Cisco Security Appliance Command Reference, Version 8.0
urgent-flag -- write terminal


undebug through zonelabs integrity ssl-client-authentication Commands


urgent-flag

To allow or clear the URG pointer through the TCP normalizer, use the urgent-flag command in tcp-map configuration mode. To remove this specification, use the no form of this command.

urgent-flag {allow | clear}

no urgent-flag {allow | clear}

Syntax Description

allow

Allows the URG pointer through the TCP normalizer.

clear

Clears the URG pointer through the TCP normalizer.


Defaults

The urgent flag and urgent offset are clear by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tcp-map configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.

Use the tcp-map command to enter tcp-map configuration mode. Use the urgent-flag command in tcp-map configuration mode to allow the urgent flag.

The URG flag is used to indicate that the packet contains information that is of higher priority than other data within the stream. The TCP RFC is vague about the exact interpretation of the URG flag; therefore, end systems handle urgent offsets in different ways, which may make the end system vulnerable to attacks. The default behavior is to clear the URG flag and offset.

Examples

The following example shows how to allow the urgent flag:

hostname(config)# tcp-map tmap
hostname(config-tcp-map)# urgent-flag allow
hostname(config)# class-map cmap
hostname(config-cmap)# match port tcp eq 513
hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap)# set connection advanced-options tmap
hostname(config)# service-policy pmap global
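
The audit below is an added example, not Cisco code or output: it walks the chain described above (tcp-map, policy-map class with set connection advanced-options, service-policy) in a saved configuration and reports every tcp-map that sets urgent-flag allow, together with the traffic class and scope where it is active. The sample configuration is constructed, the function names parse and urg_allowed are this example's own, and the indented layout of a saved running configuration is assumed.

```python
"""Report tcp-maps that let the URG pointer through, and where they are applied."""

# Constructed sample: the page's example plus two extra tcp-maps.
SAMPLE_CONFIG = """\
tcp-map tmap
 urgent-flag allow
tcp-map strict
 urgent-flag clear
tcp-map unused
 urgent-flag allow
class-map cmap
 match port tcp eq 513
class-map web
 match port tcp eq 80
policy-map pmap
 class cmap
  set connection advanced-options tmap
 class web
  set connection advanced-options strict
service-policy pmap global
"""

SECTIONS = ("tcp-map", "class-map", "policy-map")


def parse(config):
    """Collect tcp-maps, class-maps, policy-maps and service-policy bindings."""
    cfg = {"tcp-map": {}, "class-map": {}, "policy-map": {}, "service-policy": []}
    section = name = cur_class = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if not raw[0].isspace():  # a top-level command starts a new section
            section = name = cur_class = None
            if words[0] in SECTIONS and len(words) == 2:
                section, name = words
                # Per the page, the URG flag and offset are cleared by default.
                cfg[section][name] = {"tcp-map": "clear", "class-map": [],
                                      "policy-map": {}}[section]
            elif words[0] == "service-policy" and len(words) >= 3:
                cfg["service-policy"].append((words[1], " ".join(words[2:])))
        elif section == "tcp-map" and words[0] == "urgent-flag" and len(words) == 2:
            cfg[section][name] = words[1]
        elif section == "class-map" and words[0] == "match":
            cfg[section][name].append(" ".join(words[1:]))
        elif section == "policy-map" and words[0] == "class" and len(words) == 2:
            cur_class = words[1]
        elif (section == "policy-map" and cur_class and len(words) == 4
              and words[:3] == ["set", "connection", "advanced-options"]):
            cfg[section][name][cur_class] = words[3]
    return cfg


def urg_allowed(config):
    """Return one finding per reference to a tcp-map with 'urgent-flag allow'."""
    cfg = parse(config)
    scopes = {}
    for pmap, scope in cfg["service-policy"]:
        scopes.setdefault(pmap, []).append(scope)
    findings = []
    for tmap, mode in cfg["tcp-map"].items():
        if mode != "allow":
            continue
        uses = [(p, c) for p, classes in cfg["policy-map"].items()
                for c, t in classes.items() if t == tmap]
        for pmap, cls in uses or [(None, None)]:  # keep unreferenced maps visible
            findings.append({"tcp_map": tmap, "policy_map": pmap, "class": cls,
                             "match": cfg["class-map"].get(cls, []),
                             "scopes": scopes.get(pmap, []),
                             "active": pmap in scopes})
    return findings


if __name__ == "__main__":
    for f in urg_allowed(SAMPLE_CONFIG):
        where = "active on " + ", ".join(f["scopes"]) if f["active"] else "not applied"
        print(f"{f['tcp_map']}: URG allowed, {where}; class={f['class']} match={f['match']}")
```

A finding with active set to False marks a tcp-map that allows URG but is not bound by any service-policy, which is worth cleaning up before someone reuses it.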

Related Commands

Command
Description

class

Specifies a class map to use for traffic classification.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

set connection

Configures connection values.

tcp-map

Creates a TCP map and allows access to tcp-map configuration mode.


undebug

To disable the display of debug information in the current session, use the undebug command in privileged EXEC mode.

undebug {command | all}

Syntax Description

command

Disables debug for the specified command. See the Usage Guidelines for information about the supported commands.

all

Disables all debug output.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was modified. It includes additional debug keywords.


Usage Guidelines

The following commands can be used with the undebug command. For more information about debugging a specific command, or for the associated arguments and keywords for a specific debug command, see the entry for the debug command.

aaa—AAA information

acl—ACL information

all—All debugging

appfw—Application firewall information

arp—ARP including NP operations

asdm—ASDM information

auto-update—Auto-update information

boot-mem—Boot memory calculation and set

cifs—CIFS information

cmgr—CMGR information

context—Context information

cplane—CP information

crypto—Crypto information

ctiqbe—CTIQBE information

ctl-provider—CTL provider debugging information

dap—DAP information

dcerpc—DCERPC information

ddns—Dynamic DNS information

dhcpc—DHCP client information

dhcpd—DHCP server information

dhcprelay—DHCP Relay information

disk—Disk information

dns—DNS information

eap—EAP information

eigrp—EIGRP protocol information

email—Email information

entity—Entity MIB information

eou—EAPoUDP information

esmtp—ESMTP information

fips—FIPS 140-2 information

fixup—Fixup information

fover—Failover information

fsm—FSM information

ftp—FTP information

generic—Miscellaneous information

gtp—GTP information

h323—H323 information

http—HTTP information

icmp—ICMP information

igmp—Internet Group Management Protocol

ils—LDAP information

im—IM inspection information

imagemgr—Image Manager information

inspect—inspect debugging information

integrityfw—Integrity Firewall information

ip—IP information

ipsec-over-tcp—IPSec over TCP information

ipsec-pass-thru—Inspect ipsec-pass-thru information

ipv6—IPv6 information

iua-proxy—IUA proxy information

kerberos—KERBEROS information

l2tp—L2TP information

ldap—LDAP information

mfib—Multicast forwarding information base

mgcp—MGCP information

module-boot—Service module boot information

mrib—Multicast routing information base

nac-framework—NAC-FRAMEWORK information

netbios-inspect—NETBIOS inspect information

npshim—NPSHIM information

ntdomain—NT domain information

ntp—NTP information

ospf—OSPF information

p2p—P2P inspection information

parser—Parser information

pim—Protocol Independent Multicast

pix—PIX information

ppp—PPP information

pppoe—PPPoE information

pptp—PPTP information

radius—RADIUS information

redundant-interface—redundant interface information

rip—RIP information

rtp—RTP information

rtsp—RTSP information

sdi—SDI information

sequence—Add sequence number

session-command—Session command information

sip—SIP information

skinny—Skinny information

sla—IP SLA Monitor Debug

smtp-client—Email system log messages

splitdns—Split DNS information

sqlnet—SQLNET information

ssh—SSH information

sunrpc—SUNRPC information

tacacs—TACACS information

tcp—TCP for WebVPN

tcp-map—TCP map information

timestamps—Add timestamp

track—static route tracking

vlan-mapping—VLAN mapping information

vpn-sessiondb—VPN session database information

vpnlb—VPN load balancing information

wccp—WCCP information

webvpn—WebVPN information

xdmcp—XDMCP information

xml—XML parser information

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example disables all debug output:

hostname(config)# undebug all

Related Commands

Command
Description

debug

Displays debug information for the selected command.


unix-auth-gid

To set the UNIX group ID, use the unix-auth-gid command in group-policy webvpn configuration mode. To remove this command from the configuration, use the no version of this command.

unix-auth-gid <identifier>

no unix-auth-gid

Syntax Description

identifier

Specifies an integer in the range 0 through 4294967294.


Defaults

The default is 65534.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy webvpn configuration mode


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

The string specifies a network file system (NetFS) location. Only SMB and FTP protocols are supported; for example, smb://(NetFS location) or ftp://(NetFS location). You use the name of this location in the storage-objects command.

Examples

The following example sets the UNIX group ID to 4567:

hostname(config)# group-policy test attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# unix-auth-gid 4567

Related Commands

Command
Description

unix-auth-uid

Sets the UNIX user ID.


unix-auth-uid

To set the UNIX user ID, use the unix-auth-uid command in group-policy webvpn configuration mode. To remove this command from the configuration, use the no version of this command.

unix-auth-uid <identifier>

no unix-auth-uid

Syntax Description

identifier

Specifies an integer in the range 0 through 4294967294.


Defaults

The default is 65534.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy webvpn configuration mode


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

The string specifies a network file system (NetFS) location. Only SMB and FTP protocols are supported; for example, smb://(NetFS location) or ftp://(NetFS location). You use the name of this location in the storage-objects command.

Examples

The following example sets the UNIX user ID to 333:

hostname(config)# group-policy test attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# unix-auth-uid 333

Related Commands

Command
Description

unix-auth-gid

Sets the UNIX group ID.


upload-max-size

To specify the maximum size allowed for an object to upload, use the upload-max-size command in group-policy webvpn configuration mode. To remove this object from the configuration, use the no version of this command.

upload-max-size <size>

no upload-max-size

Syntax Description

size

Specifies the maximum size allowed for an uploaded object. The range is 0 through 2147483647.


Defaults

The default size is 2147483647.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy webvpn configuration mode


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

Setting the size to 0 effectively disallows object uploading.

Examples

The following example sets the maximum size for an uploaded object to 1500 bytes:

hostname(config)# group-policy test attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# upload-max-size 1500

Related Commands

Command
Description

post-max-size

Specifies the maximum size of an object to post.

download-max-size

Specifies the maximum size of an object to download.

webvpn

Use in group-policy configuration mode or in username configuration mode. Lets you enter webvpn mode to configure parameters that apply to group policies or usernames.

webvpn

Use in global configuration mode. Lets you configure global settings for WebVPN.


uri-non-sip

To identify the non-SIP URIs present in the Alert-Info and Call-Info header fields, use the uri-non-sip command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.

uri-non-sip action {mask | log} [log]

no uri-non-sip action {mask | log} [log]

Syntax Description

mask

Masks the non-SIP URIs.

log

Specifies standalone or additional log in case of violation.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Examples

The following example shows how to identify the non-SIP URIs present in the Alert-Info and Call-Info header fields in a SIP inspection policy map:

hostname(config)# policy-map type inspect sip sip_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# uri-non-sip action log

Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Display all current policy map configurations.


url

To maintain the list of static URLs for retrieving CRLs, use the url command in crl configure configuration mode. The crl configure configuration mode is accessible from the crypto ca trustpoint configuration mode. To delete an existing URL, use the no form of this command.

url index url

no url index url

Syntax Description

index

Specifies a value from 1 to 5 that determines the rank of each URL in the list. The security appliance tries the URL at index 1 first.

url

Specifies the URL from which to retrieve the CRL.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CRL configure configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You cannot overwrite existing URLs. To replace an existing URL, first delete it using the no form of this command.

Examples

The following example enters ca-crl configuration mode and configures https://foobin.com at index 3 of the list of URLs from which to retrieve CRLs:

hostname(configure)# crypto ca trustpoint central
hostname(ca-trustpoint)# crl configure
hostname(ca-crl)# url 3 https://foobin.com
hostname(ca-crl)# 

Related Commands

Command
Description

crl configure

Enters ca-crl configuration mode.

crypto ca trustpoint

Enters trustpoint configuration mode.

policy

Specifies the source for retrieving CRLs.


url-block

To manage the URL buffers used for web server responses while waiting for a filtering decision from the filtering server, use the url-block command. To remove the configuration, use the no form of this command.

url-block block block_buffer

no url-block block block_buffer

url-block mempool-size memory_pool_size

no url-block mempool-size memory_pool_size

url-block url-size long_url_size

no url-block url-size long_url_size

Syntax Description

block block_buffer

Creates an HTTP response buffer to store web server responses while waiting for a filtering decision from the filtering server. The permitted values are from 1 to 128, which specifies the number of 1550-byte blocks.

mempool-size memory_pool_size

Configures the maximum size of the URL buffer memory pool in kilobytes (KB). The permitted values are from 2 to 10240, which specifies a URL buffer memory pool from 2 KB to 10240 KB.

url-size long_url_size

Configures the maximum allowed URL size in KB for each long URL being buffered. The permitted values, which specify a maximum URL size, are 2, 3, or 4 for Websense, representing 2 KB, 3 KB, or 4 KB, or 2 or 3 for Secure Computing, representing 2 KB or 3 KB.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

For Websense filtering servers, the url-block url-size command allows filtering of long URLs, up to 4 KB. For Secure Computing, the url-block url-size command allows filtering of long URLs, up to 3 KB. For both Websense and N2H2 filtering servers, the url-block block command causes the security appliance to buffer packets received from a web server in response to a web client request while waiting for a response from the URL filtering server. This improves performance for the web client compared to the default security appliance behavior, which is to drop the packets and to require the web server to retransmit the packets if the connection is permitted.

If you use the url-block block command and the filtering server permits the connection, the security appliance sends the blocks to the web client from the HTTP response buffer and removes the blocks from the buffer. If the filtering server denies the connection, the security appliance sends a deny message to the web client and removes the blocks from the HTTP response buffer.

Use the url-block block command to specify the number of blocks to use for buffering web server responses while waiting for a filtering decision from the filtering server.

Use the url-block url-size command with the url-block mempool-size command to specify the maximum length of a URL to be filtered and the maximum memory to assign to the URL buffer. Use these commands to pass URLs longer than 1159 bytes, up to a maximum of 4096 bytes, to the Websense or Secure-Computing server. The url-block url-size command stores URLs longer than 1159 bytes in a buffer and then passes the URL to the Websense or Secure-Computing server (through a TCP packet stream) so that the Websense or Secure-Computing server can grant or deny access to that URL.

Examples

The following example assigns 56 1550-byte blocks for buffering responses from the URL filtering server:

hostname(config)# url-block block 56

Related Commands

Commands
Description

clear url-block block statistics

Clears the block buffer usage counters.

filter url

Directs traffic to a URL filtering server.

show url-block

Displays information about the URL cache, which is used for buffering URLs while waiting for responses from an N2H2 or Websense filtering server.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


url-cache

To enable URL caching for URL responses received from a Websense server and to set the size of the cache, use the url-cache command in global configuration mode. To remove the configuration, use the no form of this command.

url-cache {dst | src_dst} kbytes [kb]

no url-cache {dst | src_dst} kbytes [kb]

Syntax Description

dst

Cache entries based on the URL destination address. Select this mode if all users share the same URL filtering policy on the Websense server.

size kbytes

Specifies a value for the cache size within the range 1 to 128 KB.

src_dst

Cache entries based on both the source address initiating the URL request and the URL destination address. Select this mode if users do not share the same URL filtering policy on the Websense server.

statistics

Use the statistics option to display additional URL cache statistics, including the number of cache lookups and hit rate.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines


Note: The N2H2 server application does not support this command for URL filtering.


The url-cache command provides a configuration option to cache responses from the URL server.

Use the url-cache command to enable URL caching, set the size of the cache, and display cache statistics.

Caching stores URL access privileges in memory on the security appliance. When a host requests a connection, the security appliance first looks in the URL cache for matching access privileges instead of forwarding the request to the Websense server. Disable caching with the no url-cache command.


Note: If you change settings on the Websense server, disable the cache with the no url-cache command and then re-enable the cache with the url-cache command.


Using the URL cache does not update the Websense accounting logs for Websense protocol Version 1. If you are using Websense protocol Version 1, let Websense run to accumulate logs so you can view the Websense accounting information. After you get a usage profile that meets your security needs, enable url-cache to increase throughput. Accounting logs are updated for Websense protocol Version 4 URL filtering while using the url-cache command.

Examples

The following example caches all outbound HTTP connections based on the source and destination addresses:

hostname(config)# url-cache src_dst 128
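
The model below is an added illustration, not appliance code: it shows why dst mode is appropriate only when all users share one filtering policy, and why the cache has to be disabled and re-enabled after a policy change on the filtering server. The classes, addresses and policy are constructed, and caching every decision the server returns is an assumption of the model (the page says only that access privileges are stored).

```python
"""Model of url-cache keying: 'dst' versus 'src_dst' (illustrative only)."""


class UrlCacheModel:
    def __init__(self, mode, filtering_server):
        if mode not in ("dst", "src_dst"):
            raise ValueError("mode must be 'dst' or 'src_dst'")
        self.mode = mode
        self.server = filtering_server  # callable(src, dst) -> "permit" | "deny"
        self.cache = {}
        self.server_lookups = 0

    def _key(self, src, dst):
        # dst mode ignores who is asking; src_dst keeps one entry per requester.
        return dst if self.mode == "dst" else (src, dst)

    def request(self, src, dst):
        """Return the decision applied to this request, consulting the cache first."""
        key = self._key(src, dst)
        if key not in self.cache:
            self.server_lookups += 1
            self.cache[key] = self.server(src, dst)
        return self.cache[key]

    def flush(self):
        """Stands in for 'no url-cache' followed by 'url-cache ...'."""
        self.cache.clear()


class PerUserPolicy:
    """Constructed filtering policy: per-source deny lists that can change later."""

    def __init__(self, denied):
        self.denied = {src: set(dsts) for src, dsts in denied.items()}

    def __call__(self, src, dst):
        return "deny" if dst in self.denied.get(src, ()) else "permit"


def run_scenario(mode):
    """A staff host browses first, then a kiosk host the policy denies the same site."""
    site, staff, kiosk = "203.0.113.5", "10.0.0.10", "10.0.0.20"
    policy = PerUserPolicy({kiosk: {site}})
    cache = UrlCacheModel(mode, policy)
    result = {"staff": cache.request(staff, site),
              "kiosk": cache.request(kiosk, site)}
    # Policy change on the filtering server: staff is now denied as well.
    policy.denied.setdefault(staff, set()).add(site)
    result["staff_after_change"] = cache.request(staff, site)  # still served from cache
    cache.flush()
    result["staff_after_flush"] = cache.request(staff, site)
    result["server_lookups"] = cache.server_lookups
    return result


if __name__ == "__main__":
    for mode in ("dst", "src_dst"):
        print(mode, run_scenario(mode))
```

In dst mode the kiosk host inherits the permit cached for the staff host, and in both modes the old permit survives the policy change until the cache is flushed.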

Related Commands

Commands
Description

clear url-cache statistics

Removes url-cache command statements from the configuration.

filter url

Directs traffic to a URL filtering server.

show url-cache statistics

Displays information about the URL cache, which is used for URL responses received from a Websense filtering server.

url-server

Identifies a Websense server for use with the filter command.


url-entry

To enable or disable the ability to enter any HTTP/HTTPS URL on the portal page, use the url-entry command in dap webvpn configuration mode.

url-entry {enable | disable}

Syntax Description

enable | disable

Enables or disables the ability to browse for file servers or shares.


Defaults

No default value or behaviors.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Dap webvpn configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

Examples

The following example shows how to enable URL entry for the DAP record called Finance:

hostname(config)# dynamic-access-policy-record Finance
hostname(config-dynamic-access-policy-record)# webvpn
hostname(config-dynamic-access-policy-record)# url-entry enable

Related Commands

Command
Description

dynamic-access-policy-record

Creates a DAP record.

file-entry

Enables or disables the ability to enter file server names to access.


url-length-limit

To configure the maximum length of the URL allowed in the RTSP message, use the url-length-limit command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.

url-length-limit length

no url-length-limit length

Syntax Description

length

The URL length limit in bytes. Range is 0 to 6000.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Examples