HP Load Balancing Module Security Command Reference
Part number: 5998-4226
Software version: Feature 3221
Document version: 6PW100-20130326
Legal and notice information
© Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
Security zone configuration commands 1
  import interface 1
  interzone
domain default enable 52
domain if-unknown 53
self-service-url enable 54
session-time i
display hwtacacs 102
display stop-accounting-buffer (for HWTACACS) 105
hwtacacs nas-ip 106
hwtacacs scheme
public-key peer import sshkey 149
PKI configuration commands 150
  attribute 150
  ca identifier
SSH configuration commands 187
  SSH server configuration commands 187
    display ssh server 187
    display ssh user-informa
reset session 228
reset session statistics 229
session aging-time 230
sessi
Connection limit configuration commands 276
  connection-limit apply policy 276
  connection-limit policy 276
  display connection-limit policy
Security zone configuration commands

import interface
Use import interface to add an interface to a security zone.
Use undo import interface to remove an interface from a security zone.
Syntax
import interface interface-type interface-number [ vlan vlan-list ]
undo import interface interface-type interface-number [ vlan vlan-list ]
Default
On an LB module, GigabitEthernet 0/1 belongs to security zone Management and the other interfaces are not added to any security zone.
[Sysname-zone-Trust] quit
# Add Layer 2 Ethernet interface GigabitEthernet 0/2 and VLAN 10 to security zone Untrust.
system-view
[Sysname] zone name Untrust
[Sysname-zone-Untrust] import interface gigabitethernet 0/2 vlan 10
[Sysname-zone-Untrust] quit
Related commands
zone

interzone
Use interzone to create an interzone instance and enter interzone instance view.
Use undo interzone to remove an interzone instance.
[Sysname] interzone source Trust destination Untrust
# Log in to VD test, and create an interzone instance with source security zone Zoffice and destination security zone Zpublic.
system-view
[Sysname] switchto vd test
[Sysname-vsys-test] interzone source Zoffice destination Zpublic
Related commands
zone

priority
Use priority to set the priority of a security zone.
undo share enable
Default
The share attribute of a security zone is disabled.
Views
Security zone view
Default command level
2: System level
Usage guidelines
A security zone with its share attribute enabled can be used by the interzone instances of other VDs as the destination security zone. A security zone with its share attribute disabled can be used only by interzone instances of its native VD.
Examples
# Enable the share attribute of security zone zonetest (with the ID 7).
Usage guidelines
When creating a security zone, you must specify a security zone name and a security zone ID, each of which must be unique within the VD. To enter the view of an existing security zone, specify the security zone name, or specify both the security zone name and the security zone ID. If you specify both, make sure the two arguments identify the same security zone.
Time range commands

display time-range
Use display time-range to display the configuration and status of the specified time range or all time ranges.
Syntax
display time-range { time-range-name | all } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
time-range-name: Specifies a time range name, a case-insensitive string of 1 to 32 characters. It must start with an English letter.
time-range
Use time-range to configure a time range. If you provide an existing time range name, the command adds a statement to the time range.
Use undo time-range to delete a time range or a statement in the time range.
Usage guidelines
You can create multiple statements in a time range. Each time statement can take one of the following forms:
• Periodic statement, in the start-time to end-time days format. A periodic statement recurs periodically on a day or days of the week.
• Absolute statement, in the from time1 date1 to time2 date2 format. An absolute statement does not recur.
• Compound statement, in the start-time to end-time days from time1 date1 to time2 date2 format.
ACL configuration commands

acl
Use acl to create an IPv4 basic, IPv4 advanced, or Ethernet frame header ACL, and enter its view. If the ACL has already been created, you directly enter its view.
Use undo acl to delete the specified ACLs.
Syntax
acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl { all | name acl-name | number acl-number }
Default
No ACL exists.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]
# Create IPv4 basic ACL 2001 with the name flow, and enter its view.
system-view
[Sysname] acl number 2001 name flow
[Sysname-acl-basic-2001-flow]

acl accelerate
Use acl accelerate to enable ACL acceleration for an IPv4 basic or IPv4 advanced ACL.
Use undo acl accelerate to disable ACL acceleration for an IPv4 basic or IPv4 advanced ACL.
acl copy
Use acl copy to create an IPv4 basic, IPv4 advanced, or Ethernet frame header ACL by copying an ACL that already exists. The new ACL has the same properties and content as the source ACL, but not the same ACL number and name.
Syntax
acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
undo acl ipv6 { all | name acl6-name | number acl6-number }
Default
No ACL exists.
Views
System view
Default command level
2: System level
Parameters
number acl6-number: Specifies the number of an ACL:
• 2000 to 2999 for IPv6 basic ACLs
• 3000 to 3999 for IPv6 advanced ACLs
name acl6-name: Assigns a name to the ACL for easy identification.
acl ipv6 copy
Use acl ipv6 copy to create an IPv6 basic or IPv6 advanced ACL by copying an ACL that already exists. The new ACL has the same properties and content as the source ACL, but not the same ACL number and name.
Default command level
2: System level
Parameters
acl6-name: Specifies an IPv6 basic or IPv6 advanced ACL name, a case-insensitive string of 1 to 63 characters. It must start with an English letter. The ACL must already exist.
Examples
# Enter the view of IPv6 basic ACL flow.
system-view
[Sysname] acl ipv6 name flow
[Sysname-acl6-basic-2001-flow]
Related commands
acl ipv6

acl name
Use acl name to enter the view of an IPv4 basic, IPv4 advanced, or Ethernet frame header ACL that has a name.
Default
An ACL has no ACL description.
Views
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default command level
2: System level
Parameters
text: Specifies an ACL description, a case-sensitive string of 1 to 127 characters.
Examples
# Configure a description for IPv4 basic ACL 2000.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This is an IPv4 basic ACL.
# Configure a description for IPv6 basic ACL 2000.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see System Management Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Field | Description
2 times matched | There have been two matches for the rule. The statistic counts only ACL matches performed in software. This field is not displayed when no packets have matched the rule.
No statistics resource | Resources are not enough for counting matches for the rules. The device does not support counting rule matches.
Uncompleted | Applying the rule to hardware failed because no sufficient resources were available or the hardware does not support the rule.
3000 ACC OOD
3001 ACC UTD
3002 UNACC UTD
Table 3 Command output
Field | Description
Group | ACL number.
Accelerate | Whether ACL acceleration is enabled:
  • ACC: Enabled.
  • UNACC: Disabled.
Status | Whether ACL acceleration is using up-to-date criteria for rule matching:
  • UTD: The ACL criteria are up to date and have not changed since ACL acceleration was enabled.
  • OOD: The ACL criteria are out of date. This state is displayed if you modified the ACL after ACL acceleration was enabled.
Usage guidelines
This command displays ACL rules in config or depth-first order, whichever is configured.
Examples
# Display configuration and match statistics for all IPv6 basic and IPv6 advanced ACLs.
display acl ipv6 all
Basic IPv6 ACL 2000, named flow, 3 rules,
This is an IPv6 basic ACL.
Field | Description
rule 10 comment This rule is used in VPN rd. | Comment about ACL rule 10.

reset acl counter
Use reset acl counter to clear statistics for one or all IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs.
• 2000 to 2999 for IPv6 basic ACLs
• 3000 to 3999 for IPv6 advanced ACLs
all: Clears statistics for all IPv6 basic and advanced ACLs.
name acl6-name: Specifies an ACL by its name. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
Examples
# Clear statistics for IPv6 basic ACL 2001.
dest-mac dest-address dest-mask: Matches a destination MAC address range. The dest-address and dest-mask arguments represent a destination MAC address and mask in H-H-H format.
lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.
[ icmp-code ] | icmp-message } | logging | precedence precedence | reflective | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | fragment | icmp-type | logging | precedence | reflective | source | source-port | time-range | tos | vpn-instance ] *
Default
An IPv4 adv
Parameters: tos tos
  Function: Specifies a ToS preference.
  Description: The tos argument can be a number in the range of 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).
Table 6 TCP/UDP-specific parameters for IPv4 advanced ACL rules
Parameters: source-port operator port1 [ port2 ]
  Function: Specifies one or more UDP or TCP source ports.
  Description: The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range).
Parameters: destination-port operator port1 [ port2 ]
  Function: Specifies one or more UDP or TCP destination ports.
  Description: The operator argument takes the same values as for source-port.
ICMP message name | ICMP message type | ICMP message code
host-redirect | 5 | 1
host-tos-redirect | 5 | 3
host-unreachable | 3 | 1
information-reply | 16 | 0
information-request | 15 | 0
net-redirect | 5 | 0
net-tos-redirect | 5 | 2
net-unreachable | 3 | 0
parameter-problem | 12 | 0
port-unreachable | 3 | 3
protocol-unreachable | 3 | 2
reassembly-timeout | 11 | 1
source-quench | 4 | 0
source-route-failed | 3 | 5
timestamp-reply | 14 | 0
timestamp-request | 13 | 0
ttl-exceeded | 11 | 0
Usage guidelines
Within an ACL, the perm
[Sysname-acl-adv-3002] rule permit tcp source-port eq ftp-data
[Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp
[Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
fragment: Applies the rule only to non-first fragments. A rule without this keyword applies to both fragments and non-fragments.
logging: Logs matching packets. This function is available only when the application module that uses the ACL supports the logging function.
source { source-address source-wildcard | any }: Matches a source address. The source-address source-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation.
dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destinatio
Parameters: dscp dscp
  Function: Specifies a DSCP preference.
  Description: The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).
Parameters: flow-label flow-label-value
  Function: Specifies a flow label value in an IPv6 packet header.
Parameters: { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *
  Function: Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set).
  Description: Parameter specific to TCP.
Parameters: established
  Function: Specifies the flags for indicating the established status of a TCP connection.
  Description: Parameter specific to TCP. The TCP flags in a rule are ORed.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.
To view the rules in an ACL and their rule IDs, use the display acl ipv6 all command.
Examples
# Create an IPv6 advanced ACL rule to permit TCP packets with the destination port 80 from 2030:5060::/64 to FE80:5060::/96, and enable logging of matching packets.
Syntax
rule [ rule-id ] { deny | permit } [ counting | fragment | logging | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ counting | fragment | logging | routing | source | time-range | vpn-instance ] *
Default
An IPv6 basic ACL does not contain any rule.
Examples
# Create an IPv6 basic ACL rule to deny the packets from any source IP segment except 1001::/16, 3124:1123::/32, and FE80:5060:1001::/48.
[Sysname-acl6-basic-2000] rule 0 comment This rule is used on GigabitEthernet 0/1.
Related commands
• display acl
• display acl ipv6

rule remark
Use rule remark to add a start or end remark for a range of rules that are created for the same purpose.
Use undo rule remark to delete the specified or all rule range remarks.
Syntax
rule [ rule-id ] remark text
undo rule [ rule-id ] remark [ text ]
Default
No rule range remarks are configured.
number for the rule-id argument. In this approach, the end rule appears below the end remark. Whichever approach you use, be consistent.
Examples
# Display the running configuration of IPv4 basic ACL 2000.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] display this
#
acl number 2000
 rule 0 permit source 14.1.1.0 0.0.0.255
 rule 5 permit source 10.1.1.1 0 time-range work-time
 rule 10 permit source 192.168.0.0 0.0.0.255
 rule 15 permit source 1.1.1.1 0
 rule 20 permit source 10.1.1.
undo step
Default
The rule numbering step is 5.
Views
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default command level
2: System level
Parameters
step-value: ACL rule numbering step, in the range of 1 to 20.
Usage guidelines
The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5.
AAA configuration commands

General AAA configuration commands

access-limit enable
Use access-limit enable to set the maximum number of online users in an ISP domain. After the number of online users reaches the allowed maximum, no more users are accepted.
Use undo access-limit enable to restore the default.
Syntax
access-limit enable max-user-number
undo access-limit enable
Default
There is no limit to the number of online users in an ISP domain.
Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command
Default
The default accounting method for the ISP domain is used for command line accounting.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified HWTACACS scheme must have been configured.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured. Accounting is not supported for login users who use FTP.
Usage guidelines
After you configure the accounting optional command for a domain, a user who would otherwise be disconnected can continue to use the network resources when no accounting server is available or when communication with the current accounting server fails. However, the device no longer sends real-time accounting updates for the user. The accounting optional feature applies to scenarios where accounting is not important.
Examples
# Configure the default authentication method for ISP domain test to use RADIUS authentication scheme rd and use local authentication as the backup.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication default radius-scheme rd local
Related commands
• local-user
• hwtacacs scheme
• radius scheme

authentication login
Use authentication login to configure the authentication method for login users through the console port, Telnet, or FTP.
# Configure ISP domain test to use RADIUS authentication scheme rd for login users and use local authentication as the backup.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication login radius-scheme rd local
Related commands
• local-user
• authentication default
• hwtacacs scheme
• radius scheme

authentication super
Use authentication super to configure the authentication method for user privilege level switching.
Use undo authentication super to restore the default.
Related commands
• hwtacacs scheme
• radius scheme
• super authentication-mode (System Management Command Reference)

authorization command
Use authorization command to configure the command line authorization method.
Use undo authorization command to restore the default.
Syntax
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }
undo authorization command
Default
The default authorization method for the ISP domain is used for command line authorization.
• authorization default
• hwtacacs scheme

authorization default
Use authorization default to configure the default authorization method for an ISP domain.
Use undo authorization default to restore the default.
Syntax
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization default
Default
The default authorization method for an ISP domain is local.
• radius scheme

authorization login
Use authorization login to configure the authorization method for login users through the console port, Telnet, or FTP.
Use undo authorization login to restore the default.
Syntax
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization login
Default
The default authorization method for the ISP domain is used for login users.
• authorization default
• hwtacacs scheme
• radius scheme

display connection
Use display connection to display information about AAA user connections.
Examples
# Display information about all AAA user connections.
display connection
Index=1 ,Username=telnet@system
IP=10.0.0.1
Total 1 connection(s) matched.
# Display information about the AAA user connection with the index 0.
display connection ucibindex 0
Index=0 , Username=telnet@system
IP=10.0.0.
display domain
Use display domain to display the configuration of ISP domains.
Syntax
display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
isp-name: Name of an existing ISP domain, a string of 1 to 24 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see System Management Configuration Guide.
Field | Description
State | Status of the ISP domain: active or blocked. Users in an active ISP domain can request network services; users in a blocked ISP domain cannot.
Access-limit | Limit on the number of user connections. If there is no limit on the number, this field displays Disabled.
Accounting method | Indicates whether accounting is required. If accounting is required and no accounting server is available or communication with the accounting server fails, user connections are torn down.
Parameters
isp-name: Specifies an ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain the slash (/), backslash (\), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), quotation marks ("), vertical bar (|), or at sign (@).
Usage guidelines
All ISP domains are in active state when they are created. The system predefined ISP domain system cannot be deleted, but you can modify its configuration.
Examples
# Create a new ISP domain named test, and configure it as the default ISP domain.
system-view
[Sysname] domain test
[Sysname-isp-test] quit
[Sysname] domain default enable test
Related commands
• domain
• state
• display domain

domain if-unknown
Use domain if-unknown to specify an ISP domain for users with unknown domain names.
Use undo domain if-unknown to restore the default.
Related commands
domain default enable

self-service-url enable
Use self-service-url enable to enable the self-service server location function and specify the URL of the self-service server.
Use undo self-service-url enable to restore the default.
Syntax
self-service-url enable url-string
undo self-service-url enable
Default
The self-service server location function is disabled.
Views
ISP domain view
Default command level
2: System level
Usage guidelines
The device uploads the online user time to the server when a user is logged off. However, the online user time of an abnormally logged-off user can contain an idle timeout interval or a detection interval when the idle cut function is enabled. According to your accounting policy, you can configure the device to include or exclude the idle cut time before it uploads the online user time to the server.
Examples
# Place the ISP domain test in the blocked state.
system-view
[Sysname] domain test
[Sysname-isp-test] state block

Local user configuration commands

access-limit
Use access-limit to limit the number of concurrent users of the same local user account.
Use undo access-limit to remove the limitation.
Syntax
access-limit max-user-number
undo access-limit
Default
There is no limit to the number of users who concurrently use the same local user account.
Syntax
authorization-attribute { level level | user-role { guest | guest-manager | security-audit } | work-directory directory-name } *
undo authorization-attribute { level | user-role | work-directory } *
Default
No authorization attribute is configured for a local user or user group.
[Sysname] local-user abc
[Sysname-luser-abc] authorization-attribute level 2
# Configure the authorized user level of user group abc as 3.
system-view
[Sysname] user-group abc
[Sysname-ugroup-abc] authorization-attribute level 3

bind-attribute
Use bind-attribute to configure binding attributes for a local user.
Use undo bind-attribute to remove binding attributes of a local user.
Default command level
1: Monitor level
Parameters
vd vd-name: Specifies the local users who belong to the specified VD. The vd-name argument represents the VD name, a case-insensitive string of 1 to 20 characters.
service-type: Specifies the local users who use a specified type of service.
• ftp: FTP users.
• ssh: SSH users.
• telnet: Telnet users.
• terminal: Users logging in through the console port.
• web: Web users.
state { active | block }: Specifies local users in active or blocked state.
Field | Description
ServiceType | Service types that the local user can use, including FTP, SSH, Telnet, terminal, and Web.
Access-limit | Whether or not to limit the number of concurrent connections of the username.
Current AccessNum | Number of connections that currently use the username.
Bind attributes | Binding attributes of the local user.
Authorization attributes | Authorization attributes of the local user.
User Profile | User profile for local user authorization.
Vlan ID: 1
User-Profile: 1
Password aging: Enabled (1 days)
Password length: Enabled (4 characters)
Password composition: Enabled (1 types, 1 characters per type)
Total 1 user group(s) matched.
Table 16 Command output
Field | Description
Idle-cut | Idle timeout interval, in minutes.
Work Directory | Directory that FTP/SFTP users in the group can access.
Level | Level of the local users in the group.
ACL Number | Authorization ACL for the local users in the group.
Usage guidelines
For temporary network access requirements, create a guest account, and specify a validity time and an expiration time for the account to control the validity of the account. When a user uses the guest account for local authentication and passes the authentication, the access device checks whether the current system time is between the validity time and the expiration time. If it is, the device permits the user to access the network.
undo group-attribute allow-guest
Default
The guest attribute is not set for a user group, and guest users created by a guest manager through the Web interface cannot join the group.
Views
User group view
Default command level
3: Manage level
Usage guidelines
The guest attribute is set for the system predefined user group system, and you cannot remove the attribute from that user group.
Examples
# Set the guest attribute for user group test.
service-type: Specifies the users of a type.
• ftp: FTP users.
• ssh: SSH users.
• telnet: Telnet users.
• terminal: Users logging in through the console port.
• web: Web users.
Examples
# Add a local user named user1.
system-view
[Sysname] local-user user1
[Sysname-luser-user1]
Related commands
• display local-user
• service-type

password
Use password to configure a password for a local user.
Use undo password to delete the password of a local user.
When the password control feature is globally enabled by using the password-control enable command, local user passwords are subject to the password control restrictions (such as length and complexity requirements) and are not displayed, and the password hash cipher command cannot be used.
Examples
# Set the password to 123456 in plain text for local user user1.
Usage guidelines
You can assign multiple service types to the same user.
Examples
# Authorize user user1 to use the Telnet service.
system-view
[Sysname] local-user user1
[Sysname-luser-user1] service-type telnet

state (local user view)
Use state to set the status of a local user.
Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
A local user is in active state.
undo user-group group-name
Views
System view
Default command level
3: Manage level
Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.
and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2012/2/2 equals 02:02:00-2012/02/02.
Usage guidelines
For temporary network access requirements, create a guest account, and specify a validity time and an expiration time for the account to control the validity of the account.
Usage guidelines
The accounting-on feature enables the device, after rebooting, to automatically send an accounting-on message to the RADIUS accounting server indicated by the RADIUS scheme, so that the server stops accounting for, and logs out, the users that were online before the reboot. Parameters set with the accounting-on enable command take effect immediately. After executing the accounting-on enable command, issue the save command to make sure that the command takes effect after the device reboots.
Use undo data-flow-format to restore the default.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
The unit for data flows is byte and that for data packets is one-packet.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see System Management Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Interval for realtime accounting(minute)           : 12
Retransmission times of realtime-accounting packet : 5
Retransmission times of stop-accounting packet     : 500
Quiet-interval(min)                                : 5
Username format                                    : without-domain
Data flow unit                                     : Byte
Packet unit                                        : one
NAS-IP address                                     : 1.1.1.1
Attribute 25                                       : car
-----------------------------------------------------------------
Total 1 RADIUS scheme(s).
Table 17 Command output
SchemeName: Name of the RADIUS scheme.
send times: Retransmission times of accounting-on packets.
interval: Interval at which the device retransmits accounting-on packets.
Interval for timeout(second): RADIUS server response timeout period, in seconds.
Retransmission times for timeout: Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
Interval for realtime accounting(minute): Interval for real-time accounting, in minutes.
display radius statistics
state statistic(total=1024):
 AuthProc  = 0      AuthSucc  = 0      AcctStart = 0      DEAD   = 1024
 RLTSend   = 0      RLTWait   = 0      AcctStop  = 0      OnLine = 0
 Stop      = 0
Received and Sent packets statistic:
 Sent PKT total = 1547      Received PKT total = 23
 Resend Times      Resend total
 1                 508
 2                 508
 Total             1016
RADIUS received packets statistic:
 Code = 2    Num = 15    Err = 0
 Code = 3    Num = 4     Err = 0
 Code = 5    Num = 4     Err = 0
 Code = 11   Num = 0     Err = 0
Running statistic:
 RADIUS received
Table 18 Command output
state statistic: User statistics, by state.
DEAD: Number of idle users.
AuthProc: Number of users waiting for authentication.
AuthSucc: Number of users who have passed authentication.
AcctStart: Number of users for whom accounting has been started.
RLTSend: Number of users for whom the system sends real-time accounting packets.
RLTWait: Number of users waiting for real-time accounting.
AcctStop: Number of users waiting for accounting to stop.
Accounting on request: Count of accounting-on requests.
Accounting on response: Count of accounting-on responses.
Dynamic Author Ext request: Count of dynamic authorization extension requests.
RADIUS sent messages statistic: Statistics for sent RADIUS messages.
Auth accept: Number of accepted authentication packets.
Auth reject: Number of rejected authentication packets.
Account success: Number of successful accounting packets.
session-id session-id: Specifies the stop-accounting requests buffered for a session. The session ID is a string of 1 to 50 characters.
time-range start-time stop-time: Specifies the stop-accounting requests buffered in a time range. The start time and end time must be in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD.
user-name user-name: Specifies the stop-accounting requests buffered for a user. The username is a case-sensitive string of 1 to 80 characters.
Default
No shared key is configured.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
accounting: Sets the shared key for secure RADIUS accounting communication.
authentication: Sets the shared key for secure RADIUS authentication/authorization communication.
cipher: Sets a cipher text shared key.
simple: Sets a plain text shared key.
key: Specifies the shared key string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 64 characters.
Use undo nas-ip to restore the default.
Syntax
nas-ip { ipv4-address | ipv6 ipv6-address }
undo nas-ip
Default
The source IP address of an outgoing RADIUS packet is that configured by the radius nas-ip command in system view. If the radius nas-ip command is not configured, the source IP address is the IP address of the outbound interface.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ipv4-address: IPv4 address in dotted decimal notation.
Syntax
primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
undo primary accounting
Default
No primary RADIUS accounting server is specified.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.
If you remove an accounting server being used by users, the device can no longer send real-time accounting requests or stop-accounting requests for the users, and it does not buffer the stop-accounting requests.
For secrecy, all shared keys, including keys configured in plain text, are saved in cipher text.
Examples
# For RADIUS scheme radius1, set the IP address of the primary accounting server to 10.110.1.2, the UDP port to 1813, and the shared key to hello in plain text.
vpn-instance vpn-instance-name: Specifies the VPN to which the primary RADIUS authentication/authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
probe: Enables the device to detect the status of the primary RADIUS authentication/authorization server.
username name: Specifies the username in the authentication request for server status detection.
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 probe username test interval 120
Related commands
• key
• vpn-instance (RADIUS scheme view)
radius client
Use radius client enable to enable the RADIUS client service.
Use undo radius client to disable the RADIUS client service.
Syntax
radius client enable
undo radius client
Default
The RADIUS client service is enabled.
undo radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.
Views
System view
Default command level
2: System level
Parameters
ipv4-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address.
ipv6 ipv6-address: Specifies an IPv6 address.
Default
No RADIUS scheme is defined.
Views
System view
Default command level
3: Manage level
Parameters
radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A RADIUS scheme can be referenced by more than one ISP domain at the same time. A RADIUS scheme referenced by ISP domains cannot be removed.
Examples
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
authentication-server-down: Sends traps when the reachability of the authentication server changes.
Usage guidelines
With the trap function for RADIUS, a NAS sends a trap message in the following cases:
• When the status of a RADIUS server changes. If a NAS sends a request but receives no response before the maximum number of attempts is exceeded, it places the server in the blocked state and sends a trap message.
Parameters
radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme. The RADIUS scheme name is a case-insensitive string of 1 to 32 characters.
session-id session-id: Specifies the stop-accounting requests buffered for a session. The session ID is a string of 1 to 50 characters.
time-range start-time stop-time: Specifies the stop-accounting requests buffered in a time range.
retransmits the RADIUS request. If the number of transmission attempts exceeds the limit but the device still receives no response from the RADIUS server, the device considers the request a failure. The maximum number of packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.
Examples
# Set the maximum number of RADIUS request transmission attempts to 5 for RADIUS scheme radius1.
minutes, and retransmits the request if it sends the request but receives no response within 3 seconds. If the device receives no response after transmitting the request three times, it considers the accounting attempt a failure, and it makes another accounting attempt. If five consecutive accounting attempts fail, the device cuts the user connection.
Examples
# Set the maximum number of accounting attempts to 10 for RADIUS scheme radius1.
Examples
# Set the maximum number of stop-accounting request transmission attempts to 1000 for RADIUS scheme radius1.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry stop-accounting 1000
Related commands
• retry
• retry stop-accounting
• timer response-timeout
• display stop-accounting-buffer
secondary accounting (RADIUS scheme view)
Use secondary accounting to specify a secondary RADIUS accounting server.
Usage guidelines
Make sure the port number and shared key settings of the secondary RADIUS accounting server are the same as those configured on the server.
You can configure up to 16 secondary RADIUS accounting servers for a RADIUS scheme. After the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary RADIUS accounting server configured earlier has a higher priority) and tries to communicate with it.
Use undo secondary authentication to remove the configuration.
Syntax
secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] | vpn-instance vpn-instance-name ] *
undo secondary authentication [ ipv4-address | ipv6 ipv6-address ]
Default
No secondary RADIUS authentication/authorization server is specified.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be different from each other. Otherwise, the configuration fails.
If the specified server resides on a VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
• vpn-instance (RADIUS scheme view)
security-policy-server
Use security-policy-server to specify a security policy server for a RADIUS scheme.
Use undo security-policy-server to remove one or all security policy servers for a RADIUS scheme.
Syntax
security-policy-server ip-address
undo security-policy-server { ip-address | all }
Default
No security policy server is specified for a RADIUS scheme.
Default command level
2: System level
Parameters
extended: Specifies the extended RADIUS server (generally running on IMC), which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats provisioned by the proprietary RADIUS protocol.
standard: Specifies the standard RADIUS server, which requires the RADIUS client and RADIUS server to interact according to the procedures and packet format of the standard RADIUS protocol (RFC 2865 and RFC 2866 or their successors).
Examples
# Set the status of the primary server in RADIUS scheme radius1 to blocked.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state primary authentication block
Related commands
• display radius scheme
• state secondary
state secondary
Use state secondary to set the status of a secondary RADIUS server.
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state secondary authentication block
Related commands
• display radius scheme
• state primary
stop-accounting-buffer enable (RADIUS scheme view)
Use stop-accounting-buffer enable to enable the device to buffer stop-accounting requests to which no responses are received.
Use undo stop-accounting-buffer enable to disable the buffering function.
undo timer quiet
Default
The server quiet period is 5 minutes.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
minutes: Server quiet period in minutes, ranging from 0 to 255. If you set this argument to 0, when the device attempts to send an authentication or accounting request but the current server is unreachable, the device sends the request to the next server in active state, without changing the current server's status.
Default command level
2: System level
Parameters
minutes: Real-time accounting interval in minutes. The value can be 0 or a multiple of 3, ranging from 3 to 60.
Usage guidelines
For real-time accounting, a NAS must transmit the accounting information of online users to the RADIUS accounting server periodically. This command sets the interval.
Default command level
2: System level
Parameters
seconds: RADIUS server response timeout period in seconds, ranging from 1 to 10.
Usage guidelines
If a NAS receives no response from the RADIUS server within a period of time after sending a RADIUS request (authentication/authorization or accounting request), it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the retransmission interval.
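The constraints scattered across the radius nas-ip, retry, timer quiet, timer realtime-accounting and timer response-timeout commands above are easy to get wrong in a templated configuration. The following Python checker is an added example, not device code or HP tooling: it encodes exactly the ranges this reference states (nas-ip may not be 0.0.0.0, 255.255.255.255, class D or class E; response timeout 1 to 10 seconds; quiet period 0 to 255 minutes; real-time accounting interval 0 or a multiple of 3 between 3 and 60; retries multiplied by timeout no greater than 75) so a reviewer can lint a scheme before it is pushed. Function names and the error strings are this example's own.

```python
"""Lint RADIUS scheme settings against the constraints stated in the
command reference (added example; hypothetical checker, not device code)."""
import ipaddress
from typing import List, Optional

# Upper bound on retry * response-timeout stated under the retry command.
MAX_RETRY_TIMEOUT_PRODUCT = 75


def check_nas_ip(addr: str) -> Optional[str]:
    """Return None if addr is usable as a RADIUS NAS-IP, else the reason it is not.
    The reference forbids 0.0.0.0, 255.255.255.255, class D and class E."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return "not a valid IPv4 address"
    if ip == ipaddress.IPv4Address("0.0.0.0"):
        return "0.0.0.0 is not allowed"
    if ip == ipaddress.IPv4Address("255.255.255.255"):
        return "255.255.255.255 is not allowed"
    if ip in ipaddress.IPv4Network("224.0.0.0/4"):
        return "class D (multicast) address"
    if ip in ipaddress.IPv4Network("240.0.0.0/4"):
        return "class E (reserved) address"
    return None


def max_wait_seconds(retry: int, response_timeout: int) -> int:
    """Longest time the NAS spends on one server before declaring the request
    a failure: every attempt waits a full response-timeout period."""
    return retry * response_timeout


def check_timers(retry: int, response_timeout: int, quiet: int, realtime: int) -> List[str]:
    """Return a list of violations (empty list means the settings are consistent)."""
    problems: List[str] = []
    if retry < 1:
        problems.append("retry must be at least 1")
    if not 1 <= response_timeout <= 10:
        problems.append("timer response-timeout must be 1 to 10 seconds")
    if max_wait_seconds(retry, response_timeout) > MAX_RETRY_TIMEOUT_PRODUCT:
        problems.append(
            f"retry * response-timeout = {max_wait_seconds(retry, response_timeout)} "
            f"exceeds {MAX_RETRY_TIMEOUT_PRODUCT}")
    if not 0 <= quiet <= 255:
        problems.append("timer quiet must be 0 to 255 minutes")
    # 0 disables real-time accounting; otherwise a multiple of 3 in 3..60.
    if realtime != 0 and not (3 <= realtime <= 60 and realtime % 3 == 0):
        problems.append("timer realtime-accounting must be 0 or a multiple of 3 from 3 to 60")
    return problems


if __name__ == "__main__":
    # Constructed sample: the values from the display radius scheme output above.
    print(check_nas_ip("1.1.1.1"), check_timers(retry=3, response_timeout=3, quiet=5, realtime=12))
```

The 75-second cap matters operationally because a user waits up to retry multiplied by timeout on each server before the NAS moves on; a quiet period of 0 then makes the device try the next active server without marking the current one blocked.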
If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain. Otherwise the RADIUS server cannot distinguish two users in different ISP domains that have the same user ID, and treats them as one user.
Examples
# Specify the device to remove the domain name from the username sent to the RADIUS servers for RADIUS scheme radius1.
Use undo data-flow-format to restore the default.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
The unit for data flows is byte and that for data packets is one-packet.
Parameters
hwtacacs-scheme-name: HWTACACS scheme name.
statistics: Displays the statistics for the HWTACACS servers specified in the HWTACACS scheme. Without this keyword, the command displays the configuration of the HWTACACS scheme.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see System Management Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
--------------------------------------------------------------------
Table 20 Command output
HWTACACS-server template name: Name of the HWTACACS scheme.
Primary-authentication-server: IP address and port number of the primary authentication server. If no primary authentication server is specified, this field displays 0.0.0.0:0. This rule also applies to the following eight fields.
Primary-authorization-server: IP address and port number of the primary authorization server.
HWTACACS authen client access request send password number:  0
HWTACACS authen client access connect abort number:          0
HWTACACS authen client access connect packet number:         5
HWTACACS authen client access response error number:         0
HWTACACS authen client access response failure number:       0
HWTACACS authen client access response follow number:        0
HWTACACS authen client access response getdata number:       0
HWTACACS authen client access response getpassword number:   5
HWTACACS authen client access response getuser number:
Syntax
display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme. The HWTACACS scheme name is a case-insensitive string of 1 to 32 characters.
|: Filters command output by specifying a regular expression.
Parameters
ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address.
vpn-instance vpn-instance-name: Specifies the VPN to which the source IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. With a VPN specified, the command specifies a private-network source IP address. With no VPN specified, the command specifies a public-network source IP address.
Usage guidelines
An HWTACACS scheme can be referenced by more than one ISP domain at the same time. An HWTACACS scheme referenced by ISP domains cannot be removed.
Examples
# Create an HWTACACS scheme named hwt1, and enter HWTACACS scheme view.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]
key (HWTACACS scheme view)
Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.
Use undo key to remove the configuration.
[Sysname-hwtacacs-hwt1] key accounting simple hello
# Set the shared key for secure HWTACACS accounting communication to hello in plain text for HWTACACS scheme hwt1.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting hello
# Set the shared key for secure HWTACACS accounting communication to $c$3$jaeN0ej15fjuHKeuVh8mqicHzaHdMw== in cipher text for HWTACACS scheme hwt1.
Examples
# Set the source address for outgoing HWTACACS packets to 10.1.1.1.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1
Related commands
hwtacacs nas-ip
primary accounting (HWTACACS scheme view)
Use primary accounting to specify the primary HWTACACS accounting server.
Use undo primary accounting to remove the configuration.
Examples
# Specify the IP address and port number of the primary accounting server for HWTACACS scheme test1 as 10.163.155.12 and 49.
system-view
[Sysname] hwtacacs scheme test1
[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49
Related commands
• display hwtacacs
• vpn-instance (HWTACACS scheme view)
primary authentication (HWTACACS scheme view)
Use primary authentication to specify the primary HWTACACS authentication server.
The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
Examples
# Specify the IP address and port number of the primary authentication server for HWTACACS scheme hwt1 as 10.163.155.13 and 49.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.
You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets. Removing an authorization server only affects authorization processes that occur after the remove operation.
The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
Examples
# Configure the IP address and port number of the primary authorization server for HWTACACS scheme hwt1 as 10.163.155.13 and 49.
Views
User view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme. The HWTACACS scheme name is a case-insensitive string of 1 to 32 characters.
Examples
# Clear the stop-accounting requests buffered for HWTACACS scheme hwt1.
secondary accounting (HWTACACS scheme view)
Use secondary accounting to specify a secondary HWTACACS accounting server.
Use undo secondary accounting to remove the configuration.
Syntax
secondary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo secondary accounting
Default
No secondary HWTACACS accounting server is specified.
• vpn-instance (HWTACACS scheme view)
secondary authentication (HWTACACS scheme view)
Use secondary authentication to specify a secondary HWTACACS authentication server.
Use undo secondary authentication to remove the configuration.
Syntax
secondary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo secondary authentication
Default
No secondary HWTACACS authentication server is specified.
Related commands
• display hwtacacs
• vpn-instance (HWTACACS scheme view)
secondary authorization
Use secondary authorization to specify a secondary HWTACACS authorization server.
Use undo secondary authorization to remove the configuration.
Syntax
secondary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo secondary authorization
Default
No secondary HWTACACS authorization server is specified.
Related commands
• display hwtacacs
• vpn-instance (HWTACACS scheme view)
stop-accounting-buffer enable (HWTACACS scheme view)
Use stop-accounting-buffer enable to enable the device to buffer stop-accounting requests to which no responses are received.
Use undo stop-accounting-buffer enable to disable the buffering function.
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
Default
The device buffers stop-accounting requests to which no responses are received.
Default
The primary server quiet period is 5 minutes.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
minutes: Primary server quiet period. The value ranges from 1 to 255, in minutes.
Usage guidelines
When the primary server is found unreachable, the device changes the status of the server from active to blocked and keeps the server in blocked state until the quiet timer expires.
Examples
# Set the quiet timer for the primary server to 10 minutes.
Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting interval. A shorter interval requires higher performance. Use a longer interval when there are a large number of users (1000 or more).
Related commands
display hwtacacs
user-name-format (HWTACACS scheme view)
Use user-name-format to specify the format of the username to be sent to an HWTACACS server.
Syntax
user-name-format { keep-original | with-domain | without-domain }
Default
The ISP domain name is included in the username.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
keep-original: Sends the username to the HWTACACS server as it is entered.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
vpn-instance-name: Name of the VPN instance, a case-sensitive string of 1 to 31 characters.
Usage guidelines
The VPN specified here takes effect for all servers in the HWTACACS scheme for which no specific VPN instance is specified.
Examples
# Specify VPN instance test for HWTACACS scheme hwt1.
Password control configuration commands
display password-control
Use display password-control to display password control configuration.
Syntax
display password-control [ super ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
super: Displays the password control information of the super passwords. Without this keyword, the command displays the global password control configurations.
Super password control configurations:
 Password aging:        Enabled (90 days)
 Password length:       Enabled (10 characters)
 Password composition:  Enabled (1 types, 1 characters per type)
Table 22 Command output
Password control: Whether the password control feature is enabled.
Password aging: Whether password aging is enabled and, if enabled, the aging time.
Password length: Whether the minimum password length restriction function is enabled and, if enabled, the setting.
Parameters
user-name name: Specifies a user by the name, a string of 1 to 80 characters.
ip ipv4-address: Specifies the IPv4 address of a user.
ipv6 ipv6-address: Specifies the IPv6 address of a user.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see System Management Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Views
Local user view
Default command level
2: System level
Usage guidelines
Valid characters for a local user password are from the following four types:
• Uppercase letters A to Z
• Lowercase letters a to z
• Digits 0 to 9
• 32 special characters: blank space, tilde (~), back quote (`), exclamation point (!), at sign (@), pound sign (#), dollar sign ($), percent sign (%), caret (^), ampersand sign (&), asterisk (*), left parenthesis ("("), right parenthesis (")"), underscore (_), plus sign (+), m
Default command level
2: System level
Parameters
aging: Enables the password aging function.
composition: Enables the password composition restriction function.
history: Enables the password history function.
length: Enables the minimum password length restriction function.
Usage guidelines
For these four functions to take effect, the password control feature must be enabled globally. You must enable a function for its relevant configurations to take effect.
Default
The global password aging time is 90 days, the password aging time of a user group equals the global setting, and the password aging time of a local user equals that of the user group to which the local user belongs. The default aging time of a super password equals the global setting.
Views
System view, user group view, local user view
Default command level
2: System level
Parameters
aging-time: Specifies the password aging time in days, in the range of 1 to 365.
Syntax
password-control alert-before-expire alert-time
undo password-control alert-before-expire
Default
A user is notified of pending password expiration during the 7 days before the user's password expires.
Views
System view
Default command level
2: System level
Parameters
alert-time: Specifies the number of days before a user's password expires during which the user is notified of the pending password expiration, in the range of 1 to 30.
password-control complexity
Use password-control complexity to configure the password complexity checking policy. Passwords that do not comply with the policy are refused.
Use undo password-control complexity check to remove a password complexity checking item.
Views
System view, user group view, local user view
Default command level
2: System level
Parameters
type-number type-number: Specifies the minimum number of character types that a password must contain, in the range of 1 to 4.
type-length type-length: Specifies the minimum number of characters from each type that the password must contain, in the range of 1 to 63.
Syntax
password-control enable
undo password-control enable
Default
The password control feature is disabled globally.
Views
System view
Default command level
2: System level
Usage guidelines
The password control functions take effect only after the password control feature is enabled globally.
Examples
# Enable the password control feature globally.
system-view
[Sysname] password-control expired-user-login delay 60 times 5
Related commands
display password-control
password-control history
Use password-control history to set the maximum number of history password records for each user.
Use undo password-control history to restore the default.
Syntax
password-control history max-record-num
undo password-control history
Default
The maximum number of history password records for each user is 4.
Default command level
2: System level
Parameters
length: Specifies the minimum password length in characters, in the range of 4 to 32.
Usage guidelines
The setting in system view has global significance and applies to all user groups, the setting in user group view applies to all local users in the user group, and the setting in local user view applies to only the local user. A minimum password length setting with a smaller application range has a higher priority.
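The four character types, the composition policy (type-number and type-length), the history record limit and the minimum length described in the commands above together define what the device accepts as a local user password. The following Python module is an added example, not device code, that implements those checks the way this reference describes them so an administrator can test a candidate password policy offline. The exact set of 32 special characters is an assumption (space plus ASCII punctuation other than the question mark, which is the CLI help character, gives 32); the function names, the SHA-256 digests used to store history and the sample passwords are this example's own.

```python
"""Password composition, minimum length and history checks modelled on the
password-control commands in this reference (added example, not device code)."""
import hashlib
import string
from typing import Dict, Iterable, List, Tuple

# Assumption: the 32 special characters are space plus ASCII punctuation
# except '?', which is the CLI help character. The reference lists them
# explicitly; only the count (32) is used here.
SPECIAL = " " + string.punctuation.replace("?", "")
assert len(SPECIAL) == 32

CHARACTER_TYPES: Dict[str, set] = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(SPECIAL),
}


def composition_report(password: str) -> Tuple[Dict[str, int], List[str]]:
    """Count characters per type; characters outside the four types are returned
    separately because the device does not accept them at all."""
    counts = {name: 0 for name in CHARACTER_TYPES}
    invalid: List[str] = []
    for ch in password:
        for name, members in CHARACTER_TYPES.items():
            if ch in members:
                counts[name] += 1
                break
        else:
            invalid.append(ch)
    return counts, invalid


def _digest(password: str) -> str:
    """History is compared by digest so old passwords are never kept in clear."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class PasswordHistory:
    """Keeps the newest max_record_num digests (default 4, as for
    password-control history); the oldest record is dropped when full."""

    def __init__(self, max_record_num: int = 4) -> None:
        self.max_record_num = max_record_num
        self.records: List[str] = []

    def remember(self, password: str) -> None:
        self.records.append(_digest(password))
        del self.records[:-self.max_record_num]


def check_password(password: str, min_length: int = 10, type_number: int = 1,
                   type_length: int = 1, history: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.
    type_number: minimum number of character types (1 to 4).
    type_length: minimum number of characters from each counted type (1 to 63)."""
    problems: List[str] = []
    counts, invalid = composition_report(password)
    if invalid:
        problems.append(f"invalid characters: {''.join(sorted(set(invalid)))!r}")
    if len(password) < min_length:
        problems.append(f"length {len(password)} is below the minimum {min_length}")
    # A type counts toward type_number only if it contributes >= type_length chars.
    satisfied = sum(1 for c in counts.values() if c >= type_length)
    if satisfied < type_number:
        problems.append(f"only {satisfied} character type(s) with at least "
                        f"{type_length} character(s); {type_number} required")
    if _digest(password) in set(history):
        problems.append("password matches one of the history records")
    return problems


if __name__ == "__main__":
    # Constructed sample policy: 3 of 4 types, one character per type, length 10.
    print(check_password("Summer-Day2013", min_length=10, type_number=3))
    print(check_password("abcdefghij", min_length=10, type_number=2))
```

Note that the device applies the setting with the narrowest scope (local user over user group over system view); the checker takes the already-resolved values as arguments and does not model that precedence.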
Default command level
2: System level
Parameters
idle-time: Specifies the maximum account idle time in days, in the range of 0 to 365. 0 means no restriction for account idle time.
Examples
# Set the maximum account idle time to 30 days.
If prohibited temporarily, a user can log in again after the lock time elapses or an administrator removes the user from the password control blacklist.
If not prohibited from logging in, a user is removed from the password control blacklist as soon as the user logs in successfully or after the blacklist aging time (1 minute) elapses.
Examples
# Set the maximum number of login attempts to 4 and permanently prohibit a user from logging in if the user fails to log in after four attempts.
Default
The minimum password update interval is 24 hours.
Views
System view
Default command level
2: System level
Parameters
interval: Specifies the minimum password update interval in hours, in the range of 0 to 168. 0 means no requirement for the password update interval.
Usage guidelines
This function does not apply when a user is prompted to change the password at first login or after the password has aged out.
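The aging, alert-before-expire, account idle and update-interval settings above interact, and the exception just stated (the minimum update interval is waived on first login and after the password has aged out) is the kind of rule that is easy to miss. The following Python functions are an added example, not device code: they evaluate a user's password state against those four settings using the defaults this reference gives (90-day aging, 7-day alert window, 24-hour update interval, idle time 0 meaning unrestricted). The PasswordState fields, the function names and the sample dates are this example's own.

```python
"""Evaluate password aging, expiry alerts, account idle time and the minimum
update interval as described in the password-control commands (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass
class PasswordState:
    last_change: datetime                 # when the current password was set
    last_login: Optional[datetime] = None  # None: the account has never logged in
    first_login_pending: bool = False      # user must change the password at first login


def aging_status(state: PasswordState, now: datetime,
                 aging_days: int = 90, alert_days: int = 7) -> Tuple[str, int]:
    """Return ('expired', 0), ('expiring', days_left) inside the alert window,
    or ('ok', days_left). alert_days mirrors password-control alert-before-expire."""
    expires = state.last_change + timedelta(days=aging_days)
    if now >= expires:
        return "expired", 0
    remaining = expires - now
    days_left = remaining.days
    if remaining <= timedelta(days=alert_days):
        return "expiring", days_left
    return "ok", days_left


def account_idle_locked(state: PasswordState, now: datetime, idle_days: int = 0) -> bool:
    """True when the account has been idle longer than idle_days.
    0 means no restriction, as for password-control login idle-time."""
    if idle_days == 0 or state.last_login is None:
        return False
    return now - state.last_login > timedelta(days=idle_days)


def may_change_password(state: PasswordState, now: datetime,
                        min_interval_hours: int = 24, aging_days: int = 90) -> bool:
    """Apply the minimum update interval. The reference waives it when the user
    is prompted to change the password at first login or after it has aged out."""
    if min_interval_hours == 0:
        return True
    if state.first_login_pending:
        return True
    if aging_status(state, now, aging_days)[0] == "expired":
        return True
    return now - state.last_change >= timedelta(hours=min_interval_hours)


if __name__ == "__main__":
    # Constructed sample: password set 85 days ago, so inside the 7-day alert window.
    now = datetime(2013, 3, 26, 12, 0)
    s = PasswordState(last_change=now - timedelta(days=85), last_login=now - timedelta(days=1))
    print(aging_status(s, now), account_idle_locked(s, now, 30), may_change_password(s, now))
```

The status strings map naturally onto the three outcomes an operator sees on the device: a warning at login during the alert window, a forced change after expiry, and a refused change when the update interval has not elapsed.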
Examples
# Set the aging time for super passwords to 10 days.
system-view
[Sysname] password-control super aging 10
Related commands
password-control aging
password-control super composition
Use password-control super composition to configure the composition policy for super passwords.
Use undo password-control super composition to restore the default.
Use undo password-control super length to restore the default.
Syntax
password-control super length length
undo password-control super length
Default
The minimum password length of super passwords is the same as the global minimum password length.
Views
System view
Default command level
2: System level
Parameters
length: Specifies the minimum length for super passwords in characters, in the range of 4 to 16.
Are you sure to delete the specified user in blacklist? [Y/N]:
Related commands
display password-control blacklist
reset password-control history-record
Use reset password-control history-record to delete history password records.
Syntax
reset password-control history-record [ user-name name | super [ level level ] ]
Views
User view
Default command level
3: Manage level
Parameters
user-name name: Specifies the username of the user whose password records are to be deleted.
Public key configuration commands
display public-key local public
Use display public-key local public to display the public key information of local asymmetric key pairs.
Syntax
display public-key local rsa public [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
rsa: Specifies an RSA key pair.
|: Filters command output by specifying a regular expression.
307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12
B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75
1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001
Table 24 Command output
Time of Key pair created: Date and time when the local asymmetric key pair was created.
Key name:
• HOST_KEY—Host public key.
• SERVER_KEY—Server public key.
You can use the public-key peer command or the public-key peer import sshkey command to get a local copy of a peer public key.
Examples
# Display detailed information about the peer host public key named idrsa.
Views
Public key view
Default command level
2: System level
Related commands
public-key peer
Examples
# Exit public key view.
system-view
[Sysname] public-key peer key1
[Sysname-pkey-public-key] peer-public-key end
[Sysname]
public-key-code begin
Use public-key-code begin to enter public key code view. Then, enter the key data in the correct format to specify the peer public key. Spaces and carriage returns are allowed between characters, but are not saved.
• public-key-code end
public-key-code end
Use public-key-code end to return from public key code view to public key view and to save the configured public key.
Syntax
public-key-code end
Views
Public key code view
Default command level
2: System level
Usage guidelines
The system verifies the key before saving it. If the key is not in the correct format, the system discards the key and displays an error message. If the key is valid, the system saves the key.
Views
System view
Default command level
2: System level
Parameters
rsa: Specifies an RSA key pair.
Usage guidelines
When using this command to create RSA key pairs, you are asked to provide the length of the key modulus. The modulus length is in the range of 512 to 2048 bits, and defaults to 1024 bits. If a key pair of this type already exists, the system asks you whether you want to overwrite it.
Examples
# Create local RSA key pairs.
[Sysname] public-key local destroy rsa
Warning: Confirm to destroy these keys? [Y/N]:y
Related commands
public-key local create
public-key local export rsa
Use public-key local export rsa without the filename argument to display the host public key of the local RSA key pairs in a specific key format.
Use public-key local export rsa with the filename argument to export the host public key of the local RSA key pairs to a specific file.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6u t5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j +o0MpOpzh3W768/+u1riz+1LcwVTs51Q== rsa-key
Related commands
• public-key local create
• public-key local destroy
public-key peer
Use public-key peer to specify a name for the peer public key and enter public key view. Use undo public-key peer to remove the public key.
public-key peer import sshkey
Use public-key peer import sshkey to import a peer host public key from the public key file. Use undo public-key peer to remove the specified peer host public key.
Syntax
public-key peer keyname import sshkey filename
undo public-key peer keyname
Views
System view
Default command level
2: System level
Parameters
keyname: Specifies a public key name, a case-sensitive string of 1 to 64 characters.
filename: Specifies the name of the file that saves the peer host public key.
PKI configuration commands
attribute
Use attribute to configure the attribute rules of the certificate issuer name, certificate subject name, and alternative certificate subject name. Use undo attribute to delete the attribute rules of one or all certificates.
system-view
[Sysname] pki certificate attribute-group mygroup
[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc
# Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string abc.
[Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc
# Create a certificate attribute rule, specifying that the IP address in the alternative subject name cannot be 10.0.0.1.
Default
No entity is specified for certificate request.
Views
PKI domain view
Default command level
2: System level
Parameters
entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters.
Examples
# Specify the entity for certificate request as entity1.
certificate request mode
Use certificate request mode to set the certificate request mode. Use undo certificate request mode to restore the default.
Syntax
certificate request mode { auto [ key-length key-length | password { cipher | simple } password ] * | manual }
undo certificate request mode
Default
Manual mode is used.
Views
PKI domain view
Default command level
2: System level
Parameters
auto: Requests a certificate in auto mode.
Syntax
certificate request polling { count count | interval minutes }
undo certificate request polling { count | interval }
Default
The polling is executed every 20 minutes for up to 50 times.
Views
PKI domain view
Default command level
2: System level
Parameters
count count: Specifies the maximum number of attempts to poll the status of the certificate request, in the range of 1 to 100.
interval minutes: Specifies the polling interval in minutes, in the range of 5 to 168.
Parameters
url-string: URL of the server for certificate request, a case-insensitive string of 1 to 127 characters. It comprises the location of the server and the location of the CGI command interface script, in the format http://server_location/ca_script_location, where server_location must be an IP address; domain name resolution is not supported.
Examples
# Specify the URL of the server for certificate request.
undo country
Default
No country code is specified.
Views
PKI entity view
Default command level
2: System level
Parameters
country-code-str: Country code for the entity, a 2-character case-insensitive string.
Examples
# Set the country code of an entity to CN.
system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] country CN
crl check
Use crl check to enable or disable CRL checking.
Syntax
crl check { disable | enable }
Default
CRL checking is enabled.
crl update-period
Use crl update-period to set the CRL update period, that is, the interval at which a PKI entity with a certificate downloads the latest CRL from the LDAP server. Use undo crl update-period to restore the default.
Syntax
crl update-period hours
undo crl update-period
Default
The CRL update period depends on the next update field in the CRL file.
Views
PKI domain view
Default command level
2: System level
Parameters
hours: CRL update period in hours, in the range of 1 to 720.
Usage guidelines
When the URL of the CRL distribution point is not set, you should acquire the CA certificate and a local certificate, and then acquire a CRL through SCEP.
Examples
# Specify the URL of the CRL distribution point.
system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl url ldap://169.254.0.30
display pki certificate
Use display pki certificate to display the contents or request status of a certificate.
C=CN
ST=Country A
L=City X
O=abc
OU=bjs
CN=new-ca
Validity
Not Before: Jan 13 08:57:21 2011 GMT
Not After : Jan 20 09:07:21 2012 GMT
Subject:
C=CN
ST=Country B
L=City Y
CN=pki test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00D41D1F …
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: hyf.xxyyzz.net
X509v3 CRL Distribution Points:
URI:http://1.1.1.1:447/myca.
display pki certificate access-control-policy
Use display pki certificate access-control-policy to display information about one or all certificate attribute-based access control policies.
Syntax
display pki certificate access-control-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
policy-name: Name of the certificate attribute-based access control policy, a string of 1 to 16 characters.
Views
Any view
Default command level
1: Monitor level
Parameters
group-name: Name of a certificate attribute group, a string of 1 to 16 characters.
all: Specifies all certificate attribute groups.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see System Management Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Views
Any view
Default command level
1: Monitor level
Parameters
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see System Management Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
Field Description
Next Update: Next update time.
CRL extensions: Extensions of the CRL.
X509v3 Authority Key Identifier: CA issuing the CRLs. The certificate version is X.509 v3.
keyid: ID of the public key. A CA might have multiple key pairs. This field indicates the key pair used by the CRL's signature.
Revoked Certificates: Revoked certificates.
Serial Number: Serial number of the revoked certificate.
Revocation Date: Revocation date of the certificate.
ip (PKI entity view)
Use ip to configure the IP address of an entity. Use undo ip to remove the configuration.
Syntax
ip ip-address
undo ip
Default
No IP address is specified for an entity.
Views
PKI entity view
Default command level
2: System level
Parameters
ip-address: IP address for an entity.
Examples
# Configure the IP address of an entity as 11.0.0.1.
system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] ip 11.0.0.
Examples
# Specify an LDAP server for PKI domain 1.
system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] ldap-server ip 169.254.0.30
locality
Use locality to configure the geographical locality of an entity, which can be, for example, a city name. Use undo locality to remove the configuration.
Syntax
locality locality-name
undo locality
Default
No geographical locality is specified for an entity.
Default command level
2: System level
Parameters
org-name: Organization name, a case-insensitive string of 1 to 31 characters. No comma can be included.
Examples
# Configure the name of the organization to which an entity belongs as test-lab.
system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] organization test-lab
organization-unit
Use organization-unit to specify the name of the organization unit to which this entity belongs. Use undo organization-unit to remove the configuration.
undo pki certificate access-control-policy { policy-name | all }
Default
No access control policy exists by default.
Views
System view
Default command level
2: System level
Parameters
policy-name: Name of the certificate attribute-based access control policy, a case-insensitive string of 1 to 16 characters. It cannot be "a", "al", or "all".
all: Specifies all certificate attribute-based access control policies.
Examples
# Configure an access control policy named mypolicy and enter its view.
pki delete-certificate
Use pki delete-certificate to delete the certificate locally stored for a PKI domain.
Syntax
pki delete-certificate { ca | local } domain domain-name
Views
System view
Default command level
2: System level
Parameters
ca: Deletes the locally stored CA certificate.
local: Deletes the locally stored local certificate.
domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.
Examples
# Delete the local certificate for PKI domain cer.
[Sysname] pki domain 1
[Sysname-pki-domain-1]
pki entity
Use pki entity to create a PKI entity and enter its view. Use undo pki entity to remove a PKI entity.
Syntax
pki entity entity-name
undo pki entity entity-name
Default
No entity exists.
Views
System view
Default command level
2: System level
Parameters
entity-name: Name for the entity, a case-insensitive string of 1 to 15 characters.
Usage guidelines
You can configure a variety of attributes for an entity in PKI entity view.
der: Specifies the certificate format of DER.
p12: Specifies the certificate format of P12.
pem: Specifies the certificate format of PEM.
filename filename: Specifies the name of the certificate file to import, a case-insensitive string of 1 to 127 characters. If no file is specified, the system uses the default file name that is used when the certificate is retrieved, that is, domain-name_ca.cer, domain-name_local.cer, or domain-name_peerentity_entity-name.cer.
[Sysname] pki request-certificate domain 1 pkcs10
-----BEGIN CERTIFICATE REQUEST-----
MIIBTDCBtgIBADANMQswCQYDVQQDEwJqajCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAw5Drj8ofs9THA4ezkDcQPBy8pvH1kumampPsJmx8sGG52NFtbrDTnTT5
ALx3LJijB3d/ndKpcHT/DfbJVDCn5gdw32tBZyCkEwMHZN3ol2z7Nvdu5TED6iN8
4m+hfp1QWoV6lty3o9pxAXuQl8peUDcfN6WV3LBXYyl1WCtkLkECAwEAAaAAMA0G
CSqGSIb3DQEBBAUAA4GBAA8E7BaIdmT6NVCZgv/I/1tqZH3TS4e4H9Qo5NiCKiEw
R8owVmA0XVtGMbyqBNcDTG0f5NbHrXZQT5+MbFJOnm5K/mn1ro5TJKMTKV46PlCZ
JUjsugaY02GBY0BVcylpC9iIXLuXNIqjh1MBIq
Views
System view
Default command level
2: System level
Parameters
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
Usage guidelines
CRLs help verify the validity of certificates.
Examples
# Retrieve CRLs.
system-view
[Sysname] pki retrieval-crl domain 1
Related commands
pki domain
pki validate-certificate
Use pki validate-certificate to verify the validity of a certificate.
root-certificate fingerprint
Use root-certificate fingerprint to configure the fingerprint to be used for verifying the validity of the CA root certificate. Use undo root-certificate fingerprint to remove the configuration.
Syntax
root-certificate fingerprint { md5 | sha1 } string
undo root-certificate fingerprint
Default
No fingerprint is configured for verifying the validity of the CA root certificate.
Default command level
2: System level
Parameters
id: Number of the certificate attribute access control rule, in the range of 1 to 16. The default is the smallest unused number in this range.
deny: Indicates that a certificate whose attributes match an attribute rule in the specified attribute group is considered invalid and denied.
permit: Indicates that a certificate whose attributes match an attribute rule in the specified attribute group is considered valid and permitted.
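The following is an added example, not HP's code, that models how an attribute group built with the attribute command (ctn/nequ rules on the subject name, issuer name and alternative subject name) and an access control policy built from deny/permit rules evaluate against a certificate. The operator meanings, the "one matching rule in the group is enough" semantics, the deny-if-nothing-matches fallback, and all certificate names below are assumptions drawn from the wording of this page, not from HP documentation.

```python
# Added example, not part of the HP command reference. Models the evaluation
# of certificate attribute groups and attribute-based access control rules.
# Operator meanings (ctn = contains, nctn = does not contain, equ = equals,
# nequ = not equal) and the group/policy semantics are assumptions taken from
# the page's wording; all certificates and names are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Cert:
    """Only the name fields the attribute rules on this page refer to."""
    subject_dn: str
    issuer_fqdn: str = ""
    alt_subject_ip: str = ""


@dataclass
class AttrRule:
    rule_id: int
    name_type: str   # subject-name | issuer-name | alt-subject-name
    attr_type: str   # dn | fqdn | ip
    op: str          # ctn | nctn | equ | nequ
    value: str


# Which certificate field each (name-type, attribute-type) pair reads.
# Only the combinations that appear in the page's examples are modelled.
_FIELDS = {
    ("subject-name", "dn"): "subject_dn",
    ("issuer-name", "fqdn"): "issuer_fqdn",
    ("alt-subject-name", "ip"): "alt_subject_ip",
}


def parse_attribute(line: str) -> AttrRule:
    """Parse one CLI line: 'attribute <id> <name-type> <attr-type> <op> <value>'."""
    parts = line.split()
    if len(parts) != 6 or parts[0] != "attribute":
        raise ValueError(f"unrecognised attribute rule: {line!r}")
    rule = AttrRule(int(parts[1]), parts[2], parts[3], parts[4], parts[5])
    if (rule.name_type, rule.attr_type) not in _FIELDS:
        raise ValueError(f"unsupported name/attribute type in {line!r}")
    if rule.op not in ("ctn", "nctn", "equ", "nequ"):
        raise ValueError(f"unknown operator {rule.op!r}")
    return rule


def rule_matches(cert: Cert, rule: AttrRule) -> bool:
    actual = getattr(cert, _FIELDS[(rule.name_type, rule.attr_type)])
    if rule.op == "ctn":
        return rule.value in actual
    if rule.op == "nctn":
        return rule.value not in actual
    if rule.op == "equ":
        return actual == rule.value
    return actual != rule.value          # nequ


def group_matches(cert: Cert, group: List[AttrRule]) -> bool:
    # Assumption: the page says a certificate "matches an attribute rule in
    # the specified attribute group", so one matching rule is enough.
    return any(rule_matches(cert, r) for r in group)


def evaluate_policy(cert: Cert,
                    policy: List[Tuple[int, str, str]],
                    groups: Dict[str, List[AttrRule]]) -> str:
    """policy entries are (rule id 1..16, 'deny' | 'permit', group name).
    Rules are tried in ascending id order; the first matching group decides."""
    for rule_id, action, group_name in sorted(policy):
        if not 1 <= rule_id <= 16:
            raise ValueError("rule id must be in the range 1 to 16")
        if action not in ("deny", "permit"):
            raise ValueError(f"unknown action {action!r}")
        if group_matches(cert, groups[group_name]):
            return action
    # Assumption: a certificate that matches no rule is treated as denied.
    return "deny"


# The attribute group from the page's example plus a constructed second group.
GROUPS = {
    "mygroup": [parse_attribute(line) for line in (
        "attribute 1 subject-name dn ctn abc",
        "attribute 2 issuer-name fqdn nequ abc",
        "attribute 3 alt-subject-name ip nequ 10.0.0.1",
    )],
    "trusted": [parse_attribute("attribute 1 subject-name dn equ CN=pki-test")],
}
# Constructed policy: deny anything matching mygroup, then permit the trusted group.
POLICY = [(1, "deny", "mygroup"), (2, "permit", "trusted")]

# Constructed sample certificates (not real certificates).
CERT_A = Cert(subject_dn="CN=abc-server,O=example",
              issuer_fqdn="ca.example.test", alt_subject_ip="10.0.0.2")
CERT_B = Cert(subject_dn="CN=pki-test", issuer_fqdn="abc",
              alt_subject_ip="10.0.0.1")

if __name__ == "__main__":
    for name, cert in (("CERT_A", CERT_A), ("CERT_B", CERT_B)):
        print(name, evaluate_policy(cert, POLICY, GROUPS))
```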
[Sysname] pki entity 1
[Sysname-pki-entity-1] state country
SSL configuration commands
ciphersuite
Use ciphersuite to specify the cipher suites for an SSL server policy to support.
Syntax
ciphersuite [ rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
Default
An SSL server policy supports all cipher suites.
Views
SSL server policy view
Default command level
2: System level
Parameters
rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.
Syntax
client-verify enable
undo client-verify enable
Default
The SSL server does not require certificate-based SSL client authentication.
Views
SSL server policy view
Default command level
2: System level
Usage guidelines
If you configure the client-verify enable command and enable the SSL client weak authentication function, whether the client must be authenticated is up to the client.
Usage guidelines
The client-verify weaken command takes effect only when the SSL server requires certificate-based client authentication. If the SSL server requires certificate-based client authentication and the SSL client weak authentication function is enabled, whether the client must be authenticated is up to the client. If the client chooses to be authenticated, the client must pass authentication before accessing the SSL server; otherwise, the client can access the SSL server without authentication.
display ssl client-policy
Use display ssl client-policy to view information about one or all SSL client policies.
Syntax
display ssl client-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters.
all: Displays information about all SSL client policies.
|: Filters command output by specifying a regular expression.
Syntax
display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters.
all: Displays information about all SSL server policies.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see System Management Configuration Guide.
Field Description
Close-mode: Close mode of the SSL server policy:
• wait disabled—In this mode, the server sends a close-notify alert message to the client and then closes the connection immediately without waiting for the close-notify alert message of the client.
• wait enabled—In this mode, the server sends a close-notify alert message to the client and then waits for the close-notify alert message of the client. The server closes the connection only after it receives the expected message.
Use undo pki-domain to restore the default.
Syntax
pki-domain domain-name
undo pki-domain
Default
No PKI domain is configured for an SSL server policy or SSL client policy.
Views
SSL server policy view, SSL client policy view
Default command level
2: System level
Parameters
domain-name: Name of a PKI domain, a case-insensitive string of 1 to 15 characters.
Default command level
2: System level
Parameters
rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.
rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC, and the MAC algorithm of SHA.
rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of MD5.
session
Use session to set the maximum number of cached sessions and the caching timeout time. Use undo session to restore the default.
Syntax
session { cachesize size | timeout time } *
undo session { cachesize | timeout } *
Default
The maximum number of cached sessions is 500 and the caching timeout time is 3600 seconds.
Views
SSL server policy view
Default command level
2: System level
Parameters
cachesize size: Specifies the maximum number of cached sessions. The range is 100 to 1000.
Views
System view
Default command level
2: System level
Parameters
policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters, which cannot be a, al, or all.
all: Specifies all SSL client policies.
Examples
# Create SSL client policy policy1 and enter its view.
Related commands
display ssl server-policy
version
Use version to specify the SSL protocol version for an SSL client policy. Use undo version to restore the default.
Syntax
version { ssl3.0 | tls1.0 }
undo version
Default
The SSL protocol version for an SSL client policy is TLS 1.0.
Views
SSL client policy view
Default command level
2: System level
Parameters
ssl3.0: Specifies SSL 3.0.
tls1.0: Specifies TLS 1.0.
Examples
# Specify the SSL protocol version for SSL client policy policy1 as SSL 3.0.
SSH configuration commands
SSH server configuration commands
display ssh server
Use the display ssh server command on an SSH server to display the status or session information of the SSH server.
Syntax
display ssh server { session | status } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
session: Displays the session information of the SSH server.
status: Displays the status information of the SSH server.
Field Description
SSH version: SSH protocol version. When the SSH server supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2.
SSH authentication-timeout: Authentication timeout timer.
SSH server key generating interval: SSH server key pair update interval.
SSH Authentication retries: Maximum number of SSH authentication attempts.
SFTP Server: Whether the Secure FTP (SFTP) server function is enabled.
SFTP Server Idle-Timeout: SFTP connection idle timeout timer.
Syntax
display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
username: SSH username, a string of 1 to 80 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see System Management Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Use undo sftp server enable to disable the SFTP server function.
Syntax
sftp server enable
undo sftp server enable
Default
The SFTP server function is disabled.
Views
System view
Default command level
3: Manage level
Usage guidelines
You can use the display ssh server command to view the status or session information of the SFTP server.
Examples
# Enable the SFTP server function.
Examples
# Set the idle timeout timer for SFTP user connections to 500 minutes.
system-view
[Sysname] sftp server idle-timeout 500
Related commands
display ssh server
ssh server authentication-retries
Use ssh server authentication-retries to set the maximum number of SSH connection authentication attempts. Use undo ssh server authentication-retries to restore the default.
ssh server authentication-timeout
Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server. If a user has not finished authentication when the timer expires, the connection is torn down. Use undo ssh server authentication-timeout to restore the default.
Syntax
ssh server authentication-timeout time-out-value
undo ssh server authentication-timeout
Default
The authentication timeout timer is 60 seconds.
Usage guidelines
The configuration takes effect only for clients at their next login.
Examples
# Enable the SSH server to support SSH1 clients.
system-view
[Sysname] ssh server compatible-ssh1x enable
Related commands
display ssh server
ssh server enable
Use ssh server enable to enable the SSH server function so that SSH clients can use SSH to communicate with the server. Use undo ssh server enable to disable the SSH server function.
Default
The update interval of the RSA server key is 0. That is, the system does not update the RSA server key pairs.
Views
System view
Default command level
3: Manage level
Parameters
hours: Server key update interval in hours, in the range of 1 to 24.
Usage guidelines
Updating the RSA server key periodically limits the window in which a compromised or cracked key can be abused and enhances the security of SSH connections.
Examples
# Set the RSA server key pair update interval to 3 hours.
• stelnet: Specifies the service type of Stelnet.
authentication-type: Specifies the authentication method of an SSH user:
• password: Performs password authentication. This method is simple and fast, but it is less secure than publickey authentication. It can work with AAA to implement user authentication, authorization, and accounting.
• any: Performs either password authentication or publickey authentication.
[Sysname] ssh user user1 service-type sftp authentication-type publickey assign publickey key1 work-directory cfa0:
Related commands
• display ssh user-information
• pki domain
SSH client configuration commands
bye
Use bye to terminate the connection with the SFTP server and return to user view.
Syntax
bye
Views
SFTP client view
Default command level
3: Manage level
Usage guidelines
This command functions as the exit and quit commands.
Examples
# Terminate the connection with the SFTP server.
You can use the cd / command to return to the root directory of the system.
Examples
# Change the working path to new1.
sftp-client> cd new1
Current Directory is: /new1
cdup
Use cdup to return to the upper-level directory.
Syntax
cdup
Views
SFTP client view
Default command level
3: Manage level
Examples
# Return to the upper-level directory from the current working directory /new1.
sftp-client> cdup
Current Directory is: /
delete
Use delete to delete files from a server.
Are you sure to delete it? [Y/N]:y
This operation might take a long time. Please wait...
File successfully Removed
dir
Use dir to display information about the files and sub-directories under a specified directory.
Syntax
dir [ -a | -l ] [ remote-path ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
-a: Displays the names of the files and sub-directories under the specified directory.
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see System Management Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Usage guidelines
If neither a source IP address nor a source interface is specified for the Stelnet client, the system displays the message "Neither source IP address nor source interface was specified for the Stelnet client."
Examples
# Display the source IP address or source interface set for the Stelnet client.
display ssh client source
The source IP address you specified is 192.168.0.
Table 36 Command output
Field Description
Server Name(IP): Name or IP address of the server.
Server public key name: Name of the host public key of the server.
Related commands
ssh client authentication server
exit
Use exit to terminate the connection with the remote SFTP server and return to user view.
Syntax
exit
Views
SFTP client view
Default command level
3: Manage level
Usage guidelines
This command functions as the bye and quit commands.
Usage guidelines
If you do not specify the local-file argument, the file is saved locally with the same name as that on the SFTP server.
Examples
# Download file temp1.c and save it as temp.c locally.
sftp-client> get temp1.c temp.c
Remote file:/temp1.c ---> Local file: temp.c
Downloading file successfully ended
help
Use help to display all commands or the help information of an SFTP client command.
-l: Displays detailed information about the files and folders of the specified directory in list form.
remote-path: Name of the directory to be queried.
Usage guidelines
If neither the -a nor the -l keyword is specified, the command displays detailed information about the files and folders under the specified directory in the form of a list. If the remote-path argument is not specified, the command displays the file and folder information under the current working directory. This command functions as the dir command.
Views
SFTP client view
Default command level
3: Manage level
Parameters
local-file: Name of a local file.
remote-file: Name for the file on an SFTP server.
Usage guidelines
If you do not specify the remote-file argument, the file is saved remotely with the same name as the local one.
Examples
# Upload local file temp.c to the SFTP server and save it as temp1.c.
sftp-client> put temp.c temp1.c
Local file:temp.c ---> Remote file: /temp1.
Usage guidelines
This command functions as the bye and exit commands.
Examples
# Terminate the connection with the SFTP server.
sftp-client> quit
Bye
Connection closed.
remove
Use remove to delete files from a remote server.
Syntax
remove remote-file&<1-10>
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-file&<1-10>: Names of files on an SFTP server. &<1-10> means that you can provide up to 10 filenames, separated by spaces.
Parameters
oldname: Name of an existing file or directory.
newname: New name for the file or directory.
Examples
# Change the name of a file on the SFTP server from temp1.c to temp2.c.
sftp-client> rename temp1.c temp2.c
File successfully renamed
rmdir
Use rmdir to delete the specified directories from an SFTP server.
Syntax
rmdir remote-path&<1-10>
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-path&<1-10>: Names of directories on the remote SFTP server.
server: Specifies an IPv4 or IPv6 server by its address or host name. For an IPv4 server, it is a case-insensitive string of 1 to 20 characters. For an IPv6 server, it is a case-insensitive string of 1 to 46 characters.
port-number: Specifies the port number of the server, in the range of 0 to 65535. The default is 22.
get: Downloads the file.
put: Uploads the file.
source-file-path: Specifies the directory of the source file.
destination-file-path: Specifies the directory of the target file.
prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
Views
User view
Default command level
3: Manage level
Parameters
server: IPv4 address or host name of the server, a case-insensitive string of 1 to 20 characters.
port-number: Port number of the server, in the range of 0 to 65535. The default is 22.
Input Username:
sftp client ipv6 source
Use sftp client ipv6 source to specify the source IPv6 address or source interface for the SFTP client. Use undo sftp client ipv6 source to remove the configuration.
Syntax
sftp client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address }
undo sftp client ipv6 source
Default
An SFTP client uses the IPv6 address of the interface specified by the route of the device to access the SFTP server.
Views
System view
Default command level
3: Manage level
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
To make sure the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, HP recommends that you specify a loopback interface as the source interface.
prefer-ctos-cipher: Specifies the preferred encryption algorithm from client to server. The default is aes128.
• 3des: Specifies the encryption algorithm 3des-cbc.
• aes128: Specifies the encryption algorithm aes128-cbc.
• des: Specifies the encryption algorithm des-cbc.
prefer-ctos-hmac: Specifies the preferred HMAC algorithm from client to server. The default is sha1-96.
• md5: Specifies the HMAC algorithm hmac-md5.
• md5-96: Specifies the HMAC algorithm hmac-md5-96.
Default command level
2: System level
Parameters
server: IP address or name of the server, a string of 1 to 80 characters.
assign publickey keyname: Specifies the name of the host public key of the server, a string of 1 to 64 characters.
Usage guidelines
If the client does not support first-time authentication, it rejects unauthenticated servers.
Examples
# Enable the first-time authentication function.
system-view
[Sysname] ssh client first-time enable
ssh client ipv6 source
Use ssh client ipv6 source to specify the source IPv6 address or source interface for the Stelnet client. Use undo ssh client ipv6 source to remove the configuration.
Default
A Stelnet client uses the IP address of the interface specified by the route of the device to access the Stelnet server.
Views
System view
Default command level
3: Manage level
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number.
ip ip-address: Specifies a source IPv4 address.
prefer-compress: Specifies the preferred compression algorithm. By default, compression is not used.
• zlib: Specifies the compression algorithm ZLIB.
• zlib-openssh: Specifies the compression algorithm zlib@openssh.com.
prefer-ctos-cipher: Specifies the preferred encryption algorithm from client to server. The default is aes128.
• 3des: Specifies the encryption algorithm 3des-cbc.
• aes128: Specifies the encryption algorithm aes128-cbc.
Default command level
0: Visit level
Parameters
server: IPv6 address or host name of the server, a case-insensitive string of 1 to 46 characters.
port-number: Port number of the server, in the range of 0 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the VPN that the server belongs to, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
RSH configuration commands
rsh
Use rsh to execute an OS command on a remote host.
Syntax
rsh host [ user username ] command remote-command
Views
User view
Default command level
0: Visit level
Parameters
host: IP address or host name of the remote host, a string of 1 to 20 characters.
user username: Specifies the username for remote login, a string of 1 to 20 characters. If you do not specify a username, the system name of the device, which can be set by using the sysname command, applies.
Usage guidelines
rsh sends the username and the command in cleartext, and the remote host authorizes the request by source host and username alone. Use it only over trusted networks, against hosts whose rsh daemon has been deliberately configured to accept this device.
2012-06-21 10:51   192,512 wrshdnt.cpl
2012-12-09 16:41    38,991 wrshdnt.hlp
2012-12-09 16:26     1,740 wrshdnt.cnt
2012-06-22 11:14   452,230 wrshdnt.htm
2012-01-02 15:54   196,608 wrshdsp.exe
2012-01-02 15:54   102,400 wrshdnt.exe
2012-07-30 18:05       766 wrshdnt.ico
2012-07-13 09:10     4,803 wrshdnt_header.htm
                       178 wrshdnt_filelist.xml
                   156,472 wrshdnt.pdf
                    49,152 wrshdrdr.exe
                    69,632 wrshdrun.exe
                     3,253 INSTALL.
(Directory listing from the rsh example output; the timestamps 2012-06-23 18:18, 2012-06-23 18:18, 2012-06-22 11:13, 2012-09-02 15:41 and 2012-06-21 10:32 lost their entries in extraction and are not paired above.)
Session management commands application aging-time Use application aging-time to set the aging timer for the sessions of an application layer protocol. Use undo application aging-time to restore the default. Syntax application aging-time { dns | ftp | msn | qq | sip } time-value undo application aging-time [ dns | ftp | msn | qq | sip ] Default The default session aging times for the application layer protocols are as follows: • dns: 60 seconds. • ftp: 3600 seconds. • msn: 3600 seconds.
display application aging-time Use display application aging-time to display the session aging timers for the application layer protocols. Syntax display application aging-time [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see System Management Configuration Guide.
Syntax display session aging-time [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see System Management Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
Syntax
display session relation-table [ vd vd-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
vd vd-name: Displays the relationship table entries of the specified virtual device. The vd-name argument specifies the name of a virtual device, a case-insensitive string of 1 to 20 characters that can contain only digits, letters, and underscores.
|: Filters command output by specifying a regular expression.
Field: Description
Pro: Transport layer protocol, TCP or UDP.
TTL: Remaining lifetime of the relationship table entry, in seconds.
AllowConn: Number of sessions allowed by the relationship table entry.
Total find: Total number of relationship table entries found.
display session statistics
Use display session statistics to display statistics for the sessions.
Current relation table(s): 50000
Session establishment rate: 184503/s
TCP Session establishment rate: 0/s
UDP Session establishment rate: 184503/s
ICMP Session establishment rate: 0/s
RAWIP Session establishment rate: 0/s
Received TCP: 1538 packet(s) 337567 byte(s)
Received UDP: 86810494849 packet(s) 4340524910260 byte(s)
Received ICMP: 307232 packet(s) 17206268 byte(s)
Received RAWIP: 0 packet(s) 0 byte(s)
Dropped TCP: 0 packet(s) 0 byte(s)
Dropped UDP: 0 packet(s) 0 byte(s)
display session statistics history Use display session statistics history to display historical session statistics. Syntax display session statistics history [ vd vd-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 2: System level Parameters vd vd-name: Specifies a virtual device by its name. The vd-name argument represents the name of a virtual device, a case-insensitive string of 1 to 20 characters.
display session table Use display session table to display information about session table entries.
Initiator:
  Source IP/Port : 192.168.1.18/2048
  Dest IP/Port   : 192.168.1.55/768
  Pro            : ICMP(1)
  VPN-Instance/VLAN ID/VLL ID:
Initiator:
  Source IP/Port : 192.168.1.18/1212
  Dest IP/Port   : 192.168.1.55/23
  Pro            : TCP(6)
  VPN-Instance/VLAN ID/VLL ID:
Total find: 2
# Display detailed information about all session table entries.
display session table verbose
Initiator:
  Source IP/Port : 192.168.1.19/137
  Dest IP/Port   : 192.168.1.
Table 41 Command output
Field: Description
Initiator: Initiator's session information.
Responder: Responder's session information.
Pro: Transport layer protocol, TCP, UDP, ICMP, or Raw IP.
VLAN ID/VLL ID: VLAN and INLINE that the session belongs to during Layer 2 forwarding.
App: Application layer protocol, FTP, DNS, MSN, or QQ. Unknown indicates the protocol of a non-well-known port.
State: Session status:
• Accelerate.
• SYN.
• TCP-EST.
• FIN.
• UDP-OPEN.
• UDP-READY.
• ICMP-OPEN.
• ICMP-CLOSED.
Parameters
vd-name vd-name: Clears the session table entries on the specified virtual device. The vd-name argument specifies the name of a virtual device, a case-insensitive string of 1 to 20 characters that can contain only digits, letters, and underscores.
source-ip source-ip: Clears the session table entries whose initiator has the specified source IP address.
destination-ip destination-ip: Clears the session table entries whose initiator has the specified destination IP address.
session aging-time Use session aging-time to set the aging timer for sessions of a specified protocol that are in a specified state. Use undo session aging-time to restore the default. If no keyword is specified, the command restores the session aging timers for all protocol states to the defaults.
Usage guidelines To display the session aging timers in different protocol states, use the display session aging-time command. Examples # Set the aging time for TCP sessions in the SYN_SENT or SYN_RCV state to 60 seconds. system-view [Sysname] session aging-time syn 60 session checksum Use session checksum to enable checksum verification for protocol packets. Use undo session checksum to disable checksum verification.
Views System view Default command level 2: System level Parameters bytes-value: Byte count threshold for session logging, in the range of 1 to 1000 megabytes. Examples # Set the byte count threshold for session logging to 10 megabytes. system-view [Sysname] session log byte-active 10 session log enable Use session log enable to enable the session logging function. Use undo session log enable to disable the specified session logging function.
Syntax session log packets-active packets-value undo session log packets-active Default The system does not output session logs based on the packet count threshold. Views System view Default command level 2: System level Parameters packets-value: Packet count threshold for session logging, in the range of 1 to 1000 mega-packets. Examples # Set the packet count threshold for session logging to 10 mega-packets.
Use undo session mode to configure the bidirectional mode. Syntax session mode hybrid undo session mode Default The session management feature operates in bidirectional mode to process only bidirectional sessions. Views System view Default command level 2: System level Usage guidelines In a unidirectional session, only the packets in one direction pass the device, and the packets in the opposite direction do not pass the device. In a bidirectional session, all packets in any direction pass the device.
Usage guidelines
Persistent sessions are not removed for failing to match any packet within the aging time. Remove such sessions manually when necessary. A persistent session rule can reference only one ACL.
Examples
# Configure all sessions matching ACL 2000 as persistent sessions, setting the aging time of the sessions to 72 hours.
Virtual fragment reassembly commands display ip virtual-reassembly Use display ip virtual-reassembly to display the IP virtual fragment reassembly information on a security zone, including the maximum number of concurrent reassemblies, the maximum fragments per reassembly, the current numbers of concurrent reassemblies and fragments, and the reassembly timeout interval.
Virtual Fragment Reassembly is enabled. Concurrent reassemblies(max-reassemblies): 64 Fragments per reassembly(max-fragments): 16 Reassembly timeout(timeout): 3 second(s) Drop fragments: OFF Current reassembly count: 12 Current fragment count: 48 Total reassembly count: 6950 Total reassembly failures: 9 Table 42 Command output Field Description Concurrent reassemblies (max-reassemblies) Maximum number of concurrent reassemblies.
max-fragments number: Specifies the maximum number of fragments per reassembly. The value range is 1 to 255, and the default is 16. max-reassemblies number: Specifies the maximum number of concurrent reassemblies. The value range is 1 to 1024, and the default is 64. timeout seconds: Specifies the timeout interval of a reassembly, in the range of 1 to 64 seconds. The default value is 3 seconds.
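The three limits above are easier to reason about when the drop decisions can be watched. The following is an added example, not the module's code: a small reassembler that enforces max-reassemblies, max-fragments and the reassembly timeout on constructed fragments. The fragment representation, and the choice to abort a whole reassembly when it exceeds max-fragments, are assumptions of the example.

```python
"""Virtual fragment reassembly limits, simulated.

Added example, not the module's own code. It enforces the limits of the
'ip virtual-reassembly' command (max-reassemblies, max-fragments, timeout)
on constructed fragments; aborting the whole reassembly on a max-fragments
overflow is an assumption made here.
"""
from dataclasses import dataclass, field


@dataclass
class Fragment:
    ip_id: int      # IP identification shared by all fragments of one datagram
    offset: int     # byte offset of this fragment within the original datagram
    more: bool      # MF flag
    payload: bytes


@dataclass
class Reassembly:
    started: float
    frags: dict = field(default_factory=dict)   # offset -> (payload, more)


class VirtualReassembler:
    def __init__(self, max_reassemblies=64, max_fragments=16, timeout=3.0):
        self.max_reassemblies = max_reassemblies
        self.max_fragments = max_fragments
        self.timeout = timeout
        self.pending = {}                          # ip_id -> Reassembly
        self.stats = {"reassembled": 0, "failed": 0}

    def expire(self, now: float) -> int:
        """Drop reassemblies older than the timeout; returns how many."""
        stale = [k for k, r in self.pending.items() if now - r.started > self.timeout]
        for k in stale:
            del self.pending[k]
            self.stats["failed"] += 1
        return len(stale)

    def add(self, frag: Fragment, now: float):
        """Feed one fragment; returns (status, datagram_or_None)."""
        self.expire(now)
        r = self.pending.get(frag.ip_id)
        if r is None:
            if len(self.pending) >= self.max_reassemblies:
                self.stats["failed"] += 1
                return "dropped: max-reassemblies reached", None
            r = self.pending[frag.ip_id] = Reassembly(started=now)
        if len(r.frags) >= self.max_fragments:
            # a datagram split into more pieces than allowed is abandoned
            del self.pending[frag.ip_id]
            self.stats["failed"] += 1
            return "dropped: max-fragments exceeded", None
        r.frags[frag.offset] = (frag.payload, frag.more)
        data = self._complete(r)
        if data is None:
            return "pending", None
        del self.pending[frag.ip_id]
        self.stats["reassembled"] += 1
        return "reassembled", data

    @staticmethod
    def _complete(r: Reassembly):
        """Return the datagram if the fragments form a gap-free chain ending in MF=0."""
        pos, out = 0, b""
        for off in sorted(r.frags):
            payload, more = r.frags[off]
            if off != pos:          # gap or overlap: not complete (ages out later)
                return None
            out += payload
            pos += len(payload)
            if not more:
                return out
        return None
```

Out-of-order arrival still reassembles, a datagram that needs more than max-fragments pieces is discarded, a new datagram is refused while max-reassemblies are already in progress, and anything left incomplete past the timeout is counted under reassembly failures, which is what the "Total reassembly failures" counter in the display output above reflects.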
Attack detection and protection configuration commands attack-defense apply policy Use attack-defense apply policy to apply an attack protection policy to a security zone. Use undo attack-defense apply policy to restore the default. Syntax attack-defense apply policy policy-number undo attack-defense apply policy Default No attack protection policy is applied to a security zone.
Syntax attack-defense logging enable undo attack-defense logging enable Default Attack protection logging is disabled. Views System view Default command level 2: System level Parameters None Examples # Enable attack protection logging. system-view [Sysname] attack-defense logging enable attack-defense policy Use attack-defense policy to create an attack protection policy and enter attack protection policy view. Use undo attack-defense policy to delete an attack protection policy.
blacklist enable Use blacklist enable to enable the blacklist function. Use undo blacklist enable to restore the default. Syntax blacklist enable undo blacklist enable Default The blacklist function is disabled. Views System view, VD system view Default command level 2: System level Usage guidelines After the blacklist function is enabled, you can add blacklist entries manually or configure the device to add blacklist entries automatically.
Parameters source-ip-address: IP address to be added to the blacklist, used to match the source IP address of packets. This IP address cannot be a broadcast address, 127.0.0.0/8, a class D address, or a class E address. all: Specifies all blacklist entries. timeout minutes: Specifies an aging time for the blacklist entry. minutes indicates the aging time and ranges from 1 to 1000, in minutes.
Related commands • defense dns-flood rate-threshold • defense dns-flood ip defense dns-flood ip Use defense dns-flood ip to configure the action and silence thresholds for DNS flood attack protection of a specific IP address. Use undo defense dns-flood ip to remove the configuration.
defense dns-flood rate-threshold Use defense dns-flood rate-threshold to configure the global action and global silence thresholds for DNS flood attack protection. The device uses the global attack protection thresholds to protect IP addresses for which you do not specifically configure attack protection parameters. Use undo defense dns-flood rate-threshold to restore the default.
defense icmp-flood action drop-packet Use defense icmp-flood action drop-packet to configure the device to drop ICMP flood attack packets. Use undo defense icmp-flood action to restore the default. Syntax defense icmp-flood action drop-packet undo defense icmp-flood action Default The device only outputs alarm logs if it detects an ICMP flood attack.
system-view [Sysname] attack-defense policy 1 [Sysname-attack-defense-policy-1] defense icmp-flood enable Related commands • defense icmp-flood action drop-packet • defense icmp-flood ip • defense icmp-flood rate-threshold • display attack-defense policy defense icmp-flood ip Use defense icmp-flood ip to configure the action and silence thresholds for ICMP flood attack protection of a specific IP address. Use undo defense icmp-flood ip to remove the configuration.
[Sysname] attack-defense policy 1 [Sysname-attack-defense-policy-1] defense icmp-flood ip 192.168.1.2 rate-threshold high 2000 low 1000 Related commands • defense icmp-flood action drop-packet • defense icmp-flood enable • display attack-defense policy defense icmp-flood rate-threshold Use defense icmp-flood rate-threshold to configure the global action and silence thresholds for ICMP flood attack protection.
Examples # Set the global action threshold to 3000 packets per second and the global silence threshold to 1000 packets per second for ICMP flood attack.
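The action and silence thresholds form a hysteresis pair: the attack state is entered when the rate to a destination reaches the action threshold and left only when it falls below the silence threshold, and the global pair applies to every address without its own defense ... ip entry. The following is an added example, not the module's code, that models exactly that for the flood commands above. The inclusive comparison at the action threshold, the silence threshold defaulting to three quarters of the action threshold when low is omitted, and the per-second sample feed are assumptions of the example.

```python
"""Flood protection thresholds with hysteresis, simulated.

Added example, not the module's own code. It models the 'rate-threshold
high ... [low ...]' semantics of the defense *-flood commands: attack
declared at or above the action threshold, cleared below the silence
threshold, global thresholds used for IPs without their own entry.
Assumed here: the inclusive '>= high' comparison and a default silence
threshold of high * 3 / 4 when low is omitted.
"""


class FloodGuard:
    def __init__(self, global_high=1000, global_low=750, action="syslog"):
        # 1000/750 are the page's global SYN flood defaults; action is
        # 'syslog' (alarm log only, the default) or 'drop-packet'.
        self.global_high, self.global_low = global_high, global_low
        self.action = action
        self.per_ip = {}            # ip -> (high, low): 'defense ... ip <ip> rate-threshold'
        self.under_attack = set()   # destination IPs currently in attack state

    def set_ip_threshold(self, ip, high, low=None):
        """Per-address thresholds; 'low' omitted -> high * 3 / 4 (assumption)."""
        self.per_ip[ip] = (high, low if low is not None else high * 3 // 4)

    def thresholds(self, ip):
        """Per-address pair if configured, otherwise the global pair."""
        return self.per_ip.get(ip, (self.global_high, self.global_low))

    def observe(self, ip, pps):
        """Feed one per-second packet count for a destination; returns the action."""
        high, low = self.thresholds(ip)
        if ip not in self.under_attack:
            if pps >= high:
                self.under_attack.add(ip)
                return "attack-start:" + self.action
            return "normal"
        # in attack state: rates between low and high keep the state,
        # which is the point of having two thresholds (no flapping)
        if pps < low:
            self.under_attack.discard(ip)
            return "attack-end"
        return "attack:" + self.action


if __name__ == "__main__":
    # the ICMP flood examples on this page: global 3000/1000, 192.168.1.2 at 2000/1000
    g = FloodGuard(global_high=3000, global_low=1000, action="drop-packet")
    g.set_ip_threshold("192.168.1.2", 2000, 1000)
    for pps in (1500, 2500, 1500, 900, 1500):        # constructed samples
        print(pps, g.observe("192.168.1.2", pps))
```

The same 1500 packets/s sample is "normal" before the attack and "attack" during it, so a monitoring rule keyed on the rate alone would not reproduce what the device logs; the state matters.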
# Set the connection rate threshold for triggering scanning attack protection to 2000 connections per second. [Sysname-attack-defense-policy-1] defense scan max-rate 2000 # Enable the blacklist function for scanning attack protection, and specify the blacklist entry aging time as 20 minutes.
defense scan enable Use defense scan enable to enable scanning attack protection. Use undo defense scan enable to restore the default. Syntax defense scan enable undo defense scan enable Default Scanning attack protection is disabled. Views Attack protection policy view Default command level 2: System level Usage guidelines With scanning attack protection enabled, a device checks the connection rate by IP address.
Default command level 2: System level Parameters rate-number: Threshold of the connection establishment rate (number of connections established in a second) that triggers scanning attack protection, in the range of 1 to 10000. Usage guidelines With scanning attack protection enabled, a device checks the connection rate by IP address.
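How scanning attack protection, max-rate and the blacklist fit together is shown by the following added example, which is not the module's code. It counts new connections per source IP over a one-second window, treats exceeding max-rate as a scan, adds the source to a blacklist with the configured aging time when add-to-blacklist is enabled, and keeps manual entries (with or without a timeout) beside the automatic ones, in the shape the display blacklist output uses. The sliding window and the connection timestamps are constructed for the example.

```python
"""Scanning attack protection feeding the blacklist, simulated.

Added example, not the module's own code. Models 'defense scan max-rate',
'add-to-blacklist' with a timeout in minutes, and manual blacklist entries
with or without aging. The one-second sliding window and the timestamps
are constructed for illustration.
"""
from collections import defaultdict, deque


class Blacklist:
    def __init__(self):
        self.entries = {}   # ip -> (type, added_at, expires_at or None)

    def add(self, ip, now, timeout_min=None, kind="manual"):
        """'blacklist ip <ip> [timeout <minutes>]'; no timeout means never ages."""
        expires = None if timeout_min is None else now + timeout_min * 60
        self.entries[ip] = (kind, now, expires)

    def is_blocked(self, ip, now):
        e = self.entries.get(ip)
        if e is None:
            return False
        _kind, _added, expires = e
        if expires is not None and now >= expires:
            del self.entries[ip]          # entry aged out
            return False
        return True

    def display(self, now):
        """Rows like 'display blacklist all': IP, Type, Aging started, Aging finished."""
        self.is_blocked  # noqa: B018  (aging is applied lazily on lookup)
        return [(ip, kind, added, "Never" if expires is None else expires)
                for ip, (kind, added, expires) in sorted(self.entries.items())
                if expires is None or now < expires]


class ScanGuard:
    def __init__(self, max_rate, blacklist=None, blacklist_timeout_min=None):
        self.max_rate = max_rate                # 'defense scan max-rate'
        self.blacklist = blacklist              # None: add-to-blacklist not enabled
        self.timeout = blacklist_timeout_min    # 'blacklist-timeout' in minutes
        self.window = defaultdict(deque)        # src -> timestamps in the last second
        self.attacks = 0                        # counted like 'Scan attacks' statistics

    def new_connection(self, src, now):
        """Returns 'blocked', 'scan-detected' or 'allowed' for one new connection."""
        if self.blacklist is not None and self.blacklist.is_blocked(src, now):
            return "blocked"
        q = self.window[src]
        q.append(now)
        while q and now - q[0] >= 1.0:
            q.popleft()
        if len(q) > self.max_rate:
            self.attacks += 1
            if self.blacklist is not None:
                self.blacklist.add(src, now, self.timeout, kind="auto")
            q.clear()
            return "scan-detected"
        return "allowed"


if __name__ == "__main__":
    bl = Blacklist()
    bl.add("10.9.9.9", now=0)                               # manual, never ages
    sg = ScanGuard(max_rate=3, blacklist=bl, blacklist_timeout_min=20)
    for t in (0, 0, 0, 0, 1):                               # constructed burst
        print(t, sg.new_connection("172.16.0.5", t))
    print(bl.display(1))
```

Once the automatic entry ages out after 20 minutes the source is admitted again, while the manual entry without a timeout stays, matching the Never shown under Aging finished.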
trigger-tcp-proxy: Adds a protected IP address entry for the attacked IP address and triggers the TCP proxy function. Examples # Configure the SYN flood protection policy to drop SYN flood attack packets.
undo defense syn-flood ip ip-address [ rate-threshold ] Default No SYN flood attack protection thresholds are configured for an IP address. Views Attack protection policy view Default command level 2: System level Parameters ip-address: IP address to be protected. This IP address cannot be a broadcast address, 127.0.0.0/8, a class D address, or a class E address. high rate-number: Sets the action threshold for SYN flood attack protection of the specified IP address.
undo defense syn-flood rate-threshold Default The global action threshold is 1000 packets per second and the global silence threshold is 750 packets per second. Views Attack protection policy view Default command level 2: System level Parameters high rate-number: Sets the global action threshold for SYN flood attack protection. The rate-number argument indicates the number of SYN packets sent to an IP address per second and is in the range of 1 to 64000.
Default The device only outputs alarm logs if it detects a UDP flood attack. Views Attack protection policy view Default command level 2: System level Examples # Configure attack protection policy 1 to drop UDP flood packets.
defense udp-flood ip Use defense udp-flood ip to configure the action and silence thresholds for UDP flood attack protection of a specific IP address. Use undo defense udp-flood ip to remove the configuration. Syntax defense udp-flood ip ip-address rate-threshold high rate-number [ low rate-number ] undo defense udp-flood ip ip-address [ rate-threshold ] Default No UDP flood attack protection thresholds are configured for an IP address.
defense udp-flood rate-threshold Use defense udp-flood rate-threshold to configure the global action and silence thresholds for UDP flood attack protection. The device uses the global attack protection thresholds to protect the IP addresses for which you do not specifically configure attack protection parameters. Use undo defense udp-flood rate-threshold to restore the default.
• display attack-defense policy display attack-defense policy Use display attack-defense policy to display the configuration information of one or all attack protection policies. Syntax display attack-defense policy [ policy-number ] [ vd vd-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters policy-number: Sequence number of an attack protection policy. The value ranges from 1 to 128.
  LAND attack-defense         : Enabled
  Source route attack-defense : Enabled
  Route record attack-defense : Enabled
  Scan attack-defense         : Enabled
    Add to blacklist          : Enabled
    Blacklist timeout         : 10 minutes
    Max-rate                  : 1000 connections/s
  Signature-detect action     : Drop-packet
--------------------------------------------------------------------------
  DNS flood attack-defense    : Enabled
  DNS flood high-rate         : 2000 packets/s
  DNS flood low-rate          : 750 packets/s
  DNS Flood attack-defense for specific IP address
Field: Description
Bound zones: Security zones to which the attack protection policy is applied.
Smurf attack-defense: Indicates whether Smurf attack protection is enabled.
ICMP redirect attack-defense: Indicates whether ICMP redirect attack protection is enabled.
ICMP unreachable attack-defense: Indicates whether ICMP unreachable attack protection is enabled.
Large ICMP attack-defense: Indicates whether large ICMP attack protection is enabled.
Max-length: Maximum length allowed for an ICMP packet.
Field: Description
UDP flood low-rate: Global silence threshold for UDP flood attack protection.
UDP flood attack on IP: UDP flood attack protection settings for specific IP addresses.
SYN flood attack-defense: Indicates whether SYN flood attack protection is enabled.
SYN flood action: Action taken when a SYN flood attack is detected: Drop-packet (drop subsequent packets) or Syslog (output an alarm log).
SYN flood high-rate: Global action threshold for SYN flood attack protection.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the attack protection statistics of security zone untrust.
Field: Description
Attack policy number: Sequence number of the attack protection policy.
Fraggle attacks: Number of Fraggle attacks.
Fraggle packets dropped: Number of Fraggle packets dropped.
ICMP redirect attacks: Number of ICMP redirect attacks.
ICMP redirect packets dropped: Number of ICMP redirect packets dropped.
ICMP unreachable attacks: Number of ICMP unreachable attacks.
ICMP unreachable packets dropped: Number of ICMP unreachable packets dropped.
LAND attacks: Number of LAND attacks.
• attack-defense apply policy display blacklist Use display blacklist to display information about one or all blacklist entries. Syntax display blacklist { all | ip source-ip-address } [ vd vd-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters all: Displays information about all blacklist entries. ip source-ip-address: Displays information about the blacklist entry for an IP address.
Table 45 Command output
Field: Description
Blacklist: Indicates whether the blacklist function is enabled.
Blacklist items: Number of blacklist entries.
IP: IP address of the blacklist entry.
Type: Type of the blacklist entry:
• manual: The entry was added manually.
• auto: The entry was added automatically by the scanning attack protection function.
Aging started: Time when the blacklist entry was added.
Aging finished: Time when the blacklist entry ages out. Never means that the entry never ages out.
include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display the traffic statistics of source IP address 192.168.1.2. display flow-statistics statistics source-ip 192.168.1.2 Flow Statistics Information ----------------------------------------------------------IP Address : 192.168.1.
Field: Description
RAWIP sessions: Number of RAWIP connections.
RAWIP session establishment rate: RAWIP connection establishment rate.
TCP packet count: Number of TCP packets.
TCP byte count: Number of TCP bytes.
UDP packet count: Number of UDP packets.
UDP byte count: Number of UDP bytes.
ICMP packet count: Number of ICMP packets.
ICMP byte count: Number of ICMP bytes.
RAWIP packet count: Number of RAWIP packets.
RAWIP byte count: Number of RAWIP bytes.
display flow-statistics statistics zone trust inbound
Flow Statistics Information
-----------------------------------------------------------
Zone : trust
-----------------------------------------------------------
Total number of existing sessions : 70
Session establishment rate        : 10/s
TCP sessions                      : 10
Half-open TCP sessions            : 10
Half-close TCP sessions           : 10
TCP session establishment rate    : 10/s
UDP sessions                      : 10
UDP session establishment rate    : 10/s
ICMP sessions                     : 10
Default command level 1: Monitor level Parameters vd vd-name: Displays the protected IP addresses of the specified VD. The vd-name argument refers to the VD name, a case-insensitive string of 1 to 20 characters. If you do not specify this option, this command displays the protected IP addresses of the default VD. Examples # Display information about all IP addresses protected by the TCP proxy function.
inbound: Collects statistics on packets to the security zone. outbound: Collects statistics on packets sent out of the security zone. source-ip: Collects statistics on packets to the security zone by source IP address. Usage guidelines You can enable multiple types of traffic statistics collections for a security zone. The collection results can be viewed by related display commands. Examples # In security zone trust, enable traffic statistics collection by destination IP address.
signature-detect Use signature-detect to enable signature detection of a single-packet attack. Use undo signature-detect to disable signature detection of a single-packet attack.
Syntax signature-detect action drop-packet undo signature-detect action Default The device only outputs alarm logs if it detects a single-packet attack. Views Attack protection policy view Default command level 2: System level Examples # Configure attack protection policy 1 to drop single-packet attack packets.
Examples # Enable signature detection of large ICMP attack, set the ICMP packet length threshold that triggers large ICMP attack protection to 5000 bytes, and configure the device to drop ICMP packets longer than the specified maximum length.
• display tcp-proxy protected-ip tcp-proxy mode Use tcp-proxy mode to set the TCP proxy operating mode. Use undo tcp-proxy mode to restore the default. Syntax tcp-proxy mode unidirection undo tcp-proxy mode Default TCP proxy operates in bidirectional mode when enabled. Views System view Default command level 2: System level Parameters unidirection: Operates in the unidirectional mode. Examples # Set the TCP proxy operating mode to unidirectional.
Parameters destination-ip-address: Specifies the IP address protected by TCP proxy. port: Specifies the port number protected by TCP proxy. port-number: Destination port number of a TCP connection, in the range of 1 to 65535. any: Specifies TCP connections with the specified destination IP address and any destination port number. Usage guidelines Add multiple IP addresses protected by TCP proxy by executing this command multiple times. Examples # Configure a TCP proxy entry to protect IP address 2.2.2.
Connection limit configuration commands connection-limit apply policy Use connection-limit apply policy to apply a connection limit policy to the NAT module. Use undo connection-limit apply policy to remove the application. Syntax connection-limit apply policy policy-number undo connection-limit apply policy policy-number Views System view Default command level 2: System level Parameters policy-number: Number of an existing connection limit policy. The value must be 0.
Default command level 2: System level Parameters policy-number: Specifies the number of a connection limit policy. The value must be 0. all: Specifies all connection limit policies. Usage guidelines A connection limit policy contains a set of rules for limiting the number of connections of a specific user. A policy number uniquely identifies a connection limit policy. After applying a connection limit policy in system view, you cannot modify, add, or remove connection limit rules in the policy.
limit 0 source ip 3.3.3.0 24 source-vpn vpn1 destination ip any protocol tcp max-connections 200 per-source
Table 49 Command output
Field: Description
Connection-limit policy: Number of the connection limit policy.
refcount 1, 2 limits: Number of times the policy is applied and number of rules in the policy.
limit xxx: Rule in the policy. For more information, see the limit command.
Related commands
limit
limit
Use limit to configure an IP address-based connection limit policy rule.
• http: Specifies the HTTP protocol.
• ip: Specifies the IP protocol.
• tcp: Specifies the TCP protocol.
• udp: Specifies the UDP protocol.
max-connections max-num: Maximum number of connections, in the range of 1 to 1100000.
per-destination: Limits connections by destination IP address.
per-source: Limits connections by source IP address.
per-source-destination: Limits connections by source-destination IP address pair.
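The rule shown in the display output above (limit 0 source ip 3.3.3.0 24 ... protocol tcp max-connections 200 per-source) is easiest to understand as a counter keyed by whichever of per-source, per-destination or per-source-destination is chosen. The following is an added example, not the module's code, that applies such rules to constructed connection tuples. First-match rule ordering, the absence of VPN matching, and the way a closed connection releases its count are assumptions of the example.

```python
"""Connection limit policy rules, simulated.

Added example, not the module's own code. A rule matches on source prefix,
destination prefix and protocol and counts live connections per source,
per destination or per source-destination pair; the first matching rule
decides (an assumption), and VPN matching is not modelled.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    protocol: str           # 'ip' matches any transport; else 'tcp', 'udp', ...
    max_connections: int    # 1 to 1100000 on the device
    mode: str               # 'per-source', 'per-destination', 'per-source-destination'

    def matches(self, src, dst, proto):
        return (ipaddress.IPv4Address(src) in self.source
                and ipaddress.IPv4Address(dst) in self.destination
                and self.protocol in ("ip", proto))

    def key(self, src, dst):
        """What the connection count is kept per."""
        return {"per-source": src,
                "per-destination": dst,
                "per-source-destination": (src, dst)}[self.mode]


class ConnectionLimitPolicy:
    def __init__(self, policy_number=0):
        self.policy_number = policy_number   # must be 0 on this module
        self.limits = []                     # rule order: first match wins (assumption)
        self.counts = Counter()              # (rule index, key) -> live connections

    def add_limit(self, limit):
        self.limits.append(limit)

    def _match(self, src, dst, proto):
        for i, rule in enumerate(self.limits):
            if rule.matches(src, dst, proto):
                return i, rule
        return None, None

    def open(self, src, dst, proto):
        """Decide on a new connection: 'permit' or 'deny (limit N)'."""
        i, rule = self._match(src, dst, proto)
        if rule is None:
            return "permit"                  # no rule matches: not limited
        k = (i, rule.key(src, dst))
        if self.counts[k] >= rule.max_connections:
            return "deny (limit %d)" % i
        self.counts[k] += 1
        return "permit"

    def close(self, src, dst, proto):
        """Release the count when the connection's session ends."""
        i, rule = self._match(src, dst, proto)
        if rule is not None:
            k = (i, rule.key(src, dst))
            if self.counts[k] > 0:
                self.counts[k] -= 1


def any_net():
    return ipaddress.IPv4Network("0.0.0.0/0")


if __name__ == "__main__":
    p = ConnectionLimitPolicy(0)
    p.add_limit(Limit(ipaddress.IPv4Network("3.3.3.0/24"), any_net(), "tcp", 200, "per-source"))
    for n in range(202):                      # constructed: one host opening 202 TCP flows
        verdict = p.open("3.3.3.10", "8.8.8.8", "tcp")
    print(verdict)                            # deny (limit 0)
```

Because the key is the source address only, a single host in 3.3.3.0/24 is capped at 200 TCP connections regardless of how many destinations it talks to, while UDP from the same host and TCP from outside the prefix are not counted at all.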
TCP attack protection configuration commands display tcp status Use display tcp status to display status of all TCP connections for monitoring TCP connections. Syntax display tcp status [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see System Management Configuration Guide.
Use undo tcp anti-naptha enable to disable the protection against Naptha attack. Syntax tcp anti-naptha enable undo tcp anti-naptha enable Default The protection against Naptha attack is disabled. Views System view Default command level 2: System level Usage guidelines The configurations made by using the tcp state and tcp timer check-state commands are removed after the protection against Naptha attack is disabled. Examples # Enable the protection against Naptha attack.
last-ack: LAST_ACK state of a TCP connection.
syn-received: SYN_RECEIVED state of a TCP connection.
connection-number number: Maximum number of TCP connections in the given state. The number argument is in the range of 0 to 500.
Usage guidelines
You must enable the protection against Naptha attack before executing this command; otherwise, an error message is displayed. The maximum number of TCP connections can be configured separately for each state.
Syntax tcp timer check-state time-value undo tcp timer check-state Default The TCP connection state check interval is 30 seconds. Views System view Default command level 2: System level Parameters time-value: TCP connection state check interval in seconds, in the range of 1 to 60. Usage guidelines The device periodically checks the number of TCP connections in each state.
ND attack defense configuration commands ipv6 nd mac-check enable Use ipv6 nd mac-check enable to enable source MAC consistency check for ND packets. Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND packets. Syntax ipv6 nd mac-check enable undo ipv6 nd mac-check enable Default Source MAC consistency check is disabled for ND packets.
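What the source MAC consistency check compares is the source MAC address in the Ethernet header against the link-layer address carried inside the ND message. The following is an added example, not the module's code: it parses constructed Ethernet/IPv6/ICMPv6 frames and applies that check, using the source link-layer address option for NS, RS and RA and the target link-layer address option for NA. The frame builder, the treatment of a message without a link-layer option as passing, and the zero ICMPv6 checksum (not verified here) are assumptions of the example.

```python
"""Source MAC consistency check for ND packets.

Added example, not the module's own code. Implements the comparison that
'ipv6 nd mac-check enable' names: Ethernet source MAC versus the link-layer
address option in the ND message (source LLA for NS/RS/RA, target LLA for
NA). Frames are constructed below; the ICMPv6 checksum is left zero since
the example does not verify it.
"""
import struct

ETH_P_IPV6 = 0x86DD
ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA"}
# ICMPv6 bytes between the 4-byte header and the first option, per message type
ND_FIXED_LEN = {133: 4, 134: 12, 135: 20, 136: 20}
# option type whose MAC must equal the frame source, per message type
ND_EXPECTED_OPT = {133: 1, 134: 1, 135: 1, 136: 2}


def parse_nd_options(data: bytes):
    """Yield (type, value) for each ND option; length is in 8-byte units."""
    while len(data) >= 8:
        otype, olen = data[0], data[1]
        if olen == 0:                       # RFC 4861: zero length is invalid
            raise ValueError("zero-length ND option")
        yield otype, data[2:olen * 8]
        data = data[olen * 8:]


def nd_mac_check(frame: bytes) -> str:
    """Return 'pass', 'drop: <reason>' or 'not-nd' for one Ethernet frame."""
    if len(frame) < 14 + 40 + 4:
        return "not-nd"
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return "not-nd"
    ip6 = frame[14:54]
    if ip6[6] != ICMPV6:                    # next header
        return "not-nd"
    icmp = frame[54:]
    itype = icmp[0]
    if itype not in ND_TYPES:
        return "not-nd"
    options = icmp[4 + ND_FIXED_LEN[itype]:]
    want = ND_EXPECTED_OPT[itype]
    try:
        for otype, value in parse_nd_options(options):
            if otype == want:
                if value[:6] == eth_src:
                    return "pass"
                return "drop: link-layer address mismatch"
    except ValueError as exc:
        return "drop: %s" % exc
    return "pass"                           # no link-layer option: nothing to compare


def build_ns(eth_src: bytes, option_mac: bytes, target: bytes = bytes(16)) -> bytes:
    """Constructed Neighbor Solicitation carrying a source link-layer address option."""
    icmp = struct.pack("!BBH", 135, 0, 0) + bytes(4) + target
    icmp += struct.pack("!BB", 1, 1) + option_mac          # type 1, length 1 (8 bytes)
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255) + bytes(16) + bytes(16)
    eth = bytes.fromhex("3333ff000001") + eth_src + struct.pack("!H", ETH_P_IPV6)
    return eth + ip6 + icmp


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")          # constructed addresses
    spoofed = bytes.fromhex("66778899aabb")
    print(nd_mac_check(build_ns(mac, mac)))      # pass
    print(nd_mac_check(build_ns(mac, spoofed)))  # drop: link-layer address mismatch
```

The mismatch case is the one the check exists for: a host that sends an NS or NA whose link-layer option names a different MAC than the frame it came in on is trying to poison a neighbor cache, and dropping it at the zone border stops the entry being learned.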
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. [] Square brackets enclose syntax choices (keywords or arguments) that are optional. { x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons (the icon images are not reproduced here)
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents a security product, such as a firewall, a UTM, or a load-balancing or security card that is installed in a device.