ZyNOS CI Command List

CI Command Reference

System Related Commands
TCP/IP Protocol Commands
Ethernet Debug Commands
Firewall Related CI Commands
IPSec Related CI Commands

1. Command Syntax and General User Interface

CI has the following command syntax:

command <iface | device > subcommand [param]
command subcommand [param]
command ? | help
command subcommand ? | help

General user interface:

1.	?	Shows the following commands and all major (sub)commands
2.	exit	Returns to SMT

System Related Commands

[ch-name]: enet0, enet1

sys
	baud	<1\|2\|3\|4\|5>		change console speed if parameter present 1: 38400 bps 2: 19200 bps 3: 9600 bps 4: 57600 bps 5: 115200 bps
	callhist
		add	<name> <dir> <rate> <uptime>	Add the call history
		display		display the call history
		remove	<index>	remove call history
	cbuf
		cnt	disp	display cbuf static
			clear	clear cbuf static
		disp	[a\|f\|u]	display cbuf a: all f: free u: used
	cmgr
		cnt	[ch-name]	display call related counter
		data		display phone number related data
		trace	[display\|clear] [ch-name]	display call related event
	country		<country code>	set country code
	cpu	disp		display CPU utilization
	date		<yy> <mm> <dd>	Change current date if parameter present
	dir			display file directory
	edit		<filename>	edit a text file
	errctl		[level]	set the error control level 0:crash no save,not in debug mode (default) 1:crash no save,in debug mode 2:crash save,not in debug mode 3:crash save,in debug mode
	event
		display		display tag flags information
		trace	[display\|clear]	display system event information
	extraphnum
		add	<set 1-3> <1st phone number> [2nd phone number]	add extra phone number
		display		display extra phone number
		node		map the extra phone number for remote node n
		remove		remove the extra phone number for remote node n
		reset		reset the extra phone number
	feature			display feature bit
	fid	display		display function id list
	filter
		disp		display filter statistic counters
		clear		clear filter statistic counter
		sw	[on\|off]	switch on\|off filter counter
		addNetBios		add default NetBIOS_LAN and NetBIOS_WAN filter sets
		removeNetBios		remove default NetBIOS_LAN and NetBIOS_WAN filter sets
	firewall
		acl
			clear	clear firewall counter
			cnt clear	clear firewall counter
			cnt display	display firewall counter
		display		display firewall log
		dynamicrule		display firewall dynamic acl rule usage
		icmp
			block_co	set block icmp packet with type 3 code 3
			display	display current code status
		online		display firewall log online
		pktdump		dump the 64 bytes of packets dropped by firewall
		trcprst
			rst	set sending tcp rst when reject a tcp connection except port 1
			rst113	set sending tcp rst when reject a tcp connection on tcp port 1
			display	display current tcp reset status
		update		update firewall rule
	hostname			display system hostname
	iface	disp		display iface list
	log
		disp		display log error
		clear		clear log error
		online	[on\|off]	turn on/off error log online display
	mbuf
		cnt	[disp\|cl]	display or clear system mbuf count
		link	link	list system mbuf link
		pool	[id] [type]	list system mbuf pool
		status		display system mbuf status
.	.	disp	<address>	display mbuf status
	memutil
		usage		display memory allocate and heap status
		mq	<address> <len>	display memory queues
		mcell	mid [f\|u]	display memory cells by given ID
		msecs		display memory sections
	pro
		disp		display all process information
		stack	[TAG]	display process's stack by a give TAG
		ps	[TAG]	display process's status by a give TAG
	queue
		disp	[a\|f\|u] [start#] [end#]	display queue by given status and range numbers
		ndisp	[#]	display a queue by a given number
	quit			quit CI command mode
	reboot		[code]	reboot system code =0 cold boot, =1 immediately boot = 2 bootModule debug mode
	reslog		[disp\|clear]	display resources trace
.	roadrun	disp	<iface-name>	display roadrunner information iface-name: enif1 (WAN port)
.	.	debug	<level>	enable/disable roadrunner service 0: disable <default> 1: enable
.	.	restart	<iface-name>	.
	socket			display system socket information
	spt	dump	[root\|rn\|user\|slot]	dump spt raw data
		size		display spt record size
	stdio		[second]	change terminal timeout value
	syslog
		facility	<facility number>	set UNIX syslog server facility
		mode	[on\|off]	enable/disable the syslog service
		server	<server ip>
	time		[hh:mm:ss]	set the current system time if the parameter present
	timer
		disp	[a\|f\|u]	display timer cell
	trcdisp			monitor packets
.	.	brief	.	online display packet content briefly
.	.	parse	.	online parse packet content
	trcl
		call		display call event
		clear		clear trace
		disp		display trace log
		level	[#]	set trace level of trace log #:1-10
		online	[on\|off]	set on/off trace log online
		switch	[on\|off]	set system trace log
		type	<bitmap>	set trace type of trace log
	trcp
		chann	<name> [none\|incoming\|outgoing\|bothway]	<name>=enet0,enet1 set packet trace direction for a given channel
		create	<entry> <size>	create packet trace buffer
		destroy		packet trace related commands
		disp		display packet trace
		switch	[on\|off]	turn on/off the packet trace
		udp	[sw\|addr\|port]	send packet trace to other system
.	.	brief	.	display packet content briefly
.	.	parse	[[begin_idx], end_idx]	parse packet content
	version			display RAS code and driver version
	wdog		<filename>	view a text file
		switch	[on\|off]	set on/off wdog
		cnt	<value>	display watchdog counts value: 0-34463

TCP/IP Protocol Commands

<hostid> format : xxx.xxx.xxx.xxx (ip Address)
<ether addr> format : xx:xx:xx:xx:xx:xx
<iface> : enif0, enif1
<gw> : gateway ip address

ip	address			display host ip address
	arp
		add	<hostid> ether <ether addr>	add arp
		drop	<hostid> [ether]	drop arp
		flush		flush arp
		publish		add proxy arp
		status		display ip arp status
	dhcp <iface name>			set dhcp configuration
		server	arpcount	<num>
		.	dnsserver	<dnsIP1> <dnsIP2>
		.	gateway	<gateway IP>
		.	hostname	<hostname>
		.	leasetime	<period>
		.	netmask	<netmask>
		.	pool	<start IP> <num>
		.	rebindtime	<period>
		.	renewaltime	<period>
		.	reset
.	.	status	.	display iface DHCP information iface-name: enif1, enif0.
.	.	client	release	release DHCP client IP
.	.	.	renew	renew DHCP client IP
	dns
		table		display dns table
		stats	[disp\|clear]	display or clear dns statistics
	icmp
		echo	[on\|off]	response for ICMP echo request
		status		display icmp statistic counter
		trace	[on\|off]	turn on/off trace for debugging
.	.	discovery	<iface name> [on\|off]	turn on\|off icmp router discovery response
	ifconfig			display ifconfig
	nat	iface <iface>	disp	display current NAT statistics
	nat	loopback	on	LAN user can use Internet IP to access internal server on the LAN
	ping		<hostid>	ping remote host
.	rip
		dialin_user	[show\|in\|out\|both\|none]	set sending RIP to remote dial-in user
		merge	[on\|off]	RIP merging
		mode	<iface> [in\|out] [mode]	mode: 0 - 3
		status		display rip statistic counters
	route
		add	<dest addr>[/<bits>] <gateway> [<metric>]	add route
		addprivate		add private route
		drop	<host address> [/bits]	drop a route
		errcnt	[disp\|clear]	display\|clear routing statistic counters
		flush		flush route table
		status		display routing table
	status			display ip statistic counters
	tcp
		status		display TCP statistic counters
	udp	status

Ethernet Debug Commands

<ch-name> : enet0, enet1

ether
	config			display Ethernet driver configuration information
	driver
		cnt	disp <ch-name>	display ether driver counters
			clear <ch-name>	ch-name: enet0, enet1
.	.	reg	.	display LAN hardware related registers
.	.	status	<ch-name>	ch-name: enet0, enet1
.	.	rxmod	<mode>	set LAN receive mode. mode: 1: turn off receiving 2: receive only packets of this interface 3: mode 2+ broadcast 5: mode 2 + multicast 6: all packets
.	debug	.	.	display Ethernet debug information
.	.	disp	<ch-name>	display Ethernet debug information
.	.	level	<ch-name> <level>	set the Ethernet debug level level 0: disable debug log level 1: enable debug log (default)
	pkttest
		arp	[ip-addr]	send an arp request
		disp event	[ch-name] [on\|off]	enable packet test event trace
		disp packet	[1\|2\|3]	packet test display level
		sap		send an sap packet
	version			display driver version

Firewall Related CI Commands

The value for <set#> can be 1 or 2
set 1 = LAN to WAN direction
set 2 = WAN to LAN direction
The value for <rule #> starts from 1 to 10, i.e., 10 rules in total for a set

config
	edit	firewall	active <yes\|no>			Activate or deactivate the saved firewall settings
	retrieve	firewall				Retrieve current saved firewall settings
	save	firewall				Save the current firewall settings
	display	firewall				Displays all the firewall settings
.	.		set <set#>			Display current entries of a set configuration; including timeout values, name, default-permit, and number of rules in the set.
.	.		set <set#>	rule <rule#>		Display current entries of a rule in a set.
.	.		attack			Display all the attack alert settings in PNC
.			e-mail			Display all the e-mail settings in PNC
.	.		?			Display all the available sub commands
.	.		e-mail	mail-server <mail server IP>		Edit the mail server IP to send the alert
				return-addr <e-mail address>		Edit the mail address for returning an email alert
				e-mail-to <e-mail address>		Edit the mail address to send the alert
				policy <full \| hourly \|daily \| weekly>		Edit email schedule when log is full or per hour, day, week.
				day <sunday \| monday \| tuesday \| wednesday \| thursday \| friday \| saturday>		Edit the day to send the log when the email policy is set to Weekly
				hour <0~23>		Edit the hour to send the log when the email policy is set to daily or weekly
				minute <0~59>		Edit the minute to send to log when the email policy is set to daily or weekly
			attack	send-alert <yes\|no>		Activate or deactivate the firewall DoS attacks notification emails
				block <yes\|no>		Yes: Block the traffic when exceeds the tcp-max-incomplete threshold No: Delete the oldest half-open session when exceeds the tcp-max-incomplete threshold
				block-minute <0~255>		Only valid when sets 'Block' to yes. The unit is minute
				minute-high <0~255>		The threshold to start to delete the old half-opened sessions to minute-low
				minute-low <0~255>		The threshold to stop deleting the old half-opened session
				max-incomplete-high <0~255>		The threshold to start to delete the old half-opened sessions to max-incomplete-low
				max-incomplete-low <0~255>		The threshold to stop deleting the half-opened session
				tcp-max-incomplete <0~255>		The threshold to start executing the block field
			set <set#>	name <desired name>		Edit the name for a set
				default-permit <forward\|block>		Edit whether a packet is dropped or allowed when it does not match the default set
				icmp-timeout <seconds>		Edit the timeout for an idle ICMP session before it is terminated
				udp-idle-timeout <seconds>		Edit the timeout for an idle UDP session before it is terminated
				connection-timeout <seconds>		Edit the wait time for the SYN TCP sessions before it is terminated
				fin-wait-timeout <seconds>		Edit the wait time for FIN in concluding a TCP session before it is terminated
				tcp-idle-timeout <seconds>		Edit the timeout for an idle TCP session before it is terminated
				pnc <yes\|no>		PNC is allowed when 'yes' is set even there is a rule to block PNC
				log <yes\|no>		Switch on/off sending the log for matching the default permit
				rule <rule#>	permit <forward\|block>	Edit whether a packet is dropped or allowed when it matches this rule
					active <yes\|no>	Edit whether a rule is enabled or not
					protocol <0~255>	Edit the protocol number for a rule. 1=ICMP, 6=TCP, 17=UDP...
					log <none\|match\|not-match\|both>	Sending a log for a rule when the packet none\|matches\|not match\|both the rule
					alert <yes\|no>	Activate or deactivate the notification when a DoS attack occurs or there is a violation of any alert settings. In case of such instances, the function will send an email to the SMTP destination address and log an alert.
					srcaddr-single <ip address>	Select and edit a source address of a packet which complies to this rule
					srcaddr-subnet <ip address> <subnet mask>	Select and edit a source address and subnet mask if a packet which complies to this rule.
					srcaddr-range <start ip address> <end ip address>	Select and edit a source address range of a packet which complies to this rule.
					destaddr-single <ip address>	Select and edit a destination address of a packet which complies to this rule
					destaddr-subnet <ip address> <subnet mask>	Select and edit a destination address and subnet mask if a packet which complies to this rule.
					destaddr-range <start ip address> <end ip address>	Select and edit a destination address range of a packet which complies to this rule.
					tcp destport-single <port#>	Select and edit the destination port of a packet which comply to this rule. For non-consecutive port numbers, the user may repeat this command line to enter the multiple port numbers.
					tcp destport-range <start port#> <end port#>	Select and edit a destination port range of a packet which comply to this rule.
					udp destport-single <port#>	Select and edit the destination port of a packet which comply to this rule. For non-consecutive port numbers, users may repeat this command line to enter the multiple port numbers.
					udp destport-range <start port#> <end port#>	Select and edit a destination port range of a packet which comply to this rule.
					desport-custom <desired custom port name>	Type in the desired custom port name
	delete	firewall	e-mail			Remove all email alert settings
			attack			Reset all alert settings to defaults
			set <set#>			Remove a specified set from the firewall configuration
			set <set#>	rule <rule#>		Remove a specified rule in a set from the firewall configuration

IPSec Related CI Commands

ipsec	.	.	.	.
.	debug	<1\|0>	.	turn on\|off trace for IPsec debug information
.	ipsec_log_disp	.	.	show IPSec log, same as menu 27.3
.	route	dmz	<on\|off>	After a packet is IPSec processed and will be sent to DMZ side, this switch is to control if this packet can be applied IPSec again. Remark: Command available since 3.50(WA.3)
.	.	lan	<on\|off>	After a packet is IPSec processed and will be sent to LAN side, this switch is to control if this packet can be applied IPSec again. Remark: Command available since 3.50(WA.3)
.	.	wan	<on\|off>	After a packet is IPSec processed and will be sent to WAN side, this switch is to control if this packet can be applied IPSec again. Remark: Command available since 3.50(WA.3)
..	show_runtime	sa	.	display runtime phase 1 and phase 2 SA information
.	..	spd	..	When a dynamic rule accepts a request and a tunnel is established, a runtime SPD is created according to peer local IP address. This command is to show these runtime SPD.
..	switch	<on\|off>	.	As long as there exists one active IPSec rule, all packets will run into IPSec process to check SPD. This switch is to control if a packet should do this. If it is turned on, even there exists active IPSec rules, packets will not run IPSec process.
.	timer	chk_my_ip	<1~3600>	- Adjust timer to check if WAN IP in menu is changed - Interval is in seconds - Default is 10 seconds - 0 is not a valid value
..	..	chk_conn.	<2~255>	- Adjust auto-timer to check if any IPsec connection has no traffic for certain period. If yes, system will disconnect it. - Interval is in minutes - Default is 2 minuets - 0 means never timeout
.	..	update_peer	<5~255>	- Adjust auto-timer to update IPSec rules which use domain name as the secure gateway IP. - Interval is in minutes - Default is 30 minutes - 0 means never update Remark: Command available since 3.50(WA.3)
.	updatePeerIp	....	..	Force system to update IPSec rules which use domain name as the secure gateway IP right away. Remark: Command available since 3.50(WA.3)
.	dial	<rule #>	..	Initiate IPSec rule <#> from Prestige box Remark: Command available since 3.50(WA.3)