2.2. Runtime

2.2.1. appcontrol

Show application control status.

Description

View general information about the Application Control system or browse the Application Control database.

Usage

appcontrol 
Show general information about application control system.
appcontrol -show-applications [-name=<String>] [-family=<String>]
           [-risk={VERY_LOW | LOW | MEDIUM | HIGH | VERY_HIGH}]
           [-tag=<String>] [-num={ALL | <n>}] [-verbose] 
Show information about supported applications.

Options

-family=<String>
Application family.
-name=<String>
Application name (wildcards allowed).
-num={ALL | <n>}
Limit display to <n> applications. (Default: 20)
-risk={VERY_LOW | LOW | MEDIUM | HIGH | VERY_HIGH}
Application risk level.
-show-applications
Shows applications matching certain criteria.
-tag=<String>
Application tag.
-verbose
Verbose (more information).

2.2.2. arp

Show ARP entries for given interface.

Description

List the ARP cache entries of specified interfaces.

If no interface is given the ARP cache entries of all interfaces will be presented.

The presented list can be filtered using the ip and hw options.

Usage

arp 
Show all ARP entries.
arp -show [<interface>] [-ip=<pattern>] [-hw=<pattern>] [-num=<n>]
    [-all] 
Show ARP entries.
arp -flush [<interface>] 
Flush ARP cache of specified interface.
arp -notify=<ip> <interface> [-hwsender=<String>] 
Send gratuitous ARP for IP.

Options

-all
Show all ARP entries.
-flush
Flush ARP cache of all specified interfaces. (Admin only)
-hw=<pattern>
Show only hardware addresses matching pattern.
-hwsender=<String>
Sender ethernet address.
-ip=<pattern>
Show only IP addresses matching pattern.
-notify=<ip>
Send gratuitous ARP for <ip>.
-num=<n>
Show only the first <n> entries per interface. (Default: 20)
-show
Show ARP entries for given interface(s).
<interface>
Interface name.

2.2.3. arpsnoop

Toggle snooping and displaying of ARP requests.

Description

Toggle snooping and displaying of ARP queries and responses on-screen.

Aborting the arpsnoop command can be done by calling 'arpsnoop none' or by pressing CTRL-C. Using CTRL-C will also terminate all other running CLI commands.

Usage

arpsnoop 
Show snooped interfaces.
arpsnoop {ALL | NONE | <interface>} [-verbose] 
Snoop specified interface.

Options

-verbose
Verbose.
{ALL | NONE | <interface>}
Interface name.

2.2.4. authentication

User authentication information.

Description

Show currently logged-on users and other information. Also allows logged-on users to be forcibly logged out.

Usage

authentication 
List logged in users.
authentication -num=<Integer> 
List logged in users.
authentication -all 
List all logged in users.
authentication -show <Integer> 
Show user details.
authentication -profile [<User Authentication Profile>] 
Show authentication profiles.
authentication -logout_id <Integer> 
Logout user via user ID.
authentication -logout_src <IP> <Interface>
               <User Authentication Profile> 
Logout user via source IP.
authentication -logout_name <username>
               <User Authentication Profile> 
Logout all users matching username in the profile.
authentication -privilege 
Show currently known privileges.

Options

-all
List all users.
-logout_id
Logout user. (Admin only)
-logout_name
Logout user. (Admin only)
-logout_src
Logout user. (Admin only)
-num=<Integer>
Number of users to show.
-privilege
Show privileges.
-profile
Find authentication profile.
-show
Show user information.
<Integer>
User ID.
<Interface>
Receiving Interface. (Default: any)
<IP>
Source IP.
<User Authentication Profile>
Authentication Profile.
<username>
Username.

2.2.5. bgp

BGP monitoring/control commands.

Description

Display information about BGP.

Usage

bgp 
Show summary for BGP process.
bgp -neighbors [-neighbor=<neighbor>] [-prefixes-advertised]
    [-prefixes-received] 
Show neighbor information.
bgp -snoop={ON | OFF} [-category={ALL | BGP-ALL | BFD-ALL |
    ROUTE-ALL | BGP-UPD | ROUTE-ADD | ROUTE-MOD | ROUTE-DEL}]
    [-level=<0...7>] 
Enable/disable BGP snooping.
bgp -execute={RESTART-FULL | NEIGHBOR-RECONNECT}
    [-neighbor=<neighbor>] 
Execute operation.
bgp -prefixes [-num={ALL | <n>}] [-ipv6] [-network=<network>]
    [-routemap=<routemap>] [-aspath=<AS path>] 
Show prefixes.
bgp -techsupport 
Show internal technical support information.
bgp -bfd [-verbose] 
Show BFD overview.

Options

-aspath=<AS path>
Display prefixes matching the AS path regular expression.
-bfd
Show BFD overview.
-category={ALL | BGP-ALL | BFD-ALL | ROUTE-ALL | BGP-UPD | ROUTE-ADD | ROUTE-MOD | ROUTE-DEL}
Snooping categories.
-execute={RESTART-FULL | NEIGHBOR-RECONNECT}
Execute command. (Admin only)
-ipv6
IPv6.
-level=<0...7>
Snooping level (higher number equals more details).
-neighbor=<neighbor>
Display the specified neighbor only.
-neighbors
Show neighbors.
-network=<network>
Display prefixes covering the specified network.
-num={ALL | <n>}
Limit display to <n> entries. (Default: 100)
-prefixes
Show received/announced prefixes.
-prefixes-advertised
Lists prefixes advertised to neighbor.
-prefixes-received
Lists prefixes received from neighbor.
-routemap=<routemap>
Display prefixes matching the specified route-map.
-snoop={ON | OFF}
Control BGP snoop debugging.
-techsupport
Show internal technical support information.
-verbose
Verbose data.

2.2.6. blacklist

Block and unblock hosts.

Description

Block and unblock specific hosts for specific source interface(s).

If no option is chosen both blacklist and whitelist entries will be presented.

The presented list can be filtered using the show option, specifying whether blacklist, whitelist or both of the lists need to be displayed.

Usage

blacklist 
Show both blacklist and whitelist entries.
blacklist -show={BLACKLIST | WHITELIST | ALL} [-num=<number>] 
Show either blacklist, whitelist or both.
blacklist -add -srciface=<Interface> -srcip=<ip address>
          [-destip=<ip address>] [-port=<port range>] [-proto={ICMP
          | IGMP | TCP | UDP | GRE | ESP | AH | ICMPV6 | OSPF | MTP
          | L2TP | SCTP | ALL | <0...256>}] [-timeout=<number>] 
Add a blacklist entry.
blacklist -remove [-all] [-srciface=<Interface>]
          [-srcip=<ip address>] [-destip=<ip address>]
          [-port=<port range>] [-proto={ICMP | IGMP | TCP | UDP |
          GRE | ESP | AH | ICMPV6 | OSPF | MTP | L2TP | SCTP | ALL
          | <0...256>}] 
Remove a blacklist entry.
blacklist -lookup [-srciface=<Interface>] [-srcip=<ip address>]
          [-destip=<ip address>] [-port=<port range>]
          [-num=<number>] 
Lookup blacklisted entries.

Options

-add
Add blacklisted entry. (Admin only)
-all
Remove all blacklisted entries. (Admin only)
-destip=<ip address>
Destination IP address to block/unblock.
-lookup
Lookup blacklisted entries.
-num=<number>
Limit output to <n> entries. (Default: 10)
-port=<port range>
Destination port range to block/unblock. The option can only be set when 'proto' option is set to 'ICMP', 'SCTP', 'TCP' or 'UDP'.
-proto={ICMP | IGMP | TCP | UDP | GRE | ESP | AH | ICMPV6 | OSPF | MTP | L2TP | SCTP | ALL | <0...256>}
Protocol to block/unblock.
-remove
Remove entry from blacklist. (Admin only)
-show={BLACKLIST | WHITELIST | ALL}
Show either blacklist, whitelist or both.
-srciface=<Interface>
Source Interface to block/unblock.
-srcip=<ip address>
Source IP address to block/unblock.
-timeout=<number>
Time in seconds that the host will remain blocked. (Default: 0)
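
The following is an added example, not part of the original reference: a Python helper that an automation script could use to build a blacklist -add line from untrusted fields (for instance the source address in an alert) while enforcing the syntax rules documented above. The function name, the interface-name character set, the "N" or "N-M" port-range form and the sample values are assumptions.

```python
import ipaddress
import re

# Keywords accepted by -proto, copied from the usage text above.
PROTO_NAMES = {"ICMP", "IGMP", "TCP", "UDP", "GRE", "ESP", "AH", "ICMPV6",
               "OSPF", "MTP", "L2TP", "SCTP", "ALL"}
# The reference allows -port only together with these protocols.
PORT_PROTOS = {"ICMP", "SCTP", "TCP", "UDP"}
# Assumption: interface names use only these characters.
IFACE_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
# Assumption: a port range is written as "N" or "N-M".
PORT_RE = re.compile(r"([0-9]{1,5})(?:-([0-9]{1,5}))?")


def _ip(value, label):
    """Return the canonical text form of one IP address or raise ValueError."""
    text = str(value)
    try:
        if "%" in text:  # IPv6 zone ids may carry arbitrary text, so refuse them
            raise ValueError
        return str(ipaddress.ip_address(text))
    except ValueError:
        raise ValueError(f"{label}: not a plain IP address: {value!r}") from None


def _proto(value):
    """Normalise a -proto value: a listed keyword or a number in 0...256."""
    text = str(value).upper()
    if text in PROTO_NAMES:
        return text
    if text.isascii() and text.isdigit() and int(text) <= 256:
        return str(int(text))
    raise ValueError(f"proto: unsupported value {value!r}")


def _port(value, proto):
    """Validate a port range and the protocol restriction that goes with it."""
    if proto not in PORT_PROTOS:
        raise ValueError("port: only valid with proto ICMP, SCTP, TCP or UDP")
    match = PORT_RE.fullmatch(str(value))
    if not match:
        raise ValueError(f"port: bad range {value!r}")
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) else low
    if not low <= high <= 65535:
        raise ValueError(f"port: bad range {value!r}")
    return str(low) if low == high else f"{low}-{high}"


def build_blacklist_add(srciface, srcip, destip=None, port=None,
                        proto=None, timeout=None):
    """Build one 'blacklist -add' line; raise ValueError on any bad field."""
    if not IFACE_RE.fullmatch(str(srciface)):
        raise ValueError(f"srciface: bad interface name {srciface!r}")
    parts = ["blacklist", "-add", f"-srciface={srciface}",
             f"-srcip={_ip(srcip, 'srcip')}"]
    if destip is not None:
        parts.append(f"-destip={_ip(destip, 'destip')}")
    norm_proto = _proto(proto) if proto is not None else None
    if port is not None:
        parts.append(f"-port={_port(port, norm_proto)}")
    if norm_proto is not None:
        parts.append(f"-proto={norm_proto}")
    if timeout is not None:
        if isinstance(timeout, bool) or not isinstance(timeout, int) or timeout < 0:
            raise ValueError(f"timeout: need a non-negative integer: {timeout!r}")
        parts.append(f"-timeout={timeout}")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample alerts (documentation address ranges, made-up interface).
    alerts = [
        {"srciface": "wan", "srcip": "203.0.113.45", "port": "22",
         "proto": "tcp", "timeout": 3600},
        {"srciface": "wan", "srcip": "203.0.113.45 -all"},      # extra option text
        {"srciface": "wan", "srcip": "198.51.100.7", "port": "80",
         "proto": "GRE"},                                       # port with GRE
    ]
    for alert in alerts:
        try:
            print(build_blacklist_add(**alert))
        except ValueError as err:
            print(f"rejected: {err}")
```
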

2.2.7. cryptostat

Show information about cryptographic operations.

Description

Show information about cryptographic devices and cryptographic operations.

Usage

cryptostat 
Show status of available crypto devices.
cryptostat -show [-status] [-verbose] [-poll] [-session] 
Show selected information.

Options

-poll
Show statistics related to polling crypto devices.
-session
Show statistics related to crypto device sessions.
-show
Show specified information.
-status
Show status of available crypto devices.
-verbose
Show detailed information.

2.2.8. dhcpclient

DHCP Client commands.

Description

Show interfaces using DHCP client and various information about leases.

Usage

dhcpclient 
Show DHCP Client active interfaces if no option is supplied.
dhcpclient -list 
Show DHCP Client active interfaces.
dhcpclient <interface> 
Show DHCP Client interface information.
dhcpclient -renew <interface> 
Renew lease on an interface manually.
dhcpclient -release <interface> 
Release lease on an interface that is no longer needed.
dhcpclient -snoop={ON | OFF} <interface> [-verbose] 
Enable/Disable DHCP snoop on an interface.

Options

-list
Show enabled interfaces.
-release
Release lease on an interface that is no longer needed.
-renew
Renew lease on an interface manually.
-snoop={ON | OFF}
Show troubleshooting messages on the DHCP negotiation.
-verbose
Show extended snoop output.
<interface>
Interface.

2.2.9. dhcpserver

DHCP Server commands.

Description

Show the content of the DHCP server ruleset and various information about leases and mappings.

Usage

dhcpserver 
Show all DHCP Server active leases if no option is supplied.
dhcpserver -rule=<DHCP Server Rule> [-num=<Integer>]
           [-fromentry=<Integer>] [-blacklist] 
Show DHCP Server active leases.
dhcpserver -information 
Show DHCP Server general information.
dhcpserver -statistics 
Show DHCP Server statistics.
dhcpserver -rules 
Show DHCP Server Rules.
dhcpserver -mappings [-rule=<DHCP Server Rule>] [-ip=<IP address>]
           [-num=<Integer>] [-fromentry=<Integer>] 
Show DHCP Server mappings.
dhcpserver -blacklist [-rule=<DHCP Server Rule>] [-ip=<IP address>]
           [-num=<Integer>] [-fromentry=<Integer>] 
Show DHCP Server blacklisted addresses.
dhcpserver -leases [-rule=<DHCP Server Rule>] [-ip=<IP address>]
           [-interface=<interface>] [-num=<Integer>]
           [-fromentry=<Integer>] 
Show DHCP Server active leases.
dhcpserver -releaseblacklist [-rule=<DHCP Server Rule>]
           [-ip=<IP address>] 
Release one or all blacklisted addresses.
dhcpserver -releasemappings [-rule=<DHCP Server Rule>]
           [-interface=<interface>] [-ip=<IP address>] 
Release one or all address mappings.
dhcpserver -snoop={ON | OFF} [-rule=<DHCP Server Rule>] 
Snoop specified DHCP Server Rule.

Options

-blacklist
Show DHCP server blacklisted addresses per rule.
-fromentry=<Integer>
Shows DHCP Server lease list from offset <n>. (Default: 1)
-information
Show DHCP server general information.
-interface=<interface>
Interface.
-ip=<IP address>
IP address.
-leases
Show DHCP server leases.
-mappings
Show DHCP server IP mappings.
-num=<Integer>
Limit list to <n> leases. (Default: 20)
-releaseblacklist
Release one or all blacklisted addresses per rule. (Admin only)
-releasemappings
Release one or all address mappings per rule. (Admin only)
-rule=<DHCP Server Rule>
Specify DHCP Server Rule with the name <n>. All rules will be included if this option is not set.
-rules
Show DHCP server rules.
-snoop={ON | OFF}
Show troubleshooting messages on the DHCP Server Rule.
-statistics
Show DHCP server statistics.

2.2.10. dns

DNS client and queries.

Description

Display information about the DNS client and perform name server lookups.

Usage

dns 
Display contents of cache.
dns -list [<String>] [-num={ALL | <n>}] 
List specific entries from cache. Wildcards can be used, e.g. "*.com".
dns <String> [-type={A | AAAA | PTR}] [-num={ALL | <n>}] 
Do a lookup. If the type is not specified, "PTR" is used for IP addresses and otherwise "A" is used.
dns -flush [<String>] 
Remove cache entries. It is possible to specify an IP address or a domain name. Wildcards can be used, e.g. "*.com".

Options

-flush
Remove cache entries. (Admin only)
-list
List cache entries.
-num={ALL | <n>}
Limit display to <n> entries. (Default: 20)
-type={A | AAAA | PTR}
Query type.
<String>
Name.

2.2.11. dnsalg

Displays the state of the DNS ALG.

Description

Displays DNS ALG runtime information.

Usage

dnsalg 
Show DNS sessions handled by the ALG.
dnsalg -show [-num={ALL | <n>}] [-profile=<DNS ALG Profile>]
       [-srciface=<Interface>] [-destiface=<Interface>]
       [-ip=<IP range>] [-clientip=<IP range>]
       [-serverip=<IP range>] 
Show DNS sessions handled by the ALG.
dnsalg -close [-all] [-session=<Integer>]
       [-profile=<DNS ALG Profile>] [-srciface=<Interface>]
       [-destiface=<Interface>] [-ip=<IP range>]
       [-clientip=<IP range>] [-serverip=<IP range>] 
Close active DNS sessions.
dnsalg -snoop={ON | OFF} [-profile=<DNS ALG Profile>]
       [-srciface=<Interface>] [-destiface=<Interface>]
       [-ip=<IP range>] [-clientip=<IP range>]
       [-serverip=<IP range>] 
Enable/disable snooping on the DNS ALG.

Options

-all
All DNS sessions.
-clientip=<IP range>
Match client IP address.
-close
Close DNS sessions.
-destiface=<Interface>
Filter on destination interface.
-ip=<IP range>
Match client or server IP address.
-num={ALL | <n>}
Limit display to <n> entries. (Default: 20)
-profile=<DNS ALG Profile>
Profile to snoop on.
-serverip=<IP range>
Match server IP address.
-session=<Integer>
DNS session ID.
-show
Show DNS sessions handled by the ALG.
-snoop={ON | OFF}
Enable/Disable snooping on the DNS ALG.
-srciface=<Interface>
Filter on source interface.

2.2.12. flow

List current state-tracked flows.

Description

Display the current state-tracked flows.

Explanation of Flags field in verbose output

T
Tag Flow - Flow has 'tag' set
g
Agnostic Flow - Flow is forwarding traffic independently of the HA state
P
HA Private Flow - Flow is not synchronized to its HA peer since it is local to this node
R
Reject Flow - Flow is a reject flow and will not forward any traffic
!
Defunct Flow - Flow is broken; something (usually ARP/NDP resolve) went wrong and the flow is silently dropping packets
?
Optimistic Flow - Flow is being forwarded to the last known destination, though the last update had some minor issues (typically ARP/NDP failed to resolve)
*
Maintenance - Flow is in maintenance mode; packets will be buffered until maintenance is done
A
ARP/NDP resolve in progress - Flow is currently trying to resolve the HW destination using ARP/NDP
Z
Zombie - Flow is closed and awaits being removed; it cannot be used to forward any packets
O
AppControl - Flow is classified and offloaded from the appcontrol engine

Usage

flow -show [-num=<n>] [-verbose] [-usage] [-compact] [-mtu]
     [-pipechain] [-pipe=<Pipe>] [-srciface=<Interface>]
     [-destiface=<Interface>] [-protocol={TCP | UDP | ICMP | ICMPV6
     | IGMP | GRE | ESP | SCTP | <name/num>}] [-srcport=<port>]
     [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>]
     [-sequence] [-sequence-info] [-rules] [-tagged] [-untagged]
     [-idle] [-ha] [-hastate={NOTSYNCED | SYNCING | SYNCED |
     SYNCFAILED | DONTSYNC}] [-disable-progress-updates] [-app]
     [-appfilter=<String>] [-state] 
List flows.
flow 
Same as "flow -show".
flow -close [-all] [-pipe=<Pipe>] [-srciface=<Interface>]
     [-destiface=<Interface>] [-protocol={TCP | UDP | ICMP | ICMPV6
     | IGMP | GRE | ESP | SCTP | <name/num>}] [-srcport=<port>]
     [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>]
     [-deepflush] [-tagged] [-untagged] [-idle]
     [-hastate={NOTSYNCED | SYNCING | SYNCED | SYNCFAILED |
     DONTSYNC}] [-disable-progress-updates] [-appfilter=<String>] 
Close flows.
flow -tag [-all] [-pipe=<Pipe>] [-srciface=<Interface>]
     [-destiface=<Interface>] [-protocol={TCP | UDP | ICMP | ICMPV6
     | IGMP | GRE | ESP | SCTP | <name/num>}] [-srcport=<port>]
     [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>]
     [-idle] [-disable-progress-updates] [-appfilter=<String>] 
Tag flows.
flow -untag [-all] [-pipe=<Pipe>] [-srciface=<Interface>]
     [-destiface=<Interface>] [-protocol={TCP | UDP | ICMP | ICMPV6
     | IGMP | GRE | ESP | SCTP | <name/num>}] [-srcport=<port>]
     [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>]
     [-idle] [-disable-progress-updates] [-appfilter=<String>] 
Untag flows.
flow -retag [-all] [-pipe=<Pipe>] [-srciface=<Interface>]
     [-destiface=<Interface>] [-protocol={TCP | UDP | ICMP | ICMPV6
     | IGMP | GRE | ESP | SCTP | <name/num>}] [-srcport=<port>]
     [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>]
     [-idle] [-disable-progress-updates] [-appfilter=<String>] 
Invert tag on flows.
flow -hainfo 
Show troubleshooting information for flow HA synchronization.

Options

-all
Mark all flows.
-app
Show the application using the flow. If -verbose is specified the whole application path is shown.
-appfilter=<String>
Show only flows matching a given application pattern.
-close
Close all flows that match the filter expression. (Admin only)
-compact
Show reduced version of the table. If -verbose is specified the values are separated for each flow direction.
-deepflush
Removes any flow setup optimization states. (Admin only)
-destiface=<Interface>
Filter on destination interface.
-destip=<ip addr>
Filter on destination IP address.
-destport=<port>
Show only given destination TCP/UDP port.
-disable-progress-updates
Prevents the command from showing its progress, even if the command takes a long time to complete. Can be helpful if the output is to be automatically processed.
-ha
Include HA information about the displayed flows.
-hainfo
Show troubleshooting information for flow HA synchronization.
-hastate={NOTSYNCED | SYNCING | SYNCED | SYNCFAILED | DONTSYNC}
Filter on HA state.
-idle
Filter on idle flows. (Advanced view)
-mtu
Show path MTU used by the flow. If -verbose is specified the values are separated for each flow direction.
-num=<n>
Limit list to <n> flows. (Default: 20)
-pipe=<Pipe>
Filter on pipe object.
-pipechain
Show pipe chain used by flow.
-protocol={TCP | UDP | ICMP | ICMPV6 | IGMP | GRE | ESP | SCTP | <name/num>}
Show only given IP protocol.
-retag
Invert tag on flows matching filter. (Advanced view)
-rules
Show rules associated with each flow. (Admin only)
-sequence
Show PMU sequence. (Admin only)
-sequence-info
Show PMU sequence with extended information from the PMUs. (Admin only)
-show
Show flows.
-srciface=<Interface>
Filter on source interface.
-srcip=<ip addr>
Filter on source IP address.
-srcport=<port>
Show only given source TCP/UDP port.
-state
Show the state of the flow instead of the protocol. For flows with no particular state the protocol will be shown as state.
-tag
Set tag on flows matching filter. (Advanced view)
-tagged
Filter on flows with tag set. (Advanced view)
-untag
Clear tag on flows matching filter. (Advanced view)
-untagged
Filter on flows with tag unset. (Advanced view)
-usage
Show flow usage statistics. If -verbose is specified the values are separated for each flow direction.
-verbose
Verbose (more information).

2.2.13. ftpalg

Show the state of the FTP ALG.

Description

Show runtime information about the FTP ALG.

Usage

ftpalg 
Show FTP sessions handled by the ALG.
ftpalg -show [-num={ALL | <n>}] [-profile=<FTP ALG Profile>]
       [-srciface=<Interface>] [-destiface=<Interface>]
       [-ip=<IP range>] [-clientip=<IP range>]
       [-serverip=<IP range>] 
Show FTP sessions handled by the ALG.
ftpalg -close [-all] [-session=<Integer>]
       [-profile=<FTP ALG Profile>] [-srciface=<Interface>]
       [-destiface=<Interface>] [-ip=<IP range>]
       [-clientip=<IP range>] [-serverip=<IP range>] 
Close active FTP sessions.
ftpalg -snoop={ON | OFF} [-profile=<FTP ALG Profile>]
       [-srciface=<Interface>] [-destiface=<Interface>]
       [-ip=<IP range>] [-clientip=<IP range>]
       [-serverip=<IP range>] 
Enable/disable snooping on the FTP ALG.

Options

-all
All FTP sessions.
-clientip=<IP range>
Match client IP address.
-close
Close FTP sessions.
-destiface=<Interface>
Filter on destination interface.
-ip=<IP range>
Match client or server IP address.
-num={ALL | <n>}
Limit display to <n> entries. (Default: 20)
-profile=<FTP ALG Profile>
Profile to snoop on.
-serverip=<IP range>
Match server IP address.
-session=<Integer>
FTP session ID.
-show
Show FTP sessions handled by the ALG.
-snoop={ON | OFF}
Enable/Disable snooping on the FTP ALG.
-srciface=<Interface>
Filter on source interface.

2.2.14. geoip

Display IP geolocation related information.

Description

Display information about the system's IP geolocation databases and perform lookup of the geographical locations associated with given IP addresses.

Usage

geoip 
Display status of geolocation databases.
geoip -activate=<String> 
Activate a geolocation database file.
geoip -lookup=<IP> 
Get geographical information for a set of IP addresses.
geoip -remove=<String> 
Remove geolocation database files from storage.
geoip -status 
Display status of geolocation databases.

Options

-activate=<String>
Activate a geolocation database file. (Advanced view; Matching: *.bin)
-lookup=<IP>
Get geographical information for a set of IP addresses.
-remove=<String>
Remove geolocation database files from storage. (Advanced view; Matching: *.bin)
-status
Display status of geolocation databases.

2.2.15. gtp

Shows info about GTP such as PDP contexts, GGSN connections or other related information.

Description

The GTP command shows information about PDP contexts or GGSN connections currently instantiated with the GTP.

Usage

gtp 
List PDP contexts for all GTP interfaces.
gtp -ggsn [-iface=<GTPTunnel>] [-num={ALL | <Integer>}]
    [-localip=<IPAddress>] [-ggsnip=<IPAddress>] 
List active GGSN connections.
gtp -listen [-localip=<IPAddress>] [-ggsnip=<IPAddress>] 
List listening GGSN connections.
gtp -pdp [-iface=<GTPTunnel>] [-verbose] [-num={ALL | <Integer>}]
    [-localendpoint=<IPAddress>] [-enduseraddress=<IPAddress>]
    [-remoteendpoint=<IPAddress>] 
List PDP contexts.

Options

-enduseraddress=<IPAddress>
Filter on end user address.
-ggsn
List active GGSN connections.
-ggsnip=<IPAddress>
Filter on GGSN IP.
-iface=<GTPTunnel>
Filter on GTP interface.
-listen
List listening GGSN connections.
-localendpoint=<IPAddress>
Filter on local endpoint.
-localip=<IPAddress>
Filter on local IP.
-num={ALL | <Integer>}
Maximum number of entries to show. (Default: 40)
-pdp
List PDP contexts.
-remoteendpoint=<IPAddress>
Filter on remote endpoint.
-verbose
Verbose information.

2.2.16. gtpinspection

Displays the state of GTP inspection.

Description

Display runtime information about GTP Inspection.

Usage

gtpinspection 
Show GTP-C/GTP-U sessions handled by GTP Inspection.
gtpinspection -show={BRIEF | FULL} [-control] [-user] [-num={ALL |
              <n>}] [-version={GTPV1 | GTPV2}]
              [-profile=<GTP Inspection Profile>]
              [-origiface=<Interface>] [-termiface=<Interface>]
              [-origip=<IP range>] [-termip=<IP range>]
              [-origteid=<Integer>] [-termteid=<Integer>]
              [-imsi=<String>] [-msisdn=<String>] [-eua=<IP range>]
              [-imei=<String>] [-apn=<String>] [-session=<Integer>]
              [-state={PENDING | ESTABLISHED | BOTH}] 
Show GTP-C/GTP-U sessions handled by GTP Inspection.
gtpinspection -close [-control] [-user] [-version={GTPV1 | GTPV2}]
              [-profile=<GTP Inspection Profile>]
              [-origiface=<Interface>] [-termiface=<Interface>]
              [-origip=<IP range>] [-termip=<IP range>]
              [-origteid=<Integer>] [-termteid=<Integer>]
              [-imsi=<String>] [-msisdn=<String>] [-eua=<IP range>]
              [-imei=<String>] [-apn=<String>] [-session=<Integer>]
              [-all] [-state={PENDING | ESTABLISHED | BOTH}] 
Close active GTP-C/GTP-U sessions.
gtpinspection -snoop={FULL | BRIEF | OFF}
              [-profile=<GTP Inspection Profile>]
              [-origiface=<Interface>] [-origip=<IP range>]
              [-termip=<IP range>] 
Enable/Disable GTP message snooping.

Options

-all
All GTP sessions.
-apn=<String>
Match the APN.
-close
Close GTP Sessions.
-control
Match control plane (GTP-C) sessions.
-eua=<IP range>
Match the end-user address.
-imei=<String>
Match the IMEI.
-imsi=<String>
Match the IMSI.
-msisdn=<String>
Match the MSISDN.
-num={ALL | <n>}
Limit display to <n> entries. (Default: 20)
-origiface=<Interface>
Filter on originating interface.
-origip=<IP range>
Match originating IP address.
-origteid=<Integer>
Match the originating Tunnel Endpoint Identifier (TEID).
-profile=<GTP Inspection Profile>
Filter on profile.
-session=<Integer>
Match the session id.
-show={BRIEF | FULL}
Show GTP-C/GTP-U sessions handled by GTP Inspection.
-snoop={FULL | BRIEF | OFF}
Enable/Disable GTP message snooping.
-state={PENDING | ESTABLISHED | BOTH}
Match the session state.
-termiface=<Interface>
Filter on terminating interface.
-termip=<IP range>
Match terminating IP address.
-termteid=<Integer>
Match the terminating Tunnel Endpoint Identifier (TEID).
-user
User plane (GTP-U) sessions.
-version={GTPV1 | GTPV2}
Match the GTP-C version.

2.2.17. ha

Control and show status of the HA system.

Description

Control and show status of the HA system.

Usage

ha 
Show the HA status of the system.
ha -status [-module] [-internal] 
Show the HA status of the system.
ha -activate [-force] 
Request that this HA node will become the active one.
ha -deactivate [-force] 
Request that this HA node will become the inactive one.
ha -recvconf [-reboot] [-force] 
Receive configuration from HA peer.
ha -sendconf [-reboot] [-force] 
Send configuration to HA peer.
ha -reboot [-local] [-peer] [-force] 
Reboot local/peer HA node.
ha -compconf 
Compare configuration with HA peer.

Options

-activate
Request that this HA node will become the active one. (Admin only)
-compconf
Executed on any HA node with the purpose of manually comparing the configuration to its HA peer's configuration. (Admin only)
-deactivate
Request that this HA node will become the inactive one. (Admin only)
-force
Force requested behavior.
-internal
Show internal HA status that might be required for technical support.
-local
Local HA node. (Admin only)
-module
Show info about modules using HA.
-peer
Remote HA node. (Admin only)
-reboot
Request that the specified HA node reboots. If used with -sendconf or -recvconf, the node receiving the configuration will reboot and use the new configuration at boot-up. (Admin only)
-recvconf
Executed on any HA node with the purpose of manually synchronizing the configuration from its HA peer. The configuration is downloaded from the peer and activated and committed. (Admin only)
-sendconf
Executed on any HA node with the purpose of manually synchronizing the configuration to its HA peer. The configuration is uploaded to the peer and activated and committed. (Admin only)
-status
Show the HA status of the system.

2.2.18. hwmon

Hardware monitoring command.

Description

Retrieves sensor and sensor monitor information.

Usage

hwmon 
Show brief monitor information.
hwmon -sensorlist 
Show the system sensor list.
hwmon -show [<String>] 
Show specific monitor information.
hwmon -techsupport={DEVICESENSORS | IPMISTATUS} 
Show internal technical support information.

Options

-sensorlist
Show available system sensors.
-show
Show monitor information.
-techsupport={DEVICESENSORS | IPMISTATUS}
Show internal technical support information.
<String>
Shows information on specific monitor.

2.2.19. ifeqv

Show interface equivalence.

Description

Show interface equivalence.

Usage

ifeqv 

2.2.20. ifstat

Check interface status.

Description

Prints out basic information about an interface.

Usage

ifstat 
List all ethernet interfaces.
ifstat -devicescan 
Display the currently available devices in the system.
ifstat -device=<hardware port> [-per-queue-stats] 
Display information (link status, statistics) about a specific hardware port.
ifstat -type={ALL | CORE | NULL | ETHERNET | IPSEC | GRE | GTP |
       VLAN | SSLVPN | LAG | IFACEGROUP | ZONE} [-allindepth]
       [-num={ALL | <Integer>}] 
List interfaces currently configured in the system.
ifstat -allindepth [-type={ALL | CORE | NULL | ETHERNET | IPSEC |
       GRE | GTP | VLAN | SSLVPN | LAG | IFACEGROUP | ZONE}]
       [-num={ALL | <Integer>}] [-per-queue-stats] 
Display detailed information about all interfaces.
ifstat <interface> [-up] [-down] [-per-queue-stats] 
Display detailed interface information.

Options

-allindepth
Show details of all interfaces.
-device=<hardware port>
EthernetDevice name. (Advanced view)
-devicescan
Scan for currently available devices. (Admin only; Advanced view)
-down
Stop the interface (Ethernet interfaces only). (Admin only)
-num={ALL | <Integer>}
Maximum number of entries to show. (Default: 40)
-per-queue-stats
Include hardware statistics per queue (not supported by all Ethernet interface types and might show just zeros).
-type={ALL | CORE | NULL | ETHERNET | IPSEC | GRE | GTP | VLAN | SSLVPN | LAG | IFACEGROUP | ZONE}
Filter interface type. (Default: ethernet)
-up
Start the interface (Ethernet interfaces only). (Admin only)
<interface>
Interface name.

2.2.21. ike

Shows info about IKE SAs or performs connect/delete/rekey operations.

Description

The command gives information about the IKE SAs currently established or in negotiation. It can also be used to initiate a tunnel negotiation, tear down or rekey.

The command can also be used to give a human readable printout of IKE messages passed to/from the IKE daemon.

Usage

ike -show [-tunnel=<IPsecTunnel>] [-id=<Integer>] [-excl]
    [-state={CREATED | CONNECTING | ESTABLISHED | PASSIVE |
    REKEYING | DELETING | DESTROYING}] [-numchild={ALL |
    <Integer>}] [-localendpoint=<IP range>]
    [-remoteendpoint=<IP range>] [-localaddress=<IP range>]
    [-remoteaddress=<IP range>] [-recviface[=<Interface>]]
    [-verbose] [-num={ALL | <Integer>}] [-clone=<Integer Range>]
    [-sort={NONE | ID | NAME | LOCALADDRESS | REMOTEADDRESS |
    LOCALENDPOINT | REMOTEENDPOINT}] [-order={ASC | DESC}] 
Show established IKE SAs.
ike -connect [-tunnel=<IPsecTunnel>] [-id=<Integer>]
    [-clone=<Integer Range>] [-active=<Integer>] 
Initiate an IKE negotiation.
ike -rekey={IKE | IPSEC} [-tunnel=<IPsecTunnel>] [-id=<Integer>]
    [-verbose] [-clone=<Integer Range>] [-active=<Integer>] 
Initiate an IKE rekey.
ike -delete [-tunnel=<IPsecTunnel>] [-id=<Integer>] [-force]
    [-verbose] [-clone=<Integer Range>] 
Delete established IKE SAs.
ike -snoop={BRIEF | FULL | OFF} [-localendpoint=<IP range>]
    [-remoteendpoint=<IP range>] [-recviface[=<Interface>]]
    [-routingtable=<Routing Table>] 
Enable/Disable IKE message snooping.
ike -certshow [-type={ANY | CERT | CRL}] [-verbose]
    [-subject=<String>] [-issuer=<String>] [-strict] [-num={ALL |
    <Integer>}] 
Show certificate cache.
ike -certflush [-type={ANY | CERT | CRL}] 
Flush certificate cache.
ike -ippool [-static] [-tunnel=<IPsecTunnel>] [-num={ALL |
    <Integer>}] 
Show IP pool information.
ike -stat [-jobs] 
Show IKE statistics.
ike 
Same as "ike -show".

Options

-active=<Integer>
Maximum number of active negotiations.
-certflush
Flush certificate cache.
-certshow
Show certificate cache.
-clone=<Integer Range>
Specifies the clone range. (Default: 0)
-connect
Initiate an IKE negotiation. (Admin only)
-delete
Delete an existing IKE SA. (Admin only)
-excl
Exclude IKE SA matching the filter. (Advanced view)
-force
Force deletion without sending notification to peer.
-id=<Integer>
Filter on IKE ID.
-ippool
Show IP pool information.
-issuer=<String>
Filter certificates by issuer.
-jobs
Show the job load on the IKE daemon.
-localaddress=<IP range>
Filter on local address used inside tunnel. (Advanced view)
-localendpoint=<IP range>
Filter on local endpoint.
-num={ALL | <Integer>}
Maximum number of entries to show. (Default: 40)
-numchild={ALL | <Integer>}
Maximum number of IPSec child SA to show (default: 0 in verbose mode, all in normal mode). (Advanced view)
-order={ASC | DESC}
Order to sort entries in. (Default: asc)
-recviface[=<Interface>]
Filter on receive interface. (Default: any)
-rekey={IKE | IPSEC}
Rekey an existing IKE/IPsec SA. (Admin only)
-remoteaddress=<IP range>
Filter on remote address used inside tunnel. (Advanced view)
-remoteendpoint=<IP range>
Filter on remote endpoint.
-routingtable=<Routing Table>
Filter on routing table used for outbound IKE messages. If not specified, routing table membership of the receive interface will be used.
-show
Show all IKE SAs.
-snoop={BRIEF | FULL | OFF}
Enable/Disable IKE message snooping.
-sort={NONE | ID | NAME | LOCALADDRESS | REMOTEADDRESS | LOCALENDPOINT | REMOTEENDPOINT}
Key to sort entries by. (Default: id)
-stat
Show IKE statistics.
-state={CREATED | CONNECTING | ESTABLISHED | PASSIVE | REKEYING | DELETING | DESTROYING}
Restrict operation(s) to IKE SA in given state. (Advanced view)
-static
Show static IP pool information.
-strict
Filter certificates using strict sub part matching.
-subject=<String>
Filter certificates by subject.
-tunnel=<IPsecTunnel>
Filter on tunnel interface.
-type={ANY | CERT | CRL}
Type of certificate.
-verbose
Verbose information.

2.2.22. iostat

Show statistics related to packet input/output.

Description

Show statistics related to packet input/output.

Usage

iostat [-cpu] [-quiet] 

Options

-cpu
Sort output on CPU.
-quiet
Run the command to define the start of a new sampling interval but discard the output.

2.2.23. ips

Intrusion prevention system.

Description

Intrusion Prevention System.

Show the number of signatures in rules, groups or categories. To show individual signatures use -verbose.

The command is also used to activate and remove signature files.

Example 2.8. Show individual signatures in category IPS_WEB_*, limiting output to 40 signatures.

ips -show=category ips_web_* -verbose -num=40

Usage

ips -num=<number> 
Show signatures by rule.
ips -show=rule [<Rule>] [-verbose] [-num=<number>] 
Show signatures by rule.
ips -show=signature <Signature ID> 
Show signature by ID.
ips -show=category [<Category>] [-verbose] [-num=<number>] 
Show signatures by category.
ips -show=group [<Group>] [-verbose] [-num=<number>] 
Show signatures by group.
ips -show=file 
Show signatures by file.
ips -activate <Filename> 
Activate IPS signature file.
ips -remove <Filename> 
Remove active IPS signature file from media.
ips -show=filewarnings [<Filename>] [-num=<number>] 
Show errors found while parsing signature files.

Options

-activate
Activate IPS signature file.
-num=<number>
Limit output to <number> entries. (Default: 20)
-remove
Remove an active IPS signature file from the media.
-show={RULE | SIGNATURE | CATEGORY | GROUP | FILEWARNINGS | FILE}
Show signatures by rule, group, category or signature id.
-verbose
Show extended output, i.e. individual signatures.
<Category>
Signature Category (wildcards * and ? allowed).
<Filename>
IPS signature file (not yet activated).
<Filename>
IPS signature file (activated).
<Group>
Signature Group name.
<Rule>
IPS rule name.
<Signature ID>
IPS Signature ID.

2.2.24. ipsec

Show SAD/SPD.

Description

Show information about entries in the Security Association Database (SAD) as well as in the Security Policy Database (SPD).

Usage

ipsec -show={SAD | SPD | TUNNELS} [-verbose]
      [-tunnel=<IPsecTunnel>] [-localendpoint=<IP range>]
      [-remoteendpoint=<IP range>] [-localaddress=<IP range>]
      [-remoteaddress=<IP range>] [-excl] [-spi=<Integer>]
      [-num[=<Integer>]] 
Show IPsec SAD/SPD/Tunnels.
ipsec -verbose [-localendpoint=<IP range>]
      [-remoteendpoint=<IP range>] [-localaddress=<IP range>]
      [-remoteaddress=<IP range>] [-excl] [-spi=<Integer>]
      [-num[=<Integer>]] 
Same as "ipsec -show=tunnels -verbose".
ipsec 
Same as "ipsec -show=tunnels".

Options

-excl
Exclude tunnels matching the filter. (Advanced view)
-localaddress=<IP range>
Filter on local address inside tunnel. (Advanced view)
-localendpoint=<IP range>
Filter on local endpoint.
-num[=<Integer>]
Maximum number of entries to show. (Default: 40)
-remoteaddress=<IP range>
Filter on remote address inside tunnel. (Advanced view)
-remoteendpoint=<IP range>
Filter on remote endpoint.
-show={SAD | SPD | TUNNELS}
Show IPsec SAD/SPD.
-spi=<Integer>
Filter on SPI.
-tunnel=<IPsecTunnel>
Filter on tunnel interface.
-verbose
Verbose information.

2.2.25. ipsectunnels

Lists the current IPsec configuration.

Description

Lists the current IPsec configuration.

Usage

ipsectunnels -iface=<recv iface> 
Show specific interface.
ipsectunnels -num={ALL | <Integer>} 
Show specific number of interfaces.
ipsectunnels 
Show interfaces.

Options

-iface=<recv iface>
IPsec interface to show information about.
-num={ALL | <Integer>}
Maximum number of entries to show. (Default: 40)

2.2.26. lcdctrl

Debug functionality for LCD.

Description

LCD controller

Usage

lcdctrl 
...
lcdctrl -text [<String>] 
Write text to LCD display.
lcdctrl -clear 
Clear LCD display.
lcdctrl -backlight={OFF | ON} 
Set state of LCD back light.
lcdctrl -statusled={OFF | ON | BLUE/GREEN | RED | BLINK |
        BLINK-GREEN-OFF | BLINK-RED-OFF | BLINK-RED-GREEN} 
Set state of the status LED.
lcdctrl -goto [-x=<X>] [-y=<Y>] 
Move cursor on LCD display.
lcdctrl -up 
Simulate up from the keypad.
lcdctrl -down 
Simulate down from the keypad.
lcdctrl -left 
Simulate left from the keypad.
lcdctrl -right 
Simulate right from the keypad.

Options

-backlight={OFF | ON}
Set state of LCD back light.
-clear
Clear LCD display.
-down
Simulate down from the keypad.
-goto
Move cursor on LCD display.
-left
Simulate left from the keypad.
-right
Simulate right from the keypad.
-statusled={OFF | ON | BLUE/GREEN | RED | BLINK | BLINK-GREEN-OFF | BLINK-RED-OFF | BLINK-RED-GREEN}
Set state of the status LED.
-text
Write text to LCD display.
-up
Simulate up from the keypad.
-x=<X>
X-coordinate.
-y=<Y>
Y-coordinate.
<String>
Text.

2.2.27. memory

Memory.

Description

Show memory consumption.

Usage

memory -unit={KB | MB | GB} 
Show memory usage.
memory -limit=<Integer> 
Show only categories with memory usage above specified limit.
memory -verbose [-detailed] [-limit=<Integer>] [-unit={KB | MB |
       GB}] 
Show memory usage.
memory -proc 
Show memory usage for all categories.

Options

-detailed
Include extra information in the output.
-limit=<Integer>
Show only categories with memory usage above this limit in KB. (Default: 10)
-proc
Show memory usage per process.
-unit={KB | MB | GB}
Memory unit.
-verbose
Show memory usage per main category.

2.2.28. natpool

Show NAT Pool runtime information.

Description

The natpool CLI command may be used for inspecting the status of the IP address usage of NAT Pools.

Example 2.9. Review NAT Pool mynatpool

Device:/> natpool mynatpool

Example 2.10. Retrieve extended NAT Pool info (deterministic NAT Pool)

Device:/> natpool mydetnatpool -verbose
(will show an extended summary of the NAT Pool configured blocks.)
(for more detailed information use the -externalip or the -internalip options)

Example 2.11. Retrieve extended NAT Pool info for a specific translation IP

Device:/> natpool mynatpool -externalip=111.111.111.111
(the output info depends on NAT Pool type)
(for deterministic NAT will show all blocks assigned to the IP)

Example 2.12. Retrieve extended NAT Pool info for a specific internal IP (deterministic NAT Pool)

Device:/> natpool mynatpool -internalip=111.111.111.111
(will show all blocks the internal ip is using)

Example 2.13. Backward mapping for one IP (deterministic NAT Pool)

Device:/> natpool -reverse mydetnatpool -externalip=111.111.111.111 
          -externalport=12345
(the output info depends on mydetnatpool configured parameters)

Usage

natpool <pool name> [-verbose] [-internalip=<IP>]
        [-externalip=<IP>] [-num=<n>] 
Shows information on a specific NAT Pool IP.
natpool -reverse <pool name> [-externalip=<IP>]
        [-externalport=<port number>] 
Reverse maps from external IP and port to internal IP. Usable only for deterministic NAT Pools.
natpool 
Shows a summary for all configured NAT Pools.

Options

-externalip=<IP>
External (translated) IP.
-externalport=<port number>
Deterministic reverse mapping. External port to map from.
-internalip=<IP>
Internal IP.
-num=<n>
Limit list to <n> entries. (Default: 20)
-reverse
Performs a reverse map based on the deterministic NAT Pool parameters.
-verbose
Show extended information on deterministic NAT Pool.
<pool name>
NAT Pool name.

2.2.29. ndp

Show ND entries for given interface.

Description

List the ND cache entries of specified interfaces.

If no interface is given the ND cache entries of all interfaces will be presented.

The presented list can be filtered using the ip and hw options.

Usage

ndp 
Same as 'ndp -show -type=Neighbor'.
ndp -show [<interface>] [-iprange=<IP range>] [-num=<n>]
    [-type={NEIGHBOR | ROUTER | DNSSERVER}] [-state={ALL | DYNAMIC
    | NORMAL | STALE | UNRESOLVED | CRYPTO | STATIC | PUBLISH |
    XPUBLISH}] 
Show ND entries.
ndp -flush [<interface>] [-iprange=<IP range>] [-state={ALL |
    DYNAMIC | NORMAL | STALE | UNRESOLVED | CRYPTO | STATIC |
    PUBLISH | XPUBLISH}] 
Flush ND cache of specified interface.
ndp -notify <interface> -ip=<IP address> [-hwsender=<String>] 
Send gratuitous ND for IP.
ndp -releaserouter [<interface> [<String>]] 
Remove specified routers from the table of all specified interfaces.
ndp -releasedns [<interface>] 
Remove DNS servers from the table of all specified interfaces.
ndp -renew [<interface>] 
Send router solicitation.

Options

-flush
Flush ND cache of all specified interfaces. (Admin only)
-hwsender=<String>
Sender ethernet address.
-ip=<IP address>
IP address to send gratuitous ND for.
-iprange=<IP range>
Show/Flush only IP addresses in range.
-notify
Send gratuitous ND for <ip>.
-num=<n>
Show only the first <n> entries per interface. (Default: 20)
-releasedns
Remove DNS servers learned through SLAAC from the table of all specified interfaces. (Admin only)
-releaserouter
Remove specified routers from the table of all specified interfaces. (Admin only)
-renew
Send router solicitation.
-show
Show ND entries for given interface(s).
-state={ALL | DYNAMIC | NORMAL | STALE | UNRESOLVED | CRYPTO | STATIC | PUBLISH | XPUBLISH}
Specifies a category of neighbor entries, only valid for -type=Neighbor. (Default: dynamic)
-type={NEIGHBOR | ROUTER | DNSSERVER}
Specifies what type of ND data to operate on. (Default: Neighbor)
<interface>
Interface name.
<String>
Specifies IPv6 router.

2.2.30. ndpsnoop

Toggle snooping and displaying of NDP requests.

Description

Toggle snooping and displaying of NDP queries and responses on-screen.

Aborting the ndpsnoop command can be done by calling 'ndpsnoop none' or by pressing CTRL-C. Using CTRL-C will also terminate all other running CLI commands.

Usage

ndpsnoop 
Show snooped interfaces.
ndpsnoop {ALL | NONE | <interface>} [<Network>] [-type={NEIGHBOR |
         ROUTER | ANY}] [-verbose] 
Snoop specified interface.

Options

-type={NEIGHBOR | ROUTER | ANY}
Type of NDP traffic.
-verbose
Verbose.
<Network>
Network filter. (Default: ::/0)
{ALL | NONE | <interface>}
Interface name.

2.2.31. netcon

List current Netcon connections.

Description

Lists current Netcon connections and shows the interface, IP-address and port for each connection.

Usage

2.2.32. netobjects

List runtime values of configured network objects.

Description

Displays named network objects and their contents.

Usage

netobjects [<IP>] [-num=<num>] [-verbose] 

Options

-num=<num>
Number of entries to show. Default number of printed objects depends on screen row count. (Default: 0)
-verbose
Verbose.
<IP>
Address/address folder name.

2.2.33. ospf

Show runtime OSPF information.

Description

Show runtime information about OSPF router processes.

Usage

ospf 
Show runtime information.
ospf -process=<OSPF Router Process> 
Show runtime information for specific OSPF router process.
ospf -iface [<interface>] [-process=<OSPF Router Process>] 
Show interface information.
ospf -area [<OSPF Area>] [-process=<OSPF Router Process>] 
Show area information.
ospf -neighbor [<OSPF Neighbor>] [-process=<OSPF Router Process>] 
Show neighbor information.
ospf -route [{HA | ALT}] [-process=<OSPF Router Process>] 
Show the internal OSPF process routing table.
ospf -database [-verbose] [-process=<OSPF Router Process>] 
Show the LSA database.
ospf -lsa <lsaID> [-process=<OSPF Router Process>] 
Show details for a specified LSA.
ospf -snoop={ON | OFF} [-verbose] [-process=<OSPF Router Process>] 
Show troubleshooting messages on the console.
ospf -ifacedown <interface> 
Take specified interface offline.
ospf -ifaceup <interface> 
Take specified interface online.
ospf -execute={STOP | START | RESTART}
     [-process=<OSPF Router Process>] 
Start/stop/restart OSPF process.

Options

-area
Show area information.
-database
Show the LSA database.
-execute={STOP | START | RESTART}
Start/stop/restart OSPF process. (Admin only)
-iface
Show interface information.
-ifacedown
Take specified interface offline. (Admin only)
-ifaceup
Take specified interface online. (Admin only)
-lsa
Show details for a specified LSA <lsaID>.
-neighbor
Show neighbor information.
-process=<OSPF Router Process>
Specify OSPF router process.
-route
Show the internal OSPF process routing table.
-snoop={ON | OFF}
Show troubleshooting messages on the console.
-verbose
Increase amount of information to display.
<interface>
OSPF enabled interface.
<lsaID>
LSA ID.
<OSPF Area>
OSPF Area.
<OSPF Neighbor>
Neighbor.
{HA | ALT}
Show HA routing table.

2.2.34. pipe

List pipes and display their status.

Description

Display the current status of traffic shaping.

Usage

pipe -num=<n> [-average] [-grouping] 
List pipe objects.
pipe <Pipe> [-average] [-statistics={ENABLE | DISABLE | RESET}]
     [-grouping] [-num=<n>] 
Display pipe details.
pipe -group=<String> <Pipe> [-average] [-statistics={ENABLE |
     DISABLE | RESET}] 
Display group details for a specific pipe.
pipe -reset <Pipe> 
Reset specific pipe statistics.
pipe -reset 
Reset pipe statistics.
pipe 
Same as "pipe -show".

Options

-average
Show information (average and total) since last reset.
-group=<String>
Show info about this specific group.
-grouping
Show dynamic limits and group info.
-num=<n>
Limit list to <n> pipes. (Default: 20)
-reset
Reset statistics. (Admin only; Advanced view)
-statistics={ENABLE | DISABLE | RESET}
Enable/Disable statistics for group(s); the pipe must have been configured with per-group statistics support. (Admin only)
<Pipe>
Display specific pipe.

2.2.35. portmgr

Show portmanager state.

Description

The portmanager CLI command may be used for inspecting the current port usage for a specific source and destination IP pair.

The source IP address is usually a local IP address assigned to one of the gateway's interfaces and used as the source address for NAT'ing. The destination address is a remote destination to which the gateway has a connection.

Usage

portmgr -srcip=<ip addr> -destip=<ip addr> [-port=<1...65535>] 

Options

-destip=<ip addr>
Destination IP address.
-port=<1...65535>
Port number.
-srcip=<ip addr>
Source IP address.

2.2.36. radiussnoop

Enable/Disable snooping on RADIUS interface.

Description

The radiussnoop command is used to view information about messages transferred on the RADIUS interface.

Using the server and user options it is possible to filter the displayed information.

Example 2.14. Display status and used filters

Device:/> radiussnoop

Usage

radiussnoop [-server=<RADIUS Server>] [-user=<String>] [-on] [-off]
            [-verbose] 

Options

-off
Turn RADIUS snooping off.
-on
Turn RADIUS snooping on.
-server=<RADIUS Server>
Name of configured RADIUS Server to snoop on.
-user=<String>
Username to snoop on. Wildcard strings are supported.
-verbose
Enable RADIUS snooping with verbose output.

2.2.37. rfo

Route monitoring commands.

Description

Display information about monitored routes.

Usage

rfo 
Show monitored routes.
rfo -show [-verbose] 
Show verbose information.
rfo -forceenable <Integer> 
Force enable route.
rfo -forcedisable <Integer> 
Force disable route.

Options

-forcedisable
Force disable route.
-forceenable
Force enable route.
-show
Show monitored routes.
-verbose
Show verbose information.
<Integer>
Route monitor session ID.

2.2.38. routes

Display user space routing tables.

Description

Display information about the user space routing table(s):

- Contents of a (named) routing table.
- The list of routing tables, along with a total count of route entries in each table, as well as how many of the entries are single-host routes.

Note that "core" routes for interface IP addresses are not normally shown. Use the -all switch to show core routes also.

Explanation of Flags field of the routing tables:

A
Published via Proxy ARP
B
Learned via BGP
D
Dynamic (from e.g. DHCP relay, IPsec, L2TP/PPP servers, etc.)
H
HA synced from cluster peer
L
Local IP
M
Route is Monitored
O
Learned via OSPF
S
Route is stale (pending update)
P
HA Private
X
Route is Disabled
Z
Route is being updated

Usage

routes -lookup=<ip address> [<table name>] [-rawdb] 
Lookup IP address.
routes 
Show routes.
routes -show [{<ALL> | <table name>}] [-alltypes] [-num={ALL |
       <n>}] [-nonhost] [-verbose] [-rawdb] 
Show routes.
routes -tables 
Show named tables.

Options

-alltypes
Also show routes for interface addresses.
-lookup=<ip address>
Lookup the route for the given IP address.
-nonhost
Do not show single-host routes.
-num={ALL | <n>}
Limit display to <n> entries. (Default: 20)
-rawdb
Show results from slowpath routing tables. (Advanced view)
-show
Show routes in routing table.
-tables
Display list of named routing tables.
-verbose
Verbose.
<table name>
Name of routing table.
{<ALL> | <table name>}
Name of routing table.

2.2.39. rules

Show rules lists.

Description

Shows the content of the various types of rules, i.e. main ruleset.

Example 2.15. Show a range of rules.

rules 1-5,7-9 -verbose

Usage

rules 
Show IP rules.
rules -num=<n> 
Show num IP rules.
rules -verbose 
Show IP rules with verbose output.
rules -type={IP | ACCESS | PBR} [<rules>] [-verbose] [-num=<n>] 
Show rules (verbose output).
rules <rules> [-verbose] 
Show IP rules within range 'rules'.

Options

-num=<n>
Limit list to <n> rules. (Default: 40)
-type={IP | ACCESS | PBR}
Type of rules to display. (Default: IP)
-verbose
Verbose: show all parameters of the rules.
<rules>
Range of rules to display. (default: all rules)

2.2.40. rulesnoop

Toggle snooping and displaying of RULE requests.

Description

Toggle snooping and displaying of RULE queries and responses on-screen.

Aborting the rulesnoop command can be done by calling 'rulesnoop none' or by pressing CTRL-C. Using CTRL-C will also terminate all other running CLI commands.

Usage

rulesnoop 
Show snooped state.
rulesnoop {ALL | CORE | NONE | <interface>} [<destination>
          [<source>]] [-verbosity={BASIC | INFORMATIVE | EXTREME}]
          [-ratelim=<1...65535>] 
Snoop specified interface.

Options

-ratelim=<1...65535>
Ratelimit; rule operations snooped per second. (Default: 1)
-verbosity={BASIC | INFORMATIVE | EXTREME}
Verbosity level. The higher the level, the more information is output about the lookup decisions. Each higher level also includes the output of the lower levels. (Default: basic)
<destination>
Destination network filter.
<source>
Source network filter.
{ALL | CORE | NONE | <interface>}
Name of receive interface.

2.2.41. sctp

List current state of SCTP associations.

Description

Display the current state of SCTP associations.

Usage

sctp 
Same as "sctp -show".
sctp -show [-num=<number>] [-initip=<ip address>]
     [-respip=<ip address>] [-initport=<port>] [-respport=<port>]
     [-initif=<Interface>] [-respif=<Interface>] [-vtag=<String>]
     [-state={INIT | INIT-ACK | COOKIE-ECHO | ESTABLISHED |
     SHUTDOWN | SHUTDOWN-WAIT}] [-showvtag] [-compact] [-showalias]
     [-linger] 
Show SCTP associations.
sctp -close [-all] [-initip=<ip address>] [-respip=<ip address>]
     [-initport=<port>] [-respport=<port>] [-initif=<Interface>]
     [-respif=<Interface>] [-vtag=<String>] [-state={INIT |
     INIT-ACK | COOKIE-ECHO | ESTABLISHED | SHUTDOWN |
     SHUTDOWN-WAIT}] 
Close an SCTP association.

Options

-all
Close all SCTP associations. (Admin only)
-close
Close an SCTP association. (Admin only)
-compact
Show reduced version of the table.
-initif=<Interface>
Receive Interface of the initiator of an SCTP association.
-initip=<ip address>
IP address of the initiator of an SCTP association.
-initport=<port>
Port of the initiator of the SCTP association.
-linger
Also display deleted associations lingering in the wait queue.
-num=<number>
Limit output to <number> entries. (Default: 10)
-respif=<Interface>
Receive Interface of the responder of an SCTP association.
-respip=<ip address>
IP address of the responder of an SCTP association.
-respport=<port>
Port of the responder of the SCTP association.
-show
Show SCTP associations.
-showalias
Show also the aliases of an association.
-showvtag
Display the verification tags used by the peers of an association.
-state={INIT | INIT-ACK | COOKIE-ECHO | ESTABLISHED | SHUTDOWN | SHUTDOWN-WAIT}
State in which an association should be in order to be displayed.
-vtag=<String>
Verification tag used by either the initiator or the responder of an association to filter on.

2.2.42. sipalg

SIP ALG.

Description

List running SIP-ALG configurations, SIP registration and call information.

The -flags option with -snoop allows any combination of the following values:

- 0x00000001 GENERAL
- 0x00000002 ERRORS
- 0x00000004 OPTIONS
- 0x00000008 PARSE
- 0x00000010 VALIDATE
- 0x00000020 SDP
- 0x00000040 ALLOW_CHANGES
- 0x00000080 SUPPORTED_CHANGES
- 0x00000100 2543COMPLIANCE
- 0x00000200 RECEPTION
- 0x00000400 SESSION
- 0x00000800 REQUEST
- 0x00001000 RESPONSE
- 0x00002000 TOPO_CHANGES
- 0x00004000 MEDIA
- 0x00008000 CONTACT
- 0x00010000 CONN
- 0x00020000 PING
- 0x00040000 TRANSACTION
- 0x00080000 CALLLEG
- 0x00100000 REGISTRY

Flags are combined by adding their values together (a bitwise OR). The default value is 0x00000003 (GENERAL and ERRORS).

NOTE: 'verbose' option outputs a lot of information on the console which may lead to system instability. Use with caution.
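The flag table above, worked through as an added example that is not part of the original reference: this Python helper builds a -flags value from flag names and decodes a value back into names, reporting any bits the table does not define. The function names are hypothetical, and it is an assumption of this example that the CLI accepts the 0x-prefixed, 8-digit form in which the table writes the values.

```python
# Added example: compose and decode the "sipalg -snoop ... -flags=<hex>" mask.
# Flag names and values are copied from the table in this section; the helper
# names are hypothetical and not part of the product.

SIP_SNOOP_FLAGS = {
    "GENERAL": 0x00000001,
    "ERRORS": 0x00000002,
    "OPTIONS": 0x00000004,
    "PARSE": 0x00000008,
    "VALIDATE": 0x00000010,
    "SDP": 0x00000020,
    "ALLOW_CHANGES": 0x00000040,
    "SUPPORTED_CHANGES": 0x00000080,
    "2543COMPLIANCE": 0x00000100,
    "RECEPTION": 0x00000200,
    "SESSION": 0x00000400,
    "REQUEST": 0x00000800,
    "RESPONSE": 0x00001000,
    "TOPO_CHANGES": 0x00002000,
    "MEDIA": 0x00004000,
    "CONTACT": 0x00008000,
    "CONN": 0x00010000,
    "PING": 0x00020000,
    "TRANSACTION": 0x00040000,
    "CALLLEG": 0x00080000,
    "REGISTRY": 0x00100000,
}

DEFAULT_MASK = 0x00000003  # GENERAL and ERRORS, as stated in the text

# Every bit the table defines, OR-ed together.
KNOWN_BITS = 0
for _bit in SIP_SNOOP_FLAGS.values():
    KNOWN_BITS |= _bit


def build_mask(names):
    """Combine flag names (case-insensitive) into a single mask."""
    mask = 0
    for name in names:
        key = name.strip().upper()
        if key not in SIP_SNOOP_FLAGS:
            raise ValueError(f"unknown SIP snoop flag: {name!r}")
        mask |= SIP_SNOOP_FLAGS[key]
    return mask


def decode_mask(value):
    """Return (flag_names, unknown_bits) for an int or a hex string."""
    mask = int(value, 16) if isinstance(value, str) else int(value)
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("mask must fit in 32 bits")
    names = [n for n, bit in SIP_SNOOP_FLAGS.items() if mask & bit]
    return names, mask & ~KNOWN_BITS


def format_mask(mask):
    """Render a mask in the 8-digit hexadecimal form used by the table."""
    return f"0x{mask:08x}"


def snoop_command(names, mode="on"):
    """Render the CLI line for the chosen flags (assumed 0x-prefixed form)."""
    if mode not in ("on", "off", "verbose"):
        raise ValueError("mode must be on, off or verbose")
    return f"sipalg -snoop={mode} -flags={format_mask(build_mask(names))}"


if __name__ == "__main__":
    # Constructed inputs for illustration.
    print(snoop_command(["request", "response", "sdp"]))
    print(decode_mask("0x00100003"))
    print(decode_mask(0x00200001))  # one bit outside the documented table
```

A non-zero second element from decode_mask means the value sets bits that this table does not document, which is worth checking before pasting a mask from an old runbook into the CLI.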

Usage

sipalg -definition [<ALG>] 
Show running ALG configuration parameters.
sipalg -registration[={SHOW | FLUSH}] [<ALG>] [-num=<number>]
       [-index=<number>] [-compact] [-iface=<Interface>]
       [-user=<String>] [-ip=<ip address>] [-sort-column=<number>] 
Show or flush current registration table.
sipalg -call [<ALG>] [-num=<number>] [-sort-column=<number>] 
Show active SIP calls.
sipalg -session [<ALG>] [-num=<number>] [-sort-column=<number>] 
Show active SIP sessions.
sipalg -connection [<ALG>] [-num=<number>] 
Show SIP connections.
sipalg -statistics[={SHOW | FLUSH}] [<ALG>] 
Show or flush SIP counters.
sipalg -snoop={ON | OFF | VERBOSE} [-flags=<String>] 
Control SIP snooping. Useful for troubleshooting SIP transactions. NOTE: 'verbose' option outputs a lot of information on the console which may lead to system instability. Use with caution.

Options

-call
Show active calls table.
-compact
Show compact version of the table.
-connection
Show SIP connections.
-definition
Show running ALG configuration parameters.
-flags=<String>
SIP snooping for certain levels. Expected number in hexadecimal notation.
-iface=<Interface>
Filter on interface.
-index=<number>
Show only <index> entry. (Default: 0)
-ip=<ip address>
Filter on IP address.
-num=<number>
Limit output to <number> entries. (Default: 20)
-registration[={SHOW | FLUSH}]
Show or flush registration table. (Default: show)
-session
Show active SIP sessions.
-snoop={ON | OFF | VERBOSE}
Enable or disable SIP snooping. NOTE: 'verbose' option outputs a lot of information on the console which may lead to system instability. Use with caution. (Admin only)
-sort-column=<number>
Sort the table by the specified column.
-statistics[={SHOW | FLUSH}]
Show or flush SIP counters. (Default: show)
-user=<String>
Filter on user name.
<ALG>
SIP-ALG name.

2.2.43. sslvpn

Displays the state of SSLVPN servers.

Description

The sslvpn command is used to view information about and manage SSLVPNServer tunnel interfaces. It can be used to view and close SSL VPN sessions, and to trigger rekeying of sessions.

Usage

sslvpn -num={ALL | <n>} 
Show SSLVPN service summary.
sslvpn -show [<tunneliface>] [-remoteip=<IP range>]
       [-remoteport=<Integer Range>] [-assignedip=<IP range>]
       [-recviface[=<Interface>]] [-state={CONNECTED | CONNECTING}]
       [-num={ALL | <n>}] 
Show SSLVPN sessions.
sslvpn -snoop={OFF | BRIEF | FULL} [<tunneliface>]
       [-localip=<IP range>] [-remoteip=<IP range>]
       [-remoteport=<Integer Range>] [-recviface[=<Interface>]] 
Enable/Disable SSLVPN message snooping.
sslvpn -close [<tunneliface>] [-all] [-nohalt]
       [-remoteip=<IP range>] [-remoteport=<Integer Range>]
       [-assignedip=<IP range>] [-recviface[=<Interface>]]
       [-state={CONNECTED | CONNECTING}] 
Close SSLVPN sessions.
sslvpn -rekey [<tunneliface>] [-all] [-remoteip=<IP range>]
       [-remoteport=<Integer Range>] [-assignedip=<IP range>] 
Rekey connected SSLVPN sessions.

Options

-all
All SSLVPN sessions.
-assignedip=<IP range>
Filter on IP address assigned to client.
-close
Close SSLVPN sessions.
-localip=<IP range>
Filter on local endpoint IP address.
-nohalt
Do not send a halt message to the SSLVPN client when a session is about to be closed.
-num={ALL | <n>}
Limit display to <n> entries. (Default: 20)
-recviface[=<Interface>]
Filter on receive interface. (Default: any)
-rekey
Trigger key renegotiation for connected SSLVPN sessions.
-remoteip=<IP range>
Filter on remote endpoint IP address.
-remoteport=<Integer Range>
Filter on remote TCP/UDP port by specifying a number or range.
-show
Show SSLVPN sessions.
-snoop={OFF | BRIEF | FULL}
Enable/Disable snooping of an SSLVPN interface.
-state={CONNECTED | CONNECTING}
Filter on session state.
<tunneliface>
SSLVPN tunnel interface.

2.2.44. statistics

View statistical values generated by the system.

Description

View statistical values generated by the system.

In order to view statistical values they must first be specified by using the -add option. The list of values that have been created using -add can be reduced by using the -remove option. Running the command again will then poll the current list of values.

Example 2.16. Add statistical values

Add all interface statistics:
 statistics -add /interfacesbytes_recv

Example 2.17. Poll selected values

Using an interval of 2 seconds:
 statistics -poll -interval=2
Once:
 statistics

Usage

statistics -listall 
List available statistical values.
statistics -listpolled 
Show the poll list.
statistics -stop 
Stop interval polling of statistical values.
statistics -add <value> 
Add statistical values to the list of polled values.
statistics -remove <value> 
Remove statistical values from the list of polled values.
statistics -poll [-interval=<interval>] [-nonzero]
           [-rate[={COUNTERS | MAX | MIN | MOMENTARY | NUMERIC}]]
           [-diff-counters] [-human] [-format={HUMAN | RAW}]
           [-transferrate={BITS | BYTES}] [-numdigits=<1...10>]
           [-timefmt={DECIMAL | UNITS}] [-quiet] [-verbose] 
Poll values.
statistics -snapshot-counters [-quiet] 
Create (or update) the local snapshot of counter based values.
statistics -get <values> [-human] [-format={HUMAN | RAW}]
           [-numdigits=<1...10>] [-timefmt={DECIMAL | UNITS}] 
Directly display values of statistical counters.
statistics 
Poll values.

Options

-add
Add statistical values to the list of polled values.
-diff-counters
For counter based values; show the difference compared to the local snapshot instead of the real value.
-format={HUMAN | RAW}
Controls the formatting of the output.
-get
Directly display values of statistical counters.
-human
Output values in a human readable format, for instance, by using a prefix to the unit such as k (kilo), Ki (kibi), M (mega), Mi (mebi) etc. Short form of -format=human.
-interval=<interval>
Number of seconds between polls. (Default: 0)
-listall
List available statistical values.
-listpolled
Show the poll list.
-nonzero
Only include non-zero values in the output.
-numdigits=<1...10>
Number of digits to strive for when doing human readable formatting.
-poll
Poll values.
-quiet
Poll values, but suppress normal output. Useful to fetch baseline values for rate or difference calculations.
-rate[={COUNTERS | MAX | MIN | MOMENTARY | NUMERIC}]
Show average rate since last poll; by default, for counter-based values only. (Default: counters)
-remove
Remove statistical values from the list of polled values.
-snapshot-counters
Create (or update) the local snapshot of counter based values.
-stop
Stop interval polling of statistical values.
-timefmt={DECIMAL | UNITS}
Controls how values representing time are formatted, when doing human readable formatting.
-transferrate={BITS | BYTES}
Controls which unit is used for the rate of byte counters representing transferred data: bits per second (default) or bytes per second. This option only applies to human readable formatting.
-verbose
Show value update info in the output.
<value>
Single statistical value or a group of values.
<values>
Comma separated list of statistical values or a group of values.

2.2.45. testmem

Memory Test command.

Description

Test memory library.

Usage

testmem -diff [-allocate] [-type={CHAR | UINT}] [-size=<Integer>] 
Allocate memory in 2 different locations.
testmem -allocate [-type={CHAR | UINT}] [-num=<Integer>]
        [-size=<Integer>] [-cat=<1...2>] 
Allocate memory.
testmem -free [-type={CHAR | UINT}] [-id=<Integer>] [-cat=<1...2>] 
Free memory.
testmem -list 
List allocated memory.
testmem -killme 
Exit application.
testmem -fastexit 
Exit application now.
testmem -track 
Print memory allocations.
testmem -start [-size=<Integer>] [-memleak] [-z] 
Start allocation thread.
testmem -stop 
Stop allocation thread.
testmem -usedMem 
Mem_test memory usage.

Options

-allocate
Allocate memory.
-cat=<1...2>
Category to use for allocations. (Default: 1)
-diff
Allocate from different location.
-fastexit
Exit application now.
-free
Free memory.
-id=<Integer>
Index to free.
-killme
Exit application.
-list
List memory consumption.
-memleak
Don't free allocations.
-num=<Integer>
Number of objects to allocate. (Default: 1)
-size=<Integer>
Size of object to allocate. (Default: 1)
-start
Start allocate thread.
-stop
Stop allocate thread.
-track
Print memory allocations.
-type={CHAR | UINT}
Variable type. (Default: char)
-usedMem
Memory used by testmem.
-z
Two allocate threads.

2.2.46. threshold

List current threshold state.

Description

Display the current threshold state.

Explanation of columns in the "-show" output: Group Limit, Max Current, and the difference between Active Groups and Exceeding Groups.

Group Limit
The effective limit per group. It is only relevant when the threshold has been configured with "shared scope", otherwise it will just be the configured limit.
Max Current
The largest value currently measured by any group; it is not a historical value. When this group violates the threshold condition(s), the time for which it has been violating them is also displayed. E.g. 501/3.03s means 501 concurrent flows (or flows/s) measured, and this measurement has violated (exceeded) the configured threshold for 3.03s.
Active Groups
The number of groups that are considered "active".
Exceeding Groups
Those (active) groups that are violating the configured threshold condition(s). Exceeding groups are thus a subset of the Active Groups.
NOTE:
When "flow rate" is configured, any group with at least 1 flow setup attempt per configured interval (normally 1s) is considered to be an "active group". When "concurrent flows" is configured, any group with at least 1 open flow is considered to be an "active group".

Explanation of column in "-show -grouping" output.

Duration
When a group has never violated the corresponding threshold definition(s), it will display the time that the group has been "active". If the group currently violates the threshold definition(s), it is the time that the group has been violating the threshold definition(s).
In simple terms, it shows how long the group has been in its current state (how long it has been violating the threshold, how long since it stopped violating the threshold, or how long it has been active).

Usage

threshold -reset 
Reset grouping state of threshold rules.
threshold -show [-num=<n>] [-grouping] 
List grouping state of threshold rules.
threshold -show [-num=<n>] 
Display current state of threshold rules.
threshold <rule> [-num=<n>] [-grouping] [-threshold=<String>] 
Display grouping state for a specific threshold rule.
threshold 
Same as "threshold -show".

Options

-grouping
Show dynamic limits and group info for threshold rule(s).
-num=<n>
Limit output to <n> rows/entries. (Default: 20)
-reset
Reset group state; active groups will be recreated without history. (Admin only; Advanced view)
-show
Show threshold state.
-threshold=<String>
Restrict command to this specific threshold definition.
<rule>
Specific threshold rule.