hill山石網(wǎng)科安全網(wǎng)關(guān)命令手冊50r3p

1、Hillstone：StoneOS 5.0R3P6.1Hillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊關(guān)于本手冊本手冊為 Hillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊。詳細(xì)描述 StoneOS 中用到的所有命令，具體內(nèi)容有命令的格式、使用方法、參數(shù)、默認(rèn)值和使用實(shí)例等。文檔約定在本手冊中，StoneOS 命令語法描述使用以下約定：?大括?。?）：指明該內(nèi)容為必要元素。方括?。?）：指明該內(nèi)容為可選元素。豎線（|）：分隔可選擇的互相排斥的選項(xiàng)。粗體：粗體部分為命令的關(guān)鍵字，是命令行中不可變部分，用戶必須逐字輸入。斜體：斜體部分為需要用戶提供值的參數(shù)。命令實(shí)例約定：?命令實(shí)例中需要用戶輸入部分

2、用粗體標(biāo)出。需要用戶提供值的變量用斜體標(biāo)出。命令實(shí)例包括不同平臺(tái)的輸出，可能會(huì)有些許差別。Hillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊目錄怎樣使用 StoneOS CLI1CLI 介紹1命令模式和提示符1執(zhí)行模式1全局配置模式1子模塊配置模式1CLI 命令模式切換1命令行錯(cuò)誤信息提示2命令行的輸入2命令行的縮寫形式2自動(dòng)列出命令關(guān)鍵字2自動(dòng)補(bǔ)齊命令關(guān)鍵字3命令行的編輯3查看歷史命令3快捷鍵3過濾 CLI 輸出信息4分頁顯示 CLI 輸出信息4設(shè)置終端屬性5設(shè)置連接超時(shí)時(shí)間5重定向輸出5StoneOS 系統(tǒng)管理命令6access6admin6admin host7admin user8all

3、ow-pwd-change8app | ips signature stat-report9arp10bandwidth11bandwidth-threshold12delay-threshold12external-bypass enable13IHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊clear nbt-cache14clock time14clock summer-time15clock zone16configure16console timeout17cpu17debug19delete configuration20desc20dns21dst-addr-based-ses

4、sion-counter22exec admin user password update23exec console baudrate23exec format24exec detach24exec customize25exec license apply25exec license install26exec license uninstall27exec webauth kickout27exit28expire28export configuration29group30hostname30http31http port32https port33https trust-domain

5、33ike-id34import configuration34import customize35import image36interface37ip37language39match39IIHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊member40monitor41nbt-cache enable41nbtstat ip2name42network-manager enable42network-manager host43ntp authentication44ntp authentication-key44ntp enable45ntp max-adjustment45ntp

6、query-interval46ntp server47password47password（user）48password-policy48ping49privilege50reboot51role51role-expression52role-mapping-rule52rollback configuration backup53save54smtp54snmp-server contact55snmp-server engineID55snmp-server group56snmp-server host57snmp-server location58snmp-server manag

7、er58snmp-server port59snmp-server trap-host59snmp-server user60ssh port61ssh timeout61tcp62telnet authorization-try-count63telnet connection-interval64IIIHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊telnet port65telnet timeout65threshold66traceroute66track67user68user-binding69user-group69webauth force-timeout70webauth

8、http71webauth http-port71webauth https72webauth https-port72webauth reauth73webauth redirect73webauth sso-ntlm74webauth sso-ntlm-timeout75webauth timeout75web timeout76系統(tǒng)結(jié)構(gòu)命令77deny-session deny-type77deny-session percentage77deny-session timeout78fragment chain79fragment timeout79tcp-mss80tcp-rst-bi

9、t-check80tcp-seq-check-disable81tcp-syn-check82tcp-syn-bit-check82安全網(wǎng)關(guān)應(yīng)用模式命令84exec vrouter enable/disable84ip vrouter84forward-tagged-packet85l2-nonip-action86virtual-wire enable86virtual-wire set87vswitch88IVHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊安全網(wǎng)關(guān)網(wǎng)絡(luò)部署模式命令89tap control-interface89tap lan-address89zone （綁定接口到 T

10、ap 域）90zone （創(chuàng)建 Tap 域）90域（Zone）命令92bind92vrouter92zone93接口（Interface）命令94aggregate aggregatenumber94arp timeout94authenticated-arp95bgroup bgroupnumber96clear mac96combo97duplex97ftp98ftp port99holddown99holdup100interface aggregatenumber101interface aggregatenumber.tag101interface bgroupnumber102in

11、terface ethernetm/n102interface ethernetX/Y-pppoeZ103interface ethernetm/n.tag104interface loopbacknumber104interface redundantnumber105interface redundantnumber.tag105interface tunnelnumber106interface vlanid106interface supervlanX107ip address108ip mtu109lacp109lacp max-bundle110lacp min-bundle111

12、VHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊lacp port-priority111lacp system-priority112lacp period-short112load-balance mode113mac-clone114manage114mirror to115mirror filter116primary117proxy-arp117redundant redundantnumber118reverse-route119shutdown119speed120tunnel121webauth auth-arp-prompt122zone122地址（Address）命令12

13、4address124host124ip125member126range126rename127服務(wù)（Service）命令128app cache128app cache disable129app cache static disable129application-identify130clear app cache table130description131icmp131icmp type132longlife-sess-percent133protocol134servgroup134service135service service-name136VIHillstone 山石網(wǎng)科

14、多核安全網(wǎng)關(guān)命令手冊tcp | udp136tcp | udp application137策略（Policy）命令139absolute139action139clear policy hit-count140clear policy hit-count default-action141default-action141description142disable142dst-addr143dst-host143dst-ip144dst-range145dst-zone145enable146log147import customize webredirect147move148name14

15、9periodic149periodic150policy-global151policy-qos-tag tag151role152user152user-group153rule154rule id155schedule156schedule156service157src-addr157src-host158src-ip159src-range159src-zone160web-redirect161VIIHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊web-redirect idle-time161安全命令163arp163arp-disable-dynamic-entry164ar

16、p-inspection164arp-inspection rate-limit165arp-inspection trust165arp-inspection vlan166arp-l2mode167arp-learning167behavior-profile168clear arp168clear arp-spoofing-statistics169clear dhcp-snooping binding170dhcp-snooping（BGroup 或者 VSwitch 接口）170dhcp-snooping（物理接口）171dhcp-snooping rate-limit172dhcp

17、-snooping vlan172exec mac-address dynamic-to-static173exec urlfilter apply173export urlfilter-database174gratuitous-arp-send ip175host-blacklist175host-blacklist ip176host-blacklist mac177im178import urlfilter-database178mac-address-static179mac-learning180urlfilter180urlfilter domain-only181urlfilt

18、er rule type blacklist181urlfilter rule type keyword182urlfilter rule type whitelist183urlfilter unlimit-ip183urlfilter unlimit-ip184urlfilter whitelist-only184url-profile185VIIIHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊認(rèn)證與命令186aaa-server186accounting186accounting enable187accounting port188accounting secret188admin

19、auth-server189admin auth-server radius-server-name190agent190auth-method191auto-sync191backup-aaa-server192backup1193backup2194base-dn194debug aaa195group-class195host196login-dn197login-password197member-attribute198naming-attribute198port （Active-Directory / LDAP）199port （RADIUS）199retries200role-

20、mapping-rule201secret201timeout202user-black-list202802.1X 認(rèn)證協(xié)議命令204aaa-server204dot1x allow-multi-logon204dot1x allow-multi-logon number205dot1x auto-kickout205dot1x control-mode206dot1x enable207dot1x max-user207dot1x port-control208IXHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊dot1x profile209dot1x profile209dot1x t

21、imeout210exec dot1x kickout210quiet-period211reauth-period212retransmission-count212server-timeout213tx-period213網(wǎng)絡(luò)地址轉(zhuǎn)換（NAT）命令215dnatrule215dnatrule move216expanded-port-pool217nat217nat-enable218no dnatrule id219no snatrule id219snatrule （NAT）220snatrule（NAT444）222snatrule move223應(yīng)用層識(shí)別與命令225alg225a

22、lg h323 session-time225IPSec 協(xié)議命令227accept-all-proxy-id227anti-replay227authentication228auto-connect229compression deflate （manual）229compression deflate （P2）230connection-type230df-bit231dpd232encryption （P1）232encryption （manual）233encryption （P2）234encryption-key235XHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊group

23、 （P1）235group （P2）236hash （P1）236hash （manual）237hash （P2）238hash-key239id239interface240ipsec proposal241ipsec-proposal241isakmp peer242isakmp-peer242isakmp proposal243isakmp-proposal244lifesize244lifetime （P1）245lifetime（P2）245local-id246mode （協(xié)商模式）247mode （操作模式）247nat-traversal248peer248peer-id24

24、9pre-share250protocol250spi251track-event-notify252trust-domain252tunnel ipsec name auto253tunnel ipsec name manual253type254-track255Secure Connect命令256aaa-server256anti-replay256address257allow-multi-logon258allow-multi-logon number258XIHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊allow-pwd-change259client-auth-trust-

25、domain259client-cert-authentication260df-bit261dns261exclude address262exec sc exec sc exec sc exec sc exec scexec scapprove-binding263clear-binding263increase-host-binding264kickout265no-host-binding-check265no-user-binding-check266exec sms send test-message to266export aaa user-password267export s

26、cuser-host-binding268host-check268https-port269idle-time270import pki cacert271import aaa user-password271import scuser-host-binding272interface273ip-binding role273ip-binding user274link-select275move275phone276pool277redirect-url277sc scschost-check-profile278pool279-udp-port280sms-auth enable280s

27、ms-auth expiration281sms modem281split-tunnel-route282ssl-protocol283trust-domain283XIIHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊tunnel-cipher encryption284tunnel sctunnel sc.285.285user-host-verify286wins287命令288撥號(hào)exec generate-user-key rootkey288generate-route288ike_id289user290PnP命令291dhcp-pool-address291dhcp-pool

28、-gateway291dhcp-pool-netmask292dns293peer_id fqdn293split-tunnel-route294tunnel-ip-address295user295wins296GRE 命令297destination297interface297next-tunnel ipsec298source298tunnel gre299L2TP 命令301aaa-server301accept-client-ip301address302allow-multi-logon303avp-hidden303clear l2tp304dns304exclude addr

29、ess305exec l2tp kickout306interface306XIIIHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊ip-binding role307ip-binding user307ppp-lcp-echo interval308keepalive309move309next-tunnel ipsec310pool311ppp-auth311l2tp pool312local-name312secret313transmit-retry314tunnel-authentication314tunnel l2tp315tunnel l2tp316tunnel-receive

30、-window316wins317防護(hù)命令318ad all318ad arp-spoofing318ad dns-query-flood319ad huge-icmp-pak321ad icmp-flood321ad ip-directed-broadcast322ad ip-fragment323ad ip-option324ad ip-spoofing324ad ip-sweep325ad land-attack326ad ping-of-death326ad port-scan327ad session-limit328ad syn-flood329ad syn-proxy331ad

31、tcp-anomaly332ad tear-drop332ad tear-drop333ad udp-flood334XIVHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊ad whitelist335ad winnuke335clear ad zone336clear session-limit337交換命令338bridge priority338enable338forward-delay339hello339interface vlanid340um-age340stp341stp cost342stp enable342stp priority343sub-vlan343superv

32、lan344switchmode344vlan345路由命令347access-list route347access-list name description347aggregate-address348area authentication349area default-cost349area range350area stub351area virtual-link351area virtual-link authentication352auto-cost reference-bandwidth353bind pbr-policy354clear ip bgp354continue3

33、55default-information originate356default-information originate356default-metric357default-metric（BGP）357description358XVHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊disable359distance（BGP）359distance360distance360distance ospf361domain362dst-addr362dst-host363dst-ip364dst-range364ecmp enable365ecmp-route-select365eif36

34、6enable367exec isp-network clear-predefine367iif368import vrouter368ip369ip igmp-proxy enable370ip igmp-proxy router-mode | host-mode371ip igmp-snooping enable371ip igmp-snooping router-mode | host-mode | auto | disable372ip multicast-routing373ip mroute373ip ospf authentication374ip ospf authentica

35、tion-key375ip ospf cost375ip ospf dead-interval376ip ospf hello-interval377ip ospf message-digest-key377ip ospf priority378ip ospf retransmit-interval378ip ospf transmit-delay379ip rip authentication mode380ip rip authentication string380ip rip receive version381ip rip send version381ip rip split-ho

36、rizon382XVIHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊ip route383ip route isp-name384ip route source384ip route source in-interface385ip vrouter386isp-network387llb inbound smartdns388llb-outbd-prox-detect388llb-outbd-prox-route389llb outbound proximity-route390match（OSPF）390match（PBR）391match id392max-route393move394

37、neighbor（BGP）394neighbor A.B.C.D peer-group395neighbor A.B.C.D | peer-group activate395neighbor A.B.C.D | peer-group default-originate396neighbor A.B.C.D | peer-group description396neighbor A.B.C.D | peer-group next-hop-self397neighbor A.B.C.D | peer-group password398neighbor A.B.C.D | peer-group re

38、mote-as398neighbor A.B.C.D | peer-group shutdown399neighbor A.B.C.D | peer-group timers399neighbor（RIP）400nexthop401network（BGP）401network（RIP）402network area403passive-interface403pbr-policy404redistribute（BGP）404redistribute（RIP）405redistribute（OSPF）406route-map406route enable/disable407role408XVI

39、IHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊router bgp408router bgp409router ospf409router rip410router-id （BGP）411router-id （OSPF）411service412set412src-addr413src-host414src-ip414src-range415subnet416timers416timers basic417timers spf418unknown-multicast drop418user419user-group419version420網(wǎng)絡(luò)參數(shù)命令422ac422address422a

40、uthentication423auto-config interface423auto-connect424clear host425ddns enable425ddns name426dhcp-client ip426dhcp-client route427dhcp-relay enable428dhcp-relay server428dhcp-server enable429dhcp-server pool429dns430dns-proxy430domain431XVIIIHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊gateway432exclude address432idle-

41、interval433ip address dhcp433ip dns-proxy black-list enable434ip dns-proxy white-list enable434ip dns-proxy black-list domain435ip dns-proxy white-list domain435ip address pppoe436ip domain lookup437ip domain name437ip domain retry438ip domain timeout438ip host439ip name-server439ip dns-proxy domain

42、440ipmac-bind441lease441maxupdate interval442minupdate interval443netmask（DHCP）443netmask（PPPoE）444news444pop3445pppoe enable group445pppoe-client group446pppoe-client group446relay-agent447route448server448schedule449service450smtp450static-ip451type451user（DDNS）452user（PPPoE）452wins453XIXHillstone

43、 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊虛擬系統(tǒng)命令454enter-vsys454export-to454profile455session456vsys（創(chuàng)建）457vsys（接口）458vsys-profile458vsys-shared459QoS 管理命令460bandwidth460class460class-map461exception-list462disable462flex-qos463flex-qos low-water-mark463flex-qos max-bandwidth464flex-qos-up-rate465ip-qos465match address466matc

44、h application467match cos467match dscp468match ip-range468match policy-qos-tag469match precedence470match-priority470match role471.472priority473qos-profile473qos-profile474qos-profile（嵌套 QoS Profile）475random-detect476role-qos476set cos477set dscp478XXHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊set ip-qos-priority478s

45、et precedence479shape479shaping-for-egress480PKI 配置命令482crl482crl configure482enrollment483export pki （PKI 信任域信息）483export pki （）.484import pki （PKI 信任域信息）485import pki （） .486keypair487pki authenticate487pki crl request488pki enroll488pki export489pki import490pki import pkcs12490pki key generate49

46、1pki key zeroize491pki key zeroize noconfirm492pki trust-domain492subject commonname493subject country493subject localityname494subject organization495subject organizationunit495subject stateorprovincename496url496高可靠性命令498arp498description498exec ha sync499ha cluster499ha group500ha link interface5

47、01ha link ip501XXIHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊ha mode non-group502ha non-group502ha sync rdo session503ha traffic delay503ha traffic enable504hello interval504hello threshold505interface506manage ip506monitor track507preempt507priority508send gratuitous-arp509過濾命令510anti-malicious-sites510av enable510av

48、 max-decompression-recursion511av-profile512av signature update mode512av signature update schedule513av signature update server513exec av514exec av signature update515file-type515import av signature516label-mail517mail-sig518protocol-type518IPS 命令520attack-level520banner-protect enable521brute-force auth521brute-force lookup522command-injection-check523deny-method523exec block-ip remove524exec block-service remove524exec ips525XXIIHillstone 山石網(wǎng)科多核安全網(wǎng)關(guān)命令手冊external-link526external-link-check527ips enable527ips log disable528ips mode529ips profile529i