Network Configuration


Zones

This section is located at the network zone level. To create a new zone, use the following command:

Admin@nodename# create network zone

Provide the following zone parameters:

Parameter

Description

name

Zone name.

description

Zone description.

dos-protection-syn

Protect the zone against network flooding for TCP protocol (SYN-flood):

  • enabled: enable/disable the protection.

    • on

    • off

  • aggregate:

  • on: count all packets incoming to the zone's interfaces.

    • off: count packets for each IP address separately.

  • alert-threshold: alert threshold; if the number of requests exceeds this value, the event is recorded in the system log.

  • drop-threshold: packet drop threshold; if the number of requests exceeds this value, UserGate drops packets and records this event in the system log.

  • excluded-ips: list of IP addresses of servers that should be excluded from protection.

dos-protection-udp

Protect the zone against network flooding for UDP protocol:

  • enabled: enable/disable the protection.

    • on

    • off

  • aggregate:

  • on: count all packets incoming to the zone's interfaces.

    • off: count packets for each IP address separately.

  • alert-threshold: alert threshold; if the number of requests exceeds this value, the event is recorded in the system log.

  • drop-threshold: packet drop threshold; if the number of requests exceeds this value, UserGate drops packets and records this event in the system log.

  • excluded-ips: list of IP addresses of servers that should be excluded from protection.

dos-protection-icmp

Protect the zone against network flooding for ICMP protocol:

  • enabled: enable/disable the protection.

    • on

    • off

  • aggregate:

    • on: count all packets incoming to the zone's interfaces.

    • off: count packets for each IP address separately.

  • alert-threshold: alert threshold; if the number of requests exceeds this value, the event is recorded in the system log.

  • drop-threshold: packet drop threshold; if the number of requests exceeds this value, UserGate drops packets and records this event in the system log.

  • excluded-ips: list of IP addresses of servers that should be excluded from protection.
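
The three dos-protection parameter groups share the same counting logic. The following model is an added illustration, not UserGate code; it follows the descriptions above (aggregate on counts the whole zone, aggregate off counts per source IP, excluded-ips are never counted, alert-threshold logs, drop-threshold drops and logs). The length of the counting window is an assumption: the caller decides when to call reset_window().

```python
"""Model of the zone dos-protection-{syn,udp,icmp} thresholds (added example)."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class FloodProtection:
    proto: str = "SYN"            # label used in log lines only
    enabled: bool = True
    aggregate: bool = False
    alert_threshold: int = 100
    drop_threshold: int = 200
    excluded_ips: set = field(default_factory=set)
    counts: Counter = field(default_factory=Counter)
    log: list = field(default_factory=list)

    def _key(self, src_ip: str) -> str:
        # aggregate on: one counter for the whole zone; off: one per source IP
        return "zone" if self.aggregate else src_ip

    def packet(self, src_ip: str) -> str:
        """Account for one packet from src_ip; return 'pass' or 'drop'."""
        if not self.enabled or src_ip in self.excluded_ips:
            return "pass"
        key = self._key(src_ip)
        self.counts[key] += 1
        n = self.counts[key]
        if n > self.drop_threshold:
            if n == self.drop_threshold + 1:     # log the drop event once per window
                self.log.append(f"{self.proto} flood drop: {key} exceeded {self.drop_threshold}")
            return "drop"
        if n == self.alert_threshold + 1:        # log the alert once per window
            self.log.append(f"{self.proto} flood alert: {key} exceeded {self.alert_threshold}")
        return "pass"

    def reset_window(self) -> None:
        """Start a new counting window (the log is kept)."""
        self.counts.clear()


def run_demo(aggregate: bool):
    """Replay a constructed burst and return (dropped_packets, log_lines)."""
    fp = FloodProtection(aggregate=aggregate, alert_threshold=5, drop_threshold=8,
                         excluded_ips={"10.0.0.9"})
    # Constructed traffic: two hosts send 6 SYNs each, an excluded host sends 20.
    burst = ["10.0.0.1"] * 6 + ["10.0.0.2"] * 6 + ["10.0.0.9"] * 20
    verdicts = Counter(fp.packet(src) for src in burst)
    return verdicts["drop"], list(fp.log)


if __name__ == "__main__":
    for mode in (False, True):
        dropped, log = run_demo(mode)
        print(f"aggregate={'on' if mode else 'off'}: dropped={dropped}")
        for line in log:
            print("  ", line)
```

With aggregate off, neither host crosses the drop threshold on its own and only two alerts are logged; with aggregate on, the same traffic is summed, so the zone counter passes both thresholds and the last four packets are dropped. This is the trade-off to keep in mind when choosing aggregate: per-IP counting resists a single noisy host, zone-wide counting catches a distributed flood.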

enabled-services

Zone access control settings:

  • "Any ICMP": allow use of the ping command to a UserGate address.

  • SNMP: provides SNMP access to UserGate (UDP 161).

  • response-pages: permission to display Captive portal auth and block pages (TCP 80, 443, 8002).

  • rpc: XML-RPC control; enables API control of the product (TCP 4040).

  • ha: service required to combine multiple UserGate nodes into a cluster (TCP 4369, TCP 9000-9100).

  • VRRP: required for combining several UserGate nodes into a HA cluster (IP protocol 112).

  • "Admin Console": access to the management web console (TCP 8001).

  • DNS: provides access to the DNS proxy service (TCP 53, UDP 53).

  • "HTTP Proxy": access to the HTTP(S) proxy (TCP 8090).

  • "Authorization agent": server access required for Windows authorization agents and terminal servers (UDP 1813).

  • "SMTP Proxy": service to filter SMTP traffic for spam and viruses. Required only when publishing a mail server to the Internet.

  • "POP3 Proxy": service to filter POP3 traffic for spam and viruses. Required only when publishing a mail server to the Internet.

  • "CLI over SSH": access to the server to manage it via the CLI (TCP 2200).

  • VPN: provides server access for connecting L2TP VPN clients (UDP 500, 4500).

  • SCADA: SCADA traffic filtering. Required only for SCADA traffic control.

  • "REVERSE PROXY": service required to publish internal resources using Reverse Proxy.

  • "PROXY PORTAL": service required to publish internal resources using an SSL VPN.

  • L7 DNS: DNS traffic detection at the application level.

  • L7 NTP: NTP traffic detection at the application level.

  • "SAML SERVER": select a SAML server in the list of zone services and in the general UserGate settings.

  • Log Analyzer: the Log Analyzer service. Enable this if you plan to use this UserGate server as a Log analyzer (TCP 2023 and 9713).

  • "Dynamic routing OSPF": OSPF dynamic routing service.

  • "Dynamic routing BGP": BGP dynamic routing service.

  • "SNMP Proxy": service used to build a distributed monitoring system (used to balance load and organize monitoring of a distributed network infrastructure).

  • "SSH Proxy": service used to initiate SSH traffic.

  • Multicast: multicast service.

  • NTP: access to the accurate time service running on the UserGate server.

  • "Dynamic routing RIP": RIP dynamic routing service.

  • UserID agent: a transparent authentication service. Active Directory logs and Syslog are used as the authentication data source.

  • BFD: the Bidirectional Forwarding Detection service for quick network fault detection.
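
Because enabled-services decides which UserGate listeners are reachable from a zone, it is worth reviewing against the ports listed above. The following audit is an added example, not UserGate code: it parses the bracketed list syntax the CLI uses for enabled-services (for example [ "Any ICMP" DNS ]) and reports management-plane services enabled on a zone the operator does not trust. The port table is copied from the service descriptions on this page (services listed without a port are omitted); which services count as "management" is an assumption made for this example.

```python
"""Audit of a zone's enabled-services list (added example)."""
import shlex

# Ports as given in the enabled-services descriptions on this page.
SERVICE_PORTS = {
    "Any ICMP": ["icmp"],
    "SNMP": ["udp/161"],
    "response-pages": ["tcp/80", "tcp/443", "tcp/8002"],
    "rpc": ["tcp/4040"],
    "ha": ["tcp/4369", "tcp/9000-9100"],
    "VRRP": ["ip/112"],
    "Admin Console": ["tcp/8001"],
    "DNS": ["tcp/53", "udp/53"],
    "HTTP Proxy": ["tcp/8090"],
    "Authorization agent": ["udp/1813"],
    "CLI over SSH": ["tcp/2200"],
    "VPN": ["udp/500", "udp/4500"],
    "Log Analyzer": ["tcp/2023", "tcp/9713"],
}

# Assumption: services that give control of the appliance itself and should
# only be reachable from a trusted administrative zone.
MANAGEMENT_SERVICES = {"Admin Console", "CLI over SSH", "rpc", "SNMP", "ha"}


def parse_service_list(arg: str) -> list:
    """Parse '[ "Any ICMP" DNS ]' into ['Any ICMP', 'DNS']."""
    tokens = shlex.split(arg)        # keeps quoted names with spaces together
    if len(tokens) < 2 or tokens[0] != "[" or tokens[-1] != "]":
        raise ValueError("expected a space-delimited bracketed list: [ ... ]")
    return tokens[1:-1]


def audit_zone(zone: str, trusted: bool, services_arg: str) -> list:
    """Return finding strings for services that should not be enabled on zone."""
    findings = []
    for svc in parse_service_list(services_arg):
        if svc not in SERVICE_PORTS:
            findings.append(f"{zone}: service {svc!r} not in port table, review manually")
            continue
        if svc in MANAGEMENT_SERVICES and not trusted:
            ports = ", ".join(SERVICE_PORTS[svc])
            findings.append(f"{zone}: management service {svc!r} ({ports}) enabled on untrusted zone")
    return findings


if __name__ == "__main__":
    # Constructed zone definitions, written as the enabled-services argument would be typed.
    zones = [
        ("Trusted", True, '[ "Any ICMP" DNS "Admin Console" "CLI over SSH" ]'),
        ("Untrusted", False, '[ "Any ICMP" DNS "Admin Console" VPN ]'),
    ]
    for name, trusted, arg in zones:
        for line in audit_zone(name, trusted, arg) or [f"{name}: no findings"]:
            print(line)
```

Services the page lists without a port (SCADA, the proxy portal, the dynamic routing services and so on) are reported for manual review rather than silently accepted, so the audit never passes a service it knows nothing about.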

service-addresses

Allowed IP addresses for services:

  • service: select services (the list corresponds to enabled-services).

  • allowed-addresses: the allowed IP addresses. The options are:

    • geoip: a GeoIP code

    • ip-list: an IP address list previously configured in the item library.

antispoof-enabled

Enable/disable IP spoofing protection:

  • on

  • off

antispoof-negate

Enumerated options:

  • on

  • off

If antispoof-negate is set to on, the interfaces in that zone will not receive packets from the source addresses specified in ip-spoofing-networks: packets with these source IP addresses are discarded.

sessions-limit-enabled

Enable the limit on the number of concurrent sessions from a single IP address:

  • on

  • off

sessions-limit-exclusions

Add a list of IP addresses to which the concurrent session limit will not apply.

sessions-limit-threshold

The maximum allowed number of sessions originating from a single IP address.

geoip

GeoIP codes that are used in IP spoofing protection.

ip-list

List of IP addresses that are used in IP spoofing protection.

Example command to create a zone:

Admin@nodename# create network zone name Test_zone description "Test_zone description" antispoof-enabled on enabled-services [ "Any ICMP" DNS ] dos-protection-icmp enabled on

To edit zone parameters, use the following command:

Admin@nodename# set network zone <zone-name>

Example command to edit zone parameters:

Admin@nodename# set network zone Test_zone dos-protection-syn enabled on

To delete a zone or its parameters, use the following command:

Admin@nodename# delete network zone <zone-name>

You can delete the following parameters:

Parameter

Description

dos-protection-syn

Protect the zone against network flooding for TCP protocol (SYN-flood):

  • excluded-ips: list of IP addresses of servers that should be excluded from protection.

dos-protection-udp

Protect the zone against network flooding for UDP protocol:

  • excluded-ips: list of IP addresses of servers that should be excluded from protection.

dos-protection-icmp

Protect the zone against network flooding for ICMP protocol:

  • excluded-ips: list of IP addresses of servers that should be excluded from protection.

enabled-services

The previously configured zone access control settings

geoip

GeoIP codes that are used in IP spoofing protection.

ip-list

List of IP addresses that are used in IP spoofing protection.

To preview zone settings, use the following command:

Admin@nodename# show network zone <zone-name>


Interfaces

An ordered list of network interface names with the associated physical addresses can be displayed using this command (available both in the Diagnostics and monitoring and Configuration modes):

Admin@nodename> show network interface-mapping

Admin@nodename# show network interface-mapping

The interfaces are ordered by port number on the PCI bus.

To delete the list, use the following commands (available both in the Diagnostics and monitoring and Configuration modes):

Admin@nodename> clear network interface-mapping

Admin@nodename# delete network interface-mapping

After the UserGate server reboots, the list will update and become available for display. This operation needs to be performed after adding network ports to a configured UserGate appliance.

Discussed next is interface configuration, which is done at the network interface level.

Adapter settings

Network adapters are configured at the network interface adapter level.

You cannot create a network adapter. To update an existing network adapter, use the command:

Admin@nodename# set network interface adapter <adapter_name>

Provide the following network adapter parameters:

Parameter

Description

enabled

Enable/disable a network interface:

  • on

  • off

description

Network interface description.

alias

The interface's alias.

iface-type

Interface type:

  • l3: interface works in Layer 3 mode (you can assign an IP address and use it in firewall, content filtering, and other rules; this is the standard interface operation mode).

  • mirror: interface works in Mirror mode (it can receive traffic from the network equipment SPAN port to analyze it).

iface-mode

IP address assignment mode:

  • dhcp: obtain a dynamic IP address via DHCP.

  • manual: no address.

Static mode is set automatically when an IP address is assigned to the interface.

zone

Zone to which the interface belongs.

link-info

Settings for network interface parameters:

  • bc_forwarding: control forwarding the directed broadcast packets arriving at the specified interface.

  • proxy_arp, proxy_arp_vlan: Proxy ARP mechanism. With proxy_arp, UserGate will respond to ARP requests for addresses outside the interface's network; with proxy_arp_vlan, UserGate will respond to ARP requests for addresses that belong to the interface's network.

To specify them, use the following format:

Admin@nodename# create network interface <iface-type> ... link-info [ key/value ]

where key is the parameter name, which can include lowercase Latin letters (a-z) and underscores (_), and value is the parameter value. Parameter values can only be integers.

For example, use proxy_arp/1 to enable the Proxy ARP mechanism and proxy_arp/0 to disable it.

The link-info field is displayed only when adding parameters.

Important! You cannot delete the specified parameters.

netflow-profile

The Netflow profile to send statistical data to the Netflow collector. For more details on Netflow profile settings, see Configuring Netflow Profiles.

lldp-profile

Profile to send data using Link Layer Discovery Protocol (LLDP). For more details on configuring profiles, see Configuring LLDP Profiles.

ip-addresses

Assign an IP address to the interface.

The IP addresses are specified as [ <ip_address/mask> ] or [ <ip_address/mask> <ip_address/mask> ]. In case of several IP addresses (with space used as the separator), the subnet mask is entered in the decimal format.

Important! Make sure to separate the square brackets with spaces on both sides.
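
The two list-valued arguments, ip-addresses and link-info, are the ones most easily mistyped: the brackets need spaces on both sides, link-info keys are limited to lowercase Latin letters and underscores, and link-info values must be integers. The builder below is an added example, not UserGate code; it validates each argument and composes the set command as a string for review (nothing is sent to an appliance). The same rendering applies to the vlan, bond, bridge and pppoe commands, which take ip-addresses and link-info in the same format.

```python
"""Builder for the ip-addresses and link-info arguments (added example)."""
import ipaddress
import re

LINK_INFO_KEY = re.compile(r"^[a-z_]+$")   # lowercase Latin letters and underscore only


def bracket_list(items) -> str:
    """Render a CLI list with the mandatory spaces around the brackets."""
    return "[ " + " ".join(items) + " ]"


def ip_addresses_arg(addresses) -> str:
    """Validate each ip/mask and render the ip-addresses argument."""
    rendered = []
    for addr in addresses:
        if "/" not in addr:
            raise ValueError(f"{addr!r}: address must be given as ip/mask")
        ipaddress.ip_interface(addr)   # raises ValueError on a bad address or mask
        rendered.append(addr)          # keep the operator's mask notation as typed
    return bracket_list(rendered)


def link_info_arg(params: dict) -> str:
    """Validate key/value pairs and render the link-info argument."""
    rendered = []
    for key, value in params.items():
        if not LINK_INFO_KEY.match(key):
            raise ValueError(f"{key!r}: link-info keys use only a-z and _")
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{key!r}: link-info values must be integers")
        rendered.append(f"{key}/{value}")
    return bracket_list(rendered)


def set_adapter_command(adapter: str, ip_addresses=None, link_info=None, **options) -> str:
    """Compose 'set network interface adapter <adapter_name> ...' for review."""
    parts = ["set", "network", "interface", "adapter", adapter]
    for key, value in options.items():            # e.g. zone="Trusted", mtu=1500
        parts += [key.replace("_", "-"), str(value)]
    if ip_addresses:
        parts += ["ip-addresses", ip_addresses_arg(ip_addresses)]
    if link_info:
        parts += ["link-info", link_info_arg(link_info)]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed values: documentation addresses and the page's proxy_arp/1 example.
    print(set_adapter_command("port1", zone="Trusted", mtu=1500,
                              ip_addresses=["192.0.2.10/24", "192.0.2.11/255.255.255.0"],
                              link_info={"proxy_arp": 1, "bc_forwarding": 0}))
```

Validating link-info before typing it matters because, as the note above states, link-info parameters cannot be deleted once set; a mistyped key would stay on the interface.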

mac

Interface MAC address.

mtu

Specify the MTU size.

rx-ring

RX ring buffer size for adapter-type interfaces.

tx-ring

TX ring buffer size for adapter-type interfaces.

dhcp-relay

Settings for the DHCP relay on the interface. You need to specify the following:

  • enabled: enable/disable the relay:

    • on

    • off

  • utm-address: IP address of the UserGate interface on which the relay function is added (possible values: <ip | none>).

  • server-address: addresses of DHCP servers where DHCP requests from clients should be redirected.

To delete an adapter or its parameters, use the following command:

Admin@nodename# delete network interface adapter <adapter-name>

You can delete the following parameters:

Parameter

Description

ip-addresses

Specified IP address.

dhcp-relay server-address

DHCP server IP address.

To display information about all network adapters, use the following command:

Admin@nodename# show network interface adapter

To display the adapter information, use the following command:

Admin@nodename# show network interface adapter <adapter-name>

Configuring a VLAN

VLAN interfaces are configured at the network interface vlan level.

To add a new VLAN interface, use the following command:

Admin@nodename# create network interface vlan

Parameters:

Parameter

Description

enabled

Enable/disable a VLAN interface:

  • on

  • off

description

Interface description.

alias

The interface's alias.

iface-type

Interface type:

  • l3: Layer 3 (you can assign an IP address and use it in firewall, content filtering, and other rules; this is the standard interface operation mode).

  • mirror: interface works in Mirror mode (it can receive traffic from the network equipment SPAN port to analyze it).

iface-mode

IP address assignment mode:

  • dhcp: obtain a dynamic IP address via DHCP.

  • manual: no address.

Static mode is set automatically when an IP address is assigned to the interface.

tag

VLAN tag. Up to 4094 interfaces can be created.

node-name

Cluster node name where the VLAN is created.

interface

The physical interface on which the VLAN is being created.

zone

Zone to which the interface belongs.

link-info

Settings for network interface parameters:

  • bc_forwarding: control forwarding the directed broadcast packets arriving at the specified interface.

  • proxy_arp, proxy_arp_vlan: Proxy ARP mechanism. With proxy_arp, UserGate will respond to ARP requests for addresses outside the interface's network; with proxy_arp_vlan, UserGate will respond to ARP requests for addresses that belong to the interface's network.

To specify them, use the following format:

Admin@nodename# create network interface <iface-type> ... link-info [ key/value ]

where key is the parameter name, which can include lowercase Latin letters (a-z) and underscores (_), and value is the parameter value. Parameter values can only be integers.

For example, use proxy_arp/1 to enable the Proxy ARP mechanism and proxy_arp/0 to disable it.

The link-info field is displayed only when adding parameters.

Important! You cannot delete the specified parameters.

netflow-profile

The Netflow profile to send statistical data to the Netflow collector. For more details on Netflow profile settings, see Configuring Netflow Profiles.

ip-addresses

Assign an IP address to the interface.

The IP addresses are specified as [ <ip_address/mask> ] or [ <ip_address/mask> <ip_address/mask> ]. In case of several IP addresses (with space used as the separator), the subnet mask is entered in the decimal format.

Important! Make sure to separate the square brackets with spaces on both sides.

mac

Interface MAC address.

mtu

Specify the MTU size.

dhcp-relay

Settings for the DHCP relay on the interface. You need to specify the following:

  • enabled: enable/disable the relay:

    • on

    • off

  • utm-address: IP address of the UserGate interface on which the relay function is added.

  • server-address: addresses of DHCP servers where DHCP requests from clients should be redirected.

To edit an existing VLAN, use the following command:

Admin@nodename# set network interface vlan <vlan-name>

The parameters available for setting are the same as those for creating a VLAN, except for tag, node-name, and interface (you cannot change these parameter values).

To delete a VLAN interface or its parameters, use the following command:

Admin@nodename# delete network interface vlan <vlan-name>

You can delete the following parameters:

Parameter

Description

ip-addresses

Specified IP address.

dhcp-relay server-address

DHCP server IP address.

To display information about all VLAN interfaces, use the following command:

Admin@nodename# show network interface vlan

To display information about a single interface, use the following command:

Admin@nodename# show network interface vlan <vlan-name>

Properties of bond interfaces

You configure bond interface properties at the network interface bond level.

To create a bond interface, use the following command:

Admin@nodename# create network interface bond

You need to specify the following parameters:

Parameter

Description

enabled

Enable/disable the interface:

  • on

  • off

interface-name

Enter a number to include in the interface name (for example, if you enter 1 the interface name will be bond1).

description

Interface description.

alias

The interface's alias.

node-name

Cluster node where the bond interface is created.

zone

Zone to which the bond belongs.

link-info

Settings for network interface parameters:

  • bc_forwarding: control forwarding the directed broadcast packets arriving at the specified interface.

  • proxy_arp, proxy_arp_vlan: Proxy ARP mechanism. With proxy_arp, UserGate will respond to ARP requests for addresses outside the interface's network; with proxy_arp_vlan, UserGate will respond to ARP requests for addresses that belong to the interface's network.

To specify them, use the following format:

Admin@nodename# create network interface <iface-type> ... link-info [ key/value ]

where key is the parameter name, which can include lowercase Latin letters (a-z) and underscores (_), and value is the parameter value. Parameter values can only be integers.

For example, use proxy_arp/1 to enable the Proxy ARP mechanism and proxy_arp/0 to disable it.

The link-info field is displayed only when adding parameters.

Important! You cannot delete the specified parameters.

netflow-profile

The Netflow profile to send statistical data to the Netflow collector. For more details on Netflow profile settings, see Configuring Netflow Profiles.

bonding

Additional bond interface parameters:

  • aggr-mode: bond operation mode. The available options:

    • round-robin: Round robin mode (packets are sent sequentially starting with the first available interface and ending with the last one. This policy is used to provide load balancing and high availability.)

    • active-backup: Active backup mode (only one network interface in the bond will be active. Another slave interface can become active only if the currently active interface fails. With this policy, the MAC address of the bond interface is only visible externally through one network port to avoid problems with the switch. This policy is used to provide high availability).

    • xor: XOR mode (the transmission is allocated among the NICs using the following formula: [( XOR ) MOD ]. This means that the same NIC sends packets to the same recipients. Optionally, the transmission allocation can also be based on the xmit_hash policy. The XOR policy is used for load balancing and high availability).

    • broadcast: Broadcast mode (broadcasts everything to all network interfaces. This policy is used for high availability).

    • 802.3ad: IEEE 802.3ad mode (the default mode supported by most network switches. Creates aggregated groups of NICs with identical speed and duplex settings. When combined like this, all links in the active aggregation participate in transmission as per IEEE 802.3ad. The choice of interface for packet transmission is determined by the policy. By default, the XOR policy is used, with the xmit_hash policy as a possible alternative).

    • transmit: Adaptive transmit load balancing mode (outgoing traffic is distributed depending on the loading of each NIC (determined by the load speed). No additional configuration on the switch is required. The incoming traffic is received by the current network card. If this card fails, another card assumes the MAC address of the failed one).

    • load: Adaptive load balancing mode. Includes the previous policy plus incoming traffic balancing. No additional configuration on the switch is required. The incoming traffic is balanced through ARP negotiation. The driver intercepts ARP responses sent from the local NICs to the outside and overwrites the source MAC address with one of the unique MAC addresses of the NIC in the bond. Thus, different peers use different server MAC addresses. The incoming traffic is balanced sequentially (round-robin) among the interfaces.

  • mii-monitoring: MII monitoring period in milliseconds. Determines how often the link state will be checked for failures.

  • down-delay: delay time (in milliseconds) before an interface is disabled after a link failure is detected. This option is only valid with MII monitoring (miimon). The parameter value must be a multiple of miimon.

  • up-delay: delay time (in milliseconds) before an interface is brought back into use after its link is detected as restored. This option is only valid with MII monitoring (miimon). The parameter value must be a multiple of miimon.

  • lacp-rate: interval with which the partner transmits LACPDU packets in 802.3ad mode. Enumerated options:

    • slow: requests that the partner send LACPDU packets every 30 seconds.

    • fast: requests that the partner send LACPDU packets every second.

  • failover-mac: define the assignment type of MAC addresses to bond interfaces in Active backup mode when switching interfaces. Enumerated options:

    • disabled: the same MAC address is set on all interfaces during switching.

    • active: the MAC address on the bond interface will always be identical to that on the currently active slave. The MAC addresses on the backup interfaces are not changed. The MAC address on the bond interface changes during the failover processing.

    • follow: the MAC address on the bond interface will be the same as that on the first slave added to the bond. This MAC is not set on the second and subsequent interfaces while they are in backup mode. That MAC address gets assigned during a failover: when a backup slave interface becomes active, it assumes a new MAC (the one on the bond interface), and the formerly active slave is assigned the MAC that the currently active one used to have.

  • xmit-hash: define a hash policy for sending packets over bond interfaces in XOR or IEEE 802.3ad mode. Enumerated options:

    • l2: use only MAC addresses to generate the hash. With this algorithm, the traffic for a particular network host is always sent over the same interface. This algorithm is compatible with IEEE 802.3ad.

    • l2-3: use both MAC and IP addresses to generate the hash. This algorithm is compatible with IEEE 802.3ad.

    • l3-4: uses IP addresses and transport layer protocols (TCP or UDP) to generate the hash. This algorithm is not universally compatible with IEEE 802.3ad, as both fragmented and non-fragmented packets can be transmitted within a single TCP or UDP interaction. Fragmented packets lack the source and destination ports. As a result, packets from the same session can reach the recipient in an order other than the intended one because they are sent via different slaves.

  • interface: interfaces to be bonded.
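
Two of the bonding parameters above carry rules that are easy to get wrong: xmit-hash l3-4 can send fragments of one session over a different slave than the rest of the session, and several parameters are only meaningful in a particular aggr-mode. The following model is an added example, not UserGate code. Part one builds the per-policy hash key for l2, l2-3 and l3-4 and maps it to a bonded interface; the hash function (crc32) and the handling of fragments without a transport header are assumptions, since the driver's exact hashing is not documented on this page. Part two checks the consistency rules stated in the list: down-delay and up-delay must be multiples of mii-monitoring, lacp-rate applies to 802.3ad, failover-mac to active-backup, and xmit-hash to xor and 802.3ad.

```python
"""xmit-hash policy model and bonding parameter consistency check (added example)."""
import zlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    src_port: Optional[int]   # None for a fragment that carries no transport header
    dst_port: Optional[int]


def hash_key(pkt: Packet, policy: str) -> tuple:
    """Fields the xmit-hash policy feeds into the hash."""
    if policy == "l2":
        return (pkt.src_mac, pkt.dst_mac)
    if policy == "l2-3":
        return (pkt.src_mac, pkt.dst_mac, pkt.src_ip, pkt.dst_ip)
    if policy == "l3-4":
        # Assumption: a fragment with no ports hashes on the addresses alone,
        # so its key differs from that of the session's unfragmented packets.
        return (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)
    raise ValueError(f"unknown xmit-hash policy {policy!r}")


def select_slave(pkt: Packet, policy: str, slaves: list) -> str:
    """Pick the bonded interface for pkt: crc32(key) modulo the slave count."""
    digest = zlib.crc32(repr(hash_key(pkt, policy)).encode())
    return slaves[digest % len(slaves)]


def slaves_used(packets, policy: str, slaves: list) -> set:
    """Distinct interfaces one flow's packets are sent over under policy."""
    return {select_slave(p, policy, slaves) for p in packets}


# Parameters that only take effect in certain aggr-mode values, per the list above.
ONLY_IN_MODE = {
    "lacp-rate": {"802.3ad"},
    "failover-mac": {"active-backup"},
    "xmit-hash": {"xor", "802.3ad"},
}


def validate_bonding(cfg: dict) -> list:
    """Return human-readable problems with a bonding parameter set."""
    problems = []
    mode = cfg.get("aggr-mode")
    mii = cfg.get("mii-monitoring")
    for name in ("down-delay", "up-delay"):
        if name in cfg:
            if not mii:
                problems.append(f"{name} requires mii-monitoring")
            elif cfg[name] % mii != 0:
                problems.append(f"{name} must be a multiple of mii-monitoring ({mii})")
    for name, modes in ONLY_IN_MODE.items():
        if name in cfg and mode not in modes:
            problems.append(f"{name} has no effect in aggr-mode {mode!r} (needs {', '.join(sorted(modes))})")
    return problems


if __name__ == "__main__":
    # Constructed session: one full TCP segment and one later fragment of the same flow.
    full = Packet("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.0.5", "198.51.100.7", "tcp", 40000, 443)
    frag = Packet("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.0.5", "198.51.100.7", "tcp", None, None)
    slaves = ["port1", "port2", "port3"]
    for policy in ("l2", "l2-3", "l3-4"):
        print(policy, sorted(slaves_used([full, frag], policy, slaves)))
    print(validate_bonding({"aggr-mode": "802.3ad", "mii-monitoring": 100,
                            "down-delay": 200, "up-delay": 250, "xmit-hash": "l3-4"}))
```

Under l2 and l2-3 the key is the same for every packet of the flow, so the session always stays on one slave; under l3-4 the fragment's key differs, and whether it lands on a different slave depends only on the hash, which is exactly the reordering risk the l3-4 description warns about.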

iface-mode

IP address assignment mode:

  • dhcp: obtain a dynamic IP address via DHCP.

  • manual: no address.

Static mode is set automatically when an IP address is assigned to the interface.

iface-type

The type of interface to be created:

  • l3: a Layer 3 interface

  • mirror: a mirroring interface.

ip-addresses

Assign an IP address to the interface.

The IP addresses are specified as [ <ip_address/mask> ] or [ <ip_address/mask> <ip_address/mask> ]. In case of several IP addresses (with space used as the separator), the subnet mask is entered in the decimal format.

Important! Make sure to separate the square brackets with spaces on both sides.

mac

Interface MAC address.

mtu

Specify the MTU size.

dhcp-relay

Settings for the DHCP relay on the interface. You need to specify the following:

  • enabled: enable/disable the relay:

    • on

    • off

  • utm-address: IP address of the UserGate interface on which the relay function is added.

  • server-address: addresses of DHCP servers where DHCP requests from clients should be redirected.

To update an existing bond interface, use the following command:

Admin@nodename# set network interface bond <bond-name>

The parameters available for setting are the same as those for creating a bond interface, except for interface-name and node-name (you cannot change the values of these parameters).

To delete a bond interface or its parameters, use the following command:

Admin@nodename# delete network interface bond <bond-name>

You can delete the following parameters:

Parameter

Description

ip-addresses

Specified IP address.

dhcp-relay server-address

DHCP server IP address.

bonding interface

Bonded interfaces.

To display information about all bond interfaces, use the following command:

Admin@nodename# show network interface bond

To display information about a single interface, use the following command:

Admin@nodename# show network interface bond <bond-name>

Bridge Interface Settings

You configure a bridge at the network interface bridge level.

To add a new bridge interface:

Admin@nodename# create network interface bridge

You need to specify the following parameters:

Parameter

Description

enabled

Enable/disable a bridge:

  • on

  • off

interface-name

Enter a number to include in the interface name (for example, if you enter 1 the interface name will be bridge1).

description

Bridge interface description.

alias

The interface's alias.

node-name

Node name of the cluster where the bridge is created.

zone

Zone to which the bridge belongs.

link-info

Settings for network interface parameters:

  • bc_forwarding: control forwarding the directed broadcast packets arriving at the specified interface.

  • proxy_arp, proxy_arp_vlan: Proxy ARP mechanism. With proxy_arp, UserGate will respond to ARP requests for addresses outside the interface's network; with proxy_arp_vlan, UserGate will respond to ARP requests for addresses that belong to the interface's network.

To specify them, use the following format:

Admin@nodename# create network interface <iface-type> ... link-info [ key/value ]

where key is the parameter name, which can include lowercase Latin letters (a-z) and underscores (_), and value is the parameter value. Parameter values can only be integers.

For example, use proxy_arp/1 to enable the Proxy ARP mechanism and proxy_arp/0 to disable it.

The link-info field is displayed only when adding parameters.

Important! You cannot delete the specified parameters.

netflow-profile

The Netflow profile to send statistical data to the Netflow collector. For more details on Netflow profile settings, see Configuring Netflow Profiles.

bridging

Additional bridge parameters:

  • iface-type: interface mode:

    • l2: Layer 2 (you do not need to assign an IP address or specify routes and gateways for the bridge to work correctly. In this mode, the bridge works at the MAC address level by forwarding packets from one network segment to another. Mail security rules cannot be used in this case; content filtering is available in this mode).

    • l3: Layer 3 (you can assign an IP address and use it in firewall, content filtering, and other rules; this is the standard interface operation mode).

  • interface: interfaces to use to create the bridge.

  • stp: enable/disable STP (Spanning Tree Protocol) for protection against network loops:

    • on

    • off

  • forward-delay: delay before the bridge switches to the active mode (Forwarding) if the STP is enabled (in seconds).

  • max-age: time after which the STP connection is considered lost (in seconds).

  • bypass-pair: interface pair to use to build the bypass bridge. UserGate HSC support is required.

iface-mode

IP address assignment mode:

  • dhcp: obtain a dynamic IP address via DHCP.

  • manual: no address.

Static mode is set automatically when an IP address is assigned to the interface.

ip-addresses

Assign an IP address to the interface.

The IP addresses are specified as [ <ip_address/mask> ] or [ <ip_address/mask> <ip_address/mask> ]. In case of several IP addresses (with space used as the separator), the subnet mask is entered in the decimal format.

Important! Make sure to separate the square brackets with spaces on both sides.

mac

Interface MAC address.

mtu

Specify the MTU size.

dhcp-relay

Settings for the DHCP relay on the interface. You need to specify the following:

  • enabled: enable/disable the relay:

    • on

    • off

  • utm-address: IP address of the UserGate interface on which the relay function is added.

  • server-address: addresses of DHCP servers where DHCP requests from clients should be redirected.

To update an existing bridge interface, use the following command:

Admin@nodename# set network interface bridge <bridge-name>

The parameters available for setting are the same as those for creating a bridge, except for interface-name and node-name (you cannot change the values of these parameters).

To delete a bridge interface or its parameters, use the following command:

Admin@nodename# delete network interface bridge <bridge-name>

You can delete the following parameters:

Parameter

Description

ip-addresses

Specified IP address.

dhcp-relay server-address

DHCP server IP address.

To display information about all bridge interfaces, use the following command:

Admin@nodename# show network interface bridge

To display information about a single interface, use the following command:

Admin@nodename# show network interface bridge <bridge-name>

PPPoE configuration

PPPoE is configured at the network interface PPPoE level.

To create a PPPoE interface, use the following command:

Admin@nodename# create network interface pppoe

Parameters:

Parameter

Description

enabled

Enable/disable a PPPoE interface:

  • on

  • off

interface-name

Enter a number to include in the interface name (for example, if you enter 1 the interface name will be ppp1).

description

PPPoE interface description.

alias

The interface's alias.

node-name

Cluster node name where the interface is created.

zone

Zone to which the interface belongs.

link-info

Settings for network interface parameters:

  • bc_forwarding: control forwarding the directed broadcast packets arriving at the specified interface.

  • proxy_arp, proxy_arp_vlan: Proxy ARP mechanism. With proxy_arp, UserGate will respond to ARP requests for addresses outside the interface's network; with proxy_arp_vlan, UserGate will respond to ARP requests for addresses that belong to the interface's network.

To specify them, use the following format:

Admin@nodename# create network interface <iface-type> ... link-info [ key/value ]

where key is the parameter name, which can include lowercase Latin letters (a-z) and underscores (_), and value is the parameter value. Parameter values can only be integers.

For example, use proxy_arp/1 to enable the Proxy ARP mechanism and proxy_arp/0 to disable it.

The link-info field is displayed only when adding parameters.

Important! You cannot delete the specified parameters.

netflow-profile

The Netflow profile to send statistical data to the Netflow collector. For more details on Netflow profile settings, see Configuring Netflow Profiles.

config

Additional PPPoE interface parameters:

  • interface: interface where the PPPoE interface is created.

  • login: login name for PPPoE connection.

  • password: password for PPPoE connection.

  • persist-connection: automatic reconnection in case of connection failure:

    • on

    • off

  • auth-type: authorization type:

    • CHAP

    • PAP

  • holdoff: time period (in seconds) to restart the connection after it was broken.

  • default-route: use the PPPoE interface as the default route:

    • on

    • off

  • echo-intervall: interval to check the connection.

  • echo-failure: number of LCP echo failures after which UserGate assumes there is no connection and drops it.

  • providers-dns: use DNS servers provided by the ISP:

    • on

    • off

  • connection-attempts: number of unsuccessful connection attempts, after which auto-connection attempts will stop.

  • service-name: specify the service name if provided by the ISP.

mtu

Specify the MTU size. The default is 1492 bytes: the standard 1500-byte Ethernet payload less the 8 bytes taken by the PPPoE header (6 bytes) and the PPP protocol field (2 bytes).

To update an existing PPPoE interface, use the following command:

Admin@nodename# set network interface pppoe <pppoe-name>

The parameters available for setting are the same as those for creating an interface, except for interface-name (you cannot change this parameter's value).

To delete a PPPoE interface, use the following command:

Admin@nodename# delete network interface pppoe <pppoe-name>

To display information about all PPPoE interfaces, use the following command:

Admin@nodename# show network interface pppoe

To display information about a single interface, use the following command:

Admin@nodename# show network interface pppoe <pppoe-name>

Configuring a VPN device

You configure VPN devices at the network interface vpn level.

To create a VPN device, use the following command:

Admin@nodename# create network interface vpn

Parameters:

Parameter

Description

enabled

Enable/disable a VPN interface:

  • on

  • off

interface-name

Enter a number to include in the interface name (for example, if you enter 1 the interface name will be tunnel1).

description

VPN interface description.

alias

The interface's alias.

zone

Zone to which the interface belongs.

link-info

Settings for network interface parameters:

  • bc_forwarding: control forwarding of directed broadcast packets arriving at the interface. Forwarded directed broadcasts are the amplification vector behind Smurf-style attacks, and RFC 2644 recommends that routers disable such forwarding by default; keep the value at 0 unless an application on the segment depends on it.

  • proxy_arp, proxy_arp_vlan: Proxy ARP mechanism. With proxy_arp, UserGate will respond to ARP requests for addresses outside the interface's network; with proxy_arp_vlan, UserGate will respond to ARP requests for addresses that belong to the interface's network. Enable Proxy ARP only where this is intended: every host on the segment will then send traffic for those addresses through UserGate.

To specify them, use the following format:

Admin@nodename# create network interface <iface-type> ... link-info [ key/value ]

where key is the parameter name, which can include lowercase Latin letters (a-z) and underscore (_), and

value is the parameter value. Parameter values can only be integers.

For example, use proxy_arp/1 to enable the Proxy ARP mechanism and proxy_arp/0 to disable it.

The link-info field is displayed only when adding parameters.

Important! You cannot delete the specified parameters.

netflow-profile

The Netflow profile to send statistical data to the Netflow collector. For more details on Netflow profile settings, see Configuring Netflow Profiles.

iface-mode

IP address assignment mode:

  • dhcp: obtain a dynamic IP address via DHCP.

  • manual: no address.

If the interface is to be used for receiving VPN connections (Site-2-Site VPN or Remote access VPN), a static IP address must be used. Static mode is set automatically when an IP address is assigned to the interface. To use the interface as a VPN client, select dhcp.

ip-addresses

Assign an IP address to the interface.

The IP addresses are specified as [ <ip_address/mask> ] or [ <ip_address/mask> <ip_address/mask> ], with a space separating several addresses. The mask is given as a decimal prefix length, for example 192.168.1.1/24.

Important! Make sure to separate the square brackets with spaces on both sides.

mtu

Specify the MTU size for the selected interface.

To update an existing VPN interface, use the following command:

Admin@nodename# set network interface vpn <vpn-name>

The parameters available for setting are the same as those for creating an interface, except for interface-name (you cannot change this parameter's value).

To delete a VPN interface or its parameters, use the following command:

Admin@nodename# delete network interface vpn <vpn-name>

You can delete the following parameters: ip-addresses.

To display information about all VPN interfaces, use the following command:

Admin@nodename# show network interface vpn

To display information about a single interface, use the following command:

Admin@nodename# show network interface vpn <vpn-name>

Configuring tunnels

You create and configure tunnels at the network interface tunnel level.

To create a tunnel, use the following command:

Admin@nodename# create network interface tunnel

Parameters:

Parameter

Description

enabled

Enable/disable the tunnel:

  • on

  • off

interface-number

Enter a number to include in the tunnel name (for example, if you enter 1 the interface name will be gre1).

description

Tunnel description.

alias

The interface's alias.

node-name

Cluster node where the tunnel is created.

zone

Zone to which the interface belongs.

link-info

Settings for network interface parameters:

  • bc_forwarding: control forwarding of directed broadcast packets arriving at the interface. Forwarded directed broadcasts are the amplification vector behind Smurf-style attacks, and RFC 2644 recommends that routers disable such forwarding by default; keep the value at 0 unless an application on the segment depends on it.

  • proxy_arp, proxy_arp_vlan: Proxy ARP mechanism. With proxy_arp, UserGate will respond to ARP requests for addresses outside the interface's network; with proxy_arp_vlan, UserGate will respond to ARP requests for addresses that belong to the interface's network. Enable Proxy ARP only where this is intended: every host on the segment will then send traffic for those addresses through UserGate.

To specify them, use the following format:

Admin@nodename# create network interface <iface-type> ... link-info [ key/value ]

where key is the parameter name, which can include lowercase Latin letters (a-z) and underscore (_), and

value is the parameter value. Parameter values can only be integers.

For example, use proxy_arp/1 to enable the Proxy ARP mechanism and proxy_arp/0 to disable it.

The link-info field is displayed only when adding parameters.

Important! You cannot delete the specified parameters.

mtu

The MTU size for the selected interface.

ip-addresses

The IP address assigned to the tunnel interface.

The IP addresses are specified as [ <ip_address/mask> ] or [ <ip_address/mask> <ip_address/mask> ], with a space separating several addresses. The mask is given as a decimal prefix length, for example 192.168.1.1/24.

Important! Make sure to separate the square brackets with spaces on both sides.

local-ip

The local address of the Point-to-Point interface.

remote-ip

The remote address of the Point-to-Point interface.

mode

The tunnel operation mode:

  • gre: GRE (Generic Routing Encapsulation), a tunnelling protocol originally developed by Cisco Systems that encapsulates network-layer packets in IP packets. The outer IP protocol number is 47.

  • ipip: IPIP, which encapsulates one IP packet in another. The outer header's source address is the tunnel entry point and its destination address is the tunnel exit point. The outer IP protocol number is 4.

  • vxlan: VXLAN, which encapsulates Layer 2 Ethernet frames in UDP datagrams sent to port 4789.

None of these modes encrypts or authenticates the encapsulated traffic. A tunnel that crosses an untrusted network should be carried inside an IPsec VPN, and firewall rules on the outer interface should accept tunnel packets only from the expected remote endpoint.

vxlan-id

The VXLAN network identifier (VNI), a 24-bit value. Relevant only for a VXLAN tunnel.

To edit an existing tunnel parameters, use the following command:

Admin@nodename# set network interface tunnel <tunnel-name>

The parameters available for setting are the same as those for creating an interface, except for interface-number and node-name (you cannot change these parameter values).

To delete a tunnel interface or its parameters, use the following command:

Admin@nodename# delete network interface tunnel <tunnel-name>

You can delete the following parameters: ip-addresses.

To display information about all tunnels, use the following command:

Admin@nodename# show network interface tunnel

To display information about a single interface, use the following command:

Admin@nodename# show network interface tunnel <tunnel-name>

Properties of loopback interfaces

You create and configure a loopback interface at the network interface loopback level.

To create an interface, use the following command:

Admin@nodename# create network interface loopback

Parameters:

Parameter

Description

enabled

Enable/disable the interface:

  • on

  • off

interface-name

The interface name.

description

Network interface description.

alias

The interface's alias.

ip-addresses

Assign an IP address to the interface.

The IP addresses are specified as [ <ip_address/mask> ]; the mask is given as a decimal prefix length, for example 10.10.10.1/32.

Important! Make sure to separate the square brackets with spaces on both sides.

iface-mode

IP address assignment mode:

  • dhcp: obtain a dynamic IP address via DHCP.

  • manual: no address.

Static mode is set automatically when an IP address is assigned to the interface.

lldp-profile

Profile to send data using Link Layer Discovery Protocol (LLDP). For more details on configuring profiles, see Configuring LLDP Profiles.

zone

Zone to which the interface belongs.

link-info

Settings for interface parameters:

  • bc_forwarding: control forwarding of directed broadcast packets arriving at the interface. Forwarded directed broadcasts are the amplification vector behind Smurf-style attacks, and RFC 2644 recommends that routers disable such forwarding by default; keep the value at 0 unless an application on the segment depends on it.

  • proxy_arp, proxy_arp_vlan: Proxy ARP mechanism. With proxy_arp, UserGate will respond to ARP requests for addresses outside the interface's network; with proxy_arp_vlan, UserGate will respond to ARP requests for addresses that belong to the interface's network. Enable Proxy ARP only where this is intended: every host on the segment will then send traffic for those addresses through UserGate.

To specify them, use the following format:

Admin@nodename# create network interface <iface-type> ... link-info [ key/value ]

where key is the parameter name, which can include lowercase Latin letters (a-z) and underscore (_), and

value is the parameter value. Parameter values can only be integers.

For example, use proxy_arp/1 to enable the Proxy ARP mechanism and proxy_arp/0 to disable it.

The link-info field is displayed only when adding parameters.

Important! You cannot delete the specified parameters.

netflow-profile

The Netflow profile to send statistical data to the Netflow collector. For more details on Netflow profile settings, see Configuring Netflow Profiles.

node-name

Cluster node where the interface is created.

mac

Interface MAC address.

mtu

Specify the MTU size.

dhcp-relay

Settings for the DHCP relay on the interface. You need to specify the following:

  • enabled: enable/disable the relay:

    • on

    • off

  • utm-address: IP address of the UserGate interface on which the relay function is added (possible values: <ip | none>).

  • server-address: addresses of DHCP servers where DHCP requests from clients should be redirected.

To edit an existing interface, use the following command:

Admin@nodename# set network interface loopback <interface-name>

The parameters available for setting are the same as those for creating a loopback interface, except for node-name and interface-name (you cannot change these parameter values).

To delete a loopback interface or its parameters, use the following command:

Admin@nodename# delete network interface loopback <interface-name>

You can delete the following parameters:

Parameter

Description

ip-addresses

Specified IP address.

dhcp-relay

A DHCP server address from the relay's server-address list.

To display information about all loopback interfaces, use the following command:

Admin@nodename# show network interface loopback

To display information about a single interface, use the following command:

Admin@nodename# show network interface loopback <interface-name>


Gateways

This section is located at the network gateway level.

To add a new gateway, use the following command:

Admin@nodename# create network gateway

Available parameters:

Parameter

Description

enabled

Enable/disable the gateway:

  • on

  • off

name

Gateway name.

description

Gateway description.

interface

Interface used to access the Internet.

virtual-router

Select the virtual router for which the gateway is configured.

ip

Gateway IP address.

node-name

Select the cluster node for which the gateway is configured.

weight

Gateway weight (the greater the weight, the greater the share of traffic goes through the gateway).

balancing

Balancing mode: all traffic to the Internet will be distributed between the gateways according to their weights:

  • on

  • off

default

Use this gateway as the default gateway:

  • on

  • off

To update gateway parameters, use the following command:

Admin@nodename# set network gateway <gateway-name>

You can use the same set of parameters as when creating a gateway.

To delete a gateway, use the following command:

Admin@nodename# delete network gateway <gateway-name>

To display information about all gateways, use the following command:

Admin@nodename# show network gateway

To display information about a single gateway, use the following command:

Admin@nodename# show network gateway <gateway-name>


DHCP

This section is located at the network dhcp level.

To create a DHCP subnet, use the following command:

Admin@nodename# create network dhcp

Parameters:

Parameter

Description

enabled

Enable/disable the use of this IP address range:

  • on

  • off

name

Subnet name.

description

Subnet description.

interface

Interface of the server which will assign IP addresses from the range being created.

ip-range

The IP address range assigned to DHCP clients. Format: <IP_start-IP_end>.

mask

The subnet mask assigned to DHCP clients.

expiration-time

The duration in seconds for which IP addresses are assigned.

domain

The domain name assigned to DHCP clients.

gateway

The gateway IP address assigned to DHCP clients.

dns-servers

The DNS server IP addresses assigned to DHCP clients.

reserved-hosts

The MAC addresses and the associated IP addresses:

  • mac: MAC address.

  • ip: IP address associated with the MAC address.

  • hostname: name of the host.

ignored-mac

List of MAC addresses ignored by the DHCP server.

pxe-boot-ip

PXE boot server IP.

pxe-boot-filename

PXE boot filename.

options

Option number and value:

  • code: DHCP option number.

  • values: option value.
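
The parameter table above describes what a DHCP subnet consists of, but not what makes one consistent. The following validator is an added example in Python (not UserGate's own code) that checks a planned subnet before the create network dhcp command is typed: a pool that includes the network or broadcast address, a gateway inside the dynamic pool (which could be leased to a client), reservations outside the subnet, malformed MAC addresses and a non-positive lease time. The dictionaries mirror the table's parameter names; their values, the interface name port2 and the sample hosts are constructed for illustration.

```python
"""Consistency checks for a planned UserGate DHCP subnet (added example, not UserGate code).

Keys follow the parameter names in the CLI table; values are constructed samples.
"""
import re
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def _ip(value: str, what: str, problems: list) -> Optional[IPv4Address]:
    """Parse an IPv4 address, recording a problem instead of raising on bad input."""
    try:
        return IPv4Address(value)
    except ValueError:
        problems.append(f"{what}: {value!r} is not a valid IPv4 address")
        return None


def validate_dhcp_subnet(cfg: dict) -> list:
    """Return a list of problems; an empty list means the subnet is consistent."""
    problems = []
    start_s, _, end_s = cfg["ip-range"].partition("-")      # format <IP_start-IP_end>
    start, end = IPv4Address(start_s), IPv4Address(end_s)
    # The subnet is implied by the pool's first address and the dotted mask.
    net = IPv4Network(f"{start}/{cfg['mask']}", strict=False)
    if start > end:
        problems.append("ip-range: start is greater than end")
    if end not in net:
        problems.append(f"ip-range: {end} is outside {net}")
    if start == net.network_address or end == net.broadcast_address:
        problems.append("ip-range: pool includes the network or broadcast address")
    gw = _ip(cfg["gateway"], "gateway", problems)
    if gw is not None:
        if gw not in net:
            problems.append(f"gateway: {gw} is outside {net}")
        elif start <= gw <= end:
            problems.append("gateway: lies inside the dynamic pool and could be leased to a client")
    if int(cfg.get("expiration-time", 0)) <= 0:
        problems.append("expiration-time: must be a positive number of seconds")
    for server in cfg.get("dns-servers", []):
        _ip(server, "dns-servers", problems)
    seen_ips, seen_macs = set(), set()
    for host in cfg.get("reserved-hosts", []):
        mac = host["mac"].lower()
        if not MAC_RE.match(mac):
            problems.append(f"reserved-hosts: malformed MAC {host['mac']!r}")
        elif mac in seen_macs:
            problems.append(f"reserved-hosts: MAC {mac} reserved twice")
        seen_macs.add(mac)
        ip = _ip(host["ip"], "reserved-hosts", problems)
        if ip is None:
            continue
        if ip not in net:
            problems.append(f"reserved-hosts: {ip} for {host['hostname']} is outside {net}")
        if gw is not None and ip == gw:
            problems.append(f"reserved-hosts: {ip} is the gateway address")
        if ip in seen_ips:
            problems.append(f"reserved-hosts: {ip} reserved twice")
        seen_ips.add(ip)
    for mac in cfg.get("ignored-mac", []):
        if not MAC_RE.match(mac):
            problems.append(f"ignored-mac: malformed MAC {mac!r}")
    return problems


# Constructed configurations (sample values, not from a real deployment).
GOOD_SUBNET = {
    "name": "office-lan", "interface": "port2",
    "ip-range": "192.168.200.100-192.168.200.200", "mask": "255.255.255.0",
    "gateway": "192.168.200.1", "dns-servers": ["192.168.200.1"],
    "expiration-time": 86400, "domain": "office.example.com",
    "reserved-hosts": [{"mac": "00:11:22:33:44:55", "ip": "192.168.200.50", "hostname": "printer"}],
    "ignored-mac": ["00:de:ad:be:ef:00"],
}

BAD_SUBNET = {
    "name": "broken", "interface": "port2",
    "ip-range": "192.168.200.1-192.168.200.255", "mask": "255.255.255.0",
    "gateway": "192.168.200.1", "dns-servers": ["192.168.200.53", "not-an-ip"],
    "expiration-time": 0, "domain": "broken.example.com",
    "reserved-hosts": [{"mac": "zz:11:22:33:44:55", "ip": "10.0.0.5", "hostname": "stray"}],
    "ignored-mac": [],
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_SUBNET), ("bad", BAD_SUBNET)):
        print(name, validate_dhcp_subnet(cfg) or "ok")
```

The mask is parsed from the dotted form the mask parameter uses; the pool's first address together with that mask defines the subnet against which the gateway and every reservation are checked.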

To update an existing DHCP subnet, use the following command:

Admin@nodename# set network dhcp <dhcp-name>

The parameters available for setting are the same as those used when creating a subnet.

To delete a subnet, use the following command:

Admin@nodename# delete network dhcp <dhcp-name>

You can also delete individual DHCP subnet parameters:

  • dns-servers.

  • ignored-mac.

  • reserved-hosts (specify all three values: mac, ip, and hostname)

  • options (specify both values: code and values).

To display information about all subnets created, use the following command:

Admin@nodename# show network dhcp

To display information about a specific DHCP subnet, use the following command:

Admin@nodename# show network dhcp <dhcp-name>


DNS Configuration

This section is located at the network dns level.

Settings for System DNS servers

You configure system DNS servers at the network dns system-dns-servers level.

To add new DNS servers or update the list of existing ones, use the following command:

Admin@nodename# set network dns system-dns-servers ip [ <ip> <ip> ... ]

To delete the entire list of DNS server addresses, use the following command:

Admin@nodename# delete network dns system-dns-servers

To delete individual servers, use the following command:

Admin@nodename# delete network dns system-dns-servers ip [ <ip> <ip> ... ]

To display the list of system DNS servers, use the following command:

Admin@nodename# show network dns system-dns-servers

DNS proxy settings

You configure DNS proxies at the network dns proxy-settings level.

To edit DNS proxy settings, use the following command:

Admin@nodename# set network dns proxy-settings

Add the parameters you want to change:

Parameter

Description

filtering

DNS request filtering:

  • on

  • off

caching

Cache DNS responses:

  • on

  • off

limit

Limit the number of DNS queries per second for each user (default value: 100).

max-ttl

Maximum possible time-to-live for DNS records.

recursive

Perform recursive DNS queries:

  • on

  • off

dns-timeout

Time to the next attempt to query a DNS server (in milliseconds).

a-aaaa-unknown

Answer only A and AAAA queries from users who have not been identified (authenticated); queries for other record types (TXT, NULL, CNAME, MX and so on) from such users are refused. DNS tunnelling tools depend on those record types to carry data, so enabling this setting makes establishing a covert channel or VPN over DNS from an unidentified host largely impractical:

  • on

  • off

retries

Number of attempts to send a DNS request.

factory-defaults

Reset the values of the selected parameter (parameters shown in this table) or all parameters (all) to factory defaults.

Example command to edit DNS-proxy parameters:

Admin@nodename# set network dns proxy-settings limit 10 dns-timeout 10
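
The two settings in the table that matter most for abuse, a-aaaa-unknown and limit, are easiest to understand by replaying traffic through them. The following Python model is an added example, not UserGate's code: it answers only A and AAAA queries from unidentified users when a-aaaa-unknown is on and caps each user at limit queries per second. The sliding one-second window is this example's own modelling choice (the page does not say how the product counts queries), and the users, timestamps and query types are constructed.

```python
"""Model of the a-aaaa-unknown and limit DNS-proxy settings (added example, not UserGate code)."""
from collections import defaultdict, deque


class DnsProxyPolicy:
    def __init__(self, a_aaaa_unknown: bool = True, limit: int = 100):
        self.a_aaaa_unknown = a_aaaa_unknown
        self.limit = limit                      # queries per second per user (page default: 100)
        self._recent = defaultdict(deque)       # user -> timestamps within the last second

    def decide(self, user: str, identified: bool, qtype: str, ts: float) -> str:
        """Return 'answer', 'refused' (record type not allowed for this user)
        or 'dropped' (per-user rate limit exceeded). Refused queries still
        count against the limit, so a tunnelling client cannot probe for free.
        The sliding window is a modelling assumption."""
        window = self._recent[user]
        while window and ts - window[0] >= 1.0:
            window.popleft()
        if len(window) >= self.limit:
            return "dropped"
        window.append(ts)
        if self.a_aaaa_unknown and not identified and qtype not in ("A", "AAAA"):
            # TXT, NULL, CNAME and similar records are what DNS-tunnelling tools
            # use to carry data downstream; unidentified users get none of them.
            return "refused"
        return "answer"


def replay(policy: DnsProxyPolicy, queries) -> dict:
    """Run (user, identified, qtype, timestamp) tuples and tally outcomes per user."""
    tally = defaultdict(lambda: {"answer": 0, "refused": 0, "dropped": 0})
    for user, identified, qtype, ts in queries:
        tally[user][policy.decide(user, identified, qtype, ts)] += 1
    return dict(tally)


# Constructed traffic: an identified user doing ordinary lookups, an
# unidentified host issuing a burst of TXT queries in the pattern of a DNS
# tunnel, and an unidentified host exceeding the per-user limit.
SAMPLE_QUERIES = (
    [("alice", True, "A", 0.10), ("alice", True, "TXT", 0.20)]
    + [("guest-1", False, "TXT", 0.10 + i * 0.01) for i in range(20)]
    + [("guest-1", False, "A", 0.50)]
    + [("noisy", False, "A", 1.0 + i * 0.001) for i in range(120)]
)


def summarize(a_aaaa_unknown: bool = True, limit: int = 100) -> dict:
    """Tally of the sample traffic under the given proxy settings."""
    return replay(DnsProxyPolicy(a_aaaa_unknown, limit), SAMPLE_QUERIES)


if __name__ == "__main__":
    for user, counts in summarize().items():
        print(user, counts)
```

With the defaults, the identified user is answered in full, the unidentified TXT burst is refused while its single A query is answered, and the chatty host keeps its first 100 queries in the second and loses the remaining 20. Turning a-aaaa-unknown off lets the TXT burst through unchanged.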

To display DNS proxy settings, use the following command:

Admin@nodename# show network dns proxy-settings

Configuring DNS rules

DNS rules are configured at the network dns rules level using the UPL syntax. For more details on the command structure, see Configuring Rules Using UPL.

DNS rule parameters:

Parameter

Description

PASS

OK

Action to create a rule using UPL.

enabled

Enable/disable the rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

The name of the rule.

Example: name("DNS rule example").

desc

DNS proxy rule description.

Example: desc("DNS rule example set via CLI").

url.domain

List of domains whose queries are forwarded to the DNS servers given in dns_server. You can use an asterisk (*) as a wildcard in a domain template.

To specify a list of domains: url.domain = "*.example.com".

dns_server

List of DNS server IP addresses to which requests for the specified domains should be forwarded.

To specify a server: dns_server(1.2.3.4).

Example command to create a DNS rule using UPL:

Admin@nodename# create network dns rules 1 upl-rule OK \
...url.domain = "*.example.com" \
...dns_server(1.2.3.4) \
...name("DNS rule example") \
...desc("DNS rule example description over CLI") \
...enabled(true) \
...
Admin@nodename#
Admin@nodename# show network dns rules
% ----------------- 1 -----------------
OK \
url.domain = "*.example.com" \
dns_server(1.2.3.4) \
desc("DNS rule example description over CLI") \
enabled(true) \
id("0f83e1bb-0aa5-4f42-8eeb-9c4ffa30c04a") \
name("DNS rule example")

Configuring DNS proxy static records

This section is located at the network dns static-records level.

To add a static DNS record, use the following command:

Admin@nodename# create network dns static-records

Specify the parameters:

Parameter

Description

enabled

Enable/disable static record usage:

  • on

  • off

name

Record name.

description

DNS record description.

domain

Static record FQDN (Fully Qualified Domain Name), e.g. www.example.com.

dns-a-records

List of IP addresses the UserGate server will return when this FQDN is queried.

To display information about all existing static DNS records, use the following command:

Admin@nodename# show network dns static-records

To display information about a specific record, use the following command:

Admin@nodename# show network dns static-records <static-record-name>

Example of creating a static DNS record:

Admin@nodename# create network dns static-records name "Test DNS static record" description "Test DNS static record description" enabled on domain example.com dns-a-records [ 10.10.0.100 ]
Admin@nodename#
Admin@nodename# show network dns static-records
Test DNS static record
    name          : Test DNS static record
    description   : Test DNS static record description
    domain        : example.com
    dns-a-records : 10.10.0.100
    enabled       : on

To edit information about static DNS records:

Admin@nodename# set network dns static-records <static-record-name>

The set of parameters available to change is the same as those for the create command.

An example of editing a previously created static DNS record. Note that set adds the given address to the existing dns-a-records list rather than replacing it:

Admin@nodename# set network dns static-records "Test DNS static record" dns-a-records [ 10.10.0.101 ]
Admin@nodename# show network dns static-records "Test DNS static record"
    name          : Test DNS static record
    description   : Test DNS static record description
    domain        : example.com
    dns-a-records : 10.10.0.100; 10.10.0.101
    enabled       : on

To delete a static record, use the following command:

Admin@nodename# delete network dns static-records <static-record-name>

You can also delete only the dns-a-records parameter values from the static record.

An example of deleting one value of the dns-a-records parameter from a previously created record and then deleting the entire static DNS record:

Admin@nodename# delete network dns static-records "Test DNS static record" dns-a-records [ 10.10.0.101 ]
Admin@nodename# show network dns static-records "Test DNS static record"
    name          : Test DNS static record
    description   : Test DNS static record description
    domain        : example.com
    dns-a-records : 10.10.0.100
    enabled       : on
Admin@nodename# delete network dns static-records "Test DNS static record"
Admin@nodename# show network dns static-records
Admin@nodename#


Configuring Virtual Routers

This section describes how to configure static routes, OSPF, BGP, and RIP dynamic routing protocols, and multicast routing using the CLI (the configuration is discussed in the respective sections). These settings are applied at the network virtual-router level.

Commands used to configure general settings of virtual routers are listed below.

To add a new virtual router, use the following command:

Admin@nodename# create network virtual-router <parameters>

Specify the parameters:

Parameter

Description

name

Virtual router unique name.

description

Virtual router description.

node-name

Select a UserGate node where the virtual router will be created (if a cluster exists).

interfaces

Interfaces to use on this virtual router. You cannot add interfaces already added to other virtual routers. An interface can belong to only one virtual router. All types of interfaces, including physical, virtual (VLAN), bond, VPN, and others can be added to a virtual router.

To display information about a virtual router, use the following command:

Admin@nodename# show network virtual-router <virtual-router-name>

Example of creating a virtual router:

Admin@nodename# create network virtual-router name test_router description "Test virtual router" interfaces [ port2 ]
Admin@nodename# show network virtual-router test_router
    name        : test_router
    description : Test virtual router
    node-name   : node_1
    interfaces  : port2
    ...

To edit virtual router parameters, use the following command:

Admin@nodename# set network virtual-router <virtual-router-name>

The parameters available to update are the same as those for the create command, except for:

  • name.

  • node-name.

Example of editing virtual router parameters:

Admin@nodename# set network virtual-router test_router interfaces [ port3 ]
Admin@nodename# show network virtual-router test_router
    name        : test_router
    description : Test virtual router
    node-name   : node_1
    interfaces  : port2; port3
    ...

To delete a virtual router, use the following command:

Admin@nodename# delete network virtual-router <virtual-router-name>

Configuring static routes

To add a new static route, use the following command:

Admin@nodename# set network virtual-router <virtual-router-name> routes new

Specify the parameters:

Parameter

Description

enabled

Enable/disable usage of a static route:

  • on

  • off

name

Route name.

description

Route description.

type

Route type:

  • unicast: the standard route type. Forwards the traffic destined for the specified address via the specified gateway.

  • unreachable: drops the traffic and sends an ICMP "Host unreachable" message (type 3, code 1) to the source.

  • prohibit: drops the traffic and sends an ICMP "Communication administratively prohibited" message (type 3, code 13) to the source.

  • blackhole: drops the traffic without informing the source that the data did not reach the recipient.

destination-ip

IP address of the destination subnet, format: <ip/mask>.

gateway

IP address of the gateway through which the specified subnet will be reachable. The IP address must be reachable from the UserGate server.

interface

Interface through which the route is added.

metric

Route metric. The lower the metric, the higher the priority of the route (if there is more than one route to a network).
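
How the four route types and the metric combine into a forwarding decision is shown by the following Python model, an added example that is not UserGate's code: the longest matching prefix wins, among equal prefixes the lowest metric wins, and the winning route's type decides whether traffic is forwarded or dropped and which ICMP message, if any, the sender receives. The routing table, gateway addresses and interface names are constructed for illustration; the "Test static route" entry mirrors the CLI example that follows, and the RFC 1918 null routes show a common use of the non-forwarding types.

```python
"""Static-route selection and route-type semantics (added example, not UserGate code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# ICMP Destination Unreachable (type 3) codes sent by the non-forwarding route types.
ICMP_REPLY = {
    "unreachable": (3, 1),    # host unreachable
    "prohibit": (3, 13),      # communication administratively prohibited
    "blackhole": None,        # silent drop, the source learns nothing
}


@dataclass(frozen=True)
class StaticRoute:
    name: str
    destination_ip: str               # <ip/mask>, as in the destination-ip parameter
    type: str = "unicast"             # unicast | unreachable | prohibit | blackhole
    gateway: Optional[str] = None
    interface: Optional[str] = None
    metric: int = 1
    enabled: bool = True

    @property
    def network(self) -> IPv4Network:
        return IPv4Network(self.destination_ip, strict=False)


def lookup(routes, dst: str) -> dict:
    """Pick the best enabled route for dst and translate it into a forwarding action."""
    addr = IPv4Address(dst)
    candidates = [r for r in routes if r.enabled and addr in r.network]
    if not candidates:
        return {"action": "no-route", "route": None}
    # Longest prefix first; among equal prefixes the lowest metric wins.
    best = min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))
    if best.type == "unicast":
        return {"action": "forward", "route": best.name,
                "gateway": best.gateway, "interface": best.interface}
    if best.type not in ICMP_REPLY:
        raise ValueError(f"unknown route type {best.type!r}")
    return {"action": "drop", "route": best.name, "icmp": ICMP_REPLY[best.type]}


# Constructed routing table (addresses and port names are assumptions).
ROUTES = [
    StaticRoute("default", "0.0.0.0/0", gateway="192.168.100.1", interface="port2", metric=10),
    StaticRoute("Test static route", "192.168.200.0/24", gateway="192.168.100.100",
                interface="port3", metric=1),
    StaticRoute("backup to 200", "192.168.200.0/24", gateway="192.168.100.101",
                interface="port3", metric=5),
    StaticRoute("branch", "10.10.0.0/16", gateway="192.168.100.2", interface="port2"),
    # Null-route the remaining RFC 1918 space so traffic for unknown private
    # destinations is dropped here instead of leaking out via the default route.
    StaticRoute("rfc1918-10", "10.0.0.0/8", type="blackhole"),
    StaticRoute("rfc1918-172", "172.16.0.0/12", type="unreachable"),
    StaticRoute("rfc1918-192", "192.168.0.0/16", type="prohibit"),
    # A disabled route takes no part in the decision.
    StaticRoute("old-dc", "192.168.50.0/24", gateway="192.168.100.50",
                interface="port3", enabled=False),
]

if __name__ == "__main__":
    for dst in ("192.168.200.7", "10.1.2.3", "10.10.5.5", "8.8.8.8", "172.16.0.1", "192.168.50.1"):
        print(dst, lookup(ROUTES, dst))
```

Note how 192.168.200.7 is forwarded although 192.168.0.0/16 is a prohibit route: the /24 is more specific, and between the two /24 entries the metric decides. Traffic for 192.168.50.1, whose specific route is disabled, falls through to the prohibit route and the sender receives type 3 code 13.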

Example of adding a static route:

Admin@nodename# set network virtual-router test_router routes new name "Test static route" description "Test static route description" destination-ip 192.168.200.0/24 gateway 192.168.100.100 interface port3 type unicast metric 1 enabled on
Admin@nodename#
Admin@nodename# show network virtual-router test_router
    name        : test_router
    description : Test virtual router
    node-name   : node_1
    interfaces  : port2; port3
    routes      :
        Test static route
            name           : Test static route
            enabled        : on
            description    : Test static route description
            destination-ip : 192.168.200.0/24
            gateway        : 192.168.100.100
            interface      : port3
            metric         : 1
    ...

To change the parameters of an existing static route, use the following command:

Admin@nodename# set network virtual-router <virtual-router-name> routes <static-route-name>

The parameters available to change are listed in the table above.

Example of editing a static route:

Admin@nodename# set network virtual-router test_router routes "Test static route" metric 10
Admin@nodename# show network virtual-router test_router
    name        : test_router
    description : Test virtual router
    node-name   : node_1
    interfaces  : port2; port3
    routes      :
        Test static route
            name           : Test static route
            enabled        : on
            description    : Test static route description
            destination-ip : 192.168.200.0/24
            gateway        : 192.168.100.100
            interface      : port3
            metric         : 10
    ...

To delete a static route, use the following command:

Admin@nodename# delete network virtual-router <virtual-router-name> routes <static-route-name>

Example of deleting a static route:

Admin@nodename# delete network virtual-router test_router routes "Test static route"
Admin@nodename# show network virtual-router test_router
    name        : test_router
    description : Test virtual router
    node-name   : node_1
    interfaces  : port2; port3
    routes      : []
    ...

To display static routes, use the following command:

Admin@nodename# show network virtual-router <virtual-router-name> routes

OSPF Configuration

To configure OSPF using CLI, use the following command:

Admin@nodename# set network virtual-router <virtual-router-name> ospf

Provide the following OSPF router parameters:

Parameter

Description

enabled

Enable/disable an OSPF router:

  • on

  • off

router-id

Router ID: a 32-bit identifier written in IPv4 dotted-decimal notation. It must be unique within the OSPF domain; for convenience it can be set to one of the IP addresses assigned to the UserGate network interfaces that belong to this virtual router.

If the OSPF is disabled (enabled off), the router-id value can be deleted (none).

metric

Redistributed route metric.

default-originate

Notify other routers that this router has a default route configured:

  • on

  • off

interfaces

Select one of the existing interfaces on which OSPF will run. Only the interfaces belonging to this virtual router are available for selection.

To add an interface or change parameters for an existing interface, use the following commands:

Admin@nodename# set network virtual-router <virtual-router-name> ospf interfaces new
Admin@nodename# set network virtual-router <virtual-router-name> ospf interfaces <interface-name>

Next, specify the following parameters:

  • enabled <on | off>: enable/disable the interface.

  • interface: name of the interface in this virtual router.

  • description: interface description.

  • bfd: Add a bfd profile (Bidirectional Forwarding Detection). Bfd profiles are created in the element library, read more in the Configuring Libraries section.

  • cost: interface link cost. This value is reported in the LSA (link-state advertisement) to the neighboring routers which use it to compute the shortest path. Default value: 1.

  • priority: an integer from 0 to 255. The higher the value, the higher the probability that this router will become the network's designated router for sending out LSAs. A value of 0 excludes the router from being designated. Default value: 1.

  • network-type: select a network type to optimize the adjacency establishment process. Available values:

    • none: not specified

    • bc: broadcast

    • ptm: point to multipoint

    • ptp: point to point

  • passive-mode <on | off>: enable/disable the passive operating mode of the interface, in which routing protocol update packets are prohibited from being sent through the interface.

  • hello-interval: time between hello packets (in seconds). It must be identical on all routers attached to the same network segment, otherwise they will not form an adjacency. The default value is 10 seconds.

  • dead-interval: time after which the router is considered offline (in seconds). The time is counted from the moment of receiving the last hello packet from the neighboring router. The default value is 40 seconds.

  • retransmit-interval: time before the LSA packet is retransmitted (in seconds). The default value is 5 seconds.

  • transmit-delay: approximate time required to deliver link state updates to neighbor routers (in seconds). The default value is 1 second.

  • authentication: authentication of OSPF packets on this interface. Available values:

    • enabled <on | off>: require every OSPF packet received on the interface to be authenticated. Authentication stops an illegitimate device on the segment from forming an adjacency and injecting fake routes.

    • auth-type: plain (the key is sent in clear text in the packet header, so anyone who can sniff the segment obtains it) or digest (an MD5 hash computed over the packet and the key is appended; the key itself never leaves the router). Use digest unless a peer cannot support it.

    • md5: the key ID used with digest authentication. The receiver selects the key by this ID, so it must be the same on both neighbours.

    • key: the key. A key can only contain Latin letters, numbers, and the underscore. Maximum length: 16 characters.
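
The difference between plain and digest, and the role of the key ID, sequence number and 16-byte key above, in working code. This is an added example in Python following RFC 2328 Appendix D, not UserGate's implementation: it builds a minimal OSPFv2 Hello with either authentication type and verifies it the way a neighbour would. With plain authentication the key sits in the 8-byte Authentication field of the header in clear text; with digest authentication that field carries the key ID, the digest length and a cryptographic sequence number, the standard checksum is left at zero, and MD5 over the packet plus the zero-padded 16-byte key is appended. The Hello field values, the router ID 192.168.100.3, the key s3cret_key and key ID 1 are constructed for illustration.

```python
"""OSPFv2 Hello authentication, plain versus MD5 digest (added example, not UserGate code).

Field layout follows RFC 2328 (header in A.3.1, authentication in Appendix D).
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AUTH_SIMPLE, AUTH_CRYPT = 1, 2    # AuType: simple password (plain), cryptographic (digest)
HELLO = 1
HEADER_LEN = 24
MD5_KEY_LEN = 16                  # digest keys are zero-padded (or cut) to 16 bytes


def _pad(key: bytes, size: int) -> bytes:
    return key[:size].ljust(size, b"\x00")


def _checksum(packet: bytes) -> int:
    """Standard OSPF checksum: one's-complement sum over the packet with the
    64-bit Authentication field excluded (RFC 2328 A.3.1). Omitted for MD5."""
    data = packet[:16] + packet[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(router_id: str, area_id: int, auth_type: int, key: bytes,
                key_id: int = 1, seq: int = 0) -> bytes:
    """Hello for a /24 segment: hello 10 s, dead 40 s, priority 1, no DR/BDR yet."""
    body = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
    length = HEADER_LEN + len(body)
    rid = IPv4Address(router_id).packed
    if auth_type == AUTH_SIMPLE:
        auth = _pad(key, 8)                       # the password itself, readable on the wire
        head = struct.pack("!BBH4sIHH", 2, HELLO, length, rid, area_id, 0, auth_type) + auth
        csum = _checksum(head + body)
        return head[:12] + struct.pack("!H", csum) + head[14:] + body
    if auth_type == AUTH_CRYPT:
        auth = struct.pack("!HBBI", 0, key_id, MD5_KEY_LEN, seq)  # no key material here
        head = struct.pack("!BBH4sIHH", 2, HELLO, length, rid, area_id, 0, auth_type) + auth
        packet = head + body                      # checksum field stays 0 for MD5
        return packet + hashlib.md5(packet + _pad(key, MD5_KEY_LEN)).digest()
    raise ValueError("unsupported auth type")


def verify_hello(packet: bytes, key: bytes, key_id: int = 1, last_seq: int = -1) -> bool:
    """Accept the packet only if it authenticates under the configured key (and key ID)
    and, for MD5, carries a sequence number not older than the last one seen."""
    if len(packet) < HEADER_LEN:
        return False
    version, _ptype, length = struct.unpack("!BBH", packet[:4])
    stored_csum, autype = struct.unpack("!HH", packet[12:16])
    auth = packet[16:24]
    if version != 2 or len(packet) < length:
        return False
    if autype == AUTH_SIMPLE:
        recomputed = _checksum(packet[:12] + b"\x00\x00" + packet[14:length])
        return recomputed == stored_csum and hmac.compare_digest(auth, _pad(key, 8))
    if autype == AUTH_CRYPT:
        _zero, pkt_key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        if pkt_key_id != key_id or auth_len != MD5_KEY_LEN or seq < last_seq:
            return False                          # wrong key ID or replayed packet
        digest = packet[length:length + MD5_KEY_LEN]
        expected = hashlib.md5(packet[:length] + _pad(key, MD5_KEY_LEN)).digest()
        return hmac.compare_digest(digest, expected)
    return False


if __name__ == "__main__":
    plain = build_hello("192.168.100.3", 1, AUTH_SIMPLE, b"s3cret")
    digest = build_hello("192.168.100.3", 1, AUTH_CRYPT, b"s3cret_key", key_id=1, seq=5)
    print("key visible in plain packet:", b"s3cret" in plain)
    print("key visible in digest packet:", b"s3cret_key" in digest)
```

The sequence number is what separates digest authentication from a mere integrity check: a captured Hello replayed later carries an older sequence number and is rejected even though its digest is valid. The key must still be treated as a shared secret, since MD5 over packet-plus-key offers no protection to anyone who learns it.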

areas

Configuring the OSPF area.

To add a new area or change parameters for an existing one, use the following commands:

Admin@nodename# set network virtual-router <virtual-router-name> ospf areas new
Admin@nodename# set network virtual-router <virtual-router-name> ospf areas <area-name>

Next, specify the following parameters:

  • enabled <on | off>: enable/disable the area.

  • name: area name.

  • description: area description.

  • cost: cost of the default summary route that an ABR announces into a stub area.

  • area-id: area ID. The ID can be specified in decimal format or in IP address notation. Neighbouring routers must use the same area ID to establish an OSPF adjacency.

  • auth-type: authentication type. Available values:

    • none: do not require OSPF packet authentication.

    • plain: transmit the key as plain text to authenticate OSPF packets. The key specified in the interface settings is used.

    • digest: use an MD5 hash of the key to authenticate OSPF packets. The key specified in the interface settings is used.

    The interface-level authentication settings take precedence over the area-level setting.

  • area-type: OSPF area type. Available types:

    • normal: normal area, created by default. It receives link updates, summary routes, and external routes.

    • nssa: a Not-So-Stubby Area. Like a stub area it does not receive external routes from other areas, but it may contain an ASBR; the ASBR's external routes are carried inside the area as type 7 LSAs and translated to type 5 LSAs by the ABR.

    • stub: a stub area. Does not receive information on routes external to the autonomous system but receives routes from other areas. If routers in a stub area need to send traffic outside the autonomous system, they use the default route. An ASBR cannot reside in a stub area.

  • no-summary: control the injection of inter-area summary routes (type 3 LSAs) into a stub or NSSA area:

    • on: do not inject summary routes; the area receives only a default route from its ABR (a "totally stubby" area).

    • off: inject summary routes.

  • interfaces: select the OSPF interfaces on which this area will be available.

  • virtual-links: a virtual link joins two ABRs through a transit area. It makes it possible, for example, to reconnect a partitioned area or to attach an area that has no direct connection to the backbone area.

    OSPF packets on a virtual link are sent as unicast IP packets through the transit area. Virtual links are meant as a temporary fix or as a backup in case the primary connections fail, not as a permanent design.

    Specify the router IDs of the ABRs at the far end of the virtual links that pass through this area.

redistribute

OSPF route redistribution:

  • connected: redistribute routes to the networks directly connected to UserGate

  • kernel: redistribute routes added by the administrator.

To display a OSPF configuration of a virtual router, use the following command:

Admin@nodename# show network virtual-router <virtual-router-name> ospf

Examples of OSPF configuring in a virtual router:

Admin@nodename# set network virtual-router test_router ospf router-id 192.168.100.3 areas new area-id 1 area-type normal name "New OSPF area" enabled on interfaces [ ]
...
Admin@nodename# show network virtual-router test_router
name              : test_router
description       : Test virtual router
node-name         : node_1
interfaces        : port2; port3
routes            : []
ospf              :
    router-id         : 192.168.100.3
    enabled           : off
    default-originate : off
    metric            : None
    areas             :
        New OSPF area :
            name       : New OSPF area
            enabled    : on
            cost       : 1
            area-id    : 1
            area-type  : normal
            no-summary : off
            interfaces : []
...

To delete OSPF settings, use the following command:

Admin@nodename# delete network virtual-router <virtual-router-name> ospf <parameter>

You can delete the following parameters:

  • interface

  • area

Configuring BGP

To configure BGP (Border Gateway Protocol) dynamic routing protocol on a virtual router, use the following command:

Admin@nodename# set network virtual-router <virtual-router-name> bgp

Specify the parameters:

Parameter

Description

enabled

Enable/disable the BGP router:

  • on

  • off

router-id

Router ID in the form of an IPv4 address. Must match one of the IP addresses assigned to the UserGate network interfaces that belong to this virtual router.

If BGP is disabled (enabled off), the router-id value can be cleared (none).

asn

An autonomous system is a set of IP networks and routers, managed by one or more operators, that share a single routing policy. The number specified here identifies the autonomous system this router belongs to.

multiple-path

Enable/disable load balancing of traffic across routes with the same cost (multipath):

  • on

  • off

redistribute

BGP route redistribution:

  • connected: redistribute routes to the networks directly connected to UserGate

  • kernel: redistribute routes added by the administrator.

  • ospf: redistribute routes received via the OSPF protocol.

networks

A list of networks that belong to this autonomous system. Format: <ip/mask>.

routemaps

Routemaps are used to manage routing tables and specify the match conditions under which routes are passed between domains.

To create a routemap or change parameters for an existing routemap, use the following commands:

Admin@nodename# set network virtual-router <virtual-router-name> bgp routemaps new
Admin@nodename# set network virtual-router <virtual-router-name> bgp routemaps <routemap-name>

Routemap parameters:

  • name: routemap name.

  • description: routemap description.

  • action: action:

    • allow: allow routes that match the routemap conditions to pass through

    • block: do not allow routes that match the routemap conditions to pass through.

  • match-by: match condition to apply a routemap. Match by:

    • ip: IP address.

    • aspath: AS path.

    • community: Community.

  • next-hop: set next hop value for filtered routes to the specified IP address.

  • weight: set the weight for filtered routes to the specified value.

  • metric: set the metric for filtered routes to the specified value.

  • preference: set the preference for filtered routes to the specified value.

  • as-prepend: set the AS-prepend value, which is a list of autonomous systems being added for this route.

  • community: set the BGP community value for filtered routes.

  • append-community: append community.

  • ip-match: add all required IP addresses when selecting IP address matching.

  • as-path-match: add all required autonomous network numbers when selecting AS path matching. POSIX 1003.2 regular expressions are allowed, supplemented by the underscore (_) character that is interpreted as:

    • A space

    • A comma

    • Start of line

    • End of line

    • AS set delimiter { and }

    • AS confederation delimiter ( and ).

  • community-match: add the strings of all desired BGP communities when matching by Community is selected.
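As a worked illustration of the underscore shorthand described above, here is an added Python example (not UserGate code, and not taken from this page) that expands '_' into the equivalent regular expression, tests AS paths against as-path-match expressions and applies a single match-by aspath routemap to a constructed set of routes. The prefixes, AS numbers and AS paths are constructed sample data; how non-matching routes are treated under a block routemap is an assumption noted in the code.

```python
import re

# Expansion of the underscore shorthand used in as-path-match expressions:
# '_' stands for a space, a comma, start of line, end of line, an AS-set
# delimiter ('{' or '}') or an AS-confederation delimiter ('(' or ')').
UNDERSCORE = r"(?:^|$|[ ,{}()])"


def compile_as_path_regex(pattern: str) -> "re.Pattern[str]":
    """Turn an as-path-match expression into a compiled Python regex.

    Only '_' is rewritten; the POSIX 1003.2 constructs normally used in
    AS-path expressions (^, $, ., *, +, ?, [...], (...), |) mean the same
    thing in Python's re module.
    """
    return re.compile(pattern.replace("_", UNDERSCORE))


def as_path_matches(pattern: str, as_path: str) -> bool:
    """True if the AS path (space-separated ASNs, neighbour first, AS sets in
    braces, confederation segments in parentheses) matches the expression."""
    return compile_as_path_regex(pattern).search(as_path) is not None


def routemap_aspath(action: str, pattern: str, routes: dict) -> dict:
    """Apply one routemap with match-by aspath to {prefix: as_path}.

    'allow' keeps only the routes that match; 'block' drops the routes that
    match and keeps the rest. (What happens to non-matching routes under
    'block' is an assumption made for this example.)
    """
    if action not in ("allow", "block"):
        raise ValueError(f"unknown routemap action: {action}")
    keep_if_match = action == "allow"
    return {
        prefix: path
        for prefix, path in routes.items()
        if as_path_matches(pattern, path) == keep_if_match
    }


if __name__ == "__main__":
    # Constructed sample routes: prefix -> AS path as a router would display it.
    sample = {
        "203.0.113.0/24": "65002 65001",        # originated by AS 65001
        "198.51.100.0/24": "65002 165001",      # AS 165001, must not match 65001
        "192.0.2.0/24": "65003 {65001,65004}",  # 65001 inside an AS set
        "10.10.0.0/16": "",                     # locally originated, empty path
    }
    for pattern in ("_65001_", "^65002_", "_65001$", "^$"):
        print(pattern, "->", sorted(routemap_aspath("allow", pattern, sample)))
```

The `_65001_` case is the one that matters in practice: without the underscore expansion, a pattern such as `65001` would also match AS 165001 or 650010, which is how overly broad AS-path filters let unintended prefixes through.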

filters

Filters allow you to filter routes when redistributing.

To create a filter or change parameters for an existing one, use the following commands:

Admin@nodename# set network virtual-router <virtual-router-name> bgp filters new
Admin@nodename# set network virtual-router <virtual-router-name> bgp filters <filter-name>

Parameters:

  • name: the filter name.

  • description: the filter description.

  • action: action:

    • allow: allow routes that match the filter conditions to pass through

    • block: do not allow routes that match the filter conditions to pass through.

  • filter-by: the condition on which the filter is applied. The following match types are available:

    • ip: filter by the IP address.

    • aspath: filter by the AS path.

  • ip-filter: add all desired IP addresses when IP address filtering is selected. The addresses can be specified in the following formats:

    • 10.0.0.0/8 for the 10.0.0.0/8 subnet only

    • 10.0.0.0/8:11 for routes where the first octet is 10 and the prefix is from 8 to 11

    • 10.0.0.0/8:11:13 for routes where the first octet is 10 and the prefix is from 11 to 13.

  • as-path-filter: add all required autonomous network numbers when selecting filtering by AS path.
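The three ip-filter formats above are easy to misread, so here is an added Python example (not UserGate code) that parses an ip-filter entry into a network and a prefix-length range, matches route prefixes against it and applies an allow/block filter to a constructed list of prefixes. It assumes IPv4 entries (the page's examples are IPv4, and IPv6 notation would clash with the ':' separator); how non-matching routes are treated under block is an assumption noted in the code.

```python
import ipaddress
from typing import Tuple


def parse_ip_filter(entry: str) -> Tuple[ipaddress.IPv4Network, int, int]:
    """Parse one ip-filter entry into (network, min_prefixlen, max_prefixlen).

    Accepted forms, as documented for ip-filter:
      10.0.0.0/8        only the 10.0.0.0/8 prefix itself
      10.0.0.0/8:11     prefixes inside 10.0.0.0/8 with length 8..11
      10.0.0.0/8:11:13  prefixes inside 10.0.0.0/8 with length 11..13
    """
    net_text, *bounds = entry.split(":")
    network = ipaddress.IPv4Network(net_text, strict=True)
    base = network.prefixlen
    if len(bounds) == 0:
        low, high = base, base
    elif len(bounds) == 1:
        low, high = base, int(bounds[0])
    elif len(bounds) == 2:
        low, high = int(bounds[0]), int(bounds[1])
    else:
        raise ValueError(f"too many ':' separators in ip-filter entry {entry!r}")
    # A prefix shorter than the entry's own network can never lie inside it,
    # so such an entry would silently match nothing; reject it instead.
    if not base <= low <= high <= network.max_prefixlen:
        raise ValueError(
            f"prefix range {low}..{high} is invalid for {network} in {entry!r}")
    return network, low, high


def ip_filter_matches(entry: str, prefix: str) -> bool:
    """True if the route prefix lies inside the entry's network and its
    length is within the entry's allowed range."""
    network, low, high = parse_ip_filter(entry)
    route = ipaddress.IPv4Network(prefix, strict=True)
    return route.subnet_of(network) and low <= route.prefixlen <= high


def apply_ip_filter(action: str, entries, prefixes):
    """Evaluate a filter (filter-by ip) against a list of route prefixes.

    'allow' passes only prefixes matching at least one entry; 'block' passes
    only prefixes matching none. (The treatment of non-matching routes under
    'block' is an assumption made for this example.)
    """
    if action not in ("allow", "block"):
        raise ValueError(f"unknown filter action: {action}")
    want_match = action == "allow"
    return [
        p for p in prefixes
        if any(ip_filter_matches(e, p) for e in entries) == want_match
    ]


if __name__ == "__main__":
    # Constructed prefixes as they might arrive from a BGP neighbour.
    received = ["10.0.0.0/8", "10.32.0.0/11", "10.16.0.0/12", "11.16.0.0/12"]
    for entry in ("10.0.0.0/8", "10.0.0.0/8:11", "10.0.0.0/8:11:13"):
        print(entry, "allows", apply_ip_filter("allow", [entry], received))
```

Note that `10.0.0.0/8:11:13` does not accept `10.0.0.0/8` itself: the second form includes the entry's own length in the range, the third form starts at the first explicit bound.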

neighbors

BGP neighbors.

To add new neighbors or change data for existing ones, use the following commands:

Admin@nodename# set network virtual-router <virtual-router-name> bgp neighbors new
Admin@nodename# set network virtual-router <virtual-router-name> bgp neighbors <host-ip>

Parameters:

  • enabled: enable/disable use of the neighbor:

    • on

    • off

  • description: BGP neighbor description.

  • host: neighbor IP address.

  • remote-asn: neighbor's autonomous system number.

  • weight: weight of routes received from this neighbor.

  • ttl: the maximum number of hops allowed to this neighbor.

  • allowas-in: accept and process routes even if the router finds its own autonomous system number in the AS path of the received route (such routes are normally dropped as loops):

    • on

    • off

  • allowas-in-number: how many times the router's own autonomous system number may appear in the AS path of routes received from this neighbor. Available values: from 0 to 10 (0 means origin: the route is accepted only if the router's own autonomous system originated it).

  • bfd: Add a bfd profile (Bidirectional Forwarding Detection). Bfd profiles are created in the element library, read more in the Configuring Libraries section.

  • next-hop-self: set the next hop of routes announced to this neighbor to the router's own IP address (typically used when passing routes learned from eBGP peers on to iBGP neighbors):

    • on

    • off

  • ebgp-multihop: the connection to this BGP neighbor is not direct (more than one hop):

    • on

    • off

  • route-reflector-client: determine if a BGP neighbor is a Route reflector client:

    • on

    • off

  • soft-reconfiguration: keep an unmodified copy of the routes received from this neighbor so that changed inbound policies can be re-applied without resetting the BGP session (soft reconfiguration):

    • on

    • off

  • default-originate: announce the default route to a neighbor:

    • on

    • off

  • send-community: send the BGP community attribute along with the routes announced to this neighbor:

    • on

    • off

  • enable-auth: enable/disable authentication of the session with this neighbor:

    • on

    • off

  • password: the shared secret used to authenticate the neighbor. The same password must be configured on the neighbor.

  • filter-in: restrict routing information received from neighbors.

  • filter-out: restrict routing information announced to neighbors.

  • routemap-in: restrict routing information that BGP receives from neighbors.

  • routemap-out: restrict routing information that BGP sends to neighbors.

To display BGP configuration in a virtual router, use the following command:

Admin@nodename# show network virtual-router <virtual-router-name> bgp

Example command to configure BGP in a virtual router:

Admin@nodename# set network virtual-router test_router bgp router-id 192.168.95.224 asn 1 networks [ 192.168.100.0/24 ] redistribute [ connected kernel ]
Admin@nodename# show network virtual-router test_router
name          : test_router
description   : Test virtual router
node-name     : node_1
interfaces    : port2; port3
...
bgp           :
    enabled       : off
    asn           : 1
    router-id     : 192.168.95.224
    redistribute  : connected; kernel
    multiple-path : off
    networks      : 192.168.100.0/24
    routemaps     : []
    neighbors     : []
    filters       : []
...

To delete BGP router parameters, use the following command:

Admin@nodename# delete network virtual-router <virtual-router-name> bgp <parameter>

You can delete the following parameters:

  • Addresses of networks that belong to this autonomous system: networks.

  • Conditions on application of routemap: routemaps <routemap-name> ip-match | community-match | as-path-match.

  • Condition on application of filters: filters <filter-name> ip-filter | as-path-filter.

  • BGP neighbors and routemap filters: neighbors <host-ip> filter-in | filter-out | routemap-in | routemap-out.

  • BGP route redistribution options: redistribute [ connected | kernel ].

RIP Configuration

To configure RIP (Routing Information Protocol) on a virtual router, use the following command:

Admin@nodename# set network virtual-router <virtual-router-name> rip

Specify the parameters:

Parameter

Description

enabled

Enable/disable the RIP router:

  • on

  • off

version

RIP protocol version:

  • 1

  • 2

Version 2 is normally used: unlike version 1, it carries subnet masks in its updates and supports authentication.

metric

RIP metric. Default value: 1; max value: 15. A value of 16 is considered infinite.

distance

The administrative distance of routes received via RIP. Default value for RIP: 120. It is used to choose between routes to the same destination learned by different methods (OSPF, BGP, static); the route with the lower distance wins.

originate

Announce a default route pointing at this router to RIP neighbors.

networks-cidr

Specify the network as a CIDR. Format: <ip/mask>.

networks-interface

Specify the network interface from which to send route information updates. Provide interfaces that belong to the virtual router.

redistribute

Route redistribution:

  • connected: redistribute routes to the networks directly connected to UserGate to other RIP routers.

    • <metric>: metric value; available values: from 0 to 16

    • off

  • static: redistribute static routes to other RIP routers.

    • <metric>: metric value; available values: from 0 to 16

    • off

  • kernel: redistribute routes added by an administrator to other RIP routers.

    • <metric>: metric value; available values: from 0 to 16

    • off

  • ospf: redistribute routes received via OSPF to other RIP routers.

    • <metric>: metric value; available values: from 0 to 16

    • off

  • bgp: redistribute routes received via BGP to other RIP routers.

    • <metric>: metric value; available values: from 0 to 16

    • off

interfaces

Configure interfaces where the RIP protocol is supported. The interfaces should be added to the virtual router.

To add new interfaces or change data for existing ones, use the following commands:

Admin@nodename# set network virtual-router <virtual-router-name> rip interfaces new
Admin@nodename# set network virtual-router <virtual-router-name> rip interfaces <interface-name>

Parameters:

  • interface: select the interface.

  • send-version: the RIP protocol version that the router will send. Available values:

    • 0

    • 1

    • 2

    • 3

  • receive-version: the RIP protocol version that the router will receive. Available values:

    • 0

    • 1

    • 2

    • 3

  • password: the authentication string sent and received in RIP packets. All routers participating in the RIP information exchange must have an identical password.

  • split-horizone: split horizon, a routing loop avoidance method where the router does not advertise a route through the interface on which it was learned.

    • on

    • off

  • poisoned-reverse: a routing loop avoidance method where the router sets the route cost to 16 and sends it to the neighbor from which it was received.

    • on

    • off

  • passive-mode: an interface mode in which the interface receives RIP updates but does not send them.

    • on

    • off
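To make the difference between split horizon, poisoned reverse and passive mode concrete, here is an added Python example (not UserGate code) that builds the update a RIP router would send out of one interface under each of the settings above, and shows what the neighbour on that interface learns from it. The routing table, the interface names, and the precedence of poisoned-reverse over plain split horizon when both are on are assumptions of the example.

```python
INFINITY = 16  # RIP metric meaning "unreachable"


def rip_update_for_interface(routes, out_iface, split_horizon=True,
                             poisoned_reverse=False, passive=False):
    """Build the update a RIP router would send out of `out_iface`.

    routes: iterable of (prefix, metric, learned_on) where learned_on is the
    interface the route was received on, or None for routes the router
    originates itself (connected or redistributed).
    Returns {prefix: advertised_metric}. The sender advertises its own metric;
    the receiver adds the cost of the incoming link (see rip_receive).
    Assumption for this example: when both options are on, the poisoned
    (metric 16) advertisement wins over plain suppression.
    """
    if passive:
        return {}  # passive-mode: updates are received but never sent
    update = {}
    for prefix, metric, learned_on in routes:
        if learned_on == out_iface:
            if poisoned_reverse:
                update[prefix] = INFINITY  # advertise back as unreachable
                continue
            if split_horizon:
                continue                   # do not advertise back at all
        update[prefix] = min(metric, INFINITY)
    return update


def rip_receive(update, in_iface, link_cost=1):
    """Process an update received on `in_iface`: add the link cost, clamp at
    16 and discard routes that are unreachable after the addition."""
    learned = []
    for prefix, metric in update.items():
        total = min(metric + link_cost, INFINITY)
        if total < INFINITY:
            learned.append((prefix, total, in_iface))
    return learned


if __name__ == "__main__":
    # Constructed routing table: (prefix, metric, interface learned on).
    table = [("10.1.0.0/16", 1, None),      # connected network
             ("10.2.0.0/16", 2, "port2"),   # learned from the neighbour on port2
             ("10.3.0.0/16", 3, "port3")]   # learned from the neighbour on port3
    settings = {
        "no loop protection": dict(split_horizon=False),
        "split-horizone on": dict(split_horizon=True),
        "poisoned-reverse on": dict(poisoned_reverse=True),
        "passive-mode on": dict(passive=True),
    }
    for name, opts in settings.items():
        sent = rip_update_for_interface(table, "port2", **opts)
        print(f"{name:20} port2 sends {sent}")
        print(f"{'':20} neighbour keeps {rip_receive(sent, 'port2')}")
```

With neither option on, the port2 neighbour is told about 10.2.0.0/16 by the very router that learned it from that neighbour; if the neighbour later loses the network, it can re-learn it from this router with a higher metric, which is the loop that split horizon and poisoned reverse prevent.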

To display RIP configuration in a virtual router, use the following command:

Admin@nodename# show network virtual-router <virtual-router-name> rip

Example command to configure RIP in a virtual router:

Admin@nodename# set network virtual-router test_router rip version 2 originate on
Admin@nodename# show network virtual-router test_router
name          : test_router
description   : Test virtual router
node-name     : node_1
interfaces    : port2; port3
...
rip           :
    enabled       : off
    distance      : 120
    metric        : 1
    originate     : on
    interfaces    : []
    redistribute  : {}
    version       : 2
...
Admin@nodename# set network virtual-router test_router rip interfaces new interface port2
Admin@nodename# show network virtual-router test_router
name          : test_router
description   : Test virtual router
node-name     : node_1
interfaces    : port2; port3
...
rip           :
    enabled       : off
    distance      : 120
    metric        : 1
    originate     : on
    interfaces    :
        port2 :
            interface        : port2
            passive-mode     : off
            poisoned-reverse : off
            receive-version  : 0
            send-version     : 0
            split-horizone   : off
    redistribute  : {}
    version       : 2
...

To delete RIP router parameters, use the following command:

Admin@nodename# delete network virtual-router <virtual-router-name> rip <parameter>

You can delete the following parameters:

  • RIP interfaces: interfaces.

  • RIP networks: networks-cidr.

  • Network interface from which route information updates will be sent: networks-interface.

Configuring multicast routing

To configure multicast routing on the virtual router, use the following command:

Admin@nodename# set network virtual-router <virtual-router-name> multicast-router

Specify the parameters:

Parameter

Description

enabled

Enable/disable the multicast router:

  • on

  • off

ecmp

Enable traffic distribution using Equal Cost Multi Path (ECMP) technology:

  • on

  • off

Requires that several routes exist to the network node of interest. If this option is disabled, all traffic to a specific destination host will be sent through only one of the routers (next hop).

ecmp-rebalance

Use ECMP rebalance:

  • on: if one of the interfaces through which traffic was sent has disconnected, then all existing flows are redistributed among the remaining routes (next hop).

  • off: if one of the interfaces through which traffic was sent has disconnected, only the flows sent through the disconnected interface will be redistributed.

join-prune

Interval for sending messages to PIM neighbors about the multicast groups whose traffic the router wants to receive or no longer wants to receive.

register-suppress

Interval after which the router sends a register suppress message.

keep-alive

Interval after which the router sends keepalive messages to neighbors, and the interval the router waits before considering a neighbor unavailable.

interfaces

Interface to use for multicasting. You can only specify interfaces added to the virtual router.

To add new interfaces or change data for existing ones, use the following commands:

Admin@nodename# set network virtual-router <virtual-router-name> multicast-router interfaces new
Admin@nodename# set network virtual-router <virtual-router-name> multicast-router interfaces <interface-name>

Parameters:

  • interface: select an interface for multicast. Only the interfaces belonging to this virtual router are available for selection.

  • hello-timeout: the interval to send PIM HELLO messages (in seconds). PIM Hello messages are sent periodically from all interfaces for which multicast support is enabled. These messages let the router know about neighbor routers that support multicasting.

  • dr-priority: the Designated router (DR) selection priority, which allows the administrator to control the process of DR selection for the LAN.

  • bfd: Add a bfd profile (Bidirectional Forwarding Detection). Bfd profiles are created in the element library, read more in the Configuring Libraries section.

  • enable-igmp: receive IGMP report and IGMP query messages on this interface.

  • use-igmpv2: use IGMP v2 (the default is IGMP v3).

rendezvous-points

When configuring Rendezvous points, you can specify the following parameters:

  • enabled: enable/disable this RP.

    • on

    • off

  • name: the RP name.

  • ip: the unicast IP address of the RP.

  • asm-allowed-groups: the list of multicast group addresses allowed for Any-Source Multicast (ASM) via this RP. Any networks in the range 224.0.0.0/4 can be specified. If nothing is specified, there are no restrictions.

ssm-allowed-groups

A multicast router setting that defines the list of group addresses allowed for Source-Specific Multicast (SSM). You can specify any networks in the range 232.0.0.0/8. If nothing is specified, there are no restrictions.

spt-exclusions

Multicast router setting that defines a list of IPv4 multicast groups excluded from switching to the shortest path tree.

To display a multicast configuration of a virtual router, use the following command:

Admin@nodename# show network virtual-router <virtual-router-name> multicast-router

Example command to configure multicast routing in a virtual router:

Admin@nodename# set network virtual-router test_router multicast-router interfaces new interface port2 use-igmpv2 on
Admin@nodename# show network virtual-router test_router
name             : test_router
description      : Test virtual router
node-name        : node_1
interfaces       : port2; port3
...
multicast-router :
    enabled           : off
    ecmp-rebalance    : off
    ecmp              : off
    join-prune        : 60
    keep-alive        : 31
    register-suppress : 5
    interfaces        :
        port2 :
            interface   : port2
            enabled     : off
            enable-igmp : off
            use-igmpv2  : on
            bfd         : Not set
    rendevouz-points  : []
...

To delete multicast router parameters, use the following command:

Admin@nodename# delete network virtual-router <virtual-router-name> multicast-router <parameter>

You can delete the following parameters:

  • Interfaces used for multicast: interfaces.

  • Rendezvous points: rendevouz-points <rp-name>, and the list of group addresses allowed for any-source multicast via this RP: rendevouz-points <rp-name> asm-allowed-groups.

  • The list of allowed group addresses for the source-specific multicast: ssm-allowed-groups.

  • The list of IPv4 multicast groups excluded from switching to the shortest path tree: spt-exclusions.


WCCP Configuration

WCCP (Web Cache Communication Protocol) settings are applied at the network wccp level. To create a WCCP service group, use the following command:

Admin@nodename# create network wccp <parameter>

Available parameters:

Parameter

Description

enabled

Enable/disable the service group:

  • on

  • off

name

WCCP service group name.

description

A description of the service group.

password

The password to authenticate UserGate in the service group. The password must match the one specified on the WCCP servers.

fwd-type

Forwarding type from WCCP servers to UserGate:

  • l2: use L2 redirection. In this case, the router (WCCP server) replaces the destination MAC address in the packet with the MAC address of UserGate.

  • gre: use a GRE (Generic Routing Encapsulation) tunnel.

L2 redirection generally requires fewer resources than GRE, but the WCCP server and UserGate must reside in the same L2 segment. Not all WCCP server types support L2 redirection with WCCP clients.

ret-type

Forwarding type from UserGate to WCCP servers:

  • l2: using L2 redirection. In this case, UserGate (the WCCP client) changes the destination MAC address in the packet to that of the WCCP server.

  • gre: use a GRE (Generic Routing Encapsulation) tunnel.

L2 redirection generally requires fewer resources than GRE, but the WCCP server and UserGate must reside in the same L2 segment. Not all WCCP server types support L2 redirection with WCCP clients.

service-group

The numeric ID of the service group. Service group IDs must be identical on all devices in the group.

priority

The group's priority. If multiple service groups are applicable to the traffic managed by the WCCP server, the priority determines the order in which the server will distribute traffic to the WCCP clients.

ports

Ports to redirect (traffic destination ports). Multiple ports can be specified as a list, for example ports [ 80 443 ].

Important! UserGate can only apply filtering to redirected TCP traffic with destination ports 80 and 443 (HTTP/HTTPS). Traffic redirected to UserGate on any other port is forwarded to the Internet unfiltered, so redirecting additional ports adds load without adding inspection.

ports-source

Redirection of traffic based on the source port values:

  • on

  • off

protocol

Select a protocol:

  • tcp: Transmission Control Protocol (TCP)

  • udp: User Datagram Protocol (UDP).

routers-lists

List of WCCP server IP addresses.

For more details about how to create IP address lists using CLI, see Configuring IP Addresses.

routers-ips

WCCP server IP addresses.

assignment-type

When there are multiple WCCP clients in a service group, the assignment type determines how traffic is distributed from the WCCP servers to the WCCP clients.

  • hash: distribute traffic based on a hash computed from the specified IP packet fields. The options are:

    • source-ip: calculate the hash based on the source IP address

    • source-port: calculate the hash based on the source port

    • dest-ip: calculate the hash based on the destination IP address

    • dest-port: calculate the hash based on the destination port

    • alt-source-ip: calculate an alternate hash based on the source IP address

    • alt-source-port: calculate an alternate hash based on the source port

    • alt-dest-ip: calculate an alternate hash based on the destination IP address

    • alt-dest-port: calculate an alternate hash based on the destination port.

  • mask: distribute traffic based on the result of a Boolean AND between the mask and the selected packet header. When selecting a mask, consult the vendor documentation for the WCCP server.

    • source-ip: mask by the source IP address

    • source-port: mask by the source port

    • dest-ip: mask by the destination IP address

    • dest-port: mask by the destination port

    • mask-value: mask value for the mask scheme. 16 bits for masking by port and 32 bits for masking by IP address. Specify the value in hexadecimal format.
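To show how the mask scheme selects a WCCP client, here is an added Python example (not UserGate or WCCP-server code) that validates a mask-value against the field width (16 bits for ports, 32 for IP addresses), compresses the masked header bits into a table index and looks up the client for a packet. The round-robin filling of the assignment table, the client names and the packet headers are constructed for illustration; a real WCCP server builds the assignment table itself.

```python
import ipaddress

# Width of each header field that a mask can be applied to.
MASK_WIDTH = {"source-ip": 32, "dest-ip": 32, "source-port": 16, "dest-port": 16}


def check_mask_value(field: str, mask: int) -> int:
    """Validate a mask-value for the chosen field: it must fit the field's
    width and select at least one bit, otherwise every packet lands in the
    same bucket and no distribution happens."""
    width = MASK_WIDTH[field]
    if mask <= 0 or mask >> width:
        raise ValueError(f"mask 0x{mask:x} does not fit {width}-bit field {field}")
    return mask


def masked_index(value: int, mask: int) -> int:
    """Compress the bits selected by (value & mask) into a dense index.

    The WCCP server ANDs the mask with the header field; N set bits in the
    mask give 2**N possible results, and each result is one row of the
    assignment table naming the WCCP client to redirect to.
    """
    index, position = 0, 0
    while mask:
        lowest = mask & -mask           # lowest set bit of the mask
        if value & lowest:
            index |= 1 << position
        position += 1
        mask ^= lowest
    return index


def build_assignment_table(mask: int, clients):
    """Fill the 2**N rows round-robin with client names (an assumption made
    for illustration; the real table is built by the WCCP server)."""
    rows = 1 << bin(mask).count("1")
    return [clients[i % len(clients)] for i in range(rows)]


def client_for(field: str, mask: int, table, src_ip: str, src_port: int,
               dst_ip: str, dst_port: int) -> str:
    """Pick the WCCP client that a packet with these headers is sent to."""
    values = {
        "source-ip": int(ipaddress.IPv4Address(src_ip)),
        "dest-ip": int(ipaddress.IPv4Address(dst_ip)),
        "source-port": src_port,
        "dest-port": dst_port,
    }
    return table[masked_index(values[field], check_mask_value(field, mask))]


if __name__ == "__main__":
    # Constructed example: mask bits 8..10 of the source IP (low three bits
    # of the third octet) and spread the 8 buckets over two WCCP clients.
    mask = check_mask_value("source-ip", 0x00000700)
    table = build_assignment_table(mask, ["ug-a", "ug-b"])
    for src in ("192.168.1.10", "192.168.2.10", "192.168.5.10", "192.168.9.10"):
        client = client_for("source-ip", mask, table, src, 40000, "203.0.113.1", 80)
        print(src, "->", client)
```

With this mask 192.168.1.10 and 192.168.9.10 land on the same client because their third octets differ only in bits the mask ignores; choosing mask bits that actually vary across the client population is what the vendor's recommended mask-value is for.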

To specify values for a WCCP service group or update information on it, use the following command:

Admin@nodename# set network wccp <service-group-name> <parameter>

Specify the parameters to update. The parameter values are listed in the table above.

To view information about a WCCP service group:

Admin@nodename# show network wccp <service-group-name>

Example commands to create and edit WCCP:

Admin@nodename# create network wccp name "Test service group" protocol tcp service-group 1 routers-ips [ 192.168.100.120 ] fwd-type l2 ret-type l2 ports [ 80 ] priority 1 password 12345
Admin@nodename# show network wccp "Test service group"
name            : Test service group
enabled         : off
fwd-type        : l2
ret-type        : l2
service-group   : 1
priority        : 1
protocol        : tcp
ports           : 80
assignment-type : hash
    source-ip       : off
    source-port     : off
    dest-ip         : off
    dest-port       : off
    alt-source-ip   : off
    alt-source-port : off
    alt-dest-ip     : off
    alt-dest-port   : off
routers-ips     : 192.168.100.120
Admin@nodename# set network wccp "Test service group" description "Test service group description" service-group 100
Admin@nodename# show network wccp "Test service group"
name            : Test service group
description     : Test service group description
enabled         : off
fwd-type        : l2
ret-type        : l2
service-group   : 100
priority        : 1
protocol        : tcp
ports           : 80
assignment-type : hash
    source-ip       : off
    source-port     : off
    dest-ip         : off
    dest-port       : off
    alt-source-ip   : off
    alt-source-port : off
    alt-dest-ip     : off
    alt-dest-port   : off
routers-ips     : 192.168.100.120

To remove a service group completely, or only some of its parameters (specify the parameter to remove):

Admin@nodename# delete network wccp <service-group-name> <parameter>

You can delete the following parameters:

  • routers-lists.

  • routers-ips.

  • ports.