H3C MSR Series Command Reference Manual

H3C MSR Router Series
Comware 7 Security Command Reference
New H3C Technologies Co., Ltd.
http://www.h3c.com.hk
Software version: MSR-CMW710-R0605
Document version: 6W200-20170608
Copyright © 2017, New H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written
consent of New H3C Technologies Co., Ltd.
Trademarks
H3C, H3CS, H3CIE, H3CNE, Aolynk, H3Care, IRF, NetPilot, Netflow, SecEngine, SecPath, SecCenter,
SecBlade, Comware, ITCMM and HUASAN are trademarks of New H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Preface
This command reference describes the commands for configuring, displaying, and maintaining
security features.
This preface includes the following topics about the documentation:
• Audience
• Conventions
• Obtaining documentation
• Technical support
• Documentation feedback
Audience
This documentation is intended for:
• Network planners.
• Field technical support and servicing engineers.
• Network administrators working with the H3C MSR Router series.
Conventions
The following information describes the conventions used in the documentation.
Command conventions
Convention          Description
Boldface            Bold text represents commands and keywords that you enter literally as shown.
Italic              Italic text represents arguments that you replace with actual values.
[ ]                 Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }     Braces enclose a set of required syntax choices separated by vertical bars, from which
                    you select one.
[ x | y | ... ]     Square brackets enclose a set of optional syntax choices separated by vertical bars,
                    from which you select one or none.
{ x | y | ... } *   Asterisk-marked braces enclose a set of required syntax choices separated by vertical
                    bars, from which you select a minimum of one.
[ x | y | ... ] *   Asterisk-marked square brackets enclose optional syntax choices separated by vertical
                    bars, from which you select one choice, multiple choices, or none.
&<1-n>              The argument or keyword and argument combination before the ampersand (&) sign
                    can be entered 1 to n times.
#                   A line that starts with a pound (#) sign is a comment.
GUI conventions
Convention          Description
Boldface            Window names, button names, field names, and menu items are in Boldface. For
                    example, the New User window opens; click OK.
>                   Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention          Description
WARNING!            An alert that calls attention to important information that if not understood or followed
                    can result in personal injury.
CAUTION:            An alert that calls attention to important information that if not understood or followed
                    can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT:          An alert that calls attention to essential information.
NOTE:               An alert that contains additional or supplementary information.
TIP:                An alert that provides helpful information.
Network topology icons
Convention          Description
[icon]              Represents a generic network device, such as a router, switch, or firewall.
[icon]              Represents a routing-capable device, such as a router or Layer 3 switch.
[icon]              Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that
                    supports Layer 2 forwarding and other Layer 2 features.
[icon]              Represents an access controller, a unified wired-WLAN module, or the access
                    controller engine on a unified wired-WLAN switch.
[icon]              Represents an access point.
[icon]              Represents a wireless terminator unit.
[icon]              Represents a wireless terminator.
[icon]              Represents a mesh access point.
[icon]              Represents omnidirectional signals.
[icon]              Represents directional signals.
[icon]              Represents a security product, such as a firewall, UTM, multiservice security
                    gateway, or load balancing device.
[icon]              Represents a security module, such as a firewall, load balancing, NetStream, SSL
                    VPN, IPS, or ACG module.
Examples provided in this document
Examples in this document might use devices that differ from your device in hardware model,
configuration, or software version. It is normal that the port numbers, sample output, screenshots,
and other information in the examples differ from what you have on your device.
Obtaining documentation
To access the most up-to-date H3C product documentation, go to the H3C website at
http://www.h3c.com.hk
To obtain information about installation, configuration, and maintenance, click
http://www.h3c.com.hk/Technical_Documents
To obtain software version information such as release notes, click
http://www.h3c.com.hk/Software_Download
Technical support
service@h3c.com
http://www.h3c.com.hk
Documentation feedback
You can e-mail your comments about product documentation to inf[email protected].
We appreciate your comments.
Contents
AAA commands ··············································································· 1
General AAA commands ············································································································· 1
aaa nas-id profile ················································································································· 1
aaa session-limit ················································································································· 2
accounting advpn ················································································································ 2
accounting command ··········································································································· 4
accounting default ··············································································································· 4
accounting ipoe ··················································································································· 5
accounting lan-access ·········································································································· 7
accounting login ·················································································································· 8
accounting portal ··············································································································· 10
accounting ppp ················································································································· 11
accounting quota-out ·········································································································· 13
accounting sslvpn ·············································································································· 13
accounting start-fail ············································································································ 14
accounting update-fail ········································································································ 15
authentication advpn ·········································································································· 16
authentication default ········································································································· 17
authentication ike ·············································································································· 18
authentication ipoe ············································································································ 19
authentication lan-access ···································································································· 20
authentication login ············································································································ 21
authentication portal ··········································································································· 23
authentication ppp ············································································································· 24
authentication sslvpn ·········································································································· 25
authentication super ··········································································································· 26
authorization advpn ··········································································································· 27
authorization command ······································································································ 28
authorization default ··········································································································· 30
authorization ike ················································································································ 31
authorization ipoe ·············································································································· 32
authorization lan-access ····································································································· 33
authorization login ············································································································· 34
authorization portal ············································································································ 35
authorization ppp ··············································································································· 37
authorization sslvpn ··········································································································· 38
authorization-attribute (ISP domain view) ················································································ 39
basic-service-ip-type ·········································································································· 41
dhcpv6-follow-ipv6cp ·········································································································· 42
display domain ·················································································································· 43
domain ···························································································································· 47
domain default enable ········································································································ 48
domain if-unknown ············································································································ 49
nas-id bind vlan ················································································································· 50
service-type (ISP domain view) ···························································································· 50
session-time include-idle-time ······························································································ 51
state (ISP domain view) ······································································································ 52
user-address-type ············································································································· 53
Local user commands ··············································································································· 53
access-limit ······················································································································ 53
authorization-attribute (local user view/user group view) ···························································· 54
bind-attribute ···················································································································· 57
company ························································································································· 58
description ······················································································································· 59
display local-guest waiting-approval ······················································································ 59
display local-user ·············································································································· 60
display user-group ············································································································· 64
email ······························································································································ 66
full-name ························································································································· 67
group ······························································································································ 67
local-guest auto-delete enable ····························································································· 68
local-guest email format ······································································································ 68
local-guest email sender ····································································································· 69
local-guest email smtp-server ······························································································ 70
local-guest generate ·········································································································· 71
local-guest manager-email ·································································································· 72
local-guest send-email ········································································································ 73
local-guest timer ················································································································ 73
local-user ························································································································· 74
local-user-export class network guest ···················································································· 75
local-user-import class network guest ···················································································· 76
password ························································································································· 78
phone ····························································································································· 79
reset local-guest waiting-approval ························································································· 80
service-type (local user view) ······························································································· 80
sponsor-department ··········································································································· 82
sponsor-email ··················································································································· 82
sponsor-full-name ·············································································································· 83
state (local user view) ········································································································· 83
user-group ······················································································································· 84
validity-datetime ················································································································ 85
RADIUS commands ················································································································· 86
aaa device-id ···················································································································· 86
accounting-on enable ········································································································· 86
accounting-on extended ······································································································ 87
attribute 15 check-mode ····································································································· 88
attribute 25 car ·················································································································· 89
attribute remanent-volume ··································································································· 89
client······························································································································· 90
data-flow-format (RADIUS scheme view) ················································································ 91
display radius scheme ········································································································ 92
display radius statistics ······································································································· 95
key (RADIUS scheme view) ································································································· 96
nas-ip (RADIUS scheme view) ····························································································· 97
port ································································································································ 98
primary accounting (RADIUS scheme view) ············································································ 99
primary authentication (RADIUS scheme view) ······································································ 100
radius dscp ···················································································································· 102
radius dynamic-author server ····························································································· 102
radius nas-ip ·················································································································· 103
radius scheme ················································································································ 104
radius session-control client ······························································································· 105
radius session-control enable ····························································································· 106
radius-server test-profile ··································································································· 106
reset radius statistics ········································································································ 107
retry······························································································································ 108
retry realtime-accounting ··································································································· 109
secondary accounting (RADIUS scheme view) ······································································ 109
secondary authentication (RADIUS scheme view) ·································································· 111
snmp-agent trap enable radius ··························································································· 113
state primary ·················································································································· 114
state secondary ·············································································································· 115
timer quiet (RADIUS scheme view) ····················································································· 116
timer realtime-accounting (RADIUS scheme view) ·································································· 117
timer response-timeout (RADIUS scheme view) ····································································· 118
user-name-format (RADIUS scheme view) ············································································ 119
vpn-instance (RADIUS scheme view) ·················································································· 119
HWTACACS commands ·········································································································· 120
data-flow-format (HWTACACS scheme view) ········································································ 120
display hwtacacs scheme ·································································································· 121
hwtacacs nas-ip ·············································································································· 123
hwtacacs scheme ············································································································ 124
key (HWTACACS scheme view) ························································································· 125
nas-ip (HWTACACS scheme view) ····················································································· 126
primary accounting (HWTACACS scheme view) ···································································· 127
primary authentication (HWTACACS scheme view) ································································ 128
primary authorization ········································································································ 130
reset hwtacacs statistics ··································································································· 131
secondary accounting (HWTACACS scheme view) ································································ 132
secondary authentication (HWTACACS scheme view) ···························································· 133
secondary authorization ···································································································· 135
timer quiet (HWTACACS scheme view) ················································································ 136
timer realtime-accounting (HWTACACS scheme view) ···························································· 137
timer response-timeout (HWTACACS scheme view) ······························································· 138
user-name-format (HWTACACS scheme view) ······································································ 138
vpn-instance (HWTACACS scheme view) ············································································· 139
LDAP commands ··················································································································· 140
attribute-map ·················································································································· 140
authentication-server ········································································································ 141
authorization-server ········································································································· 141
display ldap scheme ········································································································ 142
ip ································································································································· 144
ipv6 ······························································································································ 145
ldap attribute-map ··········································································································· 145
ldap scheme ··················································································································· 146
ldap server ····················································································································· 147
login-dn ························································································································· 147
login-password ··············································································································· 148
map ······························································································································ 149
protocol-version ·············································································································· 150
search-base-dn ··············································································································· 151
search-scope ·················································································································· 151
server-timeout ················································································································ 152
user-parameters ·············································································································· 152
802.1X commands ······································································· 154
display dot1x ·················································································································· 154
display dot1x connection ··································································································· 159
dot1x ···························································································································· 164
dot1x authentication-method ······························································································ 164
dot1x auth-fail vlan ·········································································································· 165
dot1x critical vlan ············································································································· 166
dot1x domain-delimiter ····································································································· 167
dot1x ead-assistant enable ································································································ 168
dot1x ead-assistant free-ip ································································································ 169
dot1x ead-assistant url ····································································································· 170
dot1x guest-vlan ·············································································································· 171
dot1x handshake ············································································································· 172
dot1x handshake reply enable ···························································································· 172
dot1x handshake secure ··································································································· 173
dot1x mandatory-domain ·································································································· 174
dot1x max-user ··············································································································· 174
dot1x multicast-trigger ······································································································ 175
dot1x port-control ············································································································ 176
dot1x port-method ··········································································································· 177
dot1x quiet-period ············································································································ 177
dot1x re-authenticate ······································································································· 178
dot1x re-authenticate server-unreachable keep-online ····························································· 179
dot1x retry ····················································································································· 179
dot1x smarton ················································································································· 180
dot1x smarton password ··································································································· 181
dot1x smarton retry ·········································································································· 182
dot1x smarton switchid ····································································································· 183
dot1x smarton timer supp-timeout ······················································································· 183
dot1x timer ····················································································································· 184
dot1x unicast-trigger ········································································································ 186
reset dot1x guest-vlan ······································································································ 187
reset dot1x statistics ········································································································ 187
MAC authentication commands ······················································· 189
display mac-authentication ································································································ 189
display mac-authentication connection ················································································· 193
mac-authentication ·········································································································· 197
mac-authentication domain ································································································ 198
mac-authentication host-mode ··························································································· 198
mac-authentication max-user ····························································································· 199
mac-authentication re-authenticate server-unreachable keep-online ··········································· 200
mac-authentication timer ··································································································· 201
mac-authentication timer auth-delay ···················································································· 202
mac-authentication user-name-format ·················································································· 202
reset mac-authentication statistics ······················································································ 204
Port security commands ································································ 205
display port-security ········································································································· 205
display port-security mac-address block ··············································································· 208
display port-security mac-address security ············································································ 212
port-security authorization ignore ························································································ 213
port-security authorization-fail offline···················································································· 214
port-security enable ········································································································· 215
port-security intrusion-mode ······························································································ 215
port-security mac-address aging-type inactivity ······································································ 216
port-security mac-address dynamic ····················································································· 217
port-security mac-address security ······················································································ 218
port-security mac-move permit ··························································································· 219
port-security max-mac-count ······························································································ 220
port-security nas-id-profile ································································································· 221
port-security ntk-mode ······································································································ 222
port-security oui ·············································································································· 223
port-security port-mode ····································································································· 224
port-security timer autolearn aging ······················································································ 226
port-security timer disableport ···························································································· 227
snmp-agent trap enable port-security ··················································································· 228
Portal commands ········································································· 230
aaa-fail nobinding enable ·································································································· 230
aging-time ······················································································································ 231
app-id ··························································································································· 232
app-key ························································································································· 233
authentication-timeout ······································································································ 234
auth-url ························································································································· 234
binding-retry ··················································································································· 235
captive-bypass enable ······································································································ 236
cloud-binding enable ········································································································ 237
cloud-server url ··············································································································· 238
default-logon-page ··········································································································· 239
display portal ·················································································································· 239
display portal auth-error-record ·························································································· 246
display portal auth-fail-record ····························································································· 249
display portal captive-bypass statistics ················································································· 252
display portal extend-auth-server ························································································ 253
display portal local-binding mac-address ·············································································· 254
display portal logout-record ······························································································· 255
display portal mac-trigger-server ························································································· 257
display portal packet statistics ···························································································· 260
display portal redirect statistics ··························································································· 265
display portal rule ············································································································ 266
display portal safe-redirect statistics ···················································································· 277
display portal server ········································································································· 279
display portal user ··········································································································· 280
display portal user count ··································································································· 294
display portal web-server ·································································································· 295
display web-redirect rule ··································································································· 296
exclude-attribute (MAC binding server view) ·········································································· 299
exclude-attribute (portal authentication server view) ································································ 301
free-traffic threshold ········································································································· 302
if-match ························································································································· 303
if-match temp-pass ·········································································································· 305
ip (MAC binding server view) ····························································································· 307
ip (portal authentication server view) ···················································································· 308
ipv6 ······························································································································ 309
local-binding aging-time ···································································································· 310
local-binding enable ········································································································· 310
logon-page bind ·············································································································· 311
logout-notify ··················································································································· 313
mail-domain-name ··········································································································· 314
mail-protocol ·················································································································· 314
nas-port-type ·················································································································· 315
port (MAC binding server view) ·························································································· 316
port (portal authentication server view) ················································································· 317
portal { bas-ip | bas-ipv6 } ·································································································· 317
portal { ipv4-max-user | ipv6-max-user } ··············································································· 318
portal apply mac-trigger-server ··························································································· 319
portal apply web-server ···································································································· 320
portal auth-error-record enable ··························································································· 321
portal auth-error-record export ··························································································· 322
portal auth-error-record max ······························································································ 324
portal auth-fail-record enable ····························································································· 325
portal auth-fail-record export ······························································································ 325
portal auth-fail-record max ································································································· 327
portal authorization strict-checking ······················································································ 328
portal captive-bypass optimize delay ··················································································· 329
portal client-gateway interface ···························································································· 330
portal client-traffic-report interval ························································································· 330
portal delete-user ············································································································ 331
portal device-id ··············································································································· 333
portal domain ················································································································· 333
portal dual-stack enable ···································································································· 334
portal dual-stack traffic-separate enable ··············································································· 335
portal enable ·················································································································· 336
portal extend-auth domain ································································································· 338
portal extend-auth-server ·································································································· 338
portal fail-permit server ····································································································· 339
portal fail-permit web-server ······························································································ 340
portal free-all except destination ························································································· 341
portal free-rule ················································································································ 342
portal free-rule description ································································································· 344
portal free-rule destination ································································································· 345
portal free-rule source ······································································································ 346
portal host-check enable ··································································································· 347
portal ipv6 free-all except destination ··················································································· 348
portal ipv6 layer3 source ··································································································· 349
portal ipv6 user-detect ······································································································ 350
portal layer3 source ········································································································· 351
portal local-web-server ····································································································· 352
portal logout-record enable ································································································ 353
portal logout-record export ································································································ 354
portal logout-record max ··································································································· 356
portal mac-trigger-server ··································································································· 357
portal max-user ··············································································································· 357
portal nas-id profile ·········································································································· 358
portal nas-port-id format ···································································································· 359
portal nas-port-type ·········································································································· 361
portal outbound-filter enable ······························································································ 363
portal pre-auth domain ····································································································· 363
portal packet log enable ···································································································· 365
portal pre-auth ip-pool ······································································································ 365
portal redirect log enable ··································································································· 366
portal refresh enable ········································································································ 367
portal roaming enable ······································································································· 368
portal safe-redirect enable ································································································· 368
portal safe-redirect forbidden-file ························································································ 369
portal safe-redirect forbidden-url ························································································· 370
portal safe-redirect method ································································································ 370
portal safe-redirect user-agent ··························································································· 371
portal server ··················································································································· 372
portal temp-pass enable ··································································································· 373
portal traffic-accounting disable ·························································································· 374
portal user-detect ············································································································ 375
portal user-dhcp-only ······································································································· 376
portal user-logoff after-client-offline enable ············································································ 377
portal user log enable ······································································································· 378
portal web-server ············································································································ 378
redirect-url ····················································································································· 379
reset portal auth-error-record ····························································································· 380
reset portal auth-fail-record ································································································ 381
reset portal captive-bypass statistics ···················································································· 382
reset portal logout-record ·································································································· 383
reset portal packet statistics ······························································································· 384
reset portal redirect statistics ····························································································· 385
reset portal safe-redirect statistics ······················································································· 385
server-detect (portal authentication server view) ···································································· 386
server-detect (portal Web server view) ················································································· 387
server-register ················································································································ 388
server-type (MAC binding server view) ················································································· 389
server-type (portal server view/portal Web server view) ···························································· 389
tcp-port ························································································································· 390
url ································································································································ 391
url-parameter ·················································································································· 392
user-password modify enable ···························································································· 394
user-sync ······················································································································· 395
version ·························································································································· 396
vpn-instance ··················································································································· 396
web-redirect track ············································································································ 397
web-redirect url ··············································································································· 398
User profile commands ·································································· 400
display user-profile ·········································································································· 400
user-profile ····················································································································· 405
Password control commands ·························································· 406
display password-control ··································································································· 406
display password-control blacklist ······················································································· 407
password-control { aging | composition | history | length } enable ··············································· 408
password-control aging ····································································································· 409
password-control alert-before-expire ··················································································· 411
password-control complexity ······························································································ 411
password-control composition ···························································································· 412
password-control enable ··································································································· 414
password-control expired-user-login ···················································································· 415
password-control history ··································································································· 416
password-control length ···································································································· 417
password-control login idle-time ························································································· 418
password-control login-attempt ··························································································· 419
password-control super aging ···························································································· 421
password-control super composition ···················································································· 421
password-control super length ··························································································· 422
password-control update-interval ························································································ 423
reset password-control blacklist ·························································································· 424
reset password-control history-record ·················································································· 424
Keychain commands ····································································· 426
accept-lifetime utc ··········································································································· 426
authentication-algorithm ···································································································· 427
display keychain ·············································································································· 427
key ······························································································································· 429
keychain ························································································································ 429
key-string ······················································································································· 430
send-lifetime utc ·············································································································· 431
Public key management commands ················································· 433
display public-key local public ···························································································· 433
display public-key peer ····································································································· 436
peer-public-key end ········································································································· 438
public-key local create ······································································································ 439
public-key local destroy ···································································································· 442
public-key local export dsa ································································································ 443
public-key local export ecdsa ····························································································· 445
public-key local export rsa ································································································· 447
public-key peer ··············································································································· 449
public-key peer import sshkey ···························································································· 449
PKI commands ············································································ 451
attribute ························································································································· 451
ca identifier ···················································································································· 452
certificate request entity ···································································································· 453
certificate request from ····································································································· 454
certificate request mode ···································································································· 454
certificate request polling ·································································································· 456
certificate request url ········································································································ 457
common-name ················································································································ 458
country ·························································································································· 458
crl check ························································································································ 459
crl url ···························································································································· 459
display pki certificate access-control-policy ··········································································· 460
display pki certificate attribute-group ···················································································· 461
display pki certificate domain ····························································································· 462
display pki certificate renew-status ······················································································ 467
display pki certificate request-status ···················································································· 468
display pki crl domain ······································································································· 470
fqdn ······························································································································ 472
ip ································································································································· 472
ldap-server ····················································································································· 473
locality ·························································································································· 474
organization ··················································································································· 474
organization-unit ············································································································· 475
pki abort-certificate-request ······························································································· 476
pki certificate access-control-policy ····················································································· 476
pki certificate attribute-group ······························································································ 477
pki delete-certificate ········································································································· 478
pki domain ····················································································································· 479
pki entity ························································································································ 480
pki export ······················································································································· 481
pki import ······················································································································· 488
pki request-certificate ······································································································· 492
pki retrieve-certificate ······································································································· 493
pki retrieve-crl ················································································································· 494
pki storage ····················································································································· 495
pki validate-certificate ······································································································· 496
public-key dsa ················································································································ 498
public-key ecdsa ············································································································· 499
public-key rsa ················································································································· 501
root-certificate fingerprint ·································································································· 502
rule ······························································································· 503
source ··························································································································· 504
state ····························································································································· 505
subject-dn ······················································································································ 506
usage ··························································································································· 507
vpn-instance ··················································································································· 508
IPsec commands ········································································· 509
ah authentication-algorithm ······························································································· 509
description ····················································································································· 510
display ipsec { ipv6-policy | policy } ······················································································ 511
display ipsec { ipv6-policy-template | policy-template } ····························································· 516
display ipsec profile ········································································································· 518
display ipsec sa ·············································································································· 519
display ipsec statistics ······································································································ 523
display ipsec transform-set ································································································ 525
display ipsec tunnel ········································································································· 526
encapsulation-mode ········································································································· 529
esn enable ····················································································································· 530
esp authentication-algorithm ······························································································ 530
esp encryption-algorithm ··································································································· 532
ike-profile ······················································································································· 534
ikev2-profile ··················································································································· 535
ipsec anti-replay check ····································································································· 536
ipsec anti-replay window ··································································································· 536
ipsec apply ····················································································································· 537
ipsec decrypt-check enable ······························································································· 538
ipsec df-bit ····················································································································· 538
ipsec fragmentation ········································································································· 539
ipsec global-df-bit ············································································································ 540
ipsec limit max-tunnel ······································································································· 541
ipsec logging negotiation enable ························································································· 541
ipsec logging packet enable ······························································································· 542
ipsec { ipv6-policy | policy } ································································································ 542
ipsec { ipv6-policy | policy } isakmp template ········································································· 544
ipsec { ipv6-policy | policy } local-address ············································································· 544
ipsec { ipv6-policy-template | policy-template } ······································································· 545
ipsec profile ···················································································································· 546
ipsec redundancy enable ·································································································· 547
ipsec sa global-duration ···································································································· 548
ipsec sa idle-time ············································································································ 549
ipsec transform-set ·········································································································· 550
local-address ·················································································································· 550
pfs ································································································································ 551
protocol ························································································································· 552
qos pre-classify ··············································································································· 553
redundancy replay-interval ································································································ 553
remote-address ··············································································································· 554
reset ipsec sa ················································································································· 556
reset ipsec statistics ········································································································· 557
reverse-route dynamic ······································································································ 557
reverse-route preference ··································································································· 559
reverse-route tag ············································································································· 559
sa duration ····················································································································· 560
sa hex-key authentication ·································································································· 561
sa hex-key encryption ······································································································ 562
sa idle-time ···················································································································· 564
sa spi ···························································································································· 565
sa string-key ··················································································································· 566
security acl ····················································································································· 567
snmp-agent trap enable ipsec ···························································································· 568
tfc enable ······················································································································· 569
transform-set ·················································································································· 570
tunnel protection ipsec ······································································································ 571
IKE commands ············································································ 573
aaa authorization ············································································································· 573
authentication-algorithm ···································································································· 574
authentication-method ······································································································ 575
certificate domain ············································································································ 576
client-authentication ········································································································· 577
description ····················································································································· 578
dh ································································································································ 578
display ike proposal ········································································································· 579
display ike sa ·················································································································· 580
display ike statistics ········································································································· 584
dpd ······························································································································· 585
encryption-algorithm ········································································································ 585
exchange-mode ·············································································································· 587
ike address-group ············································································································ 588
ike dpd ·························································································································· 589
ike identity ····················································································································· 590
ike invalid-spi-recovery enable ··························································································· 591
ike keepalive interval ········································································································ 591
ike keepalive timeout ········································································································ 592
ike keychain ··················································································································· 593
ike limit ·························································································································· 594
ike logging negotiation enable ···························································································· 594
ike nat-keepalive ············································································································· 595
ike profile ······················································································································· 595
ike proposal ··················································································································· 596
ike signature-identity from-certificate ···················································································· 597
inside-vpn ······················································································································ 598
keychain ························································································································ 598
local-identity ··················································································································· 599
match local address (IKE keychain view) ·············································································· 600
match local address (IKE profile view) ·················································································· 601
match remote ················································································································· 602
pre-shared-key ··············································································································· 603
priority (IKE keychain view) ······························································································· 605
priority (IKE profile view) ··································································································· 605
proposal ························································································································ 606
reset ike sa ···················································································································· 607
reset ike statistics ············································································································ 607
sa duration ····················································································································· 608
snmp-agent trap enable ike ······························································································· 608
IKEv2 commands ········································································· 611
aaa authorization ············································································································· 611
address ························································································································· 612
authentication-method ······································································································ 612
certificate domain ············································································································ 614
config-exchange ·············································································································· 615
display ikev2 policy ·········································································································· 616
display ikev2 profile ········································································································· 617
display ikev2 proposal ······································································································ 618
display ikev2 sa ·············································································································· 619
display ikev2 statistics ······································································································ 623
dh ································································································································ 624
dpd ······························································································································· 625
encryption ······················································································································ 626
hostname ······················································································································ 627
identity ·························································································································· 628
identity local ··················································································································· 629
ikev2 address-group ········································································································ 630
ikev2 cookie-challenge ····································································································· 630
ikev2 dpd ······················································································································· 631
ikev2 ipv6-address-group ·································································································· 632
ikev2 keychain ················································································································ 633
ikev2 nat-keepalive ·········································································································· 633
ikev2 policy ···················································································································· 634
ikev2 profile ···················································································································· 635
ikev2 proposal ················································································································ 636
inside-vrf ······················································································································· 637
integrity ························································································································· 638
keychain ························································································································ 638
match local (IKEv2 profile view) ·························································································· 639
match local address (IKEv2 policy view) ··············································································· 640
match remote ················································································································· 641
match vrf (IKEv2 policy view) ····························································································· 642
match vrf (IKEv2 profile view) ····························································································· 643
nat-keepalive ·················································································································· 644
peer ······························································································································ 645
pre-shared-key ··············································································································· 645
prf ································································································································ 647
priority (IKEv2 policy view) ································································································ 648
priority (IKEv2 profile view) ································································································ 649
proposal ························································································································ 649
reset ikev2 sa ················································································································· 650
reset ikev2 statistics ········································································································· 651
sa duration ····················································································································· 651
Group domain VPN commands ······················································· 653
client anti-replay window ··································································································· 653
client registration ············································································································· 654
client rekey encryption ······································································································ 655
client transform-sets ········································································································· 656
display gdoi gm ··············································································································· 656
display gdoi gm acl ·········································································································· 661
display gdoi gm anti-replay ································································································ 662
display gdoi gm ipsec sa ··································································································· 663
display gdoi gm members ································································································· 664
display gdoi gm pubkey ···································································································· 665
display gdoi gm rekey ······································································································· 666
gdoi gm group ················································································································ 667
group ···························································································································· 668
identity ·························································································································· 669
reset gdoi gm ················································································································· 669
server address ················································································································ 670
SSH commands ··········································································· 672
SSH server commands ··········································································································· 672
display ssh server ············································································································ 672
display ssh user-information ······························································································ 674
scp server enable ············································································································ 675
sftp server enable ············································································································ 676
sftp server idle-timeout ····································································································· 676
ssh ip alias ····················································································································· 677
ssh redirect disconnect ····································································································· 678
ssh redirect enable ·········································································································· 679
ssh redirect listen-port ······································································································ 680
ssh redirect timeout ········································································································· 681
ssh server acl ················································································································· 682
ssh server authentication-retries ························································································· 683
ssh server authentication-timeout ······················································································· 683
ssh server compatible-ssh1x enable ···················································································· 684
ssh server dscp ··············································································································· 685
ssh server enable ············································································································ 685
ssh server ipv6 acl ··········································································································· 686
ssh server ipv6 dscp ········································································································ 687
ssh server port ················································································································ 687
ssh server rekey-interval ··································································································· 688
ssh user ························································································································ 689
SSH client commands ············································································································· 692
bye ······························································································································· 692
cd ································································································································ 692
cdup ····························································································································· 693
delete ··························································································································· 693
dir ································································································································ 693
display sftp client source ··································································································· 694
display ssh client source ··································································································· 695
exit ······························································································································· 695
get ······························································································································· 696
help ······························································································································ 696
ls ································································································································· 697
mkdir ···························································································································· 698
put ······························································································································· 698
pwd ······························································································································ 699
quit ······························································································································· 699
remove ·························································································································· 700
rename ························································································································· 700
rmdir ····························································································································· 700
scp ······························································································································· 701
scp ipv6 ························································································································· 703
sftp ······························································································································· 705
sftp client ipv6 source ······································································································· 707
sftp client source ············································································································· 708
sftp ipv6 ························································································································ 708
ssh client ipv6 source ······································································································· 711
ssh client source ············································································································· 711
ssh2 ····························································································································· 712
ssh2 ipv6 ······················································································································· 714
SSH2 commands ··················································································································· 717
display ssh2 algorithm ······································································································ 717
ssh2 algorithm cipher ······································································································· 717
ssh2 algorithm key-exchange ····························································································· 718
ssh2 algorithm mac ·········································································································· 719
ssh2 algorithm public-key ·································································································· 720
SSL commands ··········································································· 722
certificate-chain-sending enable ························································································· 722
ciphersuite ····················································································································· 723
client-verify ···················································································································· 724
display ssl client-policy ····································································································· 725
display ssl server-policy ···································································································· 726
pki-domain ····················································································································· 727
prefer-cipher ··················································································································· 728
server-verify enable ········································································································· 729
session ························································································································· 730
ssl client-policy ··············································································································· 731
ssl renegotiation disable ··································································································· 731
ssl server-policy ·············································································································· 732
ssl version ssl3.0 disable ·································································································· 733
version ·························································································································· 733
SSL VPN commands ···································································· 735
aaa domain ···················································································································· 735
bandwidth ······················································································································ 736
certificate-authentication enable ························································································· 736
content-type ··················································································································· 737
default ··························································································································· 738
default-policy-group ········································································································· 738
description (shortcut view) ································································································· 739
description (SSL VPN AC interface view) ·············································································· 740
display interface sslvpn-ac ································································································ 740
display sslvpn context ······································································································ 743
display sslvpn gateway ····································································································· 745
display sslvpn policy-group ································································································ 747
display sslvpn port-forward connection ················································································· 748
display sslvpn session ······································································································ 750
dynamic-password enable ································································································· 752
emo-server ···················································································································· 752
exclude ························································································································· 753
execution (port forwarding item view) ··················································································· 754
execution (shortcut view) ·································································································· 755
file-policy ······················································································································· 755
filter ip-tunnel acl ············································································································· 756
filter ip-tunnel uri-acl ········································································································· 757
filter tcp-access acl ·········································································································· 758
filter tcp-access uri-acl ······································································································ 759
filter web-access acl ········································································································· 760
filter web-access uri-acl ···································································································· 761
force-logout ···················································································································· 762
force-logout max-onlines enable ························································································· 763
gateway ························································································································ 763
heading ························································································································· 764
http-redirect ···················································································································· 765
include ·························································································································· 766
interface sslvpn-ac ··········································································································· 767
ip address ······················································································································ 767
ip-route-list ····················································································································· 768
ip-tunnel access-route ······································································································ 769
ip-tunnel address-pool ······································································································ 770
ip-tunnel dns-server ········································································································· 770
ip-tunnel interface ············································································································ 771
ip-tunnel keepalive ··········································································································· 772
ip-tunnel wins-server ········································································································ 772
ipv6 address ··················································································································· 773
local-port ······················································································································· 774
log resource-access enable ······························································································· 775
log enable user-log ·········································································································· 776
log resource-access enable ······························································································· 776
log user-login enable ········································································································ 777
login-message ················································································································ 777
logo ······························································································································ 778
max-onlines ··················································································································· 779
max-users ······················································································································ 779
message-server ·············································································································· 780
mtu ······························································································································ 781
new-content ··················································································································· 781
old-content ····················································································································· 782
policy-group ··················································································································· 783
port-forward ··················································································································· 783
port-forward-item ············································································································· 784
reset counters interface sslvpn-ac ······················································································· 785
resources port-forward ····································································································· 786
resources port-forward-item ······························································································· 786
resources shortcut ··········································································································· 787
resources shortcut-list ······································································································ 788
resources url-list ·············································································································· 789
rewrite-rule ····················································································································· 789
rule ······························································································································ 790
service enable (SSL VPN context view) ················································································ 792
service enable (SSL VPN gateway view) ·············································································· 792
session-connections ········································································································ 793
shortcut ························································································································· 793
shortcut-list ···················································································································· 794
shutdown ······················································································································· 794
sms-imc address ············································································································· 795
sms-imc enable ··············································································································· 795
ssl client-policy ··············································································································· 796
ssl server-policy ·············································································································· 797
sslvpn context ················································································································· 798
sslvpn gateway ··············································································································· 799
sslvpn ip address-pool ······································································································ 799
timeout idle ···················································································································· 800
title ······························································································································· 801
uri-acl ··························································································································· 801
url (file policy view) ·········································································································· 802
url (URL list view) ············································································································ 803
url-list ···························································································································· 804
verify-code ····················································································································· 805
vpn-instance (SSL VPN context view) ·················································································· 805
vpn-instance (SSL VPN gateway view) ················································································ 806
ASPF commands ········································································· 808
aspf apply policy (interface view) ························································································ 808
aspf apply policy (zone pair view) ························································································ 809
aspf icmp-error reply ········································································································ 810
aspf policy ····················································································································· 810
detect ··························································································································· 811
display aspf all ················································································································ 813
display aspf interface ······································································································· 814
display aspf policy ··········································································································· 814
display aspf session ········································································································· 815
icmp-error drop ··············································································································· 821
reset aspf session ··········································································································· 822
tcp syn-check ················································································································· 823
APR commands ··········································································· 824
app-group ······················································································································ 824
application statistics enable ······························································································· 825
apr set detectlen ············································································································· 826
apr signature auto-update ································································································· 827
apr signature auto-update-now ··························································································· 828
apr signature rollback ······································································································· 829
apr signature update ········································································································ 829
copy app-group ··············································································································· 832
description (application group view) ····················································································· 833
description (NBAR rule view) ····························································································· 833
destination ····················································································································· 834
direction ························································································································ 835
disable ·························································································································· 836
display app-group ············································································································ 837
display application ··········································································································· 839
display application statistics ······························································································· 842
display application statistics top ·························································································· 845
display apr signature information ························································································ 847
display port-mapping pre-defined ························································································ 848
display port-mapping user-defined ······················································································ 849
include application ··········································································································· 850
nbar application ·············································································································· 851
override-current ·············································································································· 852
port-mapping ·················································································································· 853
port-mapping acl ············································································································· 854
port-mapping host ··········································································································· 855
port-mapping subnet ········································································································ 857
reset application statistics ································································································· 858
service-port ···················································································································· 859
signature ······················································································································· 860
source ··························································································································· 861
update schedule ·············································································································· 862
Session management commands ···················································· 865
display session aging-time application ················································································· 865
display session aging-time state ························································································· 866
display session relation-table ····························································································· 867
display session statistics ipv4 ····························································································· 870
display session statistics ipv6 ····························································································· 872
display session statistics ··································································································· 873
display session statistics multicast ······················································································ 877
display session table ipv4 ·································································································· 878
display session table ipv6 ·································································································· 883
display session table multicast ipv4 ····················································································· 887
display session table multicast ipv6 ····················································································· 893
reset session relation-table ································································································ 900
reset session statistics ······································································································ 901
reset session statistics multicast ························································································· 902
reset session table ··········································································································· 902
reset session table ipv4 ···································································································· 903
reset session table ipv6 ···································································································· 904
reset session table multicast ······························································································ 905
reset session table multicast ipv4 ························································································ 906
reset session table multicast ipv6 ························································································ 907
session aging-time application ··························································································· 909
session aging-time state ··································································································· 911
session log { bytes-active | packets-active } ··········································································· 912
session log enable ··········································································································· 913
session log flow-begin ······································································································ 914
session log flow-end ········································································································ 915
session log time-active ····································································································· 915
session persistent acl ······································································································· 916
session state-machine mode loose ····················································································· 917
session statistics enable ··································································································· 918
Connection limit commands ···························································· 919
connection-limit ··············································································································· 919
connection-limit apply ······································································································· 920
connection-limit apply global ······························································································ 921
description ····················································································································· 921
display connection-limit ····································································································· 922
display connection-limit ipv6-stat-nodes ··············································································· 925
display connection-limit statistics ························································································ 929
display connection-limit stat-nodes ······················································································ 930
limit ······························································································································ 935
reset connection-limit statistics ··························································································· 938
Object group commands ································································ 940
description ····················································································································· 940
display object-group ········································································································· 941
network (IPv4 address object group view) ············································································· 942
network (IPv6 address object group view) ············································································· 944
network exclude ·············································································································· 946
object-group ··················································································································· 947
object-group rename ········································································································ 948
port (port object group view) ······························································································ 949
service (service object group view) ······················································································ 951
Object policy commands ································································ 953
accelerate ······················································································································ 953
description ····················································································································· 954
display object-policy accelerate ·························································································· 955
display object-policy ip ······································································································ 956
display object-policy ipv6 ·································································································· 957
display object-policy statistics zone-pair security ···································································· 958
display object-policy zone-pair security ················································································ 959
move rule ······················································································································ 960
object-policy apply ip ········································································································ 960
object-policy apply ipv6 ····································································································· 961
object-policy ip ················································································································ 962
object-policy ipv6 ············································································································· 963
reset object-policy statistics ······························································································· 963
rule (IPv4 object policy view) ······························································································ 964
rule (IPv6 object policy view) ······························································································ 966
rule append ···················································································································· 969
rule comment ················································································································· 970
Attack detection and prevention commands ······································· 972
ack-flood action ··············································································································· 972
ack-flood detect ·············································································································· 973
ack-flood detect non-specific ······························································································ 974
ack-flood threshold ·········································································································· 975
attack-defense apply policy ······························································································· 975
attack-defense local apply policy ························································································ 976
attack-defense login reauthentication-delay ··········································································· 977
attack-defense policy ······································································································· 978
attack-defense signature log non-aggregate ·········································································· 978
attack-defense top-attack-statistics enable ············································································ 979
blacklist enable ··············································································································· 980
blacklist global enable ······································································································ 980
blacklist ip ······················································································································ 981
blacklist ipv6 ··················································································································· 982
blacklist logging enable ····································································································· 983
blacklist object-group ······································································································· 984
client-verify dns enable ····································································································· 985
client-verify http enable ····································································································· 985
client-verify protected ip ···································································································· 986
client-verify protected ipv6 ································································································· 987
client-verify tcp enable ······································································································ 988
display attack-defense flood statistics ip ··············································································· 989
display attack-defense flood statistics ipv6 ············································································ 992
display attack-defense policy ····························································································· 995
display attack-defense policy ip ·························································································· 999