2.2. Runtime

2.2.1. about

Show copyright/build information.

Description

Show copyright and build information.

Usage

about 

2.2.2. acme

Display information on the state of ACME objects and restart the client.

Description

Display information about ACME objects.

Usage

acme -num=<n> 
Show summary information about ACME objects.
acme -show [<ACME Certificate Management>] 
Show detailed certificate information.
acme -restart 
Restart the ACME client, resetting all object states.
acme -snoop [-on] [-off] [-verbose] 
Show requests and responses on the console.

Options

-num=<n>
Limit display to <n> certificates. (Default: 5)
-off
Turn snoop off.
-on
Turn snoop on.
-restart
[WARNING] Restart the ACME client, resetting all object states.
-show
Show info on ACME object.
-snoop
Show requests and server responses on the console window.
-verbose
Show snoop detailed information.
<ACME Certificate Management>
Name of certificate.

2.2.3. alarm

Show alarm information.

Description

Show list of currently active alarms.

Usage

alarm [-history] [-active] 

Options

-active
Show the currently active alarms.
-history
Show the 20 latest alarms.

2.2.4. appcontrol

Show application control status.

Description

Browse the applications defined in the Application Control functionality. Save browsing results as filters that can later be used to define IPPolicies.

Usage

appcontrol 
Show general information about application control system.
appcontrol -show_lists 
List saved strings.
appcontrol -delete_lists={ALL | <Integer>} 
Free saved strings.
appcontrol <Name> 
List information about specified application.
appcontrol -application=<String> [-save_list] 
Define a filter selecting individual applications.
appcontrol -filter [-name=<String>] [-family=<String>]
           [-risk={VERY_LOW | LOW | MEDIUM | HIGH | VERY_HIGH}]
           [-tag=<String>] [-save_list] 
Define a filter selecting families, tags, risks and a matching expression for the application names.

Options

-application=<String>
Exact application name.
-delete_lists={ALL | <Integer>}
Free saved Strings.
-family=<String>
Application family.
-filter
Shows applications matching certain criteria.
-name=<String>
Application name (wildcards allowed).
-risk={VERY_LOW | LOW | MEDIUM | HIGH | VERY_HIGH}
Application risk level.
-save_list
Saved filter result.
-show_lists
List saved strings.
-tag=<String>
Application tag.
<Name>
Application name.

2.2.5. arp

Show ARP entries for given interface.

Description

List the ARP cache entries of specified interfaces.

If no interface is given the ARP cache entries of all interfaces will be presented.

The presented list can be filtered using the ip and hw options.

Usage

arp 
Show all ARP entries.
arp -show [<Interface>] [-ip=<pattern>] [-hw=<pattern>] [-num=<n>] 
Show ARP entries.
arp -hashinfo [<Interface>] 
Show information on hash table health.
arp -flush [<Interface>] 
Flush ARP cache of specified interface.
arp -notify=<ip> [<Interface>] [-hwsender=<Ethernet Address>] 
Send gratuitous ARP for IP.

Options

-flush
Flush ARP cache of all specified interfaces. (Admin only)
-hashinfo
Show information on hash table health.
-hw=<pattern>
Show only hardware addresses matching pattern.
-hwsender=<Ethernet Address>
Sender ethernet address.
-ip=<pattern>
Show only IP addresses matching pattern.
-notify=<ip>
Send gratuitous ARP for <ip>.
-num=<n>
Show only the first <n> entries per interface. (Default: 20)
-show
Show ARP entries for given interface(s).
<Interface>
Interface name.

2.2.6. arpsnoop

Toggle snooping and displaying of ARP requests.

Description

Toggle snooping and displaying of ARP queries and responses on-screen.

The snooped messages are displayed before the access section validates the sender IP addresses in the ARP data.

Usage

arpsnoop 
Show snooped interfaces.
arpsnoop {ALL | NONE | <interface>} [-verbose] 
Snoop specified interface.

Options

-verbose
Verbose.
{ALL | NONE | <interface>}
Interface name.
Note: Requires Administrator privileges.

2.2.7. ats

Show active ARP Transaction States.

Description

Show active ARP Transaction States.

Usage

ats [-num=<n>] 

Options

-num=<n>
Limit list to <n> entries. (Default: 20)

2.2.8. authagent

Shows the state of the Authentication Agents.

Description

Shows the state of the Authentication Agents.

Usage

authagent -version 
Shows the state of the configured Authentication Agents including the protocol version.
authagent 
Shows the state of the configured Authentication Agents.
authagent {ALL | <AuthAgent>} 
Shows the state of the configured Authentication Agents.
authagent -reconnect {ALL | <AuthAgent>} 
Closes the connection with the Agent and attempts to reconnect.

Options

-reconnect
Closes the connection with the Agent and attempts to reconnect. (Admin only)
-version
Show protocol version.
{ALL | <AuthAgent>}
Authentication Agent name.

2.2.9. authagentsnoop

Toggle snooping and displaying of Authentication Agents traffic.

Description

Toggle snooping and displaying of Authentication Agents queries and responses on-screen.

Usage

authagentsnoop 
Show snooped Authentication Agents.
authagentsnoop {ALL | NONE | <AuthAgent>} [-verbose] 
Snoop specified Authentication Agent.

Options

-verbose
Verbose.
{ALL | NONE | <AuthAgent>}
Authentication Agent name.
Note: Requires Administrator privileges.

2.2.10. blacklist

Blacklist.

Description

Block and unblock hosts on the black and white list.

Note: Static blacklist hosts cannot be unblocked.

If -force is not specified, only the exact host with the specified service, protocol/port and destination is unblocked.

Example 2.7. Block hosts

blacklist -show -black -listtime -info
blacklist -block 100.100.100.0/24 -serv=FTP -dest=50.50.50.1 -time=6000

Usage

blacklist 
Show the current blacklist and whitelist content.
blacklist -show [-num={ALL | <Integer>}] [-alerttype={IDS |
          HOST_THRESHOLD | NETWORK_THRESHOLD | CLI | REST |
          DOS_GENERAL | DOS_GEOIP | BOTNET | SCANNER | SPAM |
          PHISHING | ALL}] [-creationtime] [-dynamic] [-listtime]
          [-info] [-black] [-white] [-all] 
Show information about the blacklisted hosts.
blacklist -block <host> [-serv=<service>] [-prot={TCP | UDP | ICMP
          | OTHER | TCPUDP | ALL}] [-port=<port number>]
          [-dest=<ip address>] [-time=<seconds>] 
Block specified netobject.
blacklist -unblock <host> [-serv=<service>] [-prot={TCP | UDP |
          ICMP | OTHER | TCPUDP | ALL}] [-port=<port number>]
          [-dest=<ip address>] [-force] 
Unblock specified netobject.
blacklist -purge {IDS | HOST_THRESHOLD | NETWORK_THRESHOLD | CLI |
          REST | DOS_GENERAL | DOS_GEOIP | BOTNET | SCANNER | SPAM
          | PHISHING} 
Unblock all netobjects of a specific alert type.

Options

-alerttype={IDS | HOST_THRESHOLD | NETWORK_THRESHOLD | CLI | REST | DOS_GENERAL | DOS_GEOIP | BOTNET | SCANNER | SPAM | PHISHING | ALL}
Alert types to show (Default: ALL).
-all
Show all the information.
-black
Show blacklist hosts only.
-block
Block specified netobject. (Admin only)
-creationtime
Show creation time.
-dest=<ip address>
Destination address to block/unblock (ExceptExtablished flag is set on).
-dynamic
Show dynamic hosts only.
-force
Unblock all services for the host that matches the options.
-info
Show detailed information.
-listtime
Show time in list (for dynamic whitelist hosts).
-num={ALL | <Integer>}
Maximum number of entries to show (Default: 20).
-port=<port number>
Number of the port to block/unblock.
-prot={TCP | UDP | ICMP | OTHER | TCPUDP | ALL}
Protocol to block/unblock.
-purge
Unblock all objects of a specific type. (Admin only)
-serv=<service>
Service to block/unblock.
-show
Show information about the blacklisted hosts.
-time=<seconds>
The time that the host will remain blocked.
-unblock
Unblock specified netobject. (Admin only)
-white
Show whitelist hosts only.
<host>
IP address range.
{IDS | HOST_THRESHOLD | NETWORK_THRESHOLD | CLI | REST | DOS_GENERAL | DOS_GEOIP | BOTNET | SCANNER | SPAM | PHISHING}
Alert types to purge.

2.2.11. cam

CAM table information.

Description

Show information about the CAM table(s) and their entries.

Usage

cam -num=<n> 
Show CAM table information.
cam <Interface> [-num=<n>] 
Show interface-specified CAM table information.
cam <Interface> [-flush] 
Flush CAM table information of specified interface.
cam -flush 
Flush CAM table information.

Options

-flush
Flush CAM table. If interface is specified, only entries using this interface are flushed. (Admin only)
-num=<n>
Limit list to <n> entries per CAM table. (Default: 20)
<Interface>
Interface.

2.2.12. certcache

Show the contents of the certificate cache.

Description

Show all certificates in the certificate cache.

Usage

certcache [-verbose] [-flush] 

Options

-flush
Flush certificate cache.
-verbose
Show verbose information.

2.2.13. connections

List current state-tracked connections.

Description

List current state-tracked connections.

Usage

connections -show [-extended] [-num=<n>] [-verbose]
            [-srciface=<interface>] [-destiface=<interface>]
            [-ipver={IPV6 | IPV4}] [-srcip=<ip address>]
            [-destip=<ip address>] [-protocol=<name/num>]
            [-srcport=<port>] [-destport=<port>]
            [-dataless=<bytes>] [-datamore=<bytes>] 
List connections.
connections 
Same as "connections -show".
connections -close [-all] [-srciface=<interface>]
            [-destiface=<interface>] [-ipver={IPV6 | IPV4}]
            [-srcip=<ip address>] [-destip=<ip address>]
            [-protocol=<name/num>] [-srcport=<port>]
            [-destport=<port>] [-dataless=<bytes>]
            [-datamore=<bytes>] 
Close connections.

Options

-all
Mark all connections.
-close
Close all connections that match the filter expression. (Admin only)
-dataless=<bytes>
Filter on amount of data transferred below specified limit. Acceptable suffixes are 'k', 'M' and 'G'.
-datamore=<bytes>
Filter on amount of data transferred above specified limit. Acceptable suffixes are 'k', 'M' and 'G'.
-destiface=<interface>
Filter on destination interface.
-destip=<ip address>
Filter on destination IP address.
-destport=<port>
Filter on TCP/UDP destination port.
-extended
Show connections with extended information.
-ipver={IPV6 | IPV4}
Filter on IP version.
-num=<n>
Limit list to <n> connections. (Default: 20)
-protocol=<name/num>
Filter on IP protocol.
-show
Show connections.
-srciface=<interface>
Filter on source interface.
-srcip=<ip address>
Filter on source IP address.
-srcport=<port>
Filter on TCP/UDP source port.
-verbose
Verbose (more information).

2.2.14. cpuid

Display info about the CPU.

Description

Display the make and model of the machine's CPU.

Usage

cpuid 

2.2.15. crashdump

Show the contents of the crash.dmp file.

Description

Show the contents of the crash.dmp file, if it exists.

Usage

crashdump 
Show the contents of the crash.dmp file.
crashdump -remove 
Remove all stored crashdumps.

Options

-remove
Remove all stored crashdumps.

2.2.16. cryptostat

Show information about crypto accelerators.

Description

Show information about active crypto accelerators.

Usage

cryptostat [-all] [-hashinfo] 

Options

-all
Show information about all devices.
-hashinfo
Show information about the hardware fastpath hash.

2.2.17. dcc

Status of the Distributed Checksum Clearinghouses (DCC) anti-spam service.

Description

Shows status of the DCC service.

Usage

dcc 

2.2.18. dconsole

Displays the content of the diagnose console.

Description

The diagnose console is used to help troubleshoot internal problems within the firewall.

Usage

dconsole [-clean] [-flush] [-date=<date>] [-onlyhigh] 

Options

-clean
Remove all diagnose entries. (Admin only)
-date=<date>
YYYY-MM-DD. Only show entries from this date and forward.
-flush
Flush all diagnose entries to disk. (Admin only)
-onlyhigh
Only show entries with severity high. (Admin only)

2.2.19. dhcp

Display information about DHCP-enabled interfaces or modify/update their leases.

Description

Display information about a DHCP-enabled interface.

Usage

dhcp 
List DHCP enabled interfaces.
dhcp -list 
List DHCP enabled interfaces.
dhcp -show [<interface>] 
Show information about DHCP enabled interface.
dhcp -lease={RENEW | RELEASE} <interface> 
Modify interface lease.

Options

-lease={RENEW | RELEASE}
Modify interface lease. (Admin only)
-list
List all DHCP enabled interfaces.
-show
Show information about DHCP enabled interface.
<interface>
DHCP Interface.

2.2.20. dhcprelay

Show DHCP/BOOTP relayer ruleset.

Description

Display the content of the DHCP/BOOTP relayer ruleset and the current routed DHCP relays.

The display filter filters relays based on interface/IP (example: if1 192.168.*).

Usage

dhcprelay 
Show the currently relayed DHCP sessions.
dhcprelay -show [-num={ALL | <Integer>}] [-rules] [-routes]
          [<display filter>]...
Show DHCP/BOOTP relayer ruleset.
dhcprelay -release <ip address> [-interface=<Interface>] 
Terminate relayed session.

Options

-interface=<Interface>
Interface.
-num={ALL | <Integer>}
Maximum number of entries to show (Default: 20).
-release
Terminate relayed session <[interface:]ip>. (Admin only)
-routes
Show the currently relayed DHCP sessions.
-rules
Show the DHCP/BOOTP relayer ruleset.
-show
Show ruleset.
<display filter>
Display filter, filters relays based on interface/ip.
<ip address>
IP address.

2.2.21. dhcpserver

Show content of the DHCP server ruleset.

Description

Show the content of the DHCP server ruleset and various information about active/inactive leases.

The display filter filters entries based on Interface/MAC/IP (example: If1 192.168.*).

Usage

dhcpserver 
Show DHCP server leases.
dhcpserver -show [-rules] [-leases] [-num=<Integer>]
           [-fromentry=<Integer>] [-mappings] [-utilization]
           [<Display filter>]...
Show DHCP server ruleset.
dhcpserver -release={BLACKLIST} 
Release a specific type of IPs.
dhcpserver -releaseip <Interface> <IP address> 
Release an active IP.

Options

-fromentry=<Integer>
Show entry list from offset <n>.
-leases
Show DHCP server leases.
-mappings
Show DHCP server IP mappings.
-num=<Integer>
Limit list to <n> entries.
-release={BLACKLIST}
Release specific type of IPs. (Admin only)
-releaseip
Release an active IP. (Admin only)
-rules
Show DHCP server rules.
-show
Show ruleset.
-utilization
Show IP pool utilization.
<Display filter>
Display filter based on Interface/MAC/IP (eg. If1 192.168.*).
<Interface>
Interface.
<IP address>
IP address.

2.2.22. dhcpv6

Display information about DHCPv6-enabled interfaces or modify/update their leases.

Description

Display information about a DHCPV6-enabled interface.

Usage

dhcpv6 
List DHCPv6 enabled interfaces.
dhcpv6 -list 
List DHCPv6 enabled interfaces.
dhcpv6 -show [<interface>] 
Show information about DHCPv6 enabled interface.
dhcpv6 -lease={RENEW | RELEASE} <interface> 
Modify interface lease.

Options

-lease={RENEW | RELEASE}
Modify interface lease. (Admin only)
-list
List all DHCPv6 enabled interfaces.
-show
Show information about DHCPv6 enabled interface.
<interface>
DHCPv6 Interface.

2.2.23. dhcpv6server

Show content of the DHCPv6 server ruleset.

Description

Show the content of the DHCPv6 server ruleset and various information about active/inactive leases.

The display filter filters leases based on interface/MAC/IP (example: if1 2001:DB8::*).

Usage

dhcpv6server 
Show DHCPv6 server leases.
dhcpv6server -releaseip <interface> <IPv6 address> 
Release an active IPv6 address.
dhcpv6server -show [-rules] [-leases] [-num=<Integer>]
             [-fromentry=<Integer>] [<display filter>]...
Show DHCPv6 server ruleset.

Options

-fromentry=<Integer>
Show DHCPv6 server lease list from offset <n>.
-leases
Show DHCPv6 server leases.
-num=<Integer>
Limit list to <n> leases.
-releaseip
Release an active IP. (Admin only)
-rules
Show DHCPv6 server rules.
-show
Show ruleset.
<display filter>
Display filters for leases based on interface/mac/ip (eg. if1 2001:DB8::*).
<interface>
Interface.
<IPv6 address>
IPv6 address.

2.2.24. dns

DNS client and queries.

Description

Show status of the DNS client and manage pending DNS queries.

Usage

dns -cache [<FQDNAddress>] [-num=<n>] [-verbose] 
Show contents of DNS cache.
dns -flush 
Flush the contents of DNS cache.
dns -refresh [<FQDNAddress>] 
Set FQDN cache object to start DNS query.
dns 
Show status of the DNS client.
dns -query <domain name> [-type={A | AAAA}] 
Resolve domain name.
dns -list 
List pending DNS queries.
dns -remove 
Remove all pending DNS queries.

Options

-cache
Show contents of the DNS cache.
-flush
Flush entire contents of the DNS cache.
-list
List pending DNS queries.
-num=<n>
Limit list to <n> addresses. (Default: 20)
-query
Resolve domain name.
-refresh
Set FQDN cache object to start DNS query.
-remove
Remove all pending DNS queries.
-type={A | AAAA}
Query type.
-verbose
Verbose output.
<domain name>
Domain name to resolve.
<FQDNAddress>
FQDN Address object name.

2.2.25. dnsbl

DNSBL.

Description

Show status of DNSBL.

Usage

dnsbl [-show] [<SMTP ALG>] [-clean] 

Options

-clean
Clear DNSBL statistics for ALG.
-show
Show DNSBL statistics for ALG.
<SMTP ALG>
Name of SMTP ALG.

2.2.26. dnscontrol

DNS Control ALG commands.

Description

Show status for DNS Control ALG sessions.

Usage

dnscontrol 
List DNS Control Sessions.
dnscontrol -list [-num[=<Integer>]] [-verbose] 
List DNS Control Sessions (Advanced).
dnscontrol -stats 
Show DNS control statistics.

Options

-list
List all DNS Control sessions.
-num[=<Integer>]
Sessions to list. (Default: 40)
-stats
Show DNS Control statistics.
-verbose
Verbose output.

2.2.27. dynroute

Show dynamic routing policy.

Description

Show the dynamic routing policy filter ruleset and current exports.

In the "Flags" field of the dynrouting exports, the following letters are used:

o
Route describes the optimal path to the network
u
Route is unexported

Usage

dynroute [-rules] [-exports] 

Options

-exports
Show current exports.
-rules
Show dynamic routing filter ruleset.

2.2.28. enetvendor

Ethernet address OUI lookup.

Description

Ethernet address OUI lookup.

Usage

enetvendor -hw=<Ethernet Address> 

Options

-hw=<Ethernet Address>
MAC address to be searched on.

2.2.29. exit

Close the active management session.

Description

Close the active management session.

Usage

exit 

2.2.30. fallback

Manage and show status for fallback policy.

Description

Display fallback policy status and perform various related actions.

Usage

fallback 
Display status for all policies.
fallback -status <String> 
Display status for specific policy.
fallback -suspend <String> <ip address> 
Suspend load distribution to primary server.
fallback -resume <String> <ip address> 
Resume load distribution to primary server.

Options

-resume
Resume load distribution to primary server (maintenance off).
-status
Display status for specific fallback policy.
-suspend
Suspend load distribution to primary server (maintenance on).
<ip address>
IP address.
<String>
Fallback policy.

2.2.31. filedownload

File download stats.

Description

Show statistics of the File Download engine.

Usage

filedownload 
Show active downloads.
filedownload -inactive 
Show inactive downloads.
filedownload -active 
Show active downloads.

Options

-active
Show active downloads.
-inactive
Show inactive downloads.

2.2.32. frags

Show active fragment reassemblies.

Description

List active fragment reassemblies.

More detailed information can optionally be obtained for specific reassemblies:

NEW
Newest reassembly
ALL
All reassemblies
0..1023
Assembly 'N'

Example 2.8. frags

frags NEW
frags 254

Usage

frags [{NEW | ALL | <reassembly id>}] [-free] [-done] [-num=<n>] 

Options

-done
List successfully reassembled (kept to see if more frags arrive).
-free
List free instead of active.
-num=<n>
List <n> entries. (Default: 20)
{NEW | ALL | <reassembly id>}
Show in-depth info about reassembly <n>. (Default: all)

2.2.33. ha

Show and change HA status.

Description

Show current HA status.

Usage

ha [-activate] [-deactivate] 

Options

-activate
Go active. (Admin only)
-deactivate
Go inactive. (Admin only)

2.2.34. hostmon

Show Host Monitor statistics.

Description

Show active Host Monitor sessions.

Usage

hostmon [-verbose] [-num=<n>] 

Options

-num=<n>
Limit list to <n> entries. (Default: 20)
-verbose
Verbose output.

2.2.35. httpalg

Commands related to the HTTP Application Layer Gateway.

Description

Show information about the WCF cache or list the overridden WCF hosts.

Usage

httpalg -override [-flush] 
List or flush hosts that have overridden the wcf filter.
httpalg -wcfcache [-show] [-url=<String>] [-flush] [-verbose]
        [-count] [-server[={STATUS | CONNECT | DISCONNECT}]]
        [-num=<n>] 
Display URL cache information.

Options

-count
Only display cache count.
-flush
Removes all entries.
-num=<n>
Limit list to <n> entries. (Default: 20)
-override
List hosts that have overridden the wcf filter.
-server[={STATUS | CONNECT | DISCONNECT}]
Web Content Filtering Server options. (Default: status)
-show
Show Web Content Filtering cache data.
-url=<String>
Limits the output from the show command to only match the specified characters.
-verbose
Verbose.
-wcfcache
Show statistics of WCF functionality.

2.2.36. httpposter

Display HTTP Poster status.

Description

Display configuration and status of configured HTTPPoster_URLx targets.

Usage

httpposter [-repost=<Integer>] 

Options

-repost=<Integer>
Re-post URL now. (Admin only)

2.2.37. hwm

Show hardware monitor sensor status.

Description

Show hardware monitor sensor status.

Usage

hwm [-all] [-verbose] 

Options

-all
Show ALL sensors. WARNING: use at own risk, may take a long time for high-speed interfaces to cope.
-verbose
Show sensor number, type and limits.

2.2.38. idppipes

Show and remove hosts that are piped by IDP.

Description

Show list of currently piped hosts.

Usage

idppipes 
List all idppipes.
idppipes -show [-host=<ip addr>] 
Lists hosts for which new connections are piped by IDP.
idppipes -unpipe [-all] [-host=<ip addr>] 
Remove piping for the specified host.

Options

-all
Mark all hosts.
-host=<ip addr>
Filter on source IP address.
-show
Lists hosts for which new connections are piped by IDP.
-unpipe
Remove piping for the specified host. (Admin only)

2.2.39. ifstat

Show interface statistics.

Description

Show list of attached interfaces, or in-depth information about a specific interface.

Usage

ifstat [<Interface>] [-filter=<expr>] [-pbr=<table name>]
       [-num=<n>] [-type={ETHERNET | IFACEGROUP | ZONE | ALL}]
       [-restart] [-allindepth] [-maclist] [-snmpnewindexes]
       [-extend] 

Options

-allindepth
Show in-depth information about all interfaces.
-extend
Display extended interface information where available.
-filter=<expr>
Filter list of interfaces.
-maclist
Show MAC addresses for all interfaces.
-num=<n>
Limit list to <n> lines. (Default: 20)
-pbr=<table name>
Only list members of given PBR table(s).
-restart
Stop and restart the interface. (Admin only)
-snmpnewindexes
Renumber persistent SNMP interface indexes for all interfaces. A reconfigure must follow this command in order to generate the new indexes.
-type={ETHERNET | IFACEGROUP | ZONE | ALL}
Filter interface type. (Default: ethernet)
<Interface>
Name of interface.

2.2.40. igmp

IGMP Interfaces.

Description

Show information about the current state of the IGMP interfaces.

Send simulated messages to test configuration of the interface.

Usage

igmp 
Prints the current IGMP state.
igmp -state [<Interface>] 
Prints the current IGMP state. If an interface is specified, more details are provided.
igmp -query <Interface> [<MC address> [<router address>]] 
Simulate an incoming IGMP query message.
igmp -join <Interface> <MC address> [<host address>] 
Simulate an incoming IGMP join message.
igmp -leave <Interface> <MC address> [<host address>] 
Simulate an incoming IGMP leave message.

Options

-join
Simulate an incoming IGMP join message.
-leave
Simulate an incoming IGMP leave message.
-query
Simulate an incoming IGMP query message.
-state
Show the current IGMP state.
<host address>
Host IP address.
<Interface>
Interface.
<MC address>
Multicast Address.
<router address>
Router IP address.

2.2.41. ihs

Alias for ipsechastat.

2.2.42. ike

Initiate/delete/show IKE negotiated SAs.

Description

Command to do various operations on IKE negotiated Security Associations.

Usage

ike -stat [<IPsecTunnelBase>] [-cfgmode] 
Show global or interface statistics about IKE SAs.
ike -mem 
Show memory statistics about the IKE engine.
ike -delete [<ip address>] [-srcif=<Interface>]
    [-tunnel=<IPsecTunnelBase>] [-force] 
Delete IKE SAs.
ike -connect [<IPsecTunnelBase>] 
Setup IKE and IPsec SAs for a specified tunnel.
ike -tunnels [<IPsecTunnelBase>] [-num={ALL | <Integer>}] [-force] 
Show configured tunnels.
ike -show [<ip address>] [-num={ALL | <Integer>}]
    [-srcif=<Interface>] [-verbose] [-force]
    [-tunnel=<IPsecTunnelBase>] 
Show current IKE SAs.
ike -snoop [<ip address>] [-match] [-brief] [-off] 
Enable/disable IKE snooping.
ike -ha [-clear] 
Shows statistics about synchronized IKE/IPsec SAs and how many failed to import. Sent statistics show how many packets have been sent to the other cluster member while this node was active, and receive statistics show how many packets/failures it got while inactive.
ike 
Show current IKE SAs.

Options

-brief
Show only header information.
-cfgmode
Show statistics for config mode pool.
-clear
Reset all statistics.
-connect
Setup IKE and IPsec SAs for a specified tunnel.
-delete
Delete IKE SAs. (Admin only)
-force
Don't send notifications. Delete without delay.
-ha
Show HA synchronizing statistics for IKE/IPsec SAs.
-match
Turn on snooping of tunnel matching.
-mem
Show memory statistics.
-num={ALL | <Integer>}
Maximum number of entries to show (Default: 40/8).
-off
Turn off IKE snoop.
-show
Show information on current IKE SAs.
-snoop
Enable/disable snooping of IKE messages. (Admin only)
-srcif=<Interface>
Interface used to reach the remote endpoint.
-stat
Show global or interface statistics about IKE SAs.
-tunnel=<IPsecTunnelBase>
IPsec interface.
-tunnels
Show information on configured tunnels.
-verbose
Show verbose information.
<ip address>
IP address of remote SG/peer.
<IPsecTunnelBase>
IPsec interface.

2.2.43. ippool

Show IP pool information.

Description

Show information about the current state of the configured IP pools.

Usage

ippool 
Show IP pool information.
ippool -release [<ip address>] [-all] 
Forcibly free IP assigned to subsystem.
ippool -renew [<ip address>] [-all] 
Try to renew IP leases through DHCP Server.
ippool -show [-verbose] [-num=<n>] 
Show IP pool information.

Options

-all
Free or renew all IP addresses.
-num=<n>
Limit list to <n> entries. (Default: 100)
-release
Forcibly free IP assigned to subsystem. (Admin only)
-renew
Try to renew IP leases through DHCP Server. (Admin only)
-show
Show IP pool information.
-verbose
Verbose output.
<ip address>
IP address to free or renew.

2.2.44. ipreputation

IP Reputation stats.

Description

Show IP Reputation engine information and perform IP Reputation operations.

Usage

ipreputation -query <ip address> [-category[={ALL | SPAM_SOURCES |
             WINDOWS_EXPLOITS | WEB_ATTACKS | BOTNETS | SCANNERS |
             DOS | REPUTATION | PHISHING | PROXY | NETWORK |
             CLOUD_PROVIDERS | MOBILE_THREATS | <String>}]]
             [-lookup[={ALLMETHODS | LOCAL | CLOUD | CACHE}]] 
Perform an advanced IP Reputation Query.
ipreputation -query <ip address> 
Perform an IP Reputation Query.
ipreputation -show [-updates] [-verbose] 
Show IP Reputation update information.
ipreputation -updates [-update] [-verbose] 
Update IP Reputation Database.
ipreputation 
Show engine information.
ipreputation -cache [-show] [-flush] [-num=<n>] [-verbose] 
IP Reputation cache.
ipreputation -subsystems [-verbose] 
Show subsystem information.
ipreputation -statistics[={TOTAL | 24H | 2M | 30D}] 
Show IP Reputation statistics.

Options

-cache
IP Reputation cache.
-category[={ALL | SPAM_SOURCES | WINDOWS_EXPLOITS | WEB_ATTACKS | BOTNETS | SCANNERS | DOS | REPUTATION | PHISHING | PROXY | NETWORK | CLOUD_PROVIDERS | MOBILE_THREATS | <String>}]
IP Reputation category. (Default: all)
-flush
Remove IP Reputation cache entries.
-lookup[={ALLMETHODS | LOCAL | CLOUD | CACHE}]
Query lookup method. (Default: allmethods)
-num=<n>
Limit list to <n> entries. (Default: 40)
-query
Perform an IP Reputation query.
-show
Show IP Reputation update information.
-statistics[={TOTAL | 24H | 2M | 30D}]
IP Reputation statistics. (Default: 24h)
-subsystems
Show subsystem information.
-update
IP Reputation updates.
-updates
Update the IP Reputation database.
-verbose
Verbose output.
<ip address>
IP address.

2.2.45. ipsec

Show the IPsec SAs in use.

Description

List the currently active IPsec SAs, optionally only showing SAs matching the pattern given for the argument "iface".

Usage

ipsec -stat [<IPsecTunnelBase>] 
Show global or interface statistics about IPsec SAs.
ipsec -show [<IPsecTunnelBase>] [-verbose] [-num={ALL | <Integer>}]
      [-srcif=<Interface>] [-force] [-usage] [-hash] 
Show SA information.
ipsec -globalstats [-verbose] 
Show global IPsec statistics.
ipsec -defines 
Show IPsec system defines.
ipsec 
Show SA information.

Options

-defines
Show IPsec system defines.
-force
Bypass confirmation question.
-globalstats
Show global IPsec statistics.
-hash
Calculate hash of SA content.
-num={ALL | <Integer>}
Maximum number of entries to show (Default: 40/8).
-show
Show SA information.
-srcif=<Interface>
Interface used to reach the remote endpoint.
-stat
Show IPsec statistics.
-usage
Show detailed SA statistics information.
-verbose
Show verbose information.
<IPsecTunnelBase>
IPsec interface.

2.2.46. ipsechastat

Show statistics about HA synchronization for IPsec.

Description

Shows statistics about synchronized IKE/IPsec SAs and how many failed to import. Sent statistics show how many packets have been sent to the other cluster member while this node was active, and receive statistics show how many packets/failures it got while inactive.

Usage

ipsechastat [-clear] 

Options

-clear
Reset all statistics.

2.2.47. l2tp

Show L2TP information.

Description

Shows L2TP information and statistics.

Usage

l2tp -state={ALL | ACTIVE | LISTENING} [-child] [-num=<Integer>] 
Show all L2TP sessions.
l2tp -l2tpserver=<PPTP/L2TP Server> [-l2tpv3server=<L2TPv3 Server>]
     [-l2tpv3client=<L2TPv3 Client>]
     [-l2tpclient=<PPTP/L2TP Client>] [-state={ALL | ACTIVE |
     LISTENING}] [-child] [-num=<Integer>] 
List L2TP sessions.
l2tp -l2tpv3server=<L2TPv3 Server> [-l2tpserver=<PPTP/L2TP Server>]
     [-state={ALL | ACTIVE | LISTENING}] [-child] [-num=<Integer>] 
List L2TP sessions.
l2tp -l2tpclient=<PPTP/L2TP Client> [-l2tpv3client=<L2TPv3 Client>]
     [-state={ALL | ACTIVE | LISTENING}] [-child] [-num=<Integer>] 
List L2TP sessions.
l2tp -l2tpv3client=<L2TPv3 Client> [-l2tpclient=<PPTP/L2TP Client>]
     [-state={ALL | ACTIVE | LISTENING}] [-child] [-num=<Integer>] 
List L2TP sessions.

Options

-child
Include child sessions.
-l2tpclient=<PPTP/L2TP Client>
Only show sessions belonging to this L2TPClient.
-l2tpserver=<PPTP/L2TP Server>
Only show sessions belonging to this L2TPServer.
-l2tpv3client=<L2TPv3 Client>
Only show sessions belonging to this L2TPv3Client.
-l2tpv3server=<L2TPv3 Server>
Only show sessions belonging to this L2TPv3Server.
-num=<Integer>
Number of entries to list.
-state={ALL | ACTIVE | LISTENING}
Show sessions with specified state. (Default: active)

2.2.48. languagefiles

Manage language files on disk.

Description

Manage language files on disk.

Usage

languagefiles 
Show all language files on disk.
languagefiles -remove=<String> 
Remove a language file from disk.

Options

-remove=<String>
Specify language file to delete.

2.2.49. ldap

LDAP information.

Description

Status and statistics for the configured LDAP databases.

Usage

ldap 
List all LDAP databases.
ldap -list 
List all LDAP databases.
ldap -show [<LDAP Server>] 
Show LDAP database status and statistics.
ldap -reset [<LDAP Server>] 
Reset LDAP database.

Options

-list
List all LDAP databases.
-reset
Reset status for LDAP database. (Admin only)
-show
Show status and statistics.
<LDAP Server>
LDAP database.

2.2.50. license

License management.

Description

Manage the contents of the current license.

Usage

license 
Show the contents of the current license.
license -show 
Show the contents of the current license.
license -activate [-request] [-username=<String>]
        [-password=<String>] 
Activates a license.
license -myclavister [-username=<String>] [-password=<String>]
        [-disconnect] 
Manages the MyClavister connection.
license -downloadlicense 
Downloads the latest license from MyClavister.
license -checkdate 
Perform a check to see if a newer license exists from MyClavister.
license -remove 
Remove the installed license. Unit will enter 2h demo mode.
license -update 
Initiate a license update.
license -secaas_add <String> <String> 
Add SECaaS configuration.
license -secaas_remove 
Remove SECaaS configuration and license.

Options

-activate
Manages license activation. (Admin only)
-checkdate
Request a check for a newer license from MyClavister. (Admin only)
-disconnect
Disconnects this device from MyClavister. (Admin only)
-downloadlicense
Requests a download of the latest license from MyClavister. (Admin only)
-myclavister
Manages the connection to MyClavister. (Admin only)
-password=<String>
Sets password to be used. (Admin only)
-remove
Remove license file from the firewall. (Admin only)
-request
Send request to Clavister server to activate license. (Admin only)
-secaas_add
Create new SECaaS configuration file. (Admin only)
-secaas_remove
Removes SECaaS configuration and license. System will restart in Demo mode. (Admin only)
-show
Show current status and credentials.
-update
Initiate a license update. (Admin only)
-username=<String>
Sets username to be used. (Admin only)
<String>
SECaaS identification number. (Admin only)
<String>
SECaaS license number. (Admin only)

2.2.51. linkmon

Display link monitoring statistics.

Description

If link monitor hosts have been configured, linkmon will monitor host reachability to detect link/NIC problems.

Usage

linkmon 

2.2.52. linktest

Simple tool to test connection to external server.

Description

Verifies the connection using the Measurement Lab NDT7 protocol or an HTTP(S) server.

Usage

linktest 
Show test results.
linktest -abort [-clear] 
Aborts currently running test.
linktest -clear 
Clear results from previous test.
linktest -show [-verbose] 
Show test results.
linktest -start [-host=<IPAddress>] [-port=<1...65535>] [-ssl={TRUE
         | FALSE}] [-pbr=<table>] [-clients[=<1...15>]] 
Speed test using Measurement Lab NDT7.
linktest -start_http {GET | PUT | POST} <String> [-limit[=<MB>]]
         [-timeout[=<seconds>]] [-pbr=<table>]
         [-clients[=<1...15>]] 
Speed test using HTTP(S) server.

Options

-abort
Abort running test.
-clear
Clear test results.
-clients[=<1...15>]
Max number of parallel clients to use. (Default: 1)
-host=<IPAddress>
Hostname or IP address for NDT7 test server.
-limit[=<MB>]
Max number of MB to transfer. (Default: 1000)
-pbr=<table>
Route using PBR Table.
-port=<1...65535>
Custom port for NDT7 test server.
-show
Show test status or results.
-ssl={TRUE | FALSE}
Specify if test should run over SSL.
-start
Starts test using Measurement Lab NDT7.
-start_http
Start HTTP(S) test using specified server.
-timeout[=<seconds>]
Max number of seconds to run test. (Default: 15)
-verbose
Show verbose information.
<String>
URL of test server.
{GET | PUT | POST}
HTTP method to use.
Note: Requires Administrator privileges.

2.2.53. logout

Logout user.

Description

Logout current user.

Usage

logout 

2.2.54. lwhttp

Commands related to the Light-Weight HTTP inspection engine.

Description

The lwhttp CLI command prints information about the Light-Weight HTTP inspection engine a.k.a. LW-HTTP ALG.

The LW-HTTP inspection engine is automatically enabled for IP policies with HTTP protocol validation or a web profile configured.

Compared to the ordinary HTTP-ALG, the LW-HTTP inspector provides better throughput performance without affecting network security.

Usage

lwhttp 

2.2.55. macstorage

The MAC address storage.

Description

The MAC address storage keeps MAC addresses persistent for SR-IOV interfaces when used in virtual environments.

Usage

macstorage 

2.2.56. management

Show remote management status.

Description

Show remote management status and information.

Usage

management 
List remote management.
management -type=InCenter 
Show InCenter remote management.
management -type=InControl 
Show InControl remote management.
management -type={REST | SNMP | SSH | WEBUI} [<String>] 
Show info for specific remote management.

Options

-type={INCENTER | INCONTROL | REST | SNMP | SSH | WEBUI}
Type of management to display.
<String>
Object to show info for.

2.2.57. natpool

Show current NAT Pools.

Description

Show current NAT Pools and in-depth information.

Usage

natpool [-num=<Integer>] [<pool name> [<IPv4 Address>]] 

Options

-num=<Integer>
Maximum number of items to list (Default: 20).
<IPv4 Address>
Translated IP.
<pool name>
NAT Pool name.

2.2.58. nd

Show Neighbor Discovery entries for given interface.

Description

List the Neighbor Discovery cache entries of specified interfaces.

If no interface is given the Neighbor Discovery cache entries of all interfaces will be presented.

The presented list can be filtered using the ip and hw options.

Usage

nd -routerdiscovery [<Interface>] [-num=<n>] 
Show Router Discovery enabled interfaces.
nd 
Show all Neighbor Discovery entries.
nd -show [<Interface>] [-ip=<pattern>] [-hw=<pattern>] [-num=<n>] 
Show Neighbor Discovery entries.
nd -hashinfo [<Interface>] 
Show information on hash table health.
nd -flush [<Interface>] 
Flush Neighbor Discovery cache of specified interface.
nd -query=<ip> <Interface> 
Send Neighbor Solicitation for IP.
nd -del=<ip> <Interface> 
Delete ND cache entry.

Options

-del=<ip>
Delete ND cache entry <ip>.
-flush
Flush Neighbor Discovery cache of all specified interfaces. (Admin only)
-hashinfo
Show information on hash table health.
-hw=<pattern>
Show only hardware addresses matching pattern.
-ip=<pattern>
Show only IP addresses matching pattern.
-num=<n>
Show only the first <n> entries per interface. (Default: 20)
-query=<ip>
Send Neighbor Solicitation for <ip>.
-routerdiscovery
Show Router Discovery enabled interfaces.
-show
Show Neighbor Discovery entries for given interface(s).
<Interface>
Interface name.

2.2.59. ndsnoop

Toggle snooping and displaying of ARP requests.

Description

Toggle snooping and displaying of Neighbor Discovery queries and responses on-screen.

The snooped messages are displayed before the access section validates the sender IP addresses in the ARP data.

Usage

ndsnoop 
Show snooped interfaces.
ndsnoop {ALL | NONE | <interface>} [-verbose] 
Snoop specified interface.

Options

-verbose
Verbose.
{ALL | NONE | <interface>}
Interface name.
Note: Requires Administrator privileges.

2.2.60. neighborcache

Shows the default contents of the neighbor cache.

Description

Contains information such as hostname, configured name, hardware address and IPv4 address for the firewall's network neighbors.

Usage

neighborcache 
Show neighbor cache.
neighborcache -show [-names] [-users] [-ipv6] [-devinfo]
              [-filter={INACTIVE | ACTIVE}] 
Show neighbor cache.
neighborcache -devinfo [-filter={INACTIVE | ACTIVE}] 
Show device intelligence information for neighbor cache entries.

Options

-devinfo
Show Device Intelligence information.
-filter={INACTIVE | ACTIVE}
Shows the filtered contents of the neighbor cache, based on state.
-ipv6
Shows the IPv6 addresses for entries in the neighbor cache.
-names
Shows the host name and configured name for entries in the neighbor cache.
-show
Shows the default contents of the neighbor cache.
-users
Shows any authenticated users against their neighbor cache entry.

2.2.61. netcon

List all NetCon users.

Description

Show a list of connected NetCon users.

Usage

2.2.62. netobjects

Show runtime values of network objects.

Description

Displays named network objects and their contents.

Example 2.9.  List network objects which have names containing "net".

netobjects *net*

Usage

netobjects [<String>] [-num=<num>] 

Options

-num=<num>
Number of entries to show. (Default: 20)
<String>
Name or pattern.

2.2.63. oidc

OIDC command.

Description

OIDC functions.

Usage

oidc 
Show OIDC objects.
oidc -manual 
Show manual OIDC objects.
oidc -discovery [-url=<String>] 
Manual discovery download.
oidc -memory 
Show OIDC memory usage.
oidc -refresh 
Refresh OIDC contexts.
oidc -verbose 
Verbose output.

Options

-discovery
Do OIDC discovery download.
-manual
Show manual OIDC objects.
-memory
Show OIDC memory.
-refresh
Refresh OIDC objects by downloading OIDC discovery data for all configured OIDC Providers.
-url=<String>
OIDC discovery URL.
-verbose
Verbose output.

2.2.64. oneconnect

OneConnect tunnels.

Description

List running OneConnect configurations, OneConnect active tunnels and call information.

Usage

oneconnect -num=<n> [-verbose] 
Show sessions.

Options

-num=<n>
Limit display to <n> entries. (Default: 20)
-verbose
Verbose output.

2.2.65. ospf

Show runtime OSPF information.

Description

Show runtime information about the OSPF router process(es).

Note: -process is only required if there are >1 OSPF router processes.

Usage

ospf -memory [-verbose] 
Show OSPF memory information.
ospf -status 
Show OSPF status information.
ospf 
Show runtime information.
ospf -iface [<interface>] [-process=<OSPF Router Process>] 
Show interface information.
ospf -area [<OSPF Area>] [-process=<OSPF Router Process>] 
Show area information.
ospf -cfgneighbor [<OSPF Neighbor>]
     [-process=<OSPF Router Process>] 
Show neighbor information.
ospf -neighbor [-listall] [-ip=<ip>] [-num=<n>]
     [-process=<OSPF Router Process>] 
Show neighbor information.
ospf -route [{HA | ALT}] [-process=<OSPF Router Process>] 
Show the internal OSPF process routing table.
ospf -database [-verbose] [-process=<OSPF Router Process>] 
Show the LSA database.
ospf -lsa <lsaID> [-process=<OSPF Router Process>] 
Show details for a specified LSA.
ospf -snoop={ON | OFF} [-process=<OSPF Router Process>] 
Show troubleshooting messages on the console.
ospf -ifacedown <interface> [-process=<OSPF Router Process>] 
Take specified interface offline.
ospf -ifaceup <interface> [-process=<OSPF Router Process>] 
Take specified interface online.
ospf -execute={STOP | START | RESTART}
     [-process=<OSPF Router Process>] 
Start/stop/restart OSPF process.

Options

-area
Show area information.
-cfgneighbor
Show neighbor information by configured neighbor.
-database
Show the LSA database.
-execute={STOP | START | RESTART}
Start/stop/restart OSPF process. (Admin only)
-iface
Show interface information.
-ifacedown
Take specified interface offline. (Admin only)
-ifaceup
Take specified interface online. (Admin only)
-ip=<ip>
IP address.
-listall
Show list.
-lsa
Show details for a specified LSA <lsaID>.
-memory
Show OSPF memory usage.
-neighbor
Show neighbor information.
-num=<n>
Limit display to <n> objects. (Default: 20)
-process=<OSPF Router Process>
Required if there are >1 OSPF router processes.
-route
Show the internal OSPF process routing table.
-snoop={ON | OFF}
Show troubleshooting messages on the console. (Admin only)
-status
Show OSPF status.
-verbose
Increase amount of information to display.
<interface>
OSPF enabled interface.
<lsaID>
LSA ID.
<OSPF Area>
OSPF Area.
<OSPF Neighbor>
Neighbor.
{HA | ALT}
Show HA routing table.

2.2.66. pcapdump

Packet capturing.

Description

Packet capture engine.

Usage

pcapdump 
Show capture status.
pcapdump -start [<interface(s)>] [-size=<value>] [-snaplen=<value>]
         [-count=<value>] [-out] [-out-nocap]
         [-eth=<Ethernet Address>] [-ethsrc=<Ethernet Address>]
         [-ethdest=<Ethernet Address>] [-ip=<IPv4 Address>]
         [-ipsrc=<IPv4 Address>] [-ipdest=<IPv4 Address>]
         [-port=<String>] [-srcport=<String>] [-destport=<String>]
         [-proto=<0...255>] [-icmp] [-tcp] [-udp] [-promisc]
         [-ipversion=<1...15>] 
Start capture.
pcapdump -stop [<interface(s)>] 
Stop capture.
pcapdump -status 
Show capture status.
pcapdump -show [<interface(s)>] [-num={ALL | <Integer>}] 
Show a brief of the captured packets.
pcapdump -write [<interface(s)>] [-filename=<String>] 
Write the captured packets to disk.
pcapdump -wipe 
Remove all captured packets from memory.
pcapdump -cleanup 
Remove all captured packets, release capture mode and delete all written capture files from disk.

Options

-cleanup
Remove all captured packets, release capture mode and delete all written capture files from disk.
-count=<value>
Number of packets to capture.
-destport=<String>
Destination TCP/UDP port filter.
-eth=<Ethernet Address>
Ethernet address filter.
-ethdest=<Ethernet Address>
Ethernet destination address filter.
-ethsrc=<Ethernet Address>
Ethernet source address filter.
-filename=<String>
Filename for capture file.
-icmp
ICMP filter.
-ip=<IPv4 Address>
IP address filter.
-ipdest=<IPv4 Address>
Destination IP address filter.
-ipsrc=<IPv4 Address>
Source IP address filter.
-ipversion=<1...15>
IP version filter.
-num={ALL | <Integer>}
Maximum number of entries to show (Default: 20).
-out
Realtime packet brief dumped to console.
-out-nocap
Unbuffered (not stored in memory) realtime packet brief dumped to console.
-port=<String>
TCP/UDP port filter.
-promisc
Set iface in promiscuous mode.
-proto=<0...255>
IP protocol filter.
-show
Show a brief of the captured packets.
-size=<value>
Size (kb) of buffer to store captured packets in memory (default 512kb).
-snaplen=<value>
Maximum length of each packet to capture.
-srcport=<String>
Source TCP/UDP port filter.
-start
Start capture.
-status
Show capture status.
-stop
Stop capture.
-tcp
TCP filter.
-udp
UDP filter.
-wipe
Remove all captured packets from memory.
-write
Write the captured packets to disk.
<interface(s)>
Name of interface(s).
Note: Requires Administrator privileges.

2.2.67. pciscan

Show detected PCI devices.

Description

Usage

pciscan 
Show identified ethernet devices.
pciscan -all 
Show all detected devices.
pciscan -ethernet 
Show all detected ethernet devices.
pciscan -cfgupdate 
Updates the config with detected devices.
pciscan -force_driver <Integer> {UIO} 
Force a certain driver to a device.

Options

-all
Show all detected devices.
-cfgupdate
Updates the config with detected devices. (Admin only)
-ethernet
Show all detected ethernet devices.
-force_driver
Force a certain device to a specific driver. (Admin only)
<Integer>
Index of device to update.
{UIO}
Interface driver to use.

2.2.68. pipes

Show pipes information.

Description

Show list of configured pipes / pipe details / pipe users.

Note: The "pipes" command is not executed right away; it is queued until the end of the second, when pipe values are calculated.

Usage

pipes 
List all pipes.
pipes -users [<Pipe>] [-expr=<String>] 
List users of a given pipe.
pipes -show [<Pipe>] [-expr=<String>] 
Show pipe details.

Options

-expr=<String>
Pipe wildcard(*) expression.
-show
Show pipe details.
-users
List users of a given pipe.
<Pipe>
Show pipe details.

2.2.69. pptp

Show PPTP information.

Description

Shows PPTP information and statistics.

Usage

pptp -state={ALL | ACTIVE | LISTENING | CHILDONLY} [-child]
     [-num=<Integer>] 
Show all PPTP sessions.
pptp -pptpserver=<PPTP/L2TP Server> [-state={ALL | ACTIVE |
     LISTENING | CHILDONLY}] [-child] [-num=<Integer>] 
List PPTP sessions.
pptp -pptpclient=<PPTP/L2TP Client> [-state={ALL | ACTIVE |
     LISTENING | CHILDONLY}] [-child] [-num=<Integer>] 
List PPTP sessions.

Options

-child
Include child sessions.
-num=<Integer>
Number of entries to list.
-pptpclient=<PPTP/L2TP Client>
Only show sessions belonging to this PPTP client (L2TPClient with TunnelProtocol == PPTP).
-pptpserver=<PPTP/L2TP Server>
Only show sessions belonging to this PPTP server (L2TPServer with TunnelProtocol == PPTP).
-state={ALL | ACTIVE | LISTENING | CHILDONLY}
Show sessions with specified state. (Default: active)

2.2.70. pptpalg

Show PPTP ALG information.

Description

Shows information and statistics of the PPTP ALGs.

Usage

pptpalg 
Show all configured PPTP ALGs.
pptpalg -sessions <PPTP ALG> [-verbose] [-num=<Integer>] 
List all PPTP sessions.
pptpalg -services <PPTP ALG> 
List all services attached to PPTP ALG.

Options

-num=<Integer>
Number of entries to list.
-services
List all services attached to PPTP ALG.
-sessions
List all sessions using a PPTP tunnel.
-verbose
Verbose output.
<PPTP ALG>
PPTP ALG.

2.2.71. reconfigure

Initiates a configuration re-read.

Description

Restart the firewall using the currently active configuration.

Usage

Note: Requires Administrator privileges.

2.2.72. rekeysa

Rekey IPsec or IKE SAs established with given remote peer.

Description

Rekey IPsec or IKE SAs associated with a given remote IKE peer, or optionally all IPsec or IKE SAs in the system.

Usage

rekeysa -ike <ip address> 
Rekey IKE SAs.
rekeysa -ipsec <ip address> 
Rekey IPsec SAs.
rekeysa <ip address> 
Rekey IPsec SAs.

Options

-ike
Rekey IKE SAs.
-ipsec
Rekey IPsec SAs.
<ip address>
IP address of remote peer.
Note: Requires Administrator privileges.

2.2.73. route

Alias for routes.

2.2.74. routemon

List the currently monitored interfaces and gateways.

Description

List the currently monitored interfaces and/or gateways.

Usage

routemon 

2.2.75. rtmonitor

Real-time monitor information.

Description

Show information about real-time monitor objects, and real-time monitor alerts.

All objects matching the specified filter are displayed. The filter can be the name of an object, or the beginning of a name. If no filter is specified, all objects are displayed.

If the option "monitored" is specified, only objects that have an associated real-time monitor alert are displayed.

Example 2.10. Show all monitored objects in the alg/http category

gw-world:/> rtmonitor alg/http -m

Usage

rtmonitor [<filter>] [-terse] [-monitored] [-num={ALL | <Integer>}]

Options

-monitored
Only show monitored objects.
-num={ALL | <Integer>}
Maximum number of entries to show (Default: 20).
-terse
Only show object name.
<filter>
Object filter.

2.2.76. rules

Show rules lists.

Description

Shows the content of the various types of rules, i.e. main ruleset, pipe ruleset, etc.

Example 2.11. Show a range of rules

rules -verbose 1-5 7-9

Usage

rules -type=IP [-ruleset={* | MAIN | <IP Rule Set>}] [-verbose]
      [-schedule] [-usageless=<usageless>] [-usagemore=<usagemore>]
      [<rules>]...
Show IP rules.
rules -type={ROUTING | PIPE | IDP | THRESHOLD | IGMP} [-verbose]
      [-schedule] [-usageless=<usageless>] [-usagemore=<usagemore>]
      [<rules>]...
Show a specific type of rules.

Options

-ruleset={* | MAIN | <IP Rule Set>}
Show a specified IP ruleset.
-schedule
Filter out rules that are not currently allowed by selected schedules.
-type={IP | ROUTING | PIPE | IDP | THRESHOLD | IGMP}
Type of rules to display. (Default: IP)
-usageless=<usageless>
Filter on usage below(<=) specified limit.
-usagemore=<usagemore>
Filter on usage above(>=) specified limit.
-verbose
Verbose: show all parameters of the rules.
<rules>
Range of rules to display. (Default: all rules)

2.2.77. selftest

Run appliance self tests.

Description

The appliance self tests are used to verify the correct function of hardware components.

IMPORTANT: In order for a selftest result to be reliable the test must be run using a default configuration and having the firewall disconnected from any networks.

IMPORTANT: Normal firewall operations might be disrupted during the test(s).

The outcome of the throughput crypto accelerator tests is dependent on configuration values. If the number of large buffers (LocalReassSettings->LocalReass_NumLarge) is too low, it might lower the throughput result. In the field 'Drop/Fail', the 'Drop' column contains the number of packets that were dropped before ever reaching the crypto accelerator and the 'Fail' column contains the number of packets that for some reason failed encryption. The 'Pkt In/Out' field shows the total number of packets sent to, and returned from, the accelerator.

The interface tests 'traffic' and 'throughput' are dependent on the settings for the NIC ring sizes and possibly also license limitations. The 'traffic' test uses a uniform random distribution of six packet sizes between 60 and 1518 bytes. The content of each received packet is validated. The 'throughput' test uses only the largest packet size, and does not validate the contents of the received packets.

Example 2.12. Interface ping test between all interfaces

selftest -ping

Example 2.13. Interface ping test between interfaces 'if1' and 'if2'

selftest -ping -interfaces=if1,if2

Example 2.14. Start 30 min burn-in, testing RAM, storage media and crypto accelerator

selftest -burnin -minutes 30 -media -memory -cryptoaccel

Usage

selftest -memory [-num=<Integer>] 
Check the sanity of the RAM.
selftest -ssl 
Validation and Performance test for SSL.
selftest -media [-size=<Integer>] 
Check the sanity of the disk drive.
selftest -mac 
Check if there are MAC address collisions on the interfaces.
selftest -ping [-interfaces=<Interface>] 
Run a ping test over the interfaces.
selftest -throughput [-interfaces=<Interface>] 
Run a throughput test over the interfaces.
selftest -traffic [-interfaces=<Interface>] [-verbose] 
Run a traffic test over the interfaces.
selftest -latency [-interfaces=<Interface>] 
Run a latency test over the interfaces.
selftest -cryptoaccel 
Verify the correct functioning of the accelerator cards.
selftest -burnin [-hours[=<Integer>]] [-minutes[=<Integer>]]
         [-memory] [-media] [-ping] [-throughput] [-traffic]
         [-cryptoaccel] [-size=<Integer>] 
Run burn-in tests for a set of sub tests. If no sub tests are specified the following are included: -memory, -ping, -traffic, -cryptoaccel.
selftest -abort 
Abort a running self test.
selftest 
Show the status of a running test.

Options

-abort
Abort a running self test.
-burnin
Run burn-in tests for a selected set of sub tests.
-cryptoaccel
Verify the correct functioning of available crypto accelerator cards.
-hours[=<Integer>]
Test duration in hours. (Default: 48)
-interfaces=<Interface>
Ethernet interface(s).
-latency
Measure min/avg/max latency using low volume traffic test.
-mac
Check if there are MAC address collisions on the interfaces.
-media
Check the sanity of the disk drive.
-memory
Check the sanity of the RAM.
-minutes[=<Integer>]
Test duration in minutes. (Default: 0)
-num=<Integer>
Number of times to execute the test. (Default: 1)
-ping
Run a ping test over the interfaces.
-size=<Integer>
Size of media space to utilize in the test. Set in MB. (Default: 1)
-ssl
Validation and Performance test for SSL.
-throughput
Run a throughput test over the interfaces. This will show the maximal achievable interface throughput.
-traffic
Run a traffic test over the interfaces. The traffic test uses mixed frame sizes and verifies the content of each received frame.
-verbose
Print extra information about the test.
Note: Requires Administrator privileges.

2.2.78. services

Show runtime values of configured services.

Description

Shows the runtime values of all configured services.

Example 2.15. List all services whose names begin with "http"

services http*

Usage

services 
List services.
services <String> 
Show services.
services -policy [<String>] 
Show IP Policy generated services.

Options

-policy
Show IP Policy generated service information.
<String>
Name or pattern.

2.2.79. sessionmanager

Session Manager.

Description

Show information about the Session Manager, and list currently active users.

Explanation of Timeout flags for sessions:

D
Session is disabled
S
Session uses a timeout in its subsystem
-
Session does not use timeout

Usage

sessionmanager 
Show Session Manager status.
sessionmanager -status 
Show Session Manager status.
sessionmanager -list [-num=<n>] 
List active sessions.
sessionmanager -info <session name> <database> 
Show in-depth information about session(s).
sessionmanager -message <session name> <database> <message text> 
Send message to session with console.
sessionmanager -disconnect <session name> <database> [<IP Address>
               [{LOCAL | SSH | NETCON | HTTP | HTTPS}]] 
Forcibly terminate session(s).

Options

-disconnect
Forcibly terminate session(s). (Admin only)
-info
Show in-depth information about session.
-list
List active sessions.
-message
Send message to session.
-num=<n>
List <n> sessions.
-status
Show Session Manager status.
<database>
Name of user database.
<IP Address>
IP address.
<message text>
Message to send.
<session name>
Name of session.
{LOCAL | SSH | NETCON | HTTP | HTTPS}
Session type.

2.2.80. shutdown

Initiate core or system shutdown.

Description

Initiate restart of the core/system.

Usage

shutdown [<seconds>] [-normal] [-reboot] 

Options

-normal
Initiate core shutdown.
-reboot
Initiate system reboot.
<seconds>
Seconds until shutdown. (Default: 5)
Note: Requires Administrator privileges.

2.2.81. sipalg

SIP ALG.

Description

List running SIP-ALG configurations, SIP registration and call information.

The -flags option with -snoop allows any combination of the following values:

- 0x00000001 GENERAL
- 0x00000002 ERRORS
- 0x00000004 OPTIONS
- 0x00000008 PARSE
- 0x00000010 VALIDATE
- 0x00000020 SDP
- 0x00000040 ALLOW_CHANGES
- 0x00000080 SUPPORTED_CHANGES
- 0x00000100 2543COMPLIANCE
- 0x00000200 RECEPTION
- 0x00000400 SESSION
- 0x00000800 REQUEST
- 0x00001000 RESPONSE
- 0x00002000 TOPO_CHANGES
- 0x00004000 MEDIA
- 0x00008000 CONTACT
- 0x00010000 CONN
- 0x00020000 PING
- 0x00040000 TRANSACTION
- 0x00080000 CALLLEG
- 0x00100000 REGISTRY

Flags can be combined by adding their values together. The default value is 0x00000003 (GENERAL and ERRORS).

NOTE: 'verbose' option outputs a lot of information on the console which may lead to system instability. Use with caution.
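The following helper is an added example, not part of the product or its documentation: it builds and decodes a -flags mask from the values listed above, so a snoop session can be limited to the categories under investigation. The function names, the sample address and the 0x-prefixed, zero-padded output form (taken from how this page writes the values) are assumptions.

```python
"""Compose and decode masks for 'sipalg -snoop ... -flags=<String>'."""

# Flag values copied from the list in the sipalg description.
SIP_SNOOP_FLAGS = {
    "GENERAL": 0x00000001,
    "ERRORS": 0x00000002,
    "OPTIONS": 0x00000004,
    "PARSE": 0x00000008,
    "VALIDATE": 0x00000010,
    "SDP": 0x00000020,
    "ALLOW_CHANGES": 0x00000040,
    "SUPPORTED_CHANGES": 0x00000080,
    "2543COMPLIANCE": 0x00000100,
    "RECEPTION": 0x00000200,
    "SESSION": 0x00000400,
    "REQUEST": 0x00000800,
    "RESPONSE": 0x00001000,
    "TOPO_CHANGES": 0x00002000,
    "MEDIA": 0x00004000,
    "CONTACT": 0x00008000,
    "CONN": 0x00010000,
    "PING": 0x00020000,
    "TRANSACTION": 0x00040000,
    "CALLLEG": 0x00080000,
    "REGISTRY": 0x00100000,
}

# Union of every bit the page defines; anything outside it is undefined.
ALL_DEFINED = 0
for _bit in SIP_SNOOP_FLAGS.values():
    ALL_DEFINED |= _bit


def compose(names):
    """Return the hex mask for the given flag names (case-insensitive).

    Bits are OR-ed rather than summed, so naming a flag twice cannot
    carry into a neighbouring bit and silently enable another category.
    """
    mask = 0
    for name in names:
        key = name.strip().upper()
        if key not in SIP_SNOOP_FLAGS:
            raise ValueError(f"unknown SIP snoop flag: {name!r}")
        mask |= SIP_SNOOP_FLAGS[key]
    return f"0x{mask:08x}"


def decode(value):
    """Return the flag names set in a mask given as a hex string or int."""
    mask = int(value, 16) if isinstance(value, str) else int(value)
    if mask < 0:
        raise ValueError("mask must not be negative")
    unknown = mask & ~ALL_DEFINED
    if unknown:
        raise ValueError(f"undefined bits set: 0x{unknown:08x}")
    return [name for name, bit in SIP_SNOOP_FLAGS.items() if mask & bit]


def snoop_command(names, ipaddr=None):
    """Build a 'sipalg -snoop=ON' line following the Usage syntax.

    Assumption: the CLI accepts the 0x-prefixed form shown on this page.
    """
    parts = ["sipalg", "-snoop=ON"]
    if ipaddr:
        parts.append(ipaddr)
    parts.append(f"-flags={compose(names)}")
    return " ".join(parts)


if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address.
    print(snoop_command(["ERRORS", "SDP", "MEDIA"], "192.0.2.10"))
    print(decode("0x00000003"))
```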

Usage

sipalg -definition [<alg>] 
Show running ALG configuration parameters.
sipalg -registration[={SHOW | FLUSH}] <alg> 
Show or flush current registration table.
sipalg -calls <alg> 
Show active calls table.
sipalg -session <alg> 
Show active SIP sessions.
sipalg -connection <alg> [-num=<n>] 
Show SIP connections.
sipalg -statistics[={SHOW | FLUSH}] <alg> 
Show or flush SIP counters.
sipalg -snoop={ON | OFF | VERBOSE} [<ipaddr>] [-flags=<String>] 
Control SIP snooping. Useful for troubleshooting SIP transactions. NOTE: 'verbose' option outputs a lot of information on the console which may lead to system instability. Use with caution.

Options

-calls
Show active calls table.
-connection
Show SIP connections.
-definition
Show running ALG configuration parameters.
-flags=<String>
SIP snooping for certain levels. Expected number in hexadecimal notation.
-num=<n>
Limit list to <n> connections. (Default: 20)
-registration[={SHOW | FLUSH}]
Show or flush registration table. (Default: show)
-session
Show active SIP sessions.
-snoop={ON | OFF | VERBOSE}
Enable or disable SIP snooping. NOTE: 'verbose' option outputs a lot of information on the console which may lead to system instability. Use with caution. (Admin only)
-statistics[={SHOW | FLUSH}]
Show or flush SIP counters. (Default: show)
<alg>
SIP-ALG name.
<ipaddr>
IP Address to snoop.

2.2.82. slb

Manage and show status for SLB.

Description

Display SLB status and perform various related actions.

Usage

slb 
Display status for all policies.
slb -status <String> 
Display status for specific policy.
slb -suspend <String> <ip address> 
Suspend load distribution to server.
slb -resume <String> <ip address> 
Resume load distribution to server.

Options

-resume
Resume load distribution to SLB server (maintenance off).
-status
Display status for specific SLB policy.
-suspend
Suspend load distribution to SLB server (maintenance on).
<ip address>
IP address.
<String>
SLB policy.

2.2.83. smtp

List SMTP LogReceiver sessions and send test mail.

Description

List SMTP sessions for configured SMTP LogReceivers and CLI SMTP sessions created when using "sendmail" to send test mail to SMTP LogReceiver. The temporary CLI sessions, marked with (CLI), have a lifetime of 300s.

Usage

smtp -list [-num[=<1...1000>]] [-verbose] 
Show SMTP sessions.
smtp -verbose 
Show SMTP sessions with verbose output.
smtp -stat 
Show SMTP statistics.
smtp -sendmail -logreceiver=<Mail Alerting> [-message=<String>] 
Send mail to specified SMTP LogReceiver.

Options

-list
Show SMTP sessions.
-logreceiver=<Mail Alerting>
LogReceiver.
-message=<String>
Mail message.
-num[=<1...1000>]
Number of entries to list. (Default: 40)
-sendmail
Send test mail to SMTP LogReceiver.
-stat
Show SMTP statistics.
-verbose
Verbose output.

2.2.84. snmp

Show SNMP information.

Description

Show SNMP status.

Usage

snmp [-engineId] 

Options

-engineId
Display the system's SNMPv3 engine ID.

2.2.85. sshserver

SSH Server.

Description

Show SSH Server status, or start/stop/restart SSH Server.

Usage

sshserver 
Show server status and list all connected clients.
sshserver -status [-verbose] 
Show server status and list all connected clients.
sshserver -keygen <Local System SSH Host Key> 
Generate SSH Server private keys.
sshserver -restart <ssh server> 
Restart SSH Server.

Options

-keygen
Generate SSH Server private keys. This operation may take a long time to finish, up to several minutes!
-restart
Stop and start the SSH Server.
-status
Show server status and list all connected clients.
-verbose
Verbose output.
<Local System SSH Host Key>
Key type to create.
<ssh server>
SSH Server.
Note: Requires Administrator privileges.

2.2.86. sslvpn

SSLVPN tunnels.

Description

List running SSLVPN configurations, SSLVPN active tunnels and call information.

Usage

sslvpn [-num=<n>] 

Options

-num=<n>
Limit display to <n> entries. (Default: 20)

2.2.87. stats

Display various general firewall statistics.

Description

Display general information about the firewall, such as uptime, CPU load, resource consumption and other performance data.

Usage

2.2.88. sysmsgs

Display system/OS messages.

Description

Show contents of the sysmsg buffer.

Usage

sysmsgs 
Show system messages.
sysmsgs -num=<n> 
Show system messages.

Options

-num=<n>
Limit number of shown entries. (Default: 80)

2.2.89. techsupport

Technical Support information.

Description

Generate information useful for technical support.

Due to the large amount of output, this command might show a truncated result when executed from the local console.

Usage

techsupport 

2.2.90. time

Display current system time.

Description

Display/set the system date and time.

Usage

time 
Display current system time.
time -verbose 
Display current system time.
time -set <date> <time> 
Set system local time: <YYYY-MM-DD> <HH:MM:SS>.
time -sync [-force] 
Synchronize time with timeserver(s) (specified in settings).

Options

-force
Force synchronization regardless of the MaxAdjust setting.
-set
Set system local time: <YYYY-MM-DD> <HH:MM:SS>. (Admin only)
-sync
Synchronize time with timeserver(s) (specified in settings).
-verbose
Show more information about time zone and DST.
<date>
Date YYYY-MM-DD.
<time>
Time HH:MM:SS.

2.2.91. uarules

Show user authentication rules.

Description

Displays the contents of the user authentication ruleset.

Example 2.16. Show a range of rules

uarules -v 1-2,4-5

Usage

uarules [-verbose] [<Integer Range>] 

Options

-verbose
Verbose output.
<Integer Range>
Range of rules to list.

2.2.92. updatecenter

Show status and manage autoupdate information.

Description

Show autoupdate mechanism status or force an update.

Usage

updatecenter 
Show update status and database information.
updatecenter -status[={ANTIVIRUS | IDP | IPREPUTATION | ALL}] 
Show update status and database information.
updatecenter -update[={ANTIVIRUS | IDP | IPREPUTATION | ALL}] 
Initiate an update check of the specified database.
updatecenter -removedb={ANTIVIRUS | IDP | IPREPUTATION} 
Remove the specified signature database.
updatecenter -servers 
Show status of update servers.

Options

-removedb={ANTIVIRUS | IDP | IPREPUTATION}
Remove the database for the specified service.
-servers
Show autoupdate server information.
-status[={ANTIVIRUS | IDP | IPREPUTATION | ALL}]
Show update status and service information. (Admin only; Default: all)
-update[={ANTIVIRUS | IDP | IPREPUTATION | ALL}]
Force an update now for the specified service. (Admin only; Default: all)

2.2.93. userauth

Show logged-on users.

Description

Show currently logged-on users and other information. Also allows logged-on users to be forcibly logged out.

Note: In the user listing -list, only privileges actually used by the policy are displayed.

Usage

userauth 
List all authenticated users.
userauth -list [-num=<n>] [-blocked] [-verbose] 
List all authenticated users.
userauth -privilege 
List all known privileges (usernames and groups).
userauth -user [<user ip>] 
Show all information for user(s) with this IP address.
userauth -remove [<user ip> [<Interface>]] [-all] 
Forcibly log out an authenticated user.

Options

-all
All users.
-blocked
List all blocked users.
-list
List all authenticated users.
-num=<n>
Limit list of authenticated users. (Default: 20)
-privilege
List all known privileges (usernames and groups).
-remove
Forcibly log out an authenticated user. (Admin only)
-user
Show all information for user(s) with this IP address.
-verbose
List all blocked users history.
<Interface>
Interface.
<user ip>
IP address for user(s).

2.2.94. vlan

Show information about VLAN.

Description

Show list of attached Virtual LAN Interfaces, or in-depth information about a specified VLAN.

Usage

vlan 
List attached VLANs.
vlan -num=<n> [-page[=<n>]] [-verbose] 
Set number of display lines per page and display page.
vlan <Interface> 
Display in-depth information about a VLAN interface, and/or the VLAN interfaces that are based on a specific interface.
vlan -verbose 
Show more details, e.g. zone and PBR table, for the configured VLAN interfaces.

Options

-num=<n>
Limit display lines to <n> entries in page. (Default: 20)
-page[=<n>]
Set page <n> for lines to display. (Default: 1)
-verbose
Show more details, e.g. zone and PBR table, for the configured VLAN interfaces.
<Interface>
Display VLAN information about this interface.

2.2.95. zonedefense

Zonedefense.

Description

Block/unblock IP addresses/net and ethernet addresses.

Usage

zonedefense [-save] [-blockip=<ip address>]
            [-blockenet=<ethernet address>] [-eraseip=<ip address>]
            [-eraseenet=<ethernet address>] [-status] [-show] 

Options

-blockenet=<ethernet address>
Block the specified ethernet address. (Admin only)
-blockip=<ip address>
Block the specified IP address/net. (Admin only)
-eraseenet=<ethernet address>
Unblock the specified ethernet address.
-eraseip=<ip address>
Unblock the specified IP address/net.
-save
Save the current zonedefense state on all switches.
-show
Show the current block database.
-status
Show the current status of the zonedefense state machine.