RG-WALL 1600-AF Series Gigabit Multifunction Application Firewall

Command Manual, RG-WALL 1600-AF Series Gigabit Multifunction Application Firewall, RG SecOS V5.2-A1.0 release. Document version: V1.0. Copyright notice: Ruijie Networks ©2014. Ruijie Networks holds the copyright and reserves all rights to this manual and to this notice. Without the written permission of Ruijie Networks, no one may, in any way or form, copy, excerpt, back up, modify, distribute, translate into another language, or use in whole or in part for commercial purposes any part of this manual.


fortigate-cli-50.book

cli check-template-status ........................................................................................................................................... 369
cli status-msg-only ..................................................................................................................................................... 369
router restart ............................................................................................................................................................. 385
set-next-reboot ......................................................................................................................................................... 386
sfp-mode-sgmii ......................................................................................................................................................... 387
shutdown .................................................................................................................................................................. 387
ssh ............................................................................................................................................................................. 387
sync-session .............................................................................................................................................................. 388
vpn sslvpn del-all ....................................................................................................................................................... 395
vpn sslvpn del-tunnel ................................................................................................................................................. 395
vpn sslvpn del-web .................................................................................................................................................... 396
vpn sslvpn list ............................................................................................................................................................ 396
router info gwdetect .................................................................................................................................................. 410
router info kernel ....................................................................................................................................................... 410
router info multicast .................................................................................................................................................. 410
router info ospf .......................................................................................................................................................... 410
router info protocols .................................................................................................................................................. 411
router info rip ............................................................................................................................................................ 412
router info routing-table ............................................................................................................................................ 412
router info vrrp .......................................................................................................................................................... 413
system admin list ....................................................................................................................................................... 413
system admin status .................................................................................................................................................. 413
system interface physical ........................................................................................................................................... 418
system performance firewall ..................................................................................................................................... 419
system performance status ........................................................................................................................................ 420
system performance top ............................................................................................................................................ 421
system session list ..................................................................................................................................................... 421
vpn status l2tp ........................................................................................................................................................... 431
vpn status pptp .......................................................................................................................................................... 431




RG SecOS™ 5.0 CLI CLI RG-WALL


5.0 CLI
“config” “config”
“get”
CLI “?”

• RG-WALL RG-WALL RG-WALL
aggregate interface type config system interface
RG-WALL Web execute restore
RG-WALL BIOS

“Press any key” BIOS


C R T F I B QH
“Enter”
"H" "Q"

BIOS RG-WALL TFTP IP

[0]: 1 - 7
DHCP
DHCP
[S]:
TFTP
[F]:


BIOS
RG-WALL

antivirus

heuristic
end
| disable}
detected files.

set analytics-max-upload <mbytes>
set extended-utm-log {enable | disable}
set inspection-mode {flow-based | proxy}
config {http | https | ftp | ftps | imap | imaps | mapi | pop3 | pop3s | smb | smtp | smtps
| nntp | im}
set options {avmonitor | avquery | quarantine | scan}
config nac-quar
set expiry <duration_str>
filepattern.
0
analytics-max-upload
10
block-botnet-connections

extended-utm-log
inspection-mode
config {http | https | ftp | ftps | imap | imaps | mapi | pop3 | pop3s | smb | smtp | smtps | nntp | im}


quarantine —
RG-WALL
for viruses.
config nac-quar
###d##h##m 5
infected none
5m
quarantine
WALL
set drop-heuristic {ftp ftps http im imap nntp pop3 smtp}
set drop-infected {ftp ftps http im imap mapi nntp pop3 smtp}
set drop-intercepted {ftp http imap pop3 smtp}
set lowspace {drop-new | ovrw-old}
set store-heuristic {ftp http im imap nntp pop3 smtp}
set store-infected {ftp ftps http https im imap imaps nntp pop3 pop3s smtp smtps}
set store-intercepted {ftp http imap pop3 smtp}
end
TTL


0
NULL
smtp}
drop-heuristic http {ftp ftps http im imap mm1 im
mm3 mm4 mm7 nntp pop3 NNTP imap nntp
smtp} pop3 smtp
drop-infected im {ftp ftps http im imap mapi imap nntp
nntp
drop-intercepted
{ftp http imap pop3 smtp} RG SecOS

imap smtp
pop3 http

drop-new
ovrw-old
RG-WALL
0

0
smtp} NNTP

smtp}


store-infected
imaps nntp pop3 pop3s

store-intercepted
{ftp http imap pop3 smtp} RG SecOS Carrier

ftp
service
RG-WALL HTTP HTTPS FTP POP3 IMAP SMTP


IM IMAP NNTP POP3 SMTP
block-page-status-code
CPU
scan-bzip2
2 100. arj
bzip2 cab gzip lha lzh msc rar tar
zip Bzip2
1 “?”
RG-WALL 0

set grayware {enable | disable}
extreme | normal}
extended
“zoo”
extended
“zoo”

{enable | disable} RAT

application



0
comment
<comment_str>
protocol <protocol_str | All> All
set protocols ?
0—Network protocol
set vendor ?
set application [<app1_int><app2_int> ...]
set behavior {0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8}
set block-audio {enable | disable}
set block-encrypt {enable | disable}
set block-file {enable | disable}
set block-im {enable | disable}
set block-photo {enable | disable}
set block-video {enable | disable}
set category {<cat_int> | All}
set session-ttl <ttl_int>
set shaper <shaper_str>
set shaper-reverse <shaper_str>
set other-application-action {block | pass}
set other-application-log {enable | disable}
set unknown-application-action {block | pass}
set unknown-application-log {disable | enable}

behavior {0 | 1 | 2 | 3 | 4 | 5 | 6 |
7 | 8}
0 — Other
1 — Reasonable
2 — Botnet
3 — Evasion
{enable | disable} AIM ICQ MSN Yahoo

{enable | disable} application AIM ICQ MSN Yahoo

{enable | disable} application AIM ICQ MSN Yahoo

{enable | disable} application AIM ICQ MSN Yahoo

{enable | disable} application AIM ICQ MSN Yahoo

application MSN
disable

category im application
All

im-no-content- disable

{enable | disable} AIM ICQ MSN Yahoo

options [allow-dns
allow-http allow-icmp

{enable | disable}
protocols

TTL config system session-ttl CLI

0
shaper-reverse <shaper_str>
sub-category “all” all
{<subcat_int> | all}
0—Other
unknown-application- disable
allset
vendor ?
all
name


name ?
IP IP IP
IP

set visibility {enable | disable}
set start-port <port_int>
type fqdn
0
1
0
comment
null
end-ip
fqdn
start-ip
subnet type ipmask IP 0.0.0.0
<address_ipv4mask CIDR 0.0.0.0
>
type {ipmask ipmask
| iprange | fqdn IP | geography
| network-service
| wildcard}
{enable | disable}
<address_ip4mask> 0.0.0.0
<service_id> ID 0 ID
end-port <port_int> 0




enable
0
auth-portal


central-nat
RG-WALL NAT

orig-addr <name_ip> IP
nat-ippool <name_ip> IP
orig-port <port_int> IP 0
nat-port <port_int-
HTTPS FTPS SMTPS firewall profile-protocol-options

set ssl-ca-list {enable | disable}
set status {enable | disable}
set unsupported-ssl {bypass | block}
set ssl-ca-list {enable | disable}
set status {enable | disable}
set unsupported-ssl {bypass | block}
set ssl-ca-list {enable | disable}
set status {enable | disable}
set unsupported-ssl {bypass | block}
set ssl-ca-list {enable | disable}
set status {enable | disable}
set unsupported-ssl {bypass | block}
set ssl-ca-list {enable | disable}
set status {enable | disable}
set unsupported-ssl {bypass | block}
set ip <ipv4_addr>
end
end
SSL

extended-utm-log
ssl-invalid-server-
allow-invalid-server-cert


bypass
ssl-ca-list

disable
unsupported-ssl
config https
allow-invalid-server-ce

disable
client-cert-request

bypass
ssl-ca-list
status
unsupported-ssl
config imaps
allow-invalid-server- SSL disable
cert {enable | disable}
{bypass | inspect | block} SSL SSL

ssl-ca-list

unsupported-ssl
config pop3s
allow-invalid-server- SSL disable
cert {enable | disable}
{bypass | inspect | block} SSL SSL

ssl-ca-list
status
unsupported-ssl
allow-invalid-server- SSL disable
cert {enable | disable}
{bypass | inspect | block}

ssl-ca-list
status
unsupported-ssl
config ssl
SSL

disable


ftps-client-cert-request

bypass
https-client-cert- HTTPS bypass
request RG-WALL SSL {block | bypass | inspect} SSL SSL

imaps-client-cert-
request

bypass
pop3s-client-cert- POP3S bypass
request RG-WALL SSL {block | bypass | inspect} SSL SSL

smtps-client-cert- SMTPS bypass
request RG-WALL SSL {block | bypass | inspect} SSL SSL

{block | bypass | inspect} RG-WALL SSL
SSL SSL

dnstranslation
DNS DNS IP
IP RG-WALL IP .
DNS
dst

0.0.0.0
netmask
<address_ipv4mask
src dst IP src
dst

dst
TCP UDP ICMP


set status {enable | disable}
log {enable | disable} DoS disable
quarantine {attacker RG-WALL none
| both | interface | none}
IP
IP IP
IP
threshold <threshold_int>
1 2147483647
interface-policy
DoS CLI DoS RG-WALL
DoS

Interface-policy IPS
DoS


disable
application-list-status enable

av-profile-status



disable





enable
webfilter-profile-status
IP/MAC RG-WALL / IP IP
IP RG-WALL IP
MAC
IP MAC

IP / MAC IP/ MAC IP MAC IP
IP/ MAC IP/ MAC

"ipmacbinding table"
RG-WALL DHCP IP MAC
IP/ MAC IP / MAC
DHCP IP/ MAC DHCP


WALL

disable
{allow | block} IP/ MAC IP MAC




ipmacbinding table
IP/ MAC IP MAC IP
MAC MAC IP
IP/ MAC "ipmacbinding setting" RG-WALL IP/ MAC ipmac "system interface"
IP / MAC IP/ MAC IP MAC IP
IP/ MAC IP/ MAC
RG-WALL
RG-WALL DHCP IP MAC
IP/ MAC IP / MAC
DHCP IP/ MAC DHCP


MAC IP
IP 0.0.0.0
0.0.0.0
IP MAC 00
MAC 00:00:00:00:00:00
name <name_str> IP/MAC noname
status IP/MAC disable
{enable | disable} IP/MAC
IP/ MAC
RG SecOS™ IP IP RG-WALL CLI
IP IP IP IP IP IP
IP 1.1.1.1 IP 1.1.1.1 1.1.1.1
RG-WALL IP IP IP
IP ARP
RG-WALL port1 port2 IP
• port1 IP 1.1.1.1/255.255.255.0 1.1.1.0-1.1.1.255
• port2 IP 2.2.2.2/255.255.255.0 2.2.2.0-2.2.2.255
IP
• (2.2.2.0-2.2.2.255) & (2.2.2.10-2.2.2.20) = 2.2.2.10-2.2.2.20
• (2.2.2.0-2.2.2.255) & (2.2.2.30-2.2.2.40) = 2.2.2.30-2.2.2.40
• port2 2.2.2.10-2.2.2.20 2.2.2.30-2.2.2.40 ARP
NAT Dynamic IP Pool IP RG-WALL
IP
end
arp-intf
arp-reply
block-size <size_int> type port-block-allocation
64 4096
128
endip
<address_ipv4> IP IP IP IP
IP IP
0.0.0.0
num-blocks-per-user
1 128
source-endip
startip
IP
endip <ipv4_addr> IP 0.0.0.0
map-startip 0.0.0.0
local-in-policy,
edit <index_int>
ID
action

deny
auto-asic-offload
intf <name_str> RG-WALL
srcaddr


schedule

OSPF, all_hosts, all_routers.
0
comment
start-ip
subnet <ip4mask> IP/ type
broadcastmask


ip
multicastrange
visibility

enable
multicast-policy

IP IP IP
multicast-forward {enable | disable} tp-mc-skip-policy{enable | disable}

action
NAT/Route


logtraffic
srcaddr
firewall address
status

0
start-port


set action {accept | deny | ipsec | ssl-vpn}
set active-auth-method {basic | digest | form | ntlm}
set application {enable | disable}
set logtraffic-app {enable | disable}
set logtraffic-start {enable | disable}
set log-unmatched-traffic {disable | enable}
set match-vip {enable | disable}
set nat {enable | disable}
set natinbound {enable | disable}
set sslvpn-ccert {enable | disable}
set status {enable | disable}
set application-list <name_str>
set av-profile <name_str>
{accept | deny | ipsec | ssl-vpn} accept —
nat NAT NAT /
ippool NAT
IP
fixedport NAT
ipsec vpntunnel
inbound outbound natoutbound natinbound
/ natip
vpn sslvpn-authsslvpn-ccert
sslvpn-cipher
{basic identity-based | digest | form | ntlm} sso-auth-method
basic — ID
URI MD5
enable


disable
auth-redirect-addr IP <domainname_str> HTTP URL

auto-asic-offload NP SP enable
{enable | disable}
enable av-profile
profile-protection-options
disable
capture-packet
{enable | disable} logtraffic all utm

disable
client-reputation
disable
learning




disable}


IP
IPSec VPN IP
action ssl-vpn IP
RG-WALL

disable




email-collection-portal

disable
unauthenticated {enable | disable}
{enable | disable}

IP
auto-profiling

disable
identity-based-route


identity-from
web-proxy
IPSec VPN
{enable | disable} IP

identity-based disable utm-status
enable



disable

NAT
ippool fixedport
disable
natinbound
WALL IP
disable
natip action ipsec natoutbound 0.0.0.0
<address_ipv4mask> IP 0.0.0.0

RG-WALL
IP
192.168.1.0/24
{enable | disable} RG-WALL IP
natip
IP

disable

disable
ntlm-enabled-browsers

outbound
IPSec VPN
firewall shaper per-ip-
shaper

permit-any-host
disable
permit-stun-host
NAT’d iPhones FaceTime
disable
nat ippool enable


identity-based
enable config identity-based-

enable identity-based enable
config identity-based-policy
enable identity-based enable
config identity-based-policy
URL

replacemsg-group

enable
require-tfa
rtp-addr

send-deny-packet
deny-tcp-with-icmp ICMP
TCP TCP
disable


service-negate

disable
auto-profiling
ttl

IP
only all
IP

disable
proxy web-proxy



{any | ldap | local | radius | tacacs+}
• RG-WALL
sslvpn-ccert
SSLVPN
| medium | high} SSL
• 164-bit
• 128-bit
<maximumsize_int> RG-WALL PPPoE ISP
PPPoE
"ICMP"
Web
timeout-send-rst


traffic-shaper-reverse <name_str> 1 2
2 1
utm-status {disable | UTM UTM disable
enable} UTM
identity-based
enable config identity-based-
identity-based disable utm-status
enable
action ipsec

enable webfilter-profile
profile-protection-options

application-list
identification
deep-inspection-
options
<profile_name>
logtraffic
profile-group {group |
(null)
profile-protocol-
profile-type {group |

single
schedule
action ssl-vpn

traffic-shaper
enable} UTM
webfilter-profile
IPS Web VoIP
UTM

set application-list <name_str>
set voip-profile <name_str>
set replacemsg-group <name_str>
deep-inspection-options "firewall deep-inspection-options"
<profile_name>
<name_str> profile profile-protection-options

<name_str> webfilter-profile profile-protection-options

ips-sensor
application-chart
{top10-app
| top10-media-user
| top10-p2p-user}

(null)
application-list
replacemsg-group

default
profile-protocol-options
HTTP FTP SMTP UTM


| servercomfort}
set oversize-limit <size_int>
set retry-count <retry_int>
| no-content-summary | oversize | splice}
set comfort-interval <interval_int>
set comfort-amount <amount_int>
set oversize-limit <size_int>
set oversize-limit <size_int>
set oversize-limit <size_int>
set oversize-limit <size_int>
set oversize-limit <size_int>
set oversize-limit <size_int>

intercept
config http
inspect-all {enable |

disable
{chunkedbypass summary

comfort-amount 1
Ruijie-bar
Ruijie-bar-port
<port_int> Ruijie Bar 8011
post-lang <charset1> HTTPS post HTTPS post [<charset2>...<charset 5>] RG-WALL
HTTPS POST UTF-8 RG-WALL
<size_int> oversize-limit
oversize HTTP
RG-WALL
Web

switching-protocols
inspect-all {disable |

disable
comfort-amount 1
options FTP no-
{bypass-mode-comma content-
d | clientcomfort "block" "compressed"
| no-content-summary
0
oversize-limit
RG-WALL 10
config dns

53
status
config imaps
inspect-all

disable
| no-content-summar no-

oversize-limit
RG-WALL 10
config mapi
options {fragmail MAPI fragmail
| no-content-summar no-

oversize-limit
RG-WALL 10
config pop3
inspect-all

disable
| no-content-summar
oversize-limit
RG-WALL 10
config smtp
inspect-all

disable
| no-content-summar no-
content- summary
SMTP
oversize-limit
RG-WALL 10
{enable | disable}
RG-WALL


status
config nntp
inspect-all

disable
no-content-summary content-
| oversize | splice} no-content-summary —
oversize-limit
RG-WALL 10
config im
no-content-summary content-
| oversize} no-content-summary — summary
oversize-limit
RG-WALL 10
config mail-signature
RG-WALL
(' ")


0
end <hh:mm> 00:00 <yyyy/mm/dd> • hh - 00 23 2001/01/01
• mm - 00 15 30 45
• yyyy - 1992
• yyyy - 1992
1-100 0


• mm 00 15 30 45
00:00
• mm 00 15 30 45
00:00
0


0
Authentication Remote Access Tunneling
VoIP Messaging\ &\ Other Applications
Web Proxy
"Web Access" "Web\ Access"

comment
set category <category_name>
set color <color_int>
set comment <string>
set protocol-number <protocol_int>
<srcporthigh_int>]
<srcporthigh_int>]
<srcporthigh_int>]
{disable | strict
• strict — RG-WALL IP(A,B) |
TCP(C,D) ICMP RG
SecOS A:C->B:D
TCP
ICMP
"log-invalid-packet {enable | disable}"
anti-replay
protocol TCP/UDP/SCTP
explicit-proxy
0
{enable | disable}
icmpcode


icmptype <type_int> ICMP type_int 0 255
www.iana.org ICMP
protocol


ALL
protocol-number
http://www.iana.org
0
0-65535

session-ttl per-VDOM session-ttl
0
86400
tcp-halfopen-timer 0
0 system global
protocol TCP/UDP/SCTP
tcp-portrange TCP <dstportlow_int>[-<dstporthigh_int>:
0-65535

<seconds_int> RFC 793: "TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request"


0 300 0 TCP TIME-WAIT 0

udp-idle-timer UDP 1 86400 0
<seconds>
udp-portrange UDP <dstportlow_int>[-<dstporthigh_int>:
0-65535


disable

set member ?
0
IP
{enable | disable} DSCP
diffservcode-forward
{enable | disable} DSCP
diffservcode-rev
max-bandwidth
0 16776000 Kbits/second 0

0
max-concurrent-
session
<sessions_int>
0 2097000 0
0
IP
end
end
QoS
0
0
per-policy disable
{enable | disable}
ttl-policy





"253-255"
null
vip
IP ARP RG-WALL
ARP ARP RFC 1027
IP RG-WALL
DMZ
(NAPT) / (NAT)
IP NAT NAT
• NAT
(DNAT)
PAT / NAT IP
NAT NAT IP IP

IP IP
IP
NAT
NAT IP IP

IP IP IP IP
IP IP


NAT IP IP
IP IP IP
IP
IP IP 0.0.0.0 IP
IP
DNAT
IP RG-WALL IP


arp-reply
comment


RG-WALL extip IP
IP IP
IP
0.0.0.0

server-type http 443 server-type https
0
gratuitous-arp-interval
ARP 0
ARP
[<start_ipv4>-<end_ipv4>]
RG-WALL extip IP
IP IP
IP

RG-WALL

ssl "not off"
1000
nat-source-vip
RG-WALL IP
IP NAT
RG-WALL RG-WALL
disable
outlook-web-access
Front-End-Https: on HTTP
outlook-web-access
RG-WALL HTTP
type http https
disable
portforward
mappedport
1-to-1
protocol
src-filter <addr_str> IP/
x.x.x.x/n x.x.x.x-y.y.y.y
{load-balance | server-load-balance |
static-nat}
vipgrp
IP DMZ IP
VIP VIP external-to-
DMZ

interface
member
gui

console
console
Status
Web CLI

imp2p
imp2p Instant Messaging Peer-to-Peer


icq-user
msn-user
old-version
effort | block}
best-effort
best-effort
best-effort
best-effort

imp2p VDOM imp2p allow


ips
DoS
sensor
setting
IPS MAC IPS
Peer VDOM
custom
RG-WALL RG-WALL






set anomaly-mode {continuous | periodical}
set database {regular | extended}
set session-limit-mode {accurate | heuristic}

engine-count RG-WALL 0
<integer>

{enable | disable}

hardware-accel- CP NP engine-pick
mode {engine-pick none engine-pick | cp-only | np-only | np-cp | none}
session-limit-mode
heuristic
RG-WALL Skype

rule



get

set severity {all | info low medium high critical}
set protocol <protocol_str>
set application <app_str>
set tags <tags_str>
set log-packet {disable | enable}
set quarantine-expiry <minutes_int>
set rule [<rule1_int> <rule2_int> ...] get
config exempt-ip
edit <exempt-ip_id>
"?" IPS

comment

<filter_int> ID IPS ID
"?" ID ID
location {all | client | all
server} • client
protocol
Other
Other
disable
disable} • enable

enable} PCAP
RG-WALL
| pass | reject} • block
both | interface | none}
IP
IP
<minutes_int> 259200
<count_int> 65535 0
rate-duration 60
rate-mode
<continuous
| periodical>
• periodical — action rate-duration rate-
count
ID
null
• count-enabled IPS
• count
• os
• application
"pass all", "block all", "reset all"
"default"
edit <exempt-ip_id> exempt-ip ID IPS
exempt-ip "?" ID ID
exempt-ip
0.0.0.0
0.0.0.0
setting


0
<packets_int>
IPS 6
packet-log-history 1 255 1
packet-log-history 1 RG-WALL
packet-log-post-attack IPS 0
<packets_int> packet-log-post- attack 10 RG-WALL
IPS 10
packet-log-attack 0 255 0
log
SSL VPN
custom-field
disk setting eventfilter
Ruijieguard setting gui-
display memory setting

# 16


{disk | memory | syslogd | syslogd2 | syslogd3 | webtrends } filter

RG-WALL
config log {disk |memory | syslogd | syslogd2 | syslogd3 | webtrends | Ruijieguard} filter
set analytics {enable | disable}
set anomaly {enable | disable}
set app-crtl {enable | disable}
set app-crtl-all {enable | disable}
set attack {enable | disable}
set blocked {enable | disable}
set discovery {enable | disable}
set email {enable | disable}
set email-log-google {enable | disable}
set email-log-imap {enable | disable}
set email-log-msn {enable | disable}
set email-log-pop3 {enable | disable}
set email-log-smtp {enable | disable}
set email-log-yahoo {enable | disable}
set forward-traffic {enable | disable}
set ftgd-wf-block {enable | disable}
set ftgd-wf-errors {enable | disable}
set local-traffic {enable | disable}
set gtp {enable | disable}
set infected {enable | disable}
set multicast-traffic {enable | disable}
set netscan {enable | disable}
set oversized {enable | disable}
set scanerror {enable | disable}
set signature {enable | disable}
set suspicious {enable | disable}
set switching-protocols {enable | disable}
set traffic {enable | disable}
set url-filter {enable | disable}
set virus {enable | disable}
set voip {enable | disable}
set vulnerability {enable | disable}
set web {enable | disable}
set web-content {enable | disable}
set web-filter-activex {enable | disable}
set web-filter-applet {enable | disable}
set web-filter-command-block {enable | disable}
anomaly
attack


ftgd-wf-errors
web
{enable | disable}
gtp {enable | disable} GTP RG SecOS Carrier
infected virus {enable | disable}
multicast-traffic
oversized virus {enable | disable}
scanerror
severity {alert | critical | debug | emergency | error | information | notification | warning} RG-WALL
emergency -
alert -
critical -
error -
attack
web

virus
vulnerability
web-content
web

web-filter-activex
web-filter-applet
web-filter-command-
block
web-filter-ftgd-quota
web-filter-ftgd-quota-
counting
FTP
RG-WALL AMC disk setting AMC
RG-WALL RG-WALL AMC
AMC Log&Report > Log Access > Disk
SQL SQL SQLlite
SQL

conn {default | high | low | disable} set uploaddir
<dir_name_str>
set uploadtype {attack event im spamfilter traffic virus voip webfilter}
set uploaduser <user_str>
overwrite

<0-19800>
threshold
threshold
threshold
maximum-log-age
<integer max> RG-WALL

max-policy-packet-
capture-size
<size_int>
roll-schedule
RG-WALL
source-ip
<address_ipv4>

upload {enable | disable} upload FTP
uploaddir uploadipuploadpass uploadport
uploaduser FTP

upload-delete-files

uploaddir FTP <dir_name_str> FTP
uploadip
uploadpass
uploadport
FTP
RG-WALL
uploadsched enable.
0

uploadzip

app-ctr
attack
event
traffic
virus
webfilter
eventfilter


admin
dns
network
{enable | disable} DHCP L2TP/PPTP/PPPoE VIP SSL
GTP
AMC
{enable | disable} UTM NAC
vpn
wan-opt
{syslogd} override-filter
VDOM config log {syslogd} filter
"{disk | memory | syslogd | syslogd2 | syslogd3 | webtrends } filter"
gui-display


resolve-apps
memory setting
RG-WALL RG-WALL


memory global-setting
RG-WALL RG-WALL
100
98
setting


local-in-admin
local-in-other
{enable | disable}
log-invalid-packet VDOM ICSA {enable | disable}
• ICMP
• IP
neighbor-event
resolve-port
syslogd override-setting

set override {enable | disable}
set status {enable | disable}
set csv {enable | disable}
set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2
| local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
set port <port_integer>
setting
csv {enable | disable} enable RG-WALL
CSV CSV
RG-WALL
facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp} facility RG-WALL local7
• alert:
• audit
• auth /
• authpriv: /
RG-WALL RFC 3195 RAW TCP


source-ip
<address_ipv4> syslogd syslog2 syslog3 IP 0.0.0.0
{syslogd | syslogd2 | syslogd3} setting



set status {enable | disable}
set csv {enable | disable}
set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2
| local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
set port <port_integer>
csv {enable | disable} enable RG-WALL
CSV CSV RG-WALL


facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp} facility RG-WALL local7
• alert:
• audit
• auth /
• authpriv: /
port <port_integer> 514
reliable {enable | disable} RG-WALL RFC 3195 RAW

RFC1035
<address_ipv4> syslogd syslog2 syslog3 IP 0.0.0.0
webtrends setting
4.1
status {enable | disable} enable
chart
end config report chart
config report
chart comments CLI
comments

config report chart edit
set group <group_str>
set header-value <string>
set legend {enable | disable}
set period {last24 | last7d}
set scale-format {YYYY MM DD HH MM | YYYY-MM-DD | HH | YYYY-MM-DD | YYYY MM |
YYYY | HH MM | MM DD}
set scale-number-of-step <steps_int>
set scale-step <step_int>
set scale-type datetime
set style {auto | manual}
manual type table

style manual type graph
config y-series y
style manual type graph
<chart_name> CLI
<chart_name> comments

0x 0xff0000

<size_int> 5 20
color-palette HTML <palette_hex> 0x
comments <comment_str> Web


report dataset
detail-value <value str>
displayname <name_str>
extra-y-legend
5 20
0
footer-value <value str>
graph-type {bar | flow | line


is-category {no | yes} x
label-angle {45 degree | x y vertical | horizontal}
legend {enable | disable}
legend-font-size 0 0
<size_int> 5 20
scale-format {YYYY MM
DD-HH-MM
scale-number-of-step
scale-origin {max | min} x
X max scale-start



2001


style {auto | manual} style auto
style


comments
5 20
0


value1 {<value_int>
| <value_str>}
value2 {<value_int>
| <value_str>}
dataset
end
end
SQL
edit <field-id> SQL 1 SQL

displayname
layout



set cutoff-time <time_str>
set description <text>
set email-recipients <recipients_str>
set time <HH:MM>
set style-theme <theme name>
set options {include table of contents | auto numbering heading | view chart as heading
| show html navbar before-heading} config page
set paper {A4 | letter}
set options {header on first page | footer-on-first-page}
set style <style name>
set description <text>
set content <text>
set img-src <text>
set misc-component {hline | page break | column break | section-start}
set parameter1 <value_str>

604 800 1
86400
custom
send email-send
schedule-type
00:00
schedule-type weekly
numbering heading
view-chart-as-heading —
column-break-before



content <text> type text


image






image

description <text> type text misc


image
img-src <chart name> type chart





config report style
edit <style name>
set options {font | text | color | align | size | margin | border | padding | column}
set font-family {Verdana | Arial | Helvetica | Courier | Times}
set font-style {normal | italic}
set font-weight {normal | bold}
set font-size {xx small | x small | small | medium | large | x large | xx large} | 5-28
set line-height <integer | percentage>
set fg-color {aqua | black | blue | fuchsia | gray | green | lime | maroon | navy | olive
| purple | red | silver | teal | white | yellow | <color value>}
set bg-color {aqua | black | blue | fuchsia | gray | green | lime | maroon | navy | olive
| purple | red | silver | teal | white | yellow | <color value>}
set align {left | center | right | justify}
set height <integer | percentage>
set width <integer | percentage>
set border-top <topwidth_int> {none | dotted | dashed | solid} {aqua | black | blue
| fuchsia | gray | green | lime | maroon | navy | olive | purple | red | silver | teal
| white | yellow | <color value>}
set border-bottom <bottomwidth_int> {none | dotted | dashed | solid} {aqua | black
| blue | fuchsia | gray | green | lime | maroon | navy | olive | purple | red | silver
| teal | white | yellow | <color value>}
set border-left <leftwidth_int> {none | dotted | dashed | solid} {aqua | black | blue
| fuchsia | gray | green | lime | maroon | navy | olive | purple | red | silver | teal
| white | yellow | <color value>}
set border-right <rightwidth_int> {none | dotted | dashed | solid} {aqua | black
| blue | fuchsia | gray | green | lime | maroon | navy | olive | purple | red | silver
| teal | white | yellow | <color value>}
set padding-top <integer>
set padding-bottom <integer>
set padding-left <integer>
set padding-right <integer>
options {font | text
| color | align | size

{normal | bold}
font-size {xx small 5 28 | x small | small | medium | large | x large | xx large} | 5-
28
line-height
10 120%
fg-color {aqua 6 | black | blue 0033CC | fuchsia | gray
| green | lime
| maroon | navy
value>}
bg-color {aqua 6 | black | blue FF0000 | fuchsia | gray | green | lime
| maroon | navy

margin-top
border-top <topwidth_int> 6 {none | dotted
| dashed | solid}
| dashed | solid}
| dashed | solid}
column-gap
set schedule {daily | weekly}
day {sunday
| monday | tuesday
schedule

00:00
widget




set default-html-style <style_name>
set default-pdf-style <style_name>
set page-style <style_name>
set page-header-style <style_name>
page-orient
default-pdf-style
page-style
page-footer-style
report-title-style ? <style name>
report-subtitle-style ? <style_name>
heading1-style 1 ? 1 <style_name>
heading2-style 2 ? 2 <style_name>
heading3-style 3 ? 3 <style_name>
heading4-style
toc-title-style
toc-heading1-style 1 ? <style_name> 1
toc-heading2-style 2 ? <style_name> 2
toc-heading3-style 3 ? <style_name> 3
toc-heading4-style 4 ? <style_name> 4
normal-text-style ? <style_name>
bullet-text-style ? <style_name>
numbered-text-style ? <style_name>
image-style
hline-style
table-chart-caption- ?
router
RG-WALL RG-WALL

RG-WALL RIP OSPF

deny


config rule
exact-match
any
wildcard IP <address_ipv4> 0.0.255.0 0 <wildcard_mask> 1

any
interface <if_name>

set server <servername_string>
set source-ip <ipv4_addr>
failtime <attempts_int>
ha-priority <priority_int> HA 1 50
1
HA

RIP 2

RG-WALL
RG-WALL “config system global”



hh:mm:ss day month year end

infinite —
hh — 0 23
mm — 0 59
ss — 0 59
day — 1 31
month — 1 12
year — 1993 2035
hh mm ss day month 1


mm:ss day month year end
hh:mm:ss day month year
infinite —
hh — 0 23
mm — 0 59
ss — 0 59
day — 1 31
month — 1 12
year — 1993 2035
hh mm ss day month 1


ospf
RG-WALL OSPF RFC 2328
OSPF
AS
ABR LSA

BRF BFD
CLI BFD

set auto-cost-ref-bandwidth <mbps_integer>
set bfd {enable | disable | global}
set default-information-route-map <name_str>
set default-metric <metric_integer>
set distance <distance_integer>
set distance-external <distance_integer>
set distance-inter-area <distance_integer>
set distance-intra-area <distance_integer>
set distribute-list-in <access_list_name>
set restart-period
set default-cost <cost_integer>
set stub-type {no-summary | summary}
config filter-list
edit <filter-list_id>
set authentication-key <password_str>
set dead-interval <seconds_integer>
set hello-interval <seconds_integer>
end
end
config neighbor
edit <neighbor_id>
set authentication-key <password_str>
set cost <cost_integer>
set metric <metric_integer>
RG-WALL OSPF ABR
ABR
bfd {enable | disable | global} BFD
• enable - BFD
• disable - BFD
• global -


database-overflow-max-lsas
LSA OSPF
OSPF lsas_integer
lsas_integer 0
4294967294
10000
database-overflow-time-to-
seconds_integer 0
RG-WALL
300
default-information-metric
16777214
10
default-information-metric-
OSPF
{always | disable | enable} always RG-WALL


10

<distance_integer> 255
<distance_integer> 255
<distance_integer> 255
“router

RG-WALL
rfc1583-compatible RFC 1583 disable
{enable | disable} OSPF RFC 1583 RFC 1583

IP
ID
0.0.0.0 ID
<hold_integer>
SPF
hold_integer 0 4294967295
SPF OSPF
CPU spf-timers 0
CPU
config router ospf
ABR
OSPF

OSPF NSSA AS
AS

OSPF
ABR

ABR
direction list



none | text}

<cost_integer>
nssa-default-information-
originate
disable
nssa-default-information-
originate-metric
<metric>
{enable | disable} NSSA enable
nssa-translator-role NSSA NSSA candidate
{always | candidate | Type 7 LSA OSPF never} Type 5 LSA NSSA NSSA
NSSA
NSSA NSSA

NSSA
NSSA
summary

direction {in | out} in out

out
edit <range_id> ID 0
4294967295
substitute-status {enable |

none —
text —

<password_str> 15
authentication-key
text
dead-interval hello-interval
40
hello-interval
seconds_integer 1 65535
10
md5-key md5 <id_integer> <key_str> MD5 ID
set md5-key 6 "ENC yYKaPSrY89CeXn66WUybbLZQ5YM="
ID
16
0.0.0.0
<seconds_integer> seconds_integer
1 65535
transmit-delay 1


id 15.1.1.1 summary 20 MD5

config router ospf config
config router ospf
end


access-list <name_str> Null
config router ospf config

cost <cost_integer> cost_integer 1
65535
10
poll-interval
10
priority
255

prefix <address_ipv4mask> OSPF IP 0.0.0.0
0.0.0.0

10.1.1.1
end

RG-WALL interface <name_str>


{md5 | none | text}



authentication-key text <password_str> text
authentication-key

database-filter-out
dead-interval
dead-interval hello-interval
40
hello-interval
1 65535
IPSec GRE
IP OSPF

0.0.0.0
MD5 ID
set md5-key 6 "ENC yYKaPSrY89CeXn66WUybbLZQ5YM="
ID

16
65535
mtu-ignore OSPF MTU




broadcast
prefix-length <int> OSPF hello 0 32 0
priority 1



<integer>
<seconds_integer> seconds_integer 1
65535
transmit-delay 1




static | rip}

16777214
10
routemap <name_str>
tag <tag_integer>
0

config router ospf
ASBR LSA
OSPF

prefix <address_ipv4mask> IP
0.0.0.0 0.0.0.0
0
policy,
IP
RG-WALL
move

RG-WALL

<policy_integer>


dst
0.0.0.0 0.0.0.0
destination-port-range
start-port end-port
start-port end-port
port_integer 0 65535
6 TCP 17 UDP 132 SCTP

65 535
protocol 6 TCP 17 UDP 132
SCTP
65 535
0 255
0
UDP 1 ICMP 47 GRE
92

0.0.0.0 0.0.0.0
destination-port-range
start-port end-port
start-port end-port
port_integer 0 65535
6 TCP 17 UDP 132 SCTP

protocol 6 TCP 17 UDP 132
SCTP
1
prefix-list,
RIP OSPF
IP permit
deny
config router setting


comments <string> 127

ge
0
32
{<address_ipv4mask> | any ge 0.0.0.0
any} any ge le
prefix-list
RIP
15 X 16
RIP RG SecOS RIP 1 RFC 1058 RIP 2 RFC 2453 RIP
2 RIP

set auth-string <password_str>
set metric <metric_integer>
set routemap <name_str>
default-metric 1
1 16

RIP


<timer_integer> RIP
version {1 2} RIP RIP 1
RIP 2
receive-version {1 2} send-version {1 2}
“config interface”
1 5 -
config router rip

distance


Null
distance

0
prefix
config router rip config

“router access-list” “router prefix-list”
direction listname
direction {in | out}
in

out


RIP 2 RIP
RIP 2 receive-version send-version 1 1
2 1 auth-mode none




IPSec GRE

auth-keychain

none —
<password_str> auth-
string 35
receive-version {1 2} RIP 520 UDP

1 — RIP RIP 1
2 — RIP RIP 2
1 2 — RIP RIP 1 2

send-version {1 2} RIP 520 UDP

1 — RIP RIP 1
2 — RIP RIP 2
1 2 — RIP RIP 1 2

{enable | disable} RIP 2 RIP 1

{poisoned | regular}
test1

ip <address_ipv4> IPv4 0.0.0.0

prefix


0.0.0.0

config router rip
end
access-list <name_str>


5 10
15
acc_list1

ospf | static}

16
setting


show-filter <prefix_list> prefix-list

RG-WALL
ECMP IP NAT
IP IP
Source based ECMP Weighted Spill-over config system setting CLI set v4-ecmp-mode Source Based Weighted ECMP spill-over usage-based ECMP RG-WALL RG-WALL ECMP ECMP “system settings”

end
blackhole dst gateway blackhole dst

blackhole disable
{enable | disable}

config system interface “distance
<distance_integer>”
10

disable
IPv4
IP NAT IP
0 4294967295

CLI

0
weighted
weight-based
3g-modem custom
accprofile
amc
arp-table
dedicated-mgmt
dns
dns-database
dns-server
email-server
fips-cc
Ruijieguard
interface
ipip-tunnel
mac-address-table
modem
replacemsg alertmail
replacemsg ec
replacemsg Ruijieguard-wf
replacemsg ftp
replacemsg http
replacemsg im
replacemsg mail
replacemsg nac-quar
replacemsg nntp
replacemsg sslvpn
replacemsg traffic-quota
storage
vdom-dns
vdom-link
vdom-property
vdom-radius-server
vdom-sflow
virtual-switch

class-id <cid_hex> USB 0x00 - 0xFF

end
end
end




<access-group>
LDAP
fwgrp firewall configuration
get system status
autoupdate
utmgrp UTM
vpngrp VPN
<access-level> none

none
read
read-write
address
device
others
policy
profile

service
config loggrp-permission loggrp custom
config
data-access
antivirus
application-control
ips
netscan
voip
webfilter
admin
RG-WALL
Web
admin super_admin
super_admin_readonly super_admin_readonly
super_admin super-admin

RADIUS RG-WALL
super_admin CLI
super_admin ITAdmin 123456
config system admin
“null”
“empty” “null”

vdom
vdom-override

| trusthost9 | trusthost10} <address_ipv4mask>

super_admin
<comments_string>

gui-log-display Web {memory | disk}
password-expire <date> 0 0000-00-00
<time> 00:00:00
{disable | enable}
config user group
HTTPS

disable
remote-auth
TACACS+

schedule Null
ssh-public-key1 "<key-type> <key-value>" SSH
DSA <key type> ssh-dss RSA
ssh-rsa
ssh-public-key3 "<key-
{trusthost1 | trusthost2 | trusthost3 | trusthost4 | trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9 | trusthost10} <address_ipv4mask>
IPv4 0.0.0.0 0.0.0.0 RG-WALL
wildcard
RG-WALL

set widget-type ?
<column_number>

name <name_str>

IP
(msg-counts) bytes
top-n <results_int> —
10 10
-
0
refresh-interval <interval_int> — 10 240 0 bytes
sort-by {bytes | msg-counts} — bytes
(msg-counts)
10

show-local-traffic
ID
disable
sort-by
chart-color <color_int> —
MAC
ip <address_ipv4> ARP IP
mac <mac_address> MAC xx:xx:xx:xx:xx:xx
auto-install
U
U U FAT16
U RG-WALL
“exe usb-disk format”.
U Windows “format <drive_letter>: /FS:FAT /V:<drive_label>” where <drive_letter> USB <drive_label>
U
RG-WALL USB U U


auto-install-image
default-config-file U system.conf
default-image-file U image.out
autoupdate push-update
RG-WALL

RG-WALL RG-WALL SETUP FDN
FDN RG-WALL
60 RG-WALL FDN
IP
FDN NAT RG-WALL NAT

NAT IP PPPoE DHCP
NAT
override
FDN
NAT

9443


set time <hh:mm>
set day <day_of_week>
frequency
interval
time
00:00
Monday
IP

RG-WALL HTTP CONNECT RFC 2616 RG-WALL
HTTP CONNECT FDN
IP FDN RG-WALL FDN

HTTPS RG-WALL HTTPS 8890 FDN

port <proxy_port> 0
username <name>



<baudrate> 9600 19200 38400 57600 115200
9600
no
server <servername> SMTP
Ruijievirussubmit.com
bug_report

username-smtp
bug_report

bypass


set bypass-watchdog {enable | disable}
set poweroff-bypass {enable | disable}

10
bypass-watchdog

set Ruijiemanager-fds-override {enable | disable}
schedule-script-restore
allow-monitor
allow-push-
configuration
57600 115200
mode {batch | line} line
output {standard | more} standard more

more
ddns


DDNS

ddns-password
dipdns.net
DDNS
genericDDNS — ddns-server-ip DDNS
(RFC 2136)
now.net.cn — ip.todayisp.com
ods.org — ods.org
tzo.com — rh.tzo.com
vavic.com — ph001.oray.net
ddns-username

monitor-interface
dedicated-mgmt
VDOM CLI


default-gateway <IPv4_addr> 192.168.1.1
interface <port_name> mgmt
DHCP IP 200


database
regular
IP
“system dhcp reserved-address”
set domain <domain_name_str>
set interface <interface_name>
set option1 <option_code> [<option_hex>]
set option2 <option_code> [<option_hex>]
set option3 <option_code> [<option_hex>]
set option4 <option_code> [<option_hex>]
set option5 <option_code> [<option_hex>]
set option6 <option_code> [<option_hex>]
set server-type {ipsec | regular}
RG-WALL
auto-configuration
1 100
dns-server1
dns-service specify
0.0.0.0
dns-server2
dns-service specify
0.0.0.0
dns-server3
dns-service specify
0.0.0.0
dns-service {default
| specify | local} config system dns DNS
RG-WALL DHCP
specify DHCP DHCP
DNS dns-server# DNS
DHCP
specify
domain
interface
DHCP IP
DHCP
IPsec VPN IP
server-type ipsec
range
ipsec-lease-hold
DHCP-over-IPSec
server-type ipsec
60
lease-time <seconds> DHCP DHCP 604800
300 864000 10 7

netmask <mask> DHCP DHCP 0.0.0.0
ntp-server1 NTP IP 0.0.0.0 <ipv4_addr>
ntp-server2 <ipv4_addr> 0.0.0.0
ntp-server3 <ipv4_addr> 0.0.0.0
DHCP

specify
option1
<option_code>
[<option_hex>]
option2
<option_code>
[<option_hex>]
option3
<option_code>
[<option_hex>]
option4
<option_code>
[<option_hex>]
option5
<option_code>
[<option_hex>]
option6
<option_code>
[<option_hex>]
option_code 1 255 DHCP option_hex
DHCP
RFC 2132 DHCP BOOTP
0
server-type
regular
vci-match
DHCP



wifi-ac2 <ipv4_addr> 0.0.0.0
wifi-ac3 <ipv4_addr> 0.0.0.0

0.0.0.0
wins-server2

0.0.0.0
wins-server3

0.0.0.0
IP DHCP
16 RG-WALL DHCP DHCP
IP
end-ip <end_ipv4> IP IP IP

0.0.0.0
start-ip <start_ipv4> IP IP IP

0.0.0.0
DHCP DHCP IP
16 RG-WALL DHCP
end-ip <address_ipv4> DHCP DHCP IP IP
I start-ip end-ip IP

I start-ip end-ip IP

IP DHCP
16
mac <mac_addr> IP MAC MAC
DHCP
DNS RG-WALL URL
DNS
dns-cache-limit <integer> DNS 5000
dns-cache-ttl <int> DNS 1800
domain <domain_name>
primary <dns_ipv4> DNS IP 208.91.112.53
secondary <dns_ip4> DNS IP 208.91.112.52
source-ip <ipv4_addr> DNS IP 0.0.0.0
dns-database
RG-WALL DNS RG-WALL DNS DNS
IPv4 A NS CNAME MX


end
end


authoritative {enable | disable} enable
contact <email_string>

example.com
primary-name <name_string> DNS dns
source-ip <ipv4_addr> DNS IP 0.0.0.0
status {enable | disable} DNS enable
ttl <int> 0
2,147,483,647
86400
mailto:[email protected]


DNS

Null
hostname <hostname_string> Null
ip <ip_address> IP IPv4 type A

0.0.0.0

10
ttl <entry_ttl_value> 0 2147483
647
0
type {A | AAAA | MX | NS A — IPv4 A | CNAME}
CNAME —
MX —
NS —
end
| non-recursive | recursive} forward-only — RG-WALL DNS

system dns-database
email-server

set server {<name-str> | <address_ipv4>}
SMTP

disable

server
TCP SMTP 25 SMTP

security {none | smtps | starttls} none
server
smtp.domain.com RG-WALL
SMTP RG-WALL
SMTP


Ruijieguard
• RuijieGuard Antivirus IPS
IP
RuijieGuard
ddns-server-port
service-account-id
ID


load-balance-servers
RG-WALL RuijieGuard
balance-servers 1 RG-WALL
RuijieGuard
load-balance-servers 2 RuijieGuard
RG-WALL
1
{enable | disable} RG-WALL
FDN IP
URL

<ttl_int> TTL RG-WALL
FDN

avquery-cache-
1 15
avquery-license RuijieGuard

N/A
avquery-timeout
7
central-mgmt-auto-
backup


RG-WALL service-account-id
RuijieGuard
webfilter-cache-ttl TTL 3600
<ttl_int> TTL RG-WALL FDN
86400
N/A
webfilter-force-off

disable
RuijieGuard

webfilter-sdns-

0.0.0.0
webfilter-sdns-

443
webfilter-timeout
15
geoip-override


global
runtime-only config RG-WALL runtime-only
set cfg-save {automatic | manual | revert}
set cfg-revert-timeout <seconds> execute cfg reload

set auth-cert <cert-name>
set auth-http-port <http_port>
set auth-https-port <https_port>
set av-failopen-session {enable | disable}
set batch-cmdb {enable | disable}
set cfg-revert-timeout <seconds>
set fmc-xg2-load-balance {disable | enable}
set gui-antivirus {enable | disable}
set gui-application-control {enable | disable}
set gui-ap-profile {disable | enable}
set gui-central-nat-table {disable | enable}
set gui-certificates {enable | disable}
set gui-client-reputation {enable | disable}
set gui-dns-database {disable | enable}
set gui-dynamic-profile-display {disable | enable}
set gui-dynamic-routing {enable | disable}
set gui-implicit-policy {disable | enable}
set gui-ips {enable | disable}
set gui-ipsec-manual-key {enable | disable}
set ie6workaround {enable | disable}
set internal-switch-speed {100full | 100half | 10full | 10half | auto}
set ip-src-port-range <start_port>-<end_port>
set ipsec-hmac-offload {disable | enable}
two-factor-email-expiry <seconds_int> set
admin IP

15 300
0
admin-https-pki-required

admin

disable
admin-lockout-duration
{enable | disable}

admin-reset-button
30
enable
admin-scp
admin-server-cert {self-sign | <certificate>} HTTPS
Ruijie_Factory self-sign
admin-ssh-grace-time
120
admin-ssh-port
admin-ssh-v1
admin-telnet-port
admintimeout 5
5
enable
anti-replay {disable | loose | strict} TCP TCP strict SYN TCP
SYN ACK TCP
TCP
TCP

• RG-WALL TCP
RG-WALL
RST



self-sign
auth-http-port <http_port> HTTP <http_port> 1 65535 1000
auth-https-port
65535
1003
{enable | disable} IP
av-failopen pass
{idledrop | off | one-shot | pass} idledrop off one-shot pass pass
• idledrop —


{enable | disable} failopen av-failopen

{enable | disable}
cert-chain-max <int> 8
cfg-save {automatic | manual | revert} runtime-only
• automatic —

600

check-protocol-header loose



{disable | strict} • — RG-WALL ICMP
• strict — RG-WALL IP(A,B) |
A:C->RG SecOSB:D
TCP
ICMP
ICMP
anti-replay

disable
csr-ca-attribute
CA CSR
restart-time
dst {enable | disable}
AV/IPS HA

enable
fds-statistics-period
<minutes> FDS 1 1440 60
fgd-alert-subscription
latest-attack — RuijieGuard
latest-threat — RuijieGuard
latest-virus — RuijieGuard
new-attack-db — RuijieGuard IPS
fwpolicy-implicit log
gui-antivirus
gui-application-control
{enable | disable} Web enable
gui-ap-profile {disable | enable} Web AP 30D


disable
gui-dns-database {disable |
gui-dynamic-profile-
display {disable | enable} Web enable
gui-dynamic-routing Web {enable | disable} System > Network > Routing
System > Monitor > Routing Monitor

gui-ipsec-manual-key
gui-lines-per-page
gui-load-balance Web disable
{disable | enable}
gui-multiple-utm-profiles

enable
{enable | disable}
VPN
gui-sslvpn-personal-
bookmarks
gui-sslvpn-realms
gui-voip-profile {disable |
gui-vpn {enable | disable} Web VPN enable
gui-vulnerability-scan
gui-webfilter
hostname <unithostname> RG-WALL RG-WALL

16
CLI
URL
header-only — HTTP

disable
| interface | switch}
RG-WALL


100full
100half
10full
10half
auto
100 10 100M 10M Full half

<start_port>-<end_port> <start_port> <end_port> 1
65535 1 65535
FDN
IPsec HMAC
english french japanese korean
portuguese spanish simch ( ) trach
( )


disable
ldapconntimeout
login-timestamp
TCP/IP TCP/IP
telnet 23 HTTP 80
disable
log-user-in-upper
VDOM
max-report-db-size <size> MByte 1024
miglogd-children <int> miglogd 0 15 0
num-cpus <int> CPU
optimize antivirus
{antivirus | throughput}
throughput
phase1-rekey 1 IKE enable
{enable | disable}
<limit_int> 100 0
per-user-bwl
pre-login-banner
“system replacemsg
post-login-banner
radius-port <radius_port> RADIUS RADIUS
1812 RADIUS 1645
CLI RG-WALL
RADIUS


enable
300 0
RADIUS 5

reset-sessionless-tcp

RESET
daily-restart

disable
revision-image-auto-
scanunit-count <count_int> CPU
CPU RG-WALL



Web
{enable | disable}
sp-load-balance 3950B 3951B 3140B SP disable
{enable | disable}

sslvpn-max-worker-count
CPU
CPU
sslvpn-worker-count SSL CPU <count_int> CPU 1
strict-dirty-session-check disable
{enable | disable} 3DES SHA1 HTTPS/ SSH

Netscape 7.2 Netscape 8.0 Firefox
Microsoft Internet Explorer 7.0 (beta)
Internet Explorer 5.0
6.0
syncinterval
NTPsyncinterval
0
tcp-halfopen-timer 60
tcp-option
{enable | disable} SACKtimestamp MSS TCP
tcp-option
tcp-timewait-timer TCP TIME-WAIT 1
<seconds_int> RFC 793 "TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request"

0 300 0 TCP TIME-WAIT
0
<timezone_number> RG-WALL

tp-mc-skip-policy
two-factor-email-expiry 60
udp-idle-timer <seconds> UDP 1
86400

disable
http://www.faqs.org/rfcs/rfc793.html
sign
vdom-admin
ARP
8192 ARP
ARP
<integer> CPU
gre-tunnel
NAT/Route
• IP ping



ha
RG-WALL (HA)
RG-WALL DHCP PPPoE IP HA
HA
• override
• config system interface RG-WALL HA

set encryption {enable | disable}
set gratuitous-arps {enable | disable}
set hc-eth-type <type_int>
set helo-holddown <holddown_integer>
set l2ep-eth-type <type_int>
set minimum-worker-threshold <threshold_int>
set monitor <interface_names>
set override {enable | disable}
set priority <priority_integer>
set session-pickup {enable | disable}
set session-pickup-connectionless {enable | disable}
set session-pickup-delay {enable | disable}
set session-pickup-expectation {enable | disable}
set session-pickup-nat {enable | disable}
set sync-config {enable | disable}
set uninterruptible-upgrade {enable | disable}
set update-all-session-timer {enable | disable}
set weight <priority_integer> <weight_integer>
ARP
<interval_integer>
IP MAC
1 20
authentication
encryption {enable | disable} / AES-128 SHA1
HA
link-failed-signal ARP
enable
group-id <id_integer> HA ID ID 0 255 HA
ID ID
MAC
32
<type_int> 4
8890
ha-mgmt-status
{enable | disable} HA disable
ha-mgmt-interface RG-WALL HA <interface_name> “config system interface” IP

HA
<diff_int>

hb-interval 2
<interval_integer> 1 20 100* hb-interval 2
200
hb-lost-threshold 6
hbdev <interface_name> RG-WALL <priority_integer> RG-WALL
[<interface_name> <priority_integer>]...

8891
<holddown_integer>
l2ep-eth-type <type_int> HA HA telnet
<type_int> 4
8893

TCP UTM
UTM
disable
load-balance-udp
mode a-a schedule weight-round-robin
0
HA “minimum-
worker-threshold”
mode {a-a | a-p | standalone} HA
a-p Active-Passive
a-a Active-Passive
standalone HA
RG-WALL dhcp pppoe

standalone
monitor <interface_names>
RG-WALL
Enter the names of the interfaces to monitor. Use a space to separate each interface name.
802.3ad

64
<weight_int> <low_int>
0

HA
15
<threshold_integer> 0 50
0 HA IP ping
HA
<timeout_integer> HA IP
IP
2147483647
IP
<weight_int> <low_int> <high_int> <high_int>
mode a-a schedule weight-round-robin
0

HA
10

0
| leastconnection | none
| weight-round-robin} IP IP

{enable | disable}
UDP ICMP
mode a-a a-p mode standalone
TCP
{enable | disable} session-pickup

session-pickup-expectation
mode standalone
disable
session-pickup-nat
session-pickup
mode standalone
number <process_id_int>
session-sync-dev RG-WALL <interface_name> 8 [<interface_name>]...
slave-switch-standby FS-5203B disable
<weight_int> <low_int> <high_int> <high_int>
mode a-a schedule weight-round-robin
0
round-robin weight

4
priority_integer 0 3





1 1

1
2
vdom
domain_2 set vdom domain_1 domain_2

VDOM
2 2
config secondary-vcluster 2
1
2
config secondary-vcluster 2 monitor 1
override priority vdom
HA priority override

active-interface
IPSec
edit VLAN
RG-WALL “internal” internal-
switch-mode

config system interface
set bfd-desired-min-tx <interval_msec>
set bfd-detect-mult <multiplier>
set bfd-required-min-rx <interval_msec>
set lacp-speed {fast | slow}
set sample-rate <rate_int>
set sflow-sampler {disable | enable}
link | vlan }
set defaultgw {enable | disable}

allowaccess IP <access_types> append clear
set
probe-response — config system server-probe

alias <name_string>
25
physical
DHCP MS Windows Client ARP
enable
atm-protocol
{ipoa | none} IPoA IPoA ADSL none
auth-type PPP auto
<ppp_auth_method> auto —

global} — BFD BFD
— BFD

bfd-desired-min-tx BFD 1 50
<interval_msec> 100000 msec
<interval_msec> 100000 msec
bfd
disable
defaultgw
DHCP PPPoE
disable
dedicated-to
static “mgmt”

DHCP DHCP
RG-WALL
RG-WALL DHCP RG-WALL MAC

dhcp-relay-ip <dhcp_relay1_ipv4> {...<dhcp_relay8_ipv4>}
8 DHCP
DHCPREQUEST ACKNOWLEDGE
DHCP
dhcp-relay-type
regular
regular
mode pppoe NAT/Route

<admin_distance>
“distance <distance>”
NAT/Route
DNS
enable
drop-fragment
edit <secondary_ip_id> 1 IP


SIP NAT
ping (detectserver) detectserver
NAT
<collision_group_number> 0
ARP



RG-WALL
disable
<pppoe_timeout_seconds> 0
mode pppoe
inbandwidth Kbit/sec 0
<bandwidth_integer>



ip IP <interface_ipv4mask> dhcp pppoe
IP

MAC “ipmacbinding
setting” “ipmacbinding table”
disable
ipunnumbered IP PPPoE <unnumbered_ipv4> IP IP IP
IP
IP ISP
IP IP
{enable | disable} 2 IPX PPTP L2TP
RG-WALL
{enable | disable}
RG-WALL
HA

5
lcp-max-echo-fails
mode pppoe
3

macaddr MAC <mac_address> MAC xx:xx:xx:xx:xx:xx

Independent Interface)
SFP
SFP 1000 Mbps
sgmii-sfp SGMII SGMII
10 100 1000 Mbps
mode
NAT/Route
eoa — Ethernet over ATM
NAT/Route
MTU
• RG-WALL
RG-WALL MTU 1500

MTU
1 500
{enable | disable} 1500
IPsec
VLAN MTU
1500 MTU
Windows Internet Name Service (WINS)
wins-ip <wins_server_ip> WINS
IP
NAT/Route

<padt_retry_seconds> PPPoE
mode pppoe NAT/Route

password


RG-WALL
PoE
<interval_int> sFlow collector 1
255
pptp-client PPTP disable
{disable | enable} l2forward
HA
HA
pptp-password
pptp-server-ip
pptp-auth-type
pptp-timeout <pptp_idletimeout> PPTP 0

priority
pppoe dhcp
0
ip
captive-portal
tx)

rate 10 99999
sample-rate
sFlow

sample-rate
{enable | disable}
security-groups
captive-portal
sample-rate polling-interval sample-direction
sFlow RG-WALL
VLAN
sFlow “system sflow”
disable
speed auto
ECMP v4-ecmp-mode
config system settings
usage-based spillover-

{enable | disable}

STP RG-WALL VLAN
VDOM
rpl-bridge-ext-id ID

xx:xx:xx:xx:xx:xx
trust-ip-1 <ipmask>
trust-ip-2 <ipmask>
trust-ip-3 <ipmask>

“mgmt”
0.0.0.0/24
type {aggregate | hard-switch | hdlc | loopback | physical | redundant | tunnel | vap-switch | vdom-link | vlan}
vlan
802.3ad 8
physical
switch-hardware
T1/E1
DNS CLI Web

type {aggregate | hard-switch | hdlc | loopback | physical | redundant | tunnel | vap-switch | vdom-link | vlan}
physical — RG-WALL type physical physical
redundant — 2


intf phase1 IPSec
vdom-link —
NAT/Route
vdom <vdom_name>
IP
root
vlanforward
VLAN VLAN
enable
VLAN ID
VLAN ID 1 4094 0
4095 IEEE
VLAN
VLAN
RG-WALL
MAC VRRP MAC
RFC 3768

0
wins-ip


pap —
password <password> L2TP n/a
peer-host <ipv4_addr> L2TP IP n/a
peer-mask <netmask> L2TP

255.255.255.255

0
gwaddr <IPv4> IP
mux-type
ISP
vci <integer> VCI 0 255
ISP
0 65535 ISP
35
algorithm L4

L2
lacp-ha-slave
LACP Active-
Passive HA lacp-mode static
enable LACP slave

enable
lacp-mode {active | passive | static} active — LACP PDU

{fast | slow} slow — 30 LACP PDU

LACP PDU
slow
member <if_name1> <if_name2> ...
VDOM vdom
member
• DHCP
• VLAN
• VIP

port1 5
1
VRRP RFC 3768
<VRID_int> VRRP ID 1 255 VRRP

adv-interval
preempt VRRP enable
{enable | disable}
VRRP
<seconds_int>
ipip-tunnel
ips-urlfilter-dns

status {enable | disable} enable
mac-address-table

11:22:33:00:ff:aa
reply-substitute


modem



set auto-dial {enable | disable}
set holddown-timer <seconds>
set idle-timer <minutes>
set interface <name>
set lockdown-lac <lac_str>
set network-init <init_str>
set phone1 <phone-number>
set phone2 <phone-number>
set phone3 <phone-number>
set pin-init <init_str>
set redial <tries_integer>
{equal | fallback} equal —

authtype1 {pap chap
pap chap

standalone
dial-on-demand
idle-timer
standalone
IP
“distance <distance>”

extra-init3 <init_str>
holddown-timer 60
1-60
idle-timer <minutes>
5

mode standalone

PCMCIA
internal pcmcia-wireless internal
3G PCMCIA pcmcia-wireless

AT+COPS=<mode>,[<format>,<oper>[,<AcT>]]
<mode>
generic
generic
generic
phone2 <phone-number>
pin-init <init_str> AT PIN

null
{disable | enable} ppp-echo-request1

{disable | enable} ppp-echo-request2

{enable | disable} ppp-echo-request3

“router
ISP 1 10 none



disable
wireless-port <port_int> 3G TTY 0

0
monitors

widget-type
| virus | webfilter} — monitor
sort-by {bytes | msg-counts} — bytes
(msg-counts)
report-by {source | destination | destination-port}
resolve-host {enable | disable} —
show-auth-user {enable | disable} —
(msg-counts)
top-n <results_int> —
refresh-interval <interval_int> —
top-n <results_int> —
RG-WALL CPU
“traffic-shaping-mode” bidirection 2


IPSEC FB4
{enable | disable}
{enable | disable}
IPSEC FB4
{enable | disable} FB4
server-mode

disable
source-ip <ipv4_addr> NTP IP 0.0.0.0
syncinterval <interval_int> NTP
1 1440
ntpsync
edit <serverid_int> NTP
authentication {enable | disable} MD5 disable
key <password_str> MD5 null
key-id <int> MD5 Key-ID 0
ntpv3 {enable | disable} NTPv3 NTPv4 disable
server
object-tag



minimum-length
min-lower-case-letter
90
status
probe-response


http-probe-value <string> OK

http-probe

interface <port> IP
ip <ipv4_address> IP

CLI RG-WALL Web CLI RG-WALL


set buffer <message>
set format <format>
set header <header_type>


%%TIMEOUT%%
“system email-server”
HTTP HTML
set buffer <message>
set format <format>
set header <header_type>
buffer <message>
8bit
http
none

Send alert email for logs based on severity


AntivirusFileFilter
level Alert Emergency
alertmail-disk-full Diskusage
alertmail-nids-event Intrusion detected IPS DoS


%%VIRUS%% %%VIRUS%%
%%URL%% HTTP
URL
%%PROTOCOL%%


HTTP HTTPS HTML
FTP Telnet


HTML

• <INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25>
• <INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25>
HTTP HTML

set buffer <message>
set format <format>
set header <header_type>
8,192

RADIUS challenge-access auth
challenge-access Reply-Message
“Please enter new PIN”
RADIUS
PIN
SecurID PIN
Web
8192 16384 24576

config system global
set auth-keepalive enable
%%TIMEOUT%%

HTML

auth-reject-page Disclaimer page URL URL
RG-WALL

%%TIMEOUT%%
• ACTION="/" METHOD="POST" HTML

• The form must contain the following visible controls:
• <INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25>
• <INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25>
replacemsg device-detection-portal
set buffer <message>
set format <format>
set header <header_type>


RuijieGuardWeb
RuijieGuard URL RG-WALL HTTP 8
RuijieGuard Web HTTP 4xx 5xx
RuijieGuard RuijieGuard HTTP
RG-WALL SSL HTTPS

set buffer <message>
set format <format>
set header <header_type>
8,192
ftgd-block Enable RuijieGuard Web Filtering Web HTTP
HTTPS ftgd-block
8: RuijieGuard

“web filter override”

http-err Provide details for blocked HTTP 4xx and 5xx errors Web
HTTP HTTPS http-err

FTP FTP
set buffer <message>
set format <format>
set header <header_type>
8,192
FTP

%%URL%% HTTP
URL
%%PROTOCOL%%
IP
IP
HTTP HTTP HTTP HTML
RG-WALL SSL HTTPS


set buffer <message>
set format <format>
set header <header_type>
8,192
bannedword
http-block Antivirus File Filter Web HTTP
HTTPS HTTP GET
http-block

http-client-archive-
block

http-client-bannedword
http-client-block Antivirus File Filter HTTP HTTPS
HTTP POST
http-client-block

http-client-filesize Oversized File/Email Block HTTP HTTPS HTTP
PUT http-client-filesize

http-contenttype-
block
http-contenttype-block
http-filesize HTTP HTTPS Antivirus Oversized File/Email Block
HTTP GET http-filesize

http-post-block HTTP POST Action Block RG-WALL HTTP POST
http-post-block
URL infcache-block
URL “firewall policy”
url-block URL URL
URL url-block
%%VIRUS%% %%VIRUS%%
%%URL%% HTTP
URL
%%PROTOCOL%%
IP
set buffer <message>
set format <format>
set header <header_type>
8,192
Message name




Message name
AIM ICQ MSN Yahoo CLI
im-photo-share-block block-photo CLI
MSN Yahoo CLI
im-voice-chat-block block-long-chatBlock Audio
AIM ICQ MSN Yahoo!
im-video-chat-block block-video CLI
MSN CLI

%%VIRUS%% %%VIRUS%%
%%PROTOCOL%%
IP
IP
set buffer <message>
set format <format>
set header <header_type>
8,192
Message name

Message name
email-filesize
partial
RG-WALL SMTP 554 SMTP
smtp-block
RG-WALL SMTP RG-WALL
SMTP 554 SMTP smtp-
filesize
%%VIRUS%% %%VIRUS%%
%%PROTOCOL%%
8,192
comment <comment_str>
http


SSL VPN
<msg_category>

replacemsg-group

message mm1 mm3 mm4 mm7 buffer


set group-type {auth | captive-portal | ec | utm}
config {auth | ec | Ruijieguard-wf | ftp | http | mail | mm1 | mm3 | mm4 | mm7 | nntp | spam}
edit <msgkey_integer>
VDOM
comment <string>
captive-portal — captive-portal
utm — UTM

message <string>
buffer
SMIL image-base64 image-type



NAC DoS IPS
HTTP HTML

set buffer <message>
set format <format>
set header <header_type>
8,192
Message name
nac-quar-dos DoS CLI quarantine attacker interface
DoS DoS IP IP RG-WALL
RG-WALL 80
HTTP RG-WALL
quarantine both
17: nac-quar message types
Message name
RG-WALL 80 HTTP
RG-WALL 80 HTTP
RG-WALL method
Attacker and Victim IP Address
nac-quar-virus Antivirus Quarantine Virus Sender IP RG-WALL
RG-WALL 80 HTTP
RG-WALL


set buffer <message>
set format <format>
set header <header_type>
8,192
Message name
NNTP RG-WALL nntp-dl-blocked
FTP
nntp-dl-filesize NNTP Antivirus Oversized File/Email Block RG-WALL
NNTP nntp-dl-
filesize
sslvpn-logon RG-WALL SSL VPN
sslvpn-limit SSL VPN
RG-WALL
HTTP HTML

set buffer <message>
set format <format>
set header <header_type>
8,192
RG-WALL RG-WALL HTTP per-IP
HTTP HTML

set buffer <message>
set format <format>
set header <header_type>
8,192

set buffer <message>
set format <format>
set header <header_type>
8,192
virus-text
23:
%%VIRUS%% %%VIRUS%%
%%PROTOCOL%%
VDOM
VDOM VDOM 100 VPN IPSec Phase1

end
100 VPN IPSec Phase 1 VDOM
VDOM VDOM
“system vdom-property”
RG-WALL RG-WALL
RG-WALL RG-WALL Maximum
Values Matrix
0
0

firewall-address
log-disk-quota
IP
port <port_int> HTTP-GET TCP 80
protocol {ping | http-get} ping
response-v