Profiles management

address-port pair

The command is used to set the bundle of IP addresses and TCP/UDP port.

The use of a negative form (no) of the command removes an entry from a configured profile.

Syntax

[no] address-port pair < ADRR >:< PORT >

Parameters

<ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<PORT> – port number, takes values of [1..65535].

Required privilege level

10

Command mode

CONFIG-OBJECT-GROUP-ADDRESS-PORT

Example

esr(config-object-group-address-port)# address-port pair 192.168.1.1:23

application

The command specifies the applications that are covered by the profile.

The use of a negative form (no) of the command removes an application from the current profile.

Syntax

[no] application < APPLICATION >

Parameters

<APPLICATION> – specifies the application covered by this profile.

May take the following values:

• afp – Apple Filing Protocol;
• amazon – Amazon Data Services;
• amqp – Advanced Message Queuing Protocol;
• apple – Apple Inc.;
• apple-icloud – Apple iCloud;
• apple-itunes – Apple iTunes;
• applejuice – Applejuice P2P;
• avi – AVI content in HTTP payload;
• ayiya – Anything In Anything;
• battlefield – Battlefield;
• bgp – Border Gateway Protocol;
• bittorrent – BitTorrent;
• bjnp – Canon BJNP protocol;
• cisco-skinny – Cisco Skinny;
• cisco-vpn – Cisco VPN;
• citrix – Citrix;
• citrix-online – Citrix-online;
• cloudflare – Cloudflare Inc.;
• coap – Constrained Application Protocol;
• collectd – Collectd;
• corba – Common Object Request Broker Architecture;
• dce-rpc – Distributed Computing Environment / Remote Procedure Calls;
• deezer – Deezer (music streaming service);
• dhcp – Dynamic Host Configuration Protocol;
• dhcpv6 – IPv6 Dynamic Host Configuration Protocol;
• directconnect – Direct Connect;
• dns – Domain Name System;
• dnscrypt – DNSCrypt;
• drda – Distributed Relational Database Architecture;
• dropbox – Dropbox;
• ebay – eBay;
• edonkey – eDonkey;
• egp – Exterior Gateway Protocol;
• epp – Extensible Provisioning Protocol.

Required privilege level

10

Command mode

CONFIG-OBJECT-GROUP-APPLICATION

Example

esr(config-object-group-application)# application egp

category

This command is used to set the content filtering category.

The use of a negative form (no) of the command removes a specified category.

Syntax

[no] category <CATEGORY>

Parameters

<CATEGORY> – category name. May take the following values:

• abortions – abortion related content.
• addictions – alcohol, tobacco and drugs related content.
• ads – teaser network websites, advertising services, contextual advertising services, advertising agencies.
• adult-content – adult content. Pornographic and erotic content, nudity.
• adult-dating – adult dating websites.
• adware – content related to software that downloads or displays unwanted advertising, collects marketing data.
• alcohol – sale of alcohol, discussion, articles on the subject.
• animals – content related to pets and animals. Articles and discussions.
• anonymizers – web anonymizers and proxy servers.
• anorexia – content related to anorexia and its promotion.
• banks – bank websites.
• beauty – content related to beauty, health and wellness.
• blogs – blogs and blog hostings.
• books – online libraries, bookstores, book reviews. 
• business – web pages of commercial firms, business associations, industry groups and corporate websites in general.
• casino – content related to casino and card games.
• chats – web chats, forums, instant messaging.
• commerce – content related to online transactions and commerce.
• communication – content and services related to communication.
• cultural-heritage – web pages containing information about and promoting the visual arts, performing arts, and cultural heritage.
• culture – content related to culture and society.
• cryptocurrency – web pages about cryptocurrency and cryptomining software.
• dating – dating services. Does not include adult dating services.
• discrimination – content related to hatred and discrimination.
• downloads – software, audio or video content downloads.
• dyn-dns – resource provides dynamic DNS service.
• educational-institutions – school and university websites.
• education – education related content.
• electronics – web pages with content related to consumer electronics.
• email – email web services.
• encyclopedias – educational portals, knowledge bases, encyclopedias.
• extremist-materials – content from the Federal List of Extremist Materials of the Russian Federation.
• family – content related to home and family. Related stores.
• fashion – fashion and style related content.
• file-sharing – file sharing sites and services.
• finance – web pages containing information about finance and the national economy.
• food – food related content.
• gambling – content and services related to gambling, lotteries, sweepstakes.
• games – content related to games.
• government – government websites, political parties, laws, and law firms.
• health – content related to health, medicine, healthy lifestyles, diets, vegetarians.
• hobbies – content related to hobbies and entertainment.
• hosting – hosting and domain registration services, whois services, domain sellers.
• humour – humorous content.
• hunting – content related to hunting and fishing.
• illegal-content – content that is prohibited by Russian law.
• internet-services – sites of global and local Internet service providers.
• it – content related to information technology.
• it-security – web pages containing information about IT security, including websites that provide security products and services to corporate and home users.
• kids-internet – child content.
• lgbt – lesbian, gay, bisexual and transgender (LGBT) content.
• lingerie – content depicting underwear.
• magic – content related to esotericism, astrology, horoscopes, divination, chiromancy, ufology, magic.
• malware – malicious resources or malware download URLs.
• military – content related to weapons or military equipment.
• motor-vehicles – web pages with content about automobile vehicles.
• music – music related content.
• narcotics – narcotics. Sales, production, discussion.
• news – news and media websites.
• nudism – nudism and exhibitionism, related communities.
• online-betting – online betting services. Betting on horse racing and sports.
• online-lotteries – online lotteries.
• online-payments – online payment and online banking services.
• pharmacy – content related to pharmacy, legal drugs, and medical supplements.
• phishing – phishing websites.
• porno – pornographic and erotic content, nudity.
• profane-language – content with profanity.
• racism – extremist and racist content.
• rat-node – resources with software for remote administration.
• recruitment – recruitment, hiring and employment websites.
• religion – content related to religious associations, organizations, cults and sects.
• rental-services – real estate rental services.
• riskware – content related to legitimate programs that can cause damage if used by malicious users.
• roskomnadzor – content blacklisted by Roskomnadzor.
• searchers – search engines and services.
• sex-education – content related to sex education.
• sex-shops – sex shops and sex toys.
• shops – online stores and auctions.
• social-networks – social networks.
• spam – sites specifically created for spam purposes and/or found in spam emails.
• sport – content related to sports and bodybuilding.
• streams – video and audio hosting, downloads, streaming.
• self-damage – content has to do with suicide, self-harm, and self-mutilation.
• tobacco – tobacco sales, discussion.
• torrent – torrent trackers and forums, including protocol specifications and software.
• tor – Tor network nodes.
• traveling – travel related content.
• tv-radio – content related to television and radio.
• uncategorized – content that does not fall into any category.
• violence – physical or psychological violence, cruelty to animals.
• weapons – content relating to weapons, explosives and pyrotechnic products.
• 436-fz – content prohibited by Federal Law of the Russian Federation No. 436-FZ.

Required privilege level

10

Command mode

CONFIG-OBJECT-GROUP-CF-KASPERSKY

Example

esr(config-object-group-cf-kaspersky)# category books

description

The command is used to change a profile description.

The use of a negative form (no) of the command removes a profile description.

Syntax

description <DESCRIPTION>

no description

Parameters

<DESCRIPTION> – profile description, set by the string of up to 255 characters.

Required privilege level

10

Command mode

CONFIG-OBJECT-GROUP-NETWORK

CONFIG-OBJECT-GROUP-SERVICE

CONFIG-OBJECT-GROUP-MAC

CONFIG-OBJECT-GROUP-APPLICATION

CONFIG-OBJECT-GROUP-URL

CONFIG-OBJECT-GROUP-ADDRESS-PORT

CONFIG-OBJECT-GROUP-CONTENT-FILTER

CONFIG-OBJECT-GROUP-MAIL

Example

Set the description for IP addresses profile:

esr(config-object-group-network)# description "Internal addresses"

email

The command is used to specify a mail domain or mailbox address.

The use of a negative form (no) of the command removes an entry from a configured profile.

Syntax

[no] email <NAME>

Parameters

<NAME> – mail domain or mailbox addresses, specified by a string of 1 to 63 characters.

Required privilege level

10

Command mode

CONFIG-OBJECT-GROUP-MAIL

Example

esr(config-object-group-email)# email eltex@eltex-co.ru
esr(config-object-group-email)# email eltex-co.ru

ip address-range

The command specifies IP addresses range.

The use of a negative form (no) of the command removes an entry from a configured profile.

Syntax

[no] ip address-range <FROM-ADDR>[-<TO-ADDR>]

Parameters

<FROM-ADDR> – range starting IP address;

<TO-ADDR> – range ending IP address, optional parameter; If the parameter is not specified, a single IP address is set by the command.

The addresses are defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

You can specify up to 64 different IP ranges within one address group for ESR-20/21/100/200/1000/1200/1500/1700

You can specify up to 6 different IP ranges within one address group for ESR-10/12V/12VF/14VF

Required privilege level

10

Command mode

CONFIG-OBJECT-GROUP-NETWORK

Example

esr(config-object-group-network)# ip address-range 192.168.1.1 192.168.1.25

ip prefix

The command specifies a subnet.

The use of a negative form (no) of the command removes a specified subnet.

Syntax

[no] ip prefix <ADDR/LEN>

Parameters

<ADDR/LEN> – IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

Required privilege level

10

Command mode

CONFIG-OBJECT-GROUP-NETWORK

Example

esr(config-object-group-network)# ip prefix 10.10.10.0/24    

ipv6 address-range

The command specifies IPv6 addresses range. The use of a negative form (no) of the command removes an entry from a configured profile.

Syntax

[no] ipv6 address-range <FROM-ADDR>[-<TO-ADDR>]

Parameters

<FROM-ADDR> – range starting IPv6 address.

<TO-ADDR> – range ending IPv6 address, optional parameter. If the parameter is not specified, a single IPv6 address is set by the command.

The addresses are defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

You can specify up to 64 different IP ranges within one address group for ESR-20/21/100/200/1000/1200/1500/1700

You can specify up to 6 different IP ranges within one address group for ESR-10/12V/12VF/14VF

Required privilege level

10

Command mode

CONFIG-OBJECT-GROUP-NETWORK

Example

esr(config-object-group-network)# ipv6 address-range fc00::1:1-fc00:1::32

ipv6 prefix

The command specifies IPv6 subnet.

The use of a negative form (no) of the command removes a specified subnet.

Syntax

[no] ipv6 prefix <IPV6-ADDR/LEN>

Parameters

<IPV6-ADDR/LEN> – IP address and mask of a subnet, defined as X:X:X:X::X/EE where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128].

Required privilege level

10

Command mode

CONFIG-OBJECT-GROUP-NETWORK

Example

esr(config-object-group-network)# ipv6 prefix fc00::/126     

mac address

The command specifies MAC addresses range.

The use of a negative form (no) of the command removes an entry from a configured profile.

Syntax

[no] mac address <MAC-ADDR> <MAC-MASK>

Parameters

<MAC-ADDR> – MAC address, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF];

<MAC-MASK> – MAC address mask, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF]. Mask bits, set to zero, specify MAC address bits excluded from the comparison when searching. Mask default value: FF:FF:FF:FF:FF:FF.

Required privilege level

10

Command mode

CONFIG-OBJECT-GROUP-MAC

Example

esr(config-object-group-mac)# mac address a8:f9:4b:80:e7:00 FF:FF:FF:FF:FF:00

object-group address-port

This command creates a profile of bundles of IP addresses and TCP/UDP ports. Profiles are used to configure services that work with pools of IP addresses and TCP/UDP ports – NAT, Firewall.

The use of a negative form (no) of the command removes IP address profile.

Syntax

[no] object-group address-port <NAME>

Parameters

<NAME> – the name of the configured profile of IP address bundles and TCP/UDP ports is specified by a string of up to 31 characters.  The use of a negative form (no) of the command with «all» parameter removes all IP address profiles.

Required privilege level

10

Command mode

CONFIG

Example

To create IP addresses profile with name remote and to switch to profile configuration mode:

esr(config)# object-group address-port WEB

object-group application

The command is used to create application profile. The profile is used for filtration on the basis of applications (DPI).

The use of a negative form (no) of the command removes the profile.

Syntax

[no] object-group application <NAME>

Parameters

<NAME> – application profile name, set by the string of up to 31 characters. When removing, you can use ‘all’ key instead of the name. When using the «all» key, all application profiles will be removed.

Required privilege level

10

Command mode

CONFIG

Example

esr(config)# object-group application OGA045

object-group content-filter

This command is used to create a content filtering category profile. This profile is used in a set of custom rules.

The use of a negative form (no) of the command removes the profile.

Syntax

[no] object-group content-filter <NAME>

Parameters

<NAME> – name of the content filtering profile, specified as a string of up to 31 characters. When removing, you can use ‘all’ key instead of the name. When using the «all» key, all content filtering profiles will be removed.

Required privilege level

10

Command mode

CONFIG

Example

esr(config)# object-group content-filter OGC042

object-group email

This command is used to create a profile of mail domains and mailbox addresses. This profile is used in the "Antispam" service profile rules.

The use of a negative form (no) of the command removes the profile.

Syntax

[no] object-group email <NAME>

Parameters

<NAME> – profile name of mail domains and mailbox addresses, specified by a string of up to 31 characters. When removing, you can use ‘all’ key instead of the name. Using the "all" key will delete all mail domain profiles and mailbox addresses.

Required privilege level

10

Command mode

CONFIG

Example

esr(config)# object-group email chinese_spammers 

object-group mac

The command is used to create MAC address profile. The profile is used in MAC-based VLAN.

The use of a negative form (no) of the command removes the profile.

Syntax

[no] object-group mac <NAME>

Parameters

<NAME> – MAC addresses profile name, set by the string of up to 31 characters. When removing, you can use ‘all’ key instead of the name. When using the «all» key, all MAC address profiles will be removed.

Required privilege level

10

Command mode

CONFIG

Example

esr(config)# object-group mac OGM007

object-group network

The command is used to create IP address profile. The profiles are used to configure services operating with IP address pools – for example, NAT, Firewall, Remote-Access – as well as to create prefix list.

The use of a negative form (no) of the command removes IP address profile.

Syntax

[no] object-group network <NAME>

Parameters

<NAME> – configured IP addresses profile, set by the string of up to 31 characters. The use of a negative form (no) of the command with ‘all’ parameter removes all IP address profiles.

Required privilege level

10

Command mode

CONFIG

Example

To create IP addresses profile with name remote and to switch to profile configuration mode:

esr(config)# object-group network remote

object-group service

The command creates TCP/UDP ports profile. The profile is used in NAT and Firewall services rules.

The use of a negative form (no) of the command removes the profile.

Syntax

[no] object-group service <NAME>

Parameters

<NAME> – port profile name, set by the string of up to 31 characters. The use of a negative form (no) of the command with ‘all’ parameter removes all TCP/UDP ports profiles.

Required privilege level

10

Command mode

CONFIG

Example

esr(config)# object-group service ssh

object-group url

The command is used to create URL link profile.

The use of a negative form (no) of the command removes the profile.

Syntax

[no] object-group url <NAME>

Parameters

<NAME> – port profile name, set by the string of up to 31 characters. The use of a negative form (no) of the command with ‘all’ parameter removes all URL links profiles.

Required privilege level

10

Command mode

CONFIG

Example

esr(config)# object-group url vk

port-range

The command specifies the range of TCP/UDP ports related to the profile.

The use of a negative form (no) of the command removes an entry from a configured profile.

Syntax

port-range <PORT>

no port-range [<PORT> | all]

Parameters

<PORT> – port number, takes values of [1..65535].

You can specify several ports separated by commas ',' or you can specify the range of ports with '-'. Example of the record: <PORT>, <PORT> or <PORT>-<PORT> or <PORT>-<PORT>, <PORT>-<PORT>.

Required privilege level

10

Command mode

CONFIG-OBJECT-GROUP-SERVICE

Example

esr(config-object-group-service)# port-range 22

regexp

This command describes a URL link pattern.

The use of a negative form (no) of the command removes a URL link pattern.

Syntax

regexp <REGEXP>

no regexp {<REGEXP>|all}

Parameters

<REGEXP> – regular expression. Described by the string of up to 255 characters. The character '\' must be shielded.

all — the key used to delete all created rules.

Default value

Pattern is not created.

Required privilege level

10

Command mode

CONFIG-OBJECT-GROUP-URL

Example

esr(config-object-group-url)# '^http:\/\/site\.ru'

show object-group

The command displays information on IP addresses and TCP/UDP ports profiles.

Syntax

show object-group <PROFILE_TYPE> [<NAME>]

Parameters

<PROFILE_TYPE> – profile type:

• network – IP addresses profile;
• service – TCP/UDP ports profile;

<NAME> – profile name, set by the string of up to 31 characters, optional parameter. If profile name is not specified, information on all IP addresses and TCP/UDP ports profiles will be displayed.

Required privilege level

1

Command mode

ROOT

Example

esr# show object-group network
Network                            Description
--------------------------------   --------------------------------
remote                             --
local                              --
tunnel                             --
esr# show object-group network remote
IP Addresses
--------------------------------
10.102.0.0/16
esr# show object-group service
Service                            Description
--------------------------------   --------------------------------
telnet                             --
ssh                                --
dhcp_server                        --
dhcp_client                        --
ntp                                --
esr# show object-group service ssh
Port ranges
--------------------------------
22

url

The command specifies URL link.

The use of a negative form (no) of the command removes a link from a configured profile.

Syntax

url <URL>

no url [ <URL> | all ]

Parameters

<URL> – text field containing URL link of 8-255 characters length.

When removing it with ‘all’ key, all previously added URL links will be removed.

Required privilege level

10

Command mode

CONFIG-OBJECT-GROUP-URL

Example

esr(config-object-group-url)# url https://vk.com

vendor

This command is used to set the content filtering category provider.

The use of a negative form (no) of the command removes the content filtering categories of this vendor.

Syntax

[no] vendor <CONTENT-FILTER-VENDOR>

Parameters

<CONTENT-FILTER-VENDOR> – name of the content filtering category provider. Takes the following values:

Kaspersky-Lab – in the current version of the software, only Kaspersky Lab can act as a content filtering category provider.

Required privilege level

10

Command mode

CONFIG-OBJECT-GROUP-CONTENT-FILTER

Example

esr(config-object-group-content-filter)# vendor kaspersky-lab