
Hillstone: StoneOS 5.0R3P6.1
Hillstone Multi-Core Security Gateway Command Manual

About This Manual

This manual is the command manual for Hillstone multi-core security gateways. It describes in detail all commands used in StoneOS, including each command's format, usage, parameters, default values and usage examples.

Document Conventions

In this manual, StoneOS command syntax is described using the following conventions:

  • Braces ({ }): indicate that the content is a required element.
  • Square brackets ([ ]): indicate that the content is an optional element.
  • Vertical bar (|): separates mutually exclusive options.
  • Bold: bold text marks command keywords, the fixed part of the command line that the user must type verbatim.
  • Italic: italic text marks parameters for which the user must supply a value.

Command example conventions:

  • The parts of a command example that the user must enter are shown in bold.
  • Variables for which the user must supply a value are shown in italic.
  • Command examples include output from different platforms, which may differ slightly.

Contents

How to Use the StoneOS CLI
CLI Introduction, Command Modes and Prompts, Execution Mode, Global Configuration Mode, Sub-module Configuration Mode, Switching CLI Command Modes, Command Line Error Messages, Command Line Input, Abbreviated Command Forms, Listing Command Keywords Automatically, Completing Command Keywords Automatically, Command Line Editing, Viewing Command History, Shortcut Keys, Filtering CLI Output, Paging CLI Output, Setting Terminal Attributes, Setting the Connection Timeout, Redirecting Output

StoneOS System Management Commands
access, admin, admin host, admin user, allow-pwd-change, app | ips signature stat-report, arp, bandwidth, bandwidth-threshold, delay-threshold, external-bypass enable, clear nbt-cache, clock time, clock summer-time, clock zone, configure, console timeout, cpu, debug, delete configuration, desc, dns, dst-addr-based-session-counter, exec admin user password update, exec console baudrate, exec format, exec detach, exec customize, exec license apply, exec license install, exec license uninstall, exec webauth kickout, exit, expire, export configuration, group, hostname, http, http port, https port, https trust-domain, ike-id, import configuration, import customize, import image, interface, ip, language, match, member, monitor, nbt-cache enable, nbtstat ip2name, network-manager enable, network-manager host, ntp authentication, ntp authentication-key, ntp enable, ntp max-adjustment, ntp query-interval, ntp server, password, password(user), password-policy, ping, privilege, reboot, role, role-expression, role-mapping-rule, rollback configuration backup, save, smtp, snmp-server contact, snmp-server engineID, snmp-server group, snmp-server host, snmp-server location, snmp-server manager, snmp-server port, snmp-server trap-host, snmp-server user, ssh port, ssh timeout, tcp, telnet authorization-try-count, telnet connection-interval, telnet port, telnet timeout, threshold, traceroute, track, user, user-binding, user-group, webauth force-timeout, webauth http, webauth http-port, webauth https, webauth https-port, webauth reauth, webauth redirect, webauth sso-ntlm, webauth sso-ntlm-timeout, webauth timeout, web timeout

System Architecture Commands
deny-session deny-type, deny-session percentage, deny-session timeout, fragment chain, fragment timeout, tcp-mss, tcp-rst-bit-check, tcp-seq-check-disable, tcp-syn-check, tcp-syn-bit-check

Security Gateway Application Mode Commands
exec vrouter enable/disable, ip vrouter, forward-tagged-packet, l2-nonip-action, virtual-wire enable, virtual-wire set, vswitch

Security Gateway Network Deployment Mode Commands
tap control-interface, tap lan-address, zone (bind an interface to a Tap zone), zone (create a Tap zone)

Zone Commands
bind, vrouter, zone

Interface Commands
aggregate aggregatenumber, arp timeout, authenticated-arp, bgroup bgroupnumber, clear mac, combo, duplex, ftp, ftp port, holddown, holdup, interface aggregatenumber, interface aggregatenumber.tag, interface bgroupnumber, interface ethernetm/n, interface ethernetX/Y-pppoeZ, interface ethernetm/n.tag, interface loopbacknumber, interface redundantnumber, interface redundantnumber.tag, interface tunnelnumber, interface vlanid, interface supervlanX, ip address, ip mtu, lacp, lacp max-bundle, lacp min-bundle, lacp port-priority, lacp system-priority, lacp period-short, load-balance mode, mac-clone, manage, mirror to, mirror filter, primary, proxy-arp, redundant redundantnumber, reverse-route, shutdown, speed, tunnel, webauth auth-arp-prompt, zone

Address Commands
address, host, ip, member, range, rename

Service Commands
app cache, app cache disable, app cache static disable, application-identify, clear app cache table, description, icmp, icmp type, longlife-sess-percent, protocol, servgroup, service, service service-name, tcp | udp, tcp | udp application

Policy Commands
absolute, action, clear policy hit-count, clear policy hit-count default-action, default-action, description, disable, dst-addr, dst-host, dst-ip, dst-range, dst-zone, enable, log, import customize webredirect, move, name, periodic, periodic, policy-global, policy-qos-tag tag, role, user, user-group, rule, rule id, schedule, schedule, service, src-addr, src-host, src-ip, src-range, src-zone, web-redirect, web-redirect idle-time

Security Commands
arp, arp-disable-dynamic-entry, arp-inspection, arp-inspection rate-limit, arp-inspection trust, arp-inspection vlan, arp-l2mode, arp-learning, behavior-profile, clear arp, clear arp-spoofing-statistics, clear dhcp-snooping binding, dhcp-snooping (BGroup or VSwitch interface), dhcp-snooping (physical interface), dhcp-snooping rate-limit, dhcp-snooping vlan, exec mac-address dynamic-to-static, exec urlfilter apply, export urlfilter-database, gratuitous-arp-send ip, host-blacklist, host-blacklist ip, host-blacklist mac, im, import urlfilter-database, mac-address-static, mac-learning, urlfilter, urlfilter domain-only, urlfilter rule type blacklist, urlfilter rule type keyword, urlfilter rule type whitelist, urlfilter unlimit-ip, urlfilter unlimit-ip, urlfilter whitelist-only, url-profile

Authentication and Commands
aaa-server, accounting, accounting enable, accounting port, accounting secret, admin auth-server, admin auth-server radius-server-name, agent, auth-method, auto-sync, backup-aaa-server, backup1, backup2, base-dn, debug aaa, group-class, host, login-dn, login-password, member-attribute, naming-attribute, port (Active-Directory / LDAP), port (RADIUS), retries, role-mapping-rule, secret, timeout, user-black-list

802.1X Authentication Protocol Commands
aaa-server, dot1x allow-multi-logon, dot1x allow-multi-logon number, dot1x auto-kickout, dot1x control-mode, dot1x enable, dot1x max-user, dot1x port-control, dot1x profile, dot1x profile, dot1x timeout, exec dot1x kickout, quiet-period, reauth-period, retransmission-count, server-timeout, tx-period

Network Address Translation (NAT) Commands
dnatrule, dnatrule move, expanded-port-pool, nat, nat-enable, no dnatrule id, no snatrule id, snatrule (NAT), snatrule(NAT444), snatrule move

Application Layer Identification and Commands
alg, alg h323 session-time

IPSec Protocol Commands
accept-all-proxy-id, anti-replay, authentication, auto-connect, compression deflate (manual), compression deflate (P2), connection-type, df-bit, dpd, encryption (P1), encryption (manual), encryption (P2), encryption-key, group (P1), group (P2), hash (P1), hash (manual), hash (P2), hash-key, id, interface, ipsec proposal, ipsec-proposal, isakmp peer, isakmp-peer, isakmp proposal, isakmp-proposal, lifesize, lifetime (P1), lifetime(P2), local-id, mode (negotiation mode), mode (operation mode), nat-traversal, peer, peer-id, pre-share, protocol, spi, track-event-notify, trust-domain, tunnel ipsec name auto, tunnel ipsec name manual, type, -track

Secure Connect Commands
aaa-server, anti-replay, address, allow-multi-logon, allow-multi-logon number, allow-pwd-change, client-auth-trust-domain, client-cert-authentication, df-bit, dns, exclude address, exec sc exec sc exec sc exec sc exec sc exec sc approve-binding, clear-binding, increase-host-binding, kickout, no-host-binding-check, no-user-binding-check, exec sms send test-message to, export aaa user-password, export scuser-host-binding, host-check, https-port, idle-time, import pki cacert, import aaa user-password, import scuser-host-binding, interface, ip-binding role, ip-binding user, link-select, move, phone, pool, redirect-url, sc scschost-check-profile, pool, -udp-port, sms-auth enable, sms-auth expiration, sms modem, split-tunnel-route, ssl-protocol, trust-domain, tunnel-cipher encryption, tunnel sctunnel sc, user-host-verify, wins

Dial-up Commands
exec generate-user-key rootkey, generate-route, ike_id, user

PnP Commands
dhcp-pool-address, dhcp-pool-gateway, dhcp-pool-netmask, dns, peer_id fqdn, split-tunnel-route, tunnel-ip-address, user, wins

GRE Commands
destination, interface, next-tunnel ipsec, source, tunnel gre

L2TP Commands
aaa-server, accept-client-ip, address, allow-multi-logon, avp-hidden, clear l2tp, dns, exclude address, exec l2tp kickout, interface, ip-binding role, ip-binding user, ppp-lcp-echo interval, keepalive, move, next-tunnel ipsec, pool, ppp-auth, l2tp pool, local-name, secret, transmit-retry, tunnel-authentication, tunnel l2tp, tunnel l2tp, tunnel-receive-window, wins

Protection Commands
ad all, ad arp-spoofing, ad dns-query-flood, ad huge-icmp-pak, ad icmp-flood, ad ip-directed-broadcast, ad ip-fragment, ad ip-option, ad ip-spoofing, ad ip-sweep, ad land-attack, ad ping-of-death, ad port-scan, ad session-limit, ad syn-flood, ad syn-proxy, ad tcp-anomaly, ad tear-drop, ad tear-drop, ad udp-flood, ad whitelist, ad winnuke, clear ad zone, clear session-limit

Switching Commands
bridge priority, enable, forward-delay, hello, interface vlanid, um-age, stp, stp cost, stp enable, stp priority, sub-vlan, supervlan, switchmode, vlan

Routing Commands
access-list route, access-list name description, aggregate-address, area authentication, area default-cost, area range, area stub, area virtual-link, area virtual-link authentication, auto-cost reference-bandwidth, bind pbr-policy, clear ip bgp, continue, default-information originate, default-information originate, default-metric, default-metric(BGP), description, disable, distance(BGP), distance, distance, distance ospf, domain, dst-addr, dst-host, dst-ip, dst-range, ecmp enable, ecmp-route-select, eif, enable, exec isp-network clear-predefine, iif, import vrouter, ip, ip igmp-proxy enable, ip igmp-proxy router-mode | host-mode, ip igmp-snooping enable, ip igmp-snooping router-mode | host-mode | auto | disable, ip multicast-routing, ip mroute, ip ospf authentication, ip ospf authentication-key, ip ospf cost, ip ospf dead-interval, ip ospf hello-interval, ip ospf message-digest-key, ip ospf priority, ip ospf retransmit-interval, ip ospf transmit-delay, ip rip authentication mode, ip rip authentication string, ip rip receive version, ip rip send version, ip rip split-horizon, ip route, ip route isp-name, ip route source, ip route source in-interface, ip vrouter, isp-network, llb inbound smartdns, llb-outbd-prox-detect, llb-outbd-prox-route, llb outbound proximity-route, match(OSPF), match(PBR), match id, max-route, move, neighbor(BGP), neighbor A.B.C.D peer-group, neighbor A.B.C.D | peer-group activate, neighbor A.B.C.D | peer-group default-originate, neighbor A.B.C.D | peer-group description, neighbor A.B.C.D | peer-group next-hop-self, neighbor A.B.C.D | peer-group password, neighbor A.B.C.D | peer-group remote-as, neighbor A.B.C.D | peer-group shutdown, neighbor A.B.C.D | peer-group timers, neighbor(RIP), nexthop, network(BGP), network(RIP), network area, passive-interface, pbr-policy, redistribute(BGP), redistribute(RIP), redistribute(OSPF), route-map, route enable/disable, role, router bgp, router bgp, router ospf, router rip, router-id (BGP), router-id (OSPF), service, set, src-addr, src-host, src-ip, src-range, subnet, timers, timers basic, timers spf, unknown-multicast drop, user, user-group, version

Network Parameter Commands
ac, address, authentication, auto-config interface, auto-connect, clear host, ddns enable, ddns name, dhcp-client ip, dhcp-client route, dhcp-relay enable, dhcp-relay server, dhcp-server enable, dhcp-server pool, dns, dns-proxy, domain, gateway, exclude address, idle-interval, ip address dhcp, ip dns-proxy black-list enable, ip dns-proxy white-list enable, ip dns-proxy black-list domain, ip dns-proxy white-list domain, ip address pppoe, ip domain lookup, ip domain name, ip domain retry, ip domain timeout, ip host, ip name-server, ip dns-proxy domain, ipmac-bind, lease, maxupdate interval, minupdate interval, netmask(DHCP), netmask(PPPoE), news, pop3, pppoe enable group, pppoe-client group, pppoe-client group, relay-agent, route, server, schedule, service, smtp, static-ip, type, user(DDNS), user(PPPoE), wins

Virtual System Commands
enter-vsys, export-to, profile, session, vsys (create), vsys (interface), vsys-profile, vsys-shared

QoS Management Commands
bandwidth, class, class-map, exception-list, disable, flex-qos, flex-qos low-water-mark, flex-qos max-bandwidth, flex-qos-up-rate, ip-qos, match address, match application, match cos, match dscp, match ip-range, match policy-qos-tag, match precedence, match-priority, match role, priority, qos-profile, qos-profile, qos-profile (nested QoS Profile), random-detect, role-qos, set cos, set dscp, set ip-qos-priority, set precedence, shape, shaping-for-egress

PKI Configuration Commands
crl, crl configure, enrollment, export pki (PKI trust domain information), export pki (), import pki (PKI trust domain information), import pki (), keypair, pki authenticate, pki crl request, pki enroll, pki export, pki import, pki import pkcs12, pki key generate, pki key zeroize, pki key zeroize noconfirm, pki trust-domain, subject commonname, subject country, subject localityname, subject organization, subject organizationunit, subject stateorprovincename, url

High Availability Commands
arp, description, exec ha sync, ha cluster, ha group, ha link interface, ha link ip, ha mode non-group, ha non-group, ha sync rdo session, ha traffic delay, ha traffic enable, hello interval, hello threshold, interface, manage ip, monitor track, preempt, priority, send gratuitous-arp

Filtering Commands
anti-malicious-sites, av enable, av max-decompression-recursion, av-profile, av signature update mode, av signature update schedule, av signature update server, exec av, exec av signature update, file-type, import av signature, label-mail, mail-sig, protocol-type

IPS Commands
attack-level, banner-protect enable, brute-force auth, brute-force lookup, command-injection-check, deny-method, exec block-ip remove, exec block-service remove, exec ips, external-link, external-link-check, ips enable, ips log disable, ips mode, ips profile, i
