allot ~ cli guide 5.1

NetEnforcer X01/X02

Command Line Interface (CLI) v5.1

Table of Contents

Introduction ..............................................................................................................4 Accessing the CLI ..................................................................................................4 Scripts ...................................................................................................................4

CLI Command Syntax ................................................................................................5 Online Help ...............................................................................................................5 Command Descriptions..............................................................................................6

Object Editing – Add/Change/Rename/Delete ............................................................6 Pipes, VCs and Rules ............................................................................................6 QoS .................................................................................................................... 11 Services ............................................................................................................. 14 ToS .................................................................................................................... 18 VLANs ................................................................................................................ 19 Data Sources ...................................................................................................... 20 Hosts ................................................................................................................. 21 Time .................................................................................................................. 23 Connection Control ............................................................................................. 24

Other Actions ....................................................................................................... 26 List .................................................................................................................... 26 Config ................................................................................................................ 27

This guide is intended for use with NetEnforcer X01/02 units running software version 5.1.

Command Line Interface

Introduction The NetEnforcer Command Line Interface (CLI) can be used to define Pipes, Virtual Channels, Rules and Catalog entries. In addition, you can also use the CLI to set system parameters and device settings. The CLI enables you to modify the NetEnforcer database from a command line. The CLI supplies a set of commands to add, change, rename and remove NetEnforcer entities, such as, Pipes, Virtual Channels or other Catalog entries and change the configuration of NetEnforcer.

Accessing the CLI 1. Connect to the NetEnforcer from a local host using one of the following methods:

Via the console port.

Via Telnet from a workstation located on the same network as NetEnforcer.

2. Login to NetEnforcer as the root user. The default password is bagabu.

Scripts Scripts can contain both CLI and Linux commands in order to automate the data entry process. For example, you can write a script that will add 40 rules to 30 different Virtual Channels. A script can be written on a remote workstation, using your preferred text editor, and then sent to NetEnforcer via FTP. Alternatively, you can create the script directly on NetEnforcer using the built in VI editor. In both cases, ensure that the script has execute attributes. (For more details on file attributes, please refer to a Linux manual.)

www.allot.com 4


CLI Command Syntax The CLI consists of several actions, each of which has an object and one or more parameters and values. The syntax of the CLI is:

go <action> <object> <value> <parameter> <parameter value>

Element Definition

go Command heading. Precedes all CLI commands

action The command to perform. This can be add, delete, change, list or config.

object The object (for example, QoS) upon which the action is performed.

value A value that does not require the presence of a parameter, for example the name of a new QoS Catalog entry. Value elements are separated by colons (for example cbr:100:10). Multiple values are separated by commas (for example, cbr:100:10, cbr:100:10).

parameter An attribute of the object (for example, -qname).

parameter value

The value of the preceding parameter. (for example, Gold). Multiple parameter value elements are separated by colons (:). It is possible to have more then one parameter in a command.

Additional optional parameters may be used, as follows: -f: Disconnects any other client with write permissions and gives the write permissions to the CLI client. For use with all actions except list. For example, a CLI command to define a new Pipe QoS Catalog Entry called Basic (for both inbound and outbound traffic) with a priority of 1: go add qos Basic:pipe_both –prior 1 -f Names When working with Pipes, Virtual Channels, Rules or Catalog entries, you must enclose the name of the Pipe, Virtual Channel, Rule or Catalog entry in quotation marks if it contains more than one word. For example: Correct Command Forms: ac add vc Gold:PipeGold ac add vc “Gold Service”:PipeGold Incorrect Command Form: ac add vc Gold Service:PipeGold

Online Help If you are unsure as to which parameters are used with a specific command, you can enter an incomplete command and the CLI will list all the available parameters for that action and/or object.

www.allot.com 5


Command Descriptions

Object Editing – Add/Change/Rename/Delete

Pipes, VCs and Rules param – Required parameter param – Optional parameter VALUE – Parameter Value

Task Command

Add new Pipe go add pipe NAME:STATE

-expand VALUE

-src VALUE

-dst VALUE

-service VALUE

-time VALUE -tos VALUE -vlan VALUE

-access VALUE -qos VALUE

-offset VALUE

-dir VALUE

go add pipe example:enable –expand none –src host1 –dst host2 –service service1 –time time1 –tos tos1 –vlan vlan1 –access drop –qos qos1 –offset 2 –dir 1

Change Pipe go change pipe NAME:NEW_STATE -expand NEW_VALUE

-qos NEW_VALUE

-access NEW_VALUE

go change pipe example:enable –expand src –access drop –qos qos1

Rename Pipe go rename pipe NAME:NEW_NAME

Pi

pe

s

Delete Pipe go delete pipe NAME

www.allot.com 6


Task Command

Add new VC go add vc NAME:PIPE_NAME:STATE

-expand VALUE

-src VALUE

-dst VALUE

-service VALUE


-access VALUE

-coc VALUE -qos VALUE

-offset VALUE

-dir VALUE

go add vc example:example_pipe:enable –expand none –src host1 –dst host2 –service service1 –time time1 –tos tos1 –vlan vlan1 –access drop –coc coc1 –qos qos1 –offset 2 –dir 1

Change VC go change vc Name:PIPE_NAME:NEW_STATE -expand NEW_VALUE

-access NEW_VALUE

-coc NEW_VALUE -qos NEW_VALUE

go change vc example:pipe_example:enable –expand src –access drop –coc coc1 –qos qos1

Rename VC go rename vc NAME:PIPE_NAME:NEW_NAME

VC

s

Delete VC go delete VC NAME:PIPE_NAME

www.allot.com 7


Task Command

Add new Pipe Rule go add prule PIPE_NAME:STATE

-src VALUE

-dst VALUE -service VALUE


-offset VALUE

-dir VALUE

go add prule example:enable –src host1 –dst host2 –service service1 –time time1 –tos tos1 –vlan vlan1 –offset 2 –dir 1

Change Pipe Rule go change prule PIPE_NAME:OFFSET:STATE

-src NEW_VALUE

-dst NEW_VALUE -service NEW_VALUE

-time NEW_VALUE -tos NEW_VALUE -vlan NEW_VALUE

-dir NEW_VALUE

go change prule example:2:enable –src host1 –dst host2 –service service1 –time time1 –tos tos1 –vlan vlan1 –dir 1

Pi

pe

R

ul

es

Delete Pipe Rule go delete prule PIPE_NAME :OFFSET

www.allot.com 8


Task Command

Add new VC Rule go add vcrule VC_NAME:PIPE_NAME:STATE

-src VALUE

-dst VALUE -service VALUE


-offset VALUE

-dir VALUE

go add vcrule example:pipe_example:enable –src host1 –dst host2 –service service1 –time time1 –tos tos1 –vlan vlan1 –offset 2 –dir 1

Change VC rule go change vcrule VC_NAME:PIPE_NAME:OFFSET:STATE

-src NEW_VALUE

-dst NEW_VALUE -service NEW_VALUE

-time NEW_VALUE -tos NEW_VALUE -vlan NEW_VALUE

-dir NEW_VALUE

go change vcrule example:pipe_example:2:enable –src host1 –dst host2 –service service1 –time time1 –tos tos1 –vlan vlan1 –dir 1

VC

R

ul

es

Delete VC rule go delete vcrule VC_NAME:PIPE_NAME:OFFSET

When adding a new Pipe or Virtual Channel without parameter ‘-offset’ , it is added in the next to last position (before Fallback Pipe/VC).

Parameters Parameter Description Value(s)

-expand Location of possible Pipe/VC template expansion

none - No template

src – Source Host

dst – Destination Host

-src Source Host Catalog entry Host Entry Name

any (default)

www.allot.com 9


Parameter Description Value(s)

-dst Destination Host Catalog entry Host Entry Name

any (default)

-service Service Catalog Entry Service Entry Name

all IP (default)

-time Time Catalog Entry Time Entry Name

any Time (default)

-tos ToS Catalog Entry ToS Entry name

ignore (default)

-vlan VLAN Catalog Entry VLAN Entry Name

any (default)

-dir Direction of Traffic 1

2 (default)

-offset Offset from first Pipe/VC/Rule in table

Offset Number

-qos QoS Catalog Entry QoS Entry Name

-access Access Type accept (default)

reject

drop

-coc Connection Control Catalog Entry CoC Entry Name

Values Value Description Options

STATE Pipe/VC/Rule Status enable (default)

disable

www.allot.com 10


QoS param – Required parameter param – Optional parameter VALUE – Parameter Value

Task Command

Add/Change a QoS for Pipes in which both directions are defined together.

go add/change qos NAME:pipe_both -prior VALUE -max_bw VALUE -min_bw VALUE:MIN_RESERVED -tos TOS_IN:TOS_OUT -general MAX_CON:ADMISSION_CTRL:TOS_ADMIT

go add qos example:pipe_both –prior 1 –max_bw 100 –min_bw 100:yes –tos tos1:tos2 –general 300:admit:tos1

Add/Change a new QoS for Pipes in which each direction is defined separately.

go add/change qos NAME:pipe_each -prior VALUE_1,VALUE_2 -max_bw VALUE_1,VALUE_2 -min_bw

VALUE_1:MIN_RESERVED_1,VALUE_2:MIN_RESERVED_1 -tos TOS_IN_1:TOS_OUT_1, TOS_IN_1:TOS_OUT_1 -general MAX_CON:ADMISION_CTRL:TOS_ADMIT

go add qos example:pipe_each –prior 1,2 –max_bw 100,100 –min_bw 100:yes,100:no –tos tos1:tos2,tos1:tos2 –general 300:admit:tos1

Add/Change a new QoS Catalog entry for half-duplex Pipes.

go add/change qos NAME:pipe_half_duplex -prior VALUE_1,VALUE_2

-avail_bw VALUE

-tos VALUE

-general MAX_CON:ADMISSION_CTRL:TOS_ADMIT

go add qos example:pipe_half_duplex –prior 1,2 –avail_bw 100 –tos tos1 –general 300:admit:tos1

Rename an existing QoS.

go rename qos NAME:NEW_NAME

Pi

pe

Q

oS

Delete an existing QoS.

go delete qos NAME

www.allot.com 11


Task Command

Add/Change a new QoS for VCs in which both directions are defined together.

go add/change qos NAME:vc_both -prior VALUE -max_bw VALUE -min_bw VALUE -tos VALUE

-con-alloc burst:MAX_BW:SIZE:MIN_BW/cbr:BW:DELAY

go add qos example:vc_both –prior 1 –max_bw 100 –min_bw 100 –tos tos1 –con_alloc burst:100:1000:0

Add/Change a new QoS for VCs in which each direction is defined separately.

go add/change qos NAME:vc_each -prior VALUE -max_bw VALUE_1,VALUE_2

-min_bw VALUE_1,VALUE_2

-tos VALUE_1,VALUE_2

-con_allot burst:MAX_BW_1:SIZE_1:MIN_BW_1/cbr:BW_1:DELAY_1, burst:MAX_BW_2:SIZE_2:MIN_BW_2/cbr:BW_2:DELAY_2

go add qos example:vc_each –prior 1 –max_bw 100,100 –min_bw 100,100 –tos tos1,tos2 –con_alloc cbr:100:10,cbr:100:10

Rename an existing QoS.

go rename qos NAME:NEW_NAME

VC

Q

oS

Delete an existing QoS.

go delete qos NAME

NOTE: For commands to create ToS, see p. 14. NOTE: When QoS type vc_each or pipe_each, then all of the parameters (except for –general) require two values separated with a comma. The first value is for inbound traffic and the second is for outbound traffic. If you do not want to specify an inbound parameter, use a empty spacein format, for example, -prior ,2.

www.allot.com 12



-prior Priority (VC or Pipe) 1-10 (Default = 4)

-max_bw Maximum bandwidth (VC or Pipe) Bandwidth Value in K/M

-min_bw Maximum bandwidth (VC or Pipe) Bandwidth Value in K/M

-tos Enables ToS ToS Name

-general General Parameters MAX_CON, ADMISSION_CTRL, TOS_ADMIT

-con_alloc burst

Allocation of Connections for Burst type QoS policies

MAX_BW, MIN_BW, SIZE

-con_alloc cbr

Allocation of Connections for CBR type QoS policies

BW, DELAY

-avail_bw Available bandwidth (Full Duplex Pipe)

Bandwidth Value in K/M


MIN_RESERVED Minimum bandwidth reserve available

Yes

No

(Default = No)

TOS_IN ToS (in-profile traffic) ToS Name

TOS_OUT ToS (out of profile traffic) ToS Name

MAX_CON Maximum connections allowed (VC or Pipe).

Number of connections

ADMISSION_CTRL Sets admission policy when bandwidth is exceeded.

admit (by priority) deny

reject

TOS_ADMIT ToS ToS Name

MAX_BW Maximum bandwidth per connection (burst type)


MIN_BW Minimum bandwidth per connection (Burst type)


SIZE Burst size. Bits per seconds in K/M

BW Bandwidth per connection (CBR type)


DELAY Traffic Delay Delay in Microseconds

www.allot.com 13


Services param – Required parameter param – Optional parameter VALUE – Parameter Value

Task Command

Add/Change application-based Service.

go add/change service NAME:appl -protocol NETWORK:IP:APP

-dst_ports DST_PORT_1, DST_PORT_2,ETC -port_type VALUE -parse_by_port VALUE -coll_filter VALUE -advance IDLE:REJECT:CONNECT

go add service test:appl –protocol ip:tcp:ftp –dst_port 333,5445 -port_type all –parse_by_port enable –coll_filter appl –advance default:default:default

Add/Change Service Group. go add/change service NAME:group -group_report VALUE SERVER_NAME_1,SERVER_NAME_2,ETC

go add service test:group –group_report enable testserver,testserver2

Add/Change content-based Service.

go add/change service NAME:content:PARENT_NAME VALUE:VALUE

go add service test:content:SMTP domains:allot.com

Rename Service. go rename service NAME:NEW_NAME

Se

rv

ic

e

Ty

pe

s

Delete Service. go delete service NAME

When changing the port list of a Service Entry, use prefixes ‘– ‘ or ‘+’ to each port number or port range (‘– ‘ to remove port, ‘+’ to add new port), or prefix ‘=’ once at beginning for replacing ports list with entered new one. The same prefixes should be used for update the Service Group list and Content Inspection list.

For example,

go add service Test1:appl –dst_ports 333,3456-3460 -f

go change service Test1 –dst_ports +2222-2228,-333

go change service Test1 –dst_ports =2222-2228,4444 -f

www.allot.com 14



-protocol Protocol of Catalog entry. NETWORK, IP, APP

-dst_ports List of possible ports on the destination host.

Port Number or Port Range

-port_type Type of Destination port all

other

list

-parse_by_port Parsing by Port enable

disable

-coll_filter Collection Filter service

appl

-advance Allocation of Connections for Burst type QoS policies

IDLE, REJECT, CONNECT

-group_report Enables group reports Enable

Disable


NETWORK Network protocol used.

IP ARP Banyan-Vines DEC-DECNET DEC-LAT DEC-Ethernet Appletalk SNA IPX Ipv6 MS-IPX NetBEUI ANY PPPoE-Discovery PPPoE-Control 1-65534

www.allot.com 15


Value Description Options

IP Transport protocol used (if NETWORK is IP)

TCP UDP ICMP IGMP EGP RSVP OSPFIGP SIPP-ESP SIPP-AH I-NLSP SWIPE GGP GRE ANY 1-255

APP Application used (if IP is TCP or UDP).

NonIP OtherIP Other TCP Other UDP TFTP HTTP FTP All RTSP Oracle Citrix H.323 KaZaA Gnutella Citrix ICA SMTP eDonkey WinMX Citrix NFuse MS Exchange MGCP Winny Winamp Msplayer Realone Quicktime iTunes BitTorrent Direct Connect

IDLE Idle Timeout Number of Seconds default

REJECT Reject Timeout

Number of Seconds default

www.allot.com 16



CONNECT Connect Timeout

Number of Seconds default

PARENT_NAME Content type and value, depending upon application

Values for parent HTTP:

url

method: {CONNECT/DELETE/GET/HEAD/OPTIONS/POST/PUT/ TRACE}

host

content-type:{command 'go list content' shows all acceptable values}

Values for parent FTP:

command:{Download/Upload/Other}

file

Values for parent Oracle:

service

user

Values for parent H.323:

codec:{H.323 G711-64K Codec/H.323 G711-56K Codec/ H.323 G722-64K Codec/H.323 G722-56K Codec/H.323 G722-48K Codec/H.323 G7231 Codec/H.323 G728 Codec/H.323 G729 Codec/H.323 H261 Codec/H.323 H262 Codec/H.323 H263 Codec/H.323 Audio Default Codec/H.323 Video Default Codec}

Values for parent KaZaA / Gnutella: direction:{Upload/Download}

Values for parent SMTP:

domains_file:{name of the file containing domains}

domains Values for parent Citrix ICA:

priority:{High/Medium/Low/Print Traffic}

Values for parent Citrix

appl

user


Values for parent Citrix NFuse:

appl

user


Values for parent MGCP:

codec media type:{Audio/Video/Application/Data/All}

www.allot.com 17


ToS param – Required parameter param – Optional parameter VALUE – Parameter Value

Task Command

Add/Change ToS go add/change tos NAME -tosByte VALUE

go add tos test1 –tosByte 4

Rename ToS. go rename tos NAME:NEW_NAME

Ty

pe

s

of

S

er

vi

ce

Delete ToS. go delete tos NAME


-tosByte ToS Markings separated by commas. 1-8

www.allot.com 18


VLANs param – Required parameter param – Optional parameter VALUE – Parameter Value

Task Command

Add/Change VLAN. go add vlan NAME PRIORITY_ STATE:PRIORITY_BITS:VLAN_ID_STATE:VLAN_ID

go add vlan test enable:3:enable:3334

Rename VLAN. go rename vlan NAME:NEW_NAME

VL

AN

s

Delete VLAN. go delete vlan NAME


PRIORITY_STATE Enable/Disable VLAN priority Enable Disable

PRIORITY_BITS Priority bits number 1-7

VLAN_ID_STATE Enable/disable VLAN ID Enable Disable

VLAN_ID VLAN ID Number 0-4095

www.allot.com 19


Data Sources param – Required parameter param – Optional parameter VALUE – Parameter Value

Task Command

Add/Change LDAP Data Source

go add/change datasrc NAME:ldap HOST_NAME:USER_NAME:PASSWORD:DESCRIPTION

go add datasrc test1:ldap server1:Robert:password:A customer service portal

Add Text File Data Source go add datasrc NAME:txtfile HOST_NAME:DESCRIPTION

go add datasrc test2:txtfile server1:A customer service portal.

Rename Data Source go rename datasrc NAME:NEW_NAME

Da

ta

S

ou

rc

es

Delete Data Source. go delete datasrc NAME


HOST_NAME IP/hostname of LDAP/TFTP server IP Address or Host Name

USER_NAME LDAP User name Name

PASSWORD LDAP Password Password

DESCRIPTION Data Source Description (Optional parameter. Information appears in the Policy Editor only).

Short Description

www.allot.com 20


Hosts param – Required parameter param – Optional parameter VALUE – Parameter Value

Task Command

Add/Change Addresses Host.

go add host NAME:addresses TYPE:ADDRESS:INTERFACE, ETC

go add host example:addresses name:Allot1:anywhere,ipaddress:12.234.12.12:internal

Add/Change LDAP Host.

go add host NAME:ldap DATA_SOURCE:ROOT:ADDRESS_ATTR:NAME_ATTR:FILTER

go add host example:ldap source1:files:12.133.133.133:12.133.134.133:filter1

Add/Change Host Txtfile.

go add host NAME:txtfile DATA_SOURCE:FILE:START_ROW:ADDRESS_POS:NAME_POS:DELIMITER

go add host example:txtfile source1:allot /files:1:3:1:comma

Add/Change Host group.

go add host NAME:group HOST_1,HOST_2,ETC

go add host example:group host_a,host_b

Rename Host. go rename host NAME:NEW_NAME

Ho

st

s

Delete Host. go delete host NAME

When changing the addresses or group list of the Host Entry, use prefixes ‘-‘ or ‘+’ to each address or group item (‘– ‘ to remove item, ‘+’ to add item), or prefix ‘=’ once at beginning for replacing list with entered new one.

For example,

go change host Test1 -ipaddr:2.2.2.2,+range:1.1.1.1-1.1.1.9 -f

go change host Test2 +host8,-host9 –f

go change host Test2 =host10,host11 –f When changing txtfile or ldap Hosts, use empty fields for parameters you do not want to change. For example, to change the LDAP filter only enter the following command: go change host Test1 ::::servicegroup=gold

www.allot.com 21



TYPE Type of address. Name range netaddr ipaddr macaddr

INTERFACE Interface type. Internal external anywhere (default)

HOST_1,HOST_2, ETC

Names of previously defined Host Catalog entries, separated by commas, to be added to a group.

ToS Name

DATA_SOURCE Name of previously defined Data Source Catalog entry.

Name

ROOT LDAP Directory subtree root. Root Name

ADDRESS_ATTR Attribute/Address that holds the IP addresses of entries.

Name

NAME_ATTR Attribute/Address that holds the names of entries.

Name

FILTER LDAP Directory search filter. Filter Name

FILE Full file path on remote host. Path

START_ROW Row number to start reading data. Row Number

ADDRESS_POS Position of address field. Position

NAME_POS Position of name field. Position

DELIMITER Separator character that separates a text file row into fields.

comma space semicolon or other character.

www.allot.com 22


Time param – Required parameter param – Optional parameter VALUE – Parameter Value

Task Command

Add/Change Time. go add time NAME PERIOD:TIME/DAY/MONTH_DAY/MONTH

go add time example daily:10:00-12:00

Rename Time. go delete time NAME

Ti

me

Delete Time. go rename time NAME:NEW_NAME

When changing the Time Entry, use prefixes ‘– ‘ or ‘+’ to each time period ( ‘– ‘ to remove period, ‘+’ to add new period ), or prefix ‘=’ once at the beginning for replacing a list with a new one.

For example,

go add time Test1 daily:10.00-20.00, weekly:5:08.20-20.00 -f

go change time Test1 –daily:10.00-20.00,+monthly:15 -f

go change time Test1 =daily:14.00-20.00,monthly:25 -f


PERIOD Time Period daily[:TIME] weekly[:DAY[:TIME]] monthly[:MONTH_DAY[:TIME]] yearly[:MONTH MONTH_DAY[:TIME]]

TIME The range of hours and minutes

HH,mm-HH,mm allDay (default)

DAY The day of the week sun mon tue wed thu fri sat

MONTH_DAY The day of the month 1-31

MONTH The month 1-12

www.allot.com 23


Connection Control param – Required parameter param – Optional parameter VALUE – Parameter Value

Task Command

Add/Change load balancing Connection Control.

go add coc NAME:lb:TECHNIQUE:PORT_USED -behaviour NO_SERVER_ACTION:BACKUP:STICKY -servers HOST:PORT:WEIGHT

go add coc example:lb:wrr:fixed:657 –behavior drop:yes:100 –servers admit:465:50

Add/Change cache redirection Connection Control.

go add coc NAME:cache -behaviour NO_SERVER_ACTION

-servers HOST

go add coc example:cache –behavior drop –servers deny

Rename Connection Control.

go rename coc NAME:NEW_NAME

Co

C

Delete Connection Control.

go delete coc NAME

When changing the servers list of the Connection Control entry, use prefixes ‘-‘ or ‘+’ for each server item (‘– ‘ to remove item, ‘+’ to add item), or prefix ‘=’ once at the beginning when replacing a list with a new one.

For example,

go add coc Test1:lb:wrr:fixed:777 –servers 10.1.1.4::3 -f

go change coc Test1 –servers –10.1.1.4::3,+10.1.1.10::5 -f


-behavior Connection Behavior NO_SERVER_ACTION, BACKUP, STICKY

-servers Maximum bandwidth (VC or Pipe) Bandwidth Value in K/M


TECHNIQUE Load balancing technique rr

fa

wrr (default)

www.allot.com 24



PORT_USED Load balancing port original (default)

assigned

fixed:PORT_NUMBER

NO_SERVER_ACTION Action when no server connected.

drop

reject

pass-as-is (default)

BACKUP Activate load balancing on server failure. Load Balancing only.

Yes

No (default)

STICKY Timeout (in seconds) for sticky connections. Load Balancing only.

0-999999

HOST Sets admission policy when bandwidth is exceeded.

admit (by priority)

deny

reject

PORT Port number on load balancing server. Load Balancing only.

Port Number

WEIGHT Weight on load balancing server, when TECHNIQUE is wrr. Load Balancing only.

Weight

www.allot.com 25


Other Actions

List The list action displays the entries defined in the different Catalogs. param – Required parameter param – Optional parameter VALUE – Parameter Value

Task Command

List catalog go list CATALOG -full

Display Pipe data. go list pipedata PIPE_NAME

Display VC data go list vc NAME:PIPE_NAME

Display full Pipe list. go list pipes -full


-full Displays additional information, if any.

No Value


CATALOG Catalog to Display host time tos qos service datasrc vlan coc

www.allot.com 26


Config The config action enables you to configure attributes of the NetEnforcer. param – Required parameter param – Optional parameter VALUE – Parameter Value

Task Command

Configure the Activation key

go config key KEY

go config key 8D8D89C9EA333E9C9C9C9C98FB366E9003

Configure the interfaces

go config nic –internal MODE:SPEED–external MODE:SPEED –mgmt MODE:SPEED

go config nic –internal full:100 –external full:100 –mgmt half:100

Configure the access list

go config access_control +/-HOST_1,+/-HOST_2,ETC

go config access_control +Allot.com

Configure the SNMP settings

go config snmp –community READ:WRITE:TRAP-trap_dest VALUE -contact VALUE -location VALUE

go config snmp –community Allot:Allot:Allot –trap_dest 123.12.12.122 –contact Dave –location New York

Configure the VLAN go config vlan VLAN_STATE:VLAN_ID

go config vlan enable:764

www.allot.com 27


Task Command

Configure the IP Addresses

go config ips -h VALUE -d VALUE -g VALUE -ip IP_ADDRESS:MASK -dns DNS_1:DNS_2 -ts TS_1:TS_2:TS_3 -mgmt VALUE -reject_ip IP:MASK|none

go config ips –h Allot –d Allot_net –g 123.123.123.123 –ip 23.123.123.123:124 –dns 124.12.12.12:124/13/13/13 –ts 124.123.12.12:none:none –mgmt enable -reject_ip none

Configure the links go config access_link -internal LINK_TYPE:OUTBOUND:INBOUND -external LINK_TYPE:OUTBOUND:INBOUND

go config access_link –internal full:100:100 –external full:100:100

Configure the Policy Editor

go config policy_srv -auto_refresh VALUE

-save_refresh VALUE

go config policy_srv –auto_refresh 5min –save_refresh enable

Configure Monitoring go config monitoring -resolve_dns VALUE

-sample_period VALUE

go config monitoring –resolve_dns enable –sample_period 1min

Configure Connection Control parameters

go config coc -pass_through VALUE -retries SERVER_RETRIES:SERVICE_RETRIES

-timeout SERVER_TIMEOUT:SERVICE_TIMEOUT:CONNECT

go config coc –pass_through enable –retries 100:100 –timeout 100:100:100

Configure the accounting module.

go config acct_setup ACCT_STATE

-resolve_dns VALUE

-odbc VALUE:USER_NAME:PASSWORD

-collect_data VALUE

-del_data VALUE -ip IP_1:IP_2

www.allot.com 28


Task Command

go config acct_setup enable -resolve_dns enable –odbc disable –collect_data 10minutes –del_data 1month –ip 122.123.12.12

Configure RADIUS Accounting.

go config radius_setup RADIUS_STATE -stop_only VALUE

-collect_data VALUE -server1 VALUE -server2 VALUE

-send_timeout VALUE -retries VALUE -failed_msg VALUE

go config radius_setup enable –stop_only disable –collect_data 15minutes –server1 123.12.12.12:blue –send_timeout 30 –retries 5 –failed_msg 100

Configure RADIUS storage

go config acct_radius_storage -pipe VALUE -vc VALUE

-service VALUE

-hosts VALUE

go config acct_radius_storage –pipe enable –vc disable –service disable –hosts enable

Configure response to DoS attacks.

go config dos DOS_VALUE -max_conn VALUE -max_cer VALUE

go config dos enable –max_conn 250 –max_cer 5000

Configure security. go config security -connect VALUE -telnet VALUE -ping VALUE -timeout VALUE -root_login VALUE -ssh VALUE

go config security –connect ssl –telnet disable –ping disable –timeout 0 –root_login enable -ssh enable

www.allot.com 29


Task Command

Configure network parameters.

go config network -transport VALUE -appl VALUE -sptree VALUE -mesh VALUE -mom VALUE -ar -/+DEST_IP:MASK:GATEWAY:DEST_TYPE:INTERFACE

go config network –transport enable –appl enable –sptree disable –mesh enable –mom disable –ar +123.123.123.123:24.24.24.123:123.345.123.12:host:1

Configure Alerts. go config alerts ALERTS_STATE -email VALUE_1:VALUE_2 -sms VALUE

go config alerts enable –email [email protected] –sms [email protected]

Configure unit time. go config time -t VALUE -tz VALUE

go config time –t 31-07-2004-13-45 –tz antarctica/mcmurdo

View current configuration of NetEnforcer tabs.

go config view TAB

go config view key

Verify Setup. go config setup_verify

Send snapshot. go config send_snapshot


-internal Internal interface of the NetEnforcer MODE, SPEED

-external External interface of the NetEnforcer MODE, SPEED

-management Management interface of the NetEnforcer (when present)

MODE, SPEED

-community SNMP read, write and trap community. READ, WRITE, TRAP

-trap_dest SNMP trap destination address. IP Address

-contact SNMP contact. Contact Name

None

www.allot.com 30

mailto:[email protected]



-location SNMP location. Location Name

None

-vlan_id VLAN ID Number 1-4094

-h Host name of the NetEnforcer. Host Name

-d Domain name where the NetEnforcer is located.

Domain Name

-g IP address of Gateway IP Address

None

-ip (ips) IP address of NetEnforcer and network subnet mask.

IP Address:Subnet Mask

-dns IP address of Primary/ Secondary DNS server. DNS Address

None

-ts IP address of the Primary/ Secondary/ Tertiary Time server.

NTP Server Address

None

-mgmt Management Port enable

disable

-reject_ip IP Address:Subnet Mask

None

-internal Internal link settings LINK_TYPE, OUTBOUND, INBOUND

-external External link settings LINK_TYPE, OUTBOUND, INBOUND

-auto_refresh Auto refresh rate for query in policy catalog *sec

*min

*hours

*days

none

-save_refresh Refresh query in policy catalog when saving policy database.

enable

disable

-resolve_dns Resolve DNS names.

Note: With acct_setup applies to Internal Accounting only.

enable

disable

www.allot.com 31



-sample_period Monitoring sample period 30sec

1min

2min

3min

4min

5min

6min

7min

8min

9min

10min

-pass_through Pass all cached traffic through QoS device. enable

disable

-retries Tracking retries SERVER_RETRIES, SERVICE_RETRIES

-timeout Tracking timeout SERVER_TIMEOUT, SERVICE_TIMEOUT, CONNECT

-obdc ODBC Accounting (Internal Accounting only) enable

disable

-collect_data Timespan for saved accounting data (Internal and RADIUS Accounting only)

*minutes

*hours

*days

-del_data Timespan for deleted accounting data (Internal Accounting only)

*days

*months

-ip (acct_setup) External Accounting location. Primary IP Address, Secondary IP Address

-stop_only Send RADIUS Stop messages only enable

disable

-server1 Primary RADIUS server IP_ADDRESS[/PORT]:SECRET

-server2 Secondary RADIUS server IP_ADDRESS[/PORT]:SECRET

-send_timeout Timeout on message send failure 1-60

-retries Number of retries for message send 1-10

-failed_msg Number of failed messages before switching to other server

1-200

–pipe Save item 'Pipe' in each RADIUS Accounting record.

enable

disable

www.allot.com 32



–vc Save item 'Virtual Channel' in each RADIUS Accounting record.

enable

disable

–service Save item 'Service' in each RADIUS Accounting record.

enable

disable

–host Hosts recorded in RADIUS Accounting. int_host

ext_host

int_ext_host

client

server

client_server

disable.

-max_con Maximum number of connections in DoS attack.

1-500 (in thousands)

-max_cer Maximum new connections establishment rate.

1-10000

–connect Connection mode. ssl,

non-ssl

both

–telnet Telnet. enable

disable

–ping Ping replies. enable

disable

-timeout Timeout while connected via console or telnet. The shells will automatically logout after the specified number of seconds.

Number of Seconds

0 = Disable

-root_login Logging in as user “root”:

(modifies files /etc/security and /etc/ssh/sshd_config)

enable

disable

-ssh Secure Shell communications enable

disable

-transport Transport Layer Classification (TCP/UDP ports).

enable

disable

-sptree Support ‘Spanning Tree’ protocol. enable

disable

-appl Application Layer Analysis. enable

disable

-mesh Support Meshed network topology. enable

disable

www.allot.com 33



-mom 'Monitoring Only' mode. enable

disable

-ar Additional routes.

Prefixes: '-' to delete selected route from Routing Table; '+' to add new route to Routing Table.

DEST_IP, MASK, GATEWAY, DEST_TYPE, INTERFACE

–email Primary/Secondary email address for Alert messages

email address:email address

–sms SMS Address for Alert messages SMS Address

-t System time. DD-MM-YYYY-HH-mm

-tz Time zone. Time zone settings.

Enter one from the following list of parameters: US/Alaska, US/Aleutian, US/Arizona, US/Central, US/East-Indiana, US/Eastern, US/Hawaii, US/Indiana-Starke, US/Michigan, US/Mountain, US/Pacific, US/Samoa, Africa/Abidjan, Africa/Accra, Africa/Addis_Ababa, Africa/Algiers, Africa/Asmera, Africa/Bamako, Africa/Bangui, Africa/Banjul, Africa/Bissau, Africa/Blantyre, Africa/Brazzaville, Africa/Bujumbura,Africa/Cairo, Africa/Casablanca, Africa/Ceuta, Africa/Conakry, Africa/Dakar, Africa/Dar_es_Salaam, Africa/Djibouti, Africa/Douala, Africa/El_Aaiun, Africa/Freetown, Africa/Gaborone, Africa/Harare, Africa/Johannesburg, Africa/Kampala, Africa/Khartoum, Africa/Kigali, Africa/Kinshasa, Africa/Lagos, Africa/Libreville, Africa/Lome, Africa/Luanda, Africa/Lubumbashi, Africa/Lusaka, Africa/Malabo, Africa/Maputo, Africa/Maseru, Africa/Mbabane, Africa/Mogadishu, Africa/Monrovia, Africa/Nairobi, Africa/Ndjamena, Africa/Niamey, Africa/Nouakchott, Africa/Ouagadougou, Africa/Porto-Novo, Africa/Sao_Tome, Africa/Timbuktu, Africa/Tripoli, Africa/Tunis, Africa/Windhoek, America/Adak, America/Anchorage, America/Anguilla, America/Antigua, America/Araguaina, America/Aruba, America/Asuncion, America/Atka, America/Barbados, America/Belem, America/Belize, America/Boa_Vista, America/Bogota, America/Boise, America/Buenos_Aires, America/Cambridge_Bay, America/Cancun, America/Caracas, America/Catamarca, America/Cayenne, America/Cayman, America/Chicago,

www.allot.com 34


Parameter Description Value(s) America/Chihuahua, America/Cordoba, America/Costa_Rica, America/Cuiaba, America/Curacao, America/Dawson, America/Dawson_Creek, America/Denver, America/Detroit, America/Dominica, America/Edmonton, America/Eirunepe, America/El_Salvador, America/Ensenada, America/Fort_Wayne, America/Fortaleza, America/Glace_Bay, America/Godthab, America/Goose_Bay, America/Grand_Turk, America/Grenada, America/Guadeloupe, America/Guatemala, America/Guayaquil, America/Guyana, America/Halifax, America/Havana, America/Hermosillo, America/Indiana/Indianapolis, America/Indiana/Knox, America/Indiana/Marengo, America/Indiana/Vevay, America/Indianapolis, America/Inuvik, America/Iqaluit, America/Jamaica, America/Jujuy, America/Juneau, America/Lima, America/Kentucky/Louisville, America/La_Paz, America/Kentucky/Monticello, America/Knox_IN, America/Los_Angeles, America/Louisville, America/Maceio, America/Managua, America/Manaus, America/Martinique, America/Mazatlan, America/Mendoza, America/Menominee, America/Merida, America/Mexico_City, America/Miquelon, America/Monterrey, America/Montevideo, America/Montreal, America/Montserrat, America/Nassau, America/New_York, America/Nipigon, America/Nome, America/Noronha, America/Panama, America/Pangnirtung, America/Paramaribo, America/Phoenix, America/Port-au-Prince, America/Port_of_Spain, America/Porto_Acre, America/Porto_Velho, America/Puerto_Rico, America/Rainy_River, America/Rankin_Inlet, America/Recife, America/Regina, America/Rosario, America/Santiago, America/Santo_Domingo, America/Sao_Paulo, America/Scoresbysund, America/Shiprock, America/St_Johns, America/St_Kitts, America/St_Lucia, America/St_Thomas, America/St_Vincent, America/Swift_Current,

www.allot.com 35


Parameter Description Value(s) America/Tegucigalpa, America/Thule, America/Thunder_Bay, America/Tijuana, America/Tortola, America/Vancouver, America/Virgin, America/Whitehorse, America/Winnipeg, America/Yakutat, America/Yellowknife, Antarctica/Casey, Antarctica/Davis, Antarctica/DumontDUrville, Antarctica/Mawson, Antarctica/McMurdo, Antarctica/Palmer, Antarctica/South_Pole, Antarctica/Syowa, Arctic/Longyearbyen, Asia/Aden, Asia/Almaty,Asia/Amman, Asia/Anadyr, Asia/Aqtau, Asia/Aqtobe, Asia/Ashgabat, Asia/Ashkhabad, Asia/Baghdad, Asia/Bahrain, Asia/Baku, Asia/Bangkok, Asia/Beirut, Asia/Bishkek, Asia/Brunei, Asia/Calcutta, Asia/Chungking, Asia/Colombo, Asia/Dacca, Asia/Damascus, Asia/Dhaka, Asia/Dili,Asia/Dubai, Asia/Dushanbe, Asia/Gaza, Asia/Harbin, Asia/Hong_Kong, Asia/Hovd, Asia/Irkutsk, Asia/Istanbul, Asia/Jakarta, Asia/Jayapura, Asia/Jerusalem, Asia/Kabul, Asia/Kamchatka, Asia/Karachi, Asia/Kashgar, Asia/Katmandu, Asia/Krasnoyarsk, Asia/Kuala_Lumpur, Asia/Kuching, Asia/Kuwait, Asia/Macao, Asia/Magadan, Asia/Manila, Asia/Muscat, Asia/Nicosia, Asia/Novosibirsk, Asia/Omsk, Asia/Phnom_Penh, Asia/Pyongyang, Asia/Qatar, Asia/Rangoon ,Asia/Riyadh, Asia/Riyadh87, Asia/Riyadh88, Asia/Riyadh89, Asia/Saigon, Asia/Samarkand, Asia/Seoul, Asia/Shanghai, Asia/Singapore, Asia/Taipei, Asia/Tashkent, Asia/Tbilisi, Asia/Tehran, Asia/Tel_Aviv, Asia/Thimbu, Asia/Thimphu, Asia/Tokyo, Asia/Ujung_Pandang, Asia/Ulaanbaatar, Asia/Ulan_Bator, Asia/Urumqi, Asia/Vientiane, Asia/Vladivostok, Asia/Yakutsk, Asia/Yekaterinburg, Asia/Yerevan, Atlantic/Azores, Atlantic/Bermuda, Atlantic/Canary, Atlantic/Cape_Verde, Atlantic/Faeroe, Atlantic/Jan_Mayen, Atlantic/Madeira, Atlantic/Reykjavik, Atlantic/South_Georgia, Atlantic/St_Helena, Atlantic/Stanley, Australia/ACT, Australia/Adelaide, Australia/Brisbane, Australia/Broken_Hill, Australia/Canberra, Australia/Darwin, Australia/Hobart, Australia/LHI,

www.allot.com 36


Parameter Description Value(s) Australia/Lindeman, Australia/Lord_Howe, Australia/Melbourne, Australia/NSW, Australia/North, Australia/Perth, Australia/Queensland, Australia/South, Australia/Sydney, Australia/Tasmania, Australia/Victoria, Australia/West, Australia/Yancowinna, Brazil/Acre, Brazil/DeNoronha, Brazil/East,Brazil/West, CET, CST6CDT, Canada/Atlantic, Canada/Central, Canada/East-Saskatchewan, Canada/Eastern, Canada/Mountain, Canada/Newfoundland, Canada/Pacific, Canada/Saskatchewan, Canada/Yukon, Chile/Continental, Chile/EasterIsland, Cuba, EET, EST, EST5EDT, Egypt, Eire, Etc/GMT, Etc/GMT+0, Etc/GMT+1, Etc/GMT+10, Etc/GMT+11, Etc/GMT+12, Etc/GMT+2, Etc/GMT+3, Etc/GMT+4, Etc/GMT+5, Etc/GMT+6, Etc/GMT+7, Etc/GMT+8, Etc/GMT+9, Etc/GMT-0, Etc/GMT-1, Etc/GMT-10, Etc/GMT-11, Etc/GMT-12, Etc/GMT-13, Etc/GMT-14, Etc/GMT-2, Etc/GMT-3, Etc/GMT-4, Etc/GMT-5, Etc/GMT-6, Etc/GMT-7, Etc/GMT-8, Etc/GMT-9, Etc/GMT0, Etc/Greenwich, Etc/UCT, Etc/UTC, Etc/Universal, Etc/Zulu, Europe/Amsterdam, Europe/Andorra, Europe/Athens, Europe/Belfast, Europe/Belgrade, Europe/Berlin, Europe/Bratislava, Europe/Brussels, Europe/Bucharest, Europe/Budapest, Europe/Chisinau, Europe/Copenhagen, Europe/Dublin, Europe/Gibraltar, Europe/Helsinki, Europe/Istanbul, Europe/Kaliningrad, Europe/Kiev, Europe/Lisbon, Europe/Ljubljana, Europe/London, Europe/Luxembourg, Europe/Madrid, Europe/Malta, Europe/Minsk, Europe/Monaco, Europe/Moscow, Europe/Nicosia, Europe/Oslo, Europe/Paris, Europe/Prague, Europe/Riga, Europe/Rome, Europe/Samara, Europe/San_Marino, Europe/Sarajevo, Europe/Simferopol, Europe/Skopje, Europe/Sofia, Europe/Stockholm, Europe/Tallinn, Europe/Tirane, Europe/Tiraspol, Europe/Uzhgorod, Europe/Vaduz, Europe/Vatican, Europe/Vienna, Europe/Vilnius, Europe/Warsaw, Europe/Zagreb, Europe/Zaporozhye, Europe/Zurich, Factory, GB, GB-Eire, GMT, GMT+0, GMT-0, GMT0, Greenwich, HST, Hongkong, Iceland, Indian/Antananarivo, Indian/Chagos, Indian/Christmas, Indian/Cocos, Indian/Comoro, Indian/Kerguelen, Indian/Mahe, Indian/Maldives, Indian/Mauritius, Indian/Mayotte,

www.allot.com 37


Parameter Description Value(s) Indian/Reunion, Iran, Israel, Jamaica, Japan, Kwajalein, Libya, MET, MST, MST7MDT, Mexico/BajaNorte, Mexico/BajaSur, Mexico/General, Mideast/Riyadh87, Mideast/Riyadh88, Mideast/Riyadh89, NZ, NZ-CHAT, Navajo, PRC, PST8PDT, Pacific/Apia, Pacific/Auckland, Pacific/Chatham, Pacific/Easter, Pacific/Efate, Pacific/Enderbury, Pacific/Fakaofo, Pacific/Fiji, Pacific/Funafuti, Pacific/Galapagos, Pacific/Gambier, Pacific/Guadalcanal, Pacific/Guam, Pacific/Honolulu, Pacific/Johnston, Pacific/Kiritimati, Pacific/Kosrae, Pacific/Kwajalein, Pacific/Majuro, Pacific/Marquesas, Pacific/Midway, Pacific/Nauru, Pacific/Niue, Pacific/Norfolk, Pacific/Noumea, Pacific/Pago_Pago, Pacific/Palau, Pacific/Pitcairn, Pacific/Ponape, Pacific/Port_Moresby, Pacific/Rarotonga, Pacific/Saipan, Pacific/Samoa, Pacific/Tahiti, Pacific/Tarawa, Pacific/Tongatapu, Pacific/Truk, Pacific/Wake, Pacific/Wallis, Pacific/Yap, Poland, Portugal, ROC, ROK, Singapore, Turkey, UCT, UTC, Universal, W-SU, WET, Zulu


KEY NetEnforcer Activation Key Key Number

MODE Interface Mode auto full half

SPEED Interface Speed auto 10 100 1000

+/-HOST Adds or Subtracts a Host to/from the Access List

Host IP Address Host Name All

LINK_TYPE Link Type half

full

OUTBOUND Outbound traffic Value (in K/M)

INBOUND Inbound traffic Value (in K/M)

READ Name of SNMP Write Community SNMP Community Name

www.allot.com 38



WRITE Name of SNMP Read Community SNMP Community Name

TRAP Name of SNMP Trap Community SNMP Community Name

VLAN_STATE VLAN environment. enable

disable

SERVER_RETRIES Retries for Server 1-100

SERVER_TIMEOUT Timeout for Server 10-240

SERVICE_RETRIES Retries for Service 1-100

SERVICE_TIMEOUT Timeout for Service 10-249

CONNECT Timeout for Connection 10-240

ACCT_STATE Accounting module enable

disable

RADIUS_STATE RADIUS Accounting enable

disable

DOS_STATE DoS Attack Response Admit

Drop

DEST_IP Route Destination IP IP Address

MASK Route Subnet Mask IP Address

GATEWAY Route IP Gateway IP Address

DEST_TYPE Route Destination type host

network

INTERFACE Route Interface 0

1

2

ALERTS_STATE Alerts Module enable

disable

www.allot.com 39



TAB Configuration window tab key ips snmp access_link access_control vlan acct_setup monitoring policy_srv acct_radius_storage dos security alert time No Value = All

www.allot.com 40

allot ~ cli guide 5.1

Documents