HP Load Balancing Module Security Command Reference
Part number: 5998-2693
Document version: 6PW101-20120217
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
ACL configuration commands

acl

Syntax:
acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl { all | name acl-name | number acl-number }
View: System view
Default level: 2: System level
Parameters:
number acl-number: Specifies the number of an IPv4 access control list (ACL):
• 2000 to 2999 for IPv4 basic ACLs
• 3000 to 3999 for IPv4 advanced ACLs
• 4000 to 4999 for Ethernet frame header ACLs
name acl-name: Assigns a name for the IPv4 ACL for easy identification.
[Sysname-acl-basic-2000]
# Create IPv4 basic ACL 2001 with the name flow, and enter its view.
acl copy

Syntax:
acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
View: System view
Default level: 2: System level
Parameters:
source-acl-number: Specifies a source IPv4 ACL that already exists by its number:
• 2000 to 2999 for IPv4 basic ACLs
• 3000 to 3999 for IPv4 advanced ACLs
• 4000 to 4999 for Ethernet frame header ACLs
name source-acl-name: Specifies a source IPv4 ACL that already exists by its name.
Default level: 2: System level
Parameters:
acl-name: Specifies the name of an existing IPv4 ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter.
Description:
Use the acl name command to enter the view of an IPv4 ACL that has a name.
Related commands: acl.
Examples:
# Enter the view of IPv4 ACL flow.
View: Any view
Default level: 1: Monitor level
Parameters:
acl-number: Specifies an IPv4 ACL by its number:
• 2000 to 2999 for basic ACLs
• 3000 to 3999 for advanced ACLs
• 4000 to 4999 for Ethernet frame header ACLs
all: Displays information for all IPv4 ACLs.
name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.
Output description (Field: Description)
2 times matched: There have been two matches for the rule. The statistic counts only ACL matches performed in software. This field is not displayed when no packets have matched the rule.
Output description (Field: Description)
ACL acceleration Status: Whether ACL acceleration is using up-to-date criteria for rule matching:
• UTD—The ACL criteria are up to date and have not changed since ACL acceleration was enabled.
• OOD—The ACL criteria are out of date. This state is displayed if you have modified the ACL after ACL acceleration was enabled. ACL acceleration still matches packets against the old criteria. To ensure correct packet matching, disable and re-enable ACL acceleration.
View: User view
Default level: 2: System level
Parameters:
acl-number: Specifies an IPv4 ACL by its number:
• 2000 to 2999 for IPv4 basic ACLs
• 3000 to 3999 for IPv4 advanced ACLs
• 4000 to 4999 for Ethernet frame header ACLs
all: Clears statistics for all IPv4 ACLs.
name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.
cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).
counting: Counts the number of times the IPv4 ACL rule has been matched.
dest-mac dest-addr dest-mask: Matches a destination MAC address range. The dest-addr and dest-mask arguments represent a destination MAC address and mask in H-H-H format.
[ icmp-code ] | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | fragment | icmp-type | logging | precedence | reflective | source | source-port | time-range | tos ] *
View: IPv4 advanced ACL view
Default level: 2: System level
Parameters:
Parameters (Parameter: Function. Description)
dscp dscp: Specifies a DSCP priority. The dscp argument can be a number in the range 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).
logging: Logs matching packets. This function requires that the module (for example, a firewall) that uses the ACL supports logging.
Parameters (Parameter: Function. Description)
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *: Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG.
established: Specifies the flags for indicating the established status of a TCP connection.
Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ORed.
ICMP message name: ICMP message type, ICMP message code
source-quench: type 4, code 0
source-route-failed: type 3, code 5
timestamp-reply: type 14, code 0
timestamp-request: type 13, code 0
ttl-exceeded: type 11, code 0
Description:
Use the rule command to create or edit an IPv4 advanced ACL rule. You can edit ACL rules only when the match order is config.
Use the undo rule command to delete an entire IPv4 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule.
[Sysname-acl-adv-3003] rule permit udp source-port eq snmptrap
[Sysname-acl-adv-3003] rule permit udp destination-port eq snmp
[Sysname-acl-adv-3003] rule permit udp destination-port eq snmptrap

rule (IPv4 basic ACL view)

Syntax:
rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name ] *
undo rule rule-id [ counting | fragment | logging | source | time-range ] *
View: IPv4 basic ACL view
Default level: 2: System level
Parameters:
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, step, and time-range.
Examples:
# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255
[Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255
[Sysname-acl-basic-2000] rule permit source 192.
View: IPv4 basic/advanced ACL view, Ethernet frame header ACL view
Default level: 2: System level
Parameters:
step-value: ACL rule numbering step, which ranges from 1 to 20.
Description:
Use the step command to set a rule numbering step for an ACL. The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on.
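The following added example (not code from the HP reference) models how the IPv4 basic ACL example above and the rule numbering step behave: wildcard-mask source matching, automatic rule IDs at multiples of the step, and the difference between config and auto match order. It assumes the depth-first ordering used for auto puts the rule with the most fixed (zero) wildcard bits first, and it closes the sample ACL with a constructed "deny source any" rule, since the page's example is cut off.

```python
"""Toy evaluator for Comware-style IPv4 basic ACLs (numbers 2000 to 2999).

Added example, not the HP module's code. The "auto" ordering (most specific
wildcard first) and the closing deny rule in the sample are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def wildcard_match(addr: str, sour_addr: str, sour_wildcard: str) -> bool:
    """A 0 bit in the wildcard must equal sour_addr; a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(sour_addr))
    w = int(ipaddress.IPv4Address(sour_wildcard))
    return ((a ^ s) & (ALL_ONES ^ w)) == 0


@dataclass
class Rule:
    rule_id: int
    action: str          # "permit" or "deny"
    sour_addr: str       # "any" is stored as 0.0.0.0 with wildcard 255.255.255.255
    sour_wildcard: str

    def matches(self, addr: str) -> bool:
        return wildcard_match(addr, self.sour_addr, self.sour_wildcard)

    def specificity(self) -> int:
        """Number of fixed (zero) wildcard bits; "any" scores 0."""
        w = int(ipaddress.IPv4Address(self.sour_wildcard))
        return 32 - bin(w).count("1")


class BasicAcl:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        if not 2000 <= number <= 2999:
            raise ValueError("IPv4 basic ACL numbers are 2000 to 2999")
        if match_order not in ("config", "auto"):
            raise ValueError("match-order is auto or config")
        if not 1 <= step <= 20:
            raise ValueError("step ranges from 1 to 20")
        self.number, self.match_order, self.step = number, match_order, step
        self.rules: Dict[int, Rule] = {}

    def next_rule_id(self) -> int:
        """Smallest multiple of the step above the highest existing ID (0 if empty)."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def rule(self, action: str, source: str = "any", rule_id: Optional[int] = None) -> int:
        """Create or edit a rule; editing is allowed only when match order is config."""
        if action not in ("permit", "deny"):
            raise ValueError("action is permit or deny")
        if rule_id is None:
            rule_id = self.next_rule_id()
        elif rule_id in self.rules and self.match_order != "config":
            raise ValueError("rules can be edited only when match order is config")
        if source == "any":
            sour_addr, sour_wildcard = "0.0.0.0", "255.255.255.255"
        else:
            sour_addr, sour_wildcard = source.split()   # "sour-addr sour-wildcard"
        self.rules[rule_id] = Rule(rule_id, action, sour_addr, sour_wildcard)
        return rule_id

    def ordered_rules(self) -> List[Rule]:
        rules = list(self.rules.values())
        if self.match_order == "config":
            return sorted(rules, key=lambda r: r.rule_id)
        # assumed depth-first order: most specific wildcard first, then by ID
        return sorted(rules, key=lambda r: (-r.specificity(), r.rule_id))

    def evaluate(self, src_ip: str) -> Optional[Tuple[str, int]]:
        """Return (action, rule_id) of the first matching rule, or None if none match."""
        for r in self.ordered_rules():
            if r.matches(src_ip):
                return (r.action, r.rule_id)
        return None   # the module that uses the ACL decides what to do then


def build_sample_acl() -> BasicAcl:
    """Constructed ACL 2000 following the reference's example, plus an assumed final deny."""
    acl = BasicAcl(2000)
    acl.rule("permit", "10.0.0.0 0.255.255.255")    # rule 0
    acl.rule("permit", "172.17.0.0 0.0.255.255")    # rule 5
    acl.rule("permit", "192.168.1.0 0.0.0.255")     # rule 10
    acl.rule("deny", "any")                         # rule 15 (assumed closing rule)
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    for ip in ("10.1.2.3", "172.17.5.5", "192.168.1.77", "192.168.2.1"):
        print(ip, acl.evaluate(ip))
```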
days: Specifies the day or days of the week (in words or digits) on which the periodic statement is valid. If you specify multiple values, separate each value with a space, and be sure that they do not overlap. These values can take one of the following forms:
• A digit in the range 0 to 6, respectively for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday.
• A day of a week in words, sun, mon, tue, wed, thu, fri, and sat.
• working-day for Monday through Friday.
system-view
[Sysname] time-range t1 8:0 to 18:0 working-day
# Create an absolute time range t2, setting it to be active in the whole year of 2010.
system-view
[Sysname] time-range t2 from 0:0 1/1/2010 to 23:59 12/31/2010
# Create a compound time range t3, setting it to be active from 08:00 to 12:00 on Saturdays and Sundays of the year 2010.
PKI configuration commands

attribute

Syntax:
attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
undo attribute { id | all }
View: Certificate attribute group view
Default level: 2: System level
Parameters:
id: Sequence number of the certificate attribute rule, in the range 1 to 16.
alt-subject-name: Specifies the name of the alternative certificate subject.
fqdn: Specifies the FQDN of the entity.
Examples:
# Create a certificate attribute rule, specifying that the DN in the subject name includes the string of abc.
system-view
[Sysname] pki certificate attribute-group mygroup
[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc
# Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string of abc.
Default level: 2: System level
Parameters:
entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters.
Description:
Use the certificate request entity command to specify the entity for certificate request. Use the undo certificate request entity command to remove the configuration.
By default, no entity is specified for a PKI domain.
Related commands: pki entity.
Examples:
# Specify the entity for certificate request as entity1.
certificate request mode

Syntax:
certificate request mode { auto [ key-length key-length | password { cipher | simple } password ] * | manual }
undo certificate request mode
View: PKI domain view
Default level: 2: System level
Parameters:
auto: Specifies to request a certificate in auto mode.
key-length: Length of the RSA keys, in the range 512 to 2,048 bits. It is 1,024 bits by default.
cipher: Specifies to display the password in cipher text.
simple: Specifies to display the password in clear text.
Default level: 2: System level
Parameters:
count count: Specifies the maximum number of attempts to poll the status of the certificate request, in the range 1 to 100.
interval minutes: Specifies the polling interval, in the range 5 to 168 minutes.
Description:
Use the certificate request polling command to specify the certificate request polling interval and attempt limit. Use the undo certificate request polling command to restore the defaults.
Examples:
# Specify the URL of the server for certificate request.
system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll

common-name

Syntax:
common-name name
undo common-name
View: PKI entity view
Default level: 2: System level
Parameters:
name: Common name of an entity, a case-insensitive string of 1 to 31 characters. No comma can be included.
Description:
Use the country command to specify the code of the country to which an entity belongs. It is a standard 2-character code, for example, CN for China. Use the undo country command to remove the configuration.
By default, no country code is specified.
Examples:
# Set the country code of an entity to CN.
Default level: 2: System level
Parameters:
hours: CRL update period, in the range 1 to 720 hours.
Description:
Use the crl update-period command to set the CRL update period, that is, the interval at which the PKI entity downloads the latest CRLs. Use the undo crl update-period command to restore the default.
By default, the CRL update period depends on the next update field in the CRL file.
The CRL update period is the interval at which a PKI entity with a certificate downloads a CRL from the LDAP server.
[Sysname-pki-domain-1] crl url ldap://169.254.0.30

display pki certificate

Syntax:
display pki certificate { { ca | local } domain domain-name | request-status }
View: Any view
Default level: 2: System level
Parameters:
ca: Displays the CA certificate.
local: Displays the local certificate.
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
request-status: Displays the status of a certificate request.
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit): 00D41D1F …
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: hyf.xxyyzz.net
X509v3 CRL Distribution Points:
URI:http://1.1.1.1:447/myca.
Examples:
# Display information about the certificate attribute-based access control policy named mypolicy.
Output description (Field: Description)
issuer-name: Name of the certificate issuer
fqdn: FQDN of the entity
nctn: Indicates the not-contain operations
app: Value of attribute 2

display pki crl domain

Syntax:
display pki crl domain domain-name
View: Any view
Default level: 2: System level
Parameters:
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
Description:
Use the display pki crl domain command to display the locally saved CRLs.
Related commands: pki retrieval-crl, pki domain.
Table 11 Output description (Field: Description)
Version: Version of the CRLs
Signature Algorithm: Signature algorithm used by the CRLs
Issuer: CA issuing the CRLs
Last Update: Last update time
Next Update: Next update time
CRL extensions: Extensions of CRL
X509v3 Authority Key Identifier: CA issuing the CRLs. The certificate version is X.509v3.
keyid: ID of the public key. A CA may have multiple key pairs. This field indicates the key pair used by the CRL’s signature.
ip (PKI entity view)

Syntax:
ip ip-address
undo ip
View: PKI entity view
Default level: 2: System level
Parameters:
ip-address: IP address for an entity.
Description:
Use the ip command to configure the IP address of an entity. Use the undo ip command to remove the configuration.
By default, no IP address is specified for an entity.
Examples:
# Configure the IP address of an entity as 11.0.0.1.
system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] ip 11.0.0.
Examples:
# Specify an LDAP server for PKI domain 1.
system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] ldap-server ip 169.254.0.30

locality

Syntax:
locality locality-name
undo locality
View: PKI entity view
Default level: 2: System level
Parameters:
locality-name: Name for the geographical locality, a case-insensitive string of 1 to 31 characters. No comma can be included.
Description:
Use the organization command to configure the name of the organization to which the entity belongs. Use the undo organization command to remove the configuration.
By default, no organization name is specified for an entity.
Examples:
# Configure the name of the organization to which an entity belongs as org-name.
Default level: 2: System level
Parameters:
policy-name: Name of the certificate attribute-based access control policy, a case-insensitive string of 1 to 16 characters. It cannot be “a”, “al” or “all”.
all: Specifies all certificate attribute-based access control policies.
Description:
Use the pki certificate access-control-policy command to create a certificate attribute-based access control policy and enter its view.
pki delete-certificate

Syntax:
pki delete-certificate { ca | local } domain domain-name
View: System view
Default level: 2: System level
Parameters:
ca: Deletes the locally stored CA certificate.
local: Deletes the locally stored local certificate.
domain-name: Name of the PKI domain whose certificates are to be deleted, a string of 1 to 15 characters.
Description:
Use the pki delete-certificate command to delete the certificate locally stored for a PKI domain.
[Sysname-pki-domain-1]

pki entity

Syntax:
pki entity entity-name
undo pki entity entity-name
View: System view
Default level: 2: System level
Parameters:
entity-name: Name for the entity, a case-insensitive string of 1 to 15 characters.
Description:
Use the pki entity command to create a PKI entity and enter PKI entity view. Use the undo pki entity command to remove a PKI entity.
By default, no entity exists.
You can configure a variety of attributes for an entity in PKI entity view.
filename filename: Specifies the name of the certificate file, which is a case-insensitive string of 1 to 127 characters. It defaults to domain-name_ca.cer or domain-name_local.cer, the name for the file to be created to save the imported certificate.
Description:
Use the pki import-certificate command to import a CA certificate or local certificate from a file and save it locally.
Related commands: pki domain.
Examples:
# Import the CA certificate for PKI domain cer in the format of PEM.
R8owVmA0XVtGMbyqBNcDTG0f5NbHrXZQT5+MbFJOnm5K/mn1ro5TJKMTKV46PlCZ
JUjsugaY02GBY0BVcylpC9iIXLuXNIqjh1MBIqVsa1lQOHS7YMvnop6hXAQlkM4c
-----END CERTIFICATE REQUEST-----

pki retrieval-certificate

Syntax:
pki retrieval-certificate { ca | local } domain domain-name
View: System view
Default level: 2: System level
Parameters:
ca: Retrieves the CA certificate.
local: Retrieves the local certificate.
domain-name: Name of the PKI domain used for certificate request.
Examples:
# Retrieve CRLs.
system-view
[Sysname] pki retrieval-crl domain 1

pki validate-certificate

Syntax:
pki validate-certificate { ca | local } domain domain-name
View: System view
Default level: 2: System level
Parameters:
ca: Verifies the CA certificate.
local: Verifies the local certificate.
domain-name: Name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters.
string: Fingerprint to be used. An MD5 fingerprint must be a string of 32 characters in hexadecimal. A SHA1 fingerprint must be a string of 40 characters in hexadecimal.
Description:
Use the root-certificate fingerprint command to configure the fingerprint to be used for verifying the validity of the CA root certificate. Use the undo root-certificate fingerprint command to remove the configuration.
By default, no fingerprint is configured for verifying the validity of the CA root certificate.
Examples:
# Create an access control rule, specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group mygroup.
system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup

state

Syntax:
state state-name
undo state
View: PKI entity view
Default level: 2: System level
Parameters:
state-name: State or province name, a case-insensitive string of 1 to 31 characters.
Public key configuration commands

display public-key local rsa public

Syntax:
display public-key local rsa public
View: Any view
Default level: 1: Monitor level
Parameters: None
Description:
Use the display public-key local rsa public command to display the public key information of the local asymmetric key pairs.
Related commands: public-key local create rsa.
Examples:
# Display the public key information of the local RSA key pairs.
Table 12 Output description (Field: Description)
Time of Key pair created: Date and time when the local asymmetric key pair was created
Key name: Key name, which can be one of the following values:
• HOST_KEY—Host public key.
• SERVER_KEY—Server public key. This value is available only for RSA key pairs.
Key type: Key type, which can only be: RSA Encryption Key—RSA key pair.
42D56393BF241F99A639DD02D9E29B1F5C1FD05CC1C44FBD6CFFB58BE6F035FAA2C596B27D1231D159846
B7CB9A7757C5800FADA9FD72F65672F4A549EE99F63095E11BD37789955020123
Table 13 Output description (Field: Description)
Key Name: Name of the public key
Key Type: Key type, which can only be RSA.
Key Module: Key modulus length in bits
Key Code: Public key data
# Display brief information about all locally saved peer public keys.
public-key-code begin

Syntax:
public-key-code begin
View: Public key view
Default level: 2: System level
Parameters: None
Description:
Use the public-key-code begin command to enter public key code view. Then input the key data in the correct format to specify the peer public key. Spaces and carriage returns are allowed between characters.
If the peer device is an HP device, input the key data displayed by the display public-key local rsa public command so that the key is format compliant.
Description:
Use the public-key-code end command to return from public key code view to public key view and to save the configured public key. The system verifies the key before saving it. If the key is not in the correct format, the system discards the key and displays an error message. If the key is valid, the system saves the key.
Related commands: public-key peer and public-key-code begin.
Examples:
# Exit public key code view and save the configured public key.
system-view
[Sysname] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++
+++++++
+++++++++
+++

public-key local destroy rsa

Syntax:
public-key local destroy rsa
View: System view
Default level: 2: System level
Parameters:
rsa: RSA key pair.
ssh1: Uses the format of SSH1.5.
ssh2: Uses the format of SSH2.0.
filename: Specifies the name of the file for storing the host public key. For more information about file name, see System Maintenance Configuration Guide.
Description:
Use the public-key local export rsa command without the filename argument to display the host public key of the local RSA key pairs in a specified key format.
Parameters:
keyname: Specifies a name for the peer public key on the local device, a case sensitive string of 1 to 64 characters.
Description:
Use the public-key peer command to specify a name for the peer public key and enter public key view. Use the undo public-key peer command to remove the public key.
To manually configure the peer public key on the local device, obtain the public key in hexadecimal from the peer device beforehand and perform the following configurations:
1.
Examples:
# Import the peer host public key named key2 from the public key file key.pub.
system-view
[Sysname] public-key peer key2 import sshkey key.
SSL configuration commands

ciphersuite

Syntax:
ciphersuite [ rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
View: SSL server policy view
Default level: 2: System level
Parameters:
rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.
rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC, and the MAC algorithm of SHA.
Default level: 2: System level
Parameters: None
Description:
Use the client-verify enable command to enable certificate-based SSL client authentication, that is, to enable the SSL server to authenticate the client by the client’s certificate during the SSL handshake process. Use the undo client-verify enable command to restore the default.
By default, certificate-based SSL client authentication is disabled.
Related commands: display ssl server-policy.
[Sysname-ssl-server-policy-policy1] close-mode wait

display ssl client-policy

Syntax:
display ssl client-policy { policy-name | all }
View: Any view
Default level: 1: Monitor level
Parameters:
policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters.
all: Displays information about all SSL client policies.
Description:
Use the display ssl client-policy command to view information about a specified or all SSL client policies.
Parameters:
policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters.
all: Displays information about all SSL server policies.
Description:
Use the display ssl server-policy command to view information about a specified or all SSL server policies.
Examples:
# Display information about SSL server policy policy1.
undo handshake timeout
View: SSL server policy view
Default level: 2: System level
Parameters:
time: Handshake timeout time in seconds, in the range 180 to 7200.
Description:
Use the handshake timeout command to set the handshake timeout time for an SSL server policy. Use the undo handshake timeout command to restore the default.
By default, the handshake timeout time is 3600 seconds.
system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] pki-domain server-domain
# Configure SSL client policy policy1 to use PKI domain client-domain.
undo session { cachesize | timeout } *
View: SSL server policy view
Default level: 2: System level
Parameters:
cachesize size: Specifies the maximum number of cached sessions, in the range 100 to 1000.
timeout time: Specifies the caching timeout time in seconds, in the range 1800 to 72000.
Description:
Use the session command to set the maximum number of cached sessions and the caching timeout time. Use the undo session command to restore the default.
Description:
Use the ssl client-policy command to create an SSL client policy and enter its view. Use the undo ssl client-policy command to delete a specified or all SSL client policies.
Related commands: display ssl client-policy.
Examples:
# Create SSL client policy policy1 and enter its view.
View: SSL client policy view
Default level: 2: System level
Parameters:
ssl3.0: Specifies SSL 3.0.
tls1.0: Specifies TLS 1.0.
Description:
Use the version command to specify the SSL protocol version for an SSL client policy. Use the undo version command to restore the default.
By default, the SSL protocol version for an SSL client policy is TLS 1.0.
Related commands: display ssl client-policy.
Examples:
# Specify the SSL protocol version for SSL client policy policy1 as SSL 3.0.
AAA configuration commands

aaa nas-id profile

Syntax:
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name
View: System view
Default level: 2: System level
Parameters:
profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.
Description:
Use the aaa nas-id profile command to create a NAS ID profile and enter its view. Use the undo aaa nas-id profile command to remove a NAS ID profile.
Related commands: nas-id bind vlan.
Description:
Use the access-limit enable command to enable the limit on the number of users in an ISP domain and set the allowed maximum number. After the number of users reaches the maximum number allowed, no more users will be accepted. Use the undo access-limit enable command to restore the default.
By default, there is no limit to the number of users in an ISP domain.
accounting default

Syntax:
accounting default { local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting default
View: ISP domain view
Default level: 2: System level
Parameters:
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description:
Use the accounting default command to configure the default accounting method for all types of users.
View: ISP domain view
Default level: 2: System level
Parameters:
local: Performs local accounting. It is not used for charging purposes, but for collecting statistics on and limiting the number of local user connections.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description:
Use the accounting login command to configure the accounting method for login users.
Description:
Use the accounting optional command to enable the accounting optional feature. Use the undo accounting optional command to disable the feature.
By default, the feature is disabled.
Examples:
# Configure the default ISP domain system to use local authentication for all types of users.
system-view
[Sysname] domain system
[Sysname-isp-system] authentication default local
# Configure ISP domain test to use RADIUS authentication scheme rd for all types of users and use local authentication as the backup.
authentication super

Syntax:
authentication super radius-scheme radius-scheme-name
undo authentication super
View: ISP domain view
Default level: 2: System level
Parameters:
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a case-insensitive string of 1 to 32 characters.
Description:
Use the authentication super command to configure the authentication method for user privilege level switching. Use the undo authentication super command to restore the default.
Description:
Use the authorization command command to configure the command line authorization method. Use the undo authorization command command to restore the default.
By default, the default authorization method is used for command line users.
For local authorization, the local users must have been configured for the command line users on the LB module, and the level of the commands authorized to a local user must be lower than or equal to that of the local user. Otherwise, local authorization will fail.
Related commands: authentication default, accounting default, and radius scheme.
Examples:
# Configure the default ISP domain system to use local authorization for all types of users.
system-view
[Sysname] domain system
[Sysname-isp-system] authorization default local
# Configure ISP domain test to use RADIUS authorization scheme rd for all types of users and use local authorization as the backup.
# Configure ISP domain test to use RADIUS authorization scheme rd for login users and use local authorization as the backup.
Description:
Use the authorization-attribute command to configure authorization attributes for the local user or user group. After the local user or a local user of the user group passes authentication, the LB module will assign these attributes to the user. Use the undo authorization-attribute command to remove authorization attributes.
By default, no authorization attribute is configured for a local user or user group.
Description:
Use the authorization-attribute user-profile command to specify the default authorization user profile for an ISP domain. Use the undo authorization-attribute user-profile command to restore the default.
By default, an ISP domain has no default authorization user profile.
Description:
Use the bind-attribute command to configure binding attributes for a local user. Use the undo bind-attribute command to remove binding attributes of a local user.
By default, no binding attribute is configured for a local user.
Binding attributes are checked upon authentication of a local user. If the binding attributes of a local user do not match the configured ones, the checking will fail and the user will fail the authentication as a result.
user-name user-name: Specifies a user connection by username. The user-name argument is a case-sensitive string of 1 to 80 characters and must contain the domain name. If you enter a username without any domain name, the system assumes that the default domain name is used for the username. vlan vlan-id: Specifies user connections of a VLAN, with vlan-id ranging from 1 to 4094. Description Use the cut connection command to tear down the specified connections forcibly.
If you specify the ucibindex ucib-index combination, the command displays detailed information; otherwise, the command displays brief information. This command does not apply to FTP user connections. Related commands: cut connection.
Examples
# Display information about all AAA user connections.
display connection
Index=1 ,Username=telnet@system
IP=10.0.0.1
Total 1 connection(s) matched.
# Display information about AAA user connections using the index of 0.
View Any view Default level 1: Monitor level Parameters isp-name: Name of an existing ISP domain, a string of 1 to 24 characters. Description Use the display domain command to display the configuration information of a specified ISP domain or all ISP domains. Related commands: access-limit enable, domain, and state. Examples # Display the configuration information of all ISP domains.
Field   Description
State   Status of the domain (active or block)
Access-limit   Limit on the number of user connections
Accounting method   Accounting method (either required or optional)
Default authentication scheme   Default authentication method
Default authorization scheme   Default authorization method
Default accounting scheme   Default accounting method
Domain User Template   Template for users in the domain
Idle-cut   Whether idle cut is enabled
Self-service   Whether self service is enabled
User
ServiceType: None
Access-limit: Disable
User-group: system
Current AccessNum: 0
Bind attributes:
Authorization attributes:
The contents of local user 2:
State: Active
ServiceType: ftp/telnet
Access-limit: Disable
User-group: system
Current AccessNum: 0
Bind attributes:
Authorization attributes:
User Privilege: 3
The contents of local user 3:
State: Active
ServiceType: telnet
Access-limit: Disable
User-group: system
Current AccessNum: 0
Bind attributes:
Authorization attributes:
Us
Related commands: user-group.
Examples
# Display configuration information about user group abc.
display user-group abc
The contents of user group abc:
Authorization attributes:
Idle-cut: 120(min)
Work Directory: cfa0
Level: 1
Acl Number: 2000
Vlan ID: 1
User-Profile: 1
Callback-number: 1
Total 1 user group(s) matched.
domain default enable Syntax domain default enable isp-name undo domain default enable View System view Default level 3: Manage level Parameters isp-name: Name of the ISP domain, a string of 1 to 24 characters. Description Use the domain default enable command to specify the system default ISP domain. Users without any domain name carried in the usernames are considered to be in the default domain. Use the undo domain default enable command to restore the default.
Parameters time: Expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS range from 0 to 59. YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2008/2/2 is equivalent to 02:02:00-2008/02/02.
[Sysname-luser-111] group abc
idle-cut enable
Syntax
idle-cut enable minute flow
undo idle-cut enable
View ISP domain view
Default level 2: System level
Parameters minute: Maximum idle duration allowed, in the range 1 to 600 minutes. flow: User idle threshold, in the range 1 to 10240000 bytes.
Description Use the idle-cut enable command to enable the idle cut function and set the relevant parameters.
Default level 3: Manage level Parameters user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain any backward slash (\), forward slash (/), vertical line (|), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>) and the @ sign and cannot be a, al, or all. all: Specifies all users. service-type: Specifies the users of a type. • ftp refers to users using FTP. • ssh refers to users using SSH.
Use the undo local-user password-display-mode command to restore the default. The default mode is auto. With the cipher-force mode configured: • A local user password is always displayed in cipher text, regardless of the configuration of the password command. • If you use the save command to save the configuration, all existing local user passwords will still be displayed in cipher text after the LB module restarts, even if you restore the display mode to auto.
password
Syntax
password { cipher | simple } password
undo password
View Local user view
Default level 2: System level
Parameters cipher: Specifies to display the password in cipher text. simple: Specifies to display the password in simple text. password: Password for the local user.
• In simple text, it must be a string of 1 to 63 characters that contains no blank space, for example, aabbcc.
• In cipher text, it is the encrypted form of the password as the LB module displays it, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!.
View ISP domain view Default level 2: System level Parameters url-string: URL of the self-service server for changing user password, a string of 1 to 64 characters. It must start with http:// and contain no question mark. Description Use the self-service-url enable command to enable the self-service server location function and specify the URL of the self-service server for changing user password. Use the undo self-service-url enable command to restore the default. By default, the function is disabled.
ssh: Authorizes the user to use the SSH service. telnet: Authorizes the user to use the Telnet service. terminal: Authorizes the user to use the terminal service, allowing the user to log in from the console port. Description Use the service-type command to specify the service types that a user can use. Use the undo service-type command to delete one or all service types configured for a user. By default, a user is authorized with no service. Examples # Authorize user user1 to use the Telnet service.
# Place the current user user1 in the blocked state.
system-view
[Sysname] local-user user1
[Sysname-luser-user1] state block
user-group
Syntax
user-group group-name
undo user-group group-name
View System view
Default level 3: Manage level
Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters.
Description Use the user-group command to create a user group and enter its view. Use the undo user-group command to remove a user group.
RADIUS configuration commands accounting-on enable Syntax accounting-on enable undo accounting-on enable View RADIUS scheme view Default level 2: System level Parameters None Description Use the accounting-on enable command to enable the accounting-on feature. After doing so, when the LB module reboots, an accounting-on message will be sent to the RADIUS server to log out the online users of the module. Use the undo accounting-on enable command to disable the accounting-on feature.
Default level 2: System level Parameters seconds: Time interval to retransmit accounting-on packet in seconds, ranging from 1 to 15. Description Use the accounting-on enable interval command to configure the retransmission interval of accounting-on packets. Use the undo accounting-on enable interval command to restore the default. By default, the retransmission interval of accounting-on packets is 3 seconds.
The maximum number of accounting-on packet transmission attempts configured with this command takes effect immediately. Related commands: radius scheme and accounting-on enable. Examples # In RADIUS scheme rd, set the maximum number of accounting-on packet transmission attempts to 10.
Default level 2: System level Parameters data: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte. packet: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet. Description Use the data-flow-format command to specify the unit for data flows or packets to be sent to a RADIUS server. Use the undo data-flow-format command to restore the default.
display radius scheme
-----------------------------------------------------------------
SchemeName : radius1
Index : 0
Type : extended
Primary Auth Server: IP: 1.1.1.1 Port: 1812 State: block
Port: 1813 State: block
Port: 1812 State: block
Port: 1813 State: block
Encryption Key : 345
Primary Acct Server: IP: 1.1.1.
Field   Description
Port   Service port of the server. If no port configuration is performed, the default port number is displayed.
State   Status of the server, active or block.
Examples # Display statistics about RADIUS packets.
Field   Description
DEAD   Number of idle users
AuthProc   Number of users waiting for authentication
AuthSucc   Number of users who have passed authentication
AcctStart   Number of users for whom accounting has been started
RLTSend   Number of users for whom the system sends real-time accounting packets
RLTWait   Number of users waiting for real-time accounting
AcctStop   Number of users in the state of accounting waiting stopped
OnLine   Number of online users
Stop   Number of users in the state of stop
R
Field   Description
Auth reject   Number of rejected authentication packets
EAP auth replying   Number of replying packets of EAP authentication
Account success   Number of accounting succeeded packets
Account failure   Number of accounting failed packets
Server ctrl req   Number of server control requests
RecError_MSG_sum   Number of received packets in error
SndMSG_Fail_sum   Number of packets that failed to be sent out
Timer_Err   Number of timer errors
Alloc_Mem_Err   Number of memory errors
State Misma
If it receives no response after sending a stop-accounting request to a RADIUS server, the module buffers the request and retransmits it. You can use the retry stop-accounting command to set the number of allowed transmission attempts. Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, user-name-format, and retry stop-accounting. Examples # Display information about the buffered stop-accounting requests from 0:0:0 to 23:59:59 on August 31, 2006.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting ok
nas-ip (RADIUS scheme view)
Syntax
nas-ip ip-address
undo nas-ip
View RADIUS scheme view
Default level 2: System level
Parameters ip-address: IPv4 address in dotted decimal notation. It must be an address of the LB module and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
primary accounting (RADIUS scheme view) Syntax primary accounting ip-address [ port-number ] [ key string ] undo primary accounting View RADIUS scheme view Default level 2: System level Parameters ip-address: IPv4 address of the primary accounting server. port-number: UDP port number of the primary accounting server, which ranges from 1 to 65535 and defaults to 1813. key string: Specifies the shared key for exchanging accounting packets with the primary RADIUS accounting server.
primary authentication (RADIUS scheme view) Syntax primary authentication ip-address [ port-number ] [ key string ] undo primary authentication View RADIUS scheme view Default level 2: System level Parameters ip-address: IPv4 address of the primary authentication/authorization server. port-number: UDP port number of the primary authentication/authorization server, which ranges from 1 to 65535 and defaults to 1812.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812
radius client
Syntax
radius client enable
undo radius client
View System view
Default level 2: System level
Parameters None
Description Use the radius client enable command to enable the listening port of the RADIUS client. Use the undo radius client command to disable the listening port of the RADIUS client. By default, the listening port is enabled.
Default level 2: System level Parameters ip-address: IPv4 address in dotted decimal notation. It must be an address of the LB module and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. Description Use the radius nas-ip command to specify the IP address for the LB module to use as the source address of the RADIUS packets to be sent to the server. Use the undo radius nas-ip command to remove the configuration.
By default, no RADIUS scheme is defined. The RADIUS protocol is configured scheme by scheme. Every RADIUS scheme must at least specify the IP addresses and UDP ports of the RADIUS authentication/authorization/accounting servers and the parameters necessary for a RADIUS client to interact with the servers. A RADIUS scheme can be referenced by more than one ISP domain at the same time. You cannot remove the RADIUS scheme being used by online users with the undo radius scheme command.
• Status of a RADIUS server changes. If a NAS sends an accounting or authentication request to the RADIUS server but gets no response, the NAS retransmits the request and sends a trap message when it has transmitted the request half of the specified maximum number of times. If the specified maximum number of transmission attempts is odd, the half is rounded up to the next integer (for example, the trap is sent on the third attempt when the maximum is 5).
View User view Default level 2: System level Parameters radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a string of 1 to 32 characters. session-id session-id: Specifies a session by its ID, a string of 1 to 50 characters. time-range start-time stop-time: Specifies a time range by its start time and end time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd. user-name user-name: Specifies a username based on which to reset the stop-accounting buffer.
The default value for the retry-times argument is 3. Because RADIUS uses UDP to transmit data, the communication is not reliable. If the LB module does not receive a response to its request from the RADIUS server within the response timeout time, it retransmits the RADIUS request. If the number of transmission attempts exceeds the limit and the module still receives no response from the RADIUS server, the module considers the authentication to have failed.
Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the timeout retransmission attempts is 3 (set with the retry command), and the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting request transmission attempts is 5 (set with the retry realtime-accounting command).
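The arithmetic behind the timers named above, as an added example that is not part of the HP documentation. It models only what the text states: each transmission waits a full response timeout, the retry value bounds the total number of transmission attempts, a trap is sent at half that number rounded up, and for real-time accounting the user is cut off after the configured number of consecutive failed attempts, one per interval. How the scheme then marks the server as blocked is assumed to coincide with the last attempt timing out; the functions do no network I/O.

```python
"""Timing model for RADIUS retransmission parameters (added example, not HP code).

Assumptions, per the surrounding text:
  * timer response-timeout  -> seconds the NAS waits after each send
  * retry                   -> maximum number of transmission attempts
  * a trap is sent on attempt ceil(retry / 2)
  * timer realtime-accounting / retry realtime-accounting -> the user is cut
    off after `retry` consecutive intervals with no reply
"""
import math
from typing import List, Tuple


def trap_attempt(max_attempts: int) -> int:
    """Attempt number on which the 'no response' trap is sent.

    Half of max_attempts, rounded up: the text's "smallest integer greater
    than the half" for odd values (5 -> 3), exact half for even values (4 -> 2).
    """
    if max_attempts < 1:
        raise ValueError("max_attempts must be at least 1")
    return math.ceil(max_attempts / 2)


def transmission_schedule(response_timeout_s: int, max_attempts: int) -> List[Tuple[int, int, bool]]:
    """Send times for one request that never gets a reply.

    Returns (attempt_no, seconds_since_first_send, trap_sent_on_this_attempt).
    Attempt n goes out after n-1 full timeouts have elapsed.
    """
    trap_at = trap_attempt(max_attempts)
    return [(n, (n - 1) * response_timeout_s, n == trap_at) for n in range(1, max_attempts + 1)]


def request_fails_after(response_timeout_s: int, max_attempts: int) -> int:
    """Seconds until the NAS gives up on a request: every attempt waits a full
    timeout, so 3 s x 3 attempts = 9 s before authentication is treated as failed.
    """
    return response_timeout_s * max_attempts


def worst_case_login_delay(response_timeout_s: int, max_attempts: int, servers: int) -> int:
    """Assumed: when a server fails the NAS turns to the next one and repeats the
    same attempt cycle, so with primary and secondary both dead a login waits
    for two full cycles before failing.
    """
    return request_fails_after(response_timeout_s, max_attempts) * servers


def realtime_cutoff_minutes(interval_min: int, max_attempts: int) -> int:
    """Minutes an online user survives an unreachable accounting server:
    one real-time accounting attempt per interval, cut off after max_attempts.
    """
    return interval_min * max_attempts


if __name__ == "__main__":
    # Values from the worked case in the text: timeout 3 s, retry 3,
    # real-time interval 12 min, retry realtime-accounting 5.
    for attempt, t, trap in transmission_schedule(3, 3):
        print(f"attempt {attempt} at t={t}s{'  (trap)' if trap else ''}")
    print("request fails after", request_fails_after(3, 3), "s")
    print("primary+secondary dead:", worst_case_login_delay(3, 3, 2), "s")
    print("user cut off after", realtime_cutoff_minutes(12, 5), "min")
```

With the text's values the request is abandoned after 9 seconds, the trap goes out on the second attempt (at t=3 s), and a user whose accounting server stops answering stays online for 60 minutes before being cut off; raising retry or the timeout lengthens every login attempt when a server is down, which is why the defaults are small.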
Examples # Set the maximum number of stop-accounting request transmission attempts to 1,000 for RADIUS scheme radius1.
Examples
# Specify the secondary accounting server for RADIUS scheme radius1.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary accounting 10.110.1.
Related commands: key, radius scheme, and state.
Examples
# Specify the secondary authentication/authorization server for RADIUS scheme radius1.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812
security-policy-server
Syntax
security-policy-server ip-address
undo security-policy-server { ip-address | all }
View RADIUS scheme view
Default level 2: System level
Parameters ip-address: IP address of the security policy server.
Default level 2: System level Parameters extended: Specifies the extended RADIUS server (generally CAMS or iMC), which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats provisioned by the private RADIUS protocol. standard: Specifies the standard RADIUS server, which requires the RADIUS client end and RADIUS server to interact according to the regulation and packet format of the standard RADIUS protocol (RFC 2865/2866 or newer).
When the primary server and secondary server are both in active state, the LB module communicates with the primary server. If the primary server fails, the module changes the status of the primary server to block and turns to the secondary server. When the quiet timer times out, the module resumes the status of the primary server to active while keeping the status of the secondary server unchanged.
response or the number of transmission retries reaches the configured limit. In the latter case, the NAS discards the packet. You can use the commands to change the setting only when no user is using the RADIUS scheme. Related commands: reset stop-accounting-buffer, radius scheme, and display stop-accounting-buffer. Examples # In RADIUS scheme radius1, enable the LB module to buffer the stop-accounting requests getting no responses.
Default level 2: System level Parameters minutes: Real-time accounting interval in minutes, zero or a multiple of 3 in the range 3 to 60. The default is 12. Description Use the timer realtime-accounting command to set the real-time accounting interval. Use the undo timer realtime-accounting command to restore the default. For real-time accounting, a NAS must transmit the accounting information of online users to the RADIUS accounting server periodically. This command is for setting the interval.
Parameters seconds: RADIUS server response timeout period in seconds. It ranges from 1 to 10 and defaults to 3. Description Use the timer response-timeout command to set the RADIUS server response timeout timer. Use the undo timer command to restore the default.
If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain, thus avoiding the confused situation where the RADIUS server regards two users in different ISP domains but with the same user ID as one. For 802.1X users using EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect and the module does not change the usernames from clients before forwarding them to the RADIUS server.
Session management commands application aging-time Syntax application aging-time { dns | ftp | msn | qq } time-value undo application aging-time [ dns | ftp | msn | qq ] View System view Default Level 2: System level Parameters dns: Specifies the aging time for DNS sessions. ftp: Specifies the aging time for FTP sessions. msn: Specifies the aging time for MSN sessions. qq: Specifies the aging time for QQ sessions. time-value: Aging time, which ranges from 5 seconds to 100000 seconds.
Parameters vd-name vd-name: Displays the relationship table entries of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines. Description Use the display session relation-table command to display relationship table entries. If no virtual device is specified, the command displays the relationship table entries of all virtual devices.
Default Level 2: System level Parameters vd-name vd-name: Displays the session statistics of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines. Description Use the display session statistics command to display statistics about sessions. If no virtual device is specified, the command displays session statistics of all virtual devices.
Field   Description
Current UDP session(s)   Number of UDP sessions
Current ICMP session(s)   Number of ICMP sessions
Current RAWIP session(s)   Number of Raw IP sessions
Current relation table(s)   Total number of relationship table entries
Session establishment rate   Session establishment rate
TCP Session establishment rate   Establishment rate of TCP sessions
UDP Session establishment rate   Establishment rate of UDP sessions
ICMP Session establishment rate   Establishment rate of ICMP sessions
RAWIP Se
If no keywords or parameters are specified, the command displays information about all sessions. If no virtual device is specified, the command displays the session tables of all virtual devices. If both the source-ip and destination-ip keywords are specified, the command displays only the sessions with the specified source and destination IP addresses.
Examples
# Display brief information about all sessions.
display session table
Initiator:
Source IP/Port : 192.168.1.
Received packet(s)(Reply): 1168 packet(s) 61845 byte(s)
Total find: 2
Table 25 Output description
Field   Description
Initiator:   Session information of the initiator
Responder:   Session information of the responder
Pro   Transport layer protocol, TCP, UDP, ICMP, or Raw IP
VPN-Instance/VLAN ID/VLL ID   VPN instance that the session belongs to, and the VLAN and INLINE that the session belongs to during Layer 2 forwarding
App   Application layer protocol, FTP, DNS, MSN or QQ. Unknown indicates protocol type o
Default Level 2: System level Parameters vd-name vd-name: Specifies the sessions of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be only numerals, letters and underlines. source-ip source-ip: Specifies the sessions with the specified source IP address of the initiator. destination-ip destination-ip: Specifies the sessions with the specified destination IP address of the initiator.
Description Use the reset session statistics command to clear session statistics. If no virtual device is specified, the command clears the session statistics of all virtual devices. Examples # Clear the statistics about all sessions.
system-view
[Sysname] session aging-time syn 60
session checksum
Syntax
session checksum { all | { icmp | tcp | udp } * }
undo session checksum { all | { icmp | tcp | udp } * }
View System view
Default Level 2: System level
Parameters all: Enables checksum verification for TCP, UDP, and ICMP packets. icmp: Enables checksum verification for ICMP packets. tcp: Enables checksum verification for TCP packets. udp: Enables checksum verification for UDP packets.
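The verification that session checksum turns on, shown as an added example that is not HP code: the RFC 1071 Internet checksum computed over a constructed ICMP echo request and over a constructed UDP datagram with its IPv4 pseudo-header. A packet that fails these checks is what the LB module would refuse to create a session for; the exact drop behaviour is device-specific and is assumed here, as are the sample addresses and ports.

```python
"""Internet checksum verification for ICMP and UDP (added example, not HP code).

All packets below are constructed in-line; nothing is captured from a network.
"""
import socket
import struct


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words, complemented (RFC 1071).

    An odd trailing byte is padded with a zero byte, as the RFC specifies.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8, code 0) with a correct checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def icmp_checksum_ok(icmp: bytes) -> bool:
    """A valid packet, summed together with its own checksum field, gives the
    all-ones one's-complement sum, so the complemented result is zero."""
    return len(icmp) >= 8 and internet_checksum(icmp) == 0


def _udp_pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    # RFC 768 pseudo-header: src IP, dst IP, zero, protocol 17, UDP length
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len))


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP datagram whose checksum covers the pseudo-header, header and payload."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = internet_checksum(_udp_pseudo_header(src, dst, length) + header + payload)
    if csum == 0:
        csum = 0xFFFF                       # RFC 768: computed zero is sent as all ones
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def udp_checksum_ok(src: str, dst: str, udp: bytes) -> bool:
    """Verify a UDP datagram against the IPv4 addresses it was carried between.

    The pseudo-header binds the checksum to the addresses, so the same bytes
    fail verification if the destination address differs.
    """
    if len(udp) < 8:
        return False
    length = struct.unpack("!H", udp[4:6])[0]
    if length != len(udp):
        return False
    if struct.unpack("!H", udp[6:8])[0] == 0:
        return True                         # IPv4 UDP may omit the checksum
    return internet_checksum(_udp_pseudo_header(src, dst, length) + udp) == 0


def flip_byte(pkt: bytes, index: int) -> bytes:
    """Corrupt one bit of a packet, as a damaged or forged packet would look."""
    b = bytearray(pkt)
    b[index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    ping = build_icmp_echo(0x1234, 1, b"constructed-echo-data")
    print("icmp ok:", icmp_checksum_ok(ping), "corrupted:", icmp_checksum_ok(flip_byte(ping, 12)))
    dgram = build_udp("10.0.0.1", "10.0.0.2", 40000, 1812, b"constructed-payload")
    print("udp ok:", udp_checksum_ok("10.0.0.1", "10.0.0.2", dgram),
          "wrong dst:", udp_checksum_ok("10.0.0.1", "10.0.0.3", dgram))
```

TCP verification works the same way as UDP (pseudo-header plus segment) and is omitted here only because it adds no new arithmetic. Note the UDP special case: a zero checksum field means "not computed" on IPv4 and must be accepted, so enabling verification does not reject such datagrams.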
Description Use the session persist acl command to specify the persistent session ACL. All sessions permitted by the ACL are considered persistent sessions. Use the undo session persist command to remove the configuration. By default, no persistent session ACL is specified. Persistent sessions will not be removed because they are not matched with any packets within the aging time. You can manually remove such sessions when necessary. There can be only one persistent session ACL.
Connection limit configuration commands connection-limit apply policy Syntax connection-limit apply policy policy-number undo connection-limit apply policy policy-number View System view Default level 2: System level Parameters policy-number: Number of an existing connection limit policy. The value can only be 0. Description Use the connection-limit apply policy command to apply a connection limit policy. The connection limit policy to be applied must contain at least one limit rule.
all: Specifies all connection limit policies. Description Use the connection-limit policy command to create a connection limit policy and enter connection limit policy view. A connection limit policy contains a set of rules for limiting the number of connections of a specified user. Use the undo connection-limit policy command to delete the specified or all connection limit policies. By default, no connection limit policy exists.
Field   Description
refcount 0, 1 limit   Number of times that the policy is applied and number of rules in the policy.
limit xxx   Rule in the policy. For more information, see the limit command.
The connection limit rules in a policy are matched in ascending order of rule ID. Take the match order into consideration when assigning the rules IDs. HP recommends you arrange the rule by limit granularity and limit range in ascending order. Related commands: connection-limit policy and display connection-limit policy. Examples # Configure connection limit rule 1 for policy 1 to limit the maximum number of TCP connections sourced from 1.1.1.1.
Web filtering configuration commands NOTE: The file name conventions in this document are as follows: • Full file name: File path plus file name, a case-insensitive string of 1 to 135 characters excluding the end character. • File name: File name without file path, a case-insensitive string of 1 to 91 characters excluding the end character.
1 5 .OCX
2 0 .vbs
Table 27 Output description
Field   Description
SN   Serial number
Match-Times   Number of times that a suffix keyword is matched
Keywords   ActiveX blocking suffix keyword
# Display detailed ActiveX blocking information.
display firewall http activex-blocking verbose
ActiveX blocking is enabled.
No ACL group has been configured.
There are 5 packet(s) being filtered.
There are 0 packet(s) being passed.
# Display Java blocking information about all suffix keywords.
display firewall http java-blocking all
SN Match-Times Keywords
---------------------------------------------
1 10 .CLASS
2 0 .JAR
3 0 .java
Table 28 Output description
Field   Description
SN   Serial number
Match-Times   Number of times that the suffix keyword has been matched
Keywords   Java blocking suffix keyword
# Display detailed information about Java blocking.
Default method: permit.
# Display URL address filtering information about a specified filtering entry.
display firewall http url-filter host item ^webfilter$
The HTTP request packet including "^webfilter$" had been matched for 10 times.
# Display URL address filtering information about all filtering entries.
item keywords: Specifies a filtering keyword. The keywords argument is a case-insensitive string of 1 to 80 characters. Valid characters include numerals, English letters, wildcards (‘^’, ‘$’, ‘&’ and ‘*’), and other ASCII characters with values in the range 31 to 127. verbose: Specifies detailed information. Description Use the display firewall http url-filter parameter command to display information about URL parameter filtering.
firewall http activex-blocking acl Syntax firewall http activex-blocking acl acl-number undo firewall http activex-blocking acl View System view Default Level 2: System level Parameters acl-number: ACL number, in the range 2000 to 3999. Description Use the firewall http activex-blocking acl command to specify an ACL for ActiveX blocking. Use the undo firewall http activex-blocking acl command to cancel the configuration. By default, no ACL is specified for ActiveX blocking.
Description Use the firewall http activex-blocking enable command to enable the ActiveX blocking function and add the default blocking keyword ‘.ocx’ to the ActiveX blocking suffix list. Use the undo firewall http activex-blocking enable command to disable the ActiveX blocking function. By default, the ActiveX blocking function is disabled. Related commands: display firewall http activex-blocking. Examples # Enable the ActiveX blocking function.
View System view Default Level 2: System level Parameters acl-number: ACL number, in the range 2000 to 3999. Description Use the firewall http java-blocking acl command to specify an ACL for Java blocking. Use the undo firewall http java-blocking acl command to cancel the configuration. By default, no ACL is specified for Java blocking. After the command takes effect, all web requests containing any suffix keywords in the Java blocking suffix list will be processed according to the specified ACL.
Examples
# Enable the Java blocking function.
system-view
[Sysname] firewall http java-blocking enable
firewall http java-blocking suffix
Syntax
firewall http java-blocking suffix keywords
undo firewall http java-blocking suffix keywords
View System view
Default Level 2: System level
Parameters keywords: Blocking suffix keyword, a case-insensitive string of 1 to 9 characters. Its starting character must be a dot "." and the subsequent characters must be digits or English letters.
Parameters acl-number: ACL number, in the range 2000 to 3999. Description Use the firewall http url-filter host acl command to specify an ACL for URL address filtering. Use the undo firewall http url-filter host acl command to cancel the configuration. By default, no ACL is specified for URL address filtering. With the command configured, all web requests using IP addresses will be processed according to the specified ACL.
[Sysname] firewall http url-filter host default permit firewall http url-filter host enable Syntax firewall http url-filter host enable undo firewall http url-filter host enable View System view Default Level 2: System level Parameters None Description Use the firewall http url-filter host enable command to enable the URL address filtering function. Use the undo firewall http url-filter host enable command to disable the URL address filtering function.
Related commands: firewall http url-filter host enable, display firewall http url-filter host. Examples # Configure to permit web requests using IP addresses for access to websites.
• If “*” is present at the beginning of a filtering entry, it must be present in the format like *.xxx, where xxx represents a keyword, for example, *.com or *.webfilter.com. • A filtering entry with only numerals is invalid. To filter a website address like www.123.com, you can define a filtering entry like ^123$, www.123.com, or 123.com, instead of 123. In other words, use exact match to filter numeral website addresses.
Wildcard   Meaning   Usage guidelines
$   Matches parameters ending with the keyword   It can be present once at the end of a filtering entry.
&   Stands for one valid character   It can be present multiple times at any position of a filtering entry, consecutively or inconsecutively, and cannot be used next to "*". If it is present at the beginning or end of a filtering entry, it must be next to "^" or "$".
Description Use the firewall http url-filter parameter enable command to enable the URL parameter filtering function. Use the undo firewall http url-filter parameter enable command to disable the URL parameter filtering function. By default, the URL parameter filtering function is disabled. Related commands: display firewall http url-filter parameter. Examples # Enable the URL parameter filtering function.
RSH configuration commands
rsh
Syntax
rsh host [ user username ] command remote-command
View User view
Default level 0: Visit level
Parameters host: IP address or host name of the remote host, a string of 1 to 20 characters. user username: Specifies the username for remote login, which is a string of 1 to 20 characters. If you specify no username, the system name of the HP LB module, which can be set by using the sysname command, applies. remote-command: Command to be executed remotely.
Note that rsh authenticates only through the remote host's trust configuration for the supplied username, and the username, the command, and its output all cross the network in cleartext, so use it only on a management network you control.
2001-12-07 17:28 122,880 wrshdctl.exe
2003-06-21 10:51 192,512 wrshdnt.cpl
2001-12-09 16:41 38,991 wrshdnt.hlp
2001-12-09 16:26 1,740 wrshdnt.cnt
2003-06-22 11:14 452,230 wrshdnt.htm
2003-06-23 18:18
2003-06-23 18:18
2003-06-22 11:13
2001-09-02 15:41 49,152 wrshdrdr.exe
2003-06-21 10:32 69,632 wrshdrun.exe
2004-01-02 15:54 196,608 wrshdsp.exe
2004-01-02 15:54 102,400 wrshdnt.exe
2001-07-30 18:05 766 wrshdnt.ico
2004-07-13 09:10 3,253 INSTALL.LOG
4,803 wrshdnt_header.
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention   Description
Boldface   Bold text represents commands and keywords that you enter literally as shown.
Italic   Italic text represents arguments that you replace with actual values.
[ ]   Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents a LB module.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.