Note: This document is also available in other formats. A PDF version of this document along with all current and older documentation in PDF format can be found at https://my.clavister.com. It is also available in a framed HTML version.
This guide is a reference for all commands and configuration object types that are accessible through the Command Line Interface (CLI). This introduction gives a brief overview of the CLI help and autocompletion capabilities. CLI connection and usage is described in more depth in the separate Clavister firewall Administration Guide.
Case Sensitivity
The CLI is case-sensitive. However, the tab-completion feature of the CLI does not require the correct case to perform completion and will alter the typed case if it is required.
String Delimiters, the Escape Character and Special Characters
When entering CLI commands, literal strings can be enclosed in double quotation mark characters ("..."). For example:
add User my-user Password="pass word"
However, to include the double quotation mark itself in a string, it must be preceded by a backslash (\) which is the CLI escape character:
set User my-user Password="pass\"word"
Other special characters that might be needed are the following:
For example:
set RemoteManagement RemoteMgmtSSH ssh Banner="Welcome!\r\n - Type \"help\"
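The quoting rules above matter most when command lines are generated by a script, for example when setting a password that itself contains a quotation mark. The following Python code is an added example, not part of the Clavister documentation: `cli_quote`, `cli_split` and `build_set_command` are hypothetical helpers that model only the rules shown in this section (double-quoted strings with the escapes `\"`, `\r` and `\n`), and it assumes that a literal backslash is written `\\`, which this page does not state.

```python
import re

# Escapes shown in this guide's examples: \" \r \n.
# ASSUMPTION: a literal backslash is written as \\ (not stated on this page).
_ESCAPE = {'"': '\\"', '\\': '\\\\', '\r': '\\r', '\n': '\\n'}
_UNESCAPE = {'"': '"', '\\': '\\', 'r': '\r', 'n': '\n'}

# Conservative pattern for type names, identifiers and property names.
# Hypothetical policy for this example; the CLI itself may accept more.
_WORD = re.compile(r'[A-Za-z0-9_.-]+')


def cli_quote(value):
    """Return value as a double-quoted CLI string literal."""
    out = []
    for ch in value:
        if ch in _ESCAPE:
            out.append(_ESCAPE[ch])
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            # Refuse other control characters rather than guess an escape.
            raise ValueError("unsupported control character %r" % ch)
        else:
            out.append(ch)
    return '"' + ''.join(out) + '"'


def cli_split(line):
    """Split a command line into words, honouring "..." and backslash escapes.

    Models the rules in this section only; outside quotes a backslash is
    kept as an ordinary character (assumption).
    """
    words, cur = [], []
    in_quotes = started = False
    i = 0
    while i < len(line):
        ch = line[i]
        if in_quotes and ch == '\\':
            nxt = line[i + 1:i + 2]
            if nxt not in _UNESCAPE:
                raise ValueError("bad escape at column %d" % i)
            cur.append(_UNESCAPE[nxt])
            i += 2
            continue
        if ch == '"':
            # An unescaped quotation mark opens or closes a string.
            in_quotes = not in_quotes
            started = True
        elif in_quotes or not ch.isspace():
            cur.append(ch)
            started = True
        elif started:
            # Unquoted whitespace ends the current word.
            words.append(''.join(cur))
            cur, started = [], False
        i += 1
    if in_quotes:
        raise ValueError("unterminated string literal")
    if started:
        words.append(''.join(cur))
    return words


def build_set_command(obj_type, identifier, **props):
    """Build 'set <Type> <Identifier> Key="value" ...' with every value quoted."""
    for word in (obj_type, identifier, *props):
        if not _WORD.fullmatch(word):
            raise ValueError("unsafe word %r" % word)
    pairs = ['%s=%s' % (key, cli_quote(val)) for key, val in props.items()]
    return ' '.join(['set', obj_type, identifier] + pairs)


# Constructed sample: a password value that tries to smuggle in a second property.
HOSTILE = 'x" Comments="injected'

if __name__ == "__main__":
    naive = 'set User my-user Password="%s"' % HOSTILE
    safe = build_set_command("User", "my-user", Password=HOSTILE)
    print(cli_split(naive))  # the value breaks out into a separate word
    print(cli_split(safe))   # the value stays inside the Password property
```

Splitting the generated line with `cli_split` before sending it is a cheap check that a value did not turn into additional words or options.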
Running a Command
The commands described in this guide can be run by typing the command along with any options followed by pressing the return key. Many commands require options to be set. If a mandatory option is missing, a brief syntax help will be displayed after the enter key is pressed.
CLI Function Keys
In addition to the return key there are a number of function keys that can be used with the CLI. These are listed below:
The CLI History
Every time a command is run, the command line is added to a cached history of commands. The up and down arrow keys are used to access previous commands. The up arrow key displays the next oldest command in the history and the down arrow key returns to newer command lines.
The history command shows the entire contents of the history cache.
Example 1.1. CLI History
Using the command line history via the arrow keys:
Device:/> show Address
Device:/> (up arrow)
Device:/> show Address (the previous command is displayed)
CLI Help
There are two ways of getting help about a command. A brief help is displayed if the command name is typed followed by -?. This applies to all commands and is therefore not listed in the option list for each command in this guide.
In most cases it is possible to type the command help followed by the command name to get the detailed help for that command. To list all available commands, type help on its own and press return.
See Section 2.4.9, help for a more detailed description of the help command.
Example 1.2. CLI Help
Brief help for the activate command:
Device:/> activate -?
activate (ac). Activate changes.
Full help for activate:
Device:/> help activate
COMMAND
activate (ac). Activate changes.
DESCRIPTION
Activate the latest changes.
This will issue a reconfiguration, using the new configuration.
If the reconfiguration is successful a commit command must be
issued within the configured timeout interval in order to save
the changes to media. If not, the system will revert to using
the previous version of the configuration.
USAGE
activate
List all available commands:
Device:/> help
Available commands (type "help help" for more help):
"
"
Tab Completion
By using the tab function key in the CLI, the names of commands, options, objects and object properties can be automatically completed. If the text entered before pressing tab only matches one possible item, e.g. "activate" is the only match for "acti", and a command is expected, the name will be autocompleted.
Should there be more than one match, the part common to all matches will be completed. At this point the user can either enter more characters or press tab again, which will display a list of the possible completions. This can also be done without entering any characters, but the resulting list might be long if there are many possible completions, e.g. all commands.
Example 1.3. Tab Completion
An example of tab completion when using the add command:
Device:/> add Add (tab)
Device:/> add Address ("ress" was autocompleted)
Device:/> add Address i (tab)
Device:/> add Address IP ("IP" was autocompleted)
Device:/> add Address IPa (tab)
Device:/> add Address IPAddress ("IPAddress" was autocompleted)
Device:/> add Address IPAddress example_ip a (tab)
Device:/> add Address IPAddress example_ip Address= (autocompleted)
Device:/> add Address IPAddress example_ip Address=1.2.3.4
Mandatory Properties are Shown First
When using autocompletion, the optional object properties are not displayed until all mandatory properties have been assigned values.
For example, the Name parameter for an IP rule is optional. It will not be displayed by autocompletion until such mandatory parameters as source/destination network/interface are entered.
Inline Help
It is also possible to get help about available properties while a command line is being typed by typing tab. This will either result in a message to say what the next option is or show a list if there are several alternatives.
Example 1.4. Inline Help
Get inline help for all properties of an IPAddress:
Device:/> add Address IPAddress (tab)
Enter a name for the new object.
Object Properties Help
It is possible to get information about the valid properties for an object by using the tab key:
Example 1.5. Option Properties Help
Option help for the Address= parameter of IPAddress:
Device:/> add Address IPAddress my_ip (tab)
<key-value pair>:
Address Comments NoDefinedCredentials UserAuthGroups
Other valid options: -force, <enter>
Special Characters Used with Tab Completion
When entering the value of an object property, the tab character can be preceded by either of the following characters:
Entering the "." (period) character before entering tab will insert the current value of the object property.
For example, assume that there is already an object in the address book called my_address and it has the IPv4 address value 203.0.113.10. Now enter the following command:
Device:/> set Address IPAddress my_address Address=.(tab)
This will cause the current IP address to be displayed:
Device:/> set Address IPAddress my_address Address=203.0.113.10
Entering the "*" (asterisk/star) character before entering tab will cause the default property value to be automatically filled in.
Device:/> set RemoteManagement RemoteMgmtSSH RemoteMgmtSSH LogEnabled=?(tab)
Type: Boolean
Description: Enable logging.
Default: Yes
Current Value: Yes
User Restrictions
Certain commands and options cannot be used unless the CLI user has administrator privileges. This is indicated in this guide by a note following the command stating Requires Administrator Privilege. Individual command options may also be labelled Admin only.
Activate changes.
Description
Activate the latest changes.
This will issue a reconfiguration, using the new configuration. If the reconfiguration is successful a commit command must be issued within the configured timeout interval in order to save the changes to media. If not, the system will revert to using the previous version of the configuration.
Usage
activate [-force]
Options
Note: Requires Administrator privileges.
Create a new object.
Description
Create a new object and add it to the configuration.
Specify the type of object you want to create and the identifier, if the type has one, unless the object is identified by an index. Set the properties of the object by writing the property name, an equals sign (=) and then the value. An optional category can be specified for some object types when using tab completion.
If a mandatory property isn't specified a list of errors will be shown after the object is created. If an invalid property or value type is specified or if the identifier is missing the command will fail and not create an object.
Adjustments can be made after the object is created by using the set command.
Example 2.1. Create a new object
Add objects with an identifier property (not index):
gw-world:/> add Address IPAddress example_ip Address=1.2.3.4 Comments="This is an example"
gw-world:/> add IPAddress example_ip2 Address=2.3.4.5
Add an object with an index:
gw-world:/RoutingTable/main> add Route Interface=lan Network=all-nets-ip4
Usage
add [<Category>] <Type> [<Identifier>] [-force] [<key-value pair>]...
Options
Note: Requires Administrator privileges.
Change the current context.
Description
Change the current configuration context.
A context is a group of objects that are dependent on and grouped by a parent object. Many objects lie in the "root" context and do not have a specific parent. Other objects, e.g. User objects, lie in a sub-context (or child context) of the root - in this case in a LocalUserDatabase. In order to add or modify users you have to be in the correct context, e.g. a LocalUserDatabase called "exampledb". Only objects in the current context can be accessed.
Example 2.2. Change context
Change to a sub/child context:
gw-world:/> cc LocalUserDatabase exampledb
gw-world:/LocalUserDatabase/exampledb>
Go back to the parent context:
gw-world:/ospf1/area1> cc ..
gw-world:/ospf1> cc ..
gw-world:/>
Go back to the root context:
gw-world:/ospf1/area1> cc
gw-world:/>
or
gw-world:/ospf1/area1> cc /
gw-world:/>
Usage
cc [<Category>] <Type> <Identifier>
    Change the current context.
cc -print
    Print the current context.
cc
    Change to root context (same as "cc /").
Options
Save new configuration to media.
Description
Save the new configuration to media. This command can only be issued after a successful activate command.
Usage
commit
Note: Requires Administrator privileges.
Delete specified objects.
Description
Delete the specified object, removing it from the configuration.
Add the force flag to delete the object even if it is referenced by other objects or if it is a context that has child objects that aren't deleted. This may cause objects referring to the specified object or one of its children to get errors that must be corrected before the configuration can be activated.
See also: undelete
Example 2.3. Delete an object
Delete an unreferenced object:
gw-world:/> delete Address IPAddress example_ip
Delete a referenced object: (will cause error in examplerule)
gw-world:/IPRuleSet/main> set IPRule 1(examplerule) SourceNetwork=examplenet
gw-world:/> delete Address IPAddress examplenet -force
Delete a range of objects:
gw-world:/IPRuleSet/main> delete IPRule -range=1-10
Usage
delete [<Category>] <Type> [<Identifier>] [-force] [-range=<Integer Range>]
Options
Note: Requires Administrator privileges.
Reject changes.
Description
Reject the changes made to the specified object by reverting to the values of the last committed configuration.
All changes made to the object will be lost. If the object is added after the last commit, it will be removed.
To reject the changes in more than one object, use either the -recursive flag to delete a context and all its children recursively or the -all flag to reject the changes in all objects in the configuration.
Example 2.4. Reject changes
Reject changes in individual objects:
gw-world:/> set Address IPAddress example_ip Comments="This comment will be rejected"
gw-world:/> reject Address IPAddress example_ip
gw-world:/> add Address IPAddress example_ip2 Address=1.2.3.4 Comments="This whole object will be removed"
gw-world:/> reject Address IPAddress example_ip2
Reject changes recursively: (will reject changes in the user database and all users)
gw-world:/LocalUserDatabase/exampledb> set User user1 Comments="Something"
gw-world:/LocalUserDatabase/exampledb> set User user2 Comments="that will be"
gw-world:/LocalUserDatabase/exampledb> set User user3 Comments="rejected"
gw-world:/LocalUserDatabase/exampledb> cc ..
gw-world:/> reject LocalUserDatabase exampledb -recursive
Reject all changes:
gw-world:/anycontext> reject -all
All changes since the last commit will be rejected: (example_ip will be removed since it is newly added)
gw-world:/> add Address IPAddress example_ip Address=1.2.3.4
gw-world:/> delete Address IPAddress example_ip
gw-world:/> reject Address IPAddress example_ip
Usage
reject [<Category>] <Type> [<Identifier>] [-recursive]
    Reject changes made to the specified object.
reject -all
    Reject all changes in the configuration.
Options
Note: Requires Administrator privileges.
Set property values.
Description
Set property values of configuration objects.
Specify the type of object you want to modify and the identifier, if the type has one. Set the properties of the object by writing the property name, an equals sign (=) and then the value. An optional category can be specified for some object types when using tab completion.
If a mandatory property hasn't been specified or if a property has an error a list of errors will be shown after the specified properties have been set. If an invalid property or value type is specified the command will fail and not modify the object.
See also: add
Example 2.5. Set property values
Set properties for objects that have an identifier property:
gw-world:/> set Address IPAddress example_ip Address=1.2.3.4 Comments="This is an example"
gw-world:/> set IPAddress example_ip2 Address=2.3.4.5 Comments=comment_without_whitespace
gw-world:/RoutingTable/main> set Route 1 Comments="A route"
gw-world:/IPRuleSet/main> set IPRule 12 Index=1
Set properties on a range of objects:
gw-world:/IPRuleSet/main> set IPRule -range=1-10 LogEnabled=No
Usage
set [<Category>] <Type> [<Identifier>] [-disable] [-enable] [-force] [-range=<Integer Range>] [<key-value pair>]...
Options
Note: Requires Administrator privileges.
Show objects.
Description
Show objects.
Show the properties of a specified object.
There are a number of flags that can be specified to show otherwise hidden properties.
To show a list of object types and categories available in the current context, just type show.
Show a table of all objects of a type by specifying a type or a category. Use the -errors or -changes flags to show what objects have been changed or have errors in the configuration.
When showing a table of all objects of a certain type, the status of each object since the last time the configuration was committed is indicated by a flag. The flags used are:
Unchanged objects are not indicated by a flag.
When listing categories and object types, categories are indicated by [] and types where objects may be contexts by /.
Example 2.6. Show objects
Show the properties of an individual object:
gw-world:/> show Address IPAddress example_ip
gw-world:/RoutingTable/main> show Route 1
Show a table of all objects of a type and a selection of their properties as well as their status:
gw-world:/> show Address IPAddress
gw-world:/> show IPAddress
Show a table of all objects for each type in a category:
gw-world:/> show Address
Show objects with changes and errors:
gw-world:/> show -changes
gw-world:/> show -errors
Show what objects use (refer to) a certain object:
gw-world:/> show Address IPAddress example_ip -references
Usage
show
    Show the types and categories available in the current context.
show [<Category>] [<Type> [<Identifier>]] [-system] [-disabled] [-references] [-expand]
    Show an object or list a type or category.
show -errors [-verbose]
    Show all errors.
show -changes
    Show all changes.
show -expand
    Show objects with expanded symbolic names where supported.
Options
Restore previously deleted objects.
Description
Restore a previously deleted object.
This is possible as long as the activate command has not been called.
See also: delete
Example 2.7. Undelete an object
Undelete an unreferenced object:
gw-world:/> delete Address IPAddress example_ip
gw-world:/> undelete Address IPAddress example_ip
Undelete a referenced object: (will remove the error in examplerule)
gw-world:/IPRuleSet/main> set IPRule 1(examplerule) SourceNetwork=examplenet
gw-world:/> delete Address IPAddress examplenet -force
gw-world:/> undelete Address IPAddress examplenet
Usage
undelete [<Category>] <Type> [<Identifier>]
Options
Note: Requires Administrator privileges.
Show application control status.
Description
View general information about the Application Control system or browse the Application Control database.
Usage
appcontrol
    Show general information about application control system.
appcontrol -show-applications [-name=<String>] [-family=<String>] [-risk={VERY_LOW | LOW | MEDIUM | HIGH | VERY_HIGH}] [-tag=<String>] [-num={ALL | <n>}] [-verbose]
    Show information about supported applications.
Options
Show ARP entries for given interface.
Description
List the ARP cache entries of specified interfaces.
If no interface is given the ARP cache entries of all interfaces will be presented.
The presented list can be filtered using the ip and hw options.
Usage
arp
    Show all ARP entries.
arp -show [<interface>] [-ip=<pattern>] [-hw=<pattern>] [-num=<n>] [-all]
    Show ARP entries.
arp -flush [<interface>]
    Flush ARP cache of specified interface.
arp -notify=<ip> <interface> [-hwsender=<String>]
    Send gratuitous ARP for IP.
Options
Toggle snooping and displaying of ARP requests.
Description
Toggle snooping and displaying of ARP queries and responses on-screen.
Aborting the arpsnoop command can be done by calling 'arpsnoop none' or by pressing CTRL-C. Using CTRL-C will also terminate all other running CLI commands.
Usage
arpsnoop
    Show snooped interfaces.
arpsnoop {ALL | NONE | <interface>} [-verbose]
    Snoop specified interface.
Options
User authentication information.
Description
Show currently logged-on users and other information. Also allows logged-on users to be forcibly logged out.
Usage
authentication
    List logged in users.
authentication -num=<Integer>
    List logged in users.
authentication -all
    List all logged in users.
authentication -show <Integer>
    Show user details.
authentication -profile [<User Authentication Profile>]
    Show authentication profiles.
authentication -logout_id <Integer>
    Logout user via user ID.
authentication -logout_src <IP> <Interface> <User Authentication Profile>
    Logout user via source IP.
authentication -logout_name <username> <User Authentication Profile>
    Logout all users matching username in the profile.
authentication -privilege
    Show currently known privileges.
Options
BGP monitoring/control commands.
Description
Display information about BGP.
Usage
bgp
    Show summary for BGP process.
bgp -neighbors [-neighbor=<neighbor>] [-prefixes-advertised] [-prefixes-received]
    Show neighbor information.
bgp -snoop={ON | OFF} [-category={ALL | BGP-ALL | BFD-ALL | ROUTE-ALL | BGP-UPD | ROUTE-ADD | ROUTE-MOD | ROUTE-DEL}] [-level=<0...7>]
    Enable/disable BGP snooping.
bgp -execute={RESTART-FULL | NEIGHBOR-RECONNECT} [-neighbor=<neighbor>]
    Execute operation.
bgp -prefixes [-num={ALL | <n>}] [-ipv6] [-network=<network>] [-routemap=<routemap>] [-aspath=<AS path>]
    Show prefixes.
bgp -techsupport
    Show internal technical support information.
bgp -bfd [-verbose]
    Show BFD overview.
Options
Block and unblock hosts.
Description
Block and unblock specific hosts for specific source interface(s).
If no option is chosen both blacklist and whitelist entries will be presented.
The presented list can be filtered using the show option, specifying whether blacklist, whitelist or both of the lists need to be displayed.
Usage
blacklist
    Show both blacklist and whitelist entries.
blacklist -show={BLACKLIST | WHITELIST | ALL} [-num=<number>]
    Show either blacklist, whitelist or both.
blacklist -add -srciface=<Interface> -srcip=<ip address> [-destip=<ip address>] [-port=<port range>] [-proto={ICMP | IGMP | TCP | UDP | GRE | ESP | AH | ICMPV6 | OSPF | MTP | L2TP | SCTP | ALL | <0...256>}] [-timeout=<number>]
    Add a blacklist entry.
blacklist -remove [-all] [-srciface=<Interface>] [-srcip=<ip address>] [-destip=<ip address>] [-port=<port range>] [-proto={ICMP | IGMP | TCP | UDP | GRE | ESP | AH | ICMPV6 | OSPF | MTP | L2TP | SCTP | ALL | <0...256>}]
    Remove a blacklist entry.
blacklist -lookup [-srciface=<Interface>] [-srcip=<ip address>] [-destip=<ip address>] [-port=<port range>] [-num=<number>]
    Lookup blacklisted entries.
Options
Show information about cryptographic operations.
Description
Show information about cryptographic devices and cryptographic operations.
Usage
cryptostat
    Show status of available crypto devices.
cryptostat -show [-status] [-verbose] [-poll] [-session]
    Show selected information.
Options
DHCP Client commands.
Description
Show interfaces using DHCP client and various information about leases.
Usage
dhcpclient
    Show DHCP Client active interfaces if no option is supplied.
dhcpclient -list
    Show DHCP Client active interfaces.
dhcpclient <interface>
    Show DHCP Client interface information.
dhcpclient -renew <interface>
    Renew lease on an interface manually.
dhcpclient -release <interface>
    Release lease on an interface that is no longer needed.
dhcpclient -snoop={ON | OFF} <interface> [-verbose]
    Enable/Disable DHCP snoop on an interface.
Options
DHCP Server commands.
Description
Show the content of the DHCP server ruleset and various information about leases and mappings.
Usage
dhcpserver
    Show all DHCP Server active leases if no option is supplied.
dhcpserver -rule=<DHCP Server Rule> [-num=<Integer>] [-fromentry=<Integer>] [-blacklist]
    Show DHCP Server active leases.
dhcpserver -information
    Show DHCP Server general information.
dhcpserver -statistics
    Show DHCP Server statistics.
dhcpserver -rules
    Show DHCP Server Rules.
dhcpserver -mappings [-rule=<DHCP Server Rule>] [-ip=<IP address>] [-num=<Integer>] [-fromentry=<Integer>]
    Show DHCP Server mappings.
dhcpserver -blacklist [-rule=<DHCP Server Rule>] [-ip=<IP address>] [-num=<Integer>] [-fromentry=<Integer>]
    Show DHCP Server blacklisted addresses.
dhcpserver -leases [-rule=<DHCP Server Rule>] [-ip=<IP address>] [-interface=<interface>] [-num=<Integer>] [-fromentry=<Integer>]
    Show DHCP Server active leases.
dhcpserver -releaseblacklist [-rule=<DHCP Server Rule>] [-ip=<IP address>]
    Release one or all blacklisted addresses.
dhcpserver -releasemappings [-rule=<DHCP Server Rule>] [-interface=<interface>] [-ip=<IP address>]
    Release one or all address mappings.
dhcpserver -snoop={ON | OFF} [-rule=<DHCP Server Rule>]
    Snoop specified DHCP Server Rule.
Options
DNS client and queries.
Description
Display information about the DNS client and perform name server lookups.
Usage
dns
    Display contents of cache.
dns -list [<String>] [-num={ALL | <n>}]
    List specific entries from cache. Wildcards can be used, e.g. "*.com".
dns <String> [-type={A | AAAA | PTR}] [-num={ALL | <n>}]
    Do a lookup. If the type is not specified, "PTR" is used for IP addresses and otherwise "A" is used.
dns -flush [<String>]
    Remove cache entries. It is possible to specify an IP address or a domain name. Wildcards can be used, e.g. "*.com".
Options
Displays the state of the DNS ALG.
Description
Displays DNS ALG runtime information.
Usage
dnsalg
    Show DNS sessions handled by the ALG.
dnsalg -show [-num={ALL | <n>}] [-profile=<DNS profile>] [-srciface=<Interface>] [-destiface=<Interface>] [-ip=<IP range>] [-clientip=<IP range>] [-serverip=<IP range>]
    Show DNS sessions handled by the ALG.
dnsalg -close [-all] [-session=<Integer>] [-profile=<DNS profile>] [-srciface=<Interface>] [-destiface=<Interface>] [-ip=<IP range>] [-clientip=<IP range>] [-serverip=<IP range>]
    Close active DNS sessions.
dnsalg -snoop={ON | OFF} [-profile=<DNS profile>] [-srciface=<Interface>] [-destiface=<Interface>] [-ip=<IP range>] [-clientip=<IP range>] [-serverip=<IP range>]
    Enable/disable snooping on the DNS ALG.
Options
List current state-tracked flows.
Description
Display the current state-tracked flows.
Explanation of Flags field in verbose output
Usage
flow -show [-num=<n>] [-verbose] [-usage] [-compact] [-mtu] [-pipechain] [-pipe=<Pipe>] [-srciface=<Interface>] [-destiface=<Interface>] [-protocol={TCP | UDP | ICMP | ICMPV6 | IGMP | GRE | ESP | SCTP | <name/num>}] [-srcport=<port>] [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>] [-sequence] [-sequence-info] [-rules] [-tagged] [-untagged] [-idle] [-ha] [-hastate={NOTSYNCED | SYNCING | SYNCED | SYNCFAILED | DONTSYNC}] [-disable-progress-updates] [-app] [-appfilter=<String>] [-state]
    List flows.
flow
    Same as "flow -show".
flow -close [-all] [-pipe=<Pipe>] [-srciface=<Interface>] [-destiface=<Interface>] [-protocol={TCP | UDP | ICMP | ICMPV6 | IGMP | GRE | ESP | SCTP | <name/num>}] [-srcport=<port>] [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>] [-deepflush] [-tagged] [-untagged] [-idle] [-hastate={NOTSYNCED | SYNCING | SYNCED | SYNCFAILED | DONTSYNC}] [-disable-progress-updates] [-appfilter=<String>]
    Close flows.
flow -tag [-all] [-pipe=<Pipe>] [-srciface=<Interface>] [-destiface=<Interface>] [-protocol={TCP | UDP | ICMP | ICMPV6 | IGMP | GRE | ESP | SCTP | <name/num>}] [-srcport=<port>] [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>] [-idle] [-disable-progress-updates] [-appfilter=<String>]
    Tag flows.
flow -untag [-all] [-pipe=<Pipe>] [-srciface=<Interface>] [-destiface=<Interface>] [-protocol={TCP | UDP | ICMP | ICMPV6 | IGMP | GRE | ESP | SCTP | <name/num>}] [-srcport=<port>] [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>] [-idle] [-disable-progress-updates] [-appfilter=<String>]
    Untag flows.
flow -retag [-all] [-pipe=<Pipe>] [-srciface=<Interface>] [-destiface=<Interface>] [-protocol={TCP | UDP | ICMP | ICMPV6 | IGMP | GRE | ESP | SCTP | <name/num>}] [-srcport=<port>] [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>] [-idle] [-disable-progress-updates] [-appfilter=<String>]
    Invert tag on flows.
flow -hainfo
    Show troubleshooting information for flow HA synchronization.
Options
Show the state of the FTP ALG.
Description
Show runtime information about the FTP ALG.
Usage
ftpalg
    Show FTP sessions handled by the ALG.
ftpalg -show [-num={ALL | <n>}] [-profile=<FTP profile>] [-srciface=<Interface>] [-destiface=<Interface>] [-ip=<IP range>] [-clientip=<IP range>] [-serverip=<IP range>]
    Show FTP sessions handled by the ALG.
ftpalg -close [-all] [-session=<Integer>] [-profile=<FTP profile>] [-srciface=<Interface>] [-destiface=<Interface>] [-ip=<IP range>] [-clientip=<IP range>] [-serverip=<IP range>]
    Close active FTP sessions.
ftpalg -snoop={ON | OFF} [-profile=<FTP profile>] [-srciface=<Interface>] [-destiface=<Interface>] [-ip=<IP range>] [-clientip=<IP range>] [-serverip=<IP range>]
    Enable/disable snooping on the FTP ALG.
Options
Display IP geolocation related information.
Description
Display information about the system's IP geolocation databases and perform lookup of the geographical locations associated with given IP addresses.
Usage
geoip
    Display status of geolocation databases.
geoip -activate=<String>
    Activate a geolocation database file.
geoip -lookup=<IP>
    Get geographical information for a set of IP addresses.
geoip -remove=<String>
    Remove geolocation database files from storage.
geoip -status
    Display status of geolocation databases.
Options
Shows info about GTP such as PDP contexts, GGSN connections or other related information.
Description
The GTP command shows information about PDP context or GGSN connections currently instantiated with the GTP.
Usage
gtp
    List PDP contexts for all GTP interfaces.
gtp -ggsn [-iface=<GTPTunnel>] [-num={ALL | <Integer>}] [-localip=<IPAddress>] [-ggsnip=<IPAddress>]
    List active GGSN connections.
gtp -listen [-localip=<IPAddress>] [-ggsnip=<IPAddress>]
    List listening GGSN connections.
gtp -pdp [-iface=<GTPTunnel>] [-verbose] [-num={ALL | <Integer>}] [-localendpoint=<IPAddress>] [-enduseraddress=<IPAddress>] [-remoteendpoint=<IPAddress>]
    List PDP contexts.
Options
Displays the state of GTP inspection.
Description
Display runtime information about GTP Inspection.
Usage
gtpinspection
    Show GTP-C/GTP-U sessions handled by GTP Inspection.
gtpinspection -show={BRIEF | FULL} [-control] [-user] [-num={ALL | <n>}] [-version={GTPV1 | GTPV2}] [-profile=<GTP Inspection Profile>] [-origiface=<Interface>] [-termiface=<Interface>] [-origip=<IP range>] [-termip=<IP range>] [-origteid=<Integer>] [-termteid=<Integer>] [-imsi=<String>] [-msisdn=<String>] [-eua=<IP range>] [-imei=<String>] [-apn=<String>] [-session=<Integer>] [-state={PENDING | ESTABLISHED | BOTH}]
    Show GTP-C/GTP-U sessions handled by GTP Inspection.
gtpinspection -close [-control] [-user] [-version={GTPV1 | GTPV2}] [-profile=<GTP Inspection Profile>] [-origiface=<Interface>] [-termiface=<Interface>] [-origip=<IP range>] [-termip=<IP range>] [-origteid=<Integer>] [-termteid=<Integer>] [-imsi=<String>] [-msisdn=<String>] [-eua=<IP range>] [-imei=<String>] [-apn=<String>] [-session=<Integer>] [-all] [-state={PENDING | ESTABLISHED | BOTH}]
    Close active GTP-C/GTP-U sessions.
gtpinspection -snoop={FULL | BRIEF | OFF} [-profile=<GTP Inspection Profile>] [-origiface=<Interface>] [-origip=<IP range>] [-termip=<IP range>]
    Enable/Disable GTP message snooping.
Options
Control and show status of the HA system.
Description
Control and show status of the HA system.
Usage
ha
    Show the HA status of the system.
ha -status [-module] [-internal]
    Show the HA status of the system.
ha -activate [-force]
    Request that this HA node will become the active one.
ha -deactivate [-force]
    Request that this HA node will become the inactive one.
ha -recvconf [-reboot] [-force]
    Receive configuration from HA peer.
ha -sendconf [-reboot] [-force]
    Send configuration to HA peer.
ha -reboot [-local] [-peer] [-force]
    Reboot local/peer HA node.
ha -compconf
    Compare configuration with HA peer.
ha
    Show the HA status of the system.
Options
Hardware monitoring command.
Description
Retrieves sensor and sensor monitor information.
Usage
hwmon
    Show brief monitor information.
hwmon -sensorlist
    Show the system sensor list.
hwmon -show [<String>]
    Show specific monitor information.
hwmon -techsupport={DEVICESENSORS | IPMISTATUS}
    Show internal technical support information.
Options
Check interface status.
Description
Prints out basic information about an interface.
Usage
ifstat
    List all ethernet interfaces.
ifstat -devicescan
    Display the currently available devices in the system.
ifstat -device=<hardware port> [-per-queue-stats]
    Display information (link status, statistics) about a specific hardware port.
ifstat -type={ALL | CORE | NULL | ETHERNET | IPSEC | GRE | GTP | VLAN | SSLVPN | LAG | IFACEGROUP | ZONE} [-allindepth] [-num={ALL | <Integer>}]
    List interfaces currently configured in the system.
ifstat -allindepth [-type={ALL | CORE | NULL | ETHERNET | IPSEC | GRE | GTP | VLAN | SSLVPN | LAG | IFACEGROUP | ZONE}] [-num={ALL | <Integer>}] [-per-queue-stats]
    Display detailed information about all interfaces.
ifstat <interface> [-up] [-down] [-per-queue-stats]
    Display detailed interface information.
ifstat
    List all ethernet interfaces.
Options
Shows info about IKE SAs or performs connect/delete/rekey operations.
Description
The command gives information about the IKE SAs currently established or in negotiation. It can also be used to initiate a tunnel negotiation, tear down or rekey.
The command can also be used to give a human readable printout of IKE messages passed to/from the IKE daemon.
Usage
ike -show [-tunnel=<IPsecTunnel>] [-id=<Integer>] [-excl] [-state={CREATED | CONNECTING | ESTABLISHED | PASSIVE | REKEYING | DELETING | DESTROYING}] [-numchild={ALL | <Integer>}] [-localendpoint=<IP range>] [-remoteendpoint=<IP range>] [-localaddress=<IP range>] [-remoteaddress=<IP range>] [-recviface[=<Interface>]] [-verbose] [-num={ALL | <Integer>}] [-clone=<Integer Range>] [-sort={NONE | ID | NAME | LOCALADDRESS | REMOTEADDRESS | LOCALENDPOINT | REMOTEENDPOINT}] [-order={ASC | DESC}]
    Show established IKE SAs.
ike -connect [-tunnel=<IPsecTunnel>] [-id=<Integer>] [-clone=<Integer Range>] [-active=<Integer>]
    Initiate an IKE negotiation.
ike -rekey={IKE | IPSEC} [-tunnel=<IPsecTunnel>] [-id=<Integer>] [-verbose] [-clone=<Integer Range>] [-active=<Integer>]
    Initiate an IKE rekey.
ike -delete [-tunnel=<IPsecTunnel>] [-id=<Integer>] [-force] [-verbose] [-clone=<Integer Range>]
    Delete established IKE SAs.
ike -snoop={BRIEF | FULL | OFF} [-localendpoint=<IP range>] [-remoteendpoint=<IP range>] [-recviface[=<Interface>]] [-routingtable=<RoutingTable>]
    Enable/Disable IKE message snooping.
ike -certshow [-type={ANY | CERT | CRL}] [-verbose] [-subject=<String>] [-issuer=<String>] [-strict] [-num={ALL | <Integer>}]
    Show certificate cache.
ike -certflush [-type={ANY | CERT | CRL}]
    Flush certificate cache.
ike -ippool [-static] [-tunnel=<IPsecTunnel>] [-num={ALL | <Integer>}]
    Show IP pool information.
ike -stat [-jobs]
    Show IKE statistics.
ike
    Same as "ike -show".
Options
Show statistics related packet input/output.
Description
Show statistics related packet input/output.
Usage
iostat [-cpu]
Options
Intrusion prevention system.
Description
Intrusion Prevention System.
Show number of signatures in rules, groups or categories. To show individual signatures use -verbose.
Command to activate and remove signature files.
Example 2.8. Show individual signatures in category IPS_WEB_*, limiting output to 40 signatures.
ips -show=category ips_web_* -verbose -num=40
Usage
ips -num=<number>
Show signatures by rule.
ips -show=rule [<Rule>] [-verbose] [-num=<number>]
Show signatures by rule.
ips -show=signature <Signature ID>
Show signature by ID.
ips -show=category [<Category>] [-verbose] [-num=<number>]
Show signatures by category.
ips -show=group [<Group>] [-verbose] [-num=<number>]
Show signatures by group.
ips -show=file
Show signatures by file.
ips -activate <Filename>
Activate IPS signature file.
ips -remove <Filename>
Remove active IPS signature file from media.
ips -show=filewarnings [<Filename>] [-num=<number>]
Show errors found while parsing signature files.
Options
Show SAD/SPD.
Description
Show information about entries in the Security Association Database (SAD) as well as in the Security Policy Database (SPD).
Usage
ipsec -show={SAD | SPD | TUNNELS} [-verbose] [-tunnel=<IPsecTunnel>] [-localendpoint=<IP range>] [-remoteendpoint=<IP range>] [-localaddress=<IP range>] [-remoteaddress=<IP range>] [-excl] [-spi=<Integer>] [-num[=<Integer>]]
Show IPsec SAD/SPD/Tunnels.
ipsec -verbose [-localendpoint=<IP range>] [-remoteendpoint=<IP range>] [-localaddress=<IP range>] [-remoteaddress=<IP range>] [-excl] [-spi=<Integer>] [-num[=<Integer>]]
Same as "ipsec -show=tunnels -verbose".
ipsec
Same as "ipsec -show=tunnels".
Options
Lists the current IPsec configuration.
Description
Lists the current IPsec configuration.
Usage
ipsectunnels -iface=<recv iface>
Show specific interface.
ipsectunnels -num={ALL | <Integer>}
Show a specific number of interfaces.
ipsectunnels
Show interfaces.
Options
Debug functionality for LCD.
Description
LCD controller
Usage
lcdctrl...
lcdctrl -text [<String>]
Write text to LCD display.
lcdctrl -clear
Clear LCD display.
lcdctrl -backlight={OFF | ON}
Set state of LCD back light.
lcdctrl -statusled={OFF | ON | BLUE/GREEN | RED | BLINK | BLINK-GREEN-OFF | BLINK-RED-OFF | BLINK-RED-GREEN}
Set state of the status LED.
lcdctrl -goto [-x=<X>] [-y=<Y>]
Move cursor on LCD display.
lcdctrl -up
Simulate up from the keypad.
lcdctrl -down
Simulate down from the keypad.
lcdctrl -left
Simulate left from the keypad.
lcdctrl -right
Simulate right from the keypad.
Options
Memory.
Description
Show memory consumption.
Usage
memory -unit={KB | MB | GB}
Show memory usage.
memory -limit=<Integer>
Show only categories with memory usage above specified limit.
memory -verbose [-detailed] [-limit=<Integer>] [-unit={KB | MB | GB}]
Show memory usage.
memory -proc
Show memory usage for all categories.
Options
Show NAT Pool runtime information.
Description
The natpool CLI command may be used for inspecting the status of the IP address usage of NAT Pools.
Example 2.10. Retrieve extended NAT Pool info (deterministic NAT Pool)
Device:/> natpool mydetnatpool -verbose
(will show an extended summary of the NAT Pool configured blocks.)
(for detailed information use the -externalip or the -internalip options)
Example 2.11. Retrieve extended NAT Pool info for a specific translation IP
Device:/> natpool mynatpool -externalip=111.111.111.111
(the output info depends on NAT Pool type)
(for deterministic NAT will show all blocks assigned to the IP)
Example 2.12. Retrieve extended NAT Pool info for a specific internal IP (deterministic NAT Pool)
Device:/> natpool mynatpool -internalip=111.111.111.111
(will show all blocks the internal IP is using)
Example 2.13. Backward mapping for one IP (deterministic NAT Pool)
Device:/> natpool -reverse mydetnatpool -externalip=111.111.111.111 -externalport=12345
(the output info depends on mydetnatpool configured parameters)
Usage
natpool <pool name> [-verbose] [-internalip=<IP>] [-externalip=<IP>] [-num=<n>]
Shows information on a specific NAT Pool IP.
natpool -reverse <pool name> [-externalip=<IP>] [-externalport=<port number>]
Reverse maps from external IP and port to internal IP. Usable only for deterministic NAT Pools.
natpool
Shows a summary for all configured NAT Pools.
Options
Show ND entries for given interface.
Description
List the ND cache entries of specified interfaces.
If no interface is given the ND cache entries of all interfaces will be presented.
The presented list can be filtered using the ip and hw options.
Usage
ndp
Same as 'ndp -show -type=Neighbor'.
ndp -show [<interface>] [-iprange=<IP range>] [-num=<n>] [-type={NEIGHBOR | ROUTER | DNSSERVER}] [-state={ALL | DYNAMIC | NORMAL | STALE | UNRESOLVED | CRYPTO | STATIC | PUBLISH | XPUBLISH}]
Show ND entries.
ndp -flush [<interface>] [-iprange=<IP range>] [-state={ALL | DYNAMIC | NORMAL | STALE | UNRESOLVED | CRYPTO | STATIC | PUBLISH | XPUBLISH}]
Flush ND cache of specified interface.
ndp -notify <interface> -ip=<IP address> [-hwsender=<String>]
Send gratuitous ND for IP.
ndp -releaserouter [<interface> [<String>]]
Remove specified routers from the table of all specified interfaces.
ndp -releasedns [<interface>]
Remove DNS servers from the table of all specified interfaces.
ndp -renew [<interface>]
Send router solicitation.
Options
Toggle snooping and displaying of NDP requests.
Description
Toggle snooping and displaying of NDP queries and responses on-screen.
Aborting the ndpsnoop command can be done by calling 'ndpsnoop none' or by pressing CTRL-C. Using CTRL-C will also terminate all other running CLI commands.
Usage
ndpsnoop
Show snooped interfaces.
ndpsnoop {ALL | NONE | <interface>} [<Network>] [-type={NEIGHBOR | ROUTER | ANY}] [-verbose]
Snoop specified interface.
Options
List current Netcon connections.
Description
Lists current Netcon connections and shows the interface, IP-address and port for each connection.
Usage
List runtime values of configured network objects.
Description
Displays named network objects and their contents.
Usage
netobjects [<IP>] [-num=<num>] [-verbose]
Options
Show runtime OSPF information.
Description
Show runtime information about OSPF router processes.
Usage
ospf
Show runtime information.
ospf -process=<OSPF Router Process>
Show runtime information for specific OSPF router process.
ospf -iface [<interface>] [-process=<OSPF Router Process>]
Show interface information.
ospf -area [<OSPF Area>] [-process=<OSPF Router Process>]
Show area information.
ospf -neighbor [<OSPF Neighbor>] [-process=<OSPF Router Process>]
Show neighbor information.
ospf -route [{HA | ALT}] [-process=<OSPF Router Process>]
Show the internal OSPF process routing table.
ospf -database [-verbose] [-process=<OSPF Router Process>]
Show the LSA database.
ospf -lsa <lsaID> [-process=<OSPF Router Process>]
Show details for a specified LSA.
ospf -snoop={ON | OFF} [-verbose] [-process=<OSPF Router Process>]
Show troubleshooting messages on the console.
ospf -ifacedown <interface>
Take specified interface offline.
ospf -ifaceup <interface>
Take specified interface online.
ospf -execute={STOP | START | RESTART} [-process=<OSPF Router Process>]
Start/stop/restart OSPF process.
Options
List pipes and display their status.
Description
Display the current status of traffic shaping.
Usage
pipe -num=<n> [-average] [-grouping]
List pipe objects.
pipe <Pipe> [-average] [-statistics={ENABLE | DISABLE | RESET}] [-grouping] [-num=<n>]
Display pipe details.
pipe -group=<String> <Pipe> [-average] [-statistics={ENABLE | DISABLE | RESET}]
Display group details for a specific pipe.
pipe -reset <Pipe>
Reset specific pipe statistics.
pipe -reset
Reset pipe statistics.
pipe
Same as "pipe -show".
Options
Show portmanager state.
Description
The portmanager CLI command may be used for inspecting the current port usage for a specific source and destination IP pair.
The source IP address is usually a local IP address assigned to one of the gateway's interfaces and used as source address for NAT'ing. The destination address is a remote destination to where the gateway has a connection.
Usage
portmgr -srcip=<ip addr> -destip=<ip addr> [-port=<1...65535>]
Options
Enable/Disable snooping on RADIUS interface.
Description
The radiussnoop command is used to view information about messages transferred on the RADIUS interface.
Using the server and user options it is possible to filter the displayed information.
Usage
radiussnoop [-server=<RADIUS Server>] [-user=<String>] [-on] [-off] [-verbose]
Options
Route monitoring commands.
Description
Display information about monitored routes.
Usage
rfo
Show monitored routes.
rfo -show [-verbose]
Show verbose information.
rfo -forceenable <Integer>
Force enable route.
rfo -forcedisable <Integer>
Force disable route.
Options
Display user space routing tables.
Description
Display information about the user space routing table(s):
Note that "core" routes for interface IP addresses are not normally shown. Use the -all switch to show core routes also.
Explanation of Flags field of the routing tables:
Usage
routes -lookup=<ip address> [<table name>] [-rawdb]
Lookup IP address.
routes
Show routes.
routes -show [{<ALL> | <table name>}] [-alltypes] [-num={ALL | <n>}] [-nonhost] [-verbose] [-rawdb]
Show routes.
routes -tables
Show named tables.
Options
Show rules lists.
Description
Shows the content of the various types of rules, i.e. main ruleset.
Usage
rules
Show IP rules.
rules -num=<n>
Show num IP rules.
rules -verbose
Show IP rules with verbose output.
rules -type={IP | ACCESS | PBR} [<rules>] [-verbose] [-num=<n>]
Show rules (verbose output).
rules <rules> [-verbose]
Show IP rules within range 'rules'.
Options
Toggle snooping and displaying of RULE requests.
Description
Toggle snooping and displaying of RULE queries and responses on-screen.
Aborting the rulesnoop command can be done by calling 'rulesnoop none' or by pressing CTRL-C. Using CTRL-C will also terminate all other running CLI commands.
Usage
rulesnoop
Show snooped state.
rulesnoop {ALL | CORE | NONE | <interface>} [<destination> [<source>]] [-verbosity={BASIC | INFORMATIVE | EXTREME}] [-ratelim=<1...65535>]
Snoop specified interface.
Options
List current state of SCTP associations.
Description
Display the current state of SCTP associations.
Usage
sctp
Same as "sctp -show".
sctp -show [-num=<number>] [-initip=<ip address>] [-respip=<ip address>] [-initport=<port>] [-respport=<port>] [-initif=<Interface>] [-respif=<Interface>] [-vtag=<String>] [-state={INIT | INIT-ACK | COOKIE-ECHO | ESTABLISHED | SHUTDOWN | SHUTDOWN-WAIT}] [-showvtag] [-compact] [-showalias] [-linger]
Show SCTP associations.
sctp -close [-all] [-initip=<ip address>] [-respip=<ip address>] [-initport=<port>] [-respport=<port>] [-initif=<Interface>] [-respif=<Interface>] [-vtag=<String>] [-state={INIT | INIT-ACK | COOKIE-ECHO | ESTABLISHED | SHUTDOWN | SHUTDOWN-WAIT}]
Close an SCTP association.
Options
SIP ALG.
Description
List running SIP-ALG configurations, SIP registration and call information.
The -flags option with -snoop allows any combination of the following values:
Flags can be added in the usual way. The default value is 0x00000003 (GENERAL and ERRORS).
NOTE: 'verbose' option outputs a lot of information on the console which may lead to system instability. Use with caution.
Usage
sipalg -definition [<ALG>]
Show running ALG configuration parameters.
sipalg -registration[={SHOW | FLUSH}] [<ALG>] [-num=<number>] [-index=<number>] [-compact] [-iface=<Interface>] [-user=<String>] [-ip=<ip address>] [-sort-column=<number>]
Show or flush current registration table.
sipalg -call [<ALG>] [-num=<number>] [-sort-column=<number>]
Show active SIP calls.
sipalg -session [<ALG>] [-num=<number>] [-sort-column=<number>]
Show active SIP sessions.
sipalg -connection [<ALG>] [-num=<number>]
Show SIP connections.
sipalg -statistics[={SHOW | FLUSH}] [<ALG>]
Show or flush SIP counters.
sipalg -snoop={ON | OFF | VERBOSE} [-flags=<String>]
Control SIP snooping. Useful for troubleshooting SIP transactions. NOTE: 'verbose' option outputs a lot of information on the console which may lead to system instability. Use with caution.
Options
Displays the state of SSLVPN servers.
Description
The sslvpn command is used to view information about and manage SSLVPNServer tunnel interfaces. It can be used to view and close SSL VPN sessions, and to trigger rekeying of sessions.
Usage
sslvpn -num={ALL | <n>}
Show SSLVPN service summary.
sslvpn -show [<tunneliface>] [-remoteip=<IP range>] [-remoteport=<Integer Range>] [-assignedip=<IP range>] [-recviface[=<Interface>]] [-state={CONNECTED | CONNECTING}] [-num={ALL | <n>}]
Show SSLVPN sessions.
sslvpn -snoop={OFF | BRIEF | FULL} [<tunneliface>] [-localip=<IP range>] [-remoteip=<IP range>] [-remoteport=<Integer Range>] [-recviface[=<Interface>]]
Enable/Disable SSLVPN message snooping.
sslvpn -close [<tunneliface>] [-all] [-nohalt] [-remoteip=<IP range>] [-remoteport=<Integer Range>] [-assignedip=<IP range>] [-recviface[=<Interface>]] [-state={CONNECTED | CONNECTING}]
Close SSLVPN sessions.
sslvpn -rekey [<tunneliface>] [-all] [-remoteip=<IP range>] [-remoteport=<Integer Range>] [-assignedip=<IP range>]
Rekey connected SSLVPN sessions.
Options
View statistical values generated by the system.
Description
View statistical values generated by the system.
In order to view statistical values they must first be specified by using the -add option. The list of values that have been created using -add can be reduced by using the -remove option. Running the command again will then poll the current list of values.
Example 2.16. Add statistical values
Add all interface statistics:
statistics -add /interfacesbytes_recv
Example 2.17. Poll selected values
Using an interval of 2 seconds:
statistics -poll -interval=2
Once:
statistics
Usage
statistics -listall
List available statistical values.
statistics -listpolled
Show the poll list.
statistics -stop
Stop interval polling of statistical values.
statistics -add <value>
Add statistical values to the list of polled values.
statistics -remove <value>
Remove statistical values from the list of polled values.
statistics -poll [-interval=<interval>] [-nonzero] [-rate[={COUNTERS | MAX | MIN | MOMENTARY | NUMERIC}]] [-diff-counters] [-human] [-format={HUMAN | RAW}] [-transferrate={BITS | BYTES}] [-numdigits=<1...10>] [-timefmt={DECIMAL | UNITS}] [-verbose]
Poll values.
statistics -snapshot-counters
Create (or update) the local snapshot of counter based values.
statistics -get <values> [-human] [-format={HUMAN | RAW}] [-numdigits=<1...10>] [-timefmt={DECIMAL | UNITS}]
Directly display values of statistical counters.
statistics
Poll values.
Options
Memory Test command.
Description
Test memory library
Usage
testmem -diff [-allocate] [-type={CHAR | UINT}] [-size=<Integer>]
Allocate memory in 2 different locations.
testmem -allocate [-type={CHAR | UINT}] [-num=<Integer>] [-size=<Integer>] [-cat=<1...2>]
Allocate memory.
testmem -free [-type={CHAR | UINT}] [-id=<Integer>] [-cat=<1...2>]
Free memory.
testmem -list
List allocated memory.
testmem -killme
Exit application.
testmem -fastexit
Exit application now.
testmem -track
Print memory allocations.
testmem -start [-size=<Integer>] [-memleak] [-z]
Start allocation thread.
testmem -stop
Stop allocation thread.
testmem -usedMem
Mem_test memory usage.
Options
List current threshold state.
Description
Display the current threshold state.
Explanation of columns in the "-show" output. Group Limit, Max Current, Active Groups vs Exceeding Groups difference.
Explanation of column in "-show -grouping" output.
Usage
threshold -reset
Reset grouping state of threshold rules.
threshold -show [-num=<n>] [-grouping]
List grouping state of threshold rules.
threshold -show [-num=<n>]
Display current state of threshold rules.
threshold <rule> [-num=<n>] [-grouping] [-threshold=<String>]
Display grouping state for a specific threshold rule.
threshold
Same as "threshold -show".
Options
Handles configuration/system backup.
Description
Backup, restore, or revert the status of the current system.
There are different types of backups: partial system backups, which only store system configuration data, and complete system backups, which store both the system software and configuration data. The configuration and/or software data is stored to a single backup file on the device when the backup is created. Backup files may also be transferred to the device remotely.
Using the restore command option, backup files can be used to restore the configuration and/or software from a previously backed up state. Following a backup restore, it is possible to revert to the previous configuration and/or software using the revert command option. Note that performing a complete system restore or complete system revert will require the system to be restarted.
Performing a factory reset will reset the configuration and/or software to the factory defaults of the device. Please consult the administrators guide before using this option.
Example 2.18. List all backup files
Device:/> backup
(command output)
Device:/> backup -list
(command output)
Example 2.19. Perform a partial (configuration only) system backup and restore
Device:/> backup -create configuration_backup.bkp
Backup file "configuration_backup.bkp" created
(command output)
Device:/> backup -restore configuration_backup.bkp
(command output)
Backup restore successful using "configuration_backup.bkp"
Changes must be activated and committed to be applied
Example 2.20. Perform a complete system backup and restore
Device:/> backup -create complete_backup.bkp -system
Creating full system backup. This may take some time...
Backup file "complete_backup.bkp" created
(command output)
Device:/> backup -restore complete_backup.bkp -system
This will restore the system backup "complete_backup.bkp".
On completion the system will be rebooted.
Are you sure you want to restore the system backup? [yes/no]:
(command output)
Example 2.21. Revert the system following a partial system restore
Device:/> backup -revert
(command output)
Revert successful
Changes must be activated and committed to be applied
Example 2.22. Revert the system following a complete system restore
Device:/> backup -revert
This will revert the system to the point BEFORE the last backup restore.
On completion the system will be rebooted.
Are you sure you want to revert the system? [yes/no]
(command output)
Example 2.23. Deleting backup files
Device:/> backup -delete backupfile.bkp
Removed simplebackup.bkp successfully.
Device:/> backup -delete backupfile-???.bkp
Removed some files successfully.
Device:/> backup -delete backupfile-2015*.bkp
Removed some files successfully.
Device:/> backup -delete all
Removed all files successfully.
Example 2.24. Perform a partial factory reset (configuration only)
Device:/> backup -factoryreset
This will reset the configuration (but not the firmware) to factory default.
This change is not reversible.
Are you sure you want to continue? [yes/no]:
(command output)
Example 2.25. Perform a complete factory reset
Device:/> backup -factoryreset -system
This will reset the whole system (both firmware and configuration) to factory default.
This change is not reversible.
Are you sure you want to continue? [yes/no]:
(command output)
Usage
backup -list
List backup files.
backup -create [<create filename>] [-system] [-force]
Create backup.
backup -restore <restore filename> [-force] [-reboot]
Restore backup.
backup -delete <delete filename>
Delete backup.
backup -revert
Revert applied restore.
backup -factoryreset [-system] [-force]
Reset the configuration or system to default.
backup
List backup files.
Options
Note | |
---|---|
Requires Administrator privileges. |
Certificate management.
Description
Manages certificate retrieval and updates.
An example of a "subject" string:
CN=name,O=organization,C=country
An example of a "subjectAltName" string:
172.22.36.1,fc01:2002::1,email@somewhere.com,fqdn.network.org
Usage
certmgr -initiate -clientcert=<Certificate> -username=<String> -password=<String> -subject=<String> [-subjectAltName=<String>] [-hex]
Initiate certificate fetching from a CA.
certmgr -update -clientcert=<Certificate>
Update an existing valid certificate.
certmgr -revoke -clientcert=<Certificate>
Revoke an existing valid certificate.
Options
Display Openstack config drive contents. (NOTE: Command not available when running as a container)
Description
This command is used to display Openstack config drive contents.
Usage
cloudconfig -show <filename> [-nopages]
Show config drive file contents.
cloudconfig
Display config drive availability.
Options
Manage application crash dumps.
Description
The crashdump command is used to manage crashdump files. Crashdump files are binary files created if the system or subsystem crashes. They hold information on the state of the system at the time of the crash.
Example 2.26. List all crashdump files
Device:/> crashdump
(not shown here)
Device:/> crashdump -list
(not shown here)
Example 2.27. Delete a single crashdump file
Device:/> crashdump -delete 2016-04-21_13.54.25_dhcpserver.dump
(not shown here)
Example 2.28. Delete a crashdump file using wildcards (*?[])
Device:/> crashdump -delete 2014-11-16_12.??.??_dhcpserver.dump
(not shown here)
Device:/> crashdump -delete *_dhcpserver.dump
(not shown here)
Usage
crashdump
List all crash dump files.
crashdump -list
List all crash dump files.
crashdump -delete {ALL | <filename>}
Delete crash dump file(s).
Options
View Diagnostic messages generated by the system.
Description
The diagnostic console is used to help troubleshoot internal problems within the firewall.
Using the date, severity, app and category options it is possible to filter the diagnostic messages. Setting a date limit will only show entries from this date and forward. Setting Category(s) will only show entries with the specified Category(s). The categories are the same as those used for logging. Setting an app (application name) will show only entries with the specified application. Setting severity will show only entries with the specified severity and higher. Severity levels are (in order of precedence from highest to lowest): Critical, High, Info (Informational) and Debug.
Aborting the dconsole command can be done by pressing CTRL-C. Using CTRL-C will also terminate all other running CLI commands.
Usage
dconsole
Show all Dcon log entries.
dconsole -show [-severity={CRITICAL | HIGH | INFO | DEBUG}] [-app=<String>] [-category=<String>] [-date=<String>]
Show Dcon log entries.
dconsole -clean
Clears the event message list and removes event message disk file.
dconsole -flush
Flushes the event message list to disk.
Options
IP echoserver.
Description
The echo server functionality is used to receive, interpret and echo back IP packets. The rules that are set up when enabling the echo server can be listed using the 'ruledb' CLI command. These rules are among the ones named 'socket'.
IP protocols that are fully supported are the ones listed within the 'protocol' property - their protocol headers are parsed and modified accordingly when echoed back to the sender. It is however possible to set up an echo server for any IP protocol by specifying the IP protocol number and also specifying to use raw IP format.
The echo server statistics that can be listed using '-stats' show the number of received and echoed packets along with the sum of data sizes for received and sent packets. The packet data sizes are counted without packet headers. I.e. for UDP packets it is the size of the UDP packet data and for any raw packet it is the size of the data without the IP header.
Usage
echoserver [-ip=<ip addr>] [-iface=<Interface>] [-stats] [-start] [-stop] [-verbose] [-ipv6] [-protocol={UDP | ICMP | ICMPV4 | ICMPV6 | ANY | <String>}] [-port=<port>] [-flowcnt=<n>] [-raw]
Options
Note | |
---|---|
Requires Administrator privileges. |
List ethernet devices and add new devices to the configuration.
Description
The ethupdate command detects available ethernet interfaces and allows for listing these as well as automatically creating the appropriate EthernetDevice configuration objects.
Usage
ethupdate
List all ethernet devices.
ethupdate -cfgupdate
Update the configuration by adding new ethernet devices.
ethupdate -status
Show status of the ethernet devices configuration.
Options
Manage and show information about the license.
Description
Activate a new license, show information about the license, or remove the license.
To activate a new license file, first upload it using scp.
Usage
license
Show information about the license.
license remove
Remove the license.
license activate [<Filename>]
Activate new license.
Options
View log messages generated by the system.
Description
View log messages generated by the system.
This command displays the system log messages. By specifying filter conditions (like 'category', 'action', 'srcip' etc), unwanted log messages can be filtered out. There are two modes, include and exclude mode. By default include mode is used, which means that only the log messages satisfying filter conditions will be shown. Specifying the switch 'excl' will turn on exclude mode. In this case only the log messages not satisfying the filter conditions will be displayed. If the command is already running, users can reset the filter conditions by submitting new ones.
Using 'rate' and 'num' display limits can prevent the console from message flooding. Setting a 'rate' limit will allow the system to show only the specified number of log messages per second, discarding the rest. When a 'num' limit is set, showing is automatically turned off as soon as the amount of log messages displayed reaches the specified limit.
Aborting the log command can be achieved by calling it without arguments or by pressing CTRL-C. Notice that using CTRL-C will also terminate all other running CLI commands.
Example 2.30. Show logs with different filter conditions setup
Destination IP address ranges from 192.168.1.1 to 192.168.1.254:
System:/> log -on -destip=192.168.1.1-192.168.1.254
Action is NOT drop:
System:/> log -on -action=drop -excl
Logs containing text "user" and limit to at most 10 logs per second:
System:/> log -on -text=user -rate=10
First 9 logs with category either "IPv4" or "ARP":
System:/> log -on -category=IPV4,ARP -num=9
Usage
log -on [-excl] [-text=<String>] [-regexp=<String>] [-category=<String>] [-action=<String>] [-id=<String>] [-tag] [-prio=<String>] [-srcip=<ip addr>] [-destip=<ip addr>] [-ip=<ip addr>] [-srciface=<Interface>] [-destiface=<Interface>] [-iface=<Interface>] [-srcport=<Integer Range>] [-destport=<Integer Range>] [-rate=<Integer>] [-num=<Integer>] [-event=<String>]
Start displaying log messages, with specified filter conditions. If logging is already enabled, filter conditions will be changed to the new ones specified.
log -off
Stop receiving log messages.
log
Toggle logging on/off.
Options
Packet capture utility.
Description
Capture, save and view packets.
Example 2.31. Perform packet capture on interface "if1". Packets will be written to a file with an auto-generated name when capture is stopped.
Device:/> pcapdump -start if1
Device:/> pcapdump -stop if1
Stopping packet capture: if1.
Interface Pkts(In) Pkts(Out) Saved to file
--------- -------- --------- ---------------------------
if1       26       25        if1_2015-01-01_00.00.00.cap
Example 2.32. Perform packet capture on interface "if1". Write the packets to a file called "if1.cap".
Device:/> pcapdump -start if1 -nowrite
Device:/> pcapdump -stop if1
Device:/> pcapdump -write if1 if1.cap
Example 2.33. Perform packet snoop on interface "if1" with filters.
Device:/> pcapdump -start if1 -out -nocap -ipsrc=192.168.0.1 -port=999
#1 >if1 IP 192.168.0.1->192.168.255.255 IHL:20 DataLen:48 TTL:255 Proto:UDP
UDP 999->999 DataLen:40
Device:/> pcapdump -stop if1
Example 2.34. Show the capture status.
System:/> pcapdump -status
PCAP Status
Interface Mode   Packets(In) Packets(Out) Filter
--------- ------ ----------- ------------ ------
if1       Active 27          0
Explanation of the "Mode" column:
"Active" - The interface is being captured.
"Snoop" - Packets are being printed out but not captured.
"Idle" - Capture has stopped and packets can be written to storage by using "pcapdump -write".
Example 2.36. Show the content of a capture file in hexadecimal format.
Device:/> pcapdump -show if1_2015-01-01_00.00.00.cap -hex
Example 2.37. Remove the capture files and free the memory used by pcapdump.
Device:/> pcapdump -remove
Usage
pcapdump
Show capture status.
pcapdump -status
Show capture status.
pcapdump -list
List capture files in the storage.
pcapdump -start [<interface>] [-eth=<EthernetAddress>] [-ethsrc=<EthernetAddress>] [-ethdest=<EthernetAddress>] [-ip=<IP>] [-ipsrc=<IP>] [-ipdest=<IP>] [-proto={ICMP | IGMP | IPV4 | TCP | UDP | IPV6 | GRE | ESP | AH | ICMPV6 | OSPF | MTP | L2TP | SCTP | <Integer Range>}] [-port={BOOTPS | BOOTPC | FTP | SSH | TELNET | SMTP | HTTP | NTP | SNMP | BGP | HTTPS | <Integer Range>}] [-portsrc={BOOTPS | BOOTPC | FTP | SSH | TELNET | SMTP | HTTP | NTP | SNMP | BGP | HTTPS | <Integer Range>}] [-portdest={BOOTPS | BOOTPC | FTP | SSH | TELNET | SMTP | HTTP | NTP | SNMP | BGP | HTTPS | <Integer Range>}] [-bufsize=<Integer>] [-count=<Integer>] [-snaplen=<Integer>] [-out] [-nocap] [-hex] [-k12] [-nowrite] [-verbose]
Start capture with specified filters and limits. If capture is already started, the filters and limits will be changed to the new ones specified.
pcapdump -stop [<interface>]
Stop capture.
pcapdump -show [<interface>] [-filename=<filename>] [-num[={ALL | <1...65535>}]] [-hex] [-k12] [-verbose]
Show a brief of captured packets.
pcapdump -write [<interface> [<filename>]]
Write the captured packets to storage.
pcapdump -remove [<interface>] [-filename=<filename>]
Remove the packets captured on an interface, or remove a capture file. If interface and filename are not specified, all captured packets and files will be removed.
Options
Note | |
---|---|
Requires Administrator privileges. |
Ping host.
Description
Sends one or more ICMP ECHO, TCP or UDP packets to the specified IP address of a host. All datagrams are sent preloaded-style (all at once).
The data size -length given is the ICMP or UDP data size. 1472 bytes of ICMP data results in a 1500-byte IP datagram (1514 bytes ethernet).
When -srciface IS NOT specified, the outbound packet is routed using the "main" RoutingTable, unless -routingtable is specified. Once route lookup is done, the packet is always allowed to be sent out, regardless of configured rule sets.
When -srciface IS specified, the system simulates that it has received the packet from -srcip on -srciface and will perform route lookup according to the system configuration (RoutingRules, InterfaceMembership, etc.). Then the packet will be processed according to the configured rule sets.
It's possible to use -v or even -vv to show more information.
Example 2.38. Using TCP to probe network connectivity against a HTTP server.
gw-world:/> ping -tcp server_ip -port=80 -request="GET / HTTP/1.0\n\n"
Example 2.39. Using ICMP simulation to troubleshoot connectivity from an endpoint on the LAN network to a server on the WAN network.
gw-world:/> ping server_ip -srcip=ip-of-lan-endpoint -srciface=lan -vv
Usage
ping <host> [-sharedip] [-srciface=<interface>] [-srcip=<ip address>] [-iface=<interface>] [-routingtable=<table>] [-num=<1...10>] [-length=<4...59948>] [-v] [-verbose] [-vv]
Send an ICMP ping.
ping -udp <host> [-sharedip] [-srciface=<interface>] [-srcip=<ip address>] [-routingtable=<table>] [-num=<1...10>] [-length=<4...59948>] [-srcport=<1...65535>] [-port=<1...65535>] [-v] [-verbose] [-vv]
Send a UDP ping.
ping -tcp <host> [-iface=<interface>] [-srciface=<interface>] [-srcip=<ip address>] [-routingtable=<table>] [-port=<1...65535>] [-request=<String>] [-v] [-verbose] [-vv] [-num=<1...10>] [-srcport=<1...65535>]
Send a TCP ping.
Options
Note | |
---|---|
Requires Administrator privileges. |
Run and manage script files.
Description
The script command can be used to create, run and manage scripts.
Configuration script files are files that consist of CLI configuration commands, one per line. Script file comment lines begin with the character '#'. Arguments to scripts are available by variable substitution, where '$0' is replaced by the script file name and the variables $1-$N are replaced by the supplied arguments. Escaping the '$' sign is done as '\$'.
All or parts of the current running configuration that are not read-only can be created as a script file and either displayed to the console or stored to disk. A script of part of the configuration can be created at the granularity of an object category (e.g. [Address]), an object class (e.g. IPAddress) or a single object.
When a script is created from the configuration it will include any uncommitted objects. That is, it is possible to create script files of changes without committing them to the system first.
Script files are transferred to and from the device by using the SCP protocol. On the device, script files must be stored in the "/scripts" folder in order for the script command to make use of them.
When adding or changing configuration objects using a script file it is possible to make the changes 'out-of-order'. That is, if one object refers to another object, the first object can be added and refer to the second object even though that object has not yet been added. Normally when a configuration change is done through the CLI, it is immediately validated and any errors are reported back to the user. When running commands from a script file the reference validation is turned off during execution of consecutive 'add' and 'set' commands and turned back on again when any other command is executed, or the script ends.
Running scripts while configuration modifications are being made from other user sessions is not recommended.
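The argument substitution rules described above ($0, $1-$N and the \$ escape), modelled offline in Python as an added example; it is not Clavister code and not part of the original guide. It expands each non-comment line and reports references to arguments that were not supplied, so a script can be reviewed before it is run on the device. The function names, the constructed sample script (its second line is the one used in Example 2.43) and the reading of "$10" as the tenth argument are assumptions.

```python
import re

# One token is either the escape sequence \$ or a variable reference $<digits>.
# Assumption: a run of digits after '$' is read as one index, so "$10" means
# the tenth argument. The guide only says "$1-$N" and does not spell this out.
_TOKEN = re.compile(r"\\\$|\$(\d+)")

# Constructed sample. Line 2 is the script line from Example 2.43; line 3
# references an argument ($3) that the sample invocation does not supply.
SAMPLE_SCRIPT = r'''# constructed sample script
add Address IPAddress $1 Address=$2 Comments="$0: \$100"
add Address IPAddress $3 Address=10.0.0.1
'''


def expand_line(line, script_name, args):
    """Expand one script line; return (expanded_line, missing_indexes)."""
    missing = []

    def replace(match):
        if match.group(1) is None:      # matched the escape sequence \$
            return "$"
        index = int(match.group(1))
        if index == 0:                  # $0 is the script file name
            return script_name
        if index <= len(args):          # $1..$N are the supplied arguments
            return args[index - 1]
        missing.append(index)           # referenced but not supplied
        return match.group(0)           # leave the reference visible

    return _TOKEN.sub(replace, line), missing


def preview_script(text, script_name, args):
    """Return (commands, problems) for a whole script file.

    commands: (line_number, expanded_line) for every non-comment line.
    problems: (line_number, argument_index) for every unsupplied argument.
    """
    commands, problems = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Comment lines begin with '#'; empty lines carry no command.
        if not line.strip() or line.startswith("#"):
            continue
        expanded, missing = expand_line(line, script_name, args)
        commands.append((lineno, expanded))
        problems.extend((lineno, index) for index in missing)
    return commands, problems


if __name__ == "__main__":
    cmds, probs = preview_script(SAMPLE_SCRIPT, "script.sgs",
                                 ["ip_test", "127.0.0.1"])
    for lineno, command in cmds:
        print(f"{lineno}: {command}")
    for lineno, index in probs:
        print(f"line {lineno}: argument ${index} was not supplied")
```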
Example 2.41. Create and show script of Address objects
Show script of Address category objects:
Device:/> script -create Address
(not shown here)
Show script of all IPAddress objects:
Device:/> script -create Address IPAddress
(not shown here)
Show script of a single IPAddress object:
Device:/> script -create Address IPAddress myaddress
(not shown here)
Example 2.42. View and run the example script example.sgs
Show the file:
Device:/> script -show example.sgs
(not shown here)
Running the script:
Device:/> script -run example.sgs test 1.2.3.4
(not shown here)
Example 2.43. Script using substitution
"script.sgs":
add Address IPAddress $1 Address=$2 Comments="$0: \$100"
Device:/> script -run script.sgs ip_test 127.0.0.1
is executed as line:
add Address IPAddress ip_test Address=127.0.0.1 Comments="script.sgs: $100"
Usage
script
List script files.

script -list
List script files.

script -create [[<Category>] <Type> [<Identifier>]] [-filename=<script file>]
Create a script containing the selected object types.

script -run <script file> [-verbose] [-force] [<arguments>]...
Run script.

script -delete <script file>
Delete script.

script -show <script file>
Show script in console window.
Options
Note | |
---|---|
Requires Administrator privileges. |
SSH Server.
Description
Show SSH Server status, or restart SSH Server.
Usage
sshserver
Show server status and list all connected clients.

sshserver -status [-verbose]
Show server status and list all connected clients.

sshserver -keygen [-bits=<bits>] [-type={RSA | DSA | ECDSA}]
Generate SSH Server private keys.

sshserver -fingerprint [-md5]
Show the fingerprints of the SSH keys.

sshserver -restart [<ssh server>] [-full]
Restart SSH Server.
Options
Note | |
---|---|
Requires Administrator privileges. |
Handles system operations and shows system information.
Description
Handles system operations and shows system information.
Usage
system -cpuinfo [-verbose]
Show information about the CPU.

system -update-bootloader-configuration [-force]
Update the bootloader configuration. This command should only be run when instructed to do so.
Options
Stores and views Technical Support Information.
Description
Used to collect technical support information from the system. Issuing the command without options will write the information to a file stored locally on the device. Any existing file will be overwritten.
After successful storage, the file may be remotely copied over the SSH Remote Management interface (using SCP) or printed to console using the 'show' command option.
Usage
techsupport
Store technical support information to file.

techsupport -show [-nopages]
Display stored technical support information.

techsupport -printconf [-nopages]
Display system configuration as XML.
Options
Note | |
---|---|
Requires Administrator privileges. |
Display and set current system time.
Description
Display and set the system date and time.
Usage
time -sleep=<String>
Pause CLI session for the specified number of seconds.

time -sync [-force]
Synchronize time with timeserver(s) (specified in settings).

time -status
Show time synchronization status information.

time -set <date> <time>
Set local system time: <YYYY-MM-DD> <HH:MM:SS>.

time
Display current system time.
Options
Show CPU usage of the system.
Description
Show CPU usage of the system.
Time - The time measurement uses the format S.s, MM:SS or HH:MM:SS depending on the amount of time to display.
CPU - The system CPU measurement spans from zero to a hundred percent, measuring the current amount of CPU resources not being idle. When measuring the CPU usage per module, a value above 100% indicates that this module utilizes resources from several CPU units.
Usage
top
List processes and show CPU utilization.

top -list [-num=<n>] [-sort={ALPHA | TIME | TOP}]
List processes and show CPU utilization.
Options
Trace the route to a destination.
Description
Print the route packets take to a network host.
Usage
traceroute <host> [-timeout=<1...60000>] [-srcip=<ip address>] [-iface=<interface>] [-routingtable=<table>] [-interval=<0...60000>] [-length=<1...8192>] [-verbose] [-queries=<1...10>] [-ttl=<1...255>] [-maxttl=<1...255>] [-noresolve] [-ipver={4 | 6}]
Send an ICMP probe.

traceroute -udp <host> [-timeout=<1...60000>] [-srcip=<ip address>] [-routingtable=<table>] [-queries=<1...10>] [-length=<1...8192>] [-port=<1...65535>] [-verbose] [-interval=<0...60000>] [-ttl=<1...255>] [-maxttl=<1...255>] [-noresolve] [-ipver={4 | 6}]
Send a UDP probe.

traceroute -tcp <host> [-timeout=<1...60000>] [-srcip=<ip address>] [-routingtable=<table>] [-queries=<1...10>] [-length=<1...8192>] [-port=<1...65535>] [-verbose] [-iface=<interface>] [-interval=<0...60000>] [-ttl=<1...255>] [-maxttl=<1...255>] [-noresolve] [-ipver={4 | 6}]
Send a TCP probe.
Options
Note | |
---|---|
Requires Administrator privileges. |
Upgrade system. (NOTE: Command not available when running as a container)
Description
Perform system upgrades and manage upgrade files.
Upgrading the system software/firmware is performed by applying upgrade files stored on the device. Upgrade files are digitally signed software binary files created specifically for different hardware models. Apart from performing upgrades, the command also allows listing of upgrade files stored on the device as well as deleting the files.
NOTE: Make sure to select an upgrade file that matches the hardware model used.
NOTE: Upgrading the software/firmware will require a complete system restart and it is therefore highly recommended to perform a complete backup of the system before proceeding.
Example 2.45. Upgrade to a new software/firmware version
Device:/> upgrade firmware_v1_20.upg
(command output)
Example 2.46. List all upgrade files
Device:/> upgrade
(command output)
Device:/> upgrade -list
(command output)
Example 2.47. Delete upgrade files
Device:/> upgrade -delete firmware_v1_20.upg
Removed firmware_version_x.upg successfully.
Device:/> upgrade -delete firmware_v1_??.upg
Removed some files successfully.
Device:/> upgrade -delete firmware_*.upg
Removed some files successfully.
Device:/> upgrade -delete *
Removed all files successfully.
Usage
upgrade
List upgrade files.

upgrade -list
List upgrade files.

upgrade <upgrade filename> [-force]
Apply upgrade.

upgrade -delete <delete filename>
Delete upgrade file.
Options
Note | |
---|---|
Requires Administrator privileges. |
Show copyright/build information.
Description
Show copyright/build information.
Usage
about
Show copyright/build information.
Manage aliases.
Description
Aliases are user-defined mappings between a keyword and CLI commands, primarily intended to create shortcuts for commonly used commands that require many options. To execute an alias, prefix it with ":". Pressing tab or enter will replace the alias keyword with the corresponding mapped command.
Usage
alias
Show active alias mappings.

alias -add=<String> -cmd=<String> [-description=<String>]
Add alias mapping.

alias -set=<String> [-cmd=<String>] [-description=<String>]
Set/update active alias mapping.

alias -remove=<String>
Remove active alias mapping.

alias -show
Show active alias mappings.

alias -import <filename_import>
Import the active alias mappings from file.

alias -export <filename_export>
Export the active alias mappings to a file.

alias -save
Save the current alias mappings to persistent storage.
Options
Show configuration log.
Description
Displays warning and error messages related to configuration of the system. By default, shows log entries from the latest reconfigure sequence.
Usage
cfglog
Show log.

cfglog -all
Show log.

cfglog -clear
Clear log.
Options
Set the command view(s).
Description
Set the command views that are used when filtering out the set of commands and options that are available in the CLI.
Besides the ordinary set of commands within the 'default' view, there are two other views named 'advanced' and 'debug'. The 'advanced' view covers commands that display extensive and detailed information about the system's runtime values. The commands within the 'advanced' view do not have any impact on the system's behavior and network traffic. The commands covered by the 'debug' view can affect system behavior and network traffic and should be used with some care. These commands are mainly intended for system/network tests and debugging.
Usage
cmdview [{DEFAULT | ADVANCED | DEBUG | SERVICE | ALL}]
Options
Print text.
Description
Print text to console.
Usage
echo [<String>]...
Options
Filter the output based on a regular expression.
Description
The grep command is a text-search utility that searches output for specified patterns, printing lines where these patterns occur. It allows for advanced searches, including inverting the search and counting matching lines. Integrate other commands with grep using a pipe (|) for enhanced text processing and data analysis.
Usage
grep <Expr> [-v] [-i] [-k] [-A=<num>] [-B=<num>] [-C=<num>]
Options
Show help for CLI commands.
Description
The command help system contains information about commands and configuration object types.
The fastest way to get help is to simply type help followed by the topic that you want help with. A topic can be a command name (e.g. set).
When you don't know the name of what you are looking for you can use tab-completion to display a list of matching topics.
Usage
help
List commands alphabetically.

help <Topic>
Display help about selected topic from any category.
Options
Show help for configuration objects.
Description
The config help system contains information about configuration object types.
The fastest way to get help is to simply type helpconfig followed by the topic that you want help with. A topic can be the name of a configuration object type (e.g. User).
When you don't know the name of what you are looking for you can use tab-completion to display a list of matching topics.
Usage
helpconfig <Topic>
Options
Show command history.
Description
List recently typed commands that have been stored in the command history.
Usage
history
Show management status and enable local configuration.
Description
Show management status, and regain local configuration control if the centralized management system has it.
If the centralized management system has taken control of the system, no single user can make configuration changes to the system. This command is used to return local configuration control to single users. Once local configuration is enabled, centralized management control can only be enabled by the centralized management system.
Usage
localconfiguration [-enable]
Options
Note | |
---|---|
Requires Administrator privileges. |
Initiates shutdown/restart of the system.
Description
Shuts the system down to restart it (or to power it off).
Usage
shutdown
Normal shutdown/restart of the system.

shutdown -handover
Shutdown/restart that makes an HA handover to the peer first, if the node is the active node, before shutting down.

shutdown -ignore-ha
Shutdown/restart that shuts down even if this system is the active HA node of a cluster, without explicit handover and even if the peer is OFFLINE.

shutdown -noninteractive [-handover] [-ignore-ha]
Normal shutdown/restart but with a behaviour more suitable for automation.

shutdown -processrestart [-handover] [-ignore-ha] [-noninteractive]
Only restart the system's processes instead of a full restart of the POD/system. (NOTE: Usage not available when running non-containerized)

shutdown -force -ignore-ha [-noninteractive]
Shutdown using an alternative shutdown procedure skipping most of the normal shutdown activities. This should only be used if normal shutdown of the system malfunctions.

shutdown -poweroff [-handover] [-ignore-ha]
Power down the system. (NOTE: Usage not available when running as a container)
Options
Note | |
---|---|
Requires Administrator privileges. |
Force configuration errors at the next configuration activation.
Description
Force a configuration error at the next configuration activation.
Usage
cfgfail -validate <application> [-timeout]
Trigger a failure in the validate event.

cfgfail -phase1 <application> [-timeout]
Trigger a failure in the Phase-1 event.

cfgfail -phase2 <application> [-timeout]
Trigger a failure in the Phase-2 event.

cfgfail -phase3 <application> [-timeout]
Trigger a failure in the Phase-3 event.

cfgfail -clear
Remove the license.
Options
Show information about buffers and buffer usage.
Description
Show information about buffers and buffer usage.
Usage
buffers -show [-verbose] [-hardware] [-account] [-channel] [-blame]
List buffers.

buffers
Same as "buffers -show".
Options
Show Slowpath Dynamic Rule Manager state.
Description
Shows the state of the SP Dynamic Rule Manager.
Usage
drm -show [-type={PROCESS | TRNX}] [-num=<n>]
Show requested state table.

drm
Same as "sdrm -show".
Options
Show information about fragment status.
Description
Show information about pseudo-reassembler fragment status.
Usage
frag -show
List fragments.

frag -flush
Discard fragments.

frag
Same as "fragments -show".
Options
Command to print slowpath rule databases.
Description
Display information about the slow path rule databases and routing tables:
Explanation of Flags field of the rule databases:
Example 2.52. Print the content of a rule in one particular rule database.
System:/> ruledb -show instance -db=0x20 -rule=0x21
Example 2.53. Print the content of all rules in one particular rule database.
System:/> ruledb -show rule -db=0x20
Usage
ruledb -show[={INSTANCE | ROUTES | MAIN | PREIPBLOCK | PREIP | PREIPSEC | PREGTP | PREGTPINSP | ACCOVERRIDE | IPBLOCK | ACCESS | BLACKLIST | WHITELIST | POSTPBR | PREPBR | PREPBRIPSEC | PBR | IFSP | RULE | SIPALG | IPS | THRESHOLD | TRAFFICSHAPING | OWNERSHIP | GRE}] [-iface=<interface>] [-ipv6] [-rule=<Integer>] [-ruleorigin] [-db=<Integer>]
Prints the content of the rule database or the specified rule cache.

ruledb
Show all RuleDB instances.
Options
Get runtime information from and test the statistical daemon.
Description
List detailed information about the statistical daemon.
Usage
teststatd -clients [-delete]
List clients.

teststatd -requests
List requests.

teststatd -signatures [-item=<String>] [-verbose]
List signatures.

teststatd -values [-item=<String>] [-verbose] [-reset]
List statistical values.

teststatd -find [-guid=<Integer>] [-oid=<String>] [-nc=<String>]
Find a value from key.

teststatd
List general statd information.
Options
Description
Contains the access rules
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Use an access rule to allow or block specific source IP addresses on a specific interface
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
This is a category that groups the following object types.
Description
Use an Ethernet Address item to define a symbolic name for an Ethernet MAC address.
Properties
Description
An Ethernet Address Group is used for combining several Ethernet Address objects for simplified management.
Properties
Description
Use an IP Address item to define a name for a specific host, network, range or group.
Properties
Description
Application control settings.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Configured ARP entries
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Use an ARP entry to publish additional IPv4 addresses and/or MAC addresses on a specified interface.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
ARP (Address Resolution Protocol) Settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Ruleset used to allow/deny prefixes based on AS path
Properties
Description
Rule entry used to allow/deny prefixes based on AS path
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
The Authentication Profile specifies from where users are allowed to authenticate to the system, and how.
Properties
Description
List of attribute tags that can be applied to incoming or outgoing prefixes to achieve common goals
Properties
Description
Attribute tags that can be applied to incoming or outgoing prefixes to achieve common goals
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
BGP is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems on the Internet
Properties
Description
IPv6 specific settings for BGP process.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Grouped settings related to BGP best path selection
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Dampening minimizes the instability caused by route flapping
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
BGP peer used for routing information exchange
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
IPv4 specific configuration for the BGP neighbor.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
IPv6 specific configuration for the BGP neighbor.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Aggregation combines the characteristics of several different routes and advertises a single route
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
Networks to be advertised by the BGP routing process
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
A BGP export rule creates a filter to select BGP learned routes. The filtered routes can then through action rules either be exported to "route distribution services", such as OSPF, or be added to one or more routing tables.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
A routing table action is used to insert, update and remove routes to/from one or more routing tables.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
An OSPF action is used to insert, update and remove routes to/from an OSPF process.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
BGP specific settings.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
A certificate store is used to store and group certificates together for simplified management and configuration.
Properties
Description
An X.509 certificate is used to authenticate another entity such as a user, client, server or gateway, for example when establishing a VPN tunnel or SSL/TLS connection. A certificate can also be used to authenticate the system itself towards another party.
Properties
Description
Classification settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
A CMP server is a Certificate Authority, which can provide certificates using the CMPv2 protocol.
Properties
Description
A serial communication port, that is used for accessing the CLI.
Properties
Description
A CRL distribution point list specifies one or more locations from where a certificate revocation list (CRL) can be obtained. It can be used to add distribution points to a certificate that does not provide any, or to override existing ones.
Properties
Description
A CRL distribution point (CDP) specifies a location from where a certificate revocation list (CRL) can be obtained.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
Cryptographic Settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Set the date, time and time zone information for this system.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Specifies a timeserver used for time synchronization.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
A special interface used to represent internal mechanisms in the system as well as an abstract "any" interface.
Properties
Description
DHCP Server is a predefined set of DHCP Server Rules. There can only be one DHCPServer object in the system.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
A DHCP Server Rule determines a set of IP addresses and host configuration parameters to hand out to DHCP clients attached to a given interface.
Properties
Description
Static DHCP Server host entry
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
Extend the DHCP Server functionality by adding custom options that will be handed out to the DHCP clients.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
Advanced DHCP server settings.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Configure the DNS (Domain Name System) client settings.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Specifies a DNS server to use for lookups.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
A DNS profile configures extended processing of DNS traffic.
Properties
Description
A list of IP address pairs used to translate IP addresses in payload of DNS responses.
Properties
Description
A pair of IP addresses used to translate IP addresses in payload of DNS responses.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
Hardware settings for an ethernet interface.
Properties
Description
An EthernetInterface represents a logical endpoint for ethernet traffic.
Properties
Description
Flow timeout settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Pseudo Fragment Reassembly Settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
A FTP profile configures extended processing of FTP traffic.
Properties
Description
A geolocation filter defines a collection of individual regions representing larger geographical or political areas like Africa, Oceania or European Union.
Properties
Description
A GRE interface is a Generic Routing Encapsulation (no encryption, no authentication, only encapsulation) tunnel over an existing IP network.
Properties
Description
A GTP inspection profile is used to configure protocol validation and stateful inspection of GTP Control Plane (GTP-C) and GTP User Plane (GTP-U) traffic.
Properties
Description
GTP Inspection settings.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
A GTP interface combines two different protocols: GTP Control Plane (GTP-C) and GTP Data Transfer (GTP-U), and will act as a Serving GPRS Support Node (SGSN).
Properties
Description
High Availability flow sync delay settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
High Availability Settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Settings controlling reassembly of HA sync messages
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
High Availability settings. All these settings are private for this node and not synchronized to its peer.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Hardware monitor. Reads information from system sensors and keeps track of changes and limits
Properties
Description
Settings for the HardwareMonitor
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
ICMP (Internet Control Message Protocol) Settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Proposal list is used during the IKE negotiation. It specifies what encryption/integrity algorithm and PRF to use for the IKE SA. In most cases it's enough to specify one proposal with several algorithms. Any combination of the algorithms is then permitted for the SA. If only certain combinations of algorithms are allowed, they should be divided into several proposals where each proposal defines one combination of algorithms.
Properties
Description
An IKE proposal specifies a specific combination of algorithms allowed during the IKE negotiation.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
IKE Settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Use an interface group to combine several interfaces for a simplified security policy.
Properties
Description
Interface specific settings.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Intrusion Prevention provides in-depth screening of packet content for both intruder detection and prevention purposes.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
An IPS Rule defines a filter for matching specific network traffic. When the filter criterion is met, the IPS Rule Actions are evaluated and possible actions are taken.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
An IPS Rule Action specifies what signatures to search for in the network traffic, and what action to take if those signatures are found.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
An IPS Signature Group specifies a set of signatures according to filters. The signatures are filtered in the following way: (IncludeVendorSignature OR IncludeCustomSignature OR IncludeSignatureGroup OR IncludeCategory) AND FilterByCVE AND FilterBySeverity AND FilterByString AND CreatedAfter.
Properties
Description
An IP Rule Set is a self-contained set of IP Rules. Default action is Drop.
Properties
Description
An IP rule specifies what action to perform on network traffic that matches the specified filter criteria.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
An IPsec manual keyed tunnel item is used to define an IPsec endpoint and will appear as a logical interface in the system.
Properties
Description
Settings for Encapsulating Security Payload (ESP). Specifies algorithm and SPI to use for the manual keyed tunnel.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Proposal list is used during the IKE negotiation. It specifies what encryption/integrity algorithm and Diffie-Hellman group (if set) to use for the IPsec SA. In most cases it's enough to specify one proposal with several algorithms. Any combination of the algorithms is then permitted for the SA. If only certain combinations of algorithms are allowed, they should be divided into several proposals where each proposal defines one combination of algorithms.
Properties
Description
An IPsec proposal specifies a specific combination of algorithms allowed during the IKE negotiation of the IPsec SA.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
Pre-Shared Key bound to a local and remote ID that is used in IPsec when selecting Pre-Shared Keys as the authentication method.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
An IPsec tunnel item is used to define an IPsec endpoint and will appear as a logical interface in the system.
Properties
Description
An IP Pool is a dynamic collection of IP addresses that can be used by its host process.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
IP (Internet Protocol) Settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
An LDAP server is used as a central repository of certificates and CRLs that the firewall can download when necessary.
Properties
Description
Default Length limits on Sub-IP Protocols
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Specifies details about how the system is allowed to be used.
Properties
Note | |
---|---|
Objects of this type cannot be created or modified by the user. |
Description
Hardware settings for a link device.
Properties
Description
A local user database contains user accounts used for authentication purposes.
Properties
Description
User credentials may be used in User Authentication, which in turn is used in, e.g., PPP, Web Authentication, etc.
Properties
Description
An SNMPv2c log receiver used to receive log events from the system in the standard SNMP Trap format using one generic trap OID.
Properties
Description
A log message exception is used to override the severity filter in the log receiver.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
An SNMPv3 log receiver used to receive log events from the system in the standard SNMP Trap format using one generic trap OID.
Properties
The definitions here are the same as in Section 3.57.1, LogReceiverMessageException.
Description
A Syslog receiver is used to receive log events from the system in the standard Syslog format.
Properties
The definitions here are the same as in Section 3.57.1, LogReceiverMessageException.
Description
Miscellaneous Settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Ethernet expansion modules hardware status.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
A NAT Pool is used for NATing multiple concurrent connections using different source IP addresses. A NAT Pool can only be used with IPv4 rules.
Properties
Description
Configured Neighbor entries
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Use an ND entry to publish additional IPv6 addresses and/or MAC addresses on a specified interface.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
ND (IPv6 Neighbor Discovery) Settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
An OSPF Router Process defines a group of routers exchanging routing information via the Open Shortest Path First routing protocol.
Properties
Description
An OSPF area is a sub-domain within the OSPF process which collects OSPF interfaces, neighbors, aggregates and virtual links.
Properties
Description
Select and define the properties of an interface that should be made a member of the Router Process.
Properties
Description
For point-to-point and point-to-multipoint networks, specify the IP addresses of directly connected routers.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
An aggregate is used to replace any number of smaller networks belonging to the local (intra) area with one contiguous network which may then be advertised or hidden.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
An area that does not have a direct connection to the backbone must have at least one area border router with a virtual link to a backbone router, or to another router with a link to the backbone.
Properties
Description
An OSPF export rule creates a filter to select OSPF learned routes. The filtered routes can then through action rules either be exported to "route distribution services", such as OSPF, or be added to one or more routing tables.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
A BGP action is used to insert, update and remove routes to/from a BGP process.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
The definitions here are the same as in Section 3.9.7.1, ExportToRoutingTable.
Description
The PBR rule set. Contains RoutingRule objects.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
A Routing Rule forces the use of a routing table in the forward and/or return direction of traffic on a connection. The ordering parameter of the routing table determines if it is consulted before or after the main routing table.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
A pipe defines basic traffic shaping parameters. The pipes are then combined in a pipe profile that then can be selected on an IP rule to determine which traffic goes through which pipes.
Properties
Description
PSK (Pre-Shared Key) authentication is based on a shared secret that is known only by the parties involved.
Properties
Description
External RADIUS server used to verify user names and passwords.
Properties
Description
Configure Netcon management to enable remote management to the system.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Setup and configure methods and permissions for remote management of this system.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Configure SNMP management to enable SNMP polling.
Properties
Description
Configure SNMPv3 management to enable SNMPv3 polling.
Properties
Description
Configure a Secure Shell (SSH) Server to enable remote management access to the system.
Properties
Description
Ruleset used to allow/deny/modify route prefixes/characteristics
Properties
Description
Rule entry used to allow/deny/change route prefixes/characteristics
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
Ruleset used to allow/deny route prefixes
Properties
Description
Rule entry used to allow/deny route prefixes
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
The system has a Router Advertisement Profiles table. All profiles can be declared here.
Properties
Description
Properties that will form the structure and behavior of a Router Advertisement packet.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
Routing settings.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
The system has a predefined main routing table. Alternate routing tables can be defined by the user.
Properties
Description
A route defines what interface and gateway to use in order to reach a specified network.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
Specify a host and a monitoring method.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
An HA-enabled route. Can be set individually for each HA node.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
A routing table export rule creates a filter to select statically configured routes. The filtered routes can then through action rules be exported to "route distribution services" such as OSPF.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
SCTP Settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
A Service Group is a collection of service objects, which can then be used by different policies in the system.
Properties
Description
An ICMP Service is an object definition representing ICMP traffic with specific parameters.
Properties
Description
An ICMPv6 Service is an object definition representing ICMPv6 traffic with specific parameters.
Properties
Description
An IP Protocol Service is a definition of an IP protocol with specific parameters.
Properties
Description
An SCTP Service is a definition of an SCTP protocol with specific parameters.
Properties
Description
A TCP/UDP Service is a definition of a TCP or UDP protocol with specific parameters.
Properties
Description
A SIP profile configures extended processing of SIP traffic.
Properties
Description
The public key of the client connecting to the SSH server.
Properties
Description
An SSL Inspection profile enables SSL/TLS traffic to be decrypted and inspected. The data can either be re-encrypted or sent as cleartext in order to offload the server.
Properties
Description
An SSL server specifies how to identify the system to the client.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
An SSL VPN tunnel item is used to define an SSL VPN endpoint and will appear as a logical interface in the system.
Properties
Description
SSLVPN settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
A Syslog profile configures extended processing of Syslog traffic.
Properties
Description
Global parameters for this system.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
TCP Settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
The threshold rules are a self-contained set of rules meant to broadly define how to apply threshold actions. The major purpose of such threshold actions is to prevent an excessive number of flows from being opened, though other usages are also possible.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
A threshold rule specifies a filter for matching specific network traffic, how to evaluate the traffic, and what actions to take if the traffic exceeds given threshold definitions.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
A threshold set specifies what action to take if all the threshold definitions within the set are exceeded.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
A threshold definition specifies how to evaluate network traffic, a threshold limit for that measurement and for how long the limit can be exceeded before the action specified for the threshold set is taken. Note that, if multiple threshold definitions are configured for the threshold set, the limits of all definitions must be exceeded before the action is executed.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
Traffic Management Settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
A pipe profile combines pipe objects into a traffic shaping profile that can be referenced from an IP rule to determine how the traffic matching that rule should be managed.
Properties
Description
The Traffic shaping rules are a self-contained set of rules meant to broadly define how to apply traffic shaping. Default action is to apply no traffic shaping.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
A traffic shaping rule associates the specified traffic shaping profile with network traffic that matches the specified filter criteria.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
Settings related to transparent mode
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
An SNMPv2c Trap receiver used to receive trap events from the system using standard SNMP Trap format and standard trap OIDs.
Properties
Description
A trap exception is used to override the trap category filter in the trap receiver.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|
Description
An SNMPv3 Trap receiver used to receive trap events from the system using standard SNMP Trap format and standard trap OIDs.
Properties
Description
UDP Settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
A VLAN interface represents a logical endpoint for VLAN-tagged Ethernet traffic (802.1Q) or Ethernet traffic with a VLAN tag (802.1ad) that can contain additional nested tags/VLANs.
Properties
Description
Settings for IEEE 802.1Q and IEEE 802.1ad based Virtual LAN interfaces.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
Watchdog settings
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
A Whitelist Rule Set is a manually configured list of exceptions that introduces IP addresses and services that should never be blacklisted, i.e. even if another subsystem such as threshold rules adds an IP address and service to the blacklist, the whitelist will take priority and still allow the IP address to communicate over that service.
Properties
Note | |
---|---|
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. |
Description
A whitelist rule specifies IP addresses and services that should never be blacklisted, i.e. even if another subsystem such as threshold rules adds an IP address and service to the blacklist, the whitelist will take priority and still allow the IP address to communicate over that service.
Properties
Note | |
---|---|
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
|