Profiles management
address-port pair
The command specifies a bundle (pair) of an IP address and a TCP/UDP port.
The use of a negative form (no) of the command removes an entry from a configured profile.
Syntax
[no] address-port pair <ADDR>:<PORT>
Parameters
<ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
<PORT> – port number, takes values of [1..65535].
Required privilege level
10
Command mode
CONFIG-OBJECT-GROUP-ADDRESS-PORT
Example
esr(config-object-group-address-port)# address-port pair 192.168.1.1:23
application
The command specifies the applications that are covered by the profile.
The use of a negative form (no) of the command removes an application from the current profile.
Syntax
[no] application <APPLICATION>
Parameters
<APPLICATION> – specifies the application covered by this profile.
May take the following values:
- afp – Apple Filing Protocol;
- amazon – Amazon Data Services;
- amqp – Advanced Message Queuing Protocol;
- apple – Apple Inc.;
- apple-icloud – Apple iCloud;
- apple-itunes – Apple iTunes;
- applejuice – Applejuice P2P;
- avi – AVI content in HTTP payload;
- ayiya – Anything In Anything;
- battlefield – Battlefield;
- bgp – Border Gateway Protocol;
- bittorrent – BitTorrent;
- bjnp – Canon BJNP protocol;
- cisco-skinny – Cisco Skinny;
- cisco-vpn – Cisco VPN;
- citrix – Citrix;
- citrix-online – Citrix-online;
- cloudflare – Cloudflare Inc.;
- coap – Constrained Application Protocol;
- collectd – Collectd;
- corba – Common Object Request Broker Architecture;
- dce-rpc – Distributed Computing Environment / Remote Procedure Calls;
- deezer – Deezer (music streaming service);
- dhcp – Dynamic Host Configuration Protocol;
- dhcpv6 – IPv6 Dynamic Host Configuration Protocol;
- directconnect – Direct Connect;
- dns – Domain Name System;
- dnscrypt – DNSCrypt;
- drda – Distributed Relational Database Architecture;
- dropbox – Dropbox;
- ebay – eBay;
- edonkey – eDonkey;
- egp – Exterior Gateway Protocol;
- epp – Extensible Provisioning Protocol.
Required privilege level
10
Command mode
CONFIG-OBJECT-GROUP-APPLICATION
Example
esr(config-object-group-application)# application egp
category
This command is used to set the content filtering category.
The use of a negative form (no) of the command removes a specified category.
Syntax
[no] category <CATEGORY>
Parameters
<CATEGORY> – category name. May take the following values:
- abortions – abortion related content.
- addictions – alcohol, tobacco and drugs related content.
- ads – teaser network websites, advertising services, contextual advertising services, advertising agencies.
- adult-content – adult content. Pornographic and erotic content, nudity.
- adult-dating – adult dating websites.
- adware – content related to software that downloads or displays unwanted advertising, collects marketing data.
- alcohol – sale of alcohol, discussion, articles on the subject.
- animals – content related to pets and animals. Articles and discussions.
- anonymizers – web anonymizers and proxy servers.
- anorexia – content related to anorexia and its promotion.
- banks – bank websites.
- beauty – content related to beauty, health and wellness.
- blogs – blogs and blog hostings.
- books – online libraries, bookstores, book reviews.
- business – web pages of commercial firms, business associations, industry groups and corporate websites in general.
- casino – content related to casino and card games.
- chats – web chats, forums, instant messaging.
- commerce – content related to online transactions and commerce.
- communication – content and services related to communication.
- cultural-heritage – web pages containing information about and promoting the visual arts, performing arts, and cultural heritage.
- culture – content related to culture and society.
- cryptocurrency – web pages about cryptocurrency and cryptomining software.
- dating – dating services. Does not include adult dating services.
- discrimination – content related to hatred and discrimination.
- downloads – software, audio or video content downloads.
- dyn-dns – resources providing dynamic DNS service.
- educational-institutions – school and university websites.
- education – education related content.
- electronics – web pages with content related to consumer electronics.
- email – email web services.
- encyclopedias – educational portals, knowledge bases, encyclopedias.
- extremist-materials – content from the Federal List of Extremist Materials of the Russian Federation.
- family – content related to home and family. Related stores.
- fashion – fashion and style related content.
- file-sharing – file sharing sites and services.
- finance – web pages containing information about finance and the national economy.
- food – food related content.
- gambling – content and services related to gambling, lotteries, sweepstakes.
- games – content related to games.
- government – government websites, political parties, laws, and law firms.
- health – content related to health, medicine, healthy lifestyles, diets, vegetarians.
- hobbies – content related to hobbies and entertainment.
- hosting – hosting and domain registration services, whois services, domain sellers.
- humour – humorous content.
- hunting – content related to hunting and fishing.
- illegal-content – content that is prohibited by Russian law.
- internet-services – sites of global and local Internet service providers.
- it – content related to information technology.
- it-security – web pages containing information about IT security, including websites that provide security products and services to corporate and home users.
- kids-internet – child content.
- lgbt – lesbian, gay, bisexual and transgender (LGBT) content.
- lingerie – content depicting underwear.
- magic – content related to esotericism, astrology, horoscopes, divination, chiromancy, ufology, magic.
- malware – malicious resources or malware download URLs.
- military – content related to weapons or military equipment.
- motor-vehicles – web pages with content about automobile vehicles.
- music – music related content.
- narcotics – narcotics. Sales, production, discussion.
- news – news and media websites.
- nudism – nudism and exhibitionism, related communities.
- online-betting – online betting services. Betting on horse racing and sports.
- online-lotteries – online lotteries.
- online-payments – online payment and online banking services.
- pharmacy – content related to pharmacy, legal drugs, and medical supplements.
- phishing – phishing websites.
- porno – pornographic and erotic content, nudity.
- profane-language – content with profanity.
- racism – extremist and racist content.
- rat-node – resources with software for remote administration.
- recruitment – recruitment, hiring and employment websites.
- religion – content related to religious associations, organizations, cults and sects.
- rental-services – real estate rental services.
- riskware – content related to legitimate programs that can cause damage if used by malicious users.
- roskomnadzor – content blacklisted by Roskomnadzor.
- searchers – search engines and services.
- sex-education – content related to sex education.
- sex-shops – sex shops and sex toys.
- shops – online stores and auctions.
- social-networks – social networks.
- spam – sites specifically created for spam purposes and/or found in spam emails.
- sport – content related to sports and bodybuilding.
- streams – video and audio hosting, downloads, streaming.
- self-damage – content related to suicide, self-harm, and self-mutilation.
- tobacco – tobacco sales, discussion.
- torrent – torrent trackers and forums, including protocol specifications and software.
- tor – Tor network nodes.
- traveling – travel related content.
- tv-radio – content related to television and radio.
- uncategorized – content that does not fall into any category.
- violence – physical or psychological violence, cruelty to animals.
- weapons – content relating to weapons, explosives and pyrotechnic products.
- 436-fz – content prohibited by Federal Law of the Russian Federation No. 436-FZ.
Required privilege level
10
Command mode
CONFIG-OBJECT-GROUP-CF-KASPERSKY
Example
esr(config-object-group-cf-kaspersky)# category books
description
The command is used to change a profile description.
The use of a negative form (no) of the command removes a profile description.
Syntax
description <DESCRIPTION>
no description
Parameters
<DESCRIPTION> – profile description, set by the string of up to 255 characters.
Required privilege level
10
Command mode
CONFIG-OBJECT-GROUP-NETWORK
CONFIG-OBJECT-GROUP-SERVICE
CONFIG-OBJECT-GROUP-MAC
CONFIG-OBJECT-GROUP-APPLICATION
CONFIG-OBJECT-GROUP-URL
CONFIG-OBJECT-GROUP-ADDRESS-PORT
CONFIG-OBJECT-GROUP-CONTENT-FILTER
CONFIG-OBJECT-GROUP-MAIL
Example
Set the description for IP addresses profile:
esr(config-object-group-network)# description "Internal addresses"
email
The command is used to specify a mail domain or mailbox address.
The use of a negative form (no) of the command removes an entry from a configured profile.
Syntax
[no] email <NAME>
Parameters
<NAME> – mail domain or mailbox addresses, specified by a string of 1 to 63 characters.
Required privilege level
10
Command mode
CONFIG-OBJECT-GROUP-MAIL
Example
esr(config-object-group-email)# email eltex@eltex-co.ru
esr(config-object-group-email)# email eltex-co.ru
ip address-range
The command specifies a range of IP addresses.
The use of a negative form (no) of the command removes an entry from a configured profile.
Syntax
[no] ip address-range <FROM-ADDR>[-<TO-ADDR>]
Parameters
<FROM-ADDR> – range starting IP address;
<TO-ADDR> – range ending IP address, optional parameter. If the parameter is not specified, a single IP address is set by the command.
The addresses are defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].
You can specify up to 64 different IP ranges within one address group for ESR-20/21/100/200/1000/1200/1500/1700.
You can specify up to 6 different IP ranges within one address group for ESR-10/12V/12VF/14VF.
Required privilege level
10
Command mode
CONFIG-OBJECT-GROUP-NETWORK
Example
esr(config-object-group-network)# ip address-range 192.168.1.1-192.168.1.25
ip prefix
The command specifies a subnet.
The use of a negative form (no) of the command removes a specified subnet.
Syntax
[no] ip prefix <ADDR/LEN>
Parameters
<ADDR/LEN> – IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].
Required privilege level
10
Command mode
CONFIG-OBJECT-GROUP-NETWORK
Example
esr(config-object-group-network)# ip prefix 10.10.10.0/24
ipv6 address-range
The command specifies a range of IPv6 addresses. The use of a negative form (no) of the command removes an entry from a configured profile.
Syntax
[no] ipv6 address-range <FROM-ADDR>[-<TO-ADDR>]
Parameters
<FROM-ADDR> – range starting IPv6 address.
<TO-ADDR> – range ending IPv6 address, optional parameter. If the parameter is not specified, a single IPv6 address is set by the command.
The addresses are defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].
You can specify up to 64 different IP ranges within one address group for ESR-20/21/100/200/1000/1200/1500/1700.
You can specify up to 6 different IP ranges within one address group for ESR-10/12V/12VF/14VF.
Required privilege level
10
Command mode
CONFIG-OBJECT-GROUP-NETWORK
Example
esr(config-object-group-network)# ipv6 address-range fc00::1:1-fc00:1::32
ipv6 prefix
The command specifies an IPv6 subnet.
The use of a negative form (no) of the command removes a specified subnet.
Syntax
[no] ipv6 prefix <IPV6-ADDR/LEN>
Parameters
<IPV6-ADDR/LEN> – IP address and mask of a subnet, defined as X:X:X:X::X/EE where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128].
Required privilege level
10
Command mode
CONFIG-OBJECT-GROUP-NETWORK
Example
esr(config-object-group-network)# ipv6 prefix fc00::/126
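The entry syntax and per-model limits given above for ip address-range, ip prefix, ipv6 address-range and ipv6 prefix can be checked offline before a profile is applied. The Python linter below is an added example, not Eltex code; it assumes entries arrive one per line as typed in profile mode, that IPv4 and IPv6 ranges count together toward the per-group limit, and that a reversed range is an error.

```python
import ipaddress

# Per-group range limits and the models they apply to, as listed on this page.
RANGE_LIMITS = {
    64: "ESR-20 ESR-21 ESR-100 ESR-200 ESR-1000 ESR-1200 ESR-1500 ESR-1700",
    6: "ESR-10 ESR-12V ESR-12VF ESR-14VF",
}

# Constructed sample: entries as typed in config-object-group-network mode.
SAMPLE = """\
ip address-range 192.168.1.1-192.168.1.25
ip address-range 10.0.0.50-10.0.0.5
ip address-range 172.16.0.7
ip prefix 10.10.10.0/24
ip prefix 10.10.10.0/0
ipv6 address-range fc00::1:1-fc00:1::32
ipv6 prefix fc00::/126
"""


def range_limit(model):
    """Maximum number of ranges per address group for the given ESR model."""
    for limit, models in RANGE_LIMITS.items():
        if model in models.split():
            return limit
    raise ValueError("no range limit listed for %s" % model)


def lint_network_group(text, model="ESR-200"):
    """Return (findings, range_count); findings are (line_no, message) tuples."""
    findings, ranges, limit = [], 0, range_limit(model)
    for n, line in enumerate(text.splitlines(), 1):
        words = line.split()
        if len(words) != 3 or words[0] not in ("ip", "ipv6"):
            findings.append((n, "unrecognised entry"))
            continue
        version = 4 if words[0] == "ip" else 6
        kind, value = words[1], words[2]
        try:
            if kind == "address-range":
                ranges += 1
                first, sep, last = value.partition("-")
                lo = ipaddress.ip_address(first)
                hi = ipaddress.ip_address(last) if sep else lo
                if {lo.version, hi.version} != {version}:
                    findings.append((n, "address family mismatch"))
                elif hi < lo:
                    findings.append((n, "range end precedes range start"))
            elif kind == "prefix":
                addr, _, length = value.partition("/")
                max_len = 32 if version == 4 else 128
                if ipaddress.ip_address(addr).version != version:
                    findings.append((n, "address family mismatch"))
                elif not 1 <= int(length) <= max_len:
                    findings.append((n, "prefix length outside [1..%d]" % max_len))
            else:
                findings.append((n, "unrecognised entry"))
        except ValueError:
            findings.append((n, "malformed address or length"))
    if ranges > limit:  # reported against line 0, i.e. the group as a whole
        findings.append((0, "%d ranges exceed the limit of %d for %s" % (ranges, limit, model)))
    return findings, ranges
```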
mac address
The command specifies a range of MAC addresses.
The use of a negative form (no) of the command removes an entry from a configured profile.
Syntax
[no] mac address <MAC-ADDR> <MAC-MASK>
Parameters
<MAC-ADDR> – MAC address, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF];
<MAC-MASK> – MAC address mask, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF]. Mask bits set to zero mark the MAC address bits that are excluded from the comparison when searching. Mask default value: FF:FF:FF:FF:FF:FF.
Required privilege level
10
Command mode
CONFIG-OBJECT-GROUP-MAC
Example
esr(config-object-group-mac)# mac address a8:f9:4b:80:e7:00 FF:FF:FF:FF:FF:00
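The mask semantics described for <MAC-MASK> determine how many hosts a single entry admits into a MAC-based VLAN. The Python sketch below is an added example, not Eltex code: it applies the masked comparison stated on this page and reports how wide an entry is; the function names and the max_covered review threshold are assumptions made for illustration.

```python
import re

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
DEFAULT_MASK = "FF:FF:FF:FF:FF:FF"  # default mask value stated on the page


def mac_to_int(text):
    """Parse XX:XX:XX:XX:XX:XX into a 48-bit integer."""
    if not MAC_RE.fullmatch(text):
        raise ValueError("expected XX:XX:XX:XX:XX:XX, got %r" % text)
    return int(text.replace(":", ""), 16)


def mac_matches(candidate, address, mask=DEFAULT_MASK):
    """True if candidate equals address on every bit that is 1 in mask."""
    m = mac_to_int(mask)
    return (mac_to_int(candidate) & m) == (mac_to_int(address) & m)


def covered_addresses(mask):
    """How many distinct MAC addresses a single entry with this mask matches."""
    zero_bits = 48 - bin(mac_to_int(mask)).count("1")
    return 2 ** zero_bits


def audit_entry(address, mask=DEFAULT_MASK, max_covered=256):
    """Return review warnings for one 'mac address <MAC-ADDR> <MAC-MASK>' entry.

    max_covered is a hypothetical review threshold, not a device limit.
    """
    warnings = []
    if mac_to_int(address) & ~mac_to_int(mask) & 0xFFFFFFFFFFFF:
        warnings.append("address bits under zero mask bits are not compared")
    if covered_addresses(mask) > max_covered:
        warnings.append("entry matches %d addresses" % covered_addresses(mask))
    return warnings


if __name__ == "__main__":
    entry = ("a8:f9:4b:80:e7:00", "FF:FF:FF:FF:FF:00")  # entry from the page's example
    for mac in ("a8:f9:4b:80:e7:3c", "a8:f9:4b:80:e8:00"):  # constructed candidates
        print(mac, mac_matches(mac, *entry))
    print(covered_addresses(entry[1]))
    print(audit_entry("a8:f9:4b:80:e7:01", "FF:FF:FF:00:00:00"))
```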
object-group address-port
This command creates a profile of bundles of IP addresses and TCP/UDP ports. Profiles are used to configure services that work with pools of IP addresses and TCP/UDP ports – NAT, Firewall.
The use of a negative form (no) of the command removes the IP address profile.
Syntax
[no] object-group address-port <NAME>
Parameters
<NAME> – name of the profile of IP address and TCP/UDP port bundles, specified by a string of up to 31 characters. The use of a negative form (no) of the command with the 'all' parameter removes all IP address profiles.
Required privilege level
10
Command mode
CONFIG
Example
Create a profile of IP address and TCP/UDP port bundles named WEB and switch to profile configuration mode:
esr(config)# object-group address-port WEB
object-group application
The command is used to create an application profile. The profile is used for application-based filtering (DPI).
The use of a negative form (no) of the command removes the profile.
Syntax
[no] object-group application <NAME>
Parameters
<NAME> – application profile name, set by a string of up to 31 characters. When removing, you can use the 'all' key instead of the name; with the 'all' key, all application profiles are removed.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# object-group application OGA045
object-group content-filter
This command is used to create a content filtering category profile. This profile is used in a set of custom rules.
The use of a negative form (no) of the command removes the profile.
Syntax
[no] object-group content-filter <NAME>
Parameters
<NAME> – name of the content filtering profile, specified as a string of up to 31 characters. When removing, you can use the 'all' key instead of the name; with the 'all' key, all content filtering profiles are removed.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# object-group content-filter OGC042
object-group email
This command is used to create a profile of mail domains and mailbox addresses. This profile is used in the "Antispam" service profile rules.
The use of a negative form (no) of the command removes the profile.
Syntax
[no] object-group email <NAME>
Parameters
<NAME> – name of the profile of mail domains and mailbox addresses, specified by a string of up to 31 characters. When removing, you can use the 'all' key instead of the name; with the 'all' key, all profiles of mail domains and mailbox addresses are removed.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# object-group email chinese_spammers
object-group mac
The command is used to create a MAC address profile. The profile is used in MAC-based VLAN.
The use of a negative form (no) of the command removes the profile.
Syntax
[no] object-group mac <NAME>
Parameters
<NAME> – MAC address profile name, set by a string of up to 31 characters. When removing, you can use the 'all' key instead of the name; with the 'all' key, all MAC address profiles are removed.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# object-group mac OGM007
object-group network
The command is used to create an IP address profile. The profiles are used to configure services operating with IP address pools (for example, NAT, Firewall, Remote-Access), as well as to create a prefix list.
The use of a negative form (no) of the command removes the IP address profile.
Syntax
[no] object-group network <NAME>
Parameters
<NAME> – name of the configured IP address profile, set by a string of up to 31 characters. The use of a negative form (no) of the command with the 'all' parameter removes all IP address profiles.
Required privilege level
10
Command mode
CONFIG
Example
Create an IP address profile named remote and switch to profile configuration mode:
esr(config)# object-group network remote
object-group service
The command creates a TCP/UDP port profile. The profile is used in NAT and Firewall service rules.
The use of a negative form (no) of the command removes the profile.
Syntax
[no] object-group service <NAME>
Parameters
<NAME> – port profile name, set by a string of up to 31 characters. The use of a negative form (no) of the command with the 'all' parameter removes all TCP/UDP port profiles.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# object-group service ssh
object-group url
The command is used to create a URL link profile.
The use of a negative form (no) of the command removes the profile.
Syntax
[no] object-group url <NAME>
Parameters
<NAME> – URL profile name, set by a string of up to 31 characters. The use of a negative form (no) of the command with the 'all' parameter removes all URL link profiles.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# object-group url vk
port-range
The command specifies the range of TCP/UDP ports related to the profile.
The use of a negative form (no) of the command removes an entry from a configured profile.
Syntax
port-range <PORT>
no port-range [<PORT> | all]
Parameters
<PORT> – port number, takes values of [1..65535].
You can specify several ports separated by commas ',' or you can specify the range of ports with '-'. Example of the record: <PORT>, <PORT> or <PORT>-<PORT> or <PORT>-<PORT>, <PORT>-<PORT>.
Required privilege level
10
Command mode
CONFIG-OBJECT-GROUP-SERVICE
Example
esr(config-object-group-service)# port-range 22
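When reviewing what a service profile exposes to NAT and Firewall rules, it helps to expand the comma and hyphen notation described above into explicit spans. The Python parser below is an added example, not Eltex code; it assumes whitespace around commas and hyphens is tolerated, treats a reversed range as an error, and uses a constructed watchlist built from the ssh and telnet ports that appear on this page.

```python
import re

ITEM_RE = re.compile(r"\s*(\d+)\s*(?:-\s*(\d+)\s*)?", re.ASCII)

# Constructed watchlist: ports of the 'ssh' and 'telnet' services seen on this page.
WATCHLIST = {22: "ssh", 23: "telnet"}


def parse_port_range(spec):
    """Parse '<PORT>' and '<PORT>-<PORT>' items separated by commas.

    Returns merged, sorted (low, high) tuples; raises ValueError on bad input.
    """
    spans = []
    for item in spec.split(","):
        match = ITEM_RE.fullmatch(item)
        if not match:
            raise ValueError("not a port or port range: %r" % item.strip())
        low = int(match.group(1))
        high = int(match.group(2) or match.group(1))
        if not (1 <= low <= 65535 and 1 <= high <= 65535):
            raise ValueError("port outside [1..65535]: %r" % item.strip())
        if high < low:
            raise ValueError("range end below range start: %r" % item.strip())
        spans.append((low, high))
    spans.sort()
    merged = [spans[0]]
    for low, high in spans[1:]:
        last_low, last_high = merged[-1]
        if low <= last_high + 1:  # overlapping or adjacent: fold together
            merged[-1] = (last_low, max(last_high, high))
        else:
            merged.append((low, high))
    return merged


def port_count(spec):
    """Total number of distinct ports the specification covers."""
    return sum(high - low + 1 for low, high in parse_port_range(spec))


def watched_ports(spec, watchlist=WATCHLIST):
    """Names of watchlisted services whose port falls inside the specification."""
    spans = parse_port_range(spec)
    return sorted(name for port, name in watchlist.items()
                  if any(low <= port <= high for low, high in spans))


if __name__ == "__main__":
    spec = "20-25, 80, 8000-8080, 8081-8090"  # constructed input
    print(parse_port_range(spec), port_count(spec), watched_ports(spec))
```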
regexp
This command describes a URL link pattern.
The use of a negative form (no) of the command removes a URL link pattern.
Syntax
regexp <REGEXP>
no regexp {<REGEXP>|all}
Parameters
<REGEXP> – regular expression, specified by a string of up to 255 characters. The '\' character must be escaped.
all – the key used to delete all created rules.
Default value
Pattern is not created.
Required privilege level
10
Command mode
CONFIG-OBJECT-GROUP-URL
Example
esr(config-object-group-url)# regexp '^http:\/\/site\.ru'
show object-group
The command displays information on IP addresses and TCP/UDP ports profiles.
Syntax
show object-group <PROFILE_TYPE> [<NAME>]
Parameters
<PROFILE_TYPE> – profile type:
- network – IP addresses profile;
- service – TCP/UDP ports profile;
<NAME> – profile name, set by the string of up to 31 characters, optional parameter. If profile name is not specified, information on all IP addresses and TCP/UDP ports profiles will be displayed.
Required privilege level
1
Command mode
ROOT
Example
esr# show object-group network
Network                            Description
--------------------------------   --------------------------------
remote                             --
local                              --
tunnel                             --
esr# show object-group network remote
IP Addresses
--------------------------------
10.102.0.0/16
esr# show object-group service
Service                            Description
--------------------------------   --------------------------------
telnet                             --
ssh                                --
dhcp_server                        --
dhcp_client                        --
ntp                                --
esr# show object-group service ssh
Port ranges
--------------------------------
22
url
The command specifies a URL link.
The use of a negative form (no) of the command removes a link from a configured profile.
Syntax
url <URL>
no url [ <URL> | all ]
Parameters
<URL> – text field containing a URL link, 8 to 255 characters long.
When the 'all' key is used with the negative form, all previously added URL links are removed.
Required privilege level
10
Command mode
CONFIG-OBJECT-GROUP-URL
Example
esr(config-object-group-url)# url https://vk.com
vendor
This command is used to set the content filtering category provider.
The use of a negative form (no) of the command removes the content filtering categories of this vendor.
Syntax
[no] vendor <CONTENT-FILTER-VENDOR>
Parameters
<CONTENT-FILTER-VENDOR> – name of the content filtering category provider. Takes the following values:
- Kaspersky-Lab – in the current version of the software, only Kaspersky Lab can act as a content filtering category provider.
Required privilege level
10
Command mode
CONFIG-OBJECT-GROUP-CONTENT-FILTER
Example
esr(config-object-group-content-filter)# vendor kaspersky-lab