NetEnforcer X01/X02
Command Line Interface (CLI) v5.1
Table of Contents
Introduction .......................................... 4
  Accessing the CLI ................................... 4
  Scripts ............................................. 4
CLI Command Syntax .................................... 5
  Online Help ......................................... 5
Command Descriptions .................................. 6
  Object Editing - Add/Change/Rename/Delete ........... 6
    Pipes, VCs and Rules .............................. 6
    QoS ............................................... 11
    Services .......................................... 14
    ToS ............................................... 18
    VLANs ............................................. 19
    Data Sources ...................................... 20
    Hosts ............................................. 21
    Time .............................................. 23
    Connection Control ................................ 24
  Other Actions ....................................... 26
    List .............................................. 26
    Config ............................................ 27
This guide is intended for use with NetEnforcer X01/02 units running software version 5.1.
Command Line Interface
Introduction
The NetEnforcer Command Line Interface (CLI) is used to define Pipes, Virtual Channels, Rules and Catalog entries, and to set system parameters and device settings. It modifies the NetEnforcer database directly from a command line: a set of commands adds, changes, renames and deletes NetEnforcer entities (Pipes, Virtual Channels and the various Catalog entries) and changes the configuration of the NetEnforcer.
Accessing the CLI
1. Connect to the NetEnforcer from a local host using one of the following methods:
   - Via the console port.
   - Via Telnet from a workstation located on the same network as the NetEnforcer.
2. Log in to the NetEnforcer as the root user. The default password is bagabu.
Change the default root password before the unit is placed on a production network, and prefer SSH over Telnet where possible: Telnet carries the root password in clear text, and the security settings described under Config (go config security) can disable Telnet and enable SSH.
Scripts
Scripts can contain both CLI and Linux commands to automate data entry. For example, a script can add 40 rules to 30 different Virtual Channels. A script can be written on a remote workstation with your preferred text editor and then sent to the NetEnforcer via FTP, or created directly on the NetEnforcer using the built-in vi editor. In both cases, make sure the script has execute permission (for example, chmod +x script_name); refer to a Linux manual for details on file attributes.
www.allot.com 4
CLI Command Syntax
The CLI consists of several actions, each of which takes an object and one or more parameters and values. The syntax is:

go <action> <object> <value> <parameter> <parameter value>

Element          Definition
go               Command heading. Precedes all CLI commands.
action           The command to perform: add, delete, change, rename, list or config.
object           The object (for example, qos) upon which the action is performed.
value            A value that does not require a parameter, for example the name of a new QoS Catalog entry. Value elements are separated by colons (for example cbr:100:10). Multiple values are separated by commas (for example cbr:100:10,cbr:100:10).
parameter        An attribute of the object (for example, -qname).
parameter value  The value of the preceding parameter (for example, Gold). Multiple parameter value elements are separated by colons (:). A command may carry more than one parameter.
An additional optional parameter may be used with all actions except list:
-f  Disconnects any other client that holds write permission and gives write permission to the CLI client.
Because -f takes the write lock away from whoever holds it, use it in scripts deliberately: it disconnects an administrator who is editing the policy at that moment.

For example, a CLI command to define a new Pipe QoS Catalog entry called Basic (for both inbound and outbound traffic) with a priority of 1:

go add qos Basic:pipe_both -prior 1 -f

Names
When working with Pipes, Virtual Channels, Rules or Catalog entries, you must enclose the name of the Pipe, Virtual Channel, Rule or Catalog entry in quotation marks if it contains more than one word. For example:

Correct command forms:
go add vc Gold:PipeGold
go add vc "Gold Service":PipeGold

Incorrect command form:
go add vc Gold Service:PipeGold
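The following is an added example and not part of the Allot guide: a POSIX shell generator for the bulk-entry scripts described under Scripts, applying the quoting rule above. It writes CLI lines as text for review and transfer to the unit; the go command is never executed here. The Pipe "Gold Pipe", the VC names, the Service Catalog entries rule_1..rule_N and the use of -f on every line are illustrative assumptions.

```sh
#!/bin/sh
# Added example, not from the Allot guide. Generates NetEnforcer CLI lines
# for a script: multi-word names are quoted as the Names section requires,
# and a loop fans N rules out over a set of VCs ("40 rules to 30 VCs").
# Output is text to review and transfer to the unit; nothing is executed.

# ne_name NAME: quote a Pipe/VC/Rule/Catalog name only when it contains
# whitespace, so single-word names stay exactly as typed.
ne_name() {
    case "$1" in
        *[[:space:]]*) printf '"%s"' "$1" ;;
        *)             printf '%s' "$1" ;;
    esac
}

# ne_vcrule_cmd VC PIPE SRC DST SERVICE [OFFSET]: one "go add vcrule" line
# (VC_NAME:PIPE_NAME:STATE plus -src/-dst/-service). -offset is emitted
# only when given; -f is added so the script does not stall on a write lock
# held by another client (which it will disconnect, as the guide notes).
ne_vcrule_cmd() {
    r_line="go add vcrule $(ne_name "$1"):$(ne_name "$2"):enable"
    r_line="$r_line -src $(ne_name "$3") -dst $(ne_name "$4") -service $(ne_name "$5")"
    [ -n "$6" ] && r_line="$r_line -offset $6"
    printf '%s -f\n' "$r_line"
}

# ne_bulk_vcrules PIPE N VC...: add rules for the assumed Service Catalog
# entries rule_1..rule_N to every VC listed, with any host on either side.
# No -offset is given, so the unit places each rule just before the
# fallback rule of its VC.
ne_bulk_vcrules() {
    b_pipe=$1 b_n=$2; shift 2
    for b_vc in "$@"; do
        b_i=1
        while [ "$b_i" -le "$b_n" ]; do
            ne_vcrule_cmd "$b_vc" "$b_pipe" any any "rule_$b_i" ""
            b_i=$((b_i + 1))
        done
    done
}

# Print the script the guide describes; redirect it to a file, send the
# file to the unit via FTP, chmod +x, and run it there as root.
ne_bulk_vcrules "Gold Pipe" 2 "Gold Service" Silver
```

Because the generator produces text rather than running commands, the output can be diffed against the intended policy before anything touches the unit.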
Online Help
If you are unsure which parameters a specific command takes, enter an incomplete command and the CLI lists all available parameters for that action and/or object.
Command Descriptions
Object Editing – Add/Change/Rename/Delete
Pipes, VCs and Rules
Legend for the command tables that follow: parameters shown in bold are required, the others are optional; VALUE stands for the parameter's value.

Pipes
Add new Pipe
  go add pipe NAME:STATE -expand VALUE -src VALUE -dst VALUE -service VALUE -time VALUE -tos VALUE -vlan VALUE -access VALUE -qos VALUE -offset VALUE -dir VALUE
  Example: go add pipe example:enable -expand none -src host1 -dst host2 -service service1 -time time1 -tos tos1 -vlan vlan1 -access drop -qos qos1 -offset 2 -dir 1
Change Pipe
  go change pipe NAME:NEW_STATE -expand NEW_VALUE -qos NEW_VALUE -access NEW_VALUE
  Example: go change pipe example:enable -expand src -access drop -qos qos1
Rename Pipe
  go rename pipe NAME:NEW_NAME
Delete Pipe
  go delete pipe NAME
VCs
Add new VC
  go add vc NAME:PIPE_NAME:STATE -expand VALUE -src VALUE -dst VALUE -service VALUE -time VALUE -tos VALUE -vlan VALUE -access VALUE -coc VALUE -qos VALUE -offset VALUE -dir VALUE
  Example: go add vc example:example_pipe:enable -expand none -src host1 -dst host2 -service service1 -time time1 -tos tos1 -vlan vlan1 -access drop -coc coc1 -qos qos1 -offset 2 -dir 1
Change VC
  go change vc NAME:PIPE_NAME:NEW_STATE -expand NEW_VALUE -access NEW_VALUE -coc NEW_VALUE -qos NEW_VALUE
  Example: go change vc example:pipe_example:enable -expand src -access drop -coc coc1 -qos qos1
Rename VC
  go rename vc NAME:PIPE_NAME:NEW_NAME
Delete VC
  go delete vc NAME:PIPE_NAME
Pipe Rules
Add new Pipe Rule
  go add prule PIPE_NAME:STATE -src VALUE -dst VALUE -service VALUE -time VALUE -tos VALUE -vlan VALUE -offset VALUE -dir VALUE
  Example: go add prule example:enable -src host1 -dst host2 -service service1 -time time1 -tos tos1 -vlan vlan1 -offset 2 -dir 1
Change Pipe Rule
  go change prule PIPE_NAME:OFFSET:STATE -src NEW_VALUE -dst NEW_VALUE -service NEW_VALUE -time NEW_VALUE -tos NEW_VALUE -vlan NEW_VALUE -dir NEW_VALUE
  Example: go change prule example:2:enable -src host1 -dst host2 -service service1 -time time1 -tos tos1 -vlan vlan1 -dir 1
Delete Pipe Rule
  go delete prule PIPE_NAME:OFFSET
VC Rules
Add new VC Rule
  go add vcrule VC_NAME:PIPE_NAME:STATE -src VALUE -dst VALUE -service VALUE -time VALUE -tos VALUE -vlan VALUE -offset VALUE -dir VALUE
  Example: go add vcrule example:pipe_example:enable -src host1 -dst host2 -service service1 -time time1 -tos tos1 -vlan vlan1 -offset 2 -dir 1
Change VC Rule
  go change vcrule VC_NAME:PIPE_NAME:OFFSET:STATE -src NEW_VALUE -dst NEW_VALUE -service NEW_VALUE -time NEW_VALUE -tos NEW_VALUE -vlan NEW_VALUE -dir NEW_VALUE
  Example: go change vcrule example:pipe_example:2:enable -src host1 -dst host2 -service service1 -time time1 -tos tos1 -vlan vlan1 -dir 1
Delete VC Rule
  go delete vcrule VC_NAME:PIPE_NAME:OFFSET
When a new Pipe or Virtual Channel is added without the -offset parameter, it is placed in the next-to-last position, immediately before the Fallback Pipe/VC.
Parameters
Parameter   Description                                        Value(s)
-expand     Location of possible Pipe/VC template expansion    none (no template); src (Source Host); dst (Destination Host)
-src        Source Host Catalog entry                          Host Entry Name; any (default)
-dst        Destination Host Catalog entry                     Host Entry Name; any (default)
-service    Service Catalog entry                              Service Entry Name; all IP (default)
-time       Time Catalog entry                                 Time Entry Name; any Time (default)
-tos        ToS Catalog entry                                  ToS Entry Name; ignore (default)
-vlan       VLAN Catalog entry                                 VLAN Entry Name; any (default)
-dir        Direction of traffic                               1; 2 (default)
-offset     Offset from first Pipe/VC/Rule in table            Offset Number
-qos        QoS Catalog entry                                  QoS Entry Name
-access     Access type                                        accept (default); reject; drop
-coc        Connection Control Catalog entry                   CoC Entry Name

Values
Value       Description                                        Options
STATE       Pipe/VC/Rule status                                enable (default); disable
QoS

Pipe QoS
Add/Change a QoS for Pipes in which both directions are defined together.
  go add/change qos NAME:pipe_both -prior VALUE -max_bw VALUE -min_bw VALUE:MIN_RESERVED -tos TOS_IN:TOS_OUT -general MAX_CON:ADMISSION_CTRL:TOS_ADMIT
  Example: go add qos example:pipe_both -prior 1 -max_bw 100 -min_bw 100:yes -tos tos1:tos2 -general 300:admit:tos1
Add/Change a QoS for Pipes in which each direction is defined separately.
  go add/change qos NAME:pipe_each -prior VALUE_1,VALUE_2 -max_bw VALUE_1,VALUE_2 -min_bw VALUE_1:MIN_RESERVED_1,VALUE_2:MIN_RESERVED_2 -tos TOS_IN_1:TOS_OUT_1,TOS_IN_2:TOS_OUT_2 -general MAX_CON:ADMISSION_CTRL:TOS_ADMIT
  Example: go add qos example:pipe_each -prior 1,2 -max_bw 100,100 -min_bw 100:yes,100:no -tos tos1:tos2,tos1:tos2 -general 300:admit:tos1
Add/Change a QoS Catalog entry for half-duplex Pipes.
  go add/change qos NAME:pipe_half_duplex -prior VALUE_1,VALUE_2 -avail_bw VALUE -tos VALUE -general MAX_CON:ADMISSION_CTRL:TOS_ADMIT
  Example: go add qos example:pipe_half_duplex -prior 1,2 -avail_bw 100 -tos tos1 -general 300:admit:tos1
Rename an existing QoS.
  go rename qos NAME:NEW_NAME
Delete an existing QoS.
  go delete qos NAME
VC QoS
Add/Change a QoS for VCs in which both directions are defined together.
  go add/change qos NAME:vc_both -prior VALUE -max_bw VALUE -min_bw VALUE -tos VALUE -con_alloc burst:MAX_BW:SIZE:MIN_BW/cbr:BW:DELAY
  Example: go add qos example:vc_both -prior 1 -max_bw 100 -min_bw 100 -tos tos1 -con_alloc burst:100:1000:0
Add/Change a QoS for VCs in which each direction is defined separately.
  go add/change qos NAME:vc_each -prior VALUE_1,VALUE_2 -max_bw VALUE_1,VALUE_2 -min_bw VALUE_1,VALUE_2 -tos VALUE_1,VALUE_2 -con_alloc burst:MAX_BW_1:SIZE_1:MIN_BW_1/cbr:BW_1:DELAY_1,burst:MAX_BW_2:SIZE_2:MIN_BW_2/cbr:BW_2:DELAY_2
  Example: go add qos example:vc_each -prior 1,2 -max_bw 100,100 -min_bw 100,100 -tos tos1,tos2 -con_alloc cbr:100:10,cbr:100:10
Rename an existing QoS.
  go rename qos NAME:NEW_NAME
Delete an existing QoS.
  go delete qos NAME
NOTE: For commands to create ToS entries, see ToS (p. 18).
NOTE: For the QoS types vc_each and pipe_each, all parameters except -general take two values separated by a comma: the first for inbound traffic, the second for outbound. To leave the inbound value unspecified, leave it empty, for example -prior ,2.
Parameters
Parameter         Description                                             Value(s)
-prior            Priority (VC or Pipe)                                   1-10 (default = 4)
-max_bw           Maximum bandwidth (VC or Pipe)                          Bandwidth value in K/M
-min_bw           Minimum bandwidth (VC or Pipe)                          Bandwidth value in K/M
-tos              Enables ToS                                             ToS Name
-general          General parameters                                      MAX_CON, ADMISSION_CTRL, TOS_ADMIT
-con_alloc burst  Allocation of connections for Burst type QoS policies   MAX_BW, SIZE, MIN_BW
-con_alloc cbr    Allocation of connections for CBR type QoS policies     BW, DELAY
-avail_bw         Available bandwidth (half-duplex Pipe)                  Bandwidth value in K/M

Values
Value             Description                                             Options
MIN_RESERVED      Minimum bandwidth reserve available                     yes; no (default = no)
TOS_IN            ToS for in-profile traffic                              ToS Name
TOS_OUT           ToS for out-of-profile traffic                          ToS Name
MAX_CON           Maximum connections allowed (VC or Pipe)                Number of connections
ADMISSION_CTRL    Admission policy when bandwidth is exceeded             admit (by priority); deny; reject
TOS_ADMIT         ToS                                                     ToS Name
MAX_BW            Maximum bandwidth per connection (Burst type)           Bandwidth value in K/M
MIN_BW            Minimum bandwidth per connection (Burst type)           Bandwidth value in K/M
SIZE              Burst size                                              Bits per second in K/M
BW                Bandwidth per connection (CBR type)                     Bandwidth value in K/M
DELAY             Traffic delay                                           Delay in microseconds
Services

Service Types
Add/Change application-based Service.
  go add/change service NAME:appl -protocol NETWORK:IP:APP -dst_ports DST_PORT_1,DST_PORT_2,ETC -port_type VALUE -parse_by_port VALUE -coll_filter VALUE -advance IDLE:REJECT:CONNECT
  Example: go add service test:appl -protocol ip:tcp:ftp -dst_ports 333,5445 -port_type all -parse_by_port enable -coll_filter appl -advance default:default:default
Add/Change Service Group.
  go add/change service NAME:group -group_report VALUE SERVICE_NAME_1,SERVICE_NAME_2,ETC
  Example: go add service test:group -group_report enable testserver,testserver2
Add/Change content-based Service.
  go add/change service NAME:content:PARENT_NAME VALUE:VALUE
  Example: go add service test:content:SMTP domains:allot.com
Rename Service.
  go rename service NAME:NEW_NAME
Delete Service.
  go delete service NAME
When changing the port list of a Service entry, prefix each port number or port range with '-' (remove the port) or '+' (add the port), or prefix the whole list once with '=' to replace the existing list with the new one. The same prefixes are used to update a Service Group list and a Content Inspection list. For example:

go add service Test1:appl -dst_ports 333,3456-3460 -f
go change service Test1 -dst_ports +2222-2228,-333
go change service Test1 -dst_ports =2222-2228,4444 -f
Parameters
Parameter        Description                                      Value(s)
-protocol        Protocol of Catalog entry                        NETWORK, IP, APP
-dst_ports       List of possible ports on the destination host   Port number or port range
-port_type       Type of destination port                         all; other; list
-parse_by_port   Parsing by port                                  enable; disable
-coll_filter     Collection filter                                service; appl
-advance         Advanced connection timeouts                     IDLE, REJECT, CONNECT
-group_report    Enables group reports                            enable; disable

Values
Value            Description                                      Options
NETWORK          Network protocol used                            IP, ARP, Banyan-Vines, DEC-DECNET, DEC-LAT, DEC-Ethernet, Appletalk, SNA, IPX, IPv6, MS-IPX, NetBEUI, ANY, PPPoE-Discovery, PPPoE-Control, or a protocol number 1-65534
IP               Transport protocol used (if NETWORK is IP)       TCP, UDP, ICMP, IGMP, EGP, RSVP, OSPFIGP, SIPP-ESP, SIPP-AH, I-NLSP, SWIPE, GGP, GRE, ANY, or a protocol number 1-255
APP              Application used (if IP is TCP or UDP)           NonIP, OtherIP, Other TCP, Other UDP, TFTP, HTTP, FTP, All, RTSP, Oracle, Citrix, H.323, KaZaA, Gnutella, Citrix ICA, SMTP, eDonkey, WinMX, Citrix NFuse, MS Exchange, MGCP, Winny, Winamp, Msplayer, Realone, Quicktime, iTunes, BitTorrent, Direct Connect
IDLE             Idle timeout                                     Number of seconds; default
REJECT           Reject timeout                                   Number of seconds; default
CONNECT          Connect timeout                                  Number of seconds; default
PARENT_NAME      Content type and value, depending upon the application:
  Values for parent HTTP:
    url
    method:{CONNECT/DELETE/GET/HEAD/OPTIONS/POST/PUT/TRACE}
    host
    content-type:{the command 'go list content' shows all acceptable values}
  Values for parent FTP:
    command:{Download/Upload/Other}
    file
  Values for parent Oracle:
    service
    user
  Values for parent H.323:
    codec:{H.323 G711-64K Codec/H.323 G711-56K Codec/H.323 G722-64K Codec/H.323 G722-56K Codec/H.323 G722-48K Codec/H.323 G7231 Codec/H.323 G728 Codec/H.323 G729 Codec/H.323 H261 Codec/H.323 H262 Codec/H.323 H263 Codec/H.323 Audio Default Codec/H.323 Video Default Codec}
  Values for parent KaZaA / Gnutella:
    direction:{Upload/Download}
  Values for parent SMTP:
    domains_file:{name of the file containing domains}
    domains
  Values for parent Citrix ICA:
    priority:{High/Medium/Low/Print Traffic}
  Values for parent Citrix:
    appl
    user
    priority:{High/Medium/Low/Print Traffic}
  Values for parent Citrix NFuse:
    appl
    user
    priority:{High/Medium/Low/Print Traffic}
  Values for parent MGCP:
    codec media type:{Audio/Video/Application/Data/All}
ToS

Types of Service
Add/Change ToS.
  go add/change tos NAME -tosByte VALUE
  Example: go add tos test1 -tosByte 4
Rename ToS.
  go rename tos NAME:NEW_NAME
Delete ToS.
  go delete tos NAME

Parameters
Parameter   Description                             Value(s)
-tosByte    ToS markings, separated by commas       1-8
VLANs
Add/Change VLAN.
  go add vlan NAME PRIORITY_STATE:PRIORITY_BITS:VLAN_ID_STATE:VLAN_ID
  Example: go add vlan test enable:3:enable:3334
Rename VLAN.
  go rename vlan NAME:NEW_NAME
Delete VLAN.
  go delete vlan NAME

Values
Value            Description                     Options
PRIORITY_STATE   Enable/disable VLAN priority    enable; disable
PRIORITY_BITS    Priority bits number            1-7
VLAN_ID_STATE    Enable/disable VLAN ID          enable; disable
VLAN_ID          VLAN ID number                  0-4095
Data Sources
Add/Change LDAP Data Source.
  go add/change datasrc NAME:ldap HOST_NAME:USER_NAME:PASSWORD:DESCRIPTION
  Example: go add datasrc test1:ldap server1:Robert:password:A customer service portal
Add Text File Data Source.
  go add datasrc NAME:txtfile HOST_NAME:DESCRIPTION
  Example: go add datasrc test2:txtfile server1:A customer service portal.
Rename Data Source.
  go rename datasrc NAME:NEW_NAME
Delete Data Source.
  go delete datasrc NAME

The LDAP password is passed on the command line in clear text, so it also ends up in any script that contains the command and may remain in the shell history of the session. Treat such scripts as secrets and use a dedicated LDAP account with read-only access to the needed subtree for the NetEnforcer.

Values
Value         Description                                                          Options
HOST_NAME     IP address or host name of the LDAP/TFTP server                      IP Address or Host Name
USER_NAME     LDAP user name                                                       Name
PASSWORD      LDAP password                                                        Password
DESCRIPTION   Data Source description (optional; shown in the Policy Editor only)  Short Description
Hosts
Add/Change Addresses Host.
  go add host NAME:addresses TYPE:ADDRESS:INTERFACE,ETC
  Example: go add host example:addresses name:Allot1:anywhere,ipaddress:12.234.12.12:internal
Add/Change LDAP Host.
  go add host NAME:ldap DATA_SOURCE:ROOT:ADDRESS_ATTR:NAME_ATTR:FILTER
  Example: go add host example:ldap source1:files:12.133.133.133:12.133.134.133:filter1
Add/Change Host Txtfile.
  go add host NAME:txtfile DATA_SOURCE:FILE:START_ROW:ADDRESS_POS:NAME_POS:DELIMITER
  Example: go add host example:txtfile source1:allot /files:1:3:1:comma
Add/Change Host Group.
  go add host NAME:group HOST_1,HOST_2,ETC
  Example: go add host example:group host_a,host_b
Rename Host.
  go rename host NAME:NEW_NAME
Delete Host.
  go delete host NAME

When changing the address list or group list of a Host entry, prefix each address or group item with '-' (remove the item) or '+' (add the item), or prefix the whole list once with '=' to replace the existing list with the new one. For example:

go change host Test1 -ipaddr:2.2.2.2,+range:1.1.1.1-1.1.1.9 -f
go change host Test2 +host8,-host9 -f
go change host Test2 =host10,host11 -f

When changing txtfile or ldap Hosts, leave the fields you do not want to change empty. For example, to change only the LDAP filter:

go change host Test1 ::::servicegroup=gold
Values
Value               Description                                                                              Options
TYPE                Type of address                                                                          name; range; netaddr; ipaddr; macaddr
INTERFACE           Interface type                                                                           internal; external; anywhere (default)
HOST_1,HOST_2,ETC   Names of previously defined Host Catalog entries, separated by commas, to be added to a group   Host Entry Names
DATA_SOURCE         Name of previously defined Data Source Catalog entry                                     Name
ROOT                LDAP directory subtree root                                                              Root Name
ADDRESS_ATTR        Attribute that holds the IP addresses of entries                                         Name
NAME_ATTR           Attribute that holds the names of entries                                                Name
FILTER              LDAP directory search filter                                                             Filter Name
FILE                Full file path on the remote host                                                        Path
START_ROW           Row number at which to start reading data                                                Row Number
ADDRESS_POS         Position of the address field                                                            Position
NAME_POS            Position of the name field                                                               Position
DELIMITER           Character that separates a text file row into fields                                     comma; space; semicolon; or other character
Time
Add/Change Time.
  go add time NAME PERIOD:TIME/DAY/MONTH_DAY/MONTH
  Example: go add time example daily:10:00-12:00
Rename Time.
  go rename time NAME:NEW_NAME
Delete Time.
  go delete time NAME

When changing a Time entry, prefix each time period with '-' (remove the period) or '+' (add the period), or prefix the whole list once with '=' to replace the existing list with the new one. For example:

go add time Test1 daily:10.00-20.00,weekly:5:08.20-20.00 -f
go change time Test1 -daily:10.00-20.00,+monthly:15 -f
go change time Test1 =daily:14.00-20.00,monthly:25 -f

Values
Value       Description                   Options
PERIOD      Time period                   daily[:TIME]; weekly[:DAY[:TIME]]; monthly[:MONTH_DAY[:TIME]]; yearly[:MONTH:MONTH_DAY[:TIME]]
TIME        Range of hours and minutes    HH,mm-HH,mm; allDay (default)
DAY         Day of the week               sun; mon; tue; wed; thu; fri; sat
MONTH_DAY   Day of the month              1-31
MONTH       Month                         1-12
Connection Control

CoC
Add/Change load balancing Connection Control.
  go add coc NAME:lb:TECHNIQUE:PORT_USED -behavior NO_SERVER_ACTION:BACKUP:STICKY -servers HOST:PORT:WEIGHT
  Example: go add coc example:lb:wrr:fixed:657 -behavior drop:yes:100 -servers 10.1.1.4:465:50
Add/Change cache redirection Connection Control.
  go add coc NAME:cache -behavior NO_SERVER_ACTION -servers HOST
  Example: go add coc example:cache -behavior drop -servers 10.1.1.4
Rename Connection Control.
  go rename coc NAME:NEW_NAME
Delete Connection Control.
  go delete coc NAME

When changing the server list of a Connection Control entry, prefix each server item with '-' (remove the item) or '+' (add the item), or prefix the whole list once with '=' to replace the existing list with the new one. For example:

go add coc Test1:lb:wrr:fixed:777 -servers 10.1.1.4::3 -f
go change coc Test1 -servers -10.1.1.4::3,+10.1.1.10::5 -f

Parameters
Parameter    Description              Value(s)
-behavior    Connection behavior      NO_SERVER_ACTION, BACKUP, STICKY
-servers     Server list              HOST:PORT:WEIGHT (load balancing) or HOST (cache redirection)

Values
Value        Description                  Options
TECHNIQUE    Load balancing technique     rr; fa; wrr (default)
PORT_USED          Load balancing port                                                               original (default); assigned; fixed:PORT_NUMBER
NO_SERVER_ACTION   Action when no server is connected                                                drop; reject; pass-as-is (default)
BACKUP             Activate load balancing on server failure (load balancing only)                   yes; no (default)
STICKY             Timeout in seconds for sticky connections (load balancing only)                   0-999999
HOST               Server to which connections are directed                                          IP Address
PORT               Port number on the load balancing server (load balancing only)                    Port Number
WEIGHT             Weight of the load balancing server when TECHNIQUE is wrr (load balancing only)   Weight
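The '-', '+' and '=' prefixes are described in the same terms for Service port lists, Host address and group lists, Time periods and Connection Control server lists. The following is an added example and not code from the Allot guide: a POSIX shell function that applies a prefixed change list to a known current list, so a script can show the resulting list, and reject unprefixed items, before the go change command is sent to the unit. Only the semantics the guide states are implemented; that re-adding an item already present is a no-op and that an item without a prefix is an error are assumptions.

```sh
#!/bin/sh
# Added example, not from the Allot guide. Previews the effect of a
# prefixed list update ('-item' removes, '+item' adds, a single leading
# '=' replaces the whole list) as used by go change service/host/time/coc.
# Assumptions (not stated by the guide): re-adding an item already present
# is a no-op, and an item with no prefix is rejected as an error.

# ne_split LIST: one comma-separated item per line (blanks after commas,
# as in the guide's "a, b" examples, are dropped by word splitting later).
ne_split() { printf '%s\n' "$1" | tr ',' '\n'; }

# ne_contains LIST ITEM: exit 0 if ITEM is an element of LIST.
ne_contains() {
    for c_x in $(ne_split "$1"); do
        [ "$c_x" = "$2" ] && return 0
    done
    return 1
}

# ne_remove LIST ITEM: print LIST without ITEM.
ne_remove() {
    m_out=
    for m_x in $(ne_split "$1"); do
        [ "$m_x" = "$2" ] || m_out=${m_out:+$m_out,}$m_x
    done
    printf '%s' "$m_out"
}

# ne_apply_list CURRENT CHANGE: print the list that results from CHANGE.
ne_apply_list() {
    a_cur=$1
    case "$2" in
        =*) printf '%s\n' "${2#=}"; return 0 ;;          # replace outright
    esac
    for a_item in $(ne_split "$2"); do
        case "$a_item" in
            -?*) a_cur=$(ne_remove "$a_cur" "${a_item#-}") ;;
            +?*) ne_contains "$a_cur" "${a_item#+}" ||
                     a_cur=${a_cur:+$a_cur,}${a_item#+} ;;
            *)   printf 'error: item "%s" needs a + or - prefix\n' "$a_item" >&2
                 return 1 ;;
        esac
    done
    printf '%s\n' "$a_cur"
}

# The guide's Service example: ports 333,3456-3460, then +2222-2228,-333
ne_apply_list '333,3456-3460' '+2222-2228,-333'           # 3456-3460,2222-2228
# The guide's Connection Control example
ne_apply_list '10.1.1.4::3' '-10.1.1.4::3,+10.1.1.10::5'  # 10.1.1.10::5
```

Run the preview against the list reported by go list for the entry, and only then emit the go change line; the unit's own handling of an already-present item may differ from the assumption made here.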
Other Actions

List
The list action displays the entries defined in the different Catalogs.
List catalog.
  go list CATALOG -full
Display Pipe data.
  go list pipedata PIPE_NAME
Display VC data.
  go list vc NAME:PIPE_NAME
Display full Pipe list.
  go list pipes -full

Parameters
Parameter   Description                                Value(s)
-full       Displays additional information, if any    No value

Values
Value       Description                                Options
CATALOG     Catalog to display                         host; time; tos; qos; service; datasrc; vlan; coc
Config
The config action enables you to configure attributes of the NetEnforcer.
Configure the activation key.
  go config key KEY
  Example: go config key 8D8D89C9EA333E9C9C9C9C98FB366E9003
Configure the interfaces.
  go config nic -internal MODE:SPEED -external MODE:SPEED -mgmt MODE:SPEED
  Example: go config nic -internal full:100 -external full:100 -mgmt half:100
Configure the access list.
  go config access_control +/-HOST_1,+/-HOST_2,ETC
  Example: go config access_control +Allot.com
Configure the SNMP settings.
  go config snmp -community READ:WRITE:TRAP -trap_dest VALUE -contact VALUE -location VALUE
  Example: go config snmp -community Allot:Allot:Allot -trap_dest 123.12.12.122 -contact Dave -location New York
  The write community grants configuration access over SNMP. Do not reuse the read community as the write community the way this example does; choose distinct, hard-to-guess strings and limit SNMP access to management hosts.
Configure the VLAN.
  go config vlan VLAN_STATE:VLAN_ID
  Example: go config vlan enable:764
Configure the IP addresses.
  go config ips -h VALUE -d VALUE -g VALUE -ip IP_ADDRESS:MASK -dns DNS_1:DNS_2 -ts TS_1:TS_2:TS_3 -mgmt VALUE -reject_ip IP:MASK|none
  Example: go config ips -h Allot -d Allot_net -g 123.123.123.123 -ip 23.123.123.123:124 -dns 124.12.12.12:124.13.13.13 -ts 124.123.12.12:none:none -mgmt enable -reject_ip none
Configure the links.
  go config access_link -internal LINK_TYPE:OUTBOUND:INBOUND -external LINK_TYPE:OUTBOUND:INBOUND
  Example: go config access_link -internal full:100:100 -external full:100:100
Configure the Policy Editor.
  go config policy_srv -auto_refresh VALUE -save_refresh VALUE
  Example: go config policy_srv -auto_refresh 5min -save_refresh enable
Configure monitoring.
  go config monitoring -resolve_dns VALUE -sample_period VALUE
  Example: go config monitoring -resolve_dns enable -sample_period 1min
Configure Connection Control parameters.
  go config coc -pass_through VALUE -retries SERVER_RETRIES:SERVICE_RETRIES -timeout SERVER_TIMEOUT:SERVICE_TIMEOUT:CONNECT
  Example: go config coc -pass_through enable -retries 100:100 -timeout 100:100:100
Configure the accounting module.
  go config acct_setup ACCT_STATE -resolve_dns VALUE -odbc VALUE:USER_NAME:PASSWORD -collect_data VALUE -del_data VALUE -ip IP_1:IP_2
  Example: go config acct_setup enable -resolve_dns enable -odbc disable -collect_data 10minutes -del_data 1month -ip 122.123.12.12
Configure RADIUS accounting.
  go config radius_setup RADIUS_STATE -stop_only VALUE -collect_data VALUE -server1 VALUE -server2 VALUE -send_timeout VALUE -retries VALUE -failed_msg VALUE
  Example: go config radius_setup enable -stop_only disable -collect_data 15minutes -server1 123.12.12.12:blue -send_timeout 30 -retries 5 -failed_msg 100
Configure RADIUS storage.
  go config acct_radius_storage -pipe VALUE -vc VALUE -service VALUE -hosts VALUE
  Example: go config acct_radius_storage -pipe enable -vc disable -service disable -hosts enable
Configure response to DoS attacks.
  go config dos DOS_VALUE -max_conn VALUE -max_cer VALUE
  Example: go config dos enable -max_conn 250 -max_cer 5000
Configure security.
  go config security -connect VALUE -telnet VALUE -ping VALUE -timeout VALUE -root_login VALUE -ssh VALUE
  Example: go config security -connect ssl -telnet disable -ping disable -timeout 0 -root_login enable -ssh enable
  Note that this example sets -timeout 0, which disables automatic logout of idle console and Telnet shells, and keeps direct root login enabled. On a production unit set a non-zero -timeout, keep -telnet disable together with -ssh enable, and enable -root_login only for as long as a procedure needs it.
Configure network parameters.
  go config network -transport VALUE -appl VALUE -sptree VALUE -mesh VALUE -mom VALUE -ar -/+DEST_IP:MASK:GATEWAY:DEST_TYPE:INTERFACE
  Example: go config network -transport enable -appl enable -sptree disable -mesh enable -mom disable -ar +123.123.123.123:24.24.24.123:123.345.123.12:host:1
Configure alerts.
  go config alerts ALERTS_STATE -email VALUE_1:VALUE_2 -sms VALUE
  Example: go config alerts enable -email [email protected] -sms [email protected]
Configure unit time.
  go config time -t VALUE -tz VALUE
  Example: go config time -t 31-07-2004-13-45 -tz antarctica/mcmurdo
View current configuration of NetEnforcer tabs.
  go config view TAB
  Example: go config view key
Verify setup.
  go config setup_verify
Send snapshot.
  go config send_snapshot
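The following is an added example and not code from the Allot guide: a POSIX shell lint that reads a CLI script on standard input before it is transferred to the unit and flags the go config security and go config snmp settings that the parameter tables below document as the weakest choices (Telnet enabled, SSH disabled, -timeout 0, -root_login enable, non-SSL connections, and identical SNMP read and write communities). The two sample scripts are constructed for the example: NE_WEAK reuses the guide's own security and SNMP example lines, NE_HARDENED is the same pair with the flagged settings changed; the timeout value of 600 and the community strings in it are illustrative, not recommendations from the guide.

```sh
#!/bin/sh
# Added example, not from the Allot guide. Lints a NetEnforcer CLI script
# (read on stdin) before it is transferred to the unit and flags "go config"
# settings the guide's parameter tables document as the weakest choices.
# Prints one WARN line per finding; exit status 1 if anything was flagged.

# ne_lint_security LINE: checks for a "go config security" line.
ne_lint_security() {
    case " $1 " in *" -telnet enable "*)
        echo "WARN: -telnet enable: Telnet is clear text; use -telnet disable with -ssh enable" ;; esac
    case " $1 " in *" -ssh disable "*)
        echo "WARN: -ssh disable: leaves only Telnet or the console for remote management" ;; esac
    case " $1 " in *" -timeout 0 "*)
        echo "WARN: -timeout 0: idle console/Telnet shells are never logged out" ;; esac
    case " $1 " in *" -root_login enable "*)
        echo "WARN: -root_login enable: direct root login stays permitted (edits /etc/security and /etc/ssh/sshd_config)" ;; esac
    case " $1 " in *" -connect non-ssl "*|*" -connect both "*)
        echo "WARN: -connect: non-SSL management connections are accepted" ;; esac
}

# ne_lint_snmp LINE: warn when the -community READ:WRITE:TRAP value uses
# the same string for read and write, so read access implies write access.
ne_lint_snmp() {
    case " $1 " in *" -community "*) ;; *) return 0 ;; esac
    s_comm=${1#*" -community "}; s_comm=${s_comm%%" "*}
    case "$s_comm" in *:*) ;; *) return 0 ;; esac
    s_read=${s_comm%%:*}; s_rest=${s_comm#*:}; s_write=${s_rest%%:*}
    [ "$s_read" = "$s_write" ] &&
        echo "WARN: SNMP read and write communities are identical ('$s_read')"
    return 0
}

# ne_lint_script < script: dispatch each "go config" line to its checker.
ne_lint_script() {
    l_found=0
    while IFS= read -r l_line || [ -n "$l_line" ]; do
        case "$l_line" in
            "go config security "*) l_out=$(ne_lint_security "$l_line") ;;
            "go config snmp "*)     l_out=$(ne_lint_snmp "$l_line") ;;
            *) continue ;;
        esac
        if [ -n "$l_out" ]; then printf '%s\n' "$l_out"; l_found=1; fi
    done
    return $l_found
}

# Constructed sample scripts. NE_WEAK is the guide's own security and SNMP
# examples; NE_HARDENED is the same pair with the flagged settings changed
# (the timeout value and the community strings are illustrative).
NE_WEAK='go config security -connect ssl -telnet disable -ping disable -timeout 0 -root_login enable -ssh enable
go config snmp -community Allot:Allot:Allot -trap_dest 123.12.12.122 -contact Dave -location New York'
NE_HARDENED='go config security -connect ssl -telnet disable -ping disable -timeout 600 -root_login disable -ssh enable
go config snmp -community r3ad-0nly:wr1te-0nly:tr4p-0nly -trap_dest 123.12.12.122 -contact Dave -location New York
go add pipe example:enable'

printf '%s\n' "$NE_WEAK" | ne_lint_script || echo "lint: fix the findings above before running the script on the unit"
```

Run it as ne_lint_script < script.txt in the workflow between writing the script and sending it via FTP; a non-zero exit status is a convenient gate for a wrapper that refuses to upload a script with findings.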
Parameters
Parameter      Description                                                   Value(s)
-internal      Internal interface of the NetEnforcer (nic)                   MODE, SPEED
-external      External interface of the NetEnforcer (nic)                   MODE, SPEED
-mgmt          Management interface of the NetEnforcer (nic; when present)   MODE, SPEED
-community     SNMP read, write and trap communities                         READ, WRITE, TRAP
-trap_dest     SNMP trap destination address                                 IP Address
-contact       SNMP contact                                                  Contact Name; none
-location      SNMP location                                                 Location Name; none
VLAN_ID        VLAN ID number (config vlan)                                  1-4094
-h             Host name of the NetEnforcer                                  Host Name
-d             Domain name where the NetEnforcer is located                  Domain Name
-g             IP address of the gateway                                     IP Address; none
-ip (ips)      IP address and subnet mask of the NetEnforcer                 IP Address:Subnet Mask
-dns           IP address of the primary/secondary DNS server                DNS Address; none
-ts            IP address of the primary/secondary/tertiary time server      NTP Server Address; none
-mgmt (ips)    Management port                                               enable; disable
-reject_ip                                                                   IP Address:Subnet Mask; none
-internal      Internal link settings (access_link)                          LINK_TYPE, OUTBOUND, INBOUND
-external      External link settings (access_link)                          LINK_TYPE, OUTBOUND, INBOUND
-auto_refresh  Auto refresh rate for the query in the policy catalog         *sec; *min; *hours; *days; none
-save_refresh  Refresh the query in the policy catalog when saving the policy database   enable; disable
-resolve_dns   Resolve DNS names (with acct_setup applies to internal accounting only)   enable; disable
-sample_period          Monitoring sample period                                              30sec; 1min; 2min; 3min; 4min; 5min; 6min; 7min; 8min; 9min; 10min
-pass_through           Pass all cached traffic through the QoS device                        enable; disable
-retries (coc)          Tracking retries                                                      SERVER_RETRIES, SERVICE_RETRIES
-timeout (coc)          Tracking timeout                                                      SERVER_TIMEOUT, SERVICE_TIMEOUT, CONNECT
-odbc                   ODBC accounting (internal accounting only)                            enable; disable
-collect_data           Timespan for saved accounting data (internal and RADIUS accounting)   *minutes; *hours; *days
-del_data               Timespan for deleted accounting data (internal accounting only)       *days; *months
-ip (acct_setup)        External accounting location                                          Primary IP Address, Secondary IP Address
-stop_only              Send RADIUS Stop messages only                                        enable; disable
-server1                Primary RADIUS server                                                 IP_ADDRESS[/PORT]:SECRET
-server2                Secondary RADIUS server                                               IP_ADDRESS[/PORT]:SECRET
-send_timeout           Timeout on message send failure                                       1-60
-retries (radius_setup) Number of retries for message send                                    1-10
-failed_msg             Number of failed messages before switching to the other server        1-200
-pipe                   Save item 'Pipe' in each RADIUS accounting record                     enable; disable
-vc                     Save item 'Virtual Channel' in each RADIUS accounting record          enable; disable
-service                Save item 'Service' in each RADIUS accounting record                  enable; disable
-hosts                  Hosts recorded in RADIUS accounting                                   int_host; ext_host; int_ext_host; client; server; client_server; disable
-max_conn               Maximum number of connections in a DoS attack                         1-500 (in thousands)
-max_cer                Maximum new connection establishment rate                             1-10000
-connect                Connection mode                                                       ssl; non-ssl; both
-telnet                 Telnet                                                                enable; disable
-ping                   Ping replies                                                          enable; disable
-timeout (security)     Timeout while connected via console or Telnet; the shell logs out automatically after the specified number of seconds   Number of seconds; 0 = disable
-root_login             Logging in as user "root" (modifies the files /etc/security and /etc/ssh/sshd_config)   enable; disable
-ssh                    Secure Shell communications                                           enable; disable
-transport              Transport layer classification (TCP/UDP ports)                        enable; disable
-sptree                 Support for the Spanning Tree protocol                                enable; disable
-appl                   Application layer analysis                                            enable; disable
-mesh                   Support for meshed network topology                                   enable; disable
-mom            'Monitoring Only' mode. Values: enable | disable
-ar             Additional routes. Prefixes: '-' to delete the selected route from the Routing Table; '+' to add a new route to the Routing Table. Values: DEST_IP, MASK, GATEWAY, DEST_TYPE, INTERFACE
-email          Primary/Secondary email address for Alert messages. Value: email address:email address
-sms            SMS Address for Alert messages. Value: SMS Address
-t              System time. Value: DD-MM-YYYY-HH-mm
-tz             Time zone. Enter one from the following list of time zone settings:
                US/Alaska, US/Aleutian, US/Arizona, US/Central, US/East-Indiana, US/Eastern, US/Hawaii, US/Indiana-Starke, US/Michigan, US/Mountain, US/Pacific, US/Samoa,
                Africa/Abidjan, Africa/Accra, Africa/Addis_Ababa, Africa/Algiers, Africa/Asmera, Africa/Bamako, Africa/Bangui, Africa/Banjul, Africa/Bissau, Africa/Blantyre, Africa/Brazzaville, Africa/Bujumbura, Africa/Cairo, Africa/Casablanca, Africa/Ceuta, Africa/Conakry, Africa/Dakar, Africa/Dar_es_Salaam, Africa/Djibouti, Africa/Douala, Africa/El_Aaiun, Africa/Freetown, Africa/Gaborone, Africa/Harare, Africa/Johannesburg, Africa/Kampala, Africa/Khartoum, Africa/Kigali, Africa/Kinshasa, Africa/Lagos, Africa/Libreville, Africa/Lome, Africa/Luanda, Africa/Lubumbashi, Africa/Lusaka, Africa/Malabo, Africa/Maputo, Africa/Maseru, Africa/Mbabane, Africa/Mogadishu, Africa/Monrovia, Africa/Nairobi, Africa/Ndjamena, Africa/Niamey, Africa/Nouakchott, Africa/Ouagadougou, Africa/Porto-Novo, Africa/Sao_Tome, Africa/Timbuktu, Africa/Tripoli, Africa/Tunis, Africa/Windhoek,
                America/Adak, America/Anchorage, America/Anguilla, America/Antigua, America/Araguaina, America/Aruba, America/Asuncion, America/Atka, America/Barbados, America/Belem, America/Belize, America/Boa_Vista, America/Bogota, America/Boise, America/Buenos_Aires, America/Cambridge_Bay, America/Cancun, America/Caracas, America/Catamarca, America/Cayenne, America/Cayman, America/Chicago, America/Chihuahua, America/Cordoba, America/Costa_Rica, America/Cuiaba, America/Curacao, America/Dawson, America/Dawson_Creek, America/Denver, America/Detroit, America/Dominica, America/Edmonton, America/Eirunepe, America/El_Salvador, America/Ensenada, America/Fort_Wayne, America/Fortaleza, America/Glace_Bay, America/Godthab, America/Goose_Bay, America/Grand_Turk, America/Grenada, America/Guadeloupe, America/Guatemala, America/Guayaquil, America/Guyana, America/Halifax, America/Havana, America/Hermosillo, America/Indiana/Indianapolis, America/Indiana/Knox, America/Indiana/Marengo, America/Indiana/Vevay, America/Indianapolis, America/Inuvik, America/Iqaluit, America/Jamaica, America/Jujuy, America/Juneau, America/Lima, America/Kentucky/Louisville, America/La_Paz, America/Kentucky/Monticello, America/Knox_IN, America/Los_Angeles, America/Louisville, America/Maceio, America/Managua, America/Manaus, America/Martinique, America/Mazatlan, America/Mendoza, America/Menominee, America/Merida, America/Mexico_City, America/Miquelon, America/Monterrey, America/Montevideo, America/Montreal, America/Montserrat, America/Nassau, America/New_York, America/Nipigon, America/Nome, America/Noronha, America/Panama, America/Pangnirtung, America/Paramaribo, America/Phoenix, America/Port-au-Prince, America/Port_of_Spain, America/Porto_Acre, America/Porto_Velho, America/Puerto_Rico, America/Rainy_River, America/Rankin_Inlet, America/Recife, America/Regina, America/Rosario, America/Santiago, America/Santo_Domingo, America/Sao_Paulo, America/Scoresbysund, America/Shiprock, America/St_Johns, America/St_Kitts, America/St_Lucia, America/St_Thomas, America/St_Vincent, America/Swift_Current, America/Tegucigalpa, America/Thule, America/Thunder_Bay, America/Tijuana, America/Tortola, America/Vancouver, America/Virgin, America/Whitehorse, America/Winnipeg, America/Yakutat, America/Yellowknife,
                Antarctica/Casey, Antarctica/Davis, Antarctica/DumontDUrville, Antarctica/Mawson, Antarctica/McMurdo, Antarctica/Palmer, Antarctica/South_Pole, Antarctica/Syowa, Arctic/Longyearbyen,
                Asia/Aden, Asia/Almaty, Asia/Amman, Asia/Anadyr, Asia/Aqtau, Asia/Aqtobe, Asia/Ashgabat, Asia/Ashkhabad, Asia/Baghdad, Asia/Bahrain, Asia/Baku, Asia/Bangkok, Asia/Beirut, Asia/Bishkek, Asia/Brunei, Asia/Calcutta, Asia/Chungking, Asia/Colombo, Asia/Dacca, Asia/Damascus, Asia/Dhaka, Asia/Dili, Asia/Dubai, Asia/Dushanbe, Asia/Gaza, Asia/Harbin, Asia/Hong_Kong, Asia/Hovd, Asia/Irkutsk, Asia/Istanbul, Asia/Jakarta, Asia/Jayapura, Asia/Jerusalem, Asia/Kabul, Asia/Kamchatka, Asia/Karachi, Asia/Kashgar, Asia/Katmandu, Asia/Krasnoyarsk, Asia/Kuala_Lumpur, Asia/Kuching, Asia/Kuwait, Asia/Macao, Asia/Magadan, Asia/Manila, Asia/Muscat, Asia/Nicosia, Asia/Novosibirsk, Asia/Omsk, Asia/Phnom_Penh, Asia/Pyongyang, Asia/Qatar, Asia/Rangoon, Asia/Riyadh, Asia/Riyadh87, Asia/Riyadh88, Asia/Riyadh89, Asia/Saigon, Asia/Samarkand, Asia/Seoul, Asia/Shanghai, Asia/Singapore, Asia/Taipei, Asia/Tashkent, Asia/Tbilisi, Asia/Tehran, Asia/Tel_Aviv, Asia/Thimbu, Asia/Thimphu, Asia/Tokyo, Asia/Ujung_Pandang, Asia/Ulaanbaatar, Asia/Ulan_Bator, Asia/Urumqi, Asia/Vientiane, Asia/Vladivostok, Asia/Yakutsk, Asia/Yekaterinburg, Asia/Yerevan,
                Atlantic/Azores, Atlantic/Bermuda, Atlantic/Canary, Atlantic/Cape_Verde, Atlantic/Faeroe, Atlantic/Jan_Mayen, Atlantic/Madeira, Atlantic/Reykjavik, Atlantic/South_Georgia, Atlantic/St_Helena, Atlantic/Stanley,
                Australia/ACT, Australia/Adelaide, Australia/Brisbane, Australia/Broken_Hill, Australia/Canberra, Australia/Darwin, Australia/Hobart, Australia/LHI, Australia/Lindeman, Australia/Lord_Howe, Australia/Melbourne, Australia/NSW, Australia/North, Australia/Perth, Australia/Queensland, Australia/South, Australia/Sydney, Australia/Tasmania, Australia/Victoria, Australia/West, Australia/Yancowinna,
                Brazil/Acre, Brazil/DeNoronha, Brazil/East, Brazil/West, CET, CST6CDT, Canada/Atlantic, Canada/Central, Canada/East-Saskatchewan, Canada/Eastern, Canada/Mountain, Canada/Newfoundland, Canada/Pacific, Canada/Saskatchewan, Canada/Yukon, Chile/Continental, Chile/EasterIsland, Cuba, EET, EST, EST5EDT, Egypt, Eire,
                Etc/GMT, Etc/GMT+0, Etc/GMT+1, Etc/GMT+10, Etc/GMT+11, Etc/GMT+12, Etc/GMT+2, Etc/GMT+3, Etc/GMT+4, Etc/GMT+5, Etc/GMT+6, Etc/GMT+7, Etc/GMT+8, Etc/GMT+9, Etc/GMT-0, Etc/GMT-1, Etc/GMT-10, Etc/GMT-11, Etc/GMT-12, Etc/GMT-13, Etc/GMT-14, Etc/GMT-2, Etc/GMT-3, Etc/GMT-4, Etc/GMT-5, Etc/GMT-6, Etc/GMT-7, Etc/GMT-8, Etc/GMT-9, Etc/GMT0, Etc/Greenwich, Etc/UCT, Etc/UTC, Etc/Universal, Etc/Zulu,
                Europe/Amsterdam, Europe/Andorra, Europe/Athens, Europe/Belfast, Europe/Belgrade, Europe/Berlin, Europe/Bratislava, Europe/Brussels, Europe/Bucharest, Europe/Budapest, Europe/Chisinau, Europe/Copenhagen, Europe/Dublin, Europe/Gibraltar, Europe/Helsinki, Europe/Istanbul, Europe/Kaliningrad, Europe/Kiev, Europe/Lisbon, Europe/Ljubljana, Europe/London, Europe/Luxembourg, Europe/Madrid, Europe/Malta, Europe/Minsk, Europe/Monaco, Europe/Moscow, Europe/Nicosia, Europe/Oslo, Europe/Paris, Europe/Prague, Europe/Riga, Europe/Rome, Europe/Samara, Europe/San_Marino, Europe/Sarajevo, Europe/Simferopol, Europe/Skopje, Europe/Sofia, Europe/Stockholm, Europe/Tallinn, Europe/Tirane, Europe/Tiraspol, Europe/Uzhgorod, Europe/Vaduz, Europe/Vatican, Europe/Vienna, Europe/Vilnius, Europe/Warsaw, Europe/Zagreb, Europe/Zaporozhye, Europe/Zurich,
                Factory, GB, GB-Eire, GMT, GMT+0, GMT-0, GMT0, Greenwich, HST, Hongkong, Iceland, Indian/Antananarivo, Indian/Chagos, Indian/Christmas, Indian/Cocos, Indian/Comoro, Indian/Kerguelen, Indian/Mahe, Indian/Maldives, Indian/Mauritius, Indian/Mayotte, Indian/Reunion, Iran, Israel, Jamaica, Japan, Kwajalein, Libya, MET, MST, MST7MDT, Mexico/BajaNorte, Mexico/BajaSur, Mexico/General, Mideast/Riyadh87, Mideast/Riyadh88, Mideast/Riyadh89, NZ, NZ-CHAT, Navajo, PRC, PST8PDT,
                Pacific/Apia, Pacific/Auckland, Pacific/Chatham, Pacific/Easter, Pacific/Efate, Pacific/Enderbury, Pacific/Fakaofo, Pacific/Fiji, Pacific/Funafuti, Pacific/Galapagos, Pacific/Gambier, Pacific/Guadalcanal, Pacific/Guam, Pacific/Honolulu, Pacific/Johnston, Pacific/Kiritimati, Pacific/Kosrae, Pacific/Kwajalein, Pacific/Majuro, Pacific/Marquesas, Pacific/Midway, Pacific/Nauru, Pacific/Niue, Pacific/Norfolk, Pacific/Noumea, Pacific/Pago_Pago, Pacific/Palau, Pacific/Pitcairn, Pacific/Ponape, Pacific/Port_Moresby, Pacific/Rarotonga, Pacific/Saipan, Pacific/Samoa, Pacific/Tahiti, Pacific/Tarawa, Pacific/Tongatapu, Pacific/Truk, Pacific/Wake, Pacific/Wallis, Pacific/Yap,
                Poland, Portugal, ROC, ROK, Singapore, Turkey, UCT, UTC, Universal, W-SU, WET, Zulu
Values

Value           Description. Options
KEY             NetEnforcer Activation Key. Value: Key Number
MODE            Interface Mode. Values: auto | full | half
SPEED           Interface Speed. Values: auto | 10 | 100 | 1000
+/-HOST         Adds or subtracts a Host to/from the Access List. Values: Host IP Address | Host Name | All
LINK_TYPE       Link Type. Values: half | full
OUTBOUND        Outbound traffic. Value: value (in K/M)
INBOUND         Inbound traffic. Value: value (in K/M)
READ            Name of SNMP Write Community. Value: SNMP Community Name
WRITE           Name of SNMP Read Community. Value: SNMP Community Name
TRAP            Name of SNMP Trap Community. Value: SNMP Community Name
VLAN_STATE      VLAN environment. Values: enable | disable
SERVER_RETRIES  Retries for Server. Value: 1-100
SERVER_TIMEOUT  Timeout for Server. Value: 10-240
SERVICE_RETRIES Retries for Service. Value: 1-100
SERVICE_TIMEOUT Timeout for Service. Value: 10-249
CONNECT         Timeout for Connection. Value: 10-240
ACCT_STATE      Accounting module. Values: enable | disable
RADIUS_STATE    RADIUS Accounting. Values: enable | disable
DOS_STATE       DoS Attack Response. Values: Admit | Drop
DEST_IP         Route Destination IP. Value: IP Address
MASK            Route Subnet Mask. Value: IP Address
GATEWAY         Route IP Gateway. Value: IP Address
DEST_TYPE       Route Destination type. Values: host | network
INTERFACE       Route Interface. Values: 0 | 1 | 2
ALERTS_STATE    Alerts Module. Values: enable | disable
TAB             Configuration window tab. Values: key | ips | snmp | access_link | access_control | vlan | acct_setup | monitoring | policy_srv | acct_radius_storage | dos | security | alert | time (no value = all)