of viruses the
Virus
ZXSEC US unit has caught in 0 total in 1 minute
caught
the last 1 minute.
The number of IPS attacks that
IPS attacks
have been blocked in the last 1 0 total in 1 minute
blocked
minute.

How long since the ZXSEC US 9 days, 22 hours,

Uptime
unit has been restarted. 0 minutes

System Session List

Command returns a list of all the sessions active on the ZXSEC
US unit. or the current virtual domain if virtual domain mode is
enabled.
Syntax
get system session list
Example
The output looks like this:

TABLE 164 SYSTEM SESSION LIST

DESTINA
PRO EXPI SOURC DESTINA
SOURCE TION-
TO RE E-NAT TION
NAT
127.0.0.1:
tcp 0 127.0.0.1:1083 - -
514

770 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

DESTINA
PRO EXPI SOURC DESTINA
SOURCE TION-
TO RE E-NAT TION
NAT
127.0.0.1:
tcp 0 127.0.0.1:1085 - -
514
127.0.0.1:
tcp 10 127.0.0.1:1087 - -
514
127.0.0.1:
tcp 20 127.0.0.1:1089 - -
514
127.0.0.1:
tcp 30 127.0.0.1:1091 - -
514
127.0.0.1:
tcp 40 127.0.0.1:1093 - -
514
127.0.0.1:
tcp 60 127.0.0.1:1097 - -
514
127.0.0.1:
tcp 70 127.0.0.1:1099 - -
514
127.0.0.1:
tcp 80 127.0.0.1:1101 - -
514
90 127.0.0.1:
tcp 127.0.0.1:1103 - -
514
127.0.0.1:
tcp 100 127.0.0.1:1105 - -
514
127.0.0.1:
tcp 110 127.0.0.1:1107 - -
514
172.20.120.16: 172.20.12
tcp 103 - -
3548 0.133:22
172.20.120.16: 172.20.12
tcp 3600 - -
3550 0.133:22
127.0.0.1:
udp 175 127.0.0.1:1026 - -
53
127.0.0.1:
tcp 5 127.0.0.1:1084 - -
514
127.0.0.1:
tcp 5 127.0.0.1:1086 - -
514
127.0.0.1:
tcp 15 127.0.0.1:1088 - -
514
127.0.0.1:
tcp 25 127.0.0.1:1090 - -
514
127.0.0.1:
tcp 45 127.0.0.1:1094 - -
514
127.0.0.1:
tcp 59 127.0.0.1:1098 - -
514
127.0.0.1:
tcp 69 127.0.0.1:1100 - -
514
127.0.0.1:
tcp 79 127.0.0.1:1102 - -
514

Confidential and Proprietary Information of ZTE CORPORATION 771

ZXSEC US CLI Reference Guide

DESTINA
PRO EXPI SOURC DESTINA
SOURCE TION-
TO RE E-NAT TION
NAT
127.0.0.1:
tcp 99 127.0.0.1:1106 - -
514
127.0.0.1:
tcp 109 127.0.0.1:1108 - -
514
127.0.0.1:
tcp 119 127.0.0.1:1110 - -
514

TABLE 165 SYSTEM SESSION LIST SETTING

Keyword Description
The transfer protocol
PROTO tcp
of the session.
How long before this
EXPIRE session will 3600
terminate.
The source IP
SOURCE address and port 127.0.0.1:1083
number.
The source of the
SOURCE-NAT NAT. ‘-’ indicates -
there is no NAT.
The destination IP
DESTINATION address and port 127.0.0.1:514
number.
The destination of the
DESTINATION-NAT NAT. ‘-’ indicates -
there is no NAT.

System Session Status

Command returns the number of active sessions on the ZXSEC
US unit, or if virtual domain mode is enabled it returns the
number of active sessions on the current VDOM. In both
situations it will say ‘the current VDOM’.
Syntax
get system session status
Example
The output looks like this:
The total number of sessions for the current VDOM: 31

772 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 18 Execute

System Status
Use this command to display system status information including:
ZXSEC US firmware version, build number and branch point
virus and attack definitions version
ZXSEC US unit serial number and BIOS version
log hard disk availability
host name
operation mode
virtual domains status: current VDOM, max number of
VDOMs, number of NAT and TP mode VDOMs and VDOM
status
current HA status
system time
Syntax
get system status
Example output
Version: ZXSEC US700 3.00,build0305,060512
Virus-DB: 6.473(2006-05-12 10:21)
IPS-DB: 2.295(2006-05-09 11:30)
Serial-Number: US0900
BIOS version: 03006000
Log hard disk: Available
Hostname: ZXSEC US700
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
Common Criteria mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 305
System time: Mon May 15 13:39:03 2006
Related topics
hardware status

Confidential and Proprietary Information of ZTE CORPORATION 773

ZXSEC US CLI Reference Guide

This page is intentionally blank.

774 Confidential and Proprietary Information of ZTE CORPORATION

Figures

Figure 1 Example HA remote IP monitoring topology........... 464

Figure 2 Standalone session synchronization ..................... 538
Figure 3 Example standalone session synchronization network
configuration ................................................................. 542

Confidential and Proprietary Information of ZTE CORPORATION 775

ZXSEC US CLI Reference Guide

782 Confidential and Proprietary Information of ZTE CORPORATION

Index

790 Confidential and Proprietary Information of ZTE CORPORATION

Internal
logging neighbor changes
memory table
RFC 1771
RFC 1997
storing updates from neighbor
bgp
router
router info routing-table
bindthroughfw
firewall ipmacbinding setting
bindtofw
firewall ipmacbinding setting
bittorrent
firewall profile
bittorrent-limit
firewall profile
blackhole 302
router static
blackhole route
blocked
log filter
BOOTP Vendor Extensions
border-routers
router info ospf
bridged mode
broadcast_ssid
system wireless settings
bsr-allow-quick-refresh
router multicast interface pim-smglobal
buffer
system replacemsg auth
system replacemsg Usservice-wf
system replacemsg ftp
system replacemsg http
system replacemsg im

Confidential and Proprietary Information of ZTE CORPORATION 791

ZXSEC US CLI Reference Guide

system replacemsg mail

system replacemsg spam
system replacemsg sslvpn
bug-report system
bword
spamfilter
webfilter

C
ca
execute ha synchronize
cache
spamfilter USshield
cache-mem-percent webfilter Usservice
cache-mode
webfilter Usservice
cache-notfound-responses
system dns
capability-default-originate
router bgp neighbor
capability-dynamic
router bgp neighbor
capability-graceful-restart
router bgp neighbor
capability-orf
router bgp neighbor
capability-route-refresh
router bgp neighbor
case sensitivity
Perl regular expressions
Central Management Service
certificate
vpn ca
vpn crl
vpn local
certificate ca

792 Confidential and Proprietary Information of ZTE CORPORATION

vpn
certificate crl
vpn
certificate local
vpn
CUS reload
execute
CUS save
execute
channel
system wireless settings
CHAP
chassis status
get
check-reset-range
system global
China, PPP option
Chinese, Simplified
Chinese, Traditional
CIDR
cidr-only
router info bgp
cisco-exclude-genid
router multicast interface
Classless Interdomain Routing (CIDR)
clear system arp table
execute
CLI basics
CLI structure
client certificate for SSL-VPN
client certificate, require for logon
client-to-client-reflection
router bgp
clt-cert-req
system global
cluster

Confidential and Proprietary Information of ZTE CORPORATION 793

ZXSEC US CLI Reference Guide

virtual
cluster-id
router bgp
cnid
user ldap
command abbreviation
command completion
command help
comment
firewall profile
comments
firewall policy
Common Criteria (CC)
community
router info bgp
community-info
router info bgp
community-list router
router info bgp
confederation-identifier
router bgp
config
execute backup
ha synchronize
restore
config checksum
system cmdb status
config limit
ips anomaly
config router
config srv-ovrd-list
system Usservice
connected
router info routing-table
connecting to the CLI
through the console

794 Confidential and Proprietary Information of ZTE CORPORATION

using SSH
using Telnet
connect-timer
router bgp neighbor
conn-tracking
system global
console
system
console status
get
console, gui
contact-info
system snmp sysinfo
cost
router ospf neighbor
router ospf ospf-interface
counting to infinity loop
CPU usage, SNMP event
csv
log syslogd setting
syslogd setting
custom
ips
custom field log
customer service

E
EBGP
RFC 3065
ebgp-enforce-multihop router bgp neighbor
ebgp-multihop-ttl
router bgp neighbor
edit
system accprofile
system gre-tunnel
system mac-address-table
editing commands
editing the configuration file
edonkey
edonkey-limit
eip
vpn l2tp
vpn pptp
email
log filter
log report output
email when virus or spam detected
email-attachment-name log report output
email-body
log report output
emailbwl spamfilter
emaillists
execute ha synchronize
email-log-imap log filter
email-log-pop3
log filter
email-log-smtp log filter
email-pattern
spamfilter emailbwl
email-subject
log report output
enable

Confidential and Proprietary Information of ZTE CORPORATION 803

ZXSEC US CLI Reference Guide

system dhcp server

enc-alg
vpn ipsec manualkey-interface
enc-key
vpn ipsec manualkey-interface
enckey
vpn ipsec manualkey
encrypted password support
encryption
ipsec manualkey
system ha
end
command in a table shell
command in an edit shell
firewall schedule onetime
firewall schedule recurring
end-ip
firewall address
system dhcp server
system dhcp server config exclude-range
endip
firewall ippool
end-port
router policy
enforce-first-as router bgp
enhanced packet-matching
Equal Cost Multi-Path (ECMP)
equal cost multi-path (ECMP)
event
log filter
events
system snmp communities
exact-match
router access-list
example command sequences
exclude-summary

804 Confidential and Proprietary Information of ZTE CORPORATION

log report scope
execute
execute command backup
batch
CUS reload 581 CUS save
clear system arp table
date
deploy
dhcp lease-clear
dhcp lease-list
disconnect-admin-session
factoryreset
formatlogdisk
Usservice-log delete
Usservice-log update
fsae refresh
ha disconnect
ha manage
ha synchronize
interface dhcpclient-renew
execute command (continued)
interface pppoe-reconnect
log delete-all
log delete-filtered
log delete-rolled
log display
log filter
log USanalzyer test-connectivity
log list
log roll
modem dial
modem hangup
ping
ping6
ping-options
reboot

Confidential and Proprietary Information of ZTE CORPORATION 805

ZXSEC US CLI Reference Guide

restore
router clear bfd
router clear bgp
router restart
set-next-reboot
shutdown
ssh
telnet
time
traceroute
update-av
update-ips
update-now
upd-vd-license
usb-disk
vpn certificate ca
vpn certificate crl
vpn certificate local
vpn sslvpn del-tunnel
expires
webfilter ussrv-ovrd
export
execute vpn certificate ca
extintf
firewall vip
extip
firewall vip
extport
firewall vip
ext-ref
webfilter ussrv-ovrd

F
facility
log syslogd setting
factoryreset, execute

806 Confidential and Proprietary Information of ZTE CORPORATION

failed connection attempts
fail-open
system global
failopen mode, av-failopen
failtime
system global
fast-external-failover router bgp
FB4
UDN
proxy server
RFC 2616
service
UDS
override server
Federal Information Processing Standards (FIPS)
fieldbody
spamfilter mheader
fieldname
spamfilter mheader
file
log report output
file transfer protocol (FTP)
filepattern antivirus
filter
log
filter-list
router info bgp
filter-list-in
router bgp neighbor
filter-list-out
router bgp neighbor
filter-string
log report filter
FIN packet
Firefox
firewall

Confidential and Proprietary Information of ZTE CORPORATION 807

ZXSEC US CLI Reference Guide

address
addrgrp
multicast-policy
profile
firewall configuration
access profile setting
firmware performance optimization
fixedport
firewall policy
footer-option
log report customization
format
system replacemsg auth
system replacemsg Usservice-wf
system replacemsg ftp
system replacemsg http
system replacemsg im
system replacemsg mail
system replacemsg spam
system replacemsg sslvpn 442
formatlogdisk, execute
USLA system
USLA filter log
USLA setting log
ZXSEC US SNMP agent
ZXSEC US system configuration
ZXSEC US6110
ZXSEC US-ASM-FB4
Usservice
system
webfilter
Usservice Distribution Network (UDN)
Usservice filter log
Usservice Log & Analysis configuration
Usservice setting log
Usservice updates

808 Confidential and Proprietary Information of ZTE CORPORATION

Usservice-log system
Usservice-log delete
execute
Usservice-log update
execute
USM
scripts
USM-discover-helper
system interface
USnet customer service
USOS v3.0
MR2 363
USshield spamfilter
120W
wireless MAC filter
wireless settings
120W
interface settings
wireless MAC filter
forward-domain
system interface
fqdn
firewall address
fragment_threshold
system wireless settings
frequency
system autoupdate schedule
FSAE 367
fsae
firewall policy
user
fsae refresh execute
ussrv-local-cat webfilter
ussrv-local-rating webfilter
ussrv-ovrd webfilter
ussrv-wf-allow

ZXSEC US CLI Reference Guide

firewall profile
imoversizelimit
firewall profile
imp2p
imp2pgrp
access group for system accprofile
import
execute vpn certificate ca
execute vpn certificate crl
inbandwidth
config system interface
inbound
firewall policy
inbound traffic, limiting
include-nodata
log report scope
include-summary
log report scope
include-table-of-content log report scope
inconsistent-as
router info bgp
infected
log filter
info ospf
router
info protocols
router
info rip
router
info routing-table
router
initiator
webfilter ussrv-ovrd
input-device
router policy
interface

816 Confidential and Proprietary Information of ZTE CORPORATION

firewall ippool
loopback
proxy ARP
router bgp neighbor
router info ospf
router info RIP
router ospf ospf-interface
router rip distribute-list
router rip offset-list
system
system dhcp server
system gre-tunnel
system ipv6tunnel
system mac-address-table
system modem
system snmp community hosts
system zone
vpn ipsec manualkey
vpn ipsec manualkey-interface
vpn ipsec phase1
vpn ipsec phase1-interface
interface dhcpclient-renew execute
interface pppoe-reconnect execute
interior gateway protocol (IGP)
International characters
Internet Explorer
interval
system global
inter-VDOM routing
intrazone
system zone
Intrusion protection
DoS sensor, protection profile
ip
firewall ipmacbinding table
router ospf neighbor

Confidential and Proprietary Information of ZTE CORPORATION 817

ZXSEC US CLI Reference Guide

router ospf ospf-interface

router rip neighbor
system dhcp reserved-address
system Usservice
system interface
system settings
system snmp community hosts
webfilter ussrv-ovrd
IP address formats
IP address overlap
IP address spoofing
IP datagram
TOS bits
IP pool
proxy ARP
ip/subnet
spamfilter ipbwl
spamfilter iptrust
ip6
firewall address6
ip6-address
system interface config ipv6
ip6-default-life
system interface config ipv6
ip6-hop-limit
system interface config ipv6
ip6-link-mtu
system interface config ipv6
ip6-manage-flag
system interface config ipv6
ip6-max-interval
system interface config ipv6
ip6-min-interval
system interface config ipv6
ip6-other-flag
system interface config ipv6

818 Confidential and Proprietary Information of ZTE CORPORATION

ip6-reachable-time
system interface config ipv6
ip6-retrans-time
system interface config ipv6
ip6-send-adv
system interface config ipv6
ipbwl
spamfilter
ipmacbinding setting firewall
ipmacbinding table firewall
ippool
firewall
firewall policy
ips
IPS decoder
ips-anomaly
firewall profile
IPSec
ipsec
log filter
ipsec concentrator vpn
ipsec manualkey vpn
ipsec manualkey-interface vpn
ipsec phase1
vpn
ipsec phase1-interface vpn
ipsec phase2
vpn
ipsec phase2-interface vpn
IPSec tunnel
listing
ipsec tunnel list get
ipsgrp
access group for system accprofile
ips-signature
firewall profile

Confidential and Proprietary Information of ZTE CORPORATION 819

ZXSEC US CLI Reference Guide

ipsuserdefsig
execute backup
execute restore
iptrust
spamfilter
ipunnumbered
system interface
IPv6
6-to-4 address prefix
ipv6-tunnel system
ISP

J
join-group
router multicast interface
jumbo frames

K
kazaa
firewall profile
kazaa-limit
firewall profile
keepalive
vpn ipsec phase1
vpn ipsec phase1-interface
vpn ipsec phase2
vpn ipsec phase2-interface
keep-alive-timer router bgp
router bgp neighbor
key
system wireless settings
key-chain router
keylife
vpn ipsec phase1
keylifekbs
vpn ipsec phase2-interface

820 Confidential and Proprietary Information of ZTE CORPORATION

keylifeseconds
vpn ipsec phase2-interface
keylife-type
vpn ipsec phase2-interface
key-string
router key-chain

L
l2forward
system interface
l2tp
vpn
lacp-ha-slave
system interface
lacp-mode
system interface
lacp-speed
system interface
language
spamfilter bword
system global
webfilter bword
last request
system cmdb status
last request pid
system cmdb status
last requst type
system cmdb status
lcdpin
system global
lcdprotection
system global
lcp-echo-interval
system interface
lcp-max-echo-failures
system interface

Confidential and Proprietary Information of ZTE CORPORATION 821

ZXSEC US CLI Reference Guide

LDAP
ldap
user
ldapconntimeout
system global
ldap-server
user local
le
router prefix-list
lease-time
system dhcp server
license
spamfilter USshield
license key entry
line continuation
lines_per_view
execute logfilter
Link Aggregation Control Protocol (LACP)
link-failed-signal system ha
list
router ospf area filter-list
listname
router rip distribute-list
load-balance-all system ha
local
user
localcert
execute ha synchronize
local-gw
system gre-tunnel
vpn ipsec manualkey
vpn ipsec manualkey-interface
vpn ipsec phase1
localid 527
vpn ipsec phase1
local-spi

822 Confidential and Proprietary Information of ZTE CORPORATION

vpn ipsec manualkey-interface
localspi
vpn ipsec manualkey
location
system snmp sysinfo
log
execute backup
system interface
log delete-all,
execute
log delete-filtered,
execute
log delete-rolled,
execute
log display,
execute
log filter,
execute
log USanalzyer test-connectivity
execute
log list,
execute
log roll,
execute
log settings
log-av-block
firewall profile
log-av-oversize
firewall profile
log-av-virus
firewall profile
loggrp
access group for system accprofile
system accprofile
log-im
firewall profile

Confidential and Proprietary Information of ZTE CORPORATION 823

ZXSEC US CLI Reference Guide

loglocaldeny
system global
log-neighbor-changes
router bgp
log-spam
logtraffic
firewall policy
log-web-content
firewall profile
log-web-filter-activex
firewall profile
log-web-filter-applet
firewall profile
log-web-filter-cookie
firewall profile
log-web-ussrv-err
firewall profile
log-web-url
firewall profile
loopback interface
lowspace
antivirus quarantine

M
mac
firewall ipmacbinding table
system arp-table
system dhcp reserved-address
system interface, config wifi-mac_list
system wireless mac-filter 466
MAC address 396
arp-table
macaddr
system interface
mac-address-table system
mac-list

824 Confidential and Proprietary Information of ZTE CORPORATION

system wireless mac-filter
mail-sig
firewall profile
mailsig-status
firewall profile
mailto
system bug-report
mailto1, mailto2, mailto3
alertemail setting
maintenance commands
manageip
system settings
management traffic
management VDOM
management-tunnel
system
management-vdom
system global
mappedip
firewall vip
mappedport
firewall vip
match-as-path
router route-map rule
match-community
router route-map rule
match-community-exact
router route-map rule
match-interface
router route-map
match-ip-address
router route-map
match-ip-nexthop
router route-map
match-metric
router route-map

Confidential and Proprietary Information of ZTE CORPORATION 825

ZXSEC US CLI Reference Guide

match-origin
match-route-type
router route-map
match-tag
router route-map
maxbandwidth
firewall policy
maxfilesize
antivirus quarantine
maximum transmission unit (MTU)
maximum-prefix
router bgp neighbor
maximum-prefix-threshold
router bgp neighbor
maximum-prefix-warning-only
router bgp neighbor
max-log-file-size
log disk setting
mc-ttl-notchange
system global
md5-key
router ospf area virtual-link
router ospf ospf-interface
member
firewall addrgrp
firewall service group
system interface
user group
user peergrp
vpn ipsec concentrator
memory
router info bgp
memory filter log
memory global setting log
memory setting log
metric

826 Confidential and Proprietary Information of ZTE CORPORATION

router ospf redistribute
router rip redistribute
metric-type
router ospf redistribute
mheader spamfilter
mntgrp
access group for system accprofile
system accprofile
mode
antivirus heuristic
config system ha
system console
system interface
system modem
system wireless settings
vpn ipsec phase1
vpn ipsec phase1-interface
modem
auto-dial
backup switchover
dial-on-demand
execute modem dial command
execute modem hangup command
redundant
standalone
system
monitor
system ha
monitor-phase1
vpn ipsec phase1-interface
move
MS Windows Client
msn
firewall profile
imp2p old-version
imp2p policy

Confidential and Proprietary Information of ZTE CORPORATION 827

ZXSEC US CLI Reference Guide

msn-user imp2p
MSS TCP
mtu
router ospf ospf-interface
system interface
mtu-ignore
router ospf ospf-interface
Multi Exit Discriminator (MED)
Multi Protocol Label Switching (MPLS)
multicast
BSR, Cisco
dense mode
IGMP 258
router
RP 261
system global
multicast memberships
multicast-forward
system global
multicast-policy firewall
multicast-routing
multi-report
USLA setting
log USLA setting

N
name
firewall ipmacbinding table
log report summary-layout
system session-helper
system snmp community
Netscape
network
router info bgp
network address translation (NAT)
Network Layer Reachability Information (NLRI)

828 Confidential and Proprietary Information of ZTE CORPORATION

Network Processing Unit (NPU)
Network Time Protocol (NTP)
network-import-check router bgp
network-longer-prefixes router info bgp
network-type
router ospf ospf-interface
next
next-hop-self
router bgp neighbor
NRLI prefix
router bgp
nssa-default-information-originate router ospf area
nssa-default-information-originate-metric router ospf area
nssa-default-information-originate-metric-type
nssa-redistribution
nssa-translator-role
ntpserver
system global
ntpsync
system global
nat
firewall multicast-policy
firewall policy
NAT device
NAT mode, changing
NAT traversal
NAT/Route mode
natinbound
firewall policy
natip
firewall policy
natoutbound
firewall policy
nattraversal
vpn ipsec phase1
vpn ipsec phase1-interface

Confidential and Proprietary Information of ZTE CORPORATION 829

ZXSEC US CLI Reference Guide

neighbor
router info ospf
neighbors
router info bgp
neighbour-filter
router multicast interface
NetBIOS
netbios-forward
system interface
netgrp
access group for system accprofile
system accprofile
netmask
firewall dnstranslation
system dhcp server
obfuscated
obfuscate-user
log report scope
offset
router rip offset-list
old-version imp2p
onlink-flag
system interface config ipv6-prefix
operating mode
system settings
opmode
system settings
optimize
system global
option
system dhcp server
options
spamfilter
order
log report summary-layout
OSPF

830 Confidential and Proprietary Information of ZTE CORPORATION

RFC 2328
TOS application routing
ospf
ABR
RFC 3509
router
router info routing-table
OSPF, clear router
other-traffic
log filter
outbound
firewall policy
Outbound Routing Filter (ORF)
output-device
router policy
override
system autoupdate push-update
system ha
override-capability
router bgp neighbor
oversized
log filter
ovrd-auth-https
webfilter Usservice
ovrd-auth-port
webfilter Usservice
owner id
system cmdb status

P
p2p 134
packet size
for wireless network
padt-retry-timeout
system interface
PAP

Confidential and Proprietary Information of ZTE CORPORATION 831

ZXSEC US CLI Reference Guide

passive
router bgp neighbor
router multicast interface
passive-interface router ospf
router rip
passphrase
system wireless settings
passwd
system modem
user local
password
system alertemail
system autoupdate tunneling
system bug-report
system ha
system interface
user ldap
PAT
virtual IPs
paths
router info bgp
pattern
execute ping-options
log filter
spamfilter bword
pattern-type
spamfilter bword
spamfilter emailbwl
spamfilter mheader
webfilter bword
peer
router ospf area virtual-link
vpn ipsec phase1
vpn ipsec phase1-interface
peergrp
vpn ipsec phase1

832 Confidential and Proprietary Information of ZTE CORPORATION

peerid
vpn ipsec phase1
Peer-to-Peer, message if blocked
peertype
vpn ipsec phase1
performance info
Perl regular expressions, using
pfs
vpn ipsec phase2
vpn ipsec phase2-interface
phase1name
vpn ipsec phase2
vpn ipsec phase2-interface
phone
system modem
PIM, dense-mode
PIM, sparse-mode
pim-mode
router multicast interface
ping, execute
ping6, execute
ping-options, execute
poisoned split horizon
policy
firewall
imp2p
router
policy check
policy check, skipping
poll-interval
router ospf neighbor
poolname
firewall policy
pop3
firewall profile
pop3oversizelimit firewall profile

Confidential and Proprietary Information of ZTE CORPORATION 833

ZXSEC US CLI Reference Guide

pop3-spamaction firewall profile

pop3-spamtagmsg firewall profile
pop3-spamtagtype firewall profile
port
antivirus service
log syslogd setting
system autoupdate push-update
system autoupdate tunneling
system Usservice
system session-helper
user fsae
user ldap
port 8890 341
port address translation virtual IPs
port forwarding
port range
portal-heading
vpn ssl settings
portforward
firewall vip
power_level
system wireless settings
ppp
log filter
PPPoE
PPPoE Active Discovery Terminate (PADT)
PPPoE auth
pptp
vpn
preferences
GUI console
GUI topology viewer
preferred-life-time
system interface config ipv6-prefix
prefix
router access-list

834 Confidential and Proprietary Information of ZTE CORPORATION

router bgp aggregate-address
router bgp network
router ospf area range
router ospf network
router ospf summary-address
router prefix-list
router rip distance
router rip network
prefix-list
router info bgp
router prefix-list
prefix-list-in
router bgp neighbor
prefix-list-out
router bgp neighbor
preserve source port number
Pre-shared Key (PSK)
primary
system dns
priority
firewall policy
router ospf neighbor
router ospf ospf-interface
system ha
system interface
system modem
profile
firewall
firewall policy
webfilter ussrv-ovrd
profile-status
firewall policy
propagation-delay
router multicast interface
proposal
vpn ipsec phase1

Confidential and Proprietary Information of ZTE CORPORATION 835

ZXSEC US CLI Reference Guide

vpn ipsec phase2

vpn ipsec phase2-interface
protection profile
DoS sensor
protocol
firewall service custom
firewall vip
router ospf distribute-list
router policy
system session-helper
vpn ipsec phase2
vpn ipsec phase2-interface
Protocol Independent Multicast (PIM)
protocol-number
firewall service custom
proxy ARP
ZXSEC US interface
IP pool
virtual IP
Proxy ID Destination
IPSec interface mode
Proxy ID Source
IPSec interface mode
proxy-arp system
psksecret
vpn ipsec phase1
purge

Q
quarantine antivirus
quarfilepattern antivirus
quar-to-USLA antivirus quarantine
query-v1-port
system snmp community
query-v1-status
system snmp community

836 Confidential and Proprietary Information of ZTE CORPORATION

query-v2c-port
system snmp community
query-v2c-status
system snmp community
quotafull
log Usservice setting
quote-regexp
router info bgp

topology, gui
tos
execute ping-options
tos-based-priority system
tp-mc-skip-policy system global
traceroute, execute
traffic
log filter
Traffic Indication Messages (TIM)
system wireless settings
traffic shaping
trafficfilter log
trafficshaping
firewall policy
transmit-delay
router ospf area virtual-link
router ospf interface
transparent mode, changing
trap-v1-lport
system snmp community
trap-v1-rport
system snmp community
trap-v1-status
system snmp community
trap-v2c-lport
system snmp community
trap-v2c-rport
system snmp community
trap-v2c-status
system snmp community
troubleshooting memory low
trusthost1, trusthost2, trusthost3
system admin
ttl
execute ping-options
ttl-threshold

854 Confidential and Proprietary Information of ZTE CORPORATION

router multicast interface
tunnel, GRE
system
tunnel-endip
tunnel-startip
vpn ssl settings
type
firewall address
firewall vip
log report period
log report schedule
router ospf area
system dhcp reserved-address
user ldap
user local
vpn ipsec phase1
vpn ipsec phase1-interface
webfilter ftdg-ovrd
webfilter urlfilter
Type of Service (TOS)
type of service (TOS) RFC 1583
RFC 791

U
UDP
udp-portrange
firewall service custom
uncompnestlimit antivirus service
uncompsizelimit antivirus service
undefinedhost
firewall ipmacbinding setting
unicast
uninterruptable-upgrade system ha
unset
unsuppress-map
router bgp neighbor

Confidential and Proprietary Information of ZTE CORPORATION 855

ZXSEC US CLI Reference Guide

update index
system cmdb status
update-av, execute
updategrp
system accprofile
update-ips, execute
update-now, execute
update-source
router bgp neighbor
update-timer router rip
updgrp
access group for system accprofile
upd-vd-license, execute
upload
log disk setting
log report output
upload-delete
log report output
upload-delete-files
log disk setting
upload-destination
log disk setting
upload-dir
log report output
uploaddir
log disk setting
upload-gzipped
log report output
upload-ip
log report output
uploadip
log disk setting
uploadpass
log disk setting
upload-password
log report output

856 Confidential and Proprietary Information of ZTE CORPORATION

uploadport
log disk setting
uploadsched
log disk setting
upload-server-type
log report output
uploadtime
log disk setting
uploadtype
log disk setting
uploaduser
log disk setting
upload-username
log report output
uploadzip
log disk setting
url
webfilter ussrv-ovrd
url-filter
log filter
urlfilter
webfilter
usb-disk, execute
user
webfilter ussrv-ovrd
user-group
webfilter ussrv-ovrd
username
alertemail setting
status modem
system alertemail
system autoupdate tunneling
system bug-report
system interface
user ldap
username-smtp

Confidential and Proprietary Information of ZTE CORPORATION 857

ZXSEC US CLI Reference Guide

system bug-repor
using the CLI
usrgrp
vpn ipsec phase1
vpn l2tp
vpn pptp

V
validate-reply
execute ping-options
valid-life-time
system interface config ipv6-prefix
vcluster2
system ha
VDOM
management
vdom 368
configure VDOMs
system admin
system ha
system interface
vdom-link system
ver-1
system USLA
version
IGMP
router multicast interface igmp
router rip
system cmdb status
view-settings
execute ping-options
violation
log filter
vip
firewall
vip group, grouping vip, vipgrp

858 Confidential and Proprietary Information of ZTE CORPORATION

VIP range
vip-arp-range
system global
virtual clustering
Virtual Domain (VDOM)
virtual IP
NAT
PAT
port address translation
virtual-links
router info ospf
virus
log filter 200
vlanforward
system interface
vlanid
system interface
vpn 501
vpn certificate ca
execute
vpn certificate crl execute
vpn certificate local, execute
VPN configuration
vpn sslvpn del-tunnel, execute
vpngrp
access group for system accprofile
system accprofile
vpntunnel
firewall policy

W
web
log filter
web browser support
web filtering, blocked pages
web-content

Confidential and Proprietary Information of ZTE CORPORATION 859

ZXSEC US CLI Reference Guide

log filter
webfilter
webfilter configuration
web-filter-activex log filter
web-filter-applet log filter
webfilter-cache
system Usservice
webfilter-cache-ttl
system Usservice
web-filter-cookie log filte
webfilter-status
system Usservice
webfilter-timeout
system Usservice
webgrp
access group for system accprofile
system accprofile
weblists
execute ha synchronize
webtrends filter log
webtrends setting log
webwordthreshold
weight
router bgp neighbor
system ha
WEP key
where
spamfilter bword
wifi-acl
system interface
wifi-broadcast_ssid system interface
wifi-fragment_threshold
system interface
wifi-key
system interface
wifi-mac-filter

860 Confidential and Proprietary Information of ZTE CORPORATION

system interface
wifi-passphrase
system interface
wifi-radius-server
system interface
wifi-rts_threshold
system interface
wifi-security
system interface
wifi-ssid
system interface
wildcard
router access-list
system admin
wildcard pattern matching
Windows Active Directory configuring FSAE
refresh user group info via FSAE
winny
firewall profile
winny-limit
wins-ip
system interface
wins-server
system dhcp server
wireless interface access control
wireless mac-filter system
wireless settings system
wireless, synchronize
word boundary
Perl regular expressions

X
xauthtype
vpn ipsec phase1
vpn ipsec phase1-interface

Confidential and Proprietary Information of ZTE CORPORATION 861

ZXSEC US CLI Reference Guide

Y
yahoo
firewall profile
imp2p old-version
imp2p policy
yahoo-user imp2p

Z
zone, system

862 Confidential and Proprietary Information of ZTE CORPORATION

ZXSEC US Certificate Management User Guide
No ratings yet
ZXSEC US Certificate Management User Guide
29 pages
ZXMSG 5200 (V2.0.2) Multiplex Service Gateway Command Manual (Vol I)
100% (1)
ZXMSG 5200 (V2.0.2) Multiplex Service Gateway Command Manual (Vol I)
284 pages
ZXMSG 5200 (V2.0.2) Multiplex Service Gateway Command Manual (Vol I)
100% (3)
ZXMSG 5200 (V2.0.2) Multiplex Service Gateway Command Manual (Vol I)
284 pages
MGS-3600-24F/XGS-3600-26F Command Line Interface CLI GUIDE: Publication Date: Feb., 2012 Revision A1
No ratings yet
MGS-3600-24F/XGS-3600-26F Command Line Interface CLI GUIDE: Publication Date: Feb., 2012 Revision A1
281 pages
ZXSEC US Administrator Guide
67% (3)
ZXSEC US Administrator Guide
457 pages
ZXSEC US User Authentication User Guide
No ratings yet
ZXSEC US User Authentication User Guide
66 pages
B CLI Reference Guide
No ratings yet
B CLI Reference Guide
320 pages
ZXSEC US Multicast Technical Note
No ratings yet
ZXSEC US Multicast Technical Note
73 pages
Zyxel Ethernet Switch CLI 4.00 Ed3
No ratings yet
Zyxel Ethernet Switch CLI 4.00 Ed3
360 pages
ECS4510-Series CLI-R03 0904
No ratings yet
ECS4510-Series CLI-R03 0904
954 pages
Lgb5124a-R2 Cli Rev2
No ratings yet
Lgb5124a-R2 Cli Rev2
238 pages
GS2210-48 3
No ratings yet
GS2210-48 3
385 pages
Ecs4130-28t Cli-R01 20210706
No ratings yet
Ecs4130-28t Cli-R01 20210706
894 pages
Ecs4120-Ec Cli R01 20160627 PDF
No ratings yet
Ecs4120-Ec Cli R01 20160627 PDF
917 pages
Zyxel Cli Commands
No ratings yet
Zyxel Cli Commands
388 pages
ZXSEC US Hardware Acceleration Technical Note
No ratings yet
ZXSEC US Hardware Acceleration Technical Note
33 pages
EM-GS-5220 Series Command Guide - Add - GS-5220 Ultra PoE & PoE Series - v1.7
No ratings yet
EM-GS-5220 Series Command Guide - Add - GS-5220 Ultra PoE & PoE Series - v1.7
433 pages
Planet Switch Cli
No ratings yet
Planet Switch Cli
433 pages
6-68449 DXi 3.4.0 Command Line Interface Guide
No ratings yet
6-68449 DXi 3.4.0 Command Line Interface Guide
218 pages
Zxuas 10600 Vol II
No ratings yet
Zxuas 10600 Vol II
242 pages
11-TECS Openpalette (V7.22.30) CLI Reference
No ratings yet
11-TECS Openpalette (V7.22.30) CLI Reference
61 pages
ECS4150 Series CLI Reference Guide R02
No ratings yet
ECS4150 Series CLI Reference Guide R02
936 pages
c02586087 PDF
No ratings yet
c02586087 PDF
1,103 pages
Comandos de Referencia Zyxel
No ratings yet
Comandos de Referencia Zyxel
384 pages
Configuracion Switch Zyxel PDF
100% (1)
Configuracion Switch Zyxel PDF
384 pages
ZIXEL
No ratings yet
ZIXEL
351 pages
Mes3500-10 - 1 2
No ratings yet
Mes3500-10 - 1 2
356 pages
Zxuas 10600 Vol I
No ratings yet
Zxuas 10600 Vol I
185 pages
ECS4210 - Series - CLI Manual
No ratings yet
ECS4210 - Series - CLI Manual
712 pages
ZYXEL - GS2220 Switch CLI Reference Guide
No ratings yet
ZYXEL - GS2220 Switch CLI Reference Guide
435 pages
NXC5500 2 PDF
No ratings yet
NXC5500 2 PDF
283 pages
CP R81.10 CLI ReferenceGuide
No ratings yet
CP R81.10 CLI ReferenceGuide
1,710 pages
Introduction To MCRNC SCLI Commands
No ratings yet
Introduction To MCRNC SCLI Commands
32 pages
4200g 12port
No ratings yet
4200g 12port
422 pages
Zyxel Cli-Reference-Guide Usg Flex 200 v5.37
No ratings yet
Zyxel Cli-Reference-Guide Usg Flex 200 v5.37
674 pages
3com WX1200 Datasheet
No ratings yet
3com WX1200 Datasheet
646 pages
T1600G-28TS (TL-SG2424) CLI Reference Guide PDF
No ratings yet
T1600G-28TS (TL-SG2424) CLI Reference Guide PDF
473 pages
ZXSEC US IM P2P VoIP Technical Note
No ratings yet
ZXSEC US IM P2P VoIP Technical Note
29 pages
Mobility 05200 ControllerCLIGuide PDF
No ratings yet
Mobility 05200 ControllerCLIGuide PDF
854 pages
4 ZXMSG 5200 (V2 (1) .0.2) Operation Manual
83% (12)
4 ZXMSG 5200 (V2 (1) .0.2) Operation Manual
304 pages
Lenovo CNOS AG 10-7 PDF
No ratings yet
Lenovo CNOS AG 10-7 PDF
746 pages
Emp Cli User Guide
No ratings yet
Emp Cli User Guide
162 pages
Emp Cli User Guide
No ratings yet
Emp Cli User Guide
162 pages
Jatp Cli Reference Guide
No ratings yet
Jatp Cli Reference Guide
120 pages
Powerconnect 5424 Switch Manual
No ratings yet
Powerconnect 5424 Switch Manual
512 pages
3com 4210 CLI Guide
No ratings yet
3com 4210 CLI Guide
921 pages
Usg Flex 100 - V5.20
No ratings yet
Usg Flex 100 - V5.20
657 pages
Aw Iht 1271climanual - en
No ratings yet
Aw Iht 1271climanual - en
303 pages
SLS 83
No ratings yet
SLS 83
680 pages
SJ-20130329092338-003-ZXR10 5250-H Series (V2.05.10) All Gigabit Intelligent Switch Command Reference
100% (1)
SJ-20130329092338-003-ZXR10 5250-H Series (V2.05.10) All Gigabit Intelligent Switch Command Reference
706 pages
VMG1312-B10A CLI Reference Manual
No ratings yet
VMG1312-B10A CLI Reference Manual
124 pages
ServerIron 12400 AdminGuide
No ratings yet
ServerIron 12400 AdminGuide
194 pages
QLogic CLI Reference Guide
No ratings yet
QLogic CLI Reference Guide
130 pages
01 Basic Configuration
No ratings yet
01 Basic Configuration
219 pages
Using Performance Tools 0503
No ratings yet
Using Performance Tools 0503
118 pages
WWW - Cbec.gov - in WWW - Icegate.gov - in
No ratings yet
WWW - Cbec.gov - in WWW - Icegate.gov - in
4 pages
Marine Drafting
100% (1)
Marine Drafting
462 pages
Networking Protocol Basics
100% (1)
Networking Protocol Basics
6 pages
Course Syllabus - Ranjith Krishnan
No ratings yet
Course Syllabus - Ranjith Krishnan
2 pages
EEE 3132 - Microprocessors Lecture Notes
No ratings yet
EEE 3132 - Microprocessors Lecture Notes
56 pages
PB Connectx 4 LX en Card
No ratings yet
PB Connectx 4 LX en Card
4 pages
Inline Function in C
No ratings yet
Inline Function in C
15 pages
ServiceNow Data Import Guide
No ratings yet
ServiceNow Data Import Guide
7 pages
Linearly Compressed Pages
No ratings yet
Linearly Compressed Pages
13 pages
Collection Development in The Electronic Environment: Challenges Before Library Professionals
No ratings yet
Collection Development in The Electronic Environment: Challenges Before Library Professionals
11 pages
Oracle Data Integrator Guide
No ratings yet
Oracle Data Integrator Guide
4 pages
Eigenvalues & Eigenvectors Applications
No ratings yet
Eigenvalues & Eigenvectors Applications
13 pages
System Admin Duties & Checklist
No ratings yet
System Admin Duties & Checklist
2 pages
TW 347
No ratings yet
TW 347
64 pages
Arabic Jazz Enthusiasts' Hub
100% (1)
Arabic Jazz Enthusiasts' Hub
1 page
RGM UserManual PDF
No ratings yet
RGM UserManual PDF
43 pages
Cp1l - em Entradas Analogicas
No ratings yet
Cp1l - em Entradas Analogicas
3 pages
Hash Map
No ratings yet
Hash Map
13 pages
Xii-Informatics Practices-Qp-Set B-18-11-2021
No ratings yet
Xii-Informatics Practices-Qp-Set B-18-11-2021
14 pages
(Ebook) Puppet 4 Essentials, 2nd Edition: Acquire Skills To Manage Your IT Infrastructure Effectively With Puppet by Felix Frank, Martin Alfke ISBN 9781785881107, 1785881108 PDF Download
100% (1)
(Ebook) Puppet 4 Essentials, 2nd Edition: Acquire Skills To Manage Your IT Infrastructure Effectively With Puppet by Felix Frank, Martin Alfke ISBN 9781785881107, 1785881108 PDF Download
39 pages
C THR81 2405
No ratings yet
C THR81 2405
8 pages
Sprint Technical Summary EN
No ratings yet
Sprint Technical Summary EN
5 pages
Connected Components Workbench - 12.00.00 (Released 3 - 2019)
No ratings yet
Connected Components Workbench - 12.00.00 (Released 3 - 2019)
9 pages
Algebra Cheat Sheets PDF
100% (2)
Algebra Cheat Sheets PDF
10 pages
Advance Database Management Systems
100% (1)
Advance Database Management Systems
5 pages
Ridham's CV
No ratings yet
Ridham's CV
1 page
Online Quiz Project
63% (8)
Online Quiz Project
19 pages
Activity Template - Project Plan
No ratings yet
Activity Template - Project Plan
48 pages
Log 202
No ratings yet
Log 202
3 pages