cOS Stream 4.00.02 CLI Reference Guide


Table of Contents

1. Introduction
2. Command Reference
2.1. Configuration
2.1.1. activate
2.1.2. add
2.1.3. cc
2.1.4. commit
2.1.5. delete
2.1.6. reject
2.1.7. set
2.1.8. show
2.1.9. undelete
2.2. Runtime
2.2.1. appcontrol
2.2.2. arp
2.2.3. arpsnoop
2.2.4. authentication
2.2.5. bgp
2.2.6. blacklist
2.2.7. cryptostat
2.2.8. dhcpclient
2.2.9. dhcpserver
2.2.10. dns
2.2.11. dnsalg
2.2.12. flow
2.2.13. ftpalg
2.2.14. geoip
2.2.15. gtp
2.2.16. gtpinspection
2.2.17. ha
2.2.18. hwmon
2.2.19. ifeqv
2.2.20. ifstat
2.2.21. ike
2.2.22. iostat
2.2.23. ips
2.2.24. ipsec
2.2.25. ipsectunnels
2.2.26. lcdctrl
2.2.27. memory
2.2.28. natpool
2.2.29. ndp
2.2.30. ndpsnoop
2.2.31. netcon
2.2.32. netobjects
2.2.33. ospf
2.2.34. pipe
2.2.35. portmgr
2.2.36. radiussnoop
2.2.37. rfo
2.2.38. routes
2.2.39. rules
2.2.40. rulesnoop
2.2.41. sctp
2.2.42. sipalg
2.2.43. sslvpn
2.2.44. statistics
2.2.45. testmem
2.2.46. threshold
2.3. Utility
2.3.1. backup
2.3.2. certmgr
2.3.3. cloudconfig
2.3.4. crashdump
2.3.5. dconsole
2.3.6. echoserver
2.3.7. ethupdate
2.3.8. license
2.3.9. log
2.3.10. pcapdump
2.3.11. ping
2.3.12. script
2.3.13. sshserver
2.3.14. system
2.3.15. techsupport
2.3.16. time
2.3.17. top
2.3.18. traceroute
2.3.19. upgrade
2.3.20. uptime
2.4. Misc
2.4.1. about
2.4.2. alias
2.4.3. cfglog
2.4.4. clear
2.4.5. cmdview
2.4.6. echo
2.4.7. exit
2.4.8. grep
2.4.9. help
2.4.10. helpconfig
2.4.11. history
2.4.12. localconfiguration
2.4.13. quit
2.4.14. shutdown
2.5. Development
2.5.1. cfgfail
2.6. Debug
2.6.1. buffers
2.6.2. drm
2.6.3. frag
2.6.4. ruledb
2.6.5. teststatd
2.6.6. vlan
3. Configuration Reference
3.1. AccessRules
3.1.1. AccessRule
3.2. Address
3.2.1. EthernetAddress
3.2.2. EthernetAddressGroup
3.2.3. IPAddress
3.3. AppControlSettings
3.4. ARPEntries
3.4.1. ARPEntry
3.5. ARPTableSettings
3.6. ASPathAccessList
3.6.1. ASPathAccessEntry
3.7. AuthenticationProfile
3.8. BGPCommunityList
3.8.1. BGPCommunityEntry
3.9. BGPProcess
3.9.1. BGPProcessIPv6
3.9.2. BGPBestPathSettings
3.9.3. BGPDampening
3.9.4. BGPNeighbor
3.9.5. BGPPrefixAggregate
3.9.6. BGPNetwork
3.9.7. RouteExportRuleBGP
3.10. BGPSettings
3.11. CertificateStore
3.11.1. Certificate
3.12. ClassificationSettings
3.13. CMPServer
3.14. COMPortAccess
3.15. CRLDistPointList
3.15.1. CRLDistPoint
3.16. CryptoSettings
3.17. DateTime
3.17.1. TimeServer
3.18. DefaultInterface
3.19. DHCPServer
3.19.1. DHCPServerRule
3.20. DHCPServerSettings
3.21. DNS
3.21.1. DNSServer
3.22. DNSAlgProfile
3.23. DNSTranslationList
3.23.1. DNSTranslation
3.24. EthernetDevice
3.25. EthernetInterface
3.26. FlowTimeoutSettings
3.27. FragSettings
3.28. FTPAlgProfile
3.29. GeolocationFilter
3.30. GRETunnel
3.31. GTPInspectionProfile
3.32. GTPInspectionSettings
3.33. GTPTunnel
3.34. HAFlowSettings
3.35. HASettings
3.36. HASyncFragSettings
3.37. HighAvailability
3.38. HWMONMonitor
3.39. HWMONSettings
3.40. ICMPSettings
3.41. IKEProposalList
3.41.1. IKEProposal
3.42. IKESettings
3.43. InterfaceGroup
3.44. InterfaceSettings
3.45. IntrusionPrevention
3.45.1. IPSRule
3.45.2. IPSSignatureGroup
3.46. IPRuleSet
3.46.1. IPRule
3.47. IPsecManualKeyedTunnel
3.47.1. ESP
3.48. IPsecProposalList
3.48.1. IPsecProposal
3.49. IPsecPSK
3.50. IPsecTunnel
3.50.1. IPPool
3.51. IPSettings
3.52. LDAPServer
3.53. LengthLimSettings
3.54. License
3.55. LinkDevice
3.56. LocalUserDatabase
3.56.1. User
3.57. LogReceiverSNMP2c
3.57.1. LogReceiverMessageException
3.58. LogReceiverSNMP3
3.58.1. LogReceiverMessageException
3.59. LogReceiverSyslog
3.59.1. LogReceiverMessageException
3.60. MiscSettings
3.61. Modules
3.61.1. EthernetModule
3.62. NATPool
3.63. NDEntries
3.63.1. NDEntry
3.64. NDSettings
3.65. OSPFProcess
3.65.1. OSPFArea
3.65.2. RouteExportRuleOSPF
3.66. PBRRules
3.66.1. RoutingRule
3.67. Pipe
3.68. PSK
3.69. RadiusServer
3.70. RemoteMgmtNetcon
3.71. RemoteMgmtSettings
3.72. RemoteMgmtSNMP
3.73. RemoteMgmtSNMP3
3.74. RemoteMgmtSSH
3.75. RouteMap
3.75.1. RouteMapEntry
3.76. RoutePrefixList
3.76.1. RoutePrefixEntry
3.77. RouterAdvertisementProfilesTable
3.77.1. RouterAdvertisementProfile
3.78. RoutingSettings
3.79. RoutingTable
3.79.1. Route
3.79.2. HARoute
3.79.3. RouteExportRule
3.80. SCTPSettings
3.81. ServiceGroup
3.82. ServiceICMP
3.83. ServiceICMPv6
3.84. ServiceIPProto
3.85. ServiceSCTP
3.86. ServiceTCPUDP
3.87. SIPAlgProfile
3.88. SSHClientKey
3.89. SSLInspectionProfile
3.89.1. SSLServer
3.90. SSLVPNServer
3.91. SSLVPNSettings
3.92. SyslogAlgProfile
3.93. System
3.94. TCPSettings
3.95. ThresholdRules
3.95.1. ThresholdRule
3.96. TrafficMgmtSettings
3.97. TrafficProfile
3.98. TrafficShapingRules
3.98.1. TrafficShapingRule
3.99. TransparencySettings
3.100. TrapReceiverSNMP2c
3.100.1. TrapException
3.101. TrapReceiverSNMP3
3.101.1. TrapException
3.102. UDPSettings
3.103. VLAN
3.104. VLANSettings
3.105. WatchdogSettings
3.106. Whitelist
3.106.1. WhitelistRule
3.107. Zone
Alphabetical Index

Chapter 1: Introduction

[Note] Note: This document is also available in other formats

A PDF version of this document along with all current and older documentation in PDF format can be found at https://my.clavister.com.

It is also available in a framed HTML version.

This guide is a reference for all commands and configuration object types that are accessible through the Command Line Interface (CLI). This introduction gives a brief overview of the CLI help and autocompletion capabilities. CLI connection and usage is described in more depth in the separate Clavister firewall Administration Guide.

Case Sensitivity

The CLI is case-sensitive. However, the tab-completion feature of the CLI does not require the correct case to perform completion and will alter the typed case if it is required.

String Delimiters, the Escape Character and Special Characters

When entering CLI commands, literal strings can be enclosed in double quotation mark characters ("..."). For example:
add User my-user Password="pass word"
However, to include the double quotation mark itself in a string, it must be preceded by a backslash (\) which is the CLI escape character:
set User my-user Password="pass\"word"

Other special characters that might be needed are the following:

  • \r - The carriage return character.
  • \n - The new line character.
  • \t - The tab character.
  • \\ - The escape character \ itself.

For example:

set RemoteManagement RemoteMgmtSSH ssh Banner="Welcome!\r\n - Type \"help\"
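The quoting rules above, as an added Python example (not code from the guide or from Clavister): a function that quotes an arbitrary value for a CLI command line and its inverse parser, so automation that pushes configuration over the CLI never emits an unterminated or mis-escaped literal. The function names are this example's own.

```python
"""Escape and parse cOS Stream CLI string literals.

Added example, not part of the cOS Stream CLI Reference Guide. It implements
the quoting rules the guide describes: a value may be enclosed in double
quotes, a literal double quote is written \\", and \\r, \\n, \\t and \\\\ stand
for carriage return, new line, tab and the backslash itself.
"""

# Characters that must be escaped inside a quoted value and their escape form.
_ESCAPES = {"\r": "\\r", "\n": "\\n", "\t": "\\t", "\\": "\\\\", '"': '\\"'}
# Inverse table: the character after a backslash and what it stands for.
_UNESCAPES = {"r": "\r", "n": "\n", "t": "\t", "\\": "\\", '"': '"'}


def quote_cli_value(value: str) -> str:
    """Return value as a double-quoted CLI string literal.

    Every character with a defined escape is escaped, so the result can be
    placed after a property name (Password=, Banner=, ...) without the CLI
    splitting it on whitespace or terminating the string early.
    """
    body = "".join(_ESCAPES.get(ch, ch) for ch in value)
    return f'"{body}"'


def parse_cli_string(literal: str) -> str:
    """Decode a double-quoted CLI string literal back to its value.

    Raises ValueError on a missing closing quote, a backslash at the end of
    the string (i.e. the closing quote was itself escaped) or an unknown
    escape sequence, instead of guessing what was meant.
    """
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError("literal must start and end with a double quote")
    out = []
    i, end = 1, len(literal) - 1  # characters between the two quotes
    while i < end:
        ch = literal[i]
        if ch == "\\":
            i += 1
            if i >= end:
                # The only thing after the backslash is the closing quote,
                # so the quote was escaped and the string is unterminated.
                raise ValueError("escape character at end of string")
            esc = literal[i]
            if esc not in _UNESCAPES:
                raise ValueError(f"unknown escape sequence \\{esc}")
            out.append(_UNESCAPES[esc])
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def is_valid_cli_literal(literal: str) -> bool:
    """True if literal is a well-formed quoted string under the rules above."""
    try:
        parse_cli_string(literal)
    except ValueError:
        return False
    return True


def format_properties(**props: str) -> str:
    """Render property-value pairs as Name="value" tokens, quoting every value."""
    return " ".join(f"{name}={quote_cli_value(value)}" for name, value in props.items())


if __name__ == "__main__":
    # Constructed sample: the guide's SSH banner with real CR/LF characters.
    banner = 'Welcome!\r\n - Type "help"'
    line = "set RemoteManagement RemoteMgmtSSH ssh " + format_properties(Banner=banner)
    print(line)
    assert parse_cli_string(quote_cli_value(banner)) == banner
```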

Running a Command

The commands described in this guide can be run by typing the command along with any options followed by pressing the return key. Many commands require options to be set. If a mandatory option is missing, a brief syntax help will be displayed after the enter key is pressed.

CLI Function Keys

In addition to the return key there are a number of function keys that can be used with the CLI. These are listed below:

Backspace
Delete the character to the left of the cursor.
Tab
Complete current word.
Ctrl-A or Home
Move the cursor to the beginning of the line.
Ctrl-B or Left Arrow
Move the cursor one character to the left.
Ctrl-C
Clear line or cancel page view if more than one page of information is shown.
Ctrl-D or Delete
Delete the character to the right of the cursor.
Ctrl-E or End
Move the cursor to the end of the line.
Ctrl-F or Right Arrow
Move the cursor one character to the right.
Ctrl-K
Delete from the cursor to the end of the line.
Ctrl-N or Down Arrow
Show the next entry in the command history.
Ctrl-P or Up Arrow
Show the previous entry in the command history.
Ctrl-T
Transpose the current and the previous character.
Ctrl-U
Delete from the cursor to the beginning of line.
Ctrl-W
Delete word backwards.

The CLI History

Every time a command is run, the command line is added to a cached history of commands. The up and down arrow keys are used to access previous commands. The up arrow key displays the next oldest command in the history and the down arrow key returns to newer command lines.

The history command shows the entire contents of the history cache.

Example 1.1. CLI History

Using the command line history via the arrow keys:

Device:/> show Address
Device:/> (up arrow)
Device:/> show Address (the previous command is displayed)

CLI Help

There are two ways of getting help about a command. A brief help is displayed if the command name is typed followed by -?. This applies to all commands and is therefore not listed in the option list for each command in this guide.

In most cases it is possible to type the command help followed by the command name to get the detailed help for that command. To list all available commands, type help on its own and press return.

See Section 2.4.9, help for a more detailed description of the help command.

Example 1.2. CLI Help

Brief help for the activate command:

Device:/> activate -?

activate (ac). Activate changes.

Full help for activate:

Device:/> help activate

COMMAND
        activate (ac). Activate changes.

DESCRIPTION
        Activate the latest changes.

        This will issue a reconfiguration, using the new configuration.
        If the reconfiguration is successful a commit command must be
        issued within the configured timeout interval in order to save
        the changes to media. If not, the system will revert to using
        the previous version of the configuration.

USAGE
        activate

List all available commands:

Device:/> help

Available commands (type "help help" for more help):
		"
		"

Tab Completion

By using the tab function key in the CLI, the names of commands, options, objects and object properties can be automatically completed. If the text entered before pressing tab only matches one possible item, e.g. "activate" is the only match for "acti", and a command is expected, the name will be autocompleted.

Should there be more than one match, the part common to all matches will be completed. At this point the user can either enter more characters or press tab again, which will display a list of the possible completions. This can also be done without entering any characters, but the resulting list might be long if there are many possible completions, e.g. all commands.

Example 1.3. Tab Completion

An example of tab completion when using the add command:

Device:/> add Add (tab)
Device:/> add Address ("ress" was autocompleted)
Device:/> add Address i (tab)
Device:/> add Address IP ("IP" was autocompleted)
Device:/> add Address IPa (tab)
Device:/> add Address IPAddress ("IPAddress" was autocompleted)
Device:/> add Address IPAddress example_ip a (tab)
Device:/> add Address IPAddress example_ip Address= (autocompleted)
Device:/> add Address IPAddress example_ip Address=1.2.3.4

Mandatory Properties are Shown First

When using autocompletion, the optional object properties are not displayed until all mandatory properties have been assigned values.

For example, the Name parameter for an IP rule is optional. It will not be displayed by autocompletion until mandatory parameters such as the source/destination network/interface have been entered.

Inline Help

It is also possible to get help about available properties while a command line is being typed, by pressing tab. This will either result in a message saying what the next option is or show a list if there are several alternatives.

Example 1.4. Inline Help

Get inline help for all properties of an IPAddress:

Device:/> add Address IPAddress (tab)

 Enter a name for the new object.

Object Properties Help

It is possible to get information about the valid properties for an object by using the tab key:

Example 1.5. Option Properties Help

Option help for the Address= parameter of IPAddress:

Device:/> add Address IPAddress my_ip (tab)

<key-value pair>:

 Address  Comments  NoDefinedCredentials  UserAuthGroups

 Other valid options: -force, <enter>

Special Characters Used with Tab Completion

When entering the value of an object property, the tab character can be preceded by either of the following characters:

  • Entering the "." (period) character before entering tab will insert the current value of the object property.

    For example, assume that there is already an object in the address book called my_address and it has the IPv4 address value 203.0.113.10. Now enter the following command:

    Device:/> set Address IPAddress my_address Address=.(tab)

    This will cause the current IP address to be displayed:

    Device:/> set Address IPAddress my_address Address=203.0.113.10

  • Entering the " * " (asterisk/star) character before entering tab will cause the default property value to be automatically filled in.

  • Entering the "?" (question mark) character before tab will provide information about the value that can be entered. For example:
    Device:/> set RemoteManagement RemoteMgmtSSH RemoteMgmtSSH LogEnabled=?(tab)
             Type:  Boolean
      Description:  Enable logging.
          Default:  Yes
    Current Value:  Yes

User Restrictions

Certain commands and options cannot be used unless the CLI user has administrator privileges. This is indicated in this guide by a note following the command stating Requires Administrator Privilege. Individual command options may also be labelled Admin only.

Chapter 2: Command Reference

2.1. Configuration

2.1.1. activate

Activate changes.

Description

Activate the latest changes.

This will issue a reconfiguration, using the new configuration. If the reconfiguration is successful a commit command must be issued within the configured timeout interval in order to save the changes to media. If not, the system will revert to using the previous version of the configuration.

Usage

activate [-force] 

Options

-force
Force activation, even if no changes have been made.
[Note] Note
Requires Administrator privileges.

2.1.2. add

Create a new object.

Description

Create a new object and add it to the configuration.

Specify the type of object you want to create and the identifier, if the type has one, unless the object is identified by an index. Set the properties of the object by writing the property name, an equals sign (=) and then the value. An optional category can be specified for some object types when using tab completion.

If a mandatory property isn't specified a list of errors will be shown after the object is created. If an invalid property or value type is specified or if the identifier is missing the command will fail and not create an object.

Adjustments can be made after the object is created by using the set command.

Example 2.1. Create a new object

Add objects with an identifier property (not index):
 gw-world:/> add Address IPAddress example_ip Address=1.2.3.4
 Comments="This is an example"
 gw-world:/> add IPAddress example_ip2 Address=2.3.4.5

Add an object with an index:
 gw-world:/RoutingTable/main> add Route Interface=lan Network=all-nets-ip4

Usage

add [<Category>] <Type> [<Identifier>] [-force]
    [<key-value pair>]...

Options

-force
Add object, even if it has errors.
<Category>
Category that groups object types.
<Identifier>
The property that identifies the configuration object. May not be applicable depending on the specified <Type>.
<key-value pair>
One or more property-value pairs, i.e. <property name>=<value> or <property name>="<value>".
<Type>
Type of configuration object to perform operation on.
[Note] Note
Requires Administrator privileges.

2.1.3. cc

Change the current context.

Description

Change the current configuration context.

A context is a group of objects that are dependent on and grouped by a parent object. Many objects lie in the "root" context and do not have a specific parent. Other objects, e.g. User objects lie in a sub-context (or child context) of the root - in this case in a LocalUserDatabase. In order to add or modify users you have to be in the correct context, e.g. a LocalUserDatabase called "exampledb". Only objects in the current context can be accessed.

Example 2.2. Change context

Change to a sub/child context:
 gw-world:/> cc LocalUserDatabase exampledb
 gw-world:/LocalUserDatabase/exampledb>

Go back to the parent context:
 gw-world:/ospf1/area1> cc ..
 gw-world:/ospf1> cc ..
 gw-world:/>

Go back to the root context:
 gw-world:/ospf1/area1> cc
 gw-world:/>
or
 gw-world:/ospf1/area1> cc /
 gw-world:/>

Usage

cc [<Category>] <Type> <Identifier> 
Change the current context.
cc -print 
Print the current context.
cc 
Change to root context (same as "cc /").

Options

-print
Print the current context.
<Category>
Category that groups object types.
<Identifier>
The property that identifies the configuration object. May not be applicable depending on the specified <Type>.
<Type>
Type of configuration object to perform operation on.

2.1.4. commit

Save new configuration to media.

Description

Save the new configuration to media. This command can only be issued after a successful activate command.

Usage

commit 

[Note] Note
Requires Administrator privileges.

2.1.5. delete

Delete specified objects.

Description

Delete the specified object, removing it from the configuration.

Add the force flag to delete the object even if it is referenced by other objects or if it is a context that has child objects that aren't deleted. This may cause objects referring to the specified object or one of its children to get errors that must be corrected before the configuration can be activated.

See also: undelete

Example 2.3. Delete an object

Delete an unreferenced object:
 gw-world:/> delete Address IPAddress example_ip

Delete a referenced object:
(will cause error in examplerule)
 gw-world:/IPRuleSet/main> set IPRule 1(examplerule) SourceNetwork=examplenet
 gw-world:/> delete Address IPAddress examplenet -force
Delete a range of objects:
 gw-world:/IPRuleSet/main> delete IPRule -range=1-10

Usage

delete [<Category>] <Type> [<Identifier>] [-force]
       [-range=<Integer Range>] 

Options

-force
Force object to be deleted even if it's used by other objects or has children.
-range=<Integer Range>
One or more ranges of objects to delete, can only be used for indexed types of objects.
<Category>
Category that groups object types.
<Identifier>
The property that identifies the configuration object. May not be applicable depending on the specified <Type>.
<Type>
Type of configuration object to perform operation on.
[Note] Note
Requires Administrator privileges.

2.1.6. reject

Reject changes.

Description

Reject the changes made to the specified object by reverting to the values of the last committed configuration.

All changes made to the object will be lost. If the object is added after the last commit, it will be removed.

To reject the changes in more than one object, use either the -recursive flag to delete a context and all its children recursively or the -all flag to reject the changes in all objects in the configuration.

See also: activate, commit

Example 2.4. Reject changes

Reject changes in individual objects:
 gw-world:/> set Address IPAddress example_ip
 Comments="This comment will be rejected"
 gw-world:/> reject Address IPAddress example_ip
 gw-world:/> add Address IPAddress example_ip2 Address=1.2.3.4
 Comments="This whole object will be removed"
 gw-world:/> reject Address IPAddress example_ip2

Reject changes recursively:
(will reject changes in the user database and all users)
 gw-world:/LocalUserDatabase/exampledb> set User user1 Comments="Something"
 gw-world:/LocalUserDatabase/exampledb> set User user2 Comments="that will be"
 gw-world:/LocalUserDatabase/exampledb> set User user3 Comments="rejected"
 gw-world:/LocalUserDatabase/exampledb> cc ..
 gw-world:/> reject LocalUserDatabase exampledb -recursive

Reject all changes:
 gw-world:/anycontext> reject -all

All changes since the last commit will be rejected:
(example_ip will be removed since it is newly added)
 gw-world:/> add Address IPAddress example_ip Address=1.2.3.4
 gw-world:/> delete Address IPAddress example_ip
 gw-world:/> reject Address IPAddress example_ip

Usage

reject [<Category>] <Type> [<Identifier>] [-recursive] 
Reject changes made to the specified object.
reject -all 
Reject all changes in the configuration.

Options

-all
Reject all changes in the configuration.
-recursive
Recursively reject changes.
<Category>
Category that groups object types.
<Identifier>
The property that identifies the configuration object. May not be applicable depending on the specified <Type>.
<Type>
Type of configuration object to perform operation on.
[Note] Note
Requires Administrator privileges.

2.1.7. set

Set property values.

Description

Set property values of configuration objects.

Specify the type of object you want to modify and the identifier, if the type has one. Set the properties of the object by writing the property name, an equals sign (=) and then the value. An optional category can be specified for some object types when using tab completion.

If a mandatory property hasn't been specified or if a property has an error a list of errors will be shown after the specified properties have been set. If an invalid property or value type is specified the command will fail and not modify the object.

See also: add

Example 2.5. Set property values

Set properties for objects that have an identifier property:
 gw-world:/> set Address IPAddress example_ip Address=1.2.3.4
 Comments="This is an example"
 gw-world:/> set IPAddress example_ip2 Address=2.3.4.5
 Comments=comment_without_whitespace
 gw-world:/RoutingTable/main> set Route 1 Comments="A route"
 gw-world:/IPRuleSet/main> set IPRule 12 Index=1
Set properties on a range of objects:
 gw-world:/IPRuleSet/main> set IPRule -range=1-10 LogEnabled=No

Usage

set [<Category>] <Type> [<Identifier>] [-disable] [-enable]
    [-force] [-range=<Integer Range>] [<key-value pair>]...

Options

-disable
Disable object. This option is not available if the object is already disabled.
-enable
Enable object. This option is not available if the object is already enabled.
-force
Set values, even if they contain errors.
-range=<Integer Range>
One or more ranges of objects to set values on, can only be used for indexed types of objects.
<Category>
Category that groups object types.
<Identifier>
The property that identifies the configuration object. May not be applicable depending on the specified <Type>.
<key-value pair>
One or more property-value pairs, i.e. <property name>=<value> or <property name>="<value>".
<Type>
Type of configuration object to perform operation on.
[Note] Note
Requires Administrator privileges.

2.1.8. show

Show objects.

Description

Show objects.

Show the properties of a specified object. There are a number of flags that can be specified to show otherwise hidden properties. To show a list of object types and categories available in the current context, just type show. Show a table of all objects of a type by specifying a type or a category. Use the -errors or -changes flags to show what objects have been changed or have errors in the configuration.

When showing a table of all objects of a certain type, the status of each object since the last time the configuration was committed is indicated by a flag. The flags used are:

-
The object is deleted.
o
The object is disabled.
!
The object has errors.
+
The object is newly created.
*
The object is modified.

Unchanged objects are not indicated by a flag.

When listing categories and object types, categories are indicated by [] and types where objects may be contexts by /.

Example 2.6. Show objects

Show the properties of an individual object:
 gw-world:/> show Address IPAddress example_ip
 gw-world:/RoutingTable/main> show Route 1

Show a table of all objects of a type and a selection of their
properties as well as their status:
 gw-world:/> show Address IPAddress
 gw-world:/> show IPAddress

Show a table of all objects for each type in a category:
 gw-world:/> show Address

Show objects with changes and errors:
 gw-world:/> show -changes
 gw-world:/> show -errors

Show what objects use (refer to) a certain object:
 gw-world:/> show Address IPAddress example_ip -references

Usage

show 
Show the types and categories available in the current context.
show [<Category>] [<Type> [<Identifier>]] [-system] [-disabled]
     [-references] [-expand] 
Show an object or list a type or category.
show -errors [-verbose] 
Show all errors.
show -changes 
Show all changes.
show -expand 
Show objects with expanded symbolic names where supported.

Options

-changes
Show all changes in the current configuration.
-disabled
Show disabled properties.
-errors
Show all errors in the current configuration.
-expand
Show IP addresses instead of symbolic names.
-references
Show all references to this object from other objects.
-system
Show system properties.
-verbose
Show error details.
<Category>
Category that groups object types.
<Identifier>
The property that identifies the configuration object. May not be applicable depending on the specified <Type>.
<Type>
Type of configuration object to perform operation on.

2.1.9. undelete

Restore previously deleted objects.

Description

Restore a previously deleted object.

This is possible as long as the activate command has not been called.

See also: delete

Example 2.7. Undelete an object

Undelete an unreferenced object:
 gw-world:/> delete Address IPAddress example_ip
 gw-world:/> undelete Address IPAddress example_ip

Undelete a referenced object:
(will remove the error in examplerule)
 gw-world:/IPRuleSet/main> set IPRule 1(examplerule) SourceNetwork=examplenet
 gw-world:/> delete Address IPAddress examplenet -force
 gw-world:/> undelete Address IPAddress examplenet

Usage

undelete [<Category>] <Type> [<Identifier>] 

Options

<Category>
Category that groups object types.
<Identifier>
The property that identifies the configuration object. May not be applicable depending on the specified <Type>.
<Type>
Type of configuration object to perform operation on.
[Note] Note
Requires Administrator privileges.

2.2. Runtime

2.2.1. appcontrol

Show application control status.

Description

View general information about the Application Control system or browse the Application Control database.

Usage

appcontrol 
Show general information about application control system.
appcontrol -show-applications [-name=<String>] [-family=<String>]
           [-risk={VERY_LOW | LOW | MEDIUM | HIGH | VERY_HIGH}]
           [-tag=<String>] [-num={ALL | <n>}] [-verbose] 
Show information about supported applications.

Options

-family=<String>
Application family.
-name=<String>
Application name (wildcards allowed).
-num={ALL | <n>}
Limit display to <n> applications. (Default: 20)
-risk={VERY_LOW | LOW | MEDIUM | HIGH | VERY_HIGH}
Application risk level.
-show-applications
Shows applications matching certain criteria.
-tag=<String>
Application tag.
-verbose
Verbose (more information).

2.2.2. arp

Show ARP entries for given interface.

Description

List the ARP cache entries of specified interfaces.

If no interface is given the ARP cache entries of all interfaces will be presented.

The presented list can be filtered using the ip and hw options.

Usage

arp 
Show all ARP entries.
arp -show [<interface>] [-ip=<pattern>] [-hw=<pattern>] [-num=<n>]
    [-all] 
Show ARP entries.
arp -flush [<interface>] 
Flush ARP cache of specified interface.
arp -notify=<ip> <interface> [-hwsender=<String>] 
Send gratuitous ARP for IP.

Options

-all
Show all ARP entries.
-flush
Flush ARP cache of all specified interfaces. (Admin only)
-hw=<pattern>
Show only hardware addresses matching pattern.
-hwsender=<String>
Sender ethernet address.
-ip=<pattern>
Show only IP addresses matching pattern.
-notify=<ip>
Send gratuitous ARP for <ip>.
-num=<n>
Show only the first <n> entries per interface. (Default: 20)
-show
Show ARP entries for given interface(s).
<interface>
Interface name.

2.2.3. arpsnoop

Toggle snooping and displaying of ARP requests.

Description

Toggle snooping and displaying of ARP queries and responses on-screen.

Aborting the arpsnoop command can be done by calling 'arpsnoop none' or by pressing CTRL-C. Using CTRL-C will also terminate all other running CLI commands.

Usage

arpsnoop 
Show snooped interfaces.
arpsnoop {ALL | NONE | <interface>} [-verbose] 
Snoop specified interface.

Options

-verbose
Verbose.
{ALL | NONE | <interface>}
Interface name.

2.2.4. authentication

User authentication information.

Description

Show currently logged-on users and other information. Also allows logged-on users to be forcibly logged out.

Usage

authentication 
List logged in users.
authentication -num=<Integer> 
List logged in users.
authentication -all 
List all logged in users.
authentication -show <Integer> 
Show user details.
authentication -profile [<User Authentication Profile>] 
Show authentication profiles.
authentication -logout_id <Integer> 
Logout user via user ID.
authentication -logout_src <IP> <Interface>
               <User Authentication Profile> 
Logout user via source IP.
authentication -logout_name <username>
               <User Authentication Profile> 
Logout all users matching username in the profile.
authentication -privilege 
Show currently known privileges.

Options

-all
List all users.
-logout_id
Logout user. (Admin only)
-logout_name
Logout user. (Admin only)
-logout_src
Logout user. (Admin only)
-num=<Integer>
Number of users to show.
-privilege
Show privileges.
-profile
Find authentication profile.
-show
Show user information.
<Integer>
User ID.
<Interface>
Receiving Interface. (Default: any)
<IP>
Source IP.
<User Authentication Profile>
Authentication Profile.
<username>
Username.

2.2.5. bgp

BGP monitoring/control commands.

Description

Display information about BGP.

Usage

bgp 
Show summary for BGP process.
bgp -neighbors [-neighbor=<neighbor>] [-prefixes-advertised]
    [-prefixes-received] 
Show neighbor information.
bgp -snoop={ON | OFF} [-category={ALL | BGP-ALL | BFD-ALL |
    ROUTE-ALL | BGP-UPD | ROUTE-ADD | ROUTE-MOD | ROUTE-DEL}]
    [-level=<0...7>] 
Enable/disable BGP snooping.
bgp -execute={RESTART-FULL | NEIGHBOR-RECONNECT}
    [-neighbor=<neighbor>] 
Execute operation.
bgp -prefixes [-num={ALL | <n>}] [-ipv6] [-network=<network>]
    [-routemap=<routemap>] [-aspath=<AS path>] 
Show prefixes.
bgp -techsupport 
Show internal technical support information.
bgp -bfd [-verbose] 
Show BFD overview.

Options

-aspath=<AS path>
Display prefixes matching the AS path regular expression.
-bfd
Show BFD overview.
-category={ALL | BGP-ALL | BFD-ALL | ROUTE-ALL | BGP-UPD | ROUTE-ADD | ROUTE-MOD | ROUTE-DEL}
Snooping categories.
-execute={RESTART-FULL | NEIGHBOR-RECONNECT}
Execute command. (Admin only)
-ipv6
IPv6.
-level=<0...7>
Snooping level (higher number equals more details).
-neighbor=<neighbor>
Display the specified neighbor only.
-neighbors
Show neighbors.
-network=<network>
Display prefixes covering the specified network.
-num={ALL | <n>}
Limit display to <n> entries. (Default: 100)
-prefixes
Show received/announced prefixes.
-prefixes-advertised
Lists prefixes advertised to neighbor.
-prefixes-received
Lists prefixes received from neighbor.
-routemap=<routemap>
Display prefixes matching the specified route-map.
-snoop={ON | OFF}
Control BGP snoop debugging.
-techsupport
Show internal technical support information.
-verbose
Verbose data.

2.2.6. blacklist

Block and unblock hosts.

Description

Block and unblock specific hosts for specific source interface(s).

If no option is chosen both blacklist and whitelist entries will be presented.

The presented list can be filtered using the show option, specifying whether blacklist, whitelist or both of the lists need to be displayed.

Usage

blacklist 
Show both blacklist and whitelist entries.
blacklist -show={BLACKLIST | WHITELIST | ALL} [-num=<number>] 
Show either blacklist, whitelist or both.
blacklist -add -srciface=<Interface> -srcip=<ip address>
          [-destip=<ip address>] [-port=<port range>] [-proto={ICMP
          | IGMP | TCP | UDP | GRE | ESP | AH | ICMPV6 | OSPF | MTP
          | L2TP | SCTP | ALL | <0...256>}] [-timeout=<number>] 
Add a blacklist entry.
blacklist -remove [-all] [-srciface=<Interface>]
          [-srcip=<ip address>] [-destip=<ip address>]
          [-port=<port range>] [-proto={ICMP | IGMP | TCP | UDP |
          GRE | ESP | AH | ICMPV6 | OSPF | MTP | L2TP | SCTP | ALL
          | <0...256>}] 
Remove a blacklist entry.
blacklist -lookup [-srciface=<Interface>] [-srcip=<ip address>]
          [-destip=<ip address>] [-port=<port range>]
          [-num=<number>] 
Lookup blacklisted entries.

Options

-add
Add blacklisted entry. (Admin only)
-all
Remove all blacklisted entries. (Admin only)
-destip=<ip address>
Destination IP address to block/unblock.
-lookup
Lookup blacklisted entries.
-num=<number>
Limit output to <n> entries. (Default: 10)
-port=<port range>
Destination port range to block/unblock. The option can only be set when 'proto' option is set to 'ICMP', 'SCTP', 'TCP' or 'UDP'.
-proto={ICMP | IGMP | TCP | UDP | GRE | ESP | AH | ICMPV6 | OSPF | MTP | L2TP | SCTP | ALL | <0...256>}
Protocol to block/unblock.
-remove
Remove entry from blacklist. (Admin only)
-show={BLACKLIST | WHITELIST | ALL}
Show either blacklist, whitelist or both.
-srciface=<Interface>
Source Interface to block/unblock.
-srcip=<ip address>
Source IP address to block/unblock.
-timeout=<number>
Time in seconds that the host will remain blocked. (Default: 0)

2.2.7. cryptostat

Show information about cryptographic operations.

Description

Show information about cryptographic devices and cryptographic operations.

Usage

cryptostat 
Show status of available crypto devices.
cryptostat -show [-status] [-verbose] [-poll] [-session] 
Show selected information.

Options

-poll
Show statistics related to polling crypto devices.
-session
Show statistics related to crypto device sessions.
-show
Show specified information.
-status
Show status of available crypto devices.
-verbose
Show detailed information.

2.2.8. dhcpclient

DHCP Client commands.

Description

Show interfaces using DHCP client and various information about leases.

Usage

dhcpclient 
Show DHCP Client active interfaces if no option is supplied.
dhcpclient -list 
Show DHCP Client active interfaces.
dhcpclient <interface> 
Show DHCP Client interface information.
dhcpclient -renew <interface> 
Renew lease on an interface manually.
dhcpclient -release <interface> 
Release lease on an interface that is no longer needed.
dhcpclient -snoop={ON | OFF} <interface> [-verbose] 
Enable/Disable DHCP snoop on an interface.

Options

-list
Show enabled interfaces.
-release
Release lease on an interface that is no longer needed.
-renew
Renew lease on an interface manually.
-snoop={ON | OFF}
Show troubleshooting messages on the DHCP negotiation.
-verbose
Show extended snoop output.
<interface>
Interface.

2.2.9. dhcpserver

DHCP Server commands.

Description

Show the content of the DHCP server ruleset and various information about leases and mappings.

Usage

dhcpserver 
Show all DHCP Server active leases if no option is supplied.
dhcpserver -rule=<DHCP Server Rule> [-num=<Integer>]
           [-fromentry=<Integer>] [-blacklist] 
Show DHCP Server active leases.
dhcpserver -information 
Show DHCP Server general information.
dhcpserver -statistics 
Show DHCP Server statistics.
dhcpserver -rules 
Show DHCP Server Rules.
dhcpserver -mappings [-rule=<DHCP Server Rule>] [-ip=<IP address>]
           [-num=<Integer>] [-fromentry=<Integer>] 
Show DHCP Server mappings.
dhcpserver -blacklist [-rule=<DHCP Server Rule>] [-ip=<IP address>]
           [-num=<Integer>] [-fromentry=<Integer>] 
Show DHCP Server blacklisted addresses.
dhcpserver -leases [-rule=<DHCP Server Rule>] [-ip=<IP address>]
           [-interface=<interface>] [-num=<Integer>]
           [-fromentry=<Integer>] 
Show DHCP Server active leases.
dhcpserver -releaseblacklist [-rule=<DHCP Server Rule>]
           [-ip=<IP address>] 
Release one or all blacklisted addresses.
dhcpserver -releasemappings [-rule=<DHCP Server Rule>]
           [-interface=<interface>] [-ip=<IP address>] 
Release one or all address mappings.
dhcpserver -snoop={ON | OFF} [-rule=<DHCP Server Rule>] 
Snoop specified DHCP Server Rule.

Options

-blacklist
Show DHCP server blacklisted addresses per rule.
-fromentry=<Integer>
Shows DHCP Server lease list from offset <n>. (Default: 1)
-information
Show DHCP server general information.
-interface=<interface>
Interface.
-ip=<IP address>
IP address.
-leases
Show DHCP server leases.
-mappings
Show DHCP server IP mappings.
-num=<Integer>
Limit list to <n> leases. (Default: 20)
-releaseblacklist
Release one or all blacklisted addresses per rule. (Admin only)
-releasemappings
Release one or all address mappings per rule. (Admin only)
-rule=<DHCP Server Rule>
Specify DHCP Server Rule with the name <n>. All rules will be included if this option is not set.
-rules
Show DHCP server rules.
-snoop={ON | OFF}
Show troubleshooting messages on the DHCP Server Rule.
-statistics
Show DHCP server statistics.

2.2.10. dns

DNS client and queries.

Description

Display information about the DNS client and perform name server lookups.

Usage

dns 
Display contents of cache.
dns -list [<String>] [-num={ALL | <n>}] 
List specific entries from cache. Wildcards can be used, e.g. "*.com".
dns <String> [-type={A | AAAA | PTR}] [-num={ALL | <n>}] 
Do a lookup. If the type is not specified, "PTR" is used for IP addresses and otherwise "A" is used.
dns -flush [<String>] 
Remove cache entries. It is possible to specify an IP address or a domain name. Wildcards can be used, e.g. "*.com".

Options

-flush
Remove cache entries. (Admin only)
-list
List cache entries.
-num={ALL | <n>}
Limit display to <n> entries. (Default: 20)
-type={A | AAAA | PTR}
Query type.
<String>
Name.

2.2.11. dnsalg

Displays the state of the DNS ALG.

Description

Displays DNS ALG runtime information.

Usage

dnsalg 
Show DNS sessions handled by the ALG.
dnsalg -show [-num={ALL | <n>}] [-profile=<DNS profile>]
       [-srciface=<Interface>] [-destiface=<Interface>]
       [-ip=<IP range>] [-clientip=<IP range>]
       [-serverip=<IP range>] 
Show DNS sessions handled by the ALG.
dnsalg -close [-all] [-session=<Integer>] [-profile=<DNS profile>]
       [-srciface=<Interface>] [-destiface=<Interface>]
       [-ip=<IP range>] [-clientip=<IP range>]
       [-serverip=<IP range>] 
Close active DNS sessions.
dnsalg -snoop={ON | OFF} [-profile=<DNS profile>]
       [-srciface=<Interface>] [-destiface=<Interface>]
       [-ip=<IP range>] [-clientip=<IP range>]
       [-serverip=<IP range>] 
Enable/disable snooping on the DNS ALG.

Options

-all
All DNS sessions.
-clientip=<IP range>
Match client IP address.
-close
Close DNS sessions.
-destiface=<Interface>
Filter on destination interface.
-ip=<IP range>
Match client or server IP address.
-num={ALL | <n>}
Limit display to <n> entries. (Default: 20)
-profile=<DNS profile>
Profile to snoop on.
-serverip=<IP range>
Match server IP address.
-session=<Integer>
DNS session ID.
-show
Show DNS sessions handled by the ALG.
-snoop={ON | OFF}
Enable/Disable snooping on the DNS ALG.
-srciface=<Interface>
Filter on source interface.

2.2.12. flow

List current state-tracked flows.

Description

Display the current state-tracked flows.

Explanation of Flags field in verbose output

T
Tag Flow - Flow has 'tag' set
g
Agnostic Flow - Flow is forwarding traffic independently of the HA state
P
HA Private Flow - Flow is not synchronized to its HA peer since it is local to this node
R
Reject Flow - Flow is a reject flow and will not forward any traffic
!
Defunct Flow - Flow is broken; something (usually ARP/NDP resolve) went wrong and the flow is silently dropping packets
?
Optimistic Flow - Flow is being forwarded to the last known destination, though the last update had some minor issues (typically ARP/NDP failed to resolve)
*
Maintenance - Flow is in maintenance mode; packets will be buffered until maintenance is done
A
ARP/NDP resolve in progress - Flow is currently trying to resolve the HW destination using ARP/NDP
Z
Zombie - Flow is closed and awaits being removed; it cannot be used to forward any packets
O
AppControl - Flow is classified and offloaded from the appcontrol engine

Usage

flow -show [-num=<n>] [-verbose] [-usage] [-compact] [-mtu]
     [-pipechain] [-pipe=<Pipe>] [-srciface=<Interface>]
     [-destiface=<Interface>] [-protocol={TCP | UDP | ICMP | ICMPV6
     | IGMP | GRE | ESP | SCTP | <name/num>}] [-srcport=<port>]
     [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>]
     [-sequence] [-sequence-info] [-rules] [-tagged] [-untagged]
     [-idle] [-ha] [-hastate={NOTSYNCED | SYNCING | SYNCED |
     SYNCFAILED | DONTSYNC}] [-disable-progress-updates] [-app]
     [-appfilter=<String>] [-state] 
List flows.
flow 
Same as "flow -show".
flow -close [-all] [-pipe=<Pipe>] [-srciface=<Interface>]
     [-destiface=<Interface>] [-protocol={TCP | UDP | ICMP | ICMPV6
     | IGMP | GRE | ESP | SCTP | <name/num>}] [-srcport=<port>]
     [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>]
     [-deepflush] [-tagged] [-untagged] [-idle]
     [-hastate={NOTSYNCED | SYNCING | SYNCED | SYNCFAILED |
     DONTSYNC}] [-disable-progress-updates] [-appfilter=<String>] 
Close flows.
flow -tag [-all] [-pipe=<Pipe>] [-srciface=<Interface>]
     [-destiface=<Interface>] [-protocol={TCP | UDP | ICMP | ICMPV6
     | IGMP | GRE | ESP | SCTP | <name/num>}] [-srcport=<port>]
     [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>]
     [-idle] [-disable-progress-updates] [-appfilter=<String>] 
Tag flows.
flow -untag [-all] [-pipe=<Pipe>] [-srciface=<Interface>]
     [-destiface=<Interface>] [-protocol={TCP | UDP | ICMP | ICMPV6
     | IGMP | GRE | ESP | SCTP | <name/num>}] [-srcport=<port>]
     [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>]
     [-idle] [-disable-progress-updates] [-appfilter=<String>] 
Untag flows.
flow -retag [-all] [-pipe=<Pipe>] [-srciface=<Interface>]
     [-destiface=<Interface>] [-protocol={TCP | UDP | ICMP | ICMPV6
     | IGMP | GRE | ESP | SCTP | <name/num>}] [-srcport=<port>]
     [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>]
     [-idle] [-disable-progress-updates] [-appfilter=<String>] 
Invert tag on flows.
flow -hainfo 
Show troubleshooting information for flow HA synchronization.

Options

-all
Mark all flows.
-app
Show the application using the flow. If -verbose is specified the whole application path is shown.
-appfilter=<String>
Show only flows matching a given application pattern.
-close
Close all flows that match the filter expression. (Admin only)
-compact
Show reduced version of the table. If -verbose is specified the values are separated for each flow direction.
-deepflush
Removes any flow setup optimization states. (Admin only)
-destiface=<Interface>
Filter on destination interface.
-destip=<ip addr>
Filter on destination IP address.
-destport=<port>
Show only given destination TCP/UDP port.
-disable-progress-updates
Prevents the command from showing its progress, even if the command takes a long time to complete. Can be helpful if the output is to be automatically processed.
-ha
Include HA information about the displayed flows.
-hainfo
Show troubleshooting information for flow HA synchronization.
-hastate={NOTSYNCED | SYNCING | SYNCED | SYNCFAILED | DONTSYNC}
Filter on HA state.
-idle
Filter on idle flows. (Advanced view)
-mtu
Show path MTU used by the flow. If -verbose is specified the values are separated for each flow direction.
-num=<n>
Limit list to <n> flows. (Default: 20)
-pipe=<Pipe>
Filter on pipe object.
-pipechain
Show pipe chain used by flow.
-protocol={TCP | UDP | ICMP | ICMPV6 | IGMP | GRE | ESP | SCTP | <name/num>}
Show only given IP protocol.
-retag
Invert tag on flows matching filter. (Advanced view)
-rules
Show rules associated with each flow. (Admin only)
-sequence
Show PMU sequence. (Admin only)
-sequence-info
Show PMU sequence with extended information from the PMUs. (Admin only)
-show
Show flows.
-srciface=<Interface>
Filter on source interface.
-srcip=<ip addr>
Filter on source IP address.
-srcport=<port>
Show only given source TCP/UDP port.
-state
Show the state of the flow instead of the protocol. For flows with no particular state the protocol will be shown as state.
-tag
Set tag on flows matching filter. (Advanced view)
-tagged
Filter on flows with tag set. (Advanced view)
-untag
Clear tag on flows matching filter. (Advanced view)
-untagged
Filter on flows with tag unset. (Advanced view)
-usage
Show flow usage statistics. If -verbose is specified the values are separated for each flow direction.
-verbose
Verbose (more information).

2.2.13. ftpalg

Show the state of the FTP ALG.

Description

Show runtime information about the FTP ALG.

Usage

ftpalg 
Show FTP sessions handled by the ALG.
ftpalg -show [-num={ALL | <n>}] [-profile=<FTP profile>]
       [-srciface=<Interface>] [-destiface=<Interface>]
       [-ip=<IP range>] [-clientip=<IP range>]
       [-serverip=<IP range>] 
Show FTP sessions handled by the ALG.
ftpalg -close [-all] [-session=<Integer>] [-profile=<FTP profile>]
       [-srciface=<Interface>] [-destiface=<Interface>]
       [-ip=<IP range>] [-clientip=<IP range>]
       [-serverip=<IP range>] 
Close active FTP sessions.
ftpalg -snoop={ON | OFF} [-profile=<FTP profile>]
       [-srciface=<Interface>] [-destiface=<Interface>]
       [-ip=<IP range>] [-clientip=<IP range>]
       [-serverip=<IP range>] 
Enable/disable snooping on the FTP ALG.

Options

-all
All FTP sessions.
-clientip=<IP range>
Match client IP address.
-close
Close FTP sessions.
-destiface=<Interface>
Filter on destination interface.
-ip=<IP range>
Match client or server IP address.
-num={ALL | <n>}
Limit display to <n> entries. (Default: 20)
-profile=<FTP profile>
Profile to snoop on.
-serverip=<IP range>
Match server IP address.
-session=<Integer>
FTP session ID.
-show
Show FTP sessions handled by the ALG.
-snoop={ON | OFF}
Enable/Disable snooping on the FTP ALG.
-srciface=<Interface>
Filter on source interface.

2.2.14. geoip

Display IP geolocation related information.

Description

Display information about the system's IP geolocation databases and perform lookups of the geographical locations associated with given IP addresses.

Usage

geoip 
Display status of geolocation databases.
geoip -activate=<String> 
Activate a geolocation database file.
geoip -lookup=<IP> 
Get geographical information for a set of IP addresses.
geoip -remove=<String> 
Remove geolocation database files from storage.
geoip -status 
Display status of geolocation databases.

Options

-activate=<String>
Activate a geolocation database file. (Advanced view; Matching: *.bin)
-lookup=<IP>
Get geographical information for a set of IP addresses.
-remove=<String>
Remove geolocation database files from storage. (Advanced view; Matching: *.bin)
-status
Display status of geolocation databases.

2.2.15. gtp

Shows info about GTP such as PDP contexts, GGSN connections or other related information.

Description

The GTP command shows information about PDP contexts or GGSN connections currently instantiated with the GTP.

Usage

gtp 
List PDP contexts for all GTP interfaces.
gtp -ggsn [-iface=<GTPTunnel>] [-num={ALL | <Integer>}]
    [-localip=<IPAddress>] [-ggsnip=<IPAddress>] 
List active GGSN connections.
gtp -listen [-localip=<IPAddress>] [-ggsnip=<IPAddress>] 
List listening GGSN connections.
gtp -pdp [-iface=<GTPTunnel>] [-verbose] [-num={ALL | <Integer>}]
    [-localendpoint=<IPAddress>] [-enduseraddress=<IPAddress>]
    [-remoteendpoint=<IPAddress>] 
List PDP contexts.

Options

-enduseraddress=<IPAddress>
Filter on end user address.
-ggsn
List active GGSN connections.
-ggsnip=<IPAddress>
Filter on GGSN IP.
-iface=<GTPTunnel>
Filter on GTP interface.
-listen
List listening GGSN connections.
-localendpoint=<IPAddress>
Filter on local endpoint.
-localip=<IPAddress>
Filter on local IP.
-num={ALL | <Integer>}
Maximum number of entries to show. (Default: 40)
-pdp
List PDP contexts.
-remoteendpoint=<IPAddress>
Filter on remote endpoint.
-verbose
Verbose information.

2.2.16. gtpinspection

Displays the state of GTP inspection.

Description

Display runtime information about GTP Inspection.

Usage

gtpinspection 
Show GTP-C/GTP-U sessions handled by GTP Inspection.
gtpinspection -show={BRIEF | FULL} [-control] [-user] [-num={ALL |
              <n>}] [-version={GTPV1 | GTPV2}]
              [-profile=<GTP Inspection Profile>]
              [-origiface=<Interface>] [-termiface=<Interface>]
              [-origip=<IP range>] [-termip=<IP range>]
              [-origteid=<Integer>] [-termteid=<Integer>]
              [-imsi=<String>] [-msisdn=<String>] [-eua=<IP range>]
              [-imei=<String>] [-apn=<String>] [-session=<Integer>]
              [-state={PENDING | ESTABLISHED | BOTH}] 
Show GTP-C/GTP-U sessions handled by GTP Inspection.
gtpinspection -close [-control] [-user] [-version={GTPV1 | GTPV2}]
              [-profile=<GTP Inspection Profile>]
              [-origiface=<Interface>] [-termiface=<Interface>]
              [-origip=<IP range>] [-termip=<IP range>]
              [-origteid=<Integer>] [-termteid=<Integer>]
              [-imsi=<String>] [-msisdn=<String>] [-eua=<IP range>]
              [-imei=<String>] [-apn=<String>] [-session=<Integer>]
              [-all] [-state={PENDING | ESTABLISHED | BOTH}] 
Close active GTP-C/GTP-U sessions.
gtpinspection -snoop={FULL | BRIEF | OFF}
              [-profile=<GTP Inspection Profile>]
              [-origiface=<Interface>] [-origip=<IP range>]
              [-termip=<IP range>] 
Enable/Disable GTP message snooping.

Options

-all
All GTP sessions.
-apn=<String>
Match the APN.
-close
Close GTP Sessions.
-control
Match control plane (GTP-C) sessions.
-eua=<IP range>
Match the end-user address.
-imei=<String>
Match the IMEI.
-imsi=<String>
Match the IMSI.
-msisdn=<String>
Match the MSISDN.
-num={ALL | <n>}
Limit display to <n> entries. (Default: 20)
-origiface=<Interface>
Filter on originating interface.
-origip=<IP range>
Match originating IP address.
-origteid=<Integer>
Match the originating Tunnel Endpoint Identifier (TEID).
-profile=<GTP Inspection Profile>
Filter on profile.
-session=<Integer>
Match the session id.
-show={BRIEF | FULL}
Show GTP-C/GTP-U sessions handled by GTP Inspection.
-snoop={FULL | BRIEF | OFF}
Enable/Disable GTP message snooping.
-state={PENDING | ESTABLISHED | BOTH}
Match the session state.
-termiface=<Interface>
Filter on terminating interface.
-termip=<IP range>
Match terminating IP address.
-termteid=<Integer>
Match the terminating Tunnel Endpoint Identifier (TEID).
-user
User plane (GTP-U) sessions.
-version={GTPV1 | GTPV2}
Match the GTP-C version.

2.2.17. ha

Control and show status of the HA system.

Description

Control and show status of the HA system.

Usage

ha 
Show the HA status of the system.
ha -status [-module] [-internal] 
Show the HA status of the system.
ha -activate [-force] 
Request that this HA node will become the active one.
ha -deactivate [-force] 
Request that this HA node will become the inactive one.
ha -recvconf [-reboot] [-force] 
Receive configuration from HA peer.
ha -sendconf [-reboot] [-force] 
Send configuration to HA peer.
ha -reboot [-local] [-peer] [-force] 
Reboot local/peer HA node.
ha -compconf 
Compare configuration with HA peer.
ha 
Show the HA status of the system.

Options

-activate
Request that this HA node will become the active one. (Admin only)
-compconf
Executed on any HA node with the purpose of manually comparing the configuration to its HA peer's configuration. (Admin only)
-deactivate
Request that this HA node will become the inactive one. (Admin only)
-force
Force requested behavior.
-internal
Show internal HA status that might be required for technical support.
-local
Local HA node. (Admin only)
-module
Show info about modules using HA.
-peer
Remote HA node. (Admin only)
-reboot
Request that the specified HA node reboots. If used with -sendconf or -recvconf, the node receiving the configuration will reboot and use the new configuration at boot-up. (Admin only)
-recvconf
Executed on any HA node with the purpose of manually synchronizing the configuration from its HA peer. The configuration is downloaded from the peer and activated and committed. (Admin only)
-sendconf
Executed on any HA node with the purpose of manually synchronizing the configuration to its HA peer. The configuration is uploaded to the peer and activated and committed. (Admin only)
-status
Show the HA status of the system.

2.2.18. hwmon

Hardware monitoring command.

Description

Retrieves sensor and sensor monitor information.

Usage

hwmon 
Show brief monitor information.
hwmon -sensorlist 
Show the system sensor list.
hwmon -show [<String>] 
Show specific monitor information.
hwmon -techsupport={DEVICESENSORS | IPMISTATUS} 
Show internal technical support information.

Options

-sensorlist
Show available system sensors.
-show
Show monitor information.
-techsupport={DEVICESENSORS | IPMISTATUS}
Show internal technical support information.
<String>
Shows information on specific monitor.

2.2.19. ifeqv

Show interface equivalence.

Description

Show interface equivalence.

Usage

ifeqv 

2.2.20. ifstat

Check interface status.

Description

Prints out basic information about an interface.

Usage

ifstat 
List all ethernet interfaces.
ifstat -devicescan 
Display the currently available devices in the system.
ifstat -device=<hardware port> [-per-queue-stats] 
Display information (link status, statistics) about a specific hardware port.
ifstat -type={ALL | CORE | NULL | ETHERNET | IPSEC | GRE | GTP |
       VLAN | SSLVPN | LAG | IFACEGROUP | ZONE} [-allindepth]
       [-num={ALL | <Integer>}] 
List interfaces currently configured in the system.
ifstat -allindepth [-type={ALL | CORE | NULL | ETHERNET | IPSEC |
       GRE | GTP | VLAN | SSLVPN | LAG | IFACEGROUP | ZONE}]
       [-num={ALL | <Integer>}] [-per-queue-stats] 
Display detailed information about all interfaces.
ifstat <interface> [-up] [-down] [-per-queue-stats] 
Display detailed interface information.
ifstat 
List all ethernet interfaces.

Options

-allindepth
Show details of all interfaces.
-device=<hardware port>
EthernetDevice name. (Advanced view)
-devicescan
Scan for currently available devices. (Admin only; Advanced view)
-down
Stop the interface (Ethernet interfaces only). (Admin only)
-num={ALL | <Integer>}
Maximum number of entries to show. (Default: 40)
-per-queue-stats
Include hardware statistics per queue (not supported by all Ethernet interface types and might show just zeros).
-type={ALL | CORE | NULL | ETHERNET | IPSEC | GRE | GTP | VLAN | SSLVPN | LAG | IFACEGROUP | ZONE}
Filter interface type. (Default: ethernet)
-up
Start the interface (Ethernet interfaces only). (Admin only)
<interface>
Interface name.

2.2.21. ike

Shows info about IKE SAs or performs connect/delete/rekey operations.

Description

The command gives information about the IKE SAs currently established or in negotiation. It can also be used to initiate a tunnel negotiation, tear down or rekey.

The command can also be used to give a human readable printout of IKE messages passed to/from the IKE daemon.

Usage

ike -show [-tunnel=<IPsecTunnel>] [-id=<Integer>] [-excl]
    [-state={CREATED | CONNECTING | ESTABLISHED | PASSIVE |
    REKEYING | DELETING | DESTROYING}] [-numchild={ALL |
    <Integer>}] [-localendpoint=<IP range>]
    [-remoteendpoint=<IP range>] [-localaddress=<IP range>]
    [-remoteaddress=<IP range>] [-recviface[=<Interface>]]
    [-verbose] [-num={ALL | <Integer>}] [-clone=<Integer Range>]
    [-sort={NONE | ID | NAME | LOCALADDRESS | REMOTEADDRESS |
    LOCALENDPOINT | REMOTEENDPOINT}] [-order={ASC | DESC}] 
Show established IKE SAs.
ike -connect [-tunnel=<IPsecTunnel>] [-id=<Integer>]
    [-clone=<Integer Range>] [-active=<Integer>] 
Initiate an IKE negotiation.
ike -rekey={IKE | IPSEC} [-tunnel=<IPsecTunnel>] [-id=<Integer>]
    [-verbose] [-clone=<Integer Range>] [-active=<Integer>] 
Initiate an IKE rekey.
ike -delete [-tunnel=<IPsecTunnel>] [-id=<Integer>] [-force]
    [-verbose] [-clone=<Integer Range>] 
Delete established IKE SAs.
ike -snoop={BRIEF | FULL | OFF} [-localendpoint=<IP range>]
    [-remoteendpoint=<IP range>] [-recviface[=<Interface>]]
    [-routingtable=<RoutingTable>] 
Enable/Disable IKE message snooping.
ike -certshow [-type={ANY | CERT | CRL}] [-verbose]
    [-subject=<String>] [-issuer=<String>] [-strict] [-num={ALL |
    <Integer>}] 
Show certificate cache.
ike -certflush [-type={ANY | CERT | CRL}] 
Flush certificate cache.
ike -ippool [-static] [-tunnel=<IPsecTunnel>] [-num={ALL |
    <Integer>}] 
Show IP pool information.
ike -stat [-jobs] 
Show IKE statistics.
ike 
Same as "ike -show".

Options

-active=<Integer>
Maximum number of active negotiations.
-certflush
Flush certificate cache.
-certshow
Show certificate cache.
-clone=<Integer Range>
Specifies the clone range. (Default: 0)
-connect
Initiate an IKE negotiation. (Admin only)
-delete
Delete an existing IKE SA. (Admin only)
-excl
Exclude IKE SA matching the filter. (Advanced view)
-force
Force deletion without sending notification to peer.
-id=<Integer>
Filter on IKE ID.
-ippool
Show IP pool information.
-issuer=<String>
Filter certificates by issuer.
-jobs
Show the job load on the IKE daemon.
-localaddress=<IP range>
Filter on local address used inside tunnel. (Advanced view)
-localendpoint=<IP range>
Filter on local endpoint.
-num={ALL | <Integer>}
Maximum number of entries to show. (Default: 40)
-numchild={ALL | <Integer>}
Maximum number of IPSec child SA to show (default: 0 in verbose mode, all in normal mode). (Advanced view)
-order={ASC | DESC}
Order to sort entries in. (Default: asc)
-recviface[=<Interface>]
Filter on receive interface. (Default: any)
-rekey={IKE | IPSEC}
Rekey an existing IKE/IPsec SA. (Admin only)
-remoteaddress=<IP range>
Filter on remote address used inside tunnel. (Advanced view)
-remoteendpoint=<IP range>
Filter on remote endpoint.
-routingtable=<RoutingTable>
Filter on routing table used for outbound IKE messages. If not specified, routing table membership of the receive interface will be used.
-show
Show all IKE SAs.
-snoop={BRIEF | FULL | OFF}
Enable/Disable IKE message snooping.
-sort={NONE | ID | NAME | LOCALADDRESS | REMOTEADDRESS | LOCALENDPOINT | REMOTEENDPOINT}
Key to sort entries by. (Default: id)
-stat
Show IKE statistics.
-state={CREATED | CONNECTING | ESTABLISHED | PASSIVE | REKEYING | DELETING | DESTROYING}
Restrict operation(s) to IKE SA in given state. (Advanced view)
-static
Show static IP pool information.
-strict
Filter certificates using strict sub part matching.
-subject=<String>
Filter certificates by subject.
-tunnel=<IPsecTunnel>
Filter on tunnel interface.
-type={ANY | CERT | CRL}
Type of certificate.
-verbose
Verbose information.

2.2.22. iostat

Show statistics related to packet input/output.

Description

Show statistics related to packet input/output.

Usage

iostat [-cpu] 

Options

-cpu
Sort output on CPU.

2.2.23. ips

Intrusion prevention system.

Description

Intrusion Prevention System.

Show the number of signatures in rules, groups or categories. To show individual signatures use -verbose.

Command to activate and remove signature files.

Example 2.8. Show individual signatures in category IPS_WEB_*, limiting output to 40 signatures.

ips -show=category ips_web_* -verbose -num=40

Usage

ips -num=<number> 
Show signatures by rule.
ips -show=rule [<Rule>] [-verbose] [-num=<number>] 
Show signatures by rule.
ips -show=signature <Signature ID> 
Show signature by ID.
ips -show=category [<Category>] [-verbose] [-num=<number>] 
Show signatures by category.
ips -show=group [<Group>] [-verbose] [-num=<number>] 
Show signatures by group.
ips -show=file 
Show signatures by file.
ips -activate <Filename> 
Activate IPS signature file.
ips -remove <Filename> 
Remove active IPS signature file from media.
ips -show=filewarnings [<Filename>] [-num=<number>] 
Show errors found while parsing signature files.

Options

-activate
Activate IPS signature file.
-num=<number>
Limit output to <n> entries. (Default: 20)
-remove
Remove an active IPS signature file from the media.
-show={RULE | SIGNATURE | CATEGORY | GROUP | FILEWARNINGS | FILE}
Show signatures by rule, group, category or signature id.
-verbose
Show extended output, i.e. individual signatures.
<Category>
Signature Category (wildcards * and ? allowed).
<Filename>
IPS signature file (still not activated).
<Filename>
IPS signature file (activated).
<Group>
Signature Group name.
<Rule>
IPS rule name.
<Signature ID>
IPS Signature ID.

2.2.24. ipsec

Show SAD/SPD.

Description

Show information about entries in the Security Association Database (SAD) as well as in the Security Policy Database (SPD).

Usage

ipsec -show={SAD | SPD | TUNNELS} [-verbose]
      [-tunnel=<IPsecTunnel>] [-localendpoint=<IP range>]
      [-remoteendpoint=<IP range>] [-localaddress=<IP range>]
      [-remoteaddress=<IP range>] [-excl] [-spi=<Integer>]
      [-num[=<Integer>]] 
Show IPsec SAD/SPD/Tunnels.
ipsec -verbose [-localendpoint=<IP range>]
      [-remoteendpoint=<IP range>] [-localaddress=<IP range>]
      [-remoteaddress=<IP range>] [-excl] [-spi=<Integer>]
      [-num[=<Integer>]] 
Same as "ipsec -show=tunnels -verbose".
ipsec 
Same as "ipsec -show=tunnels".

Options

-excl
Exclude tunnels matching the filter. (Advanced view)
-localaddress=<IP range>
Filter on local address inside tunnel. (Advanced view)
-localendpoint=<IP range>
Filter on local endpoint.
-num[=<Integer>]
Maximum number of entries to show. (Default: 40)
-remoteaddress=<IP range>
Filter on remote address inside tunnel. (Advanced view)
-remoteendpoint=<IP range>
Filter on remote endpoint.
-show={SAD | SPD | TUNNELS}
Show IPsec SAD/SPD.
-spi=<Integer>
Filter on SPI.
-tunnel=<IPsecTunnel>
Filter on tunnel interface.
-verbose
Verbose information.

2.2.25. ipsectunnels

Lists the current IPsec configuration.

Description

Lists the current IPsec configuration.

Usage

ipsectunnels -iface=<recv iface> 
Show specific interface.
ipsectunnels -num={ALL | <Integer>} 
Show a specific number of interfaces.
ipsectunnels 
Show interfaces.

Options

-iface=<recv iface>
IPsec interface to show information about.
-num={ALL | <Integer>}
Maximum number of entries to show. (Default: 40)

2.2.26. lcdctrl

Debug functionality for LCD.

Description

LCD controller.

Usage

lcdctrl 
...
lcdctrl -text [<String>] 
Write text to LCD display.
lcdctrl -clear 
Clear LCD display.
lcdctrl -backlight={OFF | ON} 
Set state of LCD back light.
lcdctrl -statusled={OFF | ON | BLUE/GREEN | RED | BLINK |
        BLINK-GREEN-OFF | BLINK-RED-OFF | BLINK-RED-GREEN} 
Set state of the status LED.
lcdctrl -goto [-x=<X>] [-y=<Y>] 
Move cursor on LCD display.
lcdctrl -up 
Simulate up from the keypad.
lcdctrl -down 
Simulate down from the keypad.
lcdctrl -left 
Simulate left from the keypad.
lcdctrl -right 
Simulate right from the keypad.

Options

-backlight={OFF | ON}
Set state of LCD back light.
-clear
Clear LCD display.
-down
Simulate down from the keypad.
-goto
Move cursor on LCD display.
-left
Simulate left from the keypad.
-right
Simulate right from the keypad.
-statusled={OFF | ON | BLUE/GREEN | RED | BLINK | BLINK-GREEN-OFF | BLINK-RED-OFF | BLINK-RED-GREEN}
Set state of the status LED.
-text
Write text to LCD display.
-up
Simulate up from the keypad.
-x=<X>
X-coordinate.
-y=<Y>
Y-coordinate.
<String>
Text.

2.2.27. memory

Memory.

Description

Show memory consumption.

Usage

memory -unit={KB | MB | GB} 
Show memory usage.
memory -limit=<Integer> 
Show only categories with memory usage above specified limit.
memory -verbose [-detailed] [-limit=<Integer>] [-unit={KB | MB |
       GB}] 
Show memory usage.
memory -proc 
Show memory usage for all categories.

Options

-detailed
Include extra information in the output.
-limit=<Integer>
Show only categories with memory usage above this limit in KB. (Default: 10)
-proc
Show memory usage per process.
-unit={KB | MB | GB}
Memory unit.
-verbose
Show memory usage per main category.

2.2.28. natpool

Show NAT Pool runtime information.

Description

The natpool CLI command may be used for inspecting the status of the IP address usage of NAT Pools.

Example 2.9. Review NAT Pool mynatpool

Device:/> natpool mynatpool

Example 2.10. Retrieve extended NAT Pool info (deterministic NAT Pool)

Device:/> natpool mydetnatpool -verbose
(will show an extended summary of the NAT Pool's configured blocks.)
(for more detailed information use the -externalip or the -internalip options)

Example 2.11. Retrieve extended NAT Pool info for a specific translation IP

Device:/> natpool mynatpool -externalip=111.111.111.111
(the output info depends on NAT Pool type)
(for a deterministic NAT Pool, all blocks assigned to the IP are shown)

Example 2.12. Retrieve extended NAT Pool info for a specific internal IP (deterministic NAT Pool)

Device:/> natpool mynatpool -internalip=111.111.111.111
(will show all blocks the internal IP is using)

Example 2.13. Backward mapping for one IP (deterministic NAT Pool)

Device:/> natpool -reverse mydetnatpool -externalip=111.111.111.111 
          -externalport=12345
(the output info depends on mydetnatpool configured parameters)

Usage

natpool <pool name> [-verbose] [-internalip=<IP>]
        [-externalip=<IP>] [-num=<n>] 
Shows information on a specific NAT Pool IP.
natpool -reverse <pool name> [-externalip=<IP>]
        [-externalport=<port number>] 
Reverse maps from external IP and port to internal IP. Usable only for deterministic NAT Pools.
natpool 
Shows a summary for all configured NAT Pools.

Options

-externalip=<IP>
External (translated) IP.
-externalport=<port number>
Deterministic reverse mapping. External port to map from.
-internalip=<IP>
Internal IP.
-num=<n>
Limit list to <n> entries. (Default: 20)
-reverse
Performs a reverse map based on the deterministic NAT Pool parameters.
-verbose
Show extended information on deterministic NAT Pool.
<pool name>
NAT Pool name.

2.2.29. ndp

Show ND entries for given interface.

Description

List the ND cache entries of specified interfaces.

If no interface is given the ND cache entries of all interfaces will be presented.

The presented list can be filtered using the ip and hw options.

Usage

ndp 
Same as 'ndp -show -type=Neighbor'.
ndp -show [<interface>] [-iprange=<IP range>] [-num=<n>]
    [-type={NEIGHBOR | ROUTER | DNSSERVER}] [-state={ALL | DYNAMIC
    | NORMAL | STALE | UNRESOLVED | CRYPTO | STATIC | PUBLISH |
    XPUBLISH}] 
Show ND entries.
ndp -flush [<interface>] [-iprange=<IP range>] [-state={ALL |
    DYNAMIC | NORMAL | STALE | UNRESOLVED | CRYPTO | STATIC |
    PUBLISH | XPUBLISH}] 
Flush ND cache of specified interface.
ndp -notify <interface> -ip=<IP address> [-hwsender=<String>] 
Send gratuitous ND for IP.
ndp -releaserouter [<interface> [<String>]] 
Remove specified routers from the table of all specified interfaces.
ndp -releasedns [<interface>] 
Remove DNS servers from the table of all specified interfaces.
ndp -renew [<interface>] 
Send router solicitation.

Options

-flush
Flush ND cache of all specified interfaces. (Admin only)
-hwsender=<String>
Sender ethernet address.
-ip=<IP address>
IP address to send the gratuitous ND for.
-iprange=<IP range>
Show/Flush only IP addresses in range.
-notify
Send gratuitous ND for <ip>.
-num=<n>
Show only the first <n> entries per interface. (Default: 20)
-releasedns
Remove DNS servers learned through SLAAC from the table of all specified interfaces. (Admin only)
-releaserouter
Remove specified routers from the table of all specified interfaces. (Admin only)
-renew
Send router solicitation.
-show
Show ND entries for given interface(s).
-state={ALL | DYNAMIC | NORMAL | STALE | UNRESOLVED | CRYPTO | STATIC | PUBLISH | XPUBLISH}
Specifies a category of neighbor entries, only valid for -type=Neighbor. (Default: dynamic)
-type={NEIGHBOR | ROUTER | DNSSERVER}
Specifies what type of ND data to operate on. (Default: Neighbor)
<interface>
Interface name.
<String>
Specifies IPv6 router.

2.2.30. ndpsnoop

Toggle snooping and displaying of NDP requests.

Description

Toggle snooping and displaying of NDP queries and responses on-screen.

Aborting the ndpsnoop command can be done by calling 'ndpsnoop none' or by pressing CTRL-C. Using CTRL-C will also terminate all other running CLI commands.

Usage

ndpsnoop 
Show snooped interfaces.
ndpsnoop {ALL | NONE | <interface>} [<Network>] [-type={NEIGHBOR |
         ROUTER | ANY}] [-verbose] 
Snoop specified interface.

Options

-type={NEIGHBOR | ROUTER | ANY}
Type of NDP traffic.
-verbose
Verbose.
<Network>
Network filter. (Default: ::/0)
{ALL | NONE | <interface>}
Interface name.

2.2.31. netcon

List current Netcon connections.

Description

Lists current Netcon connections and shows the interface, IP address and port for each connection.

Usage

2.2.32. netobjects

List runtime values of configured network objects.

Description

Displays named network objects and their contents.

Usage

netobjects [<IP>] [-num=<num>] [-verbose] 

Options

-num=<num>
Number of entries to show. Default number of printed objects depends on screen row count. (Default: 0)
-verbose
Verbose.
<IP>
Address/address folder name.

2.2.33. ospf

Show runtime OSPF information.

Description

Show runtime information about OSPF router processes.

Usage

ospf 
Show runtime information.
ospf -process=<OSPF Router Process> 
Show runtime information for specific OSPF router process.
ospf -iface [<interface>] [-process=<OSPF Router Process>] 
Show interface information.
ospf -area [<OSPF Area>] [-process=<OSPF Router Process>] 
Show area information.
ospf -neighbor [<OSPF Neighbor>] [-process=<OSPF Router Process>] 
Show neighbor information.
ospf -route [{HA | ALT}] [-process=<OSPF Router Process>] 
Show the internal OSPF process routing table.
ospf -database [-verbose] [-process=<OSPF Router Process>] 
Show the LSA database.
ospf -lsa <lsaID> [-process=<OSPF Router Process>] 
Show details for a specified LSA.
ospf -snoop={ON | OFF} [-verbose] [-process=<OSPF Router Process>] 
Show troubleshooting messages on the console.
ospf -ifacedown <interface> 
Take specified interface offline.
ospf -ifaceup <interface> 
Take specified interface online.
ospf -execute={STOP | START | RESTART}
     [-process=<OSPF Router Process>] 
Start/stop/restart OSPF process.

Options

-area
Show area information.
-database
Show the LSA database.
-execute={STOP | START | RESTART}
Start/stop/restart OSPF process. (Admin only)
-iface
Show interface information.
-ifacedown
Take specified interface offline. (Admin only)
-ifaceup
Take specified interface online. (Admin only)
-lsa
Show details for a specified LSA <lsaID>.
-neighbor
Show neighbor information.
-process=<OSPF Router Process>
Specify OSPF router process.
-route
Show the internal OSPF process routing table.
-snoop={ON | OFF}
Show troubleshooting messages on the console.
-verbose
Increase amount of information to display.
<interface>
OSPF enabled interface.
<lsaID>
LSA ID.
<OSPF Area>
OSPF Area.
<OSPF Neighbor>
Neighbor.
{HA | ALT}
Show the HA routing table.

2.2.34. pipe

List pipes and display their status.

Description

Display the current status of traffic shaping.

Usage

pipe -num=<n> [-average] [-grouping] 
List pipe objects.
pipe <Pipe> [-average] [-statistics={ENABLE | DISABLE | RESET}]
     [-grouping] [-num=<n>] 
Display pipe details.
pipe -group=<String> <Pipe> [-average] [-statistics={ENABLE |
     DISABLE | RESET}] 
Display group details for a specific pipe.
pipe -reset <Pipe> 
Reset specific pipe statistics.
pipe -reset 
Reset pipe statistics.
pipe 
Same as "pipe -show".

Options

-average
Show information (average and total) since last reset.
-group=<String>
Show info about this specific group.
-grouping
Show dynamic limits and group info.
-num=<n>
Limit list to <n> pipes. (Default: 20)
-reset
Reset statistics. (Admin only; Advanced view)
-statistics={ENABLE | DISABLE | RESET}
Enable/disable statistics for group(s); the pipe must have been configured with per-group statistics support. (Admin only)
<Pipe>
Display specific pipe.

2.2.35. portmgr

Show portmanager state.

Description

The portmanager CLI command may be used for inspecting the current port usage for a specific source and destination IP pair.

The source IP address is usually a local IP address assigned to one of the gateway's interfaces and used as the source address for NAT. The destination address is a remote destination to which the gateway has a connection.

Usage

portmgr -srcip=<ip addr> -destip=<ip addr> [-port=<1...65535>] 

Options

-destip=<ip addr>
Destination IP address.
-port=<1...65535>
Port number.
-srcip=<ip addr>
Source IP address.

2.2.36. radiussnoop

Enable/Disable snooping on RADIUS interface.

Description

The radiussnoop command is used to view information about messages transferred on the RADIUS interface.

Using the server and user options it is possible to filter the displayed information.

Example 2.14. Display status and used filters

Device:/> radiussnoop

Usage

radiussnoop [-server=<RADIUS Server>] [-user=<String>] [-on] [-off]
            [-verbose] 

Options

-off
Turn RADIUS snooping off.
-on
Turn RADIUS snooping on.
-server=<RADIUS Server>
Name of configured RADIUS Server to snoop on.
-user=<String>
Username to snoop on. Wildcard strings are supported.
-verbose
Enable RADIUS snooping with verbose output.

2.2.37. rfo

Route monitoring commands.

Description

Display information about monitored routes.

Usage

rfo 
Show monitored routes.
rfo -show [-verbose] 
Show verbose information.
rfo -forceenable <Integer> 
Force enable route.
rfo -forcedisable <Integer> 
Force disable route.

Options

-forcedisable
Force disable route.
-forceenable
Force enable route.
-show
Show monitored routes.
-verbose
Show verbose information.
<Integer>
Route monitor session ID.

2.2.38. routes

Display user space routing tables.

Description

Display information about the user space routing table(s):

- Contents of a (named) routing table.
- The list of routing tables, along with a total count of route entries in each table, as well as how many of the entries are single-host routes.

Note that "core" routes for interface IP addresses are not normally shown. Use the -all switch to show core routes also.

Explanation of Flags field of the routing tables:

A
Published via Proxy ARP
B
Learned via BGP
D
Dynamic (from e.g. DHCP relay, IPsec, L2TP/PPP servers, etc.)
H
HA synced from cluster peer
L
Local IP
M
Route is Monitored
O
Learned via OSPF
S
Route is stale (pending update)
P
HA Private
X
Route is Disabled
Z
Route is being updated

Usage

routes -lookup=<ip address> [<table name>] [-rawdb] 
Lookup IP address.
routes 
Show routes.
routes -show [{<ALL> | <table name>}] [-alltypes] [-num={ALL |
       <n>}] [-nonhost] [-verbose] [-rawdb] 
Show routes.
routes -tables 
Show named tables.

Options

-alltypes
Also show routes for interface addresses.
-lookup=<ip address>
Lookup the route for the given IP address.
-nonhost
Do not show single-host routes.
-num={ALL | <n>}
Limit display to <n> entries. (Default: 20)
-rawdb
Show results from slowpath routing tables. (Advanced view)
-show
Show routes in routing table.
-tables
Display list of named routing tables.
-verbose
Verbose.
<table name>
Name of routing table.
{<ALL> | <table name>}
Name of routing table.

2.2.39. rules

Show rules lists.

Description

Shows the content of the various types of rulesets, e.g. the main IP ruleset.

Example 2.15. Show a range of rules.

rules 1-5,7-9 -verbose

Usage

rules 
Show IP rules.
rules -num=<n> 
Show num IP rules.
rules -verbose 
Show IP rules with verbose output.
rules -type={IP | ACCESS | PBR} [<rules>] [-verbose] [-num=<n>] 
Show rules (verbose output).
rules <rules> [-verbose] 
Show IP rules within range 'rules'.

Options

-num=<n>
Limit list to <n> rules. (Default: 40)
-type={IP | ACCESS | PBR}
Type of rules to display. (Default: IP)
-verbose
Verbose: show all parameters of the rules.
<rules>
Range of rules to display. (default: all rules)

2.2.40. rulesnoop

Toggle snooping and displaying of RULE requests.

Description

Toggle snooping and displaying of RULE queries and responses on-screen.

Aborting the rulesnoop command can be done by calling 'rulesnoop none' or by pressing CTRL-C. Using CTRL-C will also terminate all other running CLI commands.

Usage

rulesnoop 
Show snooped state.
rulesnoop {ALL | CORE | NONE | <interface>} [<destination>
          [<source>]] [-verbosity={BASIC | INFORMATIVE | EXTREME}]
          [-ratelim=<1...65535>] 
Snoop specified interface.

Options

-ratelim=<1...65535>
Ratelimit; rule operations snooped per second. (Default: 1)
-verbosity={BASIC | INFORMATIVE | EXTREME}
Verbosity level. The higher the level, the more information is output about the lookup decisions. Each higher level also includes the output of the lower levels. (Default: basic)
<destination>
Destination network filter.
<source>
Source network filter.
{ALL | CORE | NONE | <interface>}
Name of receive interface.

2.2.41. sctp

List current state of SCTP associations.

Description

Display the current state of SCTP associations.

Usage

sctp 
Same as "sctp -show".
sctp -show [-num=<number>] [-initip=<ip address>]
     [-respip=<ip address>] [-initport=<port>] [-respport=<port>]
     [-initif=<Interface>] [-respif=<Interface>] [-vtag=<String>]
     [-state={INIT | INIT-ACK | COOKIE-ECHO | ESTABLISHED |
     SHUTDOWN | SHUTDOWN-WAIT}] [-showvtag] [-compact] [-showalias]
     [-linger] 
Show SCTP associations.
sctp -close [-all] [-initip=<ip address>] [-respip=<ip address>]
     [-initport=<port>] [-respport=<port>] [-initif=<Interface>]
     [-respif=<Interface>] [-vtag=<String>] [-state={INIT |
     INIT-ACK | COOKIE-ECHO | ESTABLISHED | SHUTDOWN |
     SHUTDOWN-WAIT}] 
Close an SCTP association.

Options

-all
Close all SCTP associations. (Admin only)
-close
Close an SCTP association. (Admin only)
-compact
Show reduced version of the table.
-initif=<Interface>
Receive Interface of the initiator of an SCTP association.
-initip=<ip address>
IP address of the initiator of an SCTP association.
-initport=<port>
Port of the initiator of the SCTP association.
-linger
Also display deleted associations lingering in the wait queue.
-num=<number>
Limit output to <number> entries. (Default: 10)
-respif=<Interface>
Receive Interface of the responder of an SCTP association.
-respip=<ip address>
IP address of the responder of an SCTP association.
-respport=<port>
Port of the responder of the SCTP association.
-show
Show SCTP associations.
-showalias
Show also the aliases of an association.
-showvtag
Display the verification tags used by the peers of an association.
-state={INIT | INIT-ACK | COOKIE-ECHO | ESTABLISHED | SHUTDOWN | SHUTDOWN-WAIT}
State in which an association should be in order to be displayed.
-vtag=<String>
Verification tag used by either the initiator or the responder of an association to filter on.

2.2.42. sipalg

SIP ALG.

Description

List running SIP-ALG configurations, SIP registration and call information.

The -flags option with -snoop allows any combination of the following values:

- 0x00000001 GENERAL
- 0x00000002 ERRORS
- 0x00000004 OPTIONS
- 0x00000008 PARSE
- 0x00000010 VALIDATE
- 0x00000020 SDP
- 0x00000040 ALLOW_CHANGES
- 0x00000080 SUPPORTED_CHANGES
- 0x00000100 2543COMPLIANCE
- 0x00000200 RECEPTION
- 0x00000400 SESSION
- 0x00000800 REQUEST
- 0x00001000 RESPONSE
- 0x00002000 TOPO_CHANGES
- 0x00004000 MEDIA
- 0x00008000 CONTACT
- 0x00010000 CONN
- 0x00020000 PING
- 0x00040000 TRANSACTION
- 0x00080000 CALLLEG
- 0x00100000 REGISTRY

Flags can be added in the usual way. The default value is 0x00000003 (GENERAL and ERRORS).

NOTE: 'verbose' option outputs a lot of information on the console which may lead to system instability. Use with caution.
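The following is an added example, not part of the cOS Stream documentation or product: a small Python helper that composes the hexadecimal value for the -flags option from the flag names listed above, and decodes a given value back into names so an operator can check what a snoop session will actually log before enabling it. The flag values and names come from the list above; the function names and the handling of unknown bits are assumptions of this example.

```python
# Added example (not from the cOS Stream reference): build and decode the
# bitmask passed as "sipalg -snoop=ON -flags=<hex>".
# Flag values are taken from the reference; helper names are assumptions.

SIPALG_SNOOP_FLAGS = {
    "GENERAL": 0x00000001,
    "ERRORS": 0x00000002,
    "OPTIONS": 0x00000004,
    "PARSE": 0x00000008,
    "VALIDATE": 0x00000010,
    "SDP": 0x00000020,
    "ALLOW_CHANGES": 0x00000040,
    "SUPPORTED_CHANGES": 0x00000080,
    "2543COMPLIANCE": 0x00000100,
    "RECEPTION": 0x00000200,
    "SESSION": 0x00000400,
    "REQUEST": 0x00000800,
    "RESPONSE": 0x00001000,
    "TOPO_CHANGES": 0x00002000,
    "MEDIA": 0x00004000,
    "CONTACT": 0x00008000,
    "CONN": 0x00010000,
    "PING": 0x00020000,
    "TRANSACTION": 0x00040000,
    "CALLLEG": 0x00080000,
    "REGISTRY": 0x00100000,
}

# Reverse table for decoding: bit value -> flag name.
_FLAG_BY_BIT = {bit: name for name, bit in SIPALG_SNOOP_FLAGS.items()}

# The documented default (GENERAL and ERRORS).
DEFAULT_FLAGS = "0x00000003"


def compose_flags(*names: str) -> str:
    """OR the named flags together and return the 8-digit hex string
    expected by -flags.  Unknown names raise ValueError so a typo does
    not silently turn into a too-quiet (or too-noisy) snoop session."""
    value = 0
    for name in names:
        key = name.upper()
        if key not in SIPALG_SNOOP_FLAGS:
            raise ValueError(f"unknown sipalg snoop flag: {name}")
        value |= SIPALG_SNOOP_FLAGS[key]
    return f"0x{value:08x}"


def decode_flags(hex_value: str):
    """Split a -flags value (with or without a 0x prefix) into the list of
    flag names it enables, plus any bits that match no documented flag.
    Returns (names, unknown_bits); unknown_bits == 0 means the value is
    fully covered by the documented flag set."""
    value = int(hex_value, 16)
    names = [name for bit, name in sorted(_FLAG_BY_BIT.items()) if value & bit]
    known_mask = 0
    for bit in _FLAG_BY_BIT:
        known_mask |= bit
    unknown_bits = value & ~known_mask
    return names, unknown_bits


if __name__ == "__main__":
    # Typical troubleshooting selection: keep the defaults, add SDP and MEDIA.
    flags = compose_flags("GENERAL", "ERRORS", "SDP", "MEDIA")
    print(f"sipalg -snoop=ON -flags={flags}")
    print(decode_flags(flags))
    print(decode_flags(DEFAULT_FLAGS))
```

A value that decodes with a non-zero unknown-bits part is worth double-checking before it is used, since the reference documents only the bits listed above.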

Usage

sipalg -definition [<ALG>] 
Show running ALG configuration parameters.
sipalg -registration[={SHOW | FLUSH}] [<ALG>] [-num=<number>]
       [-index=<number>] [-compact] [-iface=<Interface>]
       [-user=<String>] [-ip=<ip address>] [-sort-column=<number>] 
Show or flush current registration table.
sipalg -call [<ALG>] [-num=<number>] [-sort-column=<number>] 
Show active SIP calls.
sipalg -session [<ALG>] [-num=<number>] [-sort-column=<number>] 
Show active SIP sessions.
sipalg -connection [<ALG>] [-num=<number>] 
Show SIP connections.
sipalg -statistics[={SHOW | FLUSH}] [<ALG>] 
Show or flush SIP counters.
sipalg -snoop={ON | OFF | VERBOSE} [-flags=<String>] 
Control SIP snooping. Useful for troubleshooting SIP transactions. NOTE: 'verbose' option outputs a lot of information on the console which may lead to system instability. Use with caution.

Options

-call
Show active calls table.
-compact
Show compact version of the table.
-connection
Show SIP connections.
-definition
Show running ALG configuration parameters.
-flags=<String>
SIP snooping for certain levels. Expects a number in hexadecimal notation.
-iface=<Interface>
Filter on interface.
-index=<number>
Show only the entry with the given index. (Default: 0)
-ip=<ip address>
Filter on IP address.
-num=<number>
Limit output to <number> entries. (Default: 20)
-registration[={SHOW | FLUSH}]
Show or flush registration table. (Default: show)
-session
Show active SIP sessions.
-snoop={ON | OFF | VERBOSE}
Enable or disable SIP snooping. NOTE: 'verbose' option outputs a lot of information on the console which may lead to system instability. Use with caution. (Admin only)
-sort-column=<number>
Sort the table by the specified column.
-statistics[={SHOW | FLUSH}]
Show or flush SIP counters. (Default: show)
-user=<String>
Filter on user name.
<ALG>
SIP-ALG name.

2.2.43. sslvpn

Displays the state of SSLVPN servers.

Description

The sslvpn command is used to view information about and manage SSLVPNServer tunnel interfaces. It can be used to view and close SSL VPN sessions, and to trigger rekeying of sessions.

Usage

sslvpn -num={ALL | <n>} 
Show SSLVPN service summary.
sslvpn -show [<tunneliface>] [-remoteip=<IP range>]
       [-remoteport=<Integer Range>] [-assignedip=<IP range>]
       [-recviface[=<Interface>]] [-state={CONNECTED | CONNECTING}]
       [-num={ALL | <n>}] 
Show SSLVPN sessions.
sslvpn -snoop={OFF | BRIEF | FULL} [<tunneliface>]
       [-localip=<IP range>] [-remoteip=<IP range>]
       [-remoteport=<Integer Range>] [-recviface[=<Interface>]] 
Enable/Disable SSLVPN message snooping.
sslvpn -close [<tunneliface>] [-all] [-nohalt]
       [-remoteip=<IP range>] [-remoteport=<Integer Range>]
       [-assignedip=<IP range>] [-recviface[=<Interface>]]
       [-state={CONNECTED | CONNECTING}] 
Close SSLVPN sessions.
sslvpn -rekey [<tunneliface>] [-all] [-remoteip=<IP range>]
       [-remoteport=<Integer Range>] [-assignedip=<IP range>] 
Rekey connected SSLVPN sessions.

Options

-all
All SSLVPN sessions.
-assignedip=<IP range>
Filter on IP address assigned to client.
-close
Close SSLVPN sessions.
-localip=<IP range>
Filter on local endpoint IP address.
-nohalt
Do not send a halt message to the SSLVPN client when a session is about to be closed.
-num={ALL | <n>}
Limit display to <n> entries. (Default: 20)
-recviface[=<Interface>]
Filter on receive interface. (Default: any)
-rekey
Trigger key renegotiation for connected SSLVPN sessions.
-remoteip=<IP range>
Filter on remote endpoint IP address.
-remoteport=<Integer Range>
Filter on remote TCP/UDP port by specifying a number or range.
-show
Show SSLVPN sessions.
-snoop={OFF | BRIEF | FULL}
Enable/Disable snooping of an SSLVPN interface.
-state={CONNECTED | CONNECTING}
Filter on session state.
<tunneliface>
SSLVPN tunnel interface.

2.2.44. statistics

View statistical values generated by the system.

Description

View statistical values generated by the system.

In order to view statistical values they must first be specified by using the -add option. The list of values that have been created using -add can be reduced by using the -remove option. Running the command again will then poll the current list of values.

Example 2.16. Add statistical values

Add all interface statistics:
 statistics -add /interfacesbytes_recv

Example 2.17. Poll selected values

Using an interval of 2 seconds:
 statistics -poll -interval=2
Once:
 statistics

Usage

statistics -listall 
List available statistical values.
statistics -listpolled 
Show the poll list.
statistics -stop 
Stop interval polling of statistical values.
statistics -add <value> 
Add statistical values to the list of polled values.
statistics -remove <value> 
Remove statistical values from the list of polled values.
statistics -poll [-interval=<interval>] [-nonzero]
           [-rate[={COUNTERS | MAX | MIN | MOMENTARY | NUMERIC}]]
           [-diff-counters] [-human] [-format={HUMAN | RAW}]
           [-transferrate={BITS | BYTES}] [-numdigits=<1...10>]
           [-timefmt={DECIMAL | UNITS}] [-verbose] 
Poll values.
statistics -snapshot-counters 
Create (or update) the local snapshot of counter based values.
statistics -get <values> [-human] [-format={HUMAN | RAW}]
           [-numdigits=<1...10>] [-timefmt={DECIMAL | UNITS}] 
Directly display values of statistical counters.
statistics 
Poll values.

Options

-add
Add statistical values to the list of polled values.
-diff-counters
For counter based values; show the difference compared to the local snapshot instead of the real value.
-format={HUMAN | RAW}
Controls the formatting of the output.
-get
Directly display values of statistical counters.
-human
Output values in a human readable format, for instance, by using a prefix to the unit such as k (kilo), Ki (kibi), M (mega), Mi (mebi) etc. Short form of -format=human.
-interval=<interval>
Number of seconds between polls. (Default: 0)
-listall
List available statistical values.
-listpolled
Show the poll list.
-nonzero
Only include non-zero values in the output.
-numdigits=<1...10>
Number of digits to strive for when doing human readable formatting.
-poll
Poll values.
-rate[={COUNTERS | MAX | MIN | MOMENTARY | NUMERIC}]
Show the average rate since the last poll; by default only for counter based values. (Default: counters)
-remove
Remove statistical values from the list of polled values.
-snapshot-counters
Create (or update) the local snapshot of counter based values.
-stop
Stop interval polling of statistical values.
-timefmt={DECIMAL | UNITS}
Controls how values representing time are formatted, when doing human readable formatting.
-transferrate={BITS | BYTES}
Controls which unit is used for the rate of byte counters representing transferred data: bits per second (default) or bytes per second. This option only applies to human readable formatting.
-verbose
Show value update info in the output.
<value>
Single statistical value or a group of values.
<values>
Comma separated list of statistical values or a group of values.
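As an added example (not code from the cOS Stream product or its documentation), the following Python reproduces, on constructed sample data, what the -diff-counters, -rate, -transferrate and -human options described above do to two successive polls of counter values. The counter names, the two sample polls and the exact prefix and rounding scheme are assumptions of this example; the reference only states that prefixes such as k/Ki and M/Mi are used.

```python
# Added example, not from the cOS Stream reference: offline model of the
# "statistics -poll" post-processing options on constructed counter samples.
# Counter names, sample values and the rounding scheme are assumptions.

# Decimal (SI) and binary (IEC) prefix tables used by -human formatting.
_SI = [("", 1), ("k", 10**3), ("M", 10**6), ("G", 10**9), ("T", 10**12)]
_IEC = [("", 1), ("Ki", 1024), ("Mi", 1024**2), ("Gi", 1024**3), ("Ti", 1024**4)]


def counter_diff(snapshot: dict, current: dict) -> dict:
    """-diff-counters: value relative to the local snapshot taken with
    -snapshot-counters.  A counter missing from the snapshot, or one that
    went backwards (reset or wrap), yields None rather than a misleading
    negative number."""
    out = {}
    for name, value in current.items():
        base = snapshot.get(name)
        out[name] = None if base is None or value < base else value - base
    return out


def counter_rate(prev: dict, cur: dict, seconds: float, transferrate: str = "BITS") -> dict:
    """-rate: average per-second rate between two polls taken <seconds> apart.
    For byte counters (names ending in 'bytes_recv'/'bytes_sent') the rate is
    reported in bits per second unless -transferrate=BYTES is chosen."""
    if seconds <= 0:
        raise ValueError("poll interval must be positive")
    diffs = counter_diff(prev, cur)
    out = {}
    for name, delta in diffs.items():
        if delta is None:
            out[name] = None
            continue
        rate = delta / seconds
        if name.endswith(("bytes_recv", "bytes_sent")) and transferrate.upper() == "BITS":
            rate *= 8
        out[name] = rate
    return out


def human(value: float, numdigits: int = 3, binary: bool = False) -> str:
    """-human / -numdigits: scale with the largest fitting prefix and keep
    about <numdigits> significant digits."""
    if value == 0:
        return "0"
    prefix, base = "", 1
    for p, b in (_IEC if binary else _SI):
        if abs(value) >= b:
            prefix, base = p, b
    scaled = value / base
    int_digits = len(str(int(abs(scaled)))) if abs(scaled) >= 1 else 1
    decimals = max(numdigits - int_digits, 0)
    return f"{scaled:.{decimals}f}{prefix}"


# Constructed sample: two polls of the same counters, 2 seconds apart.
POLL_1 = {"if_wan_bytes_recv": 1_000, "if_wan_bytes_sent": 500, "flows_open": 120}
POLL_2 = {"if_wan_bytes_recv": 3_000, "if_wan_bytes_sent": 400, "flows_open": 130}
INTERVAL_SECONDS = 2.0

if __name__ == "__main__":
    rates = counter_rate(POLL_1, POLL_2, INTERVAL_SECONDS)
    for name, rate in rates.items():
        shown = "n/a (reset)" if rate is None else human(rate)
        print(f"{name:24s} {shown}")
```

The bytes_sent counter in the sample goes backwards between the two polls, which is how a reset counter would look to a poller; returning None there keeps a bogus negative rate from being fed into a dashboard or alert.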

2.2.45. testmem

Memory Test command.

Description

Test memory library

Usage

testmem -diff [-allocate] [-type={CHAR | UINT}] [-size=<Integer>] 
Allocate memory in 2 different locations.
testmem -allocate [-type={CHAR | UINT}] [-num=<Integer>]
        [-size=<Integer>] [-cat=<1...2>] 
Allocate memory.
testmem -free [-type={CHAR | UINT}] [-id=<Integer>] [-cat=<1...2>] 
Free memory.
testmem -list 
List allocated memory.
testmem -killme 
Exit application.
testmem -fastexit 
Exit application now.
testmem -track 
Print memory allocations.
testmem -start [-size=<Integer>] [-memleak] [-z] 
Start allocation thread.
testmem -stop 
Stop allocation thread.
testmem -usedMem 
Mem_test memory usage.

Options

-allocate
Allocate memory.
-cat=<1...2>
Category to use for allocations. (Default: 1)
-diff
Allocate from different location.
-fastexit
Exit application now.
-free
Free memory.
-id=<Integer>
Index to free.
-killme
Exit application.
-list
List memory consumption.
-memleak
Don't free allocations.
-num=<Integer>
Number of objects to allocate. (Default: 1)
-size=<Integer>
Size of object to allocate. (Default: 1)
-start
Start allocate thread.
-stop
Stop allocate thread.
-track
Print memory allocations.
-type={CHAR | UINT}
Variable type. (Default: char)
-usedMem
Memory used by testmem.
-z
Two allocate threads.

2.2.46. threshold

List current threshold state.

Description

Display the current threshold state.

Explanation of the columns in the "-show" output (Group Limit, Max Current, Active Groups and Exceeding Groups, and the difference between the last two):

Group Limit
The effective limit per group. It is only relevant when the threshold has been configured with "shared scope", otherwise it will just be the configured limit.
Max Current
The largest value currently measured by any group; it is not a historical value. When this group violates the threshold condition(s), the time for which it has been violating the condition is also displayed. E.g. 501/3.03s means 501 concurrent flows (or flows/s) were measured, and this measurement has violated (exceeded) the configured threshold for 3.03s.
Active Groups
The number of groups that are considered "active".
Exceeding Groups
Those (active) groups that are violating the configured threshold condition(s). Exceeding groups are thus a subset of the Active Groups.
NOTE:
When "flow rate" is configured, any group with at least 1 flow setup attempt per configured interval (normally 1s), is considered to be an "active group". When "concurrent flows" is configured, any group with at least 1 open flow, is considered to be an "active group".

Explanation of the Duration column in the "-show -grouping" output:

Duration
When a group has never violated the corresponding threshold definition(s), it will display the time that the group has been "active". If the group currently violates the threshold definition(s), it is the time that the group has been violating the threshold definition(s).
In short, it shows how long the group has been in its current state (how long it has been violating the threshold, how long since it stopped violating the threshold, or how long it has been active).

Usage

threshold -reset 
Reset grouping state of threshold rules.
threshold -show [-num=<n>] [-grouping] 
List grouping state of threshold rules.
threshold -show [-num=<n>] 
Display current state of threshold rules.
threshold <rule> [-num=<n>] [-grouping] [-threshold=<String>] 
Display grouping state for a specific threshold rule.
threshold 
Same as "threshold -show".

Options

-grouping
Show dynamic limits and group info for threshold rule(s).
-num=<n>
Limit output to <n> rows/entries. (Default: 20)
-reset
Reset group state; active groups will be recreated without history. (Admin only; Advanced view)
-show
Show threshold state.
-threshold=<String>
Restrict command to this specific threshold definition.
<rule>
Specific threshold rule.

2.3. Utility

2.3.1. backup

Handles configuration/system backup.

Description

Backup, restore, or revert the status of current system.

There are two types of backups: partial system backups, which only store system configuration data, and complete system backups, which store both the system software and the configuration data. The configuration and/or software data is stored to a single backup file on the device as the backup is created. Backup files may also be transferred to the device remotely.

Using the restore command option, backup files can be used to restore the configuration and/or software from a previously backed up state. Following a backup restore, it is possible to revert to the previous configuration and/or software using the revert command option. Note that performing a complete system restore or complete system revert will require the system to be restarted.

Performing a factory reset will reset the configuration and/or software to the factory defaults of the device. Please consult the administrator's guide before using this option.

Example 2.18. List all backup files

Device:/> backup
(command output)
Device:/> backup -list
(command output)

Example 2.19. Perform a partial (configuration only) system backup and restore

Device:/> backup -create configuration_backup.bkp
Backup file "configuration_backup.bkp" created
(command output)
Device:/> backup -restore configuration_backup.bkp
(command output)
Backup restore successful using "configuration_backup.bkp"
Changes must be activated and committed to be applied

Example 2.20. Perform a complete system backup and restore

Device:/> backup -create complete_backup.bkp -system
Creating full system backup. This may take some time...
Backup file "complete_backup.bkp" created
(command output)
Device:/> backup -restore complete_backup.bkp -system

This will restore the system backup "complete_backup.bkp". On 
completion the system will be rebooted.
Are you sure you want to restore the system backup? [yes/no]:
(command output)

Example 2.21. Revert the system following a partial system restore

Device:/> backup -revert
(command output)
Revert successful
Changes must be activated and committed to be applied

Example 2.22. Revert the system following a complete system restore

Device:/> backup -revert
This will revert the system to the point BEFORE the last backup 
restore. On completion the system will be rebooted.
Are you sure you want to revert the system? [yes/no]
(command output)

Example 2.23. Deleting backup files

Device:/> backup -delete backupfile.bkp
Removed simplebackup.bkp successfully.
Device:/> backup -delete backupfile-???.bkp
Removed some files successfully.
Device:/> backup -delete backupfile-2015*.bkp
Removed some files successfully.
Device:/> backup -delete all
Removed all files successfully.

Example 2.24. Perform a partial factory reset (configuration only)

Device:/> backup -factoryreset
This will reset the configuration (but not the firmware) to factory 
default.
This change is not reversible.
Are you sure you want to continue? [yes/no]: 
(command output)

Example 2.25. Perform a complete factory reset

Device:/> backup -factoryreset -system
This will reset the whole system (both firmware and configuration) to 
factory default.
This change is not reversible.
Are you sure you want to continue? [yes/no]:
(command output)

Usage

backup -list 
List backup files.
backup -create [<create filename>] [-system] [-force] 
Create backup.
backup -restore <restore filename> [-force] [-reboot] 
Restore backup.
backup -delete <delete filename> 
Delete backup.
backup -revert 
Revert applied restore.
backup -factoryreset [-system] [-force] 
Reset the configuration or system to default.
backup 
List backup files.

Options

-create
Create backup.
-delete
Delete backup files ['all' deletes all files].
-factoryreset
Reset configuration and/or system to the factory defaults. Please consult the administrator guide before using this option.
-force
Force continue (never prompt).
-list
List backup files.
-reboot
Reboot the firewall and load the backup file.
-restore
Restore backup.
-revert
Revert applied restore.
-system
Full system backup.
<create filename>
Name of the backup file to create.
<delete filename>
Backup file to delete. (Matching: *.bkp)
<restore filename>
Backup file to restore. (Matching: *.bkp)
NOTE: Requires Administrator privileges.

2.3.2. certmgr

Certificate management.

Description

Manages certificate retrieval and updates.

An example of a "subject" string:
CN=name,O=organization,C=country

An example of a "subjectAltName" string:
172.22.36.1,fc01:2002::1,email@somewhere.com,fqdn.network.org

Usage

certmgr -initiate -clientcert=<Certificate> -username=<String>
        -password=<String> -subject=<String>
        [-subjectAltName=<String>] [-hex] 
Initiate certificate fetching from a CA.
certmgr -update -clientcert=<Certificate> 
Update an existing valid certificate.
certmgr -revoke -clientcert=<Certificate> 
Revoke an existing valid certificate.

Options

-clientcert=<Certificate>
Client certificate to install or update.
-hex
Indicates that the username and password are given as hex values.
-initiate
Fetch a new certificate.
-password=<String>
Password used when fetching a certificate from the CA.
-revoke
Revoke an existing valid certificate. (Admin only)
-subject=<String>
The X509 subject name for the certificate Template.
-subjectAltName=<String>
List of alternate names (FQDN, IP literal or email) for the certificate Template.
-update
Update an existing valid certificate.
-username=<String>
Username used when fetching a certificate from the CA.
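The subject and subjectAltName strings above are free text, so a typo in them is easy to make and only shows up once the CA rejects the request. As an added example that is not part of cOS Stream or this guide, the Python below splits a subject string into its attribute/value pairs and classifies every subjectAltName entry as one of the three forms the -subjectAltName option accepts (IP literal, e-mail address or FQDN), rejecting anything else. The parser assumes values contain no embedded commas, since the guide describes no escaping syntax; the host-name rules are the usual RFC 1123 label rules and are not taken from the product.

```python
import ipaddress
import re

# RFC 1123 host name label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Deliberately loose e-mail shape: one '@' followed by a host name (checked separately).
_EMAIL = re.compile(r"^[^@\s,]+@([^@\s,]+)$")


def parse_subject(subject):
    """'CN=name,O=organization,C=country' -> ordered list of (attribute, value).

    Assumption: attribute values contain no commas (the guide shows no escaping).
    """
    pairs = []
    for part in subject.split(","):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed subject component: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    if "CN" not in dict(pairs):
        raise ValueError("subject has no CN component")
    return pairs


def is_fqdn(name):
    """At least two valid labels and a non-numeric top-level label."""
    labels = name.rstrip(".").split(".")
    return (len(name) <= 253 and len(labels) >= 2
            and not labels[-1].isdigit()
            and all(_LABEL.match(label) for label in labels))


def classify_san(san):
    """Split the comma-separated subjectAltName string into (kind, value) pairs.

    kind is 'IP', 'email' or 'DNS'; any entry that fits none of them raises, so
    the mistake is caught before 'certmgr -initiate' sends the request.
    """
    entries = []
    for raw in san.split(","):
        value = raw.strip()
        if not value:
            raise ValueError("empty subjectAltName entry")
        try:
            ipaddress.ip_address(value)          # accepts both IPv4 and IPv6 literals
            kind = "IP"
        except ValueError:
            mail = _EMAIL.match(value)
            if mail and is_fqdn(mail.group(1)):
                kind = "email"
            elif is_fqdn(value):
                kind = "DNS"
            else:
                raise ValueError(f"not an IP literal, e-mail address or FQDN: {value!r}")
        entries.append((kind, value))
    return entries
```

Run both functions over the two strings from the Description before building the certmgr command line; the returned lists show exactly how each entry will be interpreted.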

2.3.3. cloudconfig

Display OpenStack config drive contents. (NOTE: Command not available when running as a container)

Description

This command is used to display the contents of an OpenStack config drive.

Usage

cloudconfig -show <filename> [-nopages] 
Show config drive file contents.
cloudconfig 
Display config drive availability.

Options

-nopages
Display information without paging. (Admin only)
-show
Show config drive contents. (Admin only)
<filename>
File to display. (Admin only)

2.3.4. crashdump

Manage application crash dumps.

Description

The crashdump command is used to manage crashdump files. Crashdump files are binary files created if the system or subsystem crashes. They hold information on the state of the system at the time of the crash.

Example 2.26. List all crashdump files

Device:/> crashdump
(not shown here)
Device:/> crashdump -list
(not shown here)

Example 2.27. Delete a single crashdump file

Device:/> crashdump -delete 2016-04-21_13.54.25_dhcpserver.dump
(not shown here)

Example 2.28. Delete a crashdump file using wildcards (*?[])

Device:/> crashdump -delete 2014-11-16_12.??.??_dhcpserver.dump
(not shown here)
Device:/> crashdump -delete *_dhcpserver.dump
(not shown here)

Example 2.29. Delete all crashdump files

Device:/> crashdump -delete all
(not shown here)

Usage

crashdump 
List all crash dump files.
crashdump -list 
List all crash dump files.
crashdump -delete {ALL | <filename>} 
Delete crash dump file(s).

Options

-delete
Delete crash dump files. (Admin only)
-list
List stored crash dump files.
{ALL | <filename>}
Name of crashdump file to delete ['all' deletes all files]. (Admin only)

2.3.5. dconsole

View Diagnostic messages generated by the system.

Description

The diagnostic console is used to help troubleshoot internal problems within the firewall.

Using the date, severity, app and category options it is possible to filter the diagnostic messages. Setting a date limit will only show entries from this date and forward. Setting one or more categories will only show entries with the specified category(s); the categories are the same as those used for logging. Setting an app (application name) will only show entries from the specified application. Setting a severity will only show entries with the specified severity and higher. Severity levels are (in order of precedence from highest to lowest): Critical, High, Info (Informational) and Debug.

Aborting the dconsole command can be done by pressing CTRL-C. Note that CTRL-C will also terminate all other running CLI commands.

Usage

dconsole 
Show all Dcon log entries.
dconsole -show [-severity={CRITICAL | HIGH | INFO | DEBUG}]
         [-app=<String>] [-category=<String>] [-date=<String>] 
Show Dcon log entries.
dconsole -clean 
Clears the event message list and removes event message disk file.
dconsole -flush 
Flushes the event message list to disk.

Options

-app=<String>
Only show entries with specified application.
-category=<String>
Only show entries with the specified message category(s).
-clean
Clears the event message list and removes event message disk file.
-date=<String>
YYYY-MM-DD. Only show entries from this date and forward.
-flush
Flushes the event message list to disk.
-severity={CRITICAL | HIGH | INFO | DEBUG}
Only show entries with the specified severity and higher.
-show
Filter Dcon log entries.

2.3.6. echoserver

IP echoserver.

Description

The echo server functionality is used to receive, interpret and echo back IP packets. The rules that are set up when enabling the echo server can be listed using the 'ruledb' CLI command. These rules are among the ones named 'socket'.

IP protocols that are fully supported are the ones listed within the 'protocol' property; their protocol headers are parsed and modified accordingly when echoed back to the sender. It is however possible to set up an echo server for any IP protocol by specifying the IP protocol number and also specifying raw IP format.

The echo server statistics that can be listed using '-stats' show the number of received and echoed packets along with the sum of data sizes for received and sent packets. The packet data sizes are counted without packet headers, i.e. for UDP packets it is the size of the UDP payload and for any raw packet it is the size of the data without the IP header.

Usage

echoserver [-ip=<ip addr>] [-iface=<Interface>] [-stats] [-start]
           [-stop] [-verbose] [-ipv6] [-protocol={UDP | ICMP |
           ICMPV4 | ICMPV6 | ANY | <String>}] [-port=<port>]
           [-flowcnt=<n>] [-raw] 

Options

-flowcnt=<n>
Maximum number of allowed flows, 0 = unlimited.
-iface=<Interface>
Interface to listen on.
-ip=<ip addr>
Local IP address to listen on.
-ipv6
Listen on IPv6 instead of IPv4 (ip option overrides this one).
-port=<port>
Local port number to listen on.
-protocol={UDP | ICMP | ICMPV4 | ICMPV6 | ANY | <String>}
IP Protocol - supported protocols are predefined but any protocol number 1-254 can be used.
-raw
Raw IP echoing. Must be used for unlisted IP protocols.
-start
Start echo server.
-stats
View statistics.
-stop
Stop echo server.
-verbose
Verbose information.
[Note] Note
Requires Administrator privileges.

2.3.7. ethupdate

List ethernet devices and add new devices to the configuration.

Description

The ethupdate command detects available ethernet interfaces and allows for listing these as well as automatically creating the appropriate EthernetDevice configuration objects.

Usage

ethupdate 
List all ethernet devices.
ethupdate -cfgupdate 
Update the configuration by adding new ethernet devices.
ethupdate -status 
Show status of the ethernet devices configuration.

Options

-cfgupdate
Update the configuration by adding new ethernet devices. (Admin only)
-status
Ethernet devices configuration status.

2.3.8. license

Manage and show information about the license.

Description

Activate a new license, show information about the license, or remove the license.

To activate a new license file, first upload it to the device using SCP.

Usage

license 
Show information about the license.
license remove 
Remove the license.
license activate [<Filename>] 
Activate new license.

Options

<Filename>
License file. (Matching: *.lic)
{ACTIVATE | REMOVE}
Specifies which action to take. (Admin only)

2.3.9. log

View log messages generated by the system.

Description

View log messages generated by the system.

This command displays the system log messages. By specifying filter conditions (like 'category', 'action', 'srcip' etc), unwanted log messages can be filtered out. There are two modes, include and exclude mode. By default include mode is used, which means that only the log messages satisfying filter conditions will be shown. Specifying the switch 'excl' will turn on exclude mode. In this case only the log messages not satisfying the filter conditions will be displayed. If the command is already running, users can reset the filter conditions by submitting new ones.

The 'rate' and 'num' display limits can be used to keep the console from being flooded with messages. Setting a 'rate' limit makes the system show only the specified number of log messages per second, discarding the rest. When a 'num' limit is set, display is automatically turned off as soon as the number of log messages shown reaches the specified limit.

Aborting the log command can be achieved by calling it without arguments or by pressing CTRL-C. Notice that using CTRL-C will also terminate all other running CLI commands.

Example 2.30.  Show logs with different filter conditions setup

Destination IP address ranges from 192.168.1.1 to 192.168.1.254:
System:/> log -on -destip=192.168.1.1-192.168.1.254

Action is NOT drop:
System:/> log -on -action=drop -excl

Logs containing text "user" and limit to at most 10 logs per second:
System:/> log -on -text=user -rate=10

First 9 logs with category either "IPv4" or "ARP":
System:/> log -on -category=IPV4,ARP -num=9

Usage

log -on [-excl] [-text=<String>] [-regexp=<String>]
    [-category=<String>] [-action=<String>] [-id=<String>] [-tag]
    [-prio=<String>] [-srcip=<ip addr>] [-destip=<ip addr>]
    [-ip=<ip addr>] [-srciface=<Interface>]
    [-destiface=<Interface>] [-iface=<Interface>]
    [-srcport=<Integer Range>] [-destport=<Integer Range>]
    [-rate=<Integer>] [-num=<Integer>] [-event=<String>] 
Start displaying log messages, with specified filter conditions. If logging is already enabled, filter conditions will be changed to the new ones specified.
log -off 
Stop receiving log messages.
log 
Toggle logging on/off.

Options

-action=<String>
Filter on log action, by specifying either one or several actions, separated by ",". A successful match requires that at least one of the specified actions matches the value of the log parameter "action".
-category=<String>
Filter on log category, by specifying either one or several categories, separated by ",". A successful match requires that at least one of the specified categories matches the value of the log parameter "category".
-destiface=<Interface>
Filter on destination interface. The specified interface will be matched against the values of the log parameters "destiface" and "flowrev_recvif".
-destip=<ip addr>
Filter on destination IP address by specifying an IP address or IP address range. The specified IP address will be matched against the values of all log parameters where the name ends with "destip". Ex: "pkt_destip", "flowfwd_destip".
-destport=<Integer Range>
Filter on destination TCP/UDP port by specifying a number or a range. The port number will be matched against the values of log parameters where the name ends with "destport". Ex: "pkt_destport".
-event=<String>
Filter on log Event.
-excl
Exclude mode: Invert the result by showing only log messages that do NOT match all the filter conditions.
-id=<String>
Filter on log ID.
-iface=<Interface>
Filter on interface. The specified interface will be matched against the values of the log parameters "destiface", "flowrev_recvif", "recviface", "srciface", "pkt_recvif" and "flowfwd_recvif".
-ip=<ip addr>
Filter on IP address by specifying an IP address or IP address range. The specified IP address will be matched against the values of all log parameters where the name ends with "ip". Ex: "pkt_srcip", "serverip".
-num=<Integer>
Limit the max number of log messages to show before automatically turning logging off.
-off
Stop displaying log messages.
-on
Start displaying log messages, with specified filter conditions. If logging is already enabled, filter conditions will be changed to the new ones specified.
-prio=<String>
Filter on minimum log priority. A successful match requires the log parameter "prio" to have the same or higher priority level, as the specified priority. For detailed description of priority levels, see the Log Reference Guide.
-rate=<Integer>
Maximum display rate in log messages per second. Additional logs are discarded.
-regexp=<String>
Filter on log text content by regular expression. The specified regular expression will be matched against the entire text content of logs.
-srciface=<Interface>
Filter on source interface. The specified interface will be matched against the values of the log parameters "recviface", "srciface", "pkt_recvif" and "flowfwd_recvif".
-srcip=<ip addr>
Filter on source IP address by specifying an IP address or IP address range. The specified IP address will be matched against the values of all log parameters where the name ends with "srcip". Ex: "pkt_srcip", "flowfwd_srcip".
-srcport=<Integer Range>
Filter on source TCP/UDP port by specifying a number or a range. The port number will be matched against the values of log parameters where the name ends with "srcport". Ex: "pkt_srcport".
-tag
Filter on tagged flows. (Advanced view)
-text=<String>
Filter on log text content. The specified text will be matched against the entire text content of logs. A successful match requires that a log contains the specified text.
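The option descriptions above define the matching rules precisely (a comma list is an OR, an address filter is matched against every parameter whose name ends with "destip", "srcip" or "ip", exclude mode inverts the whole selection, and 'rate' and 'num' discard or stop output). To make those rules concrete, here is an added Python model of that behaviour, example code that is not part of cOS Stream, run over a handful of constructed log messages in key=value layout. The field names follow the parameter names quoted in the option list; the id and event values and the ts= timestamp field are made up for the example, and the prio filter is left out because the priority order is defined in the Log Reference Guide rather than here.

```python
import ipaddress
import re

# Constructed sample messages in key=value layout. Field names follow the parameter
# names quoted in the option descriptions (pkt_destip, flowfwd_srcip, recviface, ...);
# the id/event values and the ts= field are invented for this example.
SAMPLE_LOG = """\
ts=0.10 prio=warning id=0001 category=RULE event=ruleset_drop_packet action=drop recviface=wan pkt_srcip=203.0.113.7 pkt_destip=192.168.1.10 pkt_destport=22 ipproto=TCP
ts=0.20 prio=info id=0002 category=FLOW event=flow_open action=allow recviface=lan destiface=wan flowfwd_srcip=192.168.1.20 flowfwd_destip=198.51.100.5 flowfwd_destport=443 ipproto=TCP
ts=0.30 prio=info id=0003 category=ARP event=arp_resolve_failed action=none recviface=lan pkt_destip=192.168.1.254
ts=0.40 prio=warning id=0001 category=RULE event=ruleset_drop_packet action=drop recviface=wan pkt_srcip=203.0.113.7 pkt_destip=192.168.1.200 pkt_destport=3389 ipproto=TCP
ts=1.50 prio=info id=0004 category=FLOW event=flow_close action=close recviface=lan flowfwd_srcip=192.168.1.20 flowfwd_destip=198.51.100.5 flowfwd_destport=443 user=alice
ts=1.60 prio=notice id=0005 category=USERAUTH event=user_login action=accepted user=bob serverip=192.168.1.1
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# Parameter names the interface filters are matched against (taken from the option text).
IFACE_SRC = ("recviface", "srciface", "pkt_recvif", "flowfwd_recvif")
IFACE_DEST = ("destiface", "flowrev_recvif")


def parse_line(line):
    """Split 'k=v k=v ...' into a dict; the raw line is kept for -text and -regexp."""
    rec = {"_raw": line}
    for tok in line.split():
        key, _, val = tok.partition("=")
        rec[key] = val
    return rec

def ip_matches(spec, value):
    """spec is one address or a 'first-last' range, as -srcip/-destip/-ip accept."""
    try:
        addr = ipaddress.ip_address(value)
        bounds = [ipaddress.ip_address(p) for p in spec.split("-", 1)]
    except ValueError:
        return False
    lo, hi = bounds[0], bounds[-1]
    return lo.version == hi.version == addr.version and lo <= addr <= hi

def port_matches(spec, value):
    """spec is one port or a 'low-high' range, as -srcport/-destport accept."""
    if not value.isdigit():
        return False
    bounds = [int(p) for p in spec.split("-", 1)]
    return bounds[0] <= int(value) <= bounds[-1]

def any_with_suffix(rec, suffix, pred):
    """Apply pred to every parameter whose name ends with suffix (e.g. 'destip')."""
    return any(pred(val) for key, val in rec.items() if key.endswith(suffix))

def satisfies(rec, conds):
    """True when the record meets *all* filter conditions (include-mode semantics)."""
    for name, spec in conds.items():
        if name in ("category", "action"):
            wanted = {s.upper() for s in spec.split(",")}     # comma list: any one may match
            ok = rec.get(name, "").upper() in wanted
        elif name in ("srcip", "destip", "ip"):
            ok = any_with_suffix(rec, name, lambda v: ip_matches(spec, v))
        elif name in ("srcport", "destport"):
            ok = any_with_suffix(rec, name, lambda v: port_matches(spec, v))
        elif name in ("srciface", "destiface", "iface"):
            keys = {"srciface": IFACE_SRC, "destiface": IFACE_DEST,
                    "iface": IFACE_SRC + IFACE_DEST}[name]
            ok = any(rec.get(k) == spec for k in keys)
        elif name == "text":
            ok = spec in rec["_raw"]
        elif name == "regexp":
            ok = re.search(spec, rec["_raw"]) is not None
        elif name in ("id", "event"):
            ok = rec.get(name) == spec
        else:
            raise ValueError(f"filter not modelled here: {name}")
        if not ok:
            return False
    return True

def show_log(lines, excl=False, num=None, rate=None, **conds):
    """Records 'log -on' would display: excl inverts the selection, rate keeps at most
    `rate` records per second of the ts= field, num turns display off after `num`."""
    shown, window, in_window = [], None, 0
    for line in lines:
        rec = parse_line(line)
        if satisfies(rec, conds) == excl:   # include mode shows hits, exclude mode shows misses
            continue
        if rate is not None:
            sec = int(float(rec.get("ts", "0")))
            if sec != window:
                window, in_window = sec, 0
            if in_window >= rate:
                continue                    # over the per-second limit: discarded
            in_window += 1
        shown.append(rec)
        if num is not None and len(shown) >= num:
            break                           # -num reached: display is turned off
    return shown
```

The four invocations in Example 2.30 map directly onto keyword arguments, e.g. show_log(SAMPLE_LINES, destip="192.168.1.1-192.168.1.254") or show_log(SAMPLE_LINES, action="drop", excl=True). Two details worth noticing in the output: the -ip filter also hits parameters such as "serverip" because only the name suffix is compared, and with a 'rate' of one the second of two messages logged in the same second is silently discarded rather than delayed.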

2.3.10. pcapdump

Packet capture utility.

Description

Capture, save and view packets.

Example 2.31. Perform packet capture on interface "if1". Packets will be written to a file with an auto-generated name when capture is stopped.

Device:/> pcapdump -start if1
Device:/> pcapdump -stop if1
Stopping packet capture: if1.
Interface  Pkts(In)  Pkts(Out)  Saved to file
---------  --------  ---------  ---------------------------
if1        26        25         if1_2015-01-01_00.00.00.cap

Example 2.32. Perform packet capture on interface "if1". Write the packets to a file called "if1.cap".

Device:/> pcapdump -start if1 -nowrite
Device:/> pcapdump -stop if1
Device:/> pcapdump -write if1 if1.cap

Example 2.33. Perform packet snoop on interface "if1" with filters.

Device:/> pcapdump -start if1 -out -nocap -ipsrc=192.168.0.1 -port=999
#1 >if1 IP 192.168.0.1->192.168.255.255  IHL:20  DataLen:48 TTL:255 Proto:UDP
   UDP 999->999  DataLen:40
Device:/> pcapdump -stop if1

Example 2.34. Show the capture status.

System:/> pcapdump -status
                      PCAP Status

Interface  Mode    Packets(In)  Packets(Out)  Filter
---------  ------  -----------  ------------  ------
if1        Active  27           0        
Explanation of the "Mode" column:
  "Active" - The interface is being captured.
  "Snoop"  - Packets are being printed out but not captured.
  "Idle"   - Capture has stopped and packets can be written to storage by using "pcapdump -write".

Example 2.35. List the capture files.

Device:/> pcapdump -list

Example 2.36. Show the content of a capture file in hexadecimal format.

Device:/> pcapdump -show if1_2015-01-01_00.00.00.cap -hex

Example 2.37. Remove the capture files and free the memory used by pcapdump.

Device:/> pcapdump -remove

Usage

pcapdump 
Show capture status.
pcapdump -status 
Show capture status.
pcapdump -list 
List capture files in the storage.
pcapdump -start [<interface>] [-eth=<EthernetAddress>]
         [-ethsrc=<EthernetAddress>] [-ethdest=<EthernetAddress>]
         [-ip=<IP>] [-ipsrc=<IP>] [-ipdest=<IP>] [-proto={ICMP |
         IGMP | IPV4 | TCP | UDP | IPV6 | GRE | ESP | AH | ICMPV6 |
         OSPF | MTP | L2TP | SCTP | <Integer Range>}]
         [-port={BOOTPS | BOOTPC | FTP | SSH | TELNET | SMTP | HTTP
         | NTP | SNMP | BGP | HTTPS | <Integer Range>}]
         [-portsrc={BOOTPS | BOOTPC | FTP | SSH | TELNET | SMTP |
         HTTP | NTP | SNMP | BGP | HTTPS | <Integer Range>}]
         [-portdest={BOOTPS | BOOTPC | FTP | SSH | TELNET | SMTP |
         HTTP | NTP | SNMP | BGP | HTTPS | <Integer Range>}]
         [-bufsize=<Integer>] [-count=<Integer>]
         [-snaplen=<Integer>] [-out] [-nocap] [-hex] [-k12]
         [-nowrite] [-verbose] 
Start capture with specified filters and limits. If capture is already started, the filters and limits will be changed to the new ones specified.
pcapdump -stop [<interface>] 
Stop capture.
pcapdump -show [<interface>] [-filename=<filename>] [-num[={ALL |
         <1...65535>}]] [-hex] [-k12] [-verbose] 
Show a brief summary of captured packets.
pcapdump -write [<interface> [<filename>]] 
Write the captured packets to storage.
pcapdump -remove [<interface>] [-filename=<filename>] 
Remove the packets captured on an interface, or remove a capture file. If interface and filename are not specified, all captured packets and files will be removed.

Options

-bufsize=<Integer>
The maximum total size (KB) of packets that can be captured on an interface before the capture is stopped automatically. (Default: 128)
-count=<Integer>
The maximum number of packets that can be captured on an interface before the capture is stopped automatically.
-eth=<EthernetAddress>
Ethernet address filter.
-ethdest=<EthernetAddress>
Ethernet destination address filter.
-ethsrc=<EthernetAddress>
Ethernet source address filter.
-filename=<filename>
File name. (Matching: *.cap)
-hex
Display the packets in hexadecimal format.
-ip=<IP>
IP address filter.
-ipdest=<IP>
Destination IP address filter.
-ipsrc=<IP>
Source IP address filter.
-k12
Display the packets in K12 format.
-list
List capture files in the storage.
-nocap
Do not store packets in the buffer.
-nowrite
Do not write the captured packets to storage automatically when the capture stops.
-num[={ALL | <1...65535>}]
Maximum number of entries to show. (Default: 20)
-out
Display realtime packet brief.
-port={BOOTPS | BOOTPC | FTP | SSH | TELNET | SMTP | HTTP | NTP | SNMP | BGP | HTTPS | <Integer Range>}
TCP/UDP port filter.
-portdest={BOOTPS | BOOTPC | FTP | SSH | TELNET | SMTP | HTTP | NTP | SNMP | BGP | HTTPS | <Integer Range>}
Destination TCP/UDP port filter.
-portsrc={BOOTPS | BOOTPC | FTP | SSH | TELNET | SMTP | HTTP | NTP | SNMP | BGP | HTTPS | <Integer Range>}
Source TCP/UDP port filter.
-proto={ICMP | IGMP | IPV4 | TCP | UDP | IPV6 | GRE | ESP | AH | ICMPV6 | OSPF | MTP | L2TP | SCTP | <Integer Range>}
IP protocol filter.
-remove
Remove packets.
-show
Show a brief summary of captured packets.
-snaplen=<Integer>
Maximum length (in Bytes) of each packet to capture.
-start
Start capture.
-status
Show capture status.
-stop
Stop capture.
-verbose
Display more information.
-write
Write the captured packets to storage.
<filename>
Name of the file to be written to. Leave it empty to use a name automatically generated.
<interface>
Name of interface.
[Note] Note
Requires Administrator privileges.

2.3.11. ping

Ping host.

Description

Sends one or more ICMP ECHO, TCP or UDP packets to the specified IP address of a host. All datagrams are sent preloaded-style (all at once).

The data size -length given is the ICMP or UDP data size. 1472 bytes of ICMP data results in a 1500-byte IP datagram (1514 bytes ethernet).

When -srciface IS NOT specified, the outbound packet is routed using the "main" RoutingTable, unless -routingtable is specified. Once route lookup is done, the packet is always allowed to be sent out, regardless of configured rule sets.

When -srciface IS specified, the system simulates that it has received the packet from -srcip on -srciface and will perform route lookup according to the system configuration (RoutingRules, InterfaceMembership, etc.). Then the packet will be processed according to the configured rule sets.

It's possible to use -v or even -vv to show more information.

Example 2.38. Using TCP to probe network connectivity against a HTTP server.

gw-world:/> ping -tcp server_ip -port=80 -request="GET / HTTP/1.0\n\n"

Example 2.39. Using ICMP simulation to troubleshoot connectivity from an endpoint on the LAN network to a server on the WAN network.

gw-world:/> ping server_ip -srcip=ip-of-lan-endpoint -srciface=lan -vv

Usage

ping <host> [-sharedip] [-srciface=<interface>]
     [-srcip=<ip address>] [-iface=<interface>]
     [-routingtable=<table>] [-num=<1...10>] [-length=<4...59948>]
     [-v] [-verbose] [-vv] 
Send an ICMP ping.
ping -udp <host> [-sharedip] [-srciface=<interface>]
     [-srcip=<ip address>] [-routingtable=<table>] [-num=<1...10>]
     [-length=<4...59948>] [-srcport=<1...65535>]
     [-port=<1...65535>] [-v] [-verbose] [-vv] 
Send a UDP ping.
ping -tcp <host> [-iface=<interface>] [-srciface=<interface>]
     [-srcip=<ip address>] [-routingtable=<table>]
     [-port=<1...65535>] [-request=<String>] [-v] [-verbose] [-vv]
     [-num=<1...10>] [-srcport=<1...65535>] 
Send a TCP ping.

Options

-iface=<interface>
Interface to send on when using an IPv6 link-local address as destination.
-length=<4...59948>
Packet size. (Default: 4)
-num=<1...10>
Number of packets to send. (Default: 1)
-port=<1...65535>
Destination port of UDP or TCP ping. (Default: 7)
-request=<String>
Request to send to the host. It is not possible to combine this with the 'srciface' option. (Default: ping)
-routingtable=<table>
Route using named routing table. It is not possible to combine this with the 'srciface' option.
-sharedip
Send ping using shared IP/MAC (HA).
-srciface=<interface>
Pass packet through the rule set, simulating that it was received by <srciface>.
-srcip=<ip address>
Use this source IP.
-srcport=<1...65535>
Source port of UDP or TCP ping.
-tcp
Send a TCP ping. When 'srciface' is not specified, the system will try to establish a TCP connection with the host and send data through the connection. When 'srciface' is specified, the system will simulate and send a TCP SYN packet to the destination.
-udp
Send a UDP ping.
-v
Alias for 'verbose' option.
-verbose
Verbose (more information).
-vv
More verbose.
<host>
IP address of host to ping.
[Note] Note
Requires Administrator privileges.

2.3.12. script

Run and manage script files.

Description

The script command can be used to create, run and manage scripts.

Configuration script files are files that consist of CLI configuration commands, one per line. Script file comment lines begin with the character '#'. Arguments to scripts are available by variable substitution, where '$0' is replaced by the script file name and the variables $1-$N are replaced by the supplied arguments. Escaping the '$' sign is done as '\$'.

All or parts of the current running configuration that are not read-only can be created as a script file and either displayed to the console or stored to disk. When selecting to create a script of parts of the configuration this can be done with the granularity of object category e.g. [Address], object class e.g. IPAddress or a single object.

When a script is created from the configuration it will include any uncommitted objects. I.e. it is possible to create script files of changes without committing them to the system first.

Script files are transferred to and from the device by using the SCP protocol. On the device, script files must be stored in the "/scripts" folder in order for the script command to make use of them.

When adding or changing configuration objects using a script file it is possible to do the changes 'out-of-order'. I.e. if one object refers to another object, the first object can be added and refer to the second object even though that object has not yet been added. Normally when a configuration change is done through the CLI, it is immediately validated and any errors are reported back to the user. When running commands from a script file the reference validation is turned off during execution of consecutive 'add' and 'set' commands and turned back on again when any other command is executed, or the script ends.

It is not recommended to run scripts while configuration modifications are being made from other user sessions.

Example 2.40. Create script of all configuration objects

Device:/> script -create -filename all.sgs

Example 2.41. Create and show script of Address objects

Show script of Address category objects:
Device:/> script -create Address
(not shown here)
Show script of all IPAddress objects:
Device:/> script -create Address IPAddress
(not shown here)
Show script of a single IPAddress object:
Device:/> script -create Address IPAddress myaddress
(not shown here)

Example 2.42. View and run the example script example.sgs

Show the file:
Device:/> script -show example.sgs
(not shown here)  
Running the script:
Device:/> script -run example.sgs test 1.2.3.4   
(not shown here)

Example 2.43. Script using substitution

"script.sgs":
add Address IPAddress $1 Address=$2 Comments="$0: \$100"
Device:/> script -run script.sgs ip_test 127.0.0.1
is executed as the line:
add Address IPAddress ip_test Address=127.0.0.1 Comments="script.sgs: $100"
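Two behaviours described above are easy to get wrong when writing scripts by hand: the substitution rules ('$0', '$1'..'$N' and the '\$' escape) and the fact that reference validation is switched off across a run of consecutive add/set commands and switched back on by the next other command or the end of the script. As an added illustration that is not part of cOS Stream or this guide, the Python below models both. The object type ExampleRule, the property names in REF_PROPS and the two sample scripts are placeholders invented for the example, and because the guide does not say how a variable with no matching argument is expanded, the model treats that as an error.

```python
import re
import shlex

# Placeholder schema for this illustration only: property names whose values are
# references to other configuration objects. It is not the product's schema.
REF_PROPS = {"SourceNetwork", "DestinationNetwork"}

# '\$' is tried first, so an escaped dollar sign can never start a variable.
_VAR = re.compile(r"\\\$|\$(\d+)")

# Constructed scripts (not from the guide); ExampleRule/SourceNetwork are placeholders.
EXAMPLE_SCRIPT = r"""# constructed example: $1 = rule name, $2 = network object, $3 = its address
add Rules ExampleRule $1 SourceNetwork=$2 Comments="$0: budget \$100"
add Address IPAddress $2 Address=$3
commit
"""
BAD_SCRIPT = "add Rules ExampleRule r2 SourceNetwork=missing_net\ncommit\n"


def substitute(line, script_name, args):
    """Expand $0 (script file name) and $1..$N (arguments); '\\$' yields a literal '$'.

    Assumption: a variable without a matching argument is an error; the guide does
    not say what the product does in that case.
    """
    def repl(m):
        if m.group(1) is None:              # matched the '\$' escape
            return "$"
        n = int(m.group(1))
        if n == 0:
            return script_name
        if n > len(args):
            raise IndexError(f"${n} used but only {len(args)} argument(s) supplied")
        return args[n - 1]
    return _VAR.sub(repl, line)


class ScriptRunner:
    """Toy executor showing how reference validation is deferred across add/set runs."""

    def __init__(self, existing_names=()):
        self.names = set(existing_names)   # identifiers of objects in the (toy) configuration
        self.pending = []                  # (lineno, property, target) refs awaiting validation
        self.executed = []                 # expanded command lines, in execution order

    def _flush_refs(self):
        """Validate every deferred reference and return the error messages."""
        errors = [f"line {ln}: {prop}={target} refers to an unknown object"
                  for ln, prop, target in self.pending if target not in self.names]
        self.pending.clear()
        return errors

    def run(self, script_name, text, args, force=False):
        """Run a script and return (executed lines, validation errors).

        Like 'script -run', the first validation error aborts the run unless
        force=True, which mirrors -force and carries on past the error.
        """
        errors = []

        def checkpoint():
            errs = self._flush_refs()
            if errs and not force:
                raise ValueError(errs[0])
            errors.extend(errs)

        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):   # blank lines and '#' comments are skipped
                continue
            line = substitute(line, script_name, args)
            cmd, *rest = shlex.split(line)         # shlex keeps quoted values in one token
            if cmd in ("add", "set"):
                # Consecutive add/set commands may reference objects not yet added, so
                # references are only recorded here and checked at the next checkpoint.
                positional = [t for t in rest if "=" not in t]
                props = dict(t.split("=", 1) for t in rest if "=" in t)
                if cmd == "add" and positional:
                    self.names.add(positional[-1])  # 'add <Category> <Type> <Identifier> ...'
                self.pending.extend((lineno, p, v) for p, v in props.items() if p in REF_PROPS)
            else:
                checkpoint()      # any other command turns validation back on
            self.executed.append(line)
        checkpoint()              # ...as does reaching the end of the script
        return self.executed, errors
```

Running EXAMPLE_SCRIPT with the arguments r1, lan_net and 192.168.1.0/24 succeeds even though the rule referring to lan_net is added before lan_net itself exists; the check only happens when 'commit' is reached. BAD_SCRIPT references an object that is never added, so the same check fails at 'commit', and with force=True the run continues and reports the error instead of stopping.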

Usage

script 
List script files.
script -list 
List script files.
script -create [[<Category>] <Type> [<Identifier>]]
       [-filename=<script file>] 
Create a script containing the selected object types.
script -run <script file> [-verbose] [-force] [<arguments>]...
Run script.
script -delete <script file> 
Delete script.
script -show <script file> 
Show script in console window.

Options

-create
Create a script containing specified object types.
-delete
Delete script file.
-filename=<script file>
Name of script.
-force
Force completion of script execution despite errors.
-list
List script files.
-run
Run selected script.
-show
Show script in console window.
-verbose
Verbose mode.
<arguments>
List of input arguments.
<Category>
Category that groups object types.
<Identifier>
The property that identifies the configuration object. May not be applicable depending on the specified <Type>.
<script file>
Name of script.
<Type>
Type of configuration object to perform operation on.
[Note] Note
Requires Administrator privileges.

2.3.13. sshserver

SSH Server.

Description

Show SSH Server status, or restart SSH Server.

Usage

sshserver 
Show server status and list all connected clients.
sshserver -status [-verbose] 
Show server status and list all connected clients.
sshserver -keygen [-bits=<bits>] [-type={RSA | DSA | ECDSA}] 
Generate SSH Server private keys.
sshserver -fingerprint [-md5] 
Show the fingerprints of the SSH keys.
sshserver -restart [<ssh server>] [-full] 
Restart SSH Server.

Options

-bits=<bits>
Bitsize.
-fingerprint
Display the fingerprints of the system's SSH keys.
-full
Perform a full restart of the SSH Server.
-keygen
Generate SSH Server private keys. This operation may take a long time to finish, up to several minutes!
-md5
Display the fingerprint as MD5 instead of the default.
-restart
Stop and start the SSH Server.
-status
Show server status and list all connected clients.
-type={RSA | DSA | ECDSA}
Key type (default: both RSA and DSA keys will be created). Note that DSA keys are limited to 1024 bits and have been disabled by default in OpenSSH clients since version 7.0; prefer RSA or ECDSA when generating new server keys.
-verbose
Verbose output.
<ssh server>
SSH Server.
[Note] Note
Requires Administrator privileges.

2.3.14. system

Handles system operations and shows system information.

Description

Handles system operations and shows system information.

Usage

system -cpuinfo [-verbose] 
Show information about the CPU.
system -update-bootloader-configuration [-force] 
Update the bootloader configuration. This command should only be run when instructed to do so.

Options

-cpuinfo
Show information about the CPU.
-force
Force continue (never prompt). (NOTE: Option not available when running as a container)
-update-bootloader-configuration
Update the bootloader configuration. (NOTE: Option not available when running as a container). (Admin only)
-verbose
Verbose (more information).

2.3.15. techsupport

Stores and views Technical Support Information.

Description

Used to collect technical support information from the system. Issuing the command without options will write the information to a file stored locally on the device. Any existing file will be overwritten.

After successful storage, the file may be remotely copied over the SSH Remote Management interface (using SCP) or printed to console using the 'show' command option.

Usage

techsupport 
Store technical support information to file.
techsupport -show [-nopages] 
Display stored technical support information.
techsupport -printconf [-nopages] 
Display system configuration as XML.

Options

-nopages
Display information without paging.
-printconf
Display system configuration as XML.
-show
Display stored technical support information.
[Note] Note
Requires Administrator privileges.

2.3.16. time

Display and set current system time.

Description

Display and set the system date and time.

Usage

time -sleep=<String> 
Pause CLI session for the specified number of seconds.
time -sync [-force] 
Synchronize time with timeserver(s) (specified in settings).
time -status 
Show time synchronization status information.
time -set <date> <time> 
Set local system time: <YYYY-MM-DD> <HH:MM:SS>.
time 
Display current system time.

Options

-force
Force synchronization regardless of the MaxAdjust setting. (Admin only)
-set
Set local system time: <YYYY-MM-DD> <HH:MM:SS>. (Admin only)
-sleep=<String>
Pause CLI session for the specified number of seconds.
-status
Show runtime time synchronization status.
-sync
Synchronize time with timeserver(s) (specified in settings). (Admin only)
<date>
Date YYYY-MM-DD.
<time>
Time HH:MM:SS.

2.3.17. top

Show CPU usage of the system.

Description

Show CPU usage of the system.

Time - The time measurement uses the format S.s, MM:SS or HH:MM:SS depending on the amount of time to display.

CPU - The system CPU measurement spans from zero to a hundred percent, measuring the current amount of CPU resources not being idle. When measuring the CPU usage per module a value above 100% indicates that this module utilizes resources from several CPU units.

Example 2.44. Sort on name

top -list -sort=alpha

Usage

top 
List processes and show CPU utilization.
top -list [-num=<n>] [-sort={ALPHA | TIME | TOP}] 
List processes and show CPU utilization.

Options

-list
List running US applications.
-num=<n>
Number of entries to display. (Default: 20)
-sort={ALPHA | TIME | TOP}
Set display sort order.

2.3.18. traceroute

Trace the route to a destination.

Description

Print the route packets take to a network host.

Usage

traceroute <host> [-timeout=<1...60000>] [-srcip=<ip address>]
           [-iface=<interface>] [-routingtable=<table>]
           [-interval=<0...60000>] [-length=<1...8192>] [-verbose]
           [-queries=<1...10>] [-ttl=<1...255>] [-maxttl=<1...255>]
           [-noresolve] [-ipver={4 | 6}] 
Send an ICMP probe.
traceroute -udp <host> [-timeout=<1...60000>] [-srcip=<ip address>]
           [-routingtable=<table>] [-queries=<1...10>]
           [-length=<1...8192>] [-port=<1...65535>] [-verbose]
           [-interval=<0...60000>] [-ttl=<1...255>]
           [-maxttl=<1...255>] [-noresolve] [-ipver={4 | 6}] 
Send a UDP probe.
traceroute -tcp <host> [-timeout=<1...60000>] [-srcip=<ip address>]
           [-routingtable=<table>] [-queries=<1...10>]
           [-length=<1...8192>] [-port=<1...65535>] [-verbose]
           [-iface=<interface>] [-interval=<0...60000>]
           [-ttl=<1...255>] [-maxttl=<1...255>] [-noresolve]
           [-ipver={4 | 6}] 
Send a TCP probe.

Options

-iface=<interface>
Interface to send on when using an IPv6 link-local address as destination.
-interval=<0...60000>
Time in milliseconds between sending probes. (Default: 1000)
-ipver={4 | 6}
Use IPv4/IPv6.
-length=<1...8192>
Packet payload size. (Default: 32)
-maxttl=<1...255>
Maximum time-to-live value (number of hops). (Default: 32)
-noresolve
Do not resolve addresses.
-port=<1...65535>
Destination port.
-queries=<1...10>
Number of queries to send each hop. (Default: 3)
-routingtable=<table>
Route using specified routing table.
-srcip=<ip address>
Use specified source IP.
-tcp
Send TCP probes instead of default ICMP.
-timeout=<1...60000>
Time in milliseconds to wait for each response. (Default: 4000)
-ttl=<1...255>
Start time-to-live value on probes (first hop). (Default: 1)
-udp
Send UDP probes instead of default ICMP.
-verbose
Verbose (more information).
<host>
IP address or hostname of destination to trace.
[Note] Note
Requires Administrator privileges.

2.3.19. upgrade

Upgrade system. (NOTE: Command not available when running as a container)

Description

Perform system upgrades and manage upgrade files.

Upgrading the system software/firmware is performed by applying upgrade files stored on the device. Upgrade files are digitally signed software binary files created specifically for different hardware models. Apart from performing upgrades, the command also allows listing of upgrade files stored on the device as well as deleting the files.

NOTE: Make sure to select an upgrade file that matches the hardware model used.

NOTE: Upgrading the software/firmware will require a complete system restart and it is therefore highly recommended to perform a complete backup of the system before proceeding.

Example 2.45. Upgrade to a new software/firmware version

Device:/> upgrade firmware_v1_20.upg
(command output)

Example 2.46. List all upgrade files

Device:/> upgrade
(command output)
Device:/> upgrade -list
(command output)

Example 2.47. Delete upgrade files

Device:/> upgrade -delete firmware_v1_20.upg
Removed firmware_version_x.upg successfully.
Device:/> upgrade -delete firmware_v1_??.upg
Removed some files successfully.
Device:/> upgrade -delete firmware_*.upg
Removed some files successfully.
Device:/> upgrade -delete *
Removed all files successfully.

Usage

upgrade 
List upgrade files.
upgrade -list 
List upgrade files.
upgrade <upgrade filename> [-force] 
Apply upgrade.
upgrade -delete <delete filename> 
Delete upgrade file.

Options

-delete
Delete upgrade files.
-force
Force continue (never prompt).
-list
List upgrade files.
<delete filename>
Upgrade file to delete. (Matching: *.upg)
<upgrade filename>
Upgrade file. (Matching: *.upg)
[Note] Note
Requires Administrator privileges.

2.3.20. uptime

Display current system uptime.

Description

Display current system uptime.

Usage

uptime 

2.4. Misc

2.4.1. about

Show copyright/build information.

Description

Show copyright/build information.

Usage

about 
Show copyright/build information.

2.4.2. alias

Manage aliases.

Description

Aliases are user-defined mappings between a keyword and CLI commands, primarily intended to create shortcuts for commonly used commands that require many options. To execute an alias, prefix it with ":". Pressing tab or enter will replace the alias keyword with the corresponding mapped command.

Usage

alias 
Show active alias mappings.
alias -add=<String> -cmd=<String> [-description=<String>] 
Add alias mapping.
alias -set=<String> [-cmd=<String>] [-description=<String>] 
Set/update active alias mapping.
alias -remove=<String> 
Remove active alias mapping.
alias -show 
Show active alias mappings.
alias -import <filename_import> 
Import the active alias mappings from file.
alias -export <filename_export> 
Export the active alias mappings to a file.
alias -save 
Save the current alias mappings to persistent storage.

Options

-add=<String>
Keyword of the alias to be added.
-cmd=<String>
Command the alias transforms into.
-description=<String>
Optional description.
-export
Export the active alias mappings to a file.
-import
Import the active alias mappings from file.
-remove=<String>
Keyword of the alias to be removed.
-save
Save the active alias mappings to persistent storage.
-set=<String>
Keyword of the alias to be set/updated.
-show
Show active alias mappings.
<filename_export>
Filename of alias mappings to export.
<filename_import>
File containing alias mappings to import. (Matching: *.cfg)

2.4.3. cfglog

Show configuration log.

Description

Displays warning and error messages related to configuration of the system. By default, shows log entries from the latest reconfigure sequence.

Usage

cfglog 
Show log.
cfglog -all 
Show all log entries.
cfglog -clear 
Clear log.

Options

-all
Show all log entries.
-clear
Clears all entries in the configuration log. (Admin only)

2.4.4. clear

Clear the console screen.

Description

Clear console screen from text.

Usage

clear 

2.4.5. cmdview

Set the command view(s).

Description

Set the command views that are used to filter the set of commands and options available in the CLI.

Besides the ordinary set of commands within the 'default' view, there are two other views named 'advanced' and 'debug'. The 'advanced' view covers commands that display extensive and detailed information about the system's runtime values. The commands within the 'advanced' view do not have any impact on the system's behavior and network traffic. The commands covered by the 'debug' view can affect system behavior and network traffic and should be used with some care. These commands are mainly intended for system/network tests and debugging.

Usage

cmdview [{DEFAULT | ADVANCED | DEBUG | SERVICE | ALL}] 

Options

{DEFAULT | ADVANCED | DEBUG | SERVICE | ALL}
Command view.

2.4.6. echo

Print text.

Description

Print text to console.

Example 2.48. Hello World

Device:/> echo Hello World

Usage

echo [<String>]...

Options

<String>
Text to print.

2.4.7. exit

End the current session.

Description

Log out and terminate the current session.

Usage

exit 

2.4.8. grep

Filter the output based on a regular expression.

Description

The grep command is a text-search utility that searches output for specified patterns, printing lines where these patterns occur. It allows for advanced searches, including inverting the search and counting matching lines. Integrate other commands with grep using a pipe (|) for enhanced text processing and data analysis.

Usage

grep <Expr> [-v] [-i] [-k] [-A=<num>] [-B=<num>] [-C=<num>] 

Options

-A=<num>
Number of lines to include after match. (Default: 0)
-B=<num>
Number of lines to include before match. (Default: 0)
-C=<num>
Number of lines to include surrounding match. (Default: 0)
-i
Ignore case.
-k
Count lines.
-v
Invert match.
<Expr>
POSIX extended regular expression search pattern.
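
The filtering described above, as an added example that is not part of this guide: a Python emulation of the documented options (-v, -i, -k and the -A/-B/-C context counts) run over a constructed block of CLI-style output. Python's re module stands in for the POSIX extended syntax the CLI documents; the sample rule listing and its column names are made up for this example.

```python
import re

# Constructed sample output standing in for what a cOS Stream command might
# print; the rule names and columns are made up for this example.
SAMPLE_OUTPUT = """\
Idx  Name        Action  Source     Destination
1    allow_dns   Allow   lan        wan
2    block_smb   Drop    wan        lan
3    allow_web   Allow   lan        wan
4    drop_all    Drop    any        any
"""


def cli_grep(text, expr, invert=False, ignore_case=False, count=False,
             after=0, before=0, context=0):
    """Emulate 'grep <Expr> [-v] [-i] [-k] [-A=n] [-B=n] [-C=n]'.

    Python's re module approximates the POSIX extended syntax the CLI
    documents; the common constructs (^, $, [], +, *, |, ()) behave alike.
    Returns the matching lines (with context), or the match count for -k.
    """
    pattern = re.compile(expr, re.IGNORECASE if ignore_case else 0)
    lines = text.splitlines()
    # -v inverts the per-line decision, so XOR the match result with it.
    matched = [i for i, line in enumerate(lines)
               if bool(pattern.search(line)) != invert]
    if count:
        return len(matched)
    # -C widens both sides; an explicit -A or -B still wins if it is larger.
    before, after = max(before, context), max(after, context)
    keep = set()
    for i in matched:
        keep.update(range(max(0, i - before), min(len(lines), i + after + 1)))
    # Overlapping context ranges are merged and each line is printed once.
    return [lines[i] for i in sorted(keep)]


if __name__ == "__main__":
    # Equivalent of: <command> | grep "^[0-9]+ +[a-z_]+ +Drop"
    for line in cli_grep(SAMPLE_OUTPUT, "^[0-9]+ +[a-z_]+ +Drop"):
        print(line)
```

Context ranges that overlap are merged rather than repeated, which is the behaviour to expect when several matches sit close together in long listings such as rule or flow tables.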

2.4.9. help

Show help for CLI commands.

Description

The command help system contains information about commands and configuration object types.

The fastest way to get help is to simply type help followed by the topic that you want help with. A topic can be a command name (e.g. set).

When you don't know the name of what you are looking for you can use tab-completion to display a list of matching topics.

Usage

help 
List commands alphabetically.
help <Topic> 
Display help about selected topic from any category.

Options

<Topic>
Help topic.

2.4.10. helpconfig

Show help for configuration objects.

Description

The config help system contains information about configuration object types.

The fastest way to get help is to simply type helpconfig followed by the topic that you want help with. A topic can be the name of a configuration object type (e.g. User).

When you don't know the name of what you are looking for you can use tab-completion to display a list of matching topics.

Usage

helpconfig <Topic> 

Options

<Topic>
Help topic.

2.4.11. history

Show command history.

Description

List recently typed commands that have been stored in the command history.

Usage

history 

2.4.12. localconfiguration

Show management status and enable local configuration.

Description

Show management status, and regain local configuration control if the centralized management system has it.

If the centralized management system has taken control of the system, individual users cannot make configuration changes to it. This command is used to return local configuration control to individual users. Once local configuration is enabled, centralized management control can only be re-enabled by the centralized management system.

Usage

localconfiguration [-enable] 

Options

-enable
Enable local configuration.
[Note] Note
Requires Administrator privileges.

2.4.13. quit

Alias for exit.

2.4.14. shutdown

Initiates shutdown/restart of the system.

Description

Shuts the system down to restart it (or to power it off).

Usage

shutdown 
Normal shutdown/restart of the system.
shutdown -handover 
Shutdown/restart that makes an HA handover to the peer first, if the node is the active node, before shutting down.
shutdown -ignore-ha 
Shutdown/restart that shuts down even if this system is the active HA node of a cluster, without explicit handover and even if the peer is OFFLINE.
shutdown -noninteractive [-handover] [-ignore-ha] 
Normal shutdown/restart but with a behaviour more suitable for automation.
shutdown -processrestart [-handover] [-ignore-ha] [-noninteractive]
Only restart the system's processes instead of a full restart of the POD/system. (NOTE: Usage not available when running non-containerized)
shutdown -force -ignore-ha [-noninteractive] 
Shutdown using an alternative shutdown procedure skipping most of the normal shutdown activities. This should only be used if normal shutdown of the system malfunctions.
shutdown -poweroff [-handover] [-ignore-ha] 
Power down the system. (NOTE: Usage not available when running as a container)

Options

-force
Activates an alternative shutdown procedure skipping most of the normal shutdown activities. This should only be used if normal shutdown of the system malfunctions.
-handover
Make an HA handover to the peer first before shutting down if the node is the active node.
-ignore-ha
Shut down even if this system is the active HA node of a cluster, without explicit handover and even if the peer is OFFLINE.
-noninteractive
Use this option when invoking the shutdown command from scripts and similar. It makes the command skip interactive questions and instead print an error and cancel the command. It also changes the command's behaviour so that it does not fail in cases (such as ongoing crashdumps) where it would have been beneficial to "wait a while" before re-attempting the shutdown.
-poweroff
Power down the system instead of rebooting. (NOTE: Option not available when running as a container)
-processrestart
Only restart the system's processes instead of a full restart of the POD/system. (NOTE: Option not available when running non-containerized)
[Note] Note
Requires Administrator privileges.

2.5. Development

2.5.1. cfgfail

Force configuration errors at the next configuration activation.

Description

Force a configuration error at the next configuration activation.

Usage

cfgfail -validate <application> [-timeout] 
Trigger a failure in the validate event.
cfgfail -phase1 <application> [-timeout] 
Trigger a failure in the Phase-1 event.
cfgfail -phase2 <application> [-timeout] 
Trigger a failure in the Phase-2 event.
cfgfail -phase3 <application> [-timeout] 
Trigger a failure in the Phase-3 event.
cfgfail -clear 
Clear all failures.

Options

-clear
Clear all failures.
-phase1
Set failure at the CFGACT_PHASE1 event.
-phase2
Set failure at the CFGACT_PHASE2 event.
-phase3
Set failure at the CFGACT_PHASE3 event.
-timeout
Let the process time out instead of returning a failure.
-validate
Set failure at the CFGACT_VALIDATE event.
<application>
Application name.

2.6. Debug

2.6.1. buffers

Show information about buffers and buffer usage.

Description

Show information about buffers and buffer usage.

Usage

buffers -show [-verbose] [-hardware] [-account] [-channel] [-blame]
List buffers.
buffers 
Same as "buffers -show".

Options

-account
Show "accounting info" for the buffers (in which system/module the buffers are).
-blame
Show "trace points" for the buffers (where the buffers were last seen in the code).
-channel
Show "userspace channel info" for the buffers (which userspace channel has received the buffers).
-hardware
Extra hardware related information.
-show
Show buffers.
-verbose
Verbose (more information).

2.6.2. drm

Show Slowpath Dynamic Rule Manager state.

Description

Shows the state of the SP Dynamic Rule Manager.

Usage

drm -show [-type={PROCESS | TRNX}] [-num=<n>] 
Show requested state table.
drm 
Same as "drm -show".

Options

-num=<n>
Limit list to <n> rules. (Default: 40)
-show
Shows the specified table.
-type={PROCESS | TRNX}
The state information type to show. (Default: process)

2.6.3. frag

Show information about fragment status.

Description

Show information about pseudo-reassembler fragment status.

Usage

frag -show 
List fragments.
frag -flush 
Discard fragments.
frag 
Same as "frag -show".

Options

-flush
Discard fragments.
-show
Show fragments.

2.6.4. ruledb

Command to print slowpath rule databases.

Description

Display information about the slow path rule databases and routing tables:

- Contents of a (named) rule database.
- Parameters of a specific rule within a database.

Explanation of Flags field of the rule databases:

Z
Zombie - Will soon be deleted.
R
Remove - Marked for removal. Will be deleted when transaction is committed.
D
Disabled - Not used in rule lookups. Will be enabled when transaction is committed.
F
Fallthrough - Rule matching will continue to match more rules even if this rule matches.
S
System - Internal rule (iRules), default rules, e.g. default drop, goto etc.
P
Private - Flows set up with this rule will be using the private IP and MAC addresses.
T
Stateless - Rule configured as stateless. Will set up stateless flows.
J
Reject - Rule configured with OnDeny=Reject. Will send ICMP errors or TCP reject instead of opening new flows.
6
IPv6 - Rule database is for IPv6.
L
Limbo - Rule database is not linked to an owner. Will be removed.
W
Pending Wipe - Rule database is linked to an owner that is in the process of being wiped.

Example 2.49. Print every rule database and its rules in its own table.

System:/> ruledb

Example 2.50. Print all rule databases in one table.

System:/> ruledb -show instance

Example 2.51. Print all rules of a particular database.

System:/> ruledb -show instance -db=0x20

Example 2.52. Print the content of a rule in one particular rule database.

System:/> ruledb -show instance -db=0x20 -rule=0x21

Example 2.53. Print the content of all rules in one particular rule database.

System:/> ruledb -show rule -db=0x20

Usage

ruledb -show[={INSTANCE | ROUTES | MAIN | PREIPBLOCK | PREIP |
       PREIPSEC | PREGTP | PREGTPINSP | ACCOVERRIDE | IPBLOCK |
       ACCESS | BLACKLIST | WHITELIST | POSTPBR | PREPBR |
       PREPBRIPSEC | PBR | IFSP | RULE | SIPALG | IPS | THRESHOLD |
       TRAFFICSHAPING | OWNERSHIP | GRE}] [-iface=<interface>]
       [-ipv6] [-rule=<Integer>] [-ruleorigin] [-db=<Integer>] 
Prints the content of the rule database or the specified rule cache.
ruledb 
Show all RuleDB instances.

Options

-db=<Integer>
ID of RuleDB.
-iface=<interface>
Interface name.
-ipv6
The operation will be executed on the IPv6 rule database.
-rule=<Integer>
ID of Rule.
-ruleorigin
Show Rule Originator and SessionID.
-show[={INSTANCE | ROUTES | MAIN | PREIPBLOCK | PREIP | PREIPSEC | PREGTP | PREGTPINSP | ACCOVERRIDE | IPBLOCK | ACCESS | BLACKLIST | WHITELIST | POSTPBR | PREPBR | PREPBRIPSEC | PBR | IFSP | RULE | SIPALG | IPS | THRESHOLD | TRAFFICSHAPING | OWNERSHIP | GRE}]
Prints the content of the rule database or the specified rule cache. (Default: rules)

2.6.5. teststatd

Get runtime information from and test the statistical daemon.

Description

List detailed information about the statistical daemon.

Usage

teststatd -clients [-delete] 
List clients.
teststatd -requests 
List requests.
teststatd -signatures [-item=<String>] [-verbose] 
List signatures.
teststatd -values [-item=<String>] [-verbose] [-reset] 
List statistical values.
teststatd -find [-guid=<Integer>] [-oid=<String>] [-nc=<String>] 
Find a value from key.
teststatd 
List general statd information.

Options

-clients
List clients.
-delete
Delete connected clients.
-find
Find a value from key.
-guid=<Integer>
Value GUID.
-item=<String>
Specify a single item to list.
-nc=<String>
NC view ID.
-oid=<String>
Value OID.
-requests
List cache client requests.
-reset
Reset all statistical values.
-signatures
List signatures.
-values
List statistical values.
-verbose
Verbose listing.

2.6.6. vlan

VLAN.

Description

Shows the VLAN state in the dataplane.

Usage

vlan 

Chapter 3: Configuration Reference

3.1. AccessRules

Description

Contains the access rules.

Properties

Comments
Text describing the current object. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.1.1. AccessRule

Description

Use an access rule to allow or block specific source IP addresses on a specific interface.

Properties

Name
Specifies a symbolic name for the object.
Action
Accept or Drop.
Interface
Interface.
Network
The IP span that the sender must belong to for this rule to be carried out.
LogEnabled
Enable logging. (Default: Yes)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.2. Address

This is a category that groups the following object types.

3.2.1. EthernetAddress

Description

Use an Ethernet Address item to define a symbolic name for an Ethernet MAC address.

Properties

Name
Specifies a symbolic name for the network object. (Identifier)
Address
Ethernet MAC address, e.g. "12-34-56-78-ab-cd".
Comments
Text describing the current object. (Optional)

3.2.2. EthernetAddressGroup

Description

An Ethernet Address Group is used for combining several Ethernet Address objects for simplified management.

Properties

Name
Specifies a symbolic name for the network object. (Identifier)
Members
Group members.
Comments
Text describing the current object. (Optional)

3.2.3. IPAddress

Description

Use an IP Address item to define a name for a specific host, network, range or group.

Properties

Name
Specifies a symbolic name for the network object. (Identifier)
Address
Address value(s), e.g. "172.16.50.8", "1::1", "192.168.30.7,192.168.30.11", "192.168.7.0/24", "10:10::/32" or "172.16.25.10-172.16.25.50".
ActiveAddress
The dynamically set address used by e.g. DHCP enabled Ethernet interfaces. (Optional; Default: 0.0.0.0)
FQDNValidAfterTTL
Time in seconds to keep an IP address after the associated FQDN record TTL expires. (Optional)
Comments
Text describing the current object. (Optional)

3.3. AppControlSettings

Description

Application control settings.

Properties

AppControlEnabled
Controls whether the firewall should analyze the traffic to try to identify the type of application that generated the traffic. (Default: Yes)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.4. ARPEntries

Description

Configured ARP entries.

Properties

Comments
Text describing the current object. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.4.1. ARPEntry

Description

Use an ARP entry to publish additional IPv4 addresses and/or MAC addresses on a specified interface.

Properties

Mode
Static or Publish. (Default: Publish)
Interface
Indicates the interface to which the ARP entry applies, i.e. the interface the address shall be published on.
IP
The IP address to be published or statically bound to a hardware address.
MACAddress
The hardware address associated with the IP address. (Default: 00-00-00-00-00-00)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.5. ARPTableSettings

Description

ARP (Address Resolution Protocol) settings.

Properties

ARPMatchEnetSender
Whether the Ethernet sender address must match the sender hardware address in the ARP data, and the action to take when it does not. (Default: DropLog)
ARPQueryNoSenderIP
Action when the IP sender address of an ARP query (NOT a response!) is 0.0.0.0. (Default: DropLog)
ARPSenderIP
The IP Source address in ARP packets. (Default: Validate)
UnsolicitedARPReplies
Unsolicited ARP Replies. (Default: DropLog)
ARPRequests
Should ARP requests automatically be added to the ARP table? (Default: Drop)
ARPChanges
ARP packets that would cause an entry to be changed. (Default: AcceptLog)
StaticARPChanges
ARP packets that would cause static entries to be changed. (Default: DropLog)
ARPMulticast
ARP packets claiming to be multicast addresses; may need to be enabled for some load balancers / redundancy solutions. (Default: DropLog)
ARPBroadcast
ARP packets claiming to be broadcast addresses; should never need to be enabled. (Default: DropLog)
ARPExpire
Lifetime of an ARP entry in seconds. (Default: 900)
ARPOptimistTime
Time (in seconds) before a flow, whose associated ARP entry has expired, should consider 'forward progress' to have been lost and begin a new ARP resolve operation. (Default: 60)
ARPMaxQueries
Maximum ARP queries to send (one per second) before giving up address resolution. (Default: 10)
ARPMaxProbes
Maximum ARP probes to send (one per second) before giving up a resolved ARP entry that has timed out. (Default: 4)
ARPExpireUnknown
Lifetime of an unknown ARP entry in seconds. (Default: 3)
ARPCacheSize
Number of ARP entries in cache, total. (Default: 4096)
ARPIPConflict
Behavior when receiving an ARP request with a sender IP conflicting with the one used on the receive interface. (Default: Notify)
LogARPOutOfEntries
Whether to log when there are not enough free ARP entries in the firewall to perform IP address resolution (this will cause old entries to be recycled). (Default: Yes)
LogARPResolveFailure
Log when address resolution fails. (Default: Yes)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.
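
The sender-validation settings above (ARPMatchEnetSender, ARPQueryNoSenderIP, ARPMulticast and ARPBroadcast) as an added example, not part of this guide or of the product: a small Python parser for Ethernet/IPv4 ARP frames that reports which setting a frame trips and the default action quoted from the list. The frames are constructed inline with the "12-34-56-78-ab-cd" MAC notation this guide uses; applying ARPMulticast/ARPBroadcast to the sender hardware address is this example's reading of those settings.

```python
import struct
from ipaddress import IPv4Address

# Default actions quoted from the ARPTableSettings property list
SETTINGS = {
    "ARPMatchEnetSender": "DropLog",
    "ARPQueryNoSenderIP": "DropLog",
    "ARPMulticast": "DropLog",
    "ARPBroadcast": "DropLog",
}

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    """Parse '12-34-56-78-ab-cd' (or colon form) into 6 bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def build_arp_frame(eth_src, oper, sha, spa, tha, tpa, eth_dst="ff-ff-ff-ff-ff-ff"):
    """Construct a 42-byte Ethernet/IPv4 ARP frame (test input, not captured traffic)."""
    eth = ETH_HDR.pack(mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, oper, mac(sha), IPv4Address(spa).packed,
                       mac(tha), IPv4Address(tpa).packed)
    return eth + arp


def parse_arp_frame(frame):
    """Split the Ethernet header and ARP payload; reject anything that is not IPv4-over-Ethernet ARP."""
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"eth_src": eth_src, "oper": oper, "sha": sha,
            "spa": IPv4Address(spa), "tha": tha, "tpa": IPv4Address(tpa)}


def check_arp(frame, settings=SETTINGS):
    """Return the (setting, action) pairs the frame trips; [] means none of these settings object."""
    p = parse_arp_frame(frame)
    hits = []
    # ARPMatchEnetSender: sender hardware address in the ARP data vs. Ethernet source
    if p["sha"] != p["eth_src"]:
        hits.append(("ARPMatchEnetSender", settings["ARPMatchEnetSender"]))
    # ARPQueryNoSenderIP: applies to requests only, as the setting text stresses
    if p["oper"] == ARP_REQUEST and p["spa"] == IPv4Address("0.0.0.0"):
        hits.append(("ARPQueryNoSenderIP", settings["ARPQueryNoSenderIP"]))
    # ARPBroadcast / ARPMulticast: the sender claims a group address as its own
    if p["sha"] == b"\xff" * 6:
        hits.append(("ARPBroadcast", settings["ARPBroadcast"]))
    elif p["sha"][0] & 0x01:  # I/G bit set in the first octet: multicast MAC
        hits.append(("ARPMulticast", settings["ARPMulticast"]))
    return hits
```

One operational consequence worth knowing before relaxing ARPQueryNoSenderIP: address-conflict probes (RFC 5227), which DHCP clients send before using a lease, are ARP requests with a sender IP of 0.0.0.0, so the DropLog default discards exactly those probes and logs them; the log line is expected, not a sign of spoofing.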

3.6. ASPathAccessList

Description

Ruleset used to allow/deny prefixes based on AS path.

Properties

Name
Specifies a symbolic name for the AS path access list. (Identifier)
Comments
Text describing the current object. (Optional)

3.6.1. ASPathAccessEntry

Description

Rule entry used to allow/deny prefixes based on AS path.

Properties

Action
Specifies the action to take for matched AS path.
ASPath
Regular expression pattern to match against AS path. Examples: '_NN_' to match specific AS, '^NN_' to match paths beginning with AS, '_NN$' to match paths ending with AS and '.*' for wildcard matching.
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
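
The '_NN_', '^NN_' and '_NN$' patterns above, worked through as an added example that is not part of this guide: a Python matcher in which '_' expands to "start of path, end of path, or a separator between AS numbers" (the usual AS-path regex convention, assumed here since the page only shows the forms), plus a first-match evaluation over an ordered list of entries. The Action values Allow/Deny, the implicit final Deny and the private AS numbers in the sample entries are this example's assumptions.

```python
import re

# '_' is the AS-path shorthand for "start, end, or a separator between AS
# numbers". That is the conventional meaning and an assumption of this example.
_DELIM = r"(?:^|$|[ ,{}()])"


def as_path_matches(pattern, as_path):
    """Return True if an ASPathAccessEntry pattern matches the AS path string."""
    expanded = pattern.replace("_", _DELIM)
    return re.search(expanded, as_path) is not None


def evaluate(entries, as_path, default="Deny"):
    """First-match evaluation of an ordered list of (ASPath, Action) entries.

    The action names 'Allow'/'Deny' and the implicit final Deny are this
    example's assumptions; the page does not list the Action values.
    """
    for pattern, action in entries:
        if as_path_matches(pattern, as_path):
            return action
    return default


# Constructed ruleset using private AS numbers (64512-65534):
#   deny anything that transited AS 65010, allow paths originating in AS 65001
SAMPLE_ENTRIES = [
    ("_65010_", "Deny"),
    ("_65001$", "Allow"),
]
```

The second assertion in the test below is the reason the '_' anchors matter: a bare "65001" would also match the unrelated AS 650010, while "_65001_" does not.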

3.7. AuthenticationProfile

Description

The Authentication Profile specifies from where users are allowed to authenticate to the system, and how.

Properties

Index
The index of the object, starting at 1. (Identifier)
Name
Specifies a symbolic name for the profile. (Identifier)
AgentType
Type of authentication agent. (Default: Basic)
LocalUserDB
Local user database that will be used to authenticate users. If both LocalUserDB and a RemoteServer are specified, the AuthOrder parameter specifies in which order they are consulted. (Optional)
RemoteServer
Remote authentication source(s) that will be used to authenticate users. If a list of sources is provided, the first in the list will be used as primary and the rest are used for failover. Note that if the system is able to use public key authentication when an SSH client connects, then RADIUS authentication will not also be attempted even though it might be configured in an associated AuthenticationProfile object. (Optional)
RadiusMethod
Specifies the authentication method used for encrypting the user password. (Default: PAP)
RemoteLoadBalance
Specifies how requests to remote servers are balanced. (Default: None)
AuthOrder
Specifies if the local user database should be queried before or after the remote servers. (Default: LocalLast)
SessionTimeout
Seconds a user session may exist before it is disconnected. (Default: Disabled)
RemotePrimaryRetryInterval
Interval in seconds after which the primary RADIUS remote authentication server is retried. (Default: 60)
UseServerTimeouts
Use timeouts received from authentication source, replaces timeouts specified in the authentication profile. (Default: No)
MultipleLogins
Specifies how multiple username logins will be handled. (Default: AllowMultiple)
ReplaceIdleTime
Replace existing user if idle for more than this number of seconds. (Default: 10)
MaxMultipleSessions
Maximum number of simultaneous user sessions for the same username. (Default: 2)
BruteForceAttackPrevention
Enable/disable brute force attack prevention. (Default: Yes)
LoginAttempts
Number of login attempts before attack prevention is activated. (Default: 3)
MaxLockoutTime
Maximum time in seconds for a lockout. (Default: 40)
EAPVerification
Enable/disable EAP header verification. (Default: Yes)
AllowAllEAPTypes
Allow all EAP types. (Default: Yes)
AllowEAP_SIM
Allow EAP-SIM. (Default: Yes)
AllowEAP_AKA
Allow EAP-AKA. (Default: Yes)
AllowEAP_MD5
Allow EAP-MD5. (Default: Yes)
Comments
Text describing the current object. (Optional)

3.8. BGPCommunityList

Description

List of attribute tags that can be applied to incoming or outgoing prefixes to achieve common goals.

Properties

ID
Name or ID (numeric value prepended with 'x') of entry. (Identifier)
Comments
Text describing the current object. (Optional)

3.8.1. BGPCommunityEntry

Description

Attribute tags that can be applied to incoming or outgoing prefixes to achieve common goals.

Properties

Attribute
Community attribute. (Default: Base)
Type
Specifies type of community entry. (Default: Standard)
Action
Action to take with the listed community.
Community
Community number in the form of AA:NN. (Optional)
Filter
An ordered list as a regular expression. (Optional)
Internet
Advertise routes to the internet community. (Optional)
LocalAS
Do not advertise routes to external BGP peers. (Optional)
NoAdvertise
Do not advertise routes to other BGP peers. (Optional)
NoExport
Do not advertise routes outside of Autonomous System boundary. (Optional)
RouteTarget
Route target extended community in aa:nn or IPaddr:nn format. (Optional)
SiteOfOrigin
Site-of-origin extended community in aa:nn or IPaddr:nn format. (Optional)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.9. BGPProcess

Description

BGP is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems on the Internet.

Properties

Name
Specifies a symbolic name for the BGP process. (Identifier)
RouterID
Specifies the BGP router identifier IP.
ASNum
Associate the routing process with an autonomous system number.
LocalPreference
Local preference indicates the preferred path when there are multiple paths to the same destination. The path having a higher preference is preferred. (Optional)
RouteMapStatic
Specifies a generic route-map for all imported static routes. (Optional)
RouteMapOSPF
Specifies a generic route-map for all imported OSPF routes. (Optional)
RouteMapConnected
Specifies a generic route-map for all connected routes. (Optional; Default: <withhold>)
TableMap
Specifies a generic route-map to filter for suppression/modification of incoming BGP updates. (Optional)
TableMapFilter
Sets which IP version of the matched routes of the TableMap to suppress. (Default: None)
NoClientReflect
Disables client-to-client route reflection. (Optional)
ClusterID
Specifies the BGP cluster ID to be used in route reflection. (Optional)
ConfederID
Specifies the BGP confederation identifier. (Optional)
ConfederPeers
Specifies the autonomous systems (comma separated) that belong to a confederation. (Optional)
AutoSummary
Specifies if and what type of routes to advertise summarized to the neighbors. (Optional)
ScanTime
Specifies the period after which the router checks the validity of the routes in its database. (Default: 60)
UpdateDelay
Specifies the maximum time a graceful-restart capable router, which is restarting, will defer route-selection and advertisements to all its graceful-restart capable neighbors. (Default: 120)
GracefulRestart
Enables BGP graceful-restart capabilities. (Optional)
GracefulReset
Set to not restart the BGP daemon, so that changes in network configuration that cause a BGP reset do not affect packet forwarding. (Default: No)
GracefulRestartTime
Specifies the maximum time that a graceful-restart neighbor waits to come back up after a restart. (Default: 120)
GracefulStalePathTime
Specifies the maximum time to preserve stale paths from a gracefully restarted neighbor. (Default: 360)
LogEnabled
Enable logging. (Default: Yes)
DistanceExternal
Distance for BGP external routes. (Optional)
DistanceInternal
Distance for BGP internal routes. (Optional)
DistanceLocal
Distance for BGP local routes. (Optional)
MaxPathsExternal
Number of supported equal-cost multi path eBGP routes. (Optional)
MaxPathsInternal
Number of supported equal-cost multi path iBGP routes. (Optional)
Comments
Text describing the current object. (Optional)

3.9.1. BGPProcessIPv6

Description

IPv6 specific settings for BGP process.

Properties

DistanceExternal
Distance for BGP external routes. (Optional)
DistanceInternal
Distance for BGP internal routes. (Optional)
DistanceLocal
Distance for BGP local routes. (Optional)
MaxPathsExternal
Number of supported equal-cost multi path eBGP routes. (Optional)
MaxPathsInternal
Number of supported equal-cost multi path iBGP routes. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.9.2. BGPBestPathSettings

Description

Grouped settings related to BGP best path selection.

Properties

IgnoreASPathLen
Prevent considering the autonomous system path length as a factor in the algorithm for choosing a best path route. (Default: No)
CompareConfederASPathLen
Specifies that the AS confederation path length must be used when available in the BGP best path decision process. (Default: No)
CompareRouterID
Specifies to include router ID in the selection process; similar routes are compared and the route with the lowest router ID is selected. (Default: No)
DontCompareOriginatorID
Changes the default bestpath selection by not comparing an originator-ID for an identical EBGP path. (Default: No)
CompareMEDInConfederPath
Compare MED along confederation paths. (Default: No)
TreatMissingMEDAsWorst
Treat missing MED as the least preferred one. (Default: No)
RemoveRecvMED
Remove received MED attribute. (Default: No)
RemoveSendMED
Remove sent MED attribute. (Default: No)
TieBreakOnAge
Always select a preferred older route. (Default: Yes)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.9.3. BGPDampening

Description

Dampening minimizes the instability caused by route flapping.

Properties

Enabled
Enable route dampening to minimize the instability caused by route flapping. (Optional)
HalfLifeReachable
Reachability half-life time for the penalty in minutes. The time for the penalty to decrease to one-half of its current value. Default value is 15 minutes. (Optional)
Reuse
Value to start reusing a route. When the penalty for a suppressed route decays below the reuse value, the routes become unsuppressed. Default value is 750. (Optional)
Suppress
Value to start suppressing a route. When the penalty for a route exceeds the suppress value, the route is suppressed. Default value is 2000.
Duration
Maximum duration to suppress a stable route in minutes. Default value is 60 minutes.
HalfLifeUnreachable
Un-reachability half-life time for the penalty in minutes. Default value is 4x the value of HalfLifeReachable. (Optional)
RouteMap
Route map to specify criteria for dampening. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.
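
How the HalfLifeReachable, Reuse, Suppress and Duration values above interact, as an added example that is not part of this guide: a Python simulation of the penalty for one prefix using the defaults quoted from the property list (15 minutes, 750, 2000, 60 minutes). The penalty added per flap (1000) and the RFC 2439 penalty ceiling that bounds suppression to Duration are assumptions of this example; the page does not state them.

```python
import math

# Defaults quoted from the BGPDampening property list
HALF_LIFE_MIN = 15      # HalfLifeReachable
REUSE = 750             # Reuse
SUPPRESS = 2000         # Suppress
MAX_DURATION_MIN = 60   # Duration
# Penalty added per flap: not stated on the page; 1000 is the conventional
# RFC 2439 value and an assumption of this example.
FLAP_PENALTY = 1000
# RFC 2439 bounds suppression to Duration by capping the penalty at the value
# that decays to Reuse in exactly Duration minutes (750 * 2^4 = 12000 here).
MAX_PENALTY = REUSE * 2 ** (MAX_DURATION_MIN / HALF_LIFE_MIN)


def decay(penalty, minutes, half_life=HALF_LIFE_MIN):
    """Exponential decay: the penalty halves every half_life minutes."""
    return penalty * 2 ** (-minutes / half_life)


def minutes_until_reuse(penalty, half_life=HALF_LIFE_MIN, reuse=REUSE):
    """Minutes until a penalty decays below the reuse threshold."""
    if penalty <= reuse:
        return 0.0
    return half_life * math.log2(penalty / reuse)


def simulate(flap_minutes, horizon_min):
    """Walk minute by minute; return [(minute, penalty, suppressed), ...].

    The penalty is recomputed from the last flap rather than decayed
    step by step, so the result does not accumulate rounding error.
    """
    base_penalty, base_minute = 0.0, 0
    suppressed = False
    history = []
    for minute in range(horizon_min + 1):
        penalty = decay(base_penalty, minute - base_minute)
        if minute in flap_minutes:
            penalty = min(penalty + FLAP_PENALTY, MAX_PENALTY)
            base_penalty, base_minute = penalty, minute
        if not suppressed and penalty > SUPPRESS:
            suppressed = True            # crossed Suppress: route withheld
        elif suppressed and penalty < REUSE:
            suppressed = False           # decayed below Reuse: route readvertised
        history.append((minute, round(penalty, 1), suppressed))
    return history


def suppression_window(history):
    """(first suppressed minute, first minute unsuppressed again), or None."""
    start = next((m for m, _, s in history if s), None)
    if start is None:
        return None
    end = next((m for m, _, s in history if m > start and not s), None)
    return (start, end)


if __name__ == "__main__":
    for minute, penalty, suppressed in simulate({0, 1, 2}, 40):
        print(f"t={minute:3d} min  penalty={penalty:7.1f}  suppressed={suppressed}")
```

With the defaults, a single flap never crosses Suppress, three flaps in quick succession do, and the route then stays withheld for roughly two half-lives (about 30 minutes) before the penalty falls below Reuse; the ceiling is what keeps a prefix that flaps continuously from being withheld for longer than Duration.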

3.9.4. BGPNeighbor

Description

BGP peer used for routing information exchange.

Properties

Name
Specifies a symbolic name for the BGP neighbor. (Optional)
IPAddress
IP Address of the neighbor.
Port
TCP Port number of BGP neighbor. (Default: 179)
Password
MD5 message digest password. (Optional)
RemoteASNum
Neighbor autonomous system number.
RoutingTable
Specifies the routing table to use for communication with the BGP neighbor. (Default: main)
SourceInterface
The interface that the BGP traffic of the neighbor is received on. (Optional; Default: any)
AddressFamily
Address families to advertise and receive prefixes to/from. (Default: IPv4)
Addressing
Sets the IPv4 addressing types. (Default: Unicast)
TimerKeepAlive
Keepalive messages are sent by a router to inform another router that the BGP connection between the two is still active. The keepalive timer interval is the period of time, in seconds, between each keepalive message sent by the router. (Default: 180)
TimerHoldTime
The hold time interval is the time, in seconds, that the router waits to receive a keepalive message; if no message arrives within this period, the router declares the neighbor dead. (Default: 540)
TimerConnect
The connect interval is the time, in seconds, the router waits before trying to reconnect to a disconnected neighbor. (Default: 120)
TimerAdvertise
Sets a minimum interval between the sending of BGP routing updates. (Optional)
TimerASOrigin
Sets the interval of sending AS origination routing updates. (Default: 15)
Passive
Set to not actively connect to the neighbor. (Optional)
ForceVersion
Controls the BGP version to use when communicating with the neighbor. (Default: Dynamic)
FalloverDetection
Specifies additional measures for faster fallover detection with the neighbor. (Optional)
BFDTransmitInterval
Specifies the transmit interval in milliseconds for the liveness detection. (Default: 250)
BFDReceiveInterval
Specifies the minimum interval, in milliseconds, at which packets are expected from the peer. (Default: 250)
BFDHelloMultiplier
Specifies the number of dropped packets before the link is declared down. (Default: 3)
BFDSlowTimerInterval
Specifies in milliseconds how often BFD control packets should be sent once the BFD session has been established. (Default: 2000)
GracefulRestartWarnLog
Generate log warning when graceful restart is required but not negotiated with neighbor. (Default: Yes)
SoftReconfInbound
Enables local storage of all the received prefixes and their attributes. This will require additional memory. (Default: No)
PrefixListIn
Specifies a prefix list for filtering of inbound BGP advertisements. Only the routes that match the prefix list are accepted. (Optional)
PrefixListOut
Specifies a prefix list for filtering of outbound BGP advertisements. Only the routes that match the prefix list are sent in updates. (Optional)
RouteMapIn
Specifies a route-map for filtering and modification of inbound BGP advertisements. Only the routes that pass the route-map are accepted in updates. (Optional)
RouteMapOut
Specifies a route-map for filtering and modification of outbound BGP advertisements. Only the routes that pass the route-map are sent in updates. (Optional)
SendCommunity
Specifies whether a community attribute should be sent to the BGP neighbor. (Optional)
RouteReflector
Specifies whether to run as a BGP route reflector and configure the specified neighbor as its client. (Optional)
Weight
Assigns a weight value to all routes learned from the neighbor. The route with the highest weight is preferred when the same prefix is learned from more than one peer. (Optional)
GracefulRestart
Specifies whether the neighbor supports the capability of graceful-restart. (Optional)
NextHopSelf
Specifies whether to force the next hop to self when redistributing the prefix to another iBGP neighbor. (Optional)
MaxPrefixes
Specifies the maximum number of prefixes to receive from the neighbor. (Optional)
MaxPrefixesLimitAction
Specifies action to take when the max prefix limit is reached. (Default: Disconnect)
MaxPrefixesThreshold
Specifies at what percentage of the maximum limit to start generating warning logs. (Optional)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
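Two of the neighbor properties above are easy to misconfigure: the keepalive/hold time pair, and the MaxPrefixes limit with its threshold warning (which the BGPNeighborIPv4 and BGPNeighborIPv6 sub-objects repeat per address family). The following Python is an added illustration, not cOS Stream's implementation; it checks the timers against the RFC 4271 rules, computes the BFD detection time from BFDReceiveInterval and BFDHelloMultiplier, and tracks received prefixes the way a MaxPrefixes guard would. The page only documents Disconnect as a limit action; the contrasting 'Warn' action is this example's assumption.

```python
"""Added illustration of BGPNeighbor safeguards (example code, not cOS Stream's own)."""
from typing import List, Optional, Set


def check_timers(keepalive: int, holdtime: int) -> List[str]:
    """Return problems with TimerKeepAlive/TimerHoldTime; an empty list means they are consistent."""
    problems = []
    if holdtime != 0 and holdtime < 3:
        # RFC 4271: the hold time is either 0 (timers disabled) or at least 3 seconds
        problems.append("hold time must be 0 or at least 3 seconds")
    if holdtime != 0 and keepalive * 3 > holdtime:
        # RFC 4271 recommends a keepalive of one third of the hold time
        problems.append("hold time should be at least three times the keepalive interval")
    return problems


def bfd_detection_time_ms(receive_interval_ms: int, hello_multiplier: int) -> int:
    """Time after which BFD declares the peer down: multiplier consecutive missed packets."""
    return receive_interval_ms * hello_multiplier


class PrefixLimit:
    """Tracks prefixes from one neighbor against MaxPrefixes/MaxPrefixesThreshold/MaxPrefixesLimitAction."""

    def __init__(self, max_prefixes: int, threshold_percent: Optional[int] = None,
                 limit_action: str = "Disconnect") -> None:
        self.max_prefixes = max_prefixes
        # warn once when this many prefixes have been received (None disables the warning)
        self.threshold = (max_prefixes * threshold_percent // 100) if threshold_percent else None
        self.limit_action = limit_action
        self.prefixes: Set[str] = set()
        self.warned = False
        self.session_up = True
        self.log: List[str] = []

    def receive(self, prefix: str) -> bool:
        """Process one received prefix; returns False once the session has been torn down."""
        if not self.session_up:
            return False
        self.prefixes.add(prefix)          # a re-announced prefix does not count twice
        count = len(self.prefixes)
        if self.threshold is not None and not self.warned and count >= self.threshold:
            self.warned = True
            self.log.append(f"warning: {count}/{self.max_prefixes} prefixes received")
        if count > self.max_prefixes:
            if self.limit_action == "Disconnect":
                self.session_up = False
                self.prefixes.clear()      # routes from a dropped session are withdrawn
                self.log.append(f"limit exceeded: neighbor disconnected after {count} prefixes")
                return False
            # hypothetical 'Warn' action (assumed, not on the page): log and keep the session
            self.log.append(f"limit exceeded ({count} prefixes); session kept")
        return True


if __name__ == "__main__":
    print("default timers:", check_timers(180, 540) or "ok")
    print("BFD detection with defaults:", bfd_detection_time_ms(250, 3), "ms")
    guard = PrefixLimit(max_prefixes=10, threshold_percent=80)
    for i in range(12):
        guard.receive(f"10.{i}.0.0/16")    # constructed sample prefixes
    print("\n".join(guard.log))
```

With the documented defaults, BFD detects a dead peer after 750 ms while the BGP hold timer alone would take 540 s, which is why FalloverDetection matters on links where fast failover is required.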

3.9.4.1. BGPNeighborIPv4

Description

IPv4 specific configuration for the BGP neighbor.

Properties

SendCommunity
Specifies whether a community attribute should be sent to the BGP neighbor. (Optional)
RouteReflector
Specifies whether to run as a BGP route reflector and configure the specified neighbor as its client. (Optional)
Weight
Assigns a weight value to all routes learned from the neighbor. The route with the highest weight is preferred when the same prefix is learned from more than one peer. (Optional)
GracefulRestart
Specifies whether the neighbor supports the capability of graceful-restart. (Optional)
NextHopSelf
Specifies whether to force the next hop to self when redistributing the prefix to another iBGP neighbor. (Optional)
MaxPrefixes
Specifies the maximum number of prefixes to receive from the neighbor. (Optional)
MaxPrefixesLimitAction
Specifies action to take when the max prefix limit is reached. (Default: Disconnect)
MaxPrefixesThreshold
Specifies at what percentage of the maximum limit to start generating warning logs. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.9.4.2. BGPNeighborIPv6

Description

IPv6 specific configuration for the BGP neighbor.

Properties

SendCommunity
Specifies whether a community attribute should be sent to the BGP neighbor. (Optional)
RouteReflector
Specifies whether to run as a BGP route reflector and configure the specified neighbor as its client. (Optional)
Weight
Assigns a weight value to all routes learned from the neighbor. The route with the highest weight is preferred when the same prefix is learned from more than one peer. (Optional)
GracefulRestart
Specifies whether the neighbor supports the capability of graceful-restart. (Optional)
NextHopSelf
Specifies whether to force the next hop to self when redistributing the prefix to another iBGP neighbor. (Optional)
MaxPrefixes
Specifies the maximum number of prefixes to receive from the neighbor. (Optional)
MaxPrefixesLimitAction
Specifies action to take when the max prefix limit is reached. (Default: Disconnect)
MaxPrefixesThreshold
Specifies at what percentage of the maximum limit to start generating warning logs. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.9.5. BGPPrefixAggregate

Description

Aggregation combines the characteristics of several different routes and advertises a single route

Properties

Prefix
Network prefix to aggregate.
SummaryOnly
Filter more specific routes from updates. (Default: No)
SetAS
Generate AS set path information. (Default: No)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.9.6. BGPNetwork

Description

Networks to be advertised by the BGP routing process

Properties

Network
Network range to advertise.
Backdoor
Enables the route to be the preferred route even if it has a greater distance. (Default: No)
RouteMap
Route map used to modify attributes. (Optional)
Addressing
Sets the IPv4 addressing types. (Default: Unicast)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.9.7. RouteExportRuleBGP

Description

A BGP export rule creates a filter that selects BGP-learned routes. Through action rules, the filtered routes can then either be exported to "route distribution services", such as OSPF, or be added to one or more routing tables.

Properties

Name
Specifies a symbolic name for the rule. (Optional)
DestinationNetworkExactly
Specifies a network range which filtered routes need to match exactly. (Optional)
DestinationNetworkIn
Specifies a network range which filtered routes need to be within. (Optional)
NextHop
Specifies the next (router) hop which filtered routes need to match. (Optional)
MetricRange
Specifies a metric interval which filtered routes need to be within. (Optional)
LogEnabled
Enable logging. (Default: Yes)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.9.7.1. ExportToRoutingTable

Description

A routing table action is used to insert, update and remove routes to/from one or more routing tables.

Properties

Name
Specifies a symbolic name for the rule. (Optional)
Destination
Specifies to which routing table the route should be exported.
OverrideStatic
Allow matched routes to override statically configured routes. (Default: No)
OverwriteDefault
Allow matched routes to override the default route. (Default: No)
OffsetMetric
Offset to increase/decrease the metric of filtered routes. (Optional)
LimitMetricRange
Metric boundary for filtered routes. Metrics outside the boundary are reset to the nearest limit. (Optional)
SetForward
Sets/overrides the gateway IP for filtered routes. (Optional)
LogEnabled
Enable logging. (Default: Yes)
ProxyARPAllInterfaces
Always select all interfaces, including new ones, for publishing routes via Proxy ARP. (Default: No)
ProxyARPInterfaces
Specifies the interfaces on which the firewall should publish routes via Proxy ARP. (Optional)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.9.7.2. ExportToOSPF

Description

An OSPF action is used to insert, update and remove routes to/from an OSPF process.

Properties

Name
Specifies a symbolic name for the rule. (Optional)
ExportToProcess
Specifies to which OSPF process the route should be exported.
SetTag
Sets tag for filtered routes. Tags can be used as filter criteria in other routers. (Optional)
OffsetMetricType2
Offset to increase/decrease the metric type 2 of filtered routes. (Optional)
SetRouteType
Sets the route type for matched routes. (Optional)
OffsetMetric
Offset to increase/decrease the metric of filtered routes. (Optional)
LimitMetricRange
Metric boundary for filtered routes. Metrics outside the boundary are reset to the nearest limit. (Optional)
SetForward
Sets/overrides the gateway IP for filtered routes. (Optional)
LogEnabled
Enable logging. (Default: Yes)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.10. BGPSettings

Description

BGP specific settings.

Properties

UseExtendedASN
Specifies whether to support the four-octet AS number space (RFC 4893). (Default: No)
RFC1771PathSelect
Enables RFC 1771 compatible path selection. (Default: No)
RFC1771Strict
Sets the origin path attribute to IGP when the origin is a protocol as specified in RFC 1771. (Default: No)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.11. CertificateStore

Description

A certificate store is used to store and group certificates together for simplified management and configuration.

Properties

Name
Specifies a symbolic name for the certificate object. (Identifier)
Comments
Text describing the current object. (Optional)

3.11.1. Certificate

Description

An X.509 certificate is used to authenticate another entity such as a user, client, server or gateway, for example when establishing a VPN tunnel or SSL/TLS connection. A certificate can also be used to authenticate the system itself towards another party.

Properties

Name
Specifies a symbolic name for the certificate object. (Identifier)
Type
The type of the certificate.
CRLChecks
Specifies whether to check CRLs (Certificate Revocation Lists) when validating certificates. (Default: Enforced)
CRLDistPointList
Specifies the CRL distribution points to use when validating the certificate itself and issued certificates. (Optional)
CertificateData
Certificate data. (Optional)
PrivateKey
Private key. (Optional)
LDAPServer
Specifies the default LDAP server to use. (Optional)
CMPServer
The CA server information.
Comments
Text describing the current object. (Optional)

3.12. ClassificationSettings

Description

Classification settings

Properties

RCMaxCollision
Maximum allowed number of colliding rule cache entries. A higher value allows more policy lookup results to be cached even when there are collisions between them, but flow maintenance becomes increasingly costly. Collisions are most likely caused by many similar tunnels (for example, many tunnels with the same user) and less likely by many detailed but similar rules. Decreasing the value may be beneficial if tunnel setup rates are very high but each tunnel is only active briefly; likewise, increasing it may be beneficial if there are many active tunnels but the setup rate is low. (Default: 512)
RCMaxGridSize
Maximum number of rule cache grid units. Each unit takes about 4Kb of memory. Too few units make classification slow, which increases the load on the unit and lengthens flow establishment time. (Default: 4096)
RCMaxCacheSize
Maximum number of rule cache entries. Each entry represents a unique classification result and takes about 256b of memory. If there are too few entries, existing entries need to be discarded, and existing flows may be torn down as a consequence. (Default: 400000)
LogRCLost
Whether to log when a rule cache entry (policy lookup result) is lost. (Default: Always)
ReclassifyQuota
Percent of incoming packets (potentially) allowed to update existing flows; 99% will favor connection attempts over existing connections, 1% will favor existing connections over connection attempts. (Default: 30)
UnclassifiedQuota
Percent of incoming packets (potentially) allowed to setup new flows; 99% will favor connection attempts over existing connections, 1% will favor existing connections over connection attempts. (Default: 5)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.13. CMPServer

Description

A CMP server is a Certificate Authority, which can provide certificates using the CMPv2 protocol.

Properties

Name
Specifies a symbolic name for the CMP server. (Identifier)
IPAddress
The IP address of the Certificate Authority. (Optional)
FQDN
The fully qualified domain name of the Certificate Authority. (Optional)
Port
The port to use on the Certificate Authority.
Path
The path to the certificate on the Certificate Authority.
CACert
The CA root certificate.
Comments
Text describing the current object. (Optional)

3.14. COMPortAccess

Description

A serial communication port that is used for accessing the CLI.

Properties

Port
Port. (Identifier)
BitsPerSecond
Bits per second. (Default: 115200)
DataBits
Data bits. (Default: 8)
Parity
Parity. (Default: None)
StopBits
Stop bits. (Default: 1)
FlowControl
Flow control. (Default: None)
AuthProfile
Specifies the authentication profile to use when authenticating serial console access. Only profiles with a single local user database as source are supported. Not setting a profile removes local console authentication. (Optional)
ConsoleRows
Number of rows used by the console CLI. (Default: 40)
ConsoleCols
Number of columns used by the console CLI. (Default: 80)
Comments
Text describing the current object. (Optional)

3.15. CRLDistPointList

Description

A CRL distribution point list specifies one or more locations from where a certificate revocation list (CRL) can be obtained. It can be used to add distribution points to a certificate that does not provide any, or to override existing ones.

Properties

Name
Specifies a symbolic name for the CRL distribution point list. (Identifier)
Comments
Text describing the current object. (Optional)

3.15.1. CRLDistPoint

Description

A CRL distribution point (CDP) specifies a location from where a certificate revocation list (CRL) can be obtained.

Properties

URL
Specifies the URL for the CRL distribution point. For example http://www.example.com/ca.crl.
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.16. CryptoSettings

Description

Cryptographic Settings

Properties

HWAcceleration
Enable hardware acceleration of cryptographic operations. Note: Requires a reboot to take effect. (Restart-required; Default: Yes)
SWFallback
Fall back to performing cryptographic operations in software when it is not possible to offload them to hardware. (Default: Yes)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.17. DateTime

Description

Set the date, time and time zone information for this system.

Properties

TimeZone
Specifies the time zone. (Default: UTC+00:00)
DSTAutoAdjust
Enable Daylight Saving Time auto adjusting. (Default: Yes)
TimeSyncEnabled
Enable time synchronization. (Default: No)
TimeSyncInterval
Seconds between each resynchronization. (Default: 86400)
TimeSyncMaxAdjust
Maximum time drift in seconds that a server is allowed to adjust. (Default: 600)
StartupForceSync
Enable forced synchronization at system startup. (Default: Yes)
TimeSyncSecurity
Enable security validation for received time synchronization packets. (Default: Yes)
Comments
Text describing the current object. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.17.1. TimeServer

Description

Specifies a timeserver used for time synchronization.

Properties

Name
Specifies a symbolic name for the server.
IP
IP address of the server.
Port
Port on which the server is listening. (Default: 123)
RoutingTable
Specifies the routing table to use for communication with the timeserver. (Default: main)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.18. DefaultInterface

Description

A special interface used to represent internal mechanisms in the system as well as an abstract "any" interface.

Properties

Name
Name of this interface. (Identifier)
MTU
Specifies the size (in bytes) of the largest packet that can be forwarded. (Default: 1500)
IPAddress
The interface's IP addresses. (Default: 0)
IP4Broadcast
The interface's IPv4 broadcast address. (Optional)
RoutingTableMembership
Interface's routing table membership. (Default: <all>)
Comments
Text describing the current object. (Optional)

3.19. DHCPServer

Description

DHCP Server is a predefined set of DHCP Server Rules. There can only be one DHCPServer object in the system.

Properties

LogEnabled
Enable logging. (Default: Yes)
Comments
Text describing the current object. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.19.1. DHCPServerRule

Description

A DHCP Server Rule determines a set of IP addresses and host configuration parameters to hand out to DHCP clients attached to a given interface.

Properties

Name
Specifies a symbolic name for the DHCP Server rule. (Identifier)
AllowFurtherMatching
Determines whether DHCP Server should try to match the next rule if the current rule can't fulfill the request. (Default: Yes)
Interface
The source interface to listen for DHCP requests on. This can be a single interface or a group of interfaces.
RelayerFilter
A range, group or network that will allow specific DHCP Relayers access to the DHCP Server. (Default: 0/0)
IPAddressPool
A range, group or network that the DHCP Server will use as IP address pool to give out DHCP leases from.
Netmask
Netmask sent to the DHCP Client.
DefaultGateway
Specifies what IP should be sent to the client for use as default gateway. If unspecified or if 0.0.0.0 is specified, the IP given to the client will be sent as gateway. (Optional)
Domain
Domain name used for DNS resolution. (Optional)
LeaseTime
The time, in seconds, for which a DHCP lease is granted to a host; after this the client has to renew the lease. (Default: 86400)
DNS1
IP of the primary DNS server. (Optional)
DNS2
IP of the secondary DNS server. (Optional)
NBNS1
IP of the primary Windows Internet Name Service (WINS) server, used in Microsoft environments that rely on NetBIOS Name Servers (NBNS) to assign IP addresses to NetBIOS names. (Optional)
NBNS2
IP of the secondary Windows Internet Name Service (WINS) server, used in Microsoft environments that rely on NetBIOS Name Servers (NBNS) to assign IP addresses to NetBIOS names. (Optional)
NextServer
IP address of next server in the boot process. (Optional)
Comments
Text describing the current object. (Optional)

3.19.1.1. DHCPServerStaticHost

Description

Static DHCP Server host entry

Properties

Name
Specifies a symbolic name for the static host. (Optional)
Host
IP Address of the host.
StaticHostType
Identifier for host.
ClientIdentType
Type of client identifier specified.
ClientIdent
The client identifier for the host.
MACAddress
The hardware address of the host.
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.19.1.2. DHCPServerCustomOption

Description

Extend the DHCP Server functionality by adding custom options that will be handed out to the DHCP clients.

Properties

Name
Specifies a symbolic name for the custom option. (Optional)
Code
The DHCP option code.
Type
The type of the option, e.g. STRING, IPAddress and so on.
Param
The parameter sent with the code; this can be a single parameter or a comma-separated list.
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.20. DHCPServerSettings

Description

Advanced DHCP server settings.

Properties

AutoSaveLeasePolicy
Policy for saving the lease database to disk. (Default: ReconfShut)
AutoSaveLeaseInterval
Seconds between auto saving the lease database to disk. (Default: 86400)
BlacklistTimeout
Seconds before an IP is removed from the blacklist. (Default: 3600)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.21. DNS

Description

Configure the DNS (Domain Name System) client settings.

Properties

CacheNegativeTTL
Number of seconds after an unsuccessful DNS request until a new request is sent. (Default: 30)
QueueSize
Maximum number of outstanding DNS requests, should be a power of two. (Default: 1024)
RepeatTime
Number of seconds after sending a request to a DNS server until it times out and a new request can be sent. (Default: 5)
RepeatCount
Number of times to try sending a request to a DNS server. (Default: 3)
MinTTL
Forces the result of a successful DNS request to be cached for at least this long. (Default: 3600)
MaxTTL
Forces the result of a successful DNS request to be cached for no longer than this. (Default: 86400)
FQDNValidAfterTTLDefault
Time in seconds to keep an IP address after the associated FQDN record TTL expires. (Default: 86400)
Comments
Text describing the current object. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.21.1. DNSServer

Description

Specifies a DNS server to use for lookups.

Properties

IPAddress
IP address of the DNS Server.
RoutingTable
Specifies the routing table to use for communication with the DNS server. (Default: main)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.22. DNSAlgProfile

Description

A DNS profile configures extended processing of DNS traffic.

Properties

Name
Specifies a symbolic name for the DNS profile. (Identifier)
MaxSessions
Maximum number of concurrent sessions. (Default: 1000)
MaxUDPQueryLength
Maximum payload size in DNS queries over UDP. (Default: 512)
MaxUDPResponseLength
Maximum payload size in DNS responses over UDP. (Default: 512)
MaxTCPQueryLength
Maximum message size in DNS queries over TCP. (Default: 4096)
MaxTCPResponseLength
Maximum message size in DNS responses over TCP. (Default: 4096)
RecursionDesiredFlag
Policy for handling the Recursion Desired flag in DNS messages. (Default: Allow)
MaxQuestionEntries
Maximum number of question entries. (Default: 1)
AllowedClasses
List of allowed classes. (Default: IN)
AllowedTypes
List of allowed types. (Default: <All>)
Translations
Set to a DNSTranslationList to enable DNS translations of addresses in DNS payload. (Default: <disabled>)
TranslationsOnDNSSEC
Force DNS translations to modify addresses even if DNSSEC is detected in a DNS packet. This will invalidate the signature, but for clients not performing their own validation it can still be useful. (Default: No)
ScrambleQueryID
Mitigation against cache poisoning. Scrambles message IDs in queries sent over UDP, and de-scrambles them before delivering the reply. (Default: Yes)
Comments
Text describing the current object. (Optional)
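The size, question-count, class and query-ID checks in a DNSAlgProfile are simple to state but easy to get subtly wrong, so here is an added illustration of them in Python. This is example code, not cOS Stream's implementation: it models MaxUDPQueryLength, MaxQuestionEntries, AllowedClasses and ScrambleQueryID on UDP queries, using class and function names of its own, and the query bytes are constructed inline rather than captured traffic. The scrambling part shows why the setting mitigates cache poisoning: a reply whose ID does not match a forwarded query is dropped instead of being handed to the client.

```python
"""Added illustration of DNSAlgProfile-style checks on UDP DNS queries (example code, not cOS Stream's own)."""
import secrets
import struct
from typing import Callable, Dict, List, Optional, Tuple

QCLASS_IN = 1
RD_FLAG = 0x0100                       # Recursion Desired bit in the DNS header flags word
HEADER = struct.Struct("!HHHHHH")     # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def build_query(qid: int, name: str, qtype: int = 1, qclass: int = QCLASS_IN, rd: bool = True) -> bytes:
    """Build a minimal DNS query; constructed sample input for this example, not captured traffic."""
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return HEADER.pack(qid, RD_FLAG if rd else 0, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, qclass)


def parse_questions(msg: bytes) -> List[Tuple[str, int, int]]:
    """Return (name, qtype, qclass) for every question entry; raise ValueError if malformed."""
    if len(msg) < HEADER.size:
        raise ValueError("short header")
    _, _, qdcount, _, _, _ = HEADER.unpack_from(msg)
    pos, questions = HEADER.size, []
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(msg):
                raise ValueError("truncated name")
            length = msg[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:          # compression pointers do not belong in a query's question name
                raise ValueError("compression pointer in question name")
            labels.append(msg[pos:pos + length].decode("ascii"))
            pos += length
        if pos + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack_from("!HH", msg, pos)
        pos += 4
        questions.append((".".join(labels), qtype, qclass))
    return questions


class DnsAlg:
    """Per-profile checks plus the query-ID scrambling table for one ALG instance."""

    def __init__(self, max_udp_query_length: int = 512, max_question_entries: int = 1,
                 allowed_classes=(QCLASS_IN,), scramble_query_id: bool = True,
                 rng: Optional[Callable[[], int]] = None) -> None:
        self.max_udp_query_length = max_udp_query_length
        self.max_question_entries = max_question_entries
        self.allowed_classes = set(allowed_classes)
        self.scramble = scramble_query_id
        self.rng = rng or (lambda: secrets.randbelow(0x10000))   # unpredictable 16-bit IDs
        self.pending: Dict[Tuple[str, int], int] = {}            # (client, scrambled id) -> original id

    def inspect_query(self, client: str, msg: bytes) -> Tuple[str, object]:
        """Return ("drop", reason) or ("forward", bytes to send to the server)."""
        if len(msg) > self.max_udp_query_length:
            return "drop", "MaxUDPQueryLength exceeded"
        try:
            questions = parse_questions(msg)
        except ValueError as exc:
            return "drop", f"malformed query: {exc}"
        if len(questions) > self.max_question_entries:
            return "drop", "MaxQuestionEntries exceeded"
        if any(qclass not in self.allowed_classes for _, _, qclass in questions):
            return "drop", "class not in AllowedClasses"
        if not self.scramble:
            return "forward", msg
        original_id = struct.unpack_from("!H", msg)[0]
        scrambled = self.rng()
        while (client, scrambled) in self.pending:   # never reuse an ID that is still in flight
            scrambled = self.rng()
        self.pending[(client, scrambled)] = original_id
        return "forward", struct.pack("!H", scrambled) + msg[2:]

    def inspect_response(self, client: str, msg: bytes) -> Tuple[str, object]:
        """Deliver only replies whose ID matches a forwarded query, with the client's own ID restored."""
        if len(msg) < HEADER.size:
            return "drop", "short header"
        if not self.scramble:
            return "deliver", msg
        scrambled = struct.unpack_from("!H", msg)[0]
        original_id = self.pending.pop((client, scrambled), None)
        if original_id is None:
            return "drop", "no matching query ID (unsolicited or spoofed reply)"
        return "deliver", struct.pack("!H", original_id) + msg[2:]


if __name__ == "__main__":
    alg = DnsAlg()
    client = "10.0.0.5:5353"                                   # constructed client address
    verdict, out = alg.inspect_query(client, build_query(0x1234, "www.example.com"))
    print(verdict, out[:2].hex())
    print(alg.inspect_response(client, b"\x00\x01" + out[2:]))  # wrong ID: dropped
    print(alg.inspect_response(client, out)[0])                 # matching ID: delivered
```

A real ALG would also expire entries in the pending table (the page's RepeatTime and queue limits bound how long a query can stay outstanding) and apply the RecursionDesiredFlag and AllowedTypes policies; those are left out to keep the ID-scrambling logic visible.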

3.23. DNSTranslationList

Description

A list of IP address pairs used to translate IP addresses in the payload of DNS responses.

Properties

Name
Specifies a symbolic name for the DNS translation list. (Identifier)
Comments
Text describing the current object. (Optional)

3.23.1. DNSTranslation

Description

A pair of IP addresses used to translate IP addresses in the payload of DNS responses.

Properties

FromIP
IP address to translate.
ToIP
IP address to translate to.
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.24. EthernetDevice

Description

Hardware settings for an ethernet interface.

Properties

Name
Name of this device. (Identifier)
HWIdent
Hardware dependent string, uniquely describing the physical location of the device.
LinkSpeed
Specifies if the link speed should be auto-negotiated or locked to a static speed. (Default: Auto)
Duplex
Specifies if the duplex should be auto-negotiated or locked to full or half duplex. (Default: Auto)
Comments
Text describing the current object. (Optional)

3.25. EthernetInterface

Description

An EthernetInterface represents a logical endpoint for ethernet traffic.

Properties

Name
Name of this interface. (Identifier)
EthernetAddress
Ethernet address to be used by the interface. (Optional)
HAEthernetAddressMode
Defines what type of ethernet addressing should be used in HA scenarios. (Default: PrivateSharedMAC)
HAType
Controls the HA mode of the interface. (Default: Critical)
MonitorTargets
The IP addresses of the hosts to monitor for HA diagnostics. (Optional)
MonitorTargetVLANs
Delegate hosts to monitor for HA diagnostics to the following VLANs. (Optional)
HeartbeatTransport
Set to VLAN interface in order to send VLAN-tagged heartbeats. (Default: <local>)
Backplane
Defines whether the interface is a backplane interface. (Default: No)
EthernetDevice
Ethernet device that this interface should use. (Optional)
VLANOutboundPrio
Priority value to use by VLAN interfaces that inherit their priority policy from this interface. (Default: 0)
VLANOutboundPrioPolicy
Specifies an inheritable policy for how VLAN interfaces determine the value of the priority field when adding the VLAN header to outbound packets. (Default: Set)
PrivateIP
The private IP address of this high availability node. (Optional)
RouterAdvertisementProfile
The Router Advertisement profile that will be used by the interface. (Default: DefaultProfile)
LAGEnabled
Specifies whether this interface uses Link Aggregation. (Default: No)
LAGMode
Specifies the method used to aggregate links. (Default: RoundRobin)
LAGMembers
The group of Ethernet devices to aggregate.
LAGTxPolicy
Specifies the packet characteristics used to distribute outgoing traffic among the active links. (Default: L3L4)
LAGActiveBackupPrimary
Specifies the primary member device in Active Backup mode. (Optional)
LAGLinkStatePollPeriod
Specifies the interval in milliseconds at which member devices not supporting LSC interrupts are checked for link status changes. (Default: 10)
LAGLinkUpDelay
Specifies the delay in milliseconds before propagating that the link status changed to up for a member device. (Default: 0)
LAGLinkDownDelay
Specifies the delay in milliseconds before propagating that the link status changed to down for a member device. (Default: 0)
LAGFastPeriodicInterval
Specifies the interval in milliseconds between periodic transmissions using fast timeouts. (Default: 900)
LAGSlowPeriodicInterval
Specifies the interval in milliseconds between periodic transmissions using slow timeouts. (Default: 29000)
LAGShortTimeout
Specifies the interval in milliseconds before invalidating received LACPDU information when using short timeouts. (Default: 3000)
LAGLongTimeout
Specifies the interval in milliseconds before invalidating received LACPDU information when using long timeouts. (Default: 90000)
LAGAggregateWaitTimeout
Specifies the number of milliseconds to delay aggregation to allow multiple links to aggregate simultaneously. (Default: 2000)
TargetRx
Expected receive bandwidth for this interface. Requires system restart to take effect. (Restart-required; Default: Auto)
TargetTx
Expected transmit bandwidth for this interface. Requires system restart to take effect. (Restart-required; Default: FollowRx)
MTU
Specifies the size (in bytes) of the largest packet that can be forwarded. (Default: 1500)
IPAddress
The interface's IP addresses. (Default: 0)
IP4Broadcast
The interface's IPv4 broadcast address. (Optional)
RoutingTableMembership
Interface's routing table membership. (Default: <all>)
DHCPEnabled
Indicates if this interface uses DHCP. (Optional)
DHCPPreferredIP
IP address preferred by this interface. (Optional)
DHCPServerFilter
Filter for acceptable DHCP server IP addresses. (Optional)
DHCPAddressFilter
Filter for acceptable IP addresses. (Optional)
DHCPPrimaryDNS
IP address of the primary DNS server. (Optional)
DHCPSecondaryDNS
IP address of the secondary DNS server. (Optional)
DefaultGateway
IP address of the default gateway. (Optional)
DHCPNetwork
IP address to the default gateway. (Optional)
DHCPPrimaryNBNS
IP address of the primary NBNS/WINS server. (Optional)
DHCPSecondaryNBNS
IP address of the secondary NBNS/WINS server. (Optional)
DHCPValidateBcast
Require highest network address as broadcast. (Default: Yes)
DHCPAllowGlobalBcast
Allow 255.255.255.255 as Broadcast address. (Default: No)
DHCPARPOnOfferEnabled
Perform ARP resolves on offered address. (Default: Yes)
DHCPCheckIPConflicts
Check for IP collisions with static routes. (Default: Yes)
DHCPCheckNetConflicts
Check for net collisions with static routes. (Default: Yes)
DHCPReleaseOnShutdown
Release active lease on graceful shutdown. (Default: No)
SecurityEquivalentInterfaces
Security and transport equivalent interfaces. (Optional)
IPv6AddressConfiguration
Controls IPv6 address configuration mode. (Default: Static)
IPv6Network
IPv6 on-link prefixes. (Optional)
IPv6DNS
IPv6 addresses of DNS servers. (Optional)
IPv6Gateway
IPv6 address of default gateway. (Optional)
MaxSLAACAddresses
Maximum number of autoconfigured IPv6 addresses. (Default: 4)
Zone
Specifies the zone that this interface is a member of. (Optional)
Comments
Text describing the current object. (Optional)

3.26. FlowTimeoutSettings

Description

Flow timeout settings

Properties

FlowLifetimeTCPInit
Flow idle lifetime in seconds for TCP connections being formed, that is, during the handshake. (Default: 60)
FlowLifetimeTCPNoData
Flow idle lifetime in seconds for TCP connections where the handshake is finished but the data transfer has not started yet. (Default: 60)
FlowLifetimeTCPOpen
Flow idle lifetime in seconds for established TCP connections. (Default: 262144)
FlowLifetimeTCPClosing
Flow idle lifetime in seconds for TCP connections being closed. (Default: 80)
FlowLifetimeTCPStateless
Flow idle lifetime in seconds for stateless TCP connections. (Default: 130)
FlowLifetimeUDP
Flow idle lifetime in seconds for UDP connections. (Default: 130)
FlowLifetimeICMP
Flow idle lifetime in seconds for ICMP (ping) connections. (Default: 8)
FlowLifetimeSCTPStateless
Flow idle lifetime in seconds for stateless SCTP connections. (Default: 130)
FlowLifetimeSCTPStateful
Flow idle lifetime in seconds for stateful SCTP connections. (Default: 600)
FlowLifetimeOther
Flow idle lifetime in seconds to use when no other lifetime setting matches the type of the connection. (Default: 130)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.27. FragSettings

Description

Pseudo Fragment Reassembly Settings

Properties

PseudoReass_MaxConcurrent
Maximum number of concurrent fragment reassemblies. Set to 0 to drop all fragments. (Default: 1024)
IllegalFrags
Illegally constructed fragments; partial overlaps, bad sizes, etc. (Default: DropLog)
DuplicateFragData
On receipt of duplicate fragments, verify matching data. (Default: Check8)
FragReassemblyFail
Failed packet reassembly attempts - due to timeouts or packet losses. (Default: LogSuspectSubseq)
DroppedFrags
Fragments of packets dropped due to rule base. (Default: LogSuspect)
DuplicateFrags
Duplicate fragments received. (Default: LogSuspect)
FragmentedICMP
Fragmented ICMP messages other than Ping; normally invalid. (Default: DropLog)
IP6NopFrags
Packet is first and last fragment at the same time (and by definition not a fragment, though it has a fragment header). Note that these packets are legal and serve a purpose as a non-IPv6-to-IPv6 connection mechanism (see RFC 2460 for details). (Default: Ignore)
IP6ResvFldFrags
Fragments with a non-zero value in the reserved field (header size for all other extension headers). (Default: StripLog)
IP6ResvBitFrags
Fragments with a non-zero value in the reserved fragment bits. (Default: StripLog)
IP6MinimumFragLength
Minimum allowed payload length of non-last IPv6 fragments. (Default: 640)
MinimumFragLength
Minimum allowed payload length of non-last fragments. (Default: 8)
ReassTimeout
Timeout in seconds of a reassembly, since previous received fragment. (Default: 65)
ReassTimeLimit
Maximum life time in seconds of a reassembly, since first received fragment. (Default: 90)
ReassDoneLinger
How long (in seconds) to remember a completed reassembly (watching for old dups). (Default: 20)
ReassIllegalLinger
How long (in seconds) to remember an illegal reassembly (watching for more frags). (Default: 60)
IP6RejectBadFragLength
Send Parameter Problem error when receiving fragment with bad data length. (Default: No)
IP6SendErrorOnTimeout
Send Time Exceeded error when a fragment reassembly times out. (Default: No)
LocalReass_MaxSize
Maximum size of a locally reassembled packet. This setting applies in addition to normal length limit settings when a fragmented packet is reassembled for processing by the device rather than for forwarding. (Default: 10000)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.
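
As an added example (not code from the cOS Stream product or this reference), the following Python models how ReassTimeout and ReassTimeLimit together bound the life of a pending reassembly, and how MinimumFragLength / IP6MinimumFragLength classify under-sized non-last fragments for the IllegalFrags action; the constants are the documented defaults, while the exact timer semantics and the Fragment/track helpers are assumptions drawn from the property descriptions above.

```python
# Added illustration (not cOS Stream code) of the FragSettings timers and
# the non-last-fragment minimum-length check. Constants are the documented
# defaults; the timer semantics modelled here are an assumption drawn from
# the property descriptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

REASS_TIMEOUT = 65             # ReassTimeout: seconds since the previous fragment
REASS_TIME_LIMIT = 90          # ReassTimeLimit: seconds since the first fragment
MINIMUM_FRAG_LENGTH = 8        # MinimumFragLength: IPv4 non-last fragments (bytes)
IP6_MINIMUM_FRAG_LENGTH = 640  # IP6MinimumFragLength: IPv6 non-last fragments


@dataclass
class Fragment:
    """Constructed sample fragment; only the fields the checks look at."""
    arrival: float        # seconds on a relative clock
    payload_len: int      # fragment payload length in bytes
    more_fragments: bool  # True for every fragment except the last
    ipv6: bool = False


def is_illegal_length(frag: Fragment) -> bool:
    """A non-last fragment shorter than the configured minimum is illegal
    (the IllegalFrags action applies). The last fragment may be any length."""
    if not frag.more_fragments:
        return False
    minimum = IP6_MINIMUM_FRAG_LENGTH if frag.ipv6 else MINIMUM_FRAG_LENGTH
    return frag.payload_len < minimum


def reassembly_deadline(first_seen: float, last_seen: float) -> float:
    """Time at which a still-incomplete reassembly is discarded: the idle
    timeout is refreshed by every fragment, the absolute limit is not."""
    return min(last_seen + REASS_TIMEOUT, first_seen + REASS_TIME_LIMIT)


def track(fragments: List[Fragment]) -> Tuple[Optional[float], int]:
    """Feed the fragments of one datagram in arrival order.

    Returns (deadline of the current reassembly, number of fragments the
    length check rejected); the deadline is None if nothing was accepted.
    A fragment arriving at or after the deadline starts a new reassembly,
    because the old one has already been torn down."""
    first_seen: Optional[float] = None
    last_seen: float = 0.0
    rejected = 0
    for frag in sorted(fragments, key=lambda f: f.arrival):
        if is_illegal_length(frag):
            rejected += 1
            continue
        if first_seen is None or frag.arrival >= reassembly_deadline(first_seen, last_seen):
            first_seen = last_seen = frag.arrival
        else:
            last_seen = frag.arrival
    if first_seen is None:
        return None, rejected
    return reassembly_deadline(first_seen, last_seen), rejected


if __name__ == "__main__":
    # A slow trickle: one fragment every 60 s never trips the 65 s idle
    # timeout, but the 90 s absolute limit still ends the reassembly at t=90.
    trickle = [Fragment(0.0, 1400, True), Fragment(60.0, 1400, True)]
    print("trickle deadline:", track(trickle))   # (90.0, 0)
    # A 4-byte non-last IPv4 fragment is rejected by the length check.
    tiny = [Fragment(0.0, 4, True), Fragment(0.1, 1400, False)]
    print("tiny fragment:", track(tiny))         # (65.1, 1)
```

The trickle case is the point of having both timers: ReassTimeout alone would let a slow sender hold reassembly state indefinitely, while ReassTimeLimit caps it regardless of how regularly fragments keep arriving.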

3.28. FTPAlgProfile

Description

An FTP profile configures extended processing of FTP traffic.

Properties

Name
Specifies a symbolic name for the FTP profile. (Identifier)
ServerPorts
Server data ports. (Default: 1024-65535)
ClientPorts
Client data ports. (Default: 1024-65535)
MaxSessions
Maximum number of concurrent sessions. (Default: 1000)
MaxCommandRate
Maximum number of commands per second. (Default: 200)
AllowUnknownCommands
Allow unknown commands. (Default: No)
AllowSITEEXEC
Allow SITE EXEC. (Default: No)
AllowCLNTCommand
Allow the CLNT FTP command. (Default: No)
MaxLineLength
Maximum length of lines sent over the control channel. (Default: 256)
TrafficProfile
Selects a traffic profile to use to shape the traffic on the data channel. (Optional)
Comments
Text describing the current object. (Optional)

3.29. GeolocationFilter

Description

A geolocation filter defines a collection of individual regions representing larger geographical or political areas like Africa, Oceania or the European Union.

Properties

Name
A name to uniquely identify this GeolocationFilter. (Identifier)
Regions
List of regions (represented by ISO 3166-1 alpha-2 codes). (Optional)
MatchPrivate
Match private networks. (Default: No)
MatchUnknown
Match unknown networks. (Default: No)
Comments
Text describing the current object. (Optional)

3.30. GRETunnel

Description

A GRE interface is a Generic Routing Encapsulation (no encryption, no authentication, only encapsulation) tunnel over an existing IP network.

Properties

Name
Name of this interface. (Identifier)
LocalEndpoint
Specifies the IP address of the local endpoint.
RemoteEndpoint
Specifies the IP address of the remote endpoint.
SourceInterface
The interface that GRE traffic is received on. (Default: any)
OuterRoutingTable
The routing table to use for GRE traffic. (Default: main)
SessionKey
Session key. (Optional)
PathMTUDiscoveryEnabled
Enables path MTU discovery for the GRE traffic generated by this GRE tunnel. (Default: Yes)
MTU
Specifies the size (in bytes) of the largest packet that can be forwarded. (Default: 1500)
IPAddress
The interface's IP addresses. (Default: 0)
IP4Broadcast
The interface's IPv4 broadcast address. (Optional)
RoutingTableMembership
Interface's routing table membership. (Default: <all>)
SecurityEquivalentInterfaces
Security and transport equivalent interfaces. (Optional)
Zone
Specifies the zone that this interface is a member of. (Optional)
Comments
Text describing the current object. (Optional)

3.31. GTPInspectionProfile

Description

A GTP inspection profile is used to configure protocol validation and stateful inspection of GTP Control Plane (GTP-C) and GTP User Plane (GTP-U) traffic.

Properties

Name
Specifies a symbolic name for the profile. (Identifier)
GTPVersion
Allowed GTP-C versions. (Default: GTPv2)
SessionTimeout
The maximum number of seconds a GTP-C session can be idle before it is closed. (Default: 300)
SessionTimeoutNBIoT
The maximum number of seconds a GTP-C session with the NB-IoT RAT type can be idle before it is closed. (Default: 300)
BearerTimeout
The maximum number of seconds a GTP-U bearer can be idle before it is closed. (Default: 300)
BearerTimeoutNBIoT
The maximum number of seconds a GTP-U bearer with the NB-IoT RAT type can be idle before it is closed. (Default: 300)
MaxSessions
Maximum number of GTP-C sessions allowed. (Default: 1000)
MaxSessionsPerSourceIP
Maximum number of GTP-C sessions allowed from a single IP address. (Default: 1000)
MaxBearersPerSession
Maximum number of bearers allowed for a single GTP-C session. (Default: 1)
DownlinkSourceInterface
Source interface filter for GTP-U traffic originating from SGSN/S-GW.
DownlinkNetwork
SGSN/S-GW network filter for GTP-U traffic.
UplinkSourceInterface
Source interface filter for GTP-U traffic originating from GGSN/P-GW.
UplinkNetwork
GGSN/P-GW network filter for GTP-U traffic.
SourcePorts
Specifies the source port or port ranges applicable for GTP-U traffic. (Default: 0-65535)
DestinationPorts
Specifies the destination port or port ranges applicable for GTP-U traffic. (Default: 2152)
Comments
Text describing the current object. (Optional)

3.32. GTPInspectionSettings

Description

GTP Inspection settings.

Properties

OnBlockPiggybackMsg
GTPv2-C piggyback message being blocked. (Default: DropPacket)
GTPinGTP
GTP traffic inside a GTP tunnel detected. (Default: DropLog)
GTPUUnknownMessageType
Unknown GTP-U message received. (Default: DropLog)
GTPUUnknownIEType
Unknown or unexpected GTP-U IE type. This setting does not apply for unknown IE types below 128, they are always dropped and logged. (Default: DropLog)
GTPCUnknownMessageType
Unknown GTP-C message received. (Default: BlockLog)
GTPCUnknownIEType
Unknown or unexpected GTP-C IE type. This setting does not apply for unknown GTPv1 IE types below 128, they are always dropped and logged. (Default: BlockLog)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.33. GTPTunnel

Description

A GTP interface combines two different protocols: GTP Control Plane (GTP-C) and GTP Data Transfer (GTP-U), and will act as a Serving GPRS Support Node (SGSN).

Properties

Name
Name of this interface. (Identifier)
StitchInterface
Specifies the IPsec tunnel that this GTP tunnel is stitched to. (Optional)
LocalEndpoint
Specifies the outer IP address of the GTP interface. (Optional)
OuterRoutingTable
The outer Routing Table to use for the GTP-C and GTP-U traffic. (Default: main)
EndUserDNS
End User DNS that clients will use. (Optional)
FakeDHCPServer
Address to use in DHCPINFORM Responses.
ChargingCharacteristics
A set of vendor specified flags. (Optional)
OverrideGGSNEUDNS
Override any End User DNS information received from GGSN. (Default: No)
RoundRobinDNS
Use round robin between hosts when the DNS name resolves to multiple hosts. (Default: No)
InterceptDHCPInform
Intercept DHCPINFORM messages from clients that request P-CSCF information. (Default: No)
SeqNumCheck
Sequence Number Checking on user data packets. (Default: No)
ShortAPNDNS
Use only the first label in the APN when DNS resolving the GGSN's IP addresses. (Default: No)
ShortAPNGGSN
Send only the first label in the APN to the GGSN. (Default: No)
SendRATType
Send the RAT-Type information element. (Default: Yes)
UsePreferredIP
Negotiate End User Address using IP address proposed by client. (Default: No)
MaxRetransmits
Maximum number of resends for a message before the system considers the link down. (Default: 30)
RetransmitInterval
Seconds between resending non-acknowledged messages. (Default: 2)
PathCheckInterval
Seconds between path checks. (Default: 60)
FailedTimeout
Seconds a failed GGSN connection is kept in memory. (Default: 0)
TunnelLimit
Maximum allowed GTP Tunnels. (Default: 100000)
MaxSeqDistance
Maximum allowed distance a sequence number can be from expected without being dropped. (Default: 5)
RecSeqSet
Number of previous accepted sequence numbers to compare against for validation. (Default: 6)
ResolveAPNInterval
Seconds between new resolve for an APN. (Default: 300)
SelectionMode
Selection mode indicates the origin of the APN. (Default: MSNotVerfied)
RATType
RAT type sent to the GGSN when establishing a tunnel. (Default: WLAN)
AllocRetPrio
Allocation/Retention Priority field of QoS sent to GGSN. (Default: Low)
TrafficClass
Traffic class. (Default: Subscribed)
TrafficHandlingPriority
Traffic handling priority. (Default: Subscribed)
MaxSDUSize
Maximum SDU size, with a granularity of ten bytes. (Default: 1500)
MaxBitRateUplink
Maximum bitrate uplink in kbps. (Default: 8640)
MaxBitRateDownlink
Maximum bitrate downlink in kbps. (Default: 16000)
DelayClass
Delay class. (Default: 4)
ReliabilityClass
Reliability class. (Default: 3)
PeakThroughput
Peak throughput. (Default: 1)
PrecedenceClass
Precedence class. (Default: 3)
MeanThroughput
Mean throughput. (Default: 0)
DeliveryErroneousSDU
Delivery of erroneous SDU. (Default: 3)
ResidualBER
Residual bit error rate (BER). (Default: 8)
SDUErrorRatio
SDU error ratio. (Default: 4)
TransferDelay
Transfer delay. (Default: 0)
GuaranteedBitRateUplink
Guaranteed bit rate uplink in kbps. (Default: 0)
GuaranteedBitRateDownlink
Guaranteed bit rate downlink in kbps. (Default: 0)
SignalingIndication
Signaling indication. (Default: 0)
SourceStatisticsDescriptor
Source statistics descriptor. (Default: 0)
DeliveryOrder
Enable Delivery order. (Default: No)
AutoInterfaceNetworkRoute
Automatically add a route for this interface using the given remote network. (Default: Yes)
UpdatePDPContextResp
Specifies how to respond to Update PDP Context Requests from a GGSN. (Default: ServiceNotSupported)
EndMarkerSupport
Enable support for End Marker messages. (Default: No)
CopyDSCP
Copy the DSCP (Differentiated Services Codepoint) value from the inner to the outer IP header of GTP-U messages. (Default: No)
HASyncInterval
The number of packets received or sent between sequence number synchronization for GTP-U. A value of 0 will cause a synchronization every 2*MaxSeqDistance. (Default: 0)
DSCP
Specifies the DSCP (Differentiated Services Codepoint) value to set in the outer IP header. This value is ignored if copying is enabled. (Default: 0)
UDPChksum
Specifies how to handle GTP-U UDP checksum. (Default: Ignore)
MTU
Specifies the size (in bytes) of the largest packet that can be forwarded. (Default: 1500)
IPAddress
The interface's IP addresses. (Default: 0)
IP4Broadcast
The interface's IPv4 broadcast address. (Optional)
RoutingTableMembership
Interface's routing table membership. (Default: <all>)
SecurityEquivalentInterfaces
Security and transport equivalent interfaces. (Optional)
Zone
Specifies the zone that this interface is a member of. (Optional)
Comments
Text describing the current object. (Optional)

3.34. HAFlowSettings

Description

High Availability flow sync delay settings

Properties

HAFlowSyncDelayTCP
Number of seconds to delay a stateful TCP flow before HA sync is considered. (Default: NoDelay)
HAFlowSyncDelayTCPStateless
Number of seconds to delay a stateless TCP flow before HA sync is considered. (Default: NoDelay)
HAFlowSyncDelayUDP
Number of seconds to delay a UDP flow before HA sync is considered. (Default: NoDelay)
HAFlowSyncDelayICMP
Number of seconds to delay an ICMP flow before HA sync is considered. (Default: NoDelay)
HAFlowSyncDelaySCTPStateless
Number of seconds to delay a stateless SCTP flow before HA sync is considered (stateful SCTP flows are never synchronized). (Default: NoDelay)
HAFlowSyncDelayOther
Number of seconds to delay a flow of a not recognized protocol before HA sync is considered. (Default: NoDelay)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.35. HASettings

Description

High Availability Settings

Properties

MaxHeartbeatInterval
Maximum interval between periodic HA heartbeats. The actual runtime heartbeat interval might be shorter if the system decides that more frequent heartbeats are needed for stable operation. (Default: 100ms)
PeerDead
Number of milliseconds of no heartbeats received from the HA peer node before the peer is considered dead. Will be rounded down to a multiple of the actual runtime heartbeat interval. As this is evaluated at every heartbeat interval, the peer node may have been silent for up to one extra heartbeat interval before detection. After the current node starts to take over, there is also additional headroom required up to the full desired max failover-time, to allow switches and/or other neighboring network equipment to learn what happened. It is only after they have been informed about the change, and taken action on it, that the system will be fully operational again with the current node being active. (Default: 1900)
IfaceDown
Number of milliseconds of incomplete heartbeat communication and failed queries to MonitorTargets before a critical interface will be considered down. Bi-directional communication is required. Will be rounded down to a multiple of the actual runtime heartbeat interval. (Default: Auto)
IfaceEarlyDown
Number of milliseconds of incomplete heartbeat communication over a critical interface before the system will start monitoring the MonitorTargets specified on the interface. Anything but functional bi-directional heartbeat communication is considered as incomplete. Must be set to a lower value than IfaceDown. Will be rounded down to a multiple of the actual runtime heartbeat interval. (Default: Auto)
OnDepCacheFull
Decides the action performed when a new object arrives when the dependency cache is full. (Default: Replace)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.36. HASyncFragSettings

Description

Settings controlling reassembly of HA sync messages

Properties

MaxConcurrentReass
Maximum number of concurrent reassemblies. Note: Requires reboot to take effect. (Restart-required; Default: 1024)
ReassTimeout
Timeout in seconds of a reassembly, since previous received fragment. (Default: 65)
ReassTimeLimit
Maximum life time in seconds of a reassembly, since first received fragment. (Default: 90)
ReassDoneLinger
How long (in seconds) to remember a completed reassembly (watching for old dups). (Default: 20)
ReassFailedLinger
How long (in seconds) to remember a failed reassembly (watching for more frags). (Default: 60)
LogReassEvents
Controls whether events regarding HA sync message reassembly are logged. (Default: Yes)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.37. HighAvailability

Description

High Availability settings. All these settings are private for this node and not synchronized to its peer.

Properties

Enabled
Enable High Availability. (Default: No)
AutoSyncCfg
Specifies if cluster members are to synchronize configuration data automatically after reconfigure. (Default: Yes)
ClusterID
A (network local) unique cluster ID to use in identifying this group of HA firewalls. (Default: 1)
Role
Master or Slave. (Default: Master)
Comments
Text describing the current object. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.38. HWMONMonitor

Description

Hardware monitor. Reads information from system sensors and keeps track of changes and limits.

Properties

Name
Specifies a symbolic name for the hardware monitor. (Identifier)
SensorID
Sensor unique identifier string.
Severity
Specifies the severity that will be set on log events generated by the monitor. (Default: warning)
LowThres
Lower value threshold. If read value on sensor is below this value a log entry will be generated. (Optional)
HighThres
Higher value threshold. If read value on sensor is above this value a log entry will be generated. (Optional)
Interval
Interval in seconds between consecutive checks for threshold violations. (Optional)
Enabled
Enable or disable the monitor. If disabled, the monitor continues to work but will not log threshold violation events. (Default: Yes)
Comments
Text describing the current object. (Optional)

3.39. HWMONSettings

Description

Settings for the HardwareMonitor

Properties

SensorRefreshInterval
Interval in seconds between consecutive sensor value polls. (Default: 5)
LogRepeatInterval
Interval in seconds between consecutive logs of the same persistent sensor event where the value does not return to within normal limits. (Default: 21600)
MonitorEnable
Turn on or off monitoring. If off, no monitoring whatsoever will be conducted. The system should be restarted after changing this setting. (Default: Yes)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.40. ICMPSettings

Description

ICMP (Internet Control Message Protocol) Settings

Properties

OwnIPInICMPv4Size
How much to include of the original datagram in ICMPv4 error responses generated by the firewall. (Default: Short)
ICMPSendPerSecLimit
Maximum number of ICMP responses that the gateway may send each second. (Default: 500)
ICMPErrorPerSecLimit
Maximum number of ICMP errors (per second) that may be forwarded by a virtual system. (Default: 5000)
ICMPErrorPerSecToSPLimit
Maximum number of ICMP errors (per second) that may be subject to rule lookup. Set to a non-zero value only if you wish to forward raw ICMP errors that do not match any existing connections. (Default: 0)
ICMPMaxErrorsPerFlow
Maximum number of ICMP errors per flow and second. (Default: 50)
ICMPMaxErrorsPerRule
Maximum number of ICMP errors per rule and second. (Default: 5000)
ICMPValidateChecksum
How to handle the ICMP checksum. (Default: IfHWAssistedLogBad)
ICMP_SeqNoScramble
Add a random value to the sequence number (the same random value is used for all messages in a connection). (Default: Yes)
ICMP_SeqNoTrack
Whether to track ICMP sequence numbers. (Default: DropLog)
ICMP_DataTrack
Whether to track the data contents in ICMP 'ping' messages. (Default: Ignore)
IP4NetworkUnreachable
How to handle ICMPv4 error 'destination unreachable' (network unreachable). (Default: ObeyService)
IP4HostUnreachable
How to handle ICMPv4 error 'destination unreachable' (host unreachable). (Default: ObeyService)
IP4ProtocolUnreachable
How to handle ICMPv4 error 'destination unreachable' (protocol unreachable). (Default: ObeyService)
IP4PortUnreachable
How to handle ICMPv4 error 'destination unreachable' (port unreachable). (Default: ObeyService)
IP4FragmentationNeeded
How to handle ICMPv4 error 'destination unreachable' (fragmentation needed and DF bit set). (Default: ObeyServiceLog)
IP4SourceRouteUnreachable
How to handle ICMPv4 error 'destination unreachable' (source route unreachable). (Default: ObeyService)
IP4NetworkRouteUnreachable
How to handle ICMPv4 error 'destination unreachable' (no route to network). (Default: ObeyService)
IP4HostRouteUnreachable
How to handle ICMPv4 error 'destination unreachable' (no route to host). (Default: ObeyService)
IP4SourceIsolated
How to handle ICMPv4 error 'destination unreachable' (source isolated). (Default: ObeyService)
IP4NetworkProhibited
How to handle ICMPv4 error 'destination unreachable' (administratively prohibited network). (Default: ObeyService)
IP4HostProhibited
How to handle ICMPv4 error 'destination unreachable' (administratively prohibited host). (Default: ObeyService)
IP4NetworkTOSUnreachable
How to handle ICMPv4 error 'destination unreachable' (destination network unreachable for type of service). (Default: ObeyService)
IP4HostTOSUnreachable
How to handle ICMPv4 error 'destination unreachable' (destination host unreachable for type of service). (Default: ObeyService)
IP4CommunicationProhibited
How to handle ICMPv4 error 'destination unreachable' (communication administratively prohibited). (Default: ObeyService)
IP4PrecedenceViolation
How to handle ICMPv4 error 'destination unreachable' (host precedence violation). (Default: DropLog)
IP4PrecedenceCutoff
How to handle ICMPv4 error 'destination unreachable' (precedence cutoff in effect). (Default: DropLog)
IP4UnknownUnreachable
How to handle ICMPv4 error 'destination unreachable' (unknown code). (Default: DropLog)
IP4TimeExceeded
How to handle ICMPv4 error 'time exceeded' (TTL too low). (Default: ObeyService)
IP4FragmentExceeded
How to handle ICMPv4 error 'time exceeded' (one or more fragments not received before timeout). (Default: ObeyService)
IP4UnknownTimeExceeded
How to handle ICMPv4 error 'time exceeded' (unknown code). (Default: DropLog)
IP4ParameterProblem
How to handle ICMPv4 error 'parameter problem' (code 'problem at pointer'). (Default: DropLog)
IP4ParameterRequired
How to handle ICMPv4 error 'parameter problem' (parameter required). (Default: DropLog)
IP4ParameterBadLength
How to handle ICMPv4 error 'parameter problem' (bad length). (Default: DropLog)
IP4UnknownParameterProblem
How to handle ICMPv4 error 'parameter problem' (unknown code). (Default: DropLog)
IP4NetworkRedirect
How to handle ICMPv4 error 'redirect' (redirect network). (Default: DropLog)
IP4HostRedirect
How to handle ICMPv4 error 'redirect' (redirect host). (Default: DropLog)
IP4TypeOfServiceRedirect
How to handle ICMPv4 error 'redirect' (type of service). (Default: DropLog)
IP4HostAndServiceRedirect
How to handle ICMPv4 error 'redirect' (host and type of service). (Default: DropLog)
IP4UnknownRedirect
How to handle ICMPv4 error 'redirect' (unknown code). (Default: DropLog)
IP4ConversionError
How to handle ICMPv4 error 'conversion error'. (Default: DropLog)
IP4SourceQuench
How to handle ICMPv4 error 'source quench'. (Default: DropLog)
IP4AlternateHostAddress
How to handle ICMPv4 error 'alternate host address'. (Default: DropLog)
IP4MobileHostRedirect
How to handle ICMPv4 error 'mobile host redirect'. (Default: DropLog)
IP6RouteUnreachable
How to handle ICMPv6 error 'destination unreachable' (no route to destination). (Default: ObeyService)
IP6Rejected
How to handle ICMPv6 error 'destination unreachable' (communication with destination administratively prohibited). (Default: ObeyService)
IP6SourceRejected
How to handle ICMPv6 error 'destination unreachable' (communication with destination administratively prohibited; source address failed ingress/egress policy). (Default: ObeyService)
IP6DestinationRejected
How to handle ICMPv6 error 'destination unreachable' (communication with destination administratively prohibited; reject route to destination). (Default: ObeyService)
IP6ScopeUnreachable
How to handle ICMPv6 error 'destination unreachable' (beyond scope of source address). (Default: ObeyService)
IP6AddressUnreachable
How to handle ICMPv6 error 'destination unreachable' (destination failed address resolution). (Default: ObeyService)
IP6PortUnreachable
How to handle ICMPv6 error 'destination unreachable' (port unreachable). (Default: ObeyService)
IP6UnknownUnreachable
How to handle ICMPv6 error 'destination unreachable' (unknown code). (Default: DropLog)
IP6TimeExceeded
How to handle ICMPv6 error 'time exceeded' (HopLimit/TTL too low). (Default: ObeyService)
IP6FragmentExceeded
How to handle ICMPv6 error 'time exceeded' (one or more fragments not received before timeout). (Default: ObeyService)
IP6UnknownTimeExceeded
How to handle ICMPv6 error 'time exceeded' (unknown code). (Default: DropLog)
IP6ErroneousHeader
How to handle ICMPv6 error 'parameter problem' (erroneous header field). (Default: DropLog)
IP6NextHeaderUnrecognized
How to handle ICMPv6 error 'parameter problem' (unrecognized next header type). (Default: DropLog)
IP6OptionUnrecognized
How to handle ICMPv6 error 'parameter problem' (unrecognized IPv6 option type). (Default: DropLog)
IP6UnknownParameterProblem
How to handle ICMPv6 error 'parameter problem' (unknown code). (Default: DropLog)
IP6PacketTooBig
How to handle ICMPv6 error 'packet too big'. (Default: AlwaysAllowLog)
IP6UnknownPacketTooBig
How to handle ICMPv6 error 'packet too big' (unknown code). (Default: DropLog)
IP6UnknownError
How to handle unknown ICMPv6 errors. (Default: DropLog)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.41. IKEProposalList

Description

A proposal list is used during the IKE negotiation. It specifies which encryption/integrity algorithms and PRF to use for the IKE SA. In most cases it is enough to specify one proposal with several algorithms; any combination of those algorithms is then permitted for the SA. If only certain combinations of algorithms are allowed, they should be divided into several proposals, where each proposal defines one combination of algorithms.

Properties

Name
Specifies the name of the IKE Proposal list. (Identifier)
Comments
Text describing the current object. (Optional)

3.41.1. IKEProposal

Description

An IKE proposal specifies a specific combination of algorithms allowed during the IKE negotiation.

Properties

EncryptionAlgorithms
Specifies the encryption algorithms to support. (Default: aes128-cbc,3des)
IntegrityAlgorithms
Specifies the integrity algorithms to support. (Default: sha256,sha384,sha512,aes-xcbc)
PRF
Specifies the pseudo random function. (Optional)
DHGroup
Specifies the Diffie-Hellman group to use when doing key exchanges in IKE. (Default: 5,14)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.42. IKESettings

Description

IKE Settings

Properties

NormalizeNetworks
Normalize, i.e. simplify, local and remote networks by merging IP address ranges when possible. (Default: Yes)
RetransmitTimeout
Time in seconds from the first packet to the first retransmit. (Default: 0.5)
RetransmitTimeoutMax
Retransmit timeout will grow exponentially for each resend but never higher than this value. (Default: 10)
RetransmitBase
Base for exponential back-off for resending IKE messages. (Default: 1.8)
RetransmitTries
Number of times an IKE message is resent. (Default: 6)
Threads
Total number of IKE threads. (Default: 60)
MaxJobs
Maximum number of IKE jobs allowed to be queued for thread processing before new negotiations are dropped. (Default: 120)
MaxNegotiations
Maximum number of concurrent IKE negotiations allowed before new negotiations are dropped. (Default: 120)
MaxPeerNegotiations
Maximum number of concurrent IKE negotiations allowed from a single peer IP address before new negotiations are dropped. (Default: 60)
CookieThreshold
Maximum number of concurrent IKE negotiations allowed before requesting that new negotiations are retried using a provided cookie. (Default: 80)
CRLCacheTimeout
Maximum number of seconds a CRL is kept in cache, unlimited if set to 0. (Default: 0)
AutoEstablishInterval
Number of seconds to wait before restarting IKE negotiations for tunnels configured for auto-establishment. (Default: 60)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.
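
As an added example (not code from the cOS Stream product or this reference), the following Python works through two IKESettings behaviours with the documented defaults: the exponential retransmit back-off (RetransmitTimeout, RetransmitBase, RetransmitTimeoutMax, RetransmitTries), which determines how long an unanswered negotiation occupies a slot, and the admission limits (CookieThreshold, MaxNegotiations, MaxPeerNegotiations) that cap concurrent negotiations; the order in which the limits are checked and the "final wait" after the last resend are assumptions, since the reference does not state them.

```python
# Added illustration (not cOS Stream code) of the IKESettings retransmit
# back-off and negotiation admission limits. Constants are the documented
# defaults; the check order in admit() and the final wait in
# negotiation_hold_time() are assumptions not stated in the reference.
from typing import List

RETRANSMIT_TIMEOUT = 0.5       # RetransmitTimeout: first wait, seconds
RETRANSMIT_TIMEOUT_MAX = 10.0  # RetransmitTimeoutMax: cap on any wait
RETRANSMIT_BASE = 1.8          # RetransmitBase: growth factor per resend
RETRANSMIT_TRIES = 6           # RetransmitTries: number of resends

COOKIE_THRESHOLD = 80          # CookieThreshold
MAX_NEGOTIATIONS = 120         # MaxNegotiations
MAX_PEER_NEGOTIATIONS = 60     # MaxPeerNegotiations


def retransmit_schedule() -> List[float]:
    """Wait (seconds) before each of the RETRANSMIT_TRIES resends.

    Each wait is the previous one times RETRANSMIT_BASE, capped at
    RETRANSMIT_TIMEOUT_MAX. With the defaults the cap is never reached
    inside the six resends (0.5 ... 9.45 s); it only bites afterwards."""
    waits = []
    wait = RETRANSMIT_TIMEOUT
    for _ in range(RETRANSMIT_TRIES):
        waits.append(min(wait, RETRANSMIT_TIMEOUT_MAX))
        wait *= RETRANSMIT_BASE
    return waits


def negotiation_hold_time() -> float:
    """Upper bound on how long an unanswered negotiation occupies a slot.

    Assumed model: all waits before the resends, plus one final (capped)
    wait after the last resend before the negotiation is abandoned."""
    final_wait = min(RETRANSMIT_TIMEOUT * RETRANSMIT_BASE ** RETRANSMIT_TRIES,
                     RETRANSMIT_TIMEOUT_MAX)
    return sum(retransmit_schedule()) + final_wait


def admit(active_total: int, active_from_peer: int, has_cookie: bool) -> str:
    """Decide the fate of a new negotiation request under current load.

    active_total     concurrent negotiations already in progress
    active_from_peer those from the same peer IP address
    has_cookie       whether the request carries a cookie handed out earlier

    Returns 'accept', 'request_cookie' or 'drop'. Assumed check order:
    the hard limits first, then the cookie challenge."""
    if active_from_peer >= MAX_PEER_NEGOTIATIONS:
        return "drop"
    if active_total >= MAX_NEGOTIATIONS:
        return "drop"
    if active_total >= COOKIE_THRESHOLD and not has_cookie:
        return "request_cookie"
    return "accept"


if __name__ == "__main__":
    print("resend waits:", [round(w, 3) for w in retransmit_schedule()])
    print("slot held for up to %.1f s" % negotiation_hold_time())
    # Constructed load samples: (active_total, active_from_peer, has_cookie)
    for total, peer, cookie in [(10, 1, False), (85, 1, False), (85, 1, True),
                                (125, 1, True), (70, 60, False)]:
        print(total, peer, cookie, "->", admit(total, peer, cookie))
```

With the defaults a slot can stay occupied for roughly 30 s, which is the figure to keep in mind when deciding whether CookieThreshold and MaxNegotiations are sized for the expected rate of new peers.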

3.43. InterfaceGroup

Description

Use an interface group to combine several interfaces for a simplified security policy.

Properties

Name
Name of this interface. (Identifier)
Members
Specifies the interfaces that are included in the interface group.
Comments
Text describing the current object. (Optional)

3.44. InterfaceSettings

Description

Interface specific settings.

Properties

InterruptMode
Specifies whether interface packet reception should use interrupts (instead of polling). Interrupt mode sacrifices performance in order to lower the CPU load. This functionality is currently only supported running dataplane on a single core with Intel 'e1000' interfaces. Requires system restart to take effect. (Restart-required; Default: Auto)
InterruptTypeIGB
Specifies the type of interrupts to use for Intel 1-gigabit adapters when running virtualized. Requires system restart to take effect. (Restart-required; Default: Auto)
CompatibilityProtection
Compatibility protection prevents interfaces with known compatibility issues from attaching. (Restart-required; Default: Yes)
PacketBufferSize
The data packet size that the system should support. Actual allocated packet buffers will be larger. Requires system restart to take effect. (Restart-required; Default: Default)
PacketBufferCount
Number of packet buffers of the size specified by PacketBufferSize. Align the count value to the power-of-two for optimal memory usage. (Restart-required; Default: Auto)
EthMultiQueue
Controls if the system is allowed to use multiple packet queues to/from the Ethernet interfaces. Requires system restart to take effect. (Restart-required; Default: Auto)
RSSHashKeys
Controls what key is used for the RSS functionality of Ethernet interfaces. Requires system restart to take effect. (Restart-required; Default: Random)
AllowMultiQueueOnMixedLAG
Allow using multiple queues on link aggregation interfaces consisting of different types of devices. Requires system restart to take effect. (Restart-required; Default: No)
EthTxFromWorkers
Send packets directly from the worker cores to Ethernet interfaces instead of via an I/O core. Requires system restart to take effect. (Restart-required; Default: Disabled)
WorkerToIOBurstSize
Number of packet buffers each worker will gather, per interface, before sending them to an I/O core for transmission. Changing from 1 may require system restart to take effect. (Restart-required; Default: 1)
WorkerTxBurstSize
Number of packet buffers each worker will gather, per interface, before sending them directly to the NIC for transmission. (Default: 64)
EthMinPollRateRx
Sets a minimum rate for how often the system will poll incoming packets from an Ethernet interface (times per second). (Default: Auto)
EthMinPollRateTx
Sets a minimum rate for how often the system will poll for new packets to send out over an Ethernet interface (times per second). Should normally be set to a higher value than EthMinFlushRateTx. (Default: Auto)
EthMinFlushRateTx
Sets a minimum rate for how often the system will flush packets from the internal buffer to the Ethernet device's transmit queue (times per second). The internal buffer is always flushed directly when it becomes full. Should normally be set to a lower value than EthMinPollRateTx. (Default: Auto)
EthOnFullTxBatch
Controls how the transmit operation of the I/O cores will behave when it has gathered a full batch of packets to send. (Default: NewBatch)
EthFixPendingChecksums
Controls if packets received over virtual Ethernet interfaces with pending hw checksum offload will be detected and fixed. (Default: Auto)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.45. IntrusionPrevention

Description

Intrusion Prevention provides in-depth screening of packet content for both intruder detection and prevention purposes.

Properties

Comments
Text describing the current object. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.45.1. IPSRule

Description

An IPS Rule defines a filter for matching specific network traffic. When the filter criterion is met, the IPS Rule Actions are evaluated and possible actions are taken.

Properties

Name
Specifies a symbolic name for the IPS rule. (Optional)
SourceInterface
Specifies the name of the receiving interface to be compared to the received packet.
DestinationInterface
Specifies the destination interface to be compared to the received packet.
SourceNetwork
Specifies the span of IP addresses to be compared to the source of received packet.
DestinationNetwork
Specifies the span of IP addresses to be compared to the destination of received packet.
Service
Specifies a service that will be used as a filter parameter when matching traffic with this rule.
URIInvalidUTF8
Specifies the action taken if a URI with invalid UTF-8 encoding is found. (Default: DropLog)
URIInvalidHEX
Specifies the action taken if a URI with invalid hexadecimal (%xx) encoding is found. (Default: DropLog)
URIDoubleEnc
Specifies the action taken if a double-encoded URI is found. (Default: Ignore)
ScanLimit
Enable scan limit, i.e. stop IPS scanning after a defined number of bytes. Consult the admin guide regarding the risks of turning this option on. (Default: No)
ScanLimitBytes
Stop IPS scanning after this many bytes. (Default: 800)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.45.1.1. IPSRuleAction

Description

An IPS Rule Action specifies what signatures to search for in the network traffic, and what action to take if those signatures are found.

Properties

Action
Specifies the action taken if a matching signature is found. (Default: Protect)
LogSeverity
Specifies the severity used for log messages if the action type allows logging. (Default: Warning)
SignatureCategory
Specifies what signature categories should be included. "*" is supported. (Optional)
SignatureGroup
Specifies the configured signature groups to be included. (Optional)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.45.2. IPSSignatureGroup

Description

An IPS Signature Group specifies a set of signatures according to filters. The signatures are filtered in the following way: (IncludeVendorSignature OR IncludeCustomSignature OR IncludeSignatureGroup OR IncludeCategory) AND FilterByCVE AND FilterBySeverity AND FilterByString AND CreatedAfter.

Properties

Name
Specifies a symbolic name for the IPS signature group. (Identifier)
IncludeVendorSignature
Includes signatures based on vendor signature identifier (SID). (Optional)
IncludeCustomSignature
Includes signatures based on custom signature identifier (SID). (Optional)
IncludeSignatureGroup
Includes the signatures of one or more other signature groups in this group. (Optional)
IncludeCategory
Includes the signatures from the specified categories. "*" is supported. (Optional)
FilterByCVE
Filters selected signatures based on defined CVE ID. (Optional)
FilterBySeverity
Filters selected signatures based on severity level. (Optional)
FilterByString
Filters selected signatures by searching for a specific string in the signature message and content. (Optional)
CreatedAfter
Keeps only selected signatures whose creation date is newer than the defined date. (Optional)
Comments
Text describing the current object. (Optional)
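The selection formula above reads as a union of the Include* selectors followed by an intersection with every Filter* that is set. The following Python model is an added example, not code from cOS Stream or its vendor, written to make that semantics concrete: nested groups are resolved first and then pass through the outer group's filters, an unset filter passes everything, and a group with no Include* selector selects nothing. The signature table, SID naming, severity ordering and "at least this severity" reading of FilterBySeverity are constructed assumptions; FilterByString is matched against the message only.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed severity ordering for FilterBySeverity (the page does not list the levels).
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass(frozen=True)
class Signature:
    sid: str            # "V..." = vendor SID, "C..." = custom SID (naming is an assumption)
    category: str
    severity: str
    message: str
    cve: Optional[str]  # placeholder strings below, not real CVE IDs
    created: date


# Constructed sample signature table; nothing here comes from a real signature feed.
SIGNATURES = [
    Signature("V1001", "WEB_SERVER", "High",     "HTTP path traversal attempt",        "CVE-0000-0001", date(2023, 5, 1)),
    Signature("V1002", "WEB_SERVER", "Medium",   "Suspicious User-Agent string",       None,            date(2022, 1, 15)),
    Signature("V2001", "DNS",        "Critical", "DNS cache poisoning attempt",        "CVE-0000-0002", date(2024, 2, 10)),
    Signature("V2002", "DNS",        "Low",      "DNS TXT record query",               None,            date(2021, 7, 30)),
    Signature("C0001", "CUSTOM",     "High",     "Custom: path traversal in intranet", None,            date(2024, 6, 1)),
]


@dataclass
class IPSSignatureGroup:
    name: str
    include_vendor_signature: set = field(default_factory=set)
    include_custom_signature: set = field(default_factory=set)
    include_signature_group: list = field(default_factory=list)
    include_category: set = field(default_factory=set)      # "*" selects every category
    filter_by_cve: Optional[str] = None
    filter_by_severity: Optional[str] = None   # modelled as "at least this severity" (assumption)
    filter_by_string: Optional[str] = None     # matched against the message only; content is not modelled
    created_after: Optional[date] = None

    def _included(self, table):
        """Include part: the union of all Include* selectors."""
        chosen = set()
        for sig in table:
            if (sig.sid in self.include_vendor_signature
                    or sig.sid in self.include_custom_signature
                    or "*" in self.include_category
                    or sig.category in self.include_category):
                chosen.add(sig)
        for group in self.include_signature_group:
            chosen |= group.select(table)   # nested group resolved first, then filtered again below
        return chosen

    def _passes(self, sig):
        """Filter part: every set filter must hold; an unset filter passes everything."""
        if self.filter_by_cve is not None and sig.cve != self.filter_by_cve:
            return False
        if self.filter_by_severity is not None and SEVERITY_RANK[sig.severity] < SEVERITY_RANK[self.filter_by_severity]:
            return False
        if self.filter_by_string is not None and self.filter_by_string.lower() not in sig.message.lower():
            return False
        if self.created_after is not None and sig.created <= self.created_after:
            return False
        return True

    def select(self, table=SIGNATURES):
        return {sig for sig in self._included(table) if self._passes(sig)}


def selected_sids(group, table=SIGNATURES):
    """Sorted SIDs selected by a group; convenient for comparing results."""
    return sorted(sig.sid for sig in group.select(table))


# Example groups (constructed):
recent_web = IPSSignatureGroup("recent_web", include_category={"WEB_SERVER"}, created_after=date(2023, 1, 1))
all_high = IPSSignatureGroup("all_high", include_category={"*"}, filter_by_severity="High")
traversal = IPSSignatureGroup("traversal", include_signature_group=[recent_web],
                              include_custom_signature={"C0001"}, filter_by_string="traversal")
nested_cve = IPSSignatureGroup("nested_cve", include_signature_group=[all_high], filter_by_cve="CVE-0000-0002")
filters_only = IPSSignatureGroup("filters_only", filter_by_string="DNS")   # no Include*: selects nothing

if __name__ == "__main__":
    for g in (recent_web, all_high, traversal, nested_cve, filters_only):
        print(f"{g.name:13s} -> {selected_sids(g)}")
```

The last group illustrates the practical trap: filters only narrow an already included set, so a group that defines FilterByString or FilterBySeverity without any Include* selector matches no signature at all and the IPSRuleAction that references it protects nothing.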

3.46. IPRuleSet

Description

An IP Rule Set is a self-contained set of IP Rules. Default action is Drop.

Properties

Name
A name to uniquely identify this IPRuleSet. (Identifier)
Comments
Text describing the current object. (Optional)

3.46.1. IPRule

Description

An IP rule specifies what action to perform on network traffic that matches the specified filter criteria.

Properties

Name
Specifies a symbolic name for the rule. (Optional)
SourceInterface
Specifies the name of the receiving interface to be compared to the received packet.
DestinationInterface
Specifies the destination interface to be compared to the received packet.
SourceNetwork
Specifies the sender span of IP addresses to be compared to the received packet.
DestinationNetwork
Specifies the destination span of IP addresses to be compared to the received packet.
SourceGeolocation
Specifies the sender geolocation to be compared to the received packet. (Default: any-region)
DestinationGeolocation
Specifies the destination geolocation to be compared to the received packet. (Default: any-region)
Service
Specifies a service that will be used as a filter parameter when matching traffic with this rule.
Action
Specifies what action to take for traffic matching this rule.
Stateless
Use stateless packet forwarding. Stateful protocol validation is disabled. (Default: No)
StatelessAllowNewTCP
For stateless forwarding, allow opening of new TCP streams. If disabled, only active TCP streams will open new flows. (Default: Yes)
TTLDecrease
The TTL/HopLimit should always be decremented when a router forwards an IP packet. In some very special address-translation use-cases where packets are not forwarded, but rather echoed back, it might however be desirable to not decrease the TTL/HopLimit. WARNING: Only modify this in use-cases where explicitly documented. Misuse may cause network disturbances. (Default: Enabled)
OnDeny
Specifies whether any response should be sent when denying traffic. By default no response is sent and packets are silently dropped. (Default: Drop)
ProtocolTranslation
Specifies how the IP protocol is to be translated. (Default: Disabled)
Prefix
The prefix to use for ProtocolTranslation when using Prefix address translation.
SourceTranslation
Specifies how the source address/port is to be translated. (Default: Disabled)
SetSourceAddress
Specifies how to set the source address.
NewSourceIP4
The address to translate to for IPv4 traffic. (Optional)
NewSourceIP6
The address to translate to for IPv6 traffic. (Optional)
NATPool
The NAT Pool to allocate an address from when NATing using NAT Pool. The IP rule must only handle IPv4 packets, or be a rule translating from IPv6 to IPv4.
SetSourcePort
Specifies how to set the source port. (Default: Disabled)
NewSourcePort
The port to use for source port translation.
DestinationTranslation
Specifies how the destination address/port is to be translated. (Default: Disabled)
SetDestinationAddress
Specifies how to set the destination address.
NewDestinationIP4
The address to translate to for IPv4 traffic. (Optional)
NewDestinationIP6
The address to translate to for IPv6 traffic. (Optional)
SetDestinationPort
Specifies how to set the destination port. (Default: Disabled)
NewDestinationPort
The port to use for destination port translation.
AppControl
Enables deep packet inspection to identify the type of application that likely generated the traffic. (Default: Yes)
TrafficProfile
Selects a traffic profile to use to shape the traffic. (Optional)
DNSAlgProfile
Selects a DNS profile to use on this rule that configures extended processing of traffic that matches this rule and the matching service has AppProto set to DNS. (Optional)
FTPAlgProfile
Selects a FTP profile to use on this rule that configures extended processing of traffic that matches this rule and the matching service has AppProto set to FTP. (Optional)
GTPInspectionProfile
Selects a GTP inspection profile to use on this rule that configures extended processing of traffic that matches this rule and the matching service has AppProto set to GTP. (Optional)
SSLInspectionProfile
Selects an SSL Inspection profile to use on this rule that configures extended processing of traffic that matches this rule. (Optional)
SIPAlgProfile
Selects a SIP profile to use on this rule that configures extended processing of traffic that matches this rule and the matching service has AppProto set to SIP. (Optional)
SyslogAlgProfile
Selects a Syslog profile to use on this rule that configures extended processing of traffic that matches this rule and the matching service has AppProto set to Syslog. (Optional)
LogEnabled
Enable logging. (Default: Yes)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
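The IP rule set semantics described above (ordered rules, first match wins, default action Drop, OnDeny controlling whether a denial is silent, Index placing a rule last when omitted) can be shown with a small evaluator. This Python model is an added example and is not cOS Stream code: the action names "Allow", "Deny" and "Reject", the simplified (protocol, port) stand-in for a Service object, the interface names and the sample packets are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    src_iface: str
    dst_iface: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


class Verdict(NamedTuple):
    action: str             # "Allow", the OnDeny outcome of a denying rule, or the rule set default "Drop"
    rule: Optional[str]     # name of the matching rule, None when the rule set default applied
    index: Optional[int]    # 1-based position of the matching rule
    logged: bool            # LogEnabled of the matching rule


@dataclass
class IPRule:
    name: str
    source_interface: str       # interface name or "any"
    destination_interface: str
    source_network: str         # CIDR or "all-nets"
    destination_network: str
    service: tuple              # (protocol, destination port or None): simplified stand-in for a Service object
    action: str                 # "Allow" or "Deny" (assumed names)
    on_deny: str = "Drop"       # documented default: silent drop; "Reject" is an assumed name for a sent response
    log_enabled: bool = True

    def matches(self, pkt):
        def iface_ok(want, got):
            return want == "any" or want == got

        def net_ok(want, got):
            return want == "all-nets" or ip_address(got) in ip_network(want)

        proto, port = self.service
        return (iface_ok(self.source_interface, pkt.src_iface)
                and iface_ok(self.destination_interface, pkt.dst_iface)
                and net_ok(self.source_network, pkt.src_ip)
                and net_ok(self.destination_network, pkt.dst_ip)
                and proto == pkt.proto
                and (port is None or port == pkt.dst_port))


class IPRuleSet:
    """Ordered rules; first match wins; default action Drop."""

    def __init__(self, name):
        self.name = name
        self.rules = []

    def add(self, rule, index=None):
        # Index note: with no Index the rule goes last and its Index equals the list length.
        if index is None:
            self.rules.append(rule)
            return len(self.rules)
        self.rules.insert(index - 1, rule)
        return index

    def evaluate(self, pkt):
        for position, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                action = "Allow" if rule.action == "Allow" else rule.on_deny
                return Verdict(action, rule.name, position, rule.log_enabled)
        return Verdict("Drop", None, None, False)   # rule set default: silent drop, no rule to log against


def build_ruleset():
    """Constructed rule set: a broad allow, then a host-specific deny inserted in front of it."""
    rs = IPRuleSet("main")
    rs.add(IPRule("allow_https", "lan", "wan", "192.0.2.0/24", "all-nets", ("tcp", 443), "Allow"))
    # Inserted at Index 1 so the quarantined host is denied before the broader allow rule is reached.
    rs.add(IPRule("block_quarantined", "lan", "wan", "192.0.2.66/32", "all-nets", ("tcp", None),
                  "Deny", on_deny="Reject"), index=1)
    return rs


if __name__ == "__main__":
    rs = build_ruleset()
    for pkt in (Packet("lan", "wan", "192.0.2.10", "198.51.100.5", "tcp", 443),
                Packet("lan", "wan", "192.0.2.66", "198.51.100.5", "tcp", 443),
                Packet("lan", "wan", "192.0.2.10", "198.51.100.5", "udp", 53),
                Packet("wan", "lan", "198.51.100.5", "192.0.2.10", "tcp", 22)):
        print(pkt.src_ip, "->", pkt.dst_ip, pkt.proto, pkt.dst_port, rs.evaluate(pkt))
```

Two points worth checking against a real configuration: a deny that is meant to override a broader allow must sit at a lower Index than that allow, since evaluation stops at the first match, and traffic that matches no rule at all is dropped silently with no rule to log against, so unexpected drops are best diagnosed by a final explicit deny rule with LogEnabled set.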

3.47. IPsecManualKeyedTunnel

Description

An IPsec manual keyed tunnel item is used to define an IPsec endpoint and will appear as a logical interface in the system.

Properties

Name
Name of this interface. (Identifier)
LocalNetwork
The network on "this side" of the IPsec tunnel. The IPsec tunnel will be established between this network and the remote network.
RemoteNetwork
The network connected to the remote gateway. The IPsec tunnel will be established between the local network and this network.
LocalEndpoint
Specifies the IP address of the local endpoint.
RemoteEndpoint
Specifies the IP address of the remote endpoint.
CopyDSCP
Copy the DSCP (Differentiated Services Codepoint) value from the inner to the outer IP header. (Default: No)
DSCP
Specifies the DSCP (Differentiated Services Codepoint) value to set in the outer IP header. This value is ignored if copying is enabled. (Default: 0)
CopyDF
Copy the DF (Don't Fragment) value from the inner to the outer IP header. (Default: No)
DF
Specifies the DF (Don't Fragment) value of the outer IP header. This value is ignored if copying is enabled. (Default: 0)
ECN
Enable support for ECN (Explicit Congestion Notification). Allows for ECN values to be propagated from the outer to the inner IP header. Indication of congestion causes packets to be dropped for non-ECN-capable transports. (Default: No)
SourceInterface
The interface that IKE and IPsec traffic is received on. (Default: any)
OuterRoutingTable
The routing table to use for IKE and IPsec traffic. (Default: main)
MTU
Specifies the size (in bytes) of the largest packet that can be forwarded. (Default: 1500)
IPAddress
The interface's IP addresses. (Default: 0)
IP4Broadcast
The interface's IPv4 broadcast address. (Optional)
RoutingTableMembership
Interface's routing table membership. (Default: <all>)
SecurityEquivalentInterfaces
Security and transport equivalent interfaces. (Optional)
Zone
Specifies the zone that this interface is a member of. (Optional)
Comments
Text describing the current object. (Optional)

3.47.1. ESP

Description

Settings for Encapsulating Security Payload (ESP). Specifies algorithm and SPI to use for the manual keyed tunnel.

Properties

Encryption
Algorithm to use for encryption/decryption.
Integrity
Algorithm to use for integrity protection.
SPIIn
Identifier of inbound packets.
EncryptionKeyIn
Shared secret to use for decryption.
IntegrityKeyIn
Shared secret to use for packet integrity verification.
SPIOut
Identifier of outbound packets.
EncryptionKeyOut
The shared secret to use for encryption.
IntegrityKeyOut
The shared secret to use for packet integrity protection.
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.48. IPsecProposalList

Description

The proposal list is used during the IKE negotiation. It specifies what encryption/integrity algorithms and Diffie-Hellman group (if set) to use for the IPsec SA. In most cases it is enough to specify one proposal with several algorithms; any combination of those algorithms is then permitted for the SA. If only certain combinations of algorithms are allowed, they should be divided into several proposals, where each proposal defines one combination of algorithms.

Properties

Name
Specifies the name of the IPsec Proposal list. (Identifier)
Comments
Text describing the current object. (Optional)

3.48.1. IPsecProposal

Description

An IPsec proposal specifies a specific combination of algorithms allowed during the IKE negotiation of the IPsec SA.

Properties

EncryptionAlgorithms
Specifies the encryption algorithms to support. (Default: aes128-cbc,3des)
IntegrityAlgorithms
Specifies the integrity algorithms to support. (Default: sha256,sha384,sha512,aes-xcbc)
DHGroup
Specifies the Diffie-Hellman group to use when doing rekey with PFS. (Optional)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
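The difference between one proposal with several algorithms and several single-combination proposals is easy to get wrong, so the following Python model is added here as an example (not cOS Stream code). It expands an IPsecProposalList into the (encryption, integrity, DH group) tuples it accepts and picks the first local tuple a peer also accepts. The algorithm names come from the documented defaults; "aes256-cbc", the DH group numbers and the sample peer lists are assumptions.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class IPsecProposal:
    """One IPsecProposal: any listed encryption algorithm may pair with any listed integrity algorithm."""
    encryption: tuple
    integrity: tuple
    dh_group: Optional[int] = None   # DHGroup is optional: None means no PFS at rekey

    def combinations(self):
        # Every (encryption, integrity) pair in this proposal is acceptable, always with this DH group.
        return [(enc, integ, self.dh_group) for enc, integ in product(self.encryption, self.integrity)]


def allowed_combinations(proposal_list):
    """Flatten an IPsecProposalList into its ordered list of acceptable (enc, integ, dh) tuples."""
    seen = []
    for proposal in proposal_list:
        for combo in proposal.combinations():
            if combo not in seen:
                seen.append(combo)
    return seen


def negotiate(local_list, peer_list):
    """Return the first local combination the peer also accepts, or None when there is no overlap."""
    peer_ok = set(allowed_combinations(peer_list))
    for combo in allowed_combinations(local_list):
        if combo in peer_ok:
            return combo
    return None


# Mirrors the documented IPsecProposal defaults, EncryptionAlgorithms=aes128-cbc,3des and
# IntegrityAlgorithms=sha256,sha384,sha512,aes-xcbc, as a single proposal: 2 x 4 = 8 combinations,
# including 3des with any integrity algorithm.
DEFAULT_LIKE = [IPsecProposal(("aes128-cbc", "3des"), ("sha256", "sha384", "sha512", "aes-xcbc"))]

# Two proposals, each pinning exactly one combination with PFS. The name "aes256-cbc" and the
# DH group numbers are assumptions; the page does not list the accepted values.
RESTRICTED = [
    IPsecProposal(("aes256-cbc",), ("sha512",), dh_group=14),
    IPsecProposal(("aes128-cbc",), ("sha256",), dh_group=14),
]

# Constructed peer that only offers 3DES without PFS.
LEGACY_PEER = [IPsecProposal(("3des",), ("sha256",))]

if __name__ == "__main__":
    print(len(allowed_combinations(DEFAULT_LIKE)), "combinations accepted by the default-like list")
    print("default-like vs legacy peer:", negotiate(DEFAULT_LIKE, LEGACY_PEER))
    print("restricted vs legacy peer:  ", negotiate(RESTRICTED, LEGACY_PEER))
```

Because the DH group is part of every tuple, a proposal with DHGroup set never matches a peer proposal without it (or with a different group), which is the usual cause of a phase-2 mismatch when one side enables PFS. The model also shows why a default-like single proposal still lets a peer negotiate 3des: restricting to the intended combinations requires listing them as separate proposals.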

3.49. IPsecPSK

Description

Pre-Shared Key bound to a local and remote ID, used in IPsec when Pre-Shared Keys are selected as the authentication method.

Properties

Index
The index of the object, starting at 1. (Identifier)
Type
Specifies the type of the shared key.
PSKAscii
Specifies the PSK as a passphrase.
PSKHex
Specifies the PSK as a hexadecimal key.
LocalID
Specify the local identity of the tunnel ID.
RemoteID
Specify the remote identity of the tunnel ID.
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.50. IPsecTunnel

Description

An IPsec tunnel item is used to define IPsec endpoint and will appear as a logical interface in the system.

Properties

Name
Name of this interface. (Identifier)
IKEVersion
Specify which version of IKE to use for negotiations. (Default: IKEv2)
LocalAuthMethod
Authentication method used to authenticate the local endpoint to the remote endpoint.
RemoteAuthMethod
Authentication method used to authenticate remote endpoint. If not specified, the local authentication method will be used. (Optional)
IKEMode
Specifies which IKE mode to use: main or aggressive. (Default: Main)
XAuthClient
Controls whether XAuth credentials are passed to the peer gateway: Disabled or Pass to peer gateway. (Default: Disabled)
XAuthUsername
Specifies the username to pass to the remote gateway via IKE XAuth.
XAuthPassword
Specifies the password to pass to the remote gateway via IKE XAuth.
AuthProfile
Specifies how the client should be authenticated.
IKEProposalList
Specifies the IKE Proposal list used with the tunnel. (Default: ike_high)
IPsecProposalList
Specifies the IPsec Proposal list used with the tunnel. (Default: ipsec_high)
ForceUDPEncap
Force UDP encapsulation of ESP packets. (Default: No)
CfgMode
Specifies how the tunnel will handle configuration payloads. (Default: Disabled)
CfgAddress
Client: Object to be assigned the internal local IP address. It can be used to NAT traffic into the tunnel. Server: Object containing internal remote IP addresses to hand out to a peer. Only suitable for smaller numbers of IP addresses. (Optional)
CfgDNS
Client: Object to be assigned the IP address of the internal DNS server if provided by the peer. Server: Object containing internal DNS server IP addresses to hand out to a peer. (Optional)
CfgDHCP
Client: Object to be assigned the IP address of the internal DHCP server if provided by the peer. Server: Object containing the internal DHCP server IP address to hand out to a peer. (Optional)
CfgNBNS
Client: Object to be assigned the IP address of the internal NBNS server if provided by the peer. Server: Object containing the internal NBNS server IP address to hand out to a peer. (Optional)
CfgSubnet
Client: Object to be assigned internal IP sub-networks if provided by the peer. Server: Object containing the internal IP sub-networks to hand out to a peer. (Optional)
IKEDPDInterval
The interval at which DPD messages are sent. Specified in seconds. (Default: 90s)
IKEReauthTimeSeconds
The lifetime (in seconds) of the IKE SA before a re-authentication is needed. (Default: Disabled)
IKELifeTimeSeconds
The lifetime of the IKE connection in seconds. Whenever it expires, a new phase-1 exchange will be performed. (Default: 8h)
IPsecLifeTimeSeconds
The lifetime of the IPsec connection in seconds. Whenever it's exceeded, a re-key will be initiated, providing new IPsec encryption and authentication session keys. (Default: 1h)
LocalID
Specify the local identity of the tunnel.
RemoteID
Specify the remote identity of the tunnel.
AddRouteToRemoteNetwork
Dynamically add route to the remote networks when a tunnel is established. (Default: No)
AddRouteToCfgSubnet
Dynamically add route to additional internal IP sub-networks when a tunnel is established. (Default: No)
Metric
Specifies the metric of dynamically added routes. (Default: 90)
ProxyARPInterfaces
Specifies the interfaces on which the firewall should publish routes via Proxy ARP. (Optional)
StitchInterface
Specifies the GTP tunnel that this IPsec tunnel is stitched to. (Optional)
NumClones
Sets the configured number of clones of the IPsec interface. (Optional)
IncLocalNetwork
Increases the LocalNetwork with one for each new clone. Only valid if LocalNetwork specifies a host address. (Default: No)
IncRemoteNetwork
Increases the RemoteNetwork with one for each new clone. Only valid if RemoteNetwork specifies a host address. (Default: Yes)
IncLocalEndpoint
Increases the LocalEndpoint with one for each new clone. Only valid if LocalEndpoint specifies a host address. (Default: Yes)
IncRemoteEndpoint
Increases the RemoteEndpoint with one for each new clone. Only valid if RemoteEndpoint specifies a host address. (Default: No)
IncLocalID
Increases the LocalID with one for each new clone. Only valid if LocalID specifies an IMSI. (Default: Yes)
IncXAuthUsername
Append number to XAuth user name. Only valid if XAuth is used. (Default: Yes)
IncXAuthPassword
Append number to XAuth password. Only valid if XAuth is used. (Default: No)
IKEDSCP
Specifies the DSCP (Differentiated Services Codepoint) value to set in the IP header of IKE packets. (Default: 0)
SendMultipleTS
Whether to propose multiple traffic selectors when initiating an IKEv2 negotiation or rekey. (Default: Yes)
AutoEstablish
Keep this tunnel established regardless if any packets are sent through it. (Default: No)
LocalNetwork
The network on "this side" of the IPsec tunnel. The IPsec tunnel will be established between this network and the remote network.
RemoteNetwork
The network connected to the remote gateway. The IPsec tunnel will be established between the local network and this network.
LocalEndpoint
Specifies the IP address of the local endpoint.
RemoteEndpoint
Specifies the IP address of the remote endpoint.
CopyDSCP
Copy the DSCP (Differentiated Services Codepoint) value from the inner to the outer IP header. (Default: No)
DSCP
Specifies the DSCP (Differentiated Services Codepoint) value to set in the outer IP header. This value is ignored if copying is enabled. (Default: 0)
CopyDF
Copy the DF (Don't Fragment) value from the inner to the outer IP header. (Default: No)
DF
Specifies the DF (Don't Fragment) value of the outer IP header. This value is ignored if copying is enabled. (Default: 0)
ECN
Enable support for ECN (Explicit Congestion Notification). Allows for ECN values to be propagated from the outer to the inner IP header. Indication of congestion causes packets to be dropped for non-ECN-capable transports. (Default: No)
SourceInterface
The interface that IKE and IPsec traffic is received on. (Default: any)
OuterRoutingTable
The routing table to use for IKE and IPsec traffic. (Default: main)
MTU
Specifies the size (in bytes) of the largest packet that can be forwarded. (Default: 1500)
IPAddress
The interface's IP addresses. (Default: 0)
IP4Broadcast
The interface's IPv4 broadcast address. (Optional)
RoutingTableMembership
Interface's routing table membership. (Default: <all>)
SecurityEquivalentInterfaces
Security and transport equivalent interfaces. (Optional)
Zone
Specifies the zone that this interface is a member of. (Optional)
Comments
Text describing the current object. (Optional)

3.50.1. IPPool

Description

An IP Pool is a dynamic collection of IP addresses that can be used by its host process.

Properties

IPFilter
Filter for acceptable IP addresses. (Default: all-nets)
ServerFilter
Filter for acceptable servers. (Default: all-nets)
DHCPserv
List of DHCP servers to get addresses from. (Default: 127)
Iface
Specifies which interface that should be used to reach DHCP server(s). (Default: core)
Prefetch
Specifies the number of addresses to prefetch from the DHCP server at a time. (Default: 10)
MaxFree
The maximum number of prefetched (unused) addresses to keep around. (Default: 20)
MaxClients
Maximum number of addresses in active use. (Default: 100)
Comments
Text describing the current object. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.51. IPSettings

Description

IP (Internet Protocol) Settings

Properties

LogCheckSumErrors
Log IP packets with bad checksums. (Default: Yes)
LogNonIP4
Log occurrences of packets that do not follow the IP standard. (Default: Yes)
MulticastIPEnetOnMismatch
What action to take when the Ethernet and IP multicast addresses do not match. (Default: DropLog)
BlockMulticastSrc
Block multicast source addresses (224.0.0.0--255.255.255.255). (Default: DropLog)
TrafficClass
How to handle the packets with IPv4 TOS field or IPv6 TrafficClass field set. (Default: Ignore)
TTLMin
The minimum IP unicast Time-To-Live (IPv4) or HopLimit (IPv6) value accepted on receipt. (Default: 3)
TTLOnLow
What action to take on too low unicast TTL values. (Default: DropLog)
LogReceivedTTL0
Log received packets with TTL=0; this should never happen. (Default: Yes)
TTLMinMulticast
The minimum IP multicast Time-To-Live value accepted on receipt. (Default: 3)
TTLOnLowMulticast
What action to take on too low multicast TTL values. (Default: DropLog)
DefaultTTL
The default IP Time-To-Live (IPv4) or HopLimit (IPv6) of packets originated by this firewall (1-255). (Default: 255)
LayerSizeConsistency
Validates that TCP/UDP/ICMP/etc. layer data and header sizes match the size information of the lower layer. (Default: ValidateLogBad)
AllowIPVersion
Enable/Disable IP versions at the lowest level, regardless of configuration (warning: remote management access will not be possible via a disallowed IP version). (Default: Any)
UDPSrcPort0
How to treat UDP packets with source port 0. (Default: DropLog)
Port0
How to treat TCP/UDP packets with destination port 0 and TCP packets with source port 0. (Default: DropLog)
Block0000Src
Block 0.0.0.0 as source address. (Default: Drop)
Block0Net
Block 0.* destination addresses. (Default: DropLog)
Block127Net
Block 127.* source addresses. (Default: DropLog)
IPOptionSizes
Validity of IP header option sizes. (Default: ValidateLogBad)
IPOPT_SR
How to handle IP packets with contained source or return routes. (Default: DropLog)
IPOPT_TS
How to handle IP packets with contained Timestamps. (Default: DropLog)
IPOPT_RTRALT
How to handle IP packets with a contained Router Alert option. (Default: ValidateLogBad)
IPOPT_OTHER
How to handle IP options not specified above. (Default: DropLog)
DirectedBroadcasts
How to handle directed broadcasts being passed from one iface to another. (Default: DropLog)
IPRF
How to handle the IP Reserved Flag, if set; it should never be. (Default: DropLog)
AutoAddBroadcastRoute
Auto generate core route for 255.255.255.255 (needed by DHCP). (Default: Yes)
AutoAddMulticastRoute
Auto generate core route for 224.0.0.0/4 (needed by DHCP/OSPF). (Default: Yes)
AutoAddNullIPRoute
Auto generate core route for 0.0.0.0 (needed by DHCP). (Default: Yes)
StripDFOnSmall
Strip the Don't Fragment flag for packets of this size or smaller. Applies only to forwarded traffic (see also IPSettings::IP4PathMTUMin). (Default: 65535)
IP4PathMTUMin
Do not allow path-MTU discovery to decrease path-MTU to less than this value. Applies only to traffic initiated from the system (see IPSettings::StripDFOnSmall). (Default: 576)
IP4PathMTULifetime
Allow system to probe for larger path-MTU after this many minutes. Zero minutes means infinite time (note that using 1-4 minutes will violate the RFC). (Default: 10)
IP4OnPktTooBigAndDFSet
Whether to enable or disable path-MTU discovery participation for IPv4. Applies only to forwarded traffic, and only for packets where the DF flag is set. (Default: SendICMPNeedFragLog)
IP6BlockLoopbackSrc
Block the ::1 loopback address as source address. (Default: DropLog)
IP6BlockLoopbackDest
Block the ::1 loopback address as destination address. (Default: DropLog)
IP6Block0Dest
Block the unspecified address as destination address. (Default: DropLog)
IP6FL
How to handle packets with IPv6 Flow Label field set. (Default: Ignore)
IP6MaxExtHdr
Maximum combined size of all extension headers within an IPv6 packet. (Default: 256)
IP6OnMaxExtHdr
How to handle IPv6 packets with a total extension header size larger than IP6MaxExtHdr. (Default: DropLog)
IP6MaxOPH
Maximum number of options per extension header. (Default: 8)
IP6OnMaxOPH
How to handle IPv6 packets carrying an extension header with more options than specified by IP6MaxOPH. (Default: DropLog)
IP6ValidateSyntax
Validate IPv6 headers and options to be correctly formatted. (Default: ValidateLogBad)
IP6OPT_PADN
How to handle IPv6 PADN options where the pad field is non-zero. (Default: StripLog)
IP6OPT_JUMBO
How to handle IPv6 jumbograms. (Default: ValidateLogRejectBad)
IP6OPT_HA
How to handle IPv6 packets carrying Home Address option. (Default: RFC3775LogNoSupport)
IP6OPT_RA
How to handle IPv6 packets carrying Router Alert option. (Default: RFC3775LogNoSupport)
IP6OPT_Other
How to handle unknown IPv6 options. (Default: RFC2460LogNoSupport)
IP6OPT_RH0
How to handle packets with the expired Routing Header type 0. (Default: RFC5095LogNoSupport)
IP6OPT_RH2
How to handle packets with Routing Header type 2. (Default: RFC2460LogNoSupport)
IP6OPT_RHOther
How to handle packets with Routing Header type different than 0 and 2. (Default: RFC2460LogNoSupport)
IP6OnLocalUnrecognizedHdr
How to handle packets destined to the firewall with unrecognized IPv6 headers. (Default: DropLog)
IP6PathMTUMin
Do not allow path-MTU discovery to decrease path-MTU to less than this value. Applies only to traffic initiated from the system. See RFC 2460, section about "Packet Size Issues", for details. (Default: 1280)
IP6PathMTULifetime
Allow system to probe for larger path-MTU after this many minutes. Zero minutes means infinite time (note that using 1-4 minutes will violate the RFC). (Default: 10)
IP6OnPacketTooBig
Whether to enable or disable path-MTU discovery participation for IPv6. Applies only to forwarded traffic. (Default: SendICMPPktTooBigLog)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.52. LDAPServer

Description

An LDAP server is used as a central repository of certificates and CRLs that the firewall can download when necessary.

Properties

Name
Specifies a symbolic name for the LDAP server. (Identifier)
IPAddress
Specifies the IP address or hostname of the LDAP server.
Port
Specifies the LDAP service port number. (Default: 389)
Comments
Text describing the current object. (Optional)

3.53. LengthLimSettings

Description

Default Length limits on Sub-IP Protocols

Properties

MaxTCPLen
TCP; Sometimes has to be increased if tunneling protocols are used. (Default: 1480)
MaxUDPLen
UDP; Many interactive applications use large UDP packets, may otherwise be decreased to 1480. (Default: 60000)
MaxICMPLen
ICMP; May be decreased to 1480 if desired. (Default: 10000)
MaxGRELen
GRE/PPTP; Encapsulated (tunneled transport), used by PPTP. (Default: 2000)
MaxESPLen
IPsec ESP; Encrypted communication. (Default: 2000)
MaxAHLen
IPsec AH; Authenticated communication. (Default: 2000)
MaxSKIPLen
SKIP; Simple Key mgmt for IP, VPN protocol. (Default: 2000)
MaxOSPFLen
OSPF; Open Shortest Path First, routing protocol. (Default: 1480)
MaxIPIPLen
IPIP/FWZ; Encapsulated (tunneled) transport, used by VPN-1. (Default: 2000)
MaxIPCompLen
IPsec IPComp; Compressed communication. (Default: 2000)
MaxL2TPLen
L2TP; Layer 2 Tunneling Protocol. (Default: 2000)
MaxSCTPLen
SCTP; Stream Control Transmission Protocol, may need to be increased to support multihoming with a large number of alternative IP addresses. (Default: 8000)
MaxOtherSubIPLen
Others; Sometimes has to be increased if unknown tunneling protocols are used. (Default: 1480)
LogOversizedPackets
Log occurrences of oversized packets. (Default: Yes)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.54. License

Description

Specifies details about how the system is allowed to be used.

Properties

IsValid
True if the license is valid. (Default: No)
OS
Operating system that this license is valid for. (Optional)
RegisteredTo
Name of person or company that the product is registered to. (Optional)
RegistrationKey
Registration key of the license. (Optional)
OEMId
Number that identifies the OEM. (Default: 1)
DisplayModel
Model name that the license is bound to. (Optional)
RegistrationDate
Date of registration. (Optional)
LastModified
Date when the license was last modified. (Optional)
IssuedDate
Date when the license was issued. (Optional)
UpgradesValidUntil
If set, it is no longer possible to download upgrades after this date. (Optional)
MACAddress
MAC address that the user chose to bind the license to when registering. (Optional)
IKETunnels
Number of concurrent active IKE SAs allowed by the license. (Optional)
GTP
Enables/disables GTP interfaces. (Default: No)
GTPInsp
Enables/disables GTP Inspection. (Default: Yes)
SSLInspection
Enables/disables SSL Inspection. (Default: Yes)
SSLVPNTunnels
Number of concurrent active SSLVPN sessions allowed by the license. (Optional)
BGP
Enables/disables BGP. (Default: No)
OSPF
Enables/disables OSPF. (Default: No)
CGNAT64
Enables/disables CGNAT64. (Default: No)
DetNAT
Enables/disables Deterministic NAT. (Default: No)
IPSUntil
Date after which the Intrusion Prevention System license will expire. (Optional)
Demo
Number of demo minutes allowed by the license. (Optional)
SiteLicense
Type of site license. (Optional)
AppInspUntil
Date after which the Application Inspection license will expire. (Optional)
[Note] Note
Objects of this type cannot be created or modified by the user.

3.55. LinkDevice

Description

Hardware settings for a link device.

Properties

Name
Name of link device. (Identifier)
HWIdent
Hardware dependent string, uniquely describing the physical location of the device.
Comments
Text describing the current object. (Optional)

3.56. LocalUserDatabase

Description

A local user database contains user accounts used for authentication purposes.

Properties

Name
Specifies a symbolic name for the authentication source. (Identifier)
Crypto
Specifies the type of crypto used for password security within the database. (Default: Reversible)
Comments
Text describing the current object. (Optional)

3.56.1. User

Description

User credentials may be used in User Authentication, which in turn is used in e.g. PPP, Web Authentication, etc.

Properties

Name
Specifies the username to add into the user database. (Identifier)
Password
The password for this user.
Groups
Specifies the user groups that this user is a member of, e.g. Administrators. (Optional)
IPStatic
Static IP assigned to user if logging in over PPTP/L2TP. (Optional)
Networks
PPTP/L2TP networks behind the user. (Optional)
AutoAddRouteMetric
Metric for the network. (Optional)
SSHKeys
Public keys used to log in via SSH. (Optional)
Comments
Text describing the current object. (Optional)

3.57. LogReceiverSNMP2c

Description

An SNMPv2c log receiver used to receive log events from the system in the standard SNMP Trap format using one generic trap OID.

Properties

Name
Specifies a symbolic name for the log receiver. (Identifier)
Community
Specifies the name of the community to be granted rights to remotely monitor the firewall. (Default: public)
RoutingTable
Specifies the routing table to use for communication with the log receiver. (Default: main)
IPAddress
Destination IP address.
Port
Destination port. (Default: 162)
SysName
The name for this managed node. If left empty, the device system name will be used. (Optional)
RepeatCount
Repetition counter. (Default: 0)
LogSeverity
Specifies which log event severities will be sent to this log receiver. (Optional; Default: Emergency,Alert,Critical,Error,Warning,Notice,Information)
SendRateLimit
The maximum number of log messages allowed to be sent per second. (Default: 2000)
Comments
Text describing the current object. (Optional)

3.57.1. LogReceiverMessageException

Description

A log message exception is used to override the severity filter in the log receiver.

Properties

LogCategory
The category of the log message. Supports prefixing categories with '!' to invert the match. Use '*' to explicitly match all categories. (Optional)
LogID
Log Message ID. (Default: *)
Action
EXCLUDE or INCLUDE. (Default: EXCLUDE)
LogSeverity
Specifies which log event severities are affected by the exception. No severity means all severities. (Optional)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
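The following is an added illustrative model (not cOS Stream's code) of how a log receiver's LogSeverity filter and its LogReceiverMessageException list could combine to decide whether a single event is sent. It assumes that exceptions are evaluated in Index order with the first match deciding, and that an event matching no exception falls back to the receiver's own severity list; the category names and log IDs in the sample are constructed.

```python
"""Model of a log receiver's severity filter plus message exceptions.
Added example, not cOS Stream code.  Assumption: exceptions are evaluated
in Index order and the first match decides; events that match no
exception fall back to the receiver's LogSeverity list."""
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Severities named on this page, highest first.  "Debug" is not in the
# receiver's default list, so debug-priority events (e.g. NotLocalEnetDest
# logs) need an INCLUDE exception or an extended LogSeverity to be sent.
SEVERITIES = ("Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Information", "Debug")
DEFAULT_LOG_SEVERITY = frozenset(SEVERITIES[:-1])


def _category_matches(pattern: str, category: str) -> bool:
    """LogCategory semantics from the page: empty or '*' matches every
    category, and a leading '!' inverts the match."""
    if not pattern or pattern == "*":
        return True
    if pattern.startswith("!"):
        return not _category_matches(pattern[1:], category)
    return pattern == category


@dataclass
class MessageException:
    log_category: str = ""                      # Optional: any category
    log_id: str = "*"                           # Default: *
    action: str = "EXCLUDE"                     # EXCLUDE or INCLUDE
    log_severity: FrozenSet[str] = frozenset()  # empty: all severities

    def __post_init__(self) -> None:
        if self.action not in ("EXCLUDE", "INCLUDE"):
            raise ValueError(f"unknown Action {self.action!r}")
        unknown = self.log_severity - set(SEVERITIES)
        if unknown:
            raise ValueError(f"unknown severities {sorted(unknown)}")

    def matches(self, category: str, log_id: str, severity: str) -> bool:
        return (_category_matches(self.log_category, category)
                and (self.log_id == "*" or self.log_id == log_id)
                and (not self.log_severity or severity in self.log_severity))


@dataclass
class LogReceiver:
    log_severity: FrozenSet[str] = DEFAULT_LOG_SEVERITY
    exceptions: List[MessageException] = field(default_factory=list)

    def should_send(self, category: str, log_id: str, severity: str) -> bool:
        """True if the event passes the filter and is sent to the receiver."""
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r}")
        for exc in self.exceptions:  # Index order, first match wins (assumption)
            if exc.matches(category, log_id, severity):
                return exc.action == "INCLUDE"
        return severity in self.log_severity


# Constructed sample: page defaults, plus one exception that silences
# Information-level events of category CONN and one that lets Debug-level
# ARP events through even though Debug is outside the default list.
SAMPLE_RECEIVER = LogReceiver(exceptions=[
    MessageException(log_category="CONN",
                     log_severity=frozenset({"Information"})),
    MessageException(log_category="ARP", action="INCLUDE",
                     log_severity=frozenset({"Debug"})),
])

if __name__ == "__main__":
    for cat, sev in (("CONN", "Information"), ("CONN", "Warning"),
                     ("ARP", "Debug"), ("RULE", "Debug")):
        print(cat, sev, "->", SAMPLE_RECEIVER.should_send(cat, "ID_1", sev))
```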

3.58. LogReceiverSNMP3

Description

An SNMPv3 log receiver used to receive log events from the system in the standard SNMP Trap format using one generic trap OID.

Properties

Name
Specifies a symbolic name for the log receiver. (Identifier)
RoutingTable
Specifies the routing table to use for communication with the log receiver. (Default: main)
IPAddress
Destination IP address.
Port
Destination port. (Default: 162)
SysName
The name for this managed node. If left empty, the device system name will be used. (Optional)
RepeatCount
Repetition counter. (Default: 0)
LogSeverity
Specifies which log event severities will be sent to this log receiver. (Optional; Default: Emergency,Alert,Critical,Error,Warning,Notice,Information)
SendRateLimit
The maximum number of log messages allowed to be sent per second. (Default: 2000)
UserName
SNMPv3 username.
AuthenticationPassword
SNMPv3 authentication password. (Optional)
SecurityLevel
SNMPv3 security level. (Default: AuthPriv)
AuthenticationMethod
SNMPv3 authentication method. (Default: HMAC-SHA1-96)
PrivacyPassword
SNMPv3 encryption/decryption password. (Optional)
Comments
Text describing the current object. (Optional)

3.58.1. LogReceiverMessageException

The definitions here are the same as in Section 3.57.1, LogReceiverMessageException.

3.59. LogReceiverSyslog

Description

A Syslog receiver is used to receive log events from the system in the standard Syslog format.

Properties

Name
Specifies a symbolic name for the log receiver. (Identifier)
RoutingTable
Specifies the routing table to use for communication with the log receiver. (Default: main)
IPAddress
Destination IP address.
Port
Destination port. (Default: 514)
SyslogHostname
Specifies the hostname used in syslog messages. (Default: UseSourceIP)
CustomHostname
Specifies the custom hostname used in syslog messages. (Optional)
Facility
Specifies what facility is used when logging. (Default: local0)
LogSeverity
Specifies which log event severities will be sent to this log receiver. (Optional; Default: Emergency,Alert,Critical,Error,Warning,Notice,Information)
SendRateLimit
The maximum number of log messages allowed to be sent per second. (Default: 2000)
Comments
Text describing the current object. (Optional)

3.59.1. LogReceiverMessageException

The definitions here are the same as in Section 3.57.1, LogReceiverMessageException.

3.60. MiscSettings

Description

Miscellaneous Settings

Properties

LocalUndelivered
How to treat (allowed) packets to the firewall that do not match open ports (netcon, snmp, etc.). (Default: DropLog)
PipeDupLog
Whether to log when a pipe object is used more than once by the same flow. (Default: LogAlways)
TTL0OnFwd
What action to take when the TTL reaches zero while a packet is being forwarded by the firewall (only possible if IPSettings:TTLMin=1). (Default: DropLog)
NotLocalEnetDest
When a unicast Ethernet packet is received, whose destination is not that of the receiving interface, the packet will be dropped (unless the firewall is running in transparent mode). This is normal. This setting will allow you to log such an event. Note that the log will have priority 'debug'; make sure that the log receiver is set to receive 'debug' priority logs if this is what you want. (Default: Drop)
MaxRebootDelay
The maximum number of seconds that a reboot request can be delayed in order to complete critical tasks such as writing crash reports. (Default: 0)
AppRestartOnError
Restart application on critical application error. (Default: Yes)
PacketOrderPreservation
Controls the system's efforts to preserve packet order as packets are processed and forwarded. The performance will be reduced when stricter packet ordering is requested. Changes to this setting will not be applied until the system is restarted. (Restart-required; Default: Performance)
HugePages
Specifies the type of huge pages to use when pre-allocating dataplane memory. Using 1GB memory pages may improve performance. (Restart-required; Default: Auto)
HugePageMapping
Specifies the type of memory mapping to use for the dataplane. This should only be changed to resolve memory-related boot-up problems, as changing it may itself cause such problems. (Restart-required; Default: Legacy)
QuickShutdown
Perform quick shutdown by only performing the bare essential cleanup tasks. (Default: No)
ExtendedConfigDebugging
Extended debug messages during system configuration. Should only be enabled in collaboration with the support department. (Default: No)
FlowUsageEnabled
Controls whether flow usage tracking, which records packets and bytes forwarded on each flow, is enabled. (Default: Yes)
ReportKubeEvents
Report certain types of events to Kubernetes. (Default: Yes)
MonitorKernelMessages
Process kernel messages and record them in the diagnose console. (Default: Auto)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.61. Modules

Description

Ethernet expansion modules hardware status.

Properties

Comments
Text describing the current object. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.61.1. EthernetModule

Description

Ethernet Expansion Module

Properties

Slot
Module Slot identifier. (Identifier)
Type
Module Type. (Optional)
Port
Number of Ethernet interface ports on module. (Default: 0)
Comments
Text describing the current object. (Optional)

3.62. NATPool

Description

A NAT pool is used to NAT multiple concurrent connections using different source IP addresses. A NAT pool can only be used with IPv4 rules.

Properties

Name
Specifies a symbolic name for the NAT Pool. (Identifier)
Type
Specifies how NAT'ed connections are assigned a NAT IP address.
ExternalIPPool
Specifies the external IP addresses used for NAT translation. The total number of IP addresses in the range(s) must be less than 65k.
InternalNetwork
Specifies the internal IP addresses used for Deterministic NAT translation. The total number of IP addresses in the network must be less than 65k.
DynBlockAllocation
Specifies if IPs outside the internal address range are allowed to allocate dynamic blocks. (Default: InternalNetwork)
CompressionRatio
Specifies how many internal IPs will be mapped to each external IP. (Default: Auto)
DetBlockSize
Specifies the number of external ports in each pre-allocated deterministic port block. (Default: Auto)
DynPoolRatio
Specifies the percentage of available ports that will be used for dynamic port block allocation. Note that this percentage of available ports is always reserved for dynamic allocation. If set to 0, dynamic allocation is disabled. (Default: 0)
DynBlockSize
Specifies the size of each dynamic port block. (Default: Auto)
DynBlockAllocLimit
Specifies the number of dynamic port blocks allowed to be allocated for each internal IP. (Default: 1)
ReservedPorts
Ports from 1 to ReservedPorts will not be assigned in deterministic or dynamic blocks. (Default: 1023)
StateKeepAlive
The number of seconds that stateful NAT state will be kept in absence of new connections. (Default: 120)
MaxStates
Maximum number of states kept by this stateful NATPool. In general, one state is needed for each local host or client (internal IP) that will use the NAT pool. There is only one state table per NAT pool so that if a single pool is reused in multiple NAT IP rules, they share the same state table.
Comments
Text describing the current object. (Optional)
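Because deterministic NAT exists so that an external IP:port seen in a log can be traced back to one internal host without per-connection records, the following added model (not cOS Stream's implementation) plans port blocks from the NATPool properties above: ExternalIPPool, InternalNetwork, ReservedPorts, DynPoolRatio, CompressionRatio and DetBlockSize. The way it derives the 'Auto' values (ratio = internal addresses / external addresses, block size = deterministic ports / ratio) and the order in which blocks are laid out are assumptions made for this model; the address ranges are constructed documentation addresses.

```python
"""Illustrative model of deterministic NAT port-block planning.
Added example, not cOS Stream code.  The 'Auto' derivations and the block
layout (internal index i -> external i // ratio, block i % ratio) are
assumptions; the product may allocate differently."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network
from math import ceil
from typing import List, Optional

MAX_POOL_ADDRESSES = 65535   # page: pool and network must hold < 65k addresses


@dataclass(frozen=True)
class PortBlock:
    internal_ip: IPv4Address
    external_ip: IPv4Address
    first_port: int
    last_port: int


class DetNatPlan:
    def __init__(self, external_pool: List[str], internal_network: str,
                 reserved_ports: int = 1023, dyn_pool_ratio: int = 0,
                 compression_ratio: Optional[int] = None,
                 det_block_size: Optional[int] = None) -> None:
        # ExternalIPPool: one or more "first-last" ranges, expanded to a list.
        self.external: List[IPv4Address] = []
        for rng in external_pool:
            lo, hi = (IPv4Address(p.strip()) for p in rng.split("-"))
            self.external.extend(IPv4Address(int(lo) + k)
                                 for k in range(int(hi) - int(lo) + 1))
        # InternalNetwork: every address of the network (incl. first/last).
        self.internal: List[IPv4Address] = list(ip_network(internal_network))
        if not 0 < len(self.external) <= MAX_POOL_ADDRESSES:
            raise ValueError("ExternalIPPool must hold 1..65535 addresses")
        if len(self.internal) > MAX_POOL_ADDRESSES:
            raise ValueError("InternalNetwork must hold less than 65k addresses")
        if not 0 <= reserved_ports <= 65534 or not 0 <= dyn_pool_ratio <= 100:
            raise ValueError("ReservedPorts/DynPoolRatio out of range")
        # Ports 1..ReservedPorts are never assigned; the rest is split between
        # deterministic blocks and the dynamic pool (DynPoolRatio percent).
        usable = 65535 - reserved_ports
        self.first_det_port = reserved_ports + 1
        self.det_ports = usable * (100 - dyn_pool_ratio) // 100
        self.first_dyn_port = self.first_det_port + self.det_ports
        self.ratio = compression_ratio or ceil(len(self.internal) / len(self.external))
        if self.ratio * len(self.external) < len(self.internal):
            raise ValueError("CompressionRatio too small for InternalNetwork")
        self.block_size = det_block_size or self.det_ports // self.ratio
        if self.block_size < 1 or self.block_size * self.ratio > self.det_ports:
            raise ValueError("deterministic blocks do not fit the port space")

    def block_for(self, internal_ip: str) -> PortBlock:
        """Deterministic (external IP, port range) for one internal host."""
        ip = IPv4Address(internal_ip)
        i = self.internal.index(ip)          # ValueError if outside the network
        ext = self.external[i // self.ratio]
        first = self.first_det_port + (i % self.ratio) * self.block_size
        return PortBlock(ip, ext, first, first + self.block_size - 1)

    def internal_for(self, external_ip: str, port: int) -> Optional[IPv4Address]:
        """Reverse lookup for attribution: which internal host owns this
        external ip:port?  None means the port was never deterministically
        assigned (reserved range, dynamic pool or unused slack), so the
        runtime natpool state would be needed instead."""
        e = self.external.index(IPv4Address(external_ip))
        if port < self.first_det_port or port > 65535:
            return None
        block = (port - self.first_det_port) // self.block_size
        if block >= self.ratio:
            return None
        i = e * self.ratio + block
        return self.internal[i] if i < len(self.internal) else None


if __name__ == "__main__":
    plan = DetNatPlan(["203.0.113.8-203.0.113.11"], "10.0.0.0/24")
    print(plan.block_for("10.0.0.65"))
    print(plan.internal_for("203.0.113.9", 2500))
```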

3.63. NDEntries

Description

Configured Neighbor entries

Properties

Comments
Text describing the current object. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.63.1. NDEntry

Description

Use an ND entry to publish additional IPv6 addresses and/or MAC addresses on a specified interface.

Properties

Mode
Static or Publish. (Default: Publish)
Interface
Indicates the interface to which the ND entry applies, i.e. the interface the address shall be published on.
IP
The IP address to be published or statically bound to a hardware address.
MACAddress
The hardware address associated with the IP address. (Default: 00-00-00-00-00-00)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.64. NDSettings

Description

ND (IPv6 Neighbor Discovery) Settings

Properties

NDMaxSolicitation
Maximum number of address resolution queries, per second and interface. (Default: 1000)
NDMaxUnreachProbe
Maximum number of Unreachability probes, per second and interface. (Default: 300)
NDMaxUnreachHost
Maximum number of replies to Unreachability probes, per host and second. (Default: 3)
NDMaxUnreachReply
Maximum number of replies to Unreachability probes, per second and interface. (Default: 300)
NDMaxResolvReply
Maximum number of replies to address resolution queries, per second and interface. (Default: 100)
NDMaxDupReply
Maximum number of replies to Duplicate Address probes, per second and interface. (Default: 1000)
NDCacheSizeEther
Maximum number of Ethernet ND entries in cache, total. (Default: 512)
NDMaxMulticastSolicit
Maximum number of Neighbor Solicitation messages before giving up address resolution. (Default: 3)
NDMaxUnicastSolicit
Maximum number of Unreachability probes before giving up on a stale ND entry. (Default: 3)
MaxAnycastDelayTime
Time in milliseconds, multiplied by a random factor (0.5 - 1.5), to delay proxied and anycast advertisements. (Default: 100)
DelayFirstProbeTime
Time to wait (for a response), in hundredths of a second, after any message is sent to a stale ND entry address before it is subject to Dead Peer detection. (Default: 100)
NDBaseReachableTime
The base lifetime of an ND entry, in seconds. The value is multiplied by a random factor (0.5 - 1.5) to yield the number of seconds before an ND entry is considered stale. (Default: 30)
NDZombieTime
Maximum number of seconds before a stale ND entry is subject to Dead Peer detection. (Default: 3600)
NDRetransTimer
Tenths of a second between each Neighbor Solicitation during address resolution and Dead Peer detection. (Default: 10)
NDVerifyTimer
Time in seconds after a seemingly successful address resolution during which the system will treat later incoming and conflicting advertisements differently. The system will randomly decide whether to trust the first or the later information. In both cases the IP will be logged as suspicious. Outside of this time, conflicting advertisements will be accepted in accordance with NDChanges. (Default: 1)
NDNoiseThreshold
Treat more than this number of advertisements for the same IP as suspicious. (Default: 2)
NDMatchL2Sender
Validation of the hardware sender address against the hardware address in the ND Source/Target 'Link-layer Address' options. (Default: DropLog)
NDValidation
What to do when a severely broken ND packet arrives. (Default: DropLog)
StaticNDChanges
What to do with ND packets that would cause static entries to be changed. (Default: DropLog)
NDChanges
What to do with ND packets that would cause an entry to be changed. (Default: FavourOldLog)
NDSenderIP
How to treat the IP source address in ND packets. (Default: Validate)
NDDupFlavor
Send replies to Duplicate Address probes to this destination (DAD probes do not contain a source address to which replies can be sent, and the RFC does not clearly specify where to send replies). (Default: AllNodes)
NDMulticastFlavor
How to resolve IPv6 multicast into L2 multicast (note that the default is the only RFC-compliant alternative). (Default: RFC2460)
NDClearOFlag
Clear the Override Flag on proxy and anycast ND advertisements (as required by the RFC). (Default: Yes)
NDLogRatelimitDelay
Whether to log when the rate limit settings prevent outgoing ND messages from being sent. (Default: Yes)
NDLogOutOfEntries
Whether to log when there are not enough neighbor entries in the firewall to perform IP address resolution (this will cause old entries to be recycled). (Default: Yes)
NDLogResolveFailure
Log when address resolution fails. (Default: Yes)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.65. OSPFProcess

Description

An OSPF Router Process defines a group of routers exchanging routing information via the Open Shortest Path First routing protocol.

Properties

Name
Specifies a symbolic name for the OSPF process. (Identifier)
RouterID
Specifies the IP address that is used to identify the router. If no router ID is configured, it will be computed automatically based on the highest IP address of any interface participating in the OSPF process. (Optional)
PrivateRouterID
Specifies the HA private IP address that is used to identify the HA router. If no private router ID is configured, it will be computed automatically based on the highest IP address of any interface participating in the OSPF process. (Optional)
RFC1583
Enable this if the firewall will be used in an environment that consists of routers that only support RFC 1583. (Default: No)
SPFHoldTime
Specifies the minimum time, in seconds, between two SPF calculations. (Default: 10)
SPFDelayTime
Specifies the delay time, in seconds, between when OSPF receives a topology change and when it starts an SPF calculation. (Default: 5)
LSAGroupPacing
Specifies the interval, in seconds, at which OSPF LSAs are collected into a group and refreshed. (Default: 10)
RoutesHoldtime
Specifies the time in seconds that the routing table will be kept unchanged after a reconfiguration of OSPF entries or an HA failover. (Default: 45)
RefBandwidthValue
Set the reference bandwidth that is used when calculating the default interface cost for routes. (Default: 1)
RefBandwidthUnit
Sets the reference bandwidth unit. (Default: Gbps)
DebugPacket
Enables or disables logging of general packet parsing events and also specifies the details of the log. (Default: Disabled)
DebugHello
Enables or disables logging of hello packets and also specifies the details of the log. (Default: Disabled)
DebugDDesc
Enables or disables logging of database description packets and also specifies the details of the log. (Default: Disabled)
DebugExchange
Enables or disables logging of exchange packets and also specifies the details of the log. (Default: Disabled)
DebugLSA
Enables or disables logging of LSA events and also specifies the details of the log. (Default: Disabled)
DebugSPF
Enables or disables logging of SPF calculation events and also specifies the details of the log. (Default: Disabled)
DebugRoute
Enables or disables logging of routing table manipulation events and also specifies the details of the log. (Default: Disabled)
AuthType
Specifies the authentication type for the OSPF protocol exchanges. (Default: None)
AuthPassphrase
Specifies the passphrase used for authentication. (Optional)
AuthMD5ID
Specifies the MD5 key ID used for MD5 digest authentication.
AuthMD5Key
A 128-bit key used to produce the MD5 digest. (Optional)
LogEnabled
Enable logging. (Default: Yes)
Comments
Text describing the current object. (Optional)

3.65.1. OSPFArea

Description

An OSPF area is a sub-domain within the OSPF process which collects OSPF interfaces, neighbors, aggregates and virtual links.

Properties

Name
Specifies a symbolic name for the area. (Identifier)
AreaID
Specifies the area ID. If 0.0.0.0 is specified, this is the backbone area.
Stub
Enable to make the router automatically advertise a default route so that routers in the stub area can reach destinations outside the area. (Default: No)
StubSummarize
Become a default router for stub area (Summarize). (Default: Yes)
StubMetric
Route metric for stub area. (Optional)
FilterExternal
Specifies the network addresses allowed to be imported into this area from external routing sources. (Optional)
FilterInterArea
Specifies the network addresses allowed to be imported from other routers inside the area. (Optional)
Comments
Text describing the current object. (Optional)

3.65.1.1. OSPFInterface

Description

Select and define the properties of an interface that should be made a member of the Router Process.

Properties

Interface
Specifies which interface in the firewall will be used for this OSPF interface. (Identifier)
Type
Auto, Broadcast, Point-to-point or Point-to-multipoint. (Default: Auto)
Network
Specifies the network related to the configured OSPF interface.
MetricType
Metric value or Bandwidth. (Default: MetricValue)
Metric
Specifies the routing metric for this OSPF interface. (Default: 10)
BandwidthValue
Specifies the bandwidth for this OSPF interface.
BandwidthUnit
Specifies the bandwidth unit. (Default: Mbps)
UseDefaultAuth
Use the authentication configuration specified in the OSPF process. (Default: Yes)
AuthType
Specifies the authentication type for the OSPF protocol exchanges. (Default: None)
AuthPassphrase
Specifies the passphrase used for authentication. (Optional)
AuthMD5ID
Specifies the MD5 key ID used for MD5 digest authentication.
AuthMD5Key
A 128-bit key used to produce the MD5 digest. (Optional)
HelloInterval
Specifies the number of seconds between HELLO packets sent from the interface. (Default: 10)
RtrDeadInterval
If no HELLO packets are received from a neighbor within this interval (in seconds), that neighbor router will be declared to be down. (Default: 40)
RxmtInterval
Specifies the number of seconds between retransmissions of LSAs to neighbors on this interface. (Default: 5)
RtrPrio
Specifies the router priority. A higher number increases this router's chance of becoming DR or BDR; if 0 is specified, this router will not be eligible in the DR/BDR election. (Default: 1)
InfTransDelay
Specifies the estimated transmit delay for the interface in seconds. This value represents the maximum time it takes to forward an LSA packet through the router. (Default: 1)
WaitInterval
Specifies the number of seconds between the time the interface is brought up and the election of the DR and BDR. This value should be higher than the hello interval. (Default: 40)
Passive
Enable to include networks in the OSPF routing process without running OSPF on the interface connected to that network. (Default: No)
IgnoreMTU
Enable to allow OSPF MTU mismatches. (Default: No)
Comments
Text describing the current object. (Optional)

3.65.1.2. OSPFNeighbor

Description

For point-to-point and point-to-multipoint networks, specify the IP addresses of directly connected routers.

Properties

Interface
Specifies the OSPF interface of the neighbor.
IPAddress
IP Address of the neighbor.
Metric
Specifies the metric of the neighbor. (Optional)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.65.1.3. OSPFAggregate

Description

An aggregate is used to replace any number of smaller networks belonging to the local (intra) area with one contiguous network which may then be advertised or hidden.

Properties

Network
The aggregate network used to combine several small routes.
Advertise
Advertise the aggregate. (Default: Yes)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.65.1.4. OSPFVLink

Description

An area that does not have a direct connection to the backbone must have at least one area border router with a virtual link to a backbone router, or to another router with a link to the backbone.

Properties

Name
Specifies a symbolic name for the virtual link. (Identifier)
RouterID
The ID of the router on the other side of the virtual link.
UseDefaultAuth
Use the authentication configuration specified in the OSPF process. (Default: Yes)
AuthType
Specifies the authentication type for the OSPF protocol exchanges. (Default: None)
AuthPassphrase
Specifies the passphrase used for authentication. (Optional)
AuthMD5ID
Specifies the MD5 key ID used for MD5 digest authentication.
AuthMD5Key
A 128-bit key used to produce the MD5 digest. (Optional)
Comments
Text describing the current object. (Optional)

3.65.2. RouteExportRuleOSPF

Description

An OSPF export rule creates a filter to select OSPF learned routes. The filtered routes can then through action rules either be exported to "route distribution services", such as OSPF, or be added to one or more routing tables.

Properties

Name
Specifies a symbolic name for the rule. (Optional)
RouterID
Specifies Router ID which filtered routes need to match. (Optional)
OSPFRouteType
Specifies OSPF router type which filtered routes need to match. (Optional)
OSPFTagRange
Specifies a tag interval which filtered routes need to be within. (Optional)
DestinationInterface
Specifies an interface which filtered routes need to match. (Optional)
DestinationNetworkExactly
Specifies a network range which filtered routes need to match exactly. (Optional)
DestinationNetworkIn
Specifies a network range which filtered routes need to be within. (Optional)
NextHop
Specifies the next (router) hop which filtered routes need to match. (Optional)
MetricRange
Specifies a metric interval which filtered routes need to be within. (Optional)
LogEnabled
Enable logging. (Default: Yes)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.65.2.1. ExportToOSPF

The definitions here are the same as in Section 3.9.7.2, ExportToOSPF.

3.65.2.2. ExportToBGP

Description

A BGP action is used to insert, update and remove routes to/from a BGP process.

Properties

Name
Specifies a symbolic name for the rule. (Optional)
ExportToProcess
Specifies to which BGP process the route should be exported.
OffsetMetric
Offset to increase/decrease the metric of filtered routes. (Optional)
LimitMetricRange
Metric boundary for filtered routes. Metrics outside the boundary will be reset to the nearest limit. (Optional)
SetForward
Sets/overrides the gateway IP for filtered routes. (Optional)
LogEnabled
Enable logging. (Default: Yes)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.65.2.3. ExportToRoutingTable

The definitions here are the same as in Section 3.9.7.1, ExportToRoutingTable.

3.66. PBRRules

Description

The PBR rule set. Contains RoutingRule objects.

Properties

Comments
Text describing the current object. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.66.1. RoutingRule

Description

A Routing Rule forces the use of a routing table in the forward and/or return direction of traffic on a connection. The ordering parameter of the routing table determines if it is consulted before or after the main routing table.

Properties

Name
Specifies a symbolic name for the rule. (Optional)
ForwardRoutingTable
The forward routing table will be used for packets from the connection originator to the connection endpoint. (Optional)
ReturnRoutingTable
The return routing table will be used for packets traveling in the reverse direction. (Optional)
SourceNetwork
Specifies the span of sender IP addresses to be compared to the source IP of the received packet.
DestinationNetwork
Specifies the span of IP addresses to be compared to the destination IP of the received packet.
SourceInterface
Specifies the name of the receiving interface to be compared to the received packet.
Service
Specifies a service that will be used as a filter parameter when matching traffic with this rule.
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.67. Pipe

Description

A pipe defines basic traffic shaping parameters. The pipes are then combined in a pipe profile that then can be selected on an IP rule to determine which traffic goes through which pipes.

Properties

Name
Specifies a symbolic name for the pipe. (Identifier)
LimitBpsTotal
Total bandwidth limit for this pipe in kilobits per second. (Optional)
LimitPpsTotal
Total packet per second limit for this pipe. (Optional)
LimitBps0
Specifies the bandwidth limit in bps (bits per second) for precedence 0 (the lowest precedence). (Optional)
LimitPps0
Specifies the packet per second limit for precedence 0 (the lowest precedence). (Optional)
LimitBps1
Specifies the bandwidth limit in bps (bits per second) for precedence 1. (Optional)
LimitPps1
Specifies the packet per second limit for precedence 1. (Optional)
LimitBps2
Specifies the bandwidth limit in bps (bits per second) for precedence 2. (Optional)
LimitPps2
Specifies the packet per second limit for precedence 2. (Optional)
LimitBps3
Specifies the bandwidth limit in bps (bits per second) for precedence 3. (Optional)
LimitPps3
Specifies the packet per second limit for precedence 3. (Optional)
LimitBps4
Specifies the bandwidth limit in bps (bits per second) for precedence 4. (Optional)
LimitPps4
Specifies the packet per second limit for precedence 4. (Optional)
LimitBps5
Specifies the bandwidth limit in bps (bits per second) for precedence 5. (Optional)
LimitPps5
Specifies the packet per second limit for precedence 5. (Optional)
LimitBps6
Specifies the bandwidth limit in bps (bits per second) for precedence 6. (Optional)
LimitPps6
Specifies the packet per second limit for precedence 6. (Optional)
LimitBps7
Specifies the bandwidth limit in bps (bits per second) for precedence 7 (the highest precedence). (Optional)
LimitPps7
Specifies the packet per second limit for precedence 7 (the highest precedence). (Optional)
UserLimitBpsTotal
Total bandwidth limit per group in the pipe in kilobits per second. (Optional)
UserLimitPpsTotal
Total throughput limit per group in the pipe in packets per second. (Optional)
UserLimitBps0
Specifies the bandwidth limit per group in bps (bits per second) for precedence 0 (the lowest precedence). (Optional)
UserLimitPps0
Specifies the throughput limit per group in pps (packets per second) for precedence 0 (the lowest precedence). (Optional)
UserLimitBps1
Specifies the bandwidth limit per group in bps (bits per second) for precedence 1. (Optional)
UserLimitPps1
Specifies the throughput limit per group in pps (packets per second) for precedence 1. (Optional)
UserLimitBps2
Specifies the bandwidth limit per group in bps (bits per second) for precedence 2. (Optional)
UserLimitPps2
Specifies the throughput limit per group in pps (packets per second) for precedence 2. (Optional)
UserLimitBps3
Specifies the bandwidth limit per group in bps (bits per second) for precedence 3. (Optional)
UserLimitPps3
Specifies the throughput limit per group in pps (packets per second) for precedence 3. (Optional)
UserLimitBps4
Specifies the bandwidth limit per group in bps (bits per second) for precedence 4. (Optional)
UserLimitPps4
Specifies the throughput limit per group in pps (packets per second) for precedence 4. (Optional)
UserLimitBps5
Specifies the bandwidth limit per group in bps (bits per second) for precedence 5. (Optional)
UserLimitPps5
Specifies the throughput limit per group in pps (packets per second) for precedence 5. (Optional)
UserLimitBps6
Specifies the bandwidth limit per group in bps (bits per second) for precedence 6. (Optional)
UserLimitPps6
Specifies the throughput limit per group in pps (packets per second) for precedence 6. (Optional)
UserLimitBps7
Specifies the bandwidth limit per group in bps (bits per second) for precedence 7 (the highest precedence). (Optional)
UserLimitPps7
Specifies the throughput limit per group in pps (packets per second) for precedence 7 (the highest precedence). (Optional)
Grouping
Grouping enables per-port/IP/network static bandwidth limits as well as dynamic balancing between groups. (Default: None)
GroupingIP4NetworkSize
If users are grouped according to source or destination network, the size of the network has to be specified by this setting. (Default: 16)
GroupingIP6NetworkSize
If users are grouped according to source or destination network, the size of the network has to be specified by this setting. (Default: 64)
Dynamic
Enable dynamic balancing of groups. When disabled, only configured user limits will apply. (Default: Yes)
PrecedenceMin
Specifies the lowest allowed precedence for traffic in this pipe. If a packet with a lower precedence enters, its precedence is raised to this value. (Default: 0)
PrecedenceDefault
Specifies the default precedence for the pipe. If a packet enters this pipe without a set precedence, it gets assigned this value. Should be higher than or equal to the minimum precedence. (Default: 0)
PrecedenceMax
Specifies the highest allowed precedence for traffic in this pipe. If a packet with a higher precedence enters, its precedence is lowered to this value. Should be higher than or equal to the default precedence. (Default: 7)
Comments
Text describing the current object. (Optional)
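The precedence and grouping properties above interact: a packet first gets a precedence (PrecedenceDefault if unmarked, otherwise clamped into the PrecedenceMin..PrecedenceMax range), then the UserLimit* values are applied to the group it belongs to, where a group is the enclosing network of GroupingIP4NetworkSize bits. The following model, an added example that is not cOS Stream code, makes those semantics concrete. The one-second counting window used to enforce a pps limit and the field names of PipeConfig are assumptions made for the example; the packets and addresses are constructed.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class PipeConfig:
    """Subset of the Pipe properties used here (names follow the reference)."""
    precedence_min: int = 0
    precedence_default: int = 0
    precedence_max: int = 7
    grouping_ip4_network_size: int = 16          # GroupingIP4NetworkSize
    user_limit_pps: Dict[int, int] = field(default_factory=dict)  # UserLimitPps0..7
    user_limit_pps_total: Optional[int] = None   # UserLimitPpsTotal


def effective_precedence(cfg: PipeConfig, packet_precedence: Optional[int]) -> int:
    """PrecedenceDefault for unmarked packets; otherwise clamp into [Min, Max]."""
    if not cfg.precedence_min <= cfg.precedence_default <= cfg.precedence_max:
        raise ValueError("PrecedenceDefault must lie between PrecedenceMin and PrecedenceMax")
    p = cfg.precedence_default if packet_precedence is None else packet_precedence
    return max(cfg.precedence_min, min(cfg.precedence_max, p))


def group_key(cfg: PipeConfig, ip: str) -> str:
    """Group identifier when grouping by network: the enclosing /<size> prefix."""
    return str(ipaddress.ip_network(f"{ip}/{cfg.grouping_ip4_network_size}", strict=False))


class PipePpsLimiter:
    """Per-group packet counters; the one-second counting window is an assumption."""

    def __init__(self, cfg: PipeConfig):
        self.cfg = cfg
        self.window: Optional[int] = None
        self.counts = defaultdict(int)   # (group, precedence) -> packets this second
        self.totals = defaultdict(int)   # group -> packets this second

    def admit(self, now: float, src_ip: str, packet_precedence: Optional[int]) -> bool:
        """True if the packet is within the group's per-precedence and total pps limits."""
        second = int(now)
        if second != self.window:        # new window: all counters start over
            self.window = second
            self.counts.clear()
            self.totals.clear()
        prec = effective_precedence(self.cfg, packet_precedence)
        grp = group_key(self.cfg, src_ip)
        limit = self.cfg.user_limit_pps.get(prec)
        if limit is not None and self.counts[(grp, prec)] >= limit:
            return False
        total = self.cfg.user_limit_pps_total
        if total is not None and self.totals[grp] >= total:
            return False
        self.counts[(grp, prec)] += 1
        self.totals[grp] += 1
        return True


def demo() -> dict:
    """Constructed traffic: five hosts in one /16 and one host in another."""
    cfg = PipeConfig(precedence_min=2, precedence_default=3, precedence_max=6,
                     user_limit_pps={3: 2}, user_limit_pps_total=3)
    limiter = PipePpsLimiter(cfg)
    decisions = [
        limiter.admit(10.1, "192.0.2.10", None),    # default prec 3, first in the window
        limiter.admit(10.2, "192.0.2.11", None),    # prec 3, second: reaches the limit of 2
        limiter.admit(10.3, "192.0.2.12", None),    # prec 3 limit exhausted
        limiter.admit(10.4, "192.0.2.13", 0),       # raised to prec 2, group total reaches 3
        limiter.admit(10.5, "192.0.2.14", 9),       # lowered to prec 6, group total exhausted
        limiter.admit(10.6, "198.51.100.7", 9),     # different /16 group, own counters
        limiter.admit(11.0, "192.0.2.12", None),    # next second, counters reset
    ]
    return {"decisions": decisions,
            "precedences": [effective_precedence(cfg, p) for p in (None, 0, 9)],
            "group": group_key(cfg, "192.0.2.10")}
```

With Dynamic set to No this is the whole story: only the configured user limits apply. Dynamic balancing between groups adds behaviour the reference describes only by name and is not modelled here.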

3.68. PSK

Description

PSK (Pre-Shared Key) authentication is based on a shared secret that is known only by the parties involved.

Properties

Name
Specifies a symbolic name for the pre-shared key. (Identifier)
Type
Specifies the type of the shared key.
PSKAscii
Specifies the PSK as a passphrase.
PSKHex
Specifies the PSK as a hexadecimal key.
Comments
Text describing the current object. (Optional)

3.69. RadiusServer

Description

External RADIUS server used to verify user names and passwords.

Properties

Name
Specifies a symbolic name for the authentication source. (Identifier)
RoutingTable
Specifies the routing table to use for communication with the RADIUS server. (Default: main)
IPAddress
The IP address of the server.
Port
The UDP port of the server. (Default: 1812)
RetryTimeout
The retry timeout, in milliseconds, used when trying to contact the RADIUS server. If no response has been received within this time (for example 2 seconds), the firewall tries again by sending a new Request packet. (Default: 2000)
NumRetries
How many retries should be sent when trying to contact the RADIUS accounting server. If no response has been received within the retry timeout (for example 2 seconds), the firewall tries again by sending a new Request packet. (Default: 3)
SharedSecret
The shared secret phrase for the Authenticator generation.
NASIdentifier
Value of the RADIUS attribute NAS-Identifier in RADIUS requests. (Optional)
EnableCallingStationID
Enable Calling Station ID and Called Station ID in RADIUS messages. (Default: Yes)
EnableFramedIP
Include Framed IP address in the RADIUS Access Request message. (Default: No)
LogEnabled
Enable logging. (Default: Yes)
Comments
Text describing the current object. (Optional)
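The SharedSecret property is what lets the firewall tell a genuine RADIUS reply from a spoofed one: per RFC 2865 the server signs every reply with a Response Authenticator, MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), and the client recomputes it before trusting an Access-Accept. The example below, added here and not cOS Stream code, builds a constructed Access-Request (including the User-Password hiding that also depends on the secret and the NAS-Identifier attribute), verifies a reply, and lists the retransmission offsets that RetryTimeout and NumRetries imply. The secret, user name and NAS identifier are placeholders.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def attribute(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): pad to 16-byte blocks and XOR each
    block with MD5(secret + previous block), the Request Authenticator coming first."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code, Identifier, Length, Authenticator, then the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(reply: bytes, request_auth: bytes, secret: bytes, expected_ident: int) -> bool:
    """Accept a reply only when its Identifier matches an outstanding request and its
    Response Authenticator was produced with our shared secret and Request Authenticator."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != expected_ident:
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


def retry_schedule(retry_timeout_ms: int = 2000, num_retries: int = 3) -> list:
    """Offsets (ms after the first Request) at which a new Request is sent while no
    reply has arrived, with the reference defaults RetryTimeout=2000 and NumRetries=3."""
    return [retry_timeout_ms * (n + 1) for n in range(num_retries)]


def demo() -> dict:
    secret = b"example-shared-secret"     # placeholder, not a real secret
    ident = 7
    request_auth = os.urandom(16)         # fresh per request, as RFC 2865 requires
    attrs = (attribute(ATTR_USER_NAME, b"alice")
             + attribute(ATTR_USER_PASSWORD, hide_password(b"correct horse", secret, request_auth))
             + attribute(ATTR_NAS_IDENTIFIER, b"fw-edge-1"))
    request = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    # a genuine Access-Accept from a server holding the secret, and one made with a wrong secret
    genuine = build_packet(ACCESS_ACCEPT, ident,
                           response_authenticator(ACCESS_ACCEPT, ident, b"", request_auth, secret), b"")
    forged = build_packet(ACCESS_ACCEPT, ident,
                          response_authenticator(ACCESS_ACCEPT, ident, b"", request_auth, b"wrong"), b"")
    return {"request_len": len(request),
            "genuine_accepted": verify_response(genuine, request_auth, secret, ident),
            "forged_accepted": verify_response(forged, request_auth, secret, ident),
            "wrong_ident_accepted": verify_response(genuine, request_auth, secret, ident + 1),
            "retries_at_ms": retry_schedule()}
```

The Identifier check matters as much as the digest: a reply is only meaningful for the request whose Request Authenticator it was computed over, which is why the client keeps that 16-byte value until the reply arrives or the last retry has timed out.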

3.70. RemoteMgmtNetcon

Description

Configure Netcon management to enable remote management to the system.

Properties

Name
Specifies a symbolic name for the object. (Default: NetconMgmt)
AccessLevel
The access level to grant the user or system that logs in. (Default: Admin)
Key
A 64 byte pre-shared key used for authentication.
AuthProfile
Specifies the authentication profile to use when authenticating Netcon access.
LogEnabled
Enable logging. (Default: Yes)
SourceNetwork
Specifies the source network for which remote access is granted.
DestinationNetwork
Specifies the destination network for which remote access is granted. (Default: 0)
SourceInterface
Specifies the source interface for which remote access is granted.
DestinationInterface
Specifies the destination interface for which remote access is granted. (Default: core)
Comments
Text describing the current object. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.71. RemoteMgmtSettings

Description

Setup and configure methods and permissions for remote management of this system.

Properties

BiDirTimeout
Specifies the number of seconds to wait for the administrator to log in before reverting to the previous configuration. (Default: 30)
NetconMaxChannels
The maximum number of concurrent Netcon channels. The Netcon channels consist of the following: CLI access, real-time loggers, statistical polling and send/receive file sessions. (Default: 18)
SNMPv3EngineId
User defined Engine Id text. The default setting <auto> autogenerates an Engine Id based on the MAC address of the first interface. (Default: <auto>)
StatisticsPrefetchPeriod
Specifies the number of seconds to keep pre-fetching a statistics value after it has been used, to shorten response times for new requests for the same value. (Default: 120)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.72. RemoteMgmtSNMP

Description

Configure SNMP management to enable SNMP polling.

Properties

Name
Specifies a symbolic name for the object. (Identifier)
GetCommunity
Specifies the name of the community to be granted rights to remotely monitor the firewall.
SysContact
The contact person for this managed node. (Default: N/A)
SysName
The name for this managed node. (Default: N/A)
SysLocation
The physical location of this node. (Default: N/A)
RequestLimit
Maximum number of SNMP packets that will be processed each second. (Default: 100)
UserDefinedState
User defined state. (Optional)
EntityStateAdmin
Administrative state of this entity. Refer to ITU-T X.731. (Default: Unlocked)
ManagementIPAddressList
IP Address list of management interfaces. (Optional)
ServiceIPAddressList
Service IP address list. (Optional)
DateOfLastService
Date of last service. (Optional)
LogEnabled
Enable logging. (Default: Yes)
SourceNetwork
Specifies the source network for which remote access is granted.
DestinationNetwork
Specifies the destination network for which remote access is granted. (Default: all-nets)
SourceInterface
Specifies the source interface for which remote access is granted.
DestinationInterface
Specifies the destination interface for which remote access is granted. (Default: core)
Comments
Text describing the current object. (Optional)

3.73. RemoteMgmtSNMP3

Description

Configure SNMPv3 management to enable SNMPv3 polling.

Properties

Name
Specifies a symbolic name for the object. (Identifier)
LocalUserDB
Local user database that will be used to authenticate users.
SysContact
The contact person for this managed node. (Default: N/A)
SysName
The name for this managed node. (Default: N/A)
SysLocation
The physical location of this node. (Default: N/A)
RequestLimit
Maximum number of SNMP packets that will be processed each second. (Default: 100)
UserDefinedState
User defined state. (Optional)
EntityStateAdmin
Administrative state of this entity. Refer to ITU-T X.731. (Default: Unlocked)
ManagementIPAddressList
IP Address list of management interfaces. (Optional)
ServiceIPAddressList
Service IP address list. (Optional)
DateOfLastService
Date of last service. (Optional)
LogEnabled
Enable logging. (Default: Yes)
SourceNetwork
Specifies the source network for which remote access is granted.
DestinationNetwork
Specifies the destination network for which remote access is granted. (Default: all-nets)
SourceInterface
Specifies the source interface for which remote access is granted.
DestinationInterface
Specifies the destination interface for which remote access is granted. (Default: core)
SecurityLevel
SNMPv3 security level. (Default: AuthPriv)
AuthenticationMethod
SNMPv3 authentication method. (Default: HMAC-SHA1-96)
PrivacyPassword
SNMPv3 encryption/decryption password. (Optional)
Comments
Text describing the current object. (Optional)

3.74. RemoteMgmtSSH

Description

Configure a Secure Shell (SSH) Server to enable remote management access to the system.

Properties

Index
The index of the object, starting at 1. (Identifier)
Name
Specifies a symbolic name for the SSH server. (Identifier)
Port
The listening port for the SSH server. (Default: 22)
AllowHostKeyDSA
Allow DSA public key algorithm. (Default: No)
AllowHostKeyRSA
Allow RSA public key algorithm. (Default: Yes)
AllowHostKeyECDSA
Allow ECDSA public key algorithm. (Default: Yes)
AllowKexDH14
Allow Diffie-Hellman Group 14 key exchange algorithm. (Default: Yes)
AllowKexDH1
Allow Diffie-Hellman Group 1 key exchange algorithm. (Default: No)
AllowAES128CBC
Allow AES-128-CBC encryption algorithm. (Default: No)
AllowAES128CTR
Allow AES-128-CTR encryption algorithm. (Default: Yes)
AllowAES128GCM
Allow AES-128-GCM encryption algorithm. (Default: Yes)
AllowAES192CBC
Allow AES-192-CBC encryption algorithm. (Default: No)
AllowAES192CTR
Allow AES-192-CTR encryption algorithm. (Default: Yes)
AllowAES256CBC
Allow AES-256-CBC encryption algorithm. (Default: No)
AllowAES256CTR
Allow AES-256-CTR encryption algorithm. (Default: Yes)
AllowAES256GCM
Allow AES-256-GCM encryption algorithm. (Default: Yes)
AllowCHACHA20
Allow Chacha20-Poly1305 encryption algorithm. (Default: Yes)
AllowBlowfish
Allow Blowfish encryption algorithm. (Default: No)
Allow3DES
Allow 3DES encryption algorithm. (Default: No)
AllowMACSHA1
Allow SHA1 integrity algorithm. (Default: Yes)
AllowMACMD5
Allow MD5 integrity algorithm. (Default: No)
AllowMACSHA196
Allow SHA1-96 integrity algorithm. (Default: No)
AllowMACMD596
Allow MD5-96 integrity algorithm. (Default: No)
AllowMACSHA2256
Allow SHA2-256 integrity algorithm. (Default: Yes)
AllowMACSHA2512
Allow SHA2-512 integrity algorithm. (Default: Yes)
Banner
Specifies the greeting message to display when the user logs in. (Default: "Welcome,\r\n\r\n - Type \"help\" to see a list of available commands.\r\n - To get help on a specific command, type \"help command\".\r\n - A summary of the options for a command is displayed with \"command -?\".\r\n\r\nUse the tab key to get a list of valid choices for the current command or option.\r\nConsult the CLI reference guide for more information.\r\n")
MaxSessions
The maximum number of clients that can be connected at the same time. (Default: 5)
SessionIdleTime
The number of seconds a user can be idle before the session is closed. (Default: 1800)
LoginGraceTime
When the user has supplied the username, the password has to be provided within this number of seconds or the session will be closed. (Default: 30)
AuthenticationRetries
The number of retries allowed before the session is closed. (Default: 3)
AccessLevel
The access level to grant the user or system that logs in. (Default: Admin)
AuthMethod
Allowed client authentication methods. (Default: Any)
AuthProfile
Specifies the authentication profile to use when authenticating SSH access.
LogEnabled
Enable logging. (Default: Yes)
SourceNetwork
Specifies the source network for which remote access is granted.
DestinationNetwork
Specifies the destination network for which remote access is granted. (Default: all-nets)
SourceInterface
Specifies the source interface for which remote access is granted.
DestinationInterface
Specifies the destination interface for which remote access is granted. (Default: core)
Comments
Text describing the current object. (Optional)
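The Allow* switches above determine which host key, key exchange, cipher and MAC algorithms the SSH server offers, and the reference defaults already turn off the legacy ones (DSA host keys, DH group 1, CBC ciphers, Blowfish, 3DES, MD5 and the truncated 96-bit MACs). A quick way to review a RemoteMgmtSSH object is to compare its settings with those defaults, which the following added example does; it is not cOS Stream code. The "Property: Value" line format it parses is constructed for the example and is not the CLI's own output format; the property table is transcribed from the descriptions above.

```python
# property -> (algorithm as named in the reference, category, default Allow value)
SSH_ALGORITHM_PROPERTIES = {
    "AllowHostKeyDSA":   ("DSA",                     "hostkey", False),
    "AllowHostKeyRSA":   ("RSA",                     "hostkey", True),
    "AllowHostKeyECDSA": ("ECDSA",                   "hostkey", True),
    "AllowKexDH14":      ("Diffie-Hellman group 14", "kex",     True),
    "AllowKexDH1":       ("Diffie-Hellman group 1",  "kex",     False),
    "AllowAES128CBC":    ("AES-128-CBC",             "cipher",  False),
    "AllowAES128CTR":    ("AES-128-CTR",             "cipher",  True),
    "AllowAES128GCM":    ("AES-128-GCM",             "cipher",  True),
    "AllowAES192CBC":    ("AES-192-CBC",             "cipher",  False),
    "AllowAES192CTR":    ("AES-192-CTR",             "cipher",  True),
    "AllowAES256CBC":    ("AES-256-CBC",             "cipher",  False),
    "AllowAES256CTR":    ("AES-256-CTR",             "cipher",  True),
    "AllowAES256GCM":    ("AES-256-GCM",             "cipher",  True),
    "AllowCHACHA20":     ("Chacha20-Poly1305",       "cipher",  True),
    "AllowBlowfish":     ("Blowfish",                "cipher",  False),
    "Allow3DES":         ("3DES",                    "cipher",  False),
    "AllowMACSHA1":      ("SHA1",                    "mac",     True),
    "AllowMACMD5":       ("MD5",                     "mac",     False),
    "AllowMACSHA196":    ("SHA1-96",                 "mac",     False),
    "AllowMACMD596":     ("MD5-96",                  "mac",     False),
    "AllowMACSHA2256":   ("SHA2-256",                "mac",     True),
    "AllowMACSHA2512":   ("SHA2-512",                "mac",     True),
}
CATEGORIES = ("hostkey", "kex", "cipher", "mac")


def parse_properties(text: str) -> dict:
    """Parse constructed 'Property: Value' lines into {property: bool}; other lines are ignored."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip().lower()
        if sep and key in SSH_ALGORITHM_PROPERTIES:
            props[key] = value in ("yes", "true", "1")
    return props


def effective_settings(props: dict) -> dict:
    """Fill in the reference default for every Allow* property the input leaves unset."""
    return {name: props.get(name, spec[2]) for name, spec in SSH_ALGORITHM_PROPERTIES.items()}


def offered_algorithms(props: dict) -> dict:
    """Algorithms the server would offer, per category."""
    settings = effective_settings(props)
    offered = {cat: [] for cat in CATEGORIES}
    for name, (algo, cat, _default) in SSH_ALGORITHM_PROPERTIES.items():
        if settings[name]:
            offered[cat].append(algo)
    return offered


def deviations(props: dict) -> dict:
    """Where the object departs from the reference defaults: legacy algorithms
    (default No) switched on, and default-on algorithms switched off."""
    settings = effective_settings(props)
    legacy_on = [algo for name, (algo, _c, default) in SSH_ALGORITHM_PROPERTIES.items()
                 if settings[name] and not default]
    default_off = [algo for name, (algo, _c, default) in SSH_ALGORITHM_PROPERTIES.items()
                   if not settings[name] and default]
    return {"legacy_enabled": legacy_on, "default_disabled": default_off}


def negotiable(props: dict) -> bool:
    """A server needs at least one host key, kex, cipher and MAC to accept any client."""
    return all(offered_algorithms(props)[cat] for cat in CATEGORIES)


SAMPLE = """\
Name: main-ssh
Port: 22
AllowKexDH1: Yes
AllowAES128CBC: Yes
AllowAES256GCM: No
AllowMACSHA1: No
"""


def demo() -> dict:
    props = parse_properties(SAMPLE)
    return {"offered": offered_algorithms(props), "deviations": deviations(props),
            "negotiable": negotiable(props)}
```

Turning a legacy algorithm on is sometimes unavoidable for an old management client, but it then appears in the "legacy_enabled" list and can be reviewed deliberately rather than discovered later; the negotiable() check catches the opposite mistake of disabling every algorithm in a category and locking out all clients.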

3.75. RouteMap

Description

Ruleset used to allow, deny or modify route prefixes and their characteristics.

Properties

Name
Specifies a symbolic name for the route-map. (Identifier)
Comments
Text describing the current object. (Optional)

3.75.1. RouteMapEntry

Description

Rule entry used to allow, deny or change route prefixes and their characteristics.

Properties

Action
Specifies the action to take for matched prefixes.
MatchASPath
Match entries where the prefix AS path is allowed by the AS path access list. (Optional)
MatchIP
Match entries where the prefix address is allowed by the prefix list. (Optional)
MatchNextHop
Match entries where the next-hop address is allowed by the prefix list. (Optional)
MatchOrigin
Match entries based on path origin. (Optional)
MatchMetric
Match entries based on route metric. (Optional)
MatchTag
Match entries based on route tag. (Optional)
MatchCommunity
Match entries based on BGP community. (Optional)
MatchCommunityExactMatch
Require exact match of community. (Optional)
SetMetric
Set metric on matched updates. (Optional)
SetTag
Set tag on matched updates. Note that tags are internal to local node, route-maps and BGP only. (Optional)
SetWeight
Set weight on matched updates. (Optional)
SetLocalPreference
Set the BGP local preference path attribute. (Optional)
SetOrigin
Set path origin on matched updates. (Optional)
SetOriginatorID
Sets the originator ID attribute on matched updates. (Optional)
SetNextHop
Sets the next-hop on matched updates. (Optional)
SetCommunity
Sets BGP community on matched updates. (Optional)
SetCommunityInternet
Specifies the well-known Internet community. (Optional)
SetCommunityLocalAS
Specifies that the route is not to be sent outside the local AS (well-known community). (Optional)
SetCommunityNoAdvertise
Specify no advertisement of this route to eBGP peers. (Optional)
SetCommunityNoExport
Specify no advertisement of this route to any peer. (Optional)
SetCommunityNone
Removes the community attribute from the prefixes that pass the route-map. (Optional)
SetCommunityNumber
Comma separated list of communities as a number or in AA:NN format. (Optional)
SetCommunityAdditive
Adds to the existing community. (Optional)
SetCommunityExt
Specifies the extended community attribute.
SetCommunityCostCompare
Specifies the method of how to compare the cost of the extended cost community.
SetCommunityID
Specifies the community ID.
SetCommunityCost
Specifies the community cost range.
SetASPathPrepend
Specifies the autonomous systems (comma separated) to append to the AS path. (Optional)
IncMetric
Increase metric by value on matched updates. (Optional)
DecMetric
Decrease metric by value on matched updates. (Optional)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.76. RoutePrefixList

Description

Ruleset used to allow or deny route prefixes.

Properties

Name
Specifies a symbolic name for the prefix list. (Identifier)
Comments
Text describing the current object. (Optional)

3.76.1. RoutePrefixEntry

Description

Rule entry used to allow or deny route prefixes.

Properties

Action
Specifies the action to take for matched prefixes.
Network
IP network of prefix.
PrefixCompare
Network span specifier. (Optional)
PrefixLength
Defines the span of the prefix/network together with prefix comparer. (Default: 0)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.77. RouterAdvertisementProfilesTable

Description

The system has a Router Advertisement Profiles table. All profiles can be declared here.

Properties

Name
Specifies a symbolic name for the Router Advertisement Profiles Table. (Identifier)
Comments
Text describing the current object. (Optional)

3.77.1. RouterAdvertisementProfile

Description

Properties that will form the structure and behavior of a Router Advertisement packet.

Properties

Name
Specifies a symbolic name for the Profile.
MaxRtrAdvInterval
The maximum time allowed between sending unsolicited multicast Router Advertisements from the interface, in seconds. (Default: 600)
MinRtrAdvInterval
The minimum time allowed between sending unsolicited multicast Router Advertisements from the interface, in seconds. (Default: Depends on MaxRtrAdvInterval. Will adjust automatically). (Default: 198)
ManagedFlag
Indicates that addresses are available via DHCPv6. (Default: False). (Default: No)
OtherConfigFlag
Indicates that other configuration information is available via DHCPv6. (Default: False). (Default: No)
LinkMTU
The value to be placed in MTU options sent. A value of zero indicates that no MTU options are sent. (Default: 0)
ReachableTime
The value, in seconds, to be placed in the Reachable Time field in the Router Advertisement messages sent by the firewall. The value zero means unspecified. (Default: 0s). (Default: 0)
RetransTimer
The value, in seconds, to be placed in the Retrans Time field in the Router Advertisement messages sent by the firewall. The value zero means unspecified. (Default: 0s). (Default: 0)
CurHopLimit
The default value to be placed in the Cur Hop Limit field in the Router Advertisement messages sent by the firewall. The value zero means unspecified. (Default: 64). (Default: 0)
DefaultLifetime
The value to be placed in the Router Lifetime field of Router Advertisements sent from the firewall, in seconds. (Default: Depends on MaxRtrAdvInterval. Will adjust automatically). (Default: 1800)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
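MinRtrAdvInterval and DefaultLifetime are documented above as depending on MaxRtrAdvInterval, and the reference defaults (600 giving 198 and 1800) are exactly what the rules of RFC 4861 section 6.2.1 produce: the minimum interval defaults to 0.33 times the maximum (the maximum itself below 9 seconds) and the router lifetime to three times the maximum. The added example below, which is not cOS Stream code, applies those derivations and checks a profile against the RFC's bounds plus the IPv6 minimum link MTU; the dataclass field names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RouterAdvertisementProfile:
    max_rtr_adv_interval: int = 600              # MaxRtrAdvInterval, seconds
    min_rtr_adv_interval: Optional[int] = None   # None: derived from MaxRtrAdvInterval
    default_lifetime: Optional[int] = None       # None: derived from MaxRtrAdvInterval
    link_mtu: int = 0                            # 0: no MTU option is sent
    cur_hop_limit: int = 0                       # 0: unspecified


def derived_min_interval(max_interval: int) -> int:
    """RFC 4861 6.2.1: MinRtrAdvInterval defaults to 0.33 * MaxRtrAdvInterval when
    the maximum is at least 9 seconds, otherwise to MaxRtrAdvInterval itself."""
    return max_interval * 33 // 100 if max_interval >= 9 else max_interval


def derived_default_lifetime(max_interval: int) -> int:
    """RFC 4861 6.2.1: AdvDefaultLifetime defaults to 3 * MaxRtrAdvInterval."""
    return 3 * max_interval


def resolve(profile: RouterAdvertisementProfile) -> Tuple[int, int]:
    """Effective (MinRtrAdvInterval, DefaultLifetime) after the automatic adjustment."""
    mn = profile.min_rtr_adv_interval
    lt = profile.default_lifetime
    if mn is None:
        mn = derived_min_interval(profile.max_rtr_adv_interval)
    if lt is None:
        lt = derived_default_lifetime(profile.max_rtr_adv_interval)
    return mn, lt


def validate(profile: RouterAdvertisementProfile) -> List[str]:
    """Bounds from RFC 4861 section 6.2.1, the IPv6 minimum link MTU (1280 bytes) and
    the 8-bit Cur Hop Limit field. Returns a list of problems, empty when valid."""
    mx = profile.max_rtr_adv_interval
    mn, lt = resolve(profile)
    problems = []
    if not 4 <= mx <= 1800:
        problems.append(f"MaxRtrAdvInterval {mx} outside 4..1800 seconds")
    if not 3 <= mn <= mx * 75 // 100:
        problems.append(f"MinRtrAdvInterval {mn} outside 3..0.75*MaxRtrAdvInterval ({mx * 75 // 100})")
    if lt != 0 and not mx <= lt <= 9000:
        problems.append(f"DefaultLifetime {lt} must be 0 or between MaxRtrAdvInterval and 9000")
    if profile.link_mtu != 0 and profile.link_mtu < 1280:
        problems.append(f"LinkMTU {profile.link_mtu} is below the IPv6 minimum of 1280")
    if not 0 <= profile.cur_hop_limit <= 255:
        problems.append("CurHopLimit does not fit in 8 bits")
    return problems


def demo() -> dict:
    reference = RouterAdvertisementProfile()                       # reference defaults
    fast = RouterAdvertisementProfile(max_rtr_adv_interval=100)    # derived values follow
    bad = RouterAdvertisementProfile(max_rtr_adv_interval=600, min_rtr_adv_interval=500,
                                     default_lifetime=300, link_mtu=1000)
    return {"reference": resolve(reference), "reference_problems": validate(reference),
            "fast": resolve(fast), "bad_problems": validate(bad)}
```

A DefaultLifetime of zero is a legitimate value: it advertises the prefix information without offering the firewall as a default router, which the validation above allows while rejecting lifetimes shorter than the advertisement interval.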

3.78. RoutingSettings

Description

Routing settings.

Properties

HostMonitorInterval
Default delay in milliseconds between each route host monitor attempt. (Default: 1000)
GatewayMonitorInterval
Default delay in milliseconds between each gateway monitor attempt. (Default: 1000)
GracePeriod
Default delay in seconds after system start before starting to monitor the route. (Default: 30)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.79. RoutingTable

Description

The system has a predefined main routing table. Alternate routing tables can be defined by the user.

Properties

Name
Specifies a symbolic name for the routing table. (Identifier)
AllowHARoutes
Defines if the routing table is allowed to contain HA node local routes. (Default: No)
Ordering
Specifies how a route lookup is done in a named routing table. (Default: Only)
Comments
Text describing the current object. (Optional)

3.79.1. Route

Description

A route defines what interface and gateway to use in order to reach a specified network.

Properties

Name
Specifies a symbolic name for the object. (Optional)
Interface
Specifies which interface packets destined for this route shall be sent through.
Gateway
Specifies the IP address of the next router hop used to reach the destination network. If the network is directly connected to the firewall interface, no gateway address is specified. (Optional)
LocalIP
The IP address specified here will be automatically published on the corresponding interface. This address will also be used as the sender address in ARP queries. If no address is specified, the firewall's interface IP address will be used. (Optional)
MTU
Specifies the size (in bytes) of the largest packet excluding any Ethernet headers, that can be passed using the route. (Default: InheritFromInterface)
AdvertiseIP6
Enable IPv6 Router Advertisement announcing for this route. (Default: No)
AdvertisedValidLifetime
The value to be placed in the Valid Lifetime in the Prefix Information option, in seconds. The designated value of all 1's (0xffffffff) represents infinity. (Default: 2592000)
AdvertisedAsOnLinkFlag
The value to be placed in the on-link flag (L-bit) field in the Prefix Information option. Indicates that this prefix can be used for on-link determination. (Default: Yes)
AdvertisedPreferredLifetime
The value to be placed in the Preferred Lifetime in the Prefix Information option, in seconds. The designated value of all 1's (0xffffffff) represents infinity. (Default: 604800)
AdvertisedAsAutonomousFlag
The value to be placed in the Autonomous Flag field in the Prefix Information option. Indicates that the advertised prefix can be used for stateless address configuration. (Default: Yes)
RouteMonitor
Control the status (enabled/disabled) of the route through the use of various monitoring methods. (Default: No)
MonitorHosts
Monitor route through the availability of a set of hosts. (Default: No)
MonitorGateway
Monitor the gateway of the route. (Default: No)
GatewayMonitorInterval
Delay in milliseconds between each attempt to monitor the gateway. (Optional)
MinReachability
Minimum number of hosts required to be reachable for the route to be enabled. (Default: One)
GracePeriod
Delay in seconds after system start before starting to monitor the route. (Optional)
GratuitousARPNDOnChange
Send gratuitous ARP/ND on failover to alert hosts about changed interface Ethernet and IP addresses. (Default: Yes)
Network
Specifies the network address for this route.
Metric
Specifies the metric for this route. (Default: 100)
ProxyARPAllInterfaces
Always select all interfaces, including new ones, for publishing routes via Proxy ARP. (Default: No)
ProxyARPInterfaces
Specifies the interfaces on which the firewall should publish routes via Proxy ARP. (Optional)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.79.1.1. MonitoredHost

Description

Specify a host and a monitoring method.

Properties

MonitoringMethod
Monitoring method. (Default: ICMP)
IPAddress
IP address of host.
OriginatorIP
Originator/source IP when monitoring the host. (Optional)
HostMonitorInterval
Delay in milliseconds between each monitor attempt. (Optional)
Samples
Required number of monitoring samples/attempts before determining the status of the host. (Default: 10)
MaxFailedSamples
The maximum number of failed samples/attempts before the host is marked as unreachable. (Default: 2)
MaxLatency
Maximum average latency before the host is marked as unreachable. (Default: 800)
ReachabilityRequired
Specifies whether the host is required to be reachable for host monitoring to be successful. (Default: No)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
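The MonitoredHost properties together with MonitorHosts, MinReachability and ReachabilityRequired on the Route describe a two-level decision: each host is judged from a window of Samples probe results, and the route is enabled or disabled from the set of host verdicts. The added example below, not cOS Stream code, implements that reading: a host is unreachable when more than MaxFailedSamples of the last Samples probes got no reply or when the average latency of the replies exceeds MaxLatency, a ReachabilityRequired host must always be up, and MinReachability "One" needs any host up. The value "All", the treatment of a host with too few samples as not yet reachable, and the probe histories are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MonitoredHost:
    ip_address: str
    samples: int = 10                    # Samples
    max_failed_samples: int = 2          # MaxFailedSamples
    max_latency: int = 800               # MaxLatency, milliseconds
    reachability_required: bool = False  # ReachabilityRequired


def host_status(host: MonitoredHost, results: List[Optional[float]]) -> Optional[bool]:
    """Judge a host from its last Samples probe results (latency in ms, None = no reply).
    None while fewer than Samples results exist; False when more than MaxFailedSamples
    probes failed or the average latency of the replies exceeds MaxLatency."""
    window = results[-host.samples:]
    if len(window) < host.samples:
        return None
    replies = [r for r in window if r is not None]
    if len(window) - len(replies) > host.max_failed_samples:
        return False
    if replies and sum(replies) / len(replies) > host.max_latency:
        return False
    return True


def route_enabled(hosts: List[MonitoredHost], results: Dict[str, List[Optional[float]]],
                  min_reachability: str = "One") -> bool:
    """Route decision for MonitorHosts=Yes. Every ReachabilityRequired host must be up;
    beyond that, MinReachability "One" needs any host up and "All" (assumed value) needs
    every host up. A host whose status is still undetermined counts as not reachable."""
    status = {h.ip_address: host_status(h, results.get(h.ip_address, [])) for h in hosts}
    if any(status[h.ip_address] is not True for h in hosts if h.reachability_required):
        return False
    up = sum(1 for s in status.values() if s is True)
    if min_reachability == "All":
        return up == len(hosts)
    return up >= 1


# constructed probe histories (ms; None = timeout)
PROBES = {
    "192.0.2.1": [12, 15, None, 14, 13, None, 11, 16, 12, 14],            # 2 timeouts: allowed
    "192.0.2.2": [900, 850, 920, 880, 910, 870, 905, 895, 915, 890],      # replies, but too slow
    "192.0.2.3": [10, None, None, None, 11, 12, 10, 13, 11, 12],          # 3 timeouts: too many
    "192.0.2.4": [10, 11],                                                # not enough samples yet
}


def demo() -> dict:
    a, b, c, d = (MonitoredHost(ip) for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"))
    c_required = MonitoredHost("192.0.2.3", reachability_required=True)
    return {"status": {h.ip_address: host_status(h, PROBES[h.ip_address]) for h in (a, b, c, d)},
            "one_of_ab": route_enabled([a, b], PROBES),
            "all_of_ab": route_enabled([a, b], PROBES, "All"),
            "with_required_c": route_enabled([a, c_required], PROBES)}
```

The latency rule is worth noting when choosing MaxLatency: a host that answers every probe can still take the route down if it answers slowly, so the threshold should sit well above the path's normal round-trip time.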

3.79.2. HARoute

Description

A HA enabled route. Can be set individually for each HA node.

Properties

Name
Specifies a symbolic name for the object. (Optional)
MasterInterface
Specifies which interface, on the Master node of an HA cluster, packets destined for this route shall be sent through.
SlaveInterface
Specifies which interface, on the Slave node of an HA cluster, packets destined for this route shall be sent through.
Gateway
Specifies the IP address of the next router hop used to reach the destination network. If the network is directly connected to the firewall interface, no gateway address is specified. (Optional)
LocalIP
The IP address specified here will be automatically published on the corresponding interface. This address will also be used as the sender address in ARP queries. If no address is specified, the firewall's interface IP address will be used. (Optional)
MTU
Specifies the size (in bytes) of the largest packet excluding any Ethernet headers, that can be passed using the route. (Default: InheritFromInterface)
Network
Specifies the network address for this route.
Metric
Specifies the metric for this route. (Default: 100)
ProxyARPAllInterfaces
Always select all interfaces, including new ones, for publishing routes via Proxy ARP. (Default: No)
ProxyARPInterfaces
Specifies the interfaces on which the firewall should publish routes via Proxy ARP. (Optional)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.79.3. RouteExportRule

Description

A routing table export rule creates a filter that selects statically configured routes. The filtered routes can then be exported through action rules to "route distribution services" such as OSPF.

Properties

Name
Specifies a symbolic name for the rule. (Optional)
DestinationInterface
Specifies an interface which filtered routes need to match. (Optional)
DestinationNetworkExactly
Specifies a network range which filtered routes need to match exactly. (Optional)
DestinationNetworkIn
Specifies a network range which filtered routes need to be within. (Optional)
NextHop
Specifies the next (router) hop which filtered routes need to match. (Optional)
MetricRange
Specifies a metric interval which filtered routes need to be within. (Optional)
LogEnabled
Enable logging. (Default: Yes)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.79.3.1. ExportToOSPF

The definitions here are the same as in Section 3.9.7.2, ExportToOSPF.

3.79.3.2. ExportToBGP

The definitions here are the same as in Section 3.65.2.2, ExportToBGP.

3.80. SCTPSettings

Description

SCTP Settings

Properties

SCTPEnabled
Whether to enable SCTP support. When set to "No", IP services such as "all_services" may set up flows for SCTP; these will be handled like an unknown (but allowed) IP protocol and be forwarded without any SCTP-specific handling or validation. (Default: Yes)
SCTPMinInitWindowCredit
Minimum allowed advertised window credit during the initial negotiation. This represents the maximum amount of user data that can be received (in bytes). Lower values than 1500 will break RFC 4960. (Default: 1500)
SCTPMaxHandshake
Maximum allowed state-tracked concurrent attempts to setup new SCTP associations; including association restarts. (Default: 1500)
SCTPMaxAssocLinks
Maximum allowed concurrent state-tracked SCTP association links. This is not the same as the maximum number of state-tracked SCTP associations; rather, it is the number of IP tuple combinations that all state-tracked associations maintain together. Depending on the number of IP aliases used per association, the value ranges from 1 to 1024 per state-tracked association. (Default: 1048576)
SCTPHandshakeLifetime
Maximum lifetime (in seconds) of the setup phase for a state-tracked SCTP association. This should be the maximum time needed for the INIT/INIT-ACK/COOKIE-ECHO/COOKIE-ACK handshake. (Default: 4)
SCTPShutdownLifetime
Maximum lifetime (in seconds) of the shutdown phase for a state-tracked SCTP association. See "T5-shutdown-guard" in Section 9.2 of RFC 4960 for details. (Default: 80)
SCTPIdleLifetime
Maximum idle lifetime (in seconds) for an established state-tracked SCTP association. The association is idle when it has no flows. (Default: 604800)
SCTPNonZeroPadding
Decides how to handle non-zero padding. (Default: StripLog)
SCTPPaddingInsideChunk
Decides how to handle padding inside a chunk. (Default: Log)
SCTPPaddingChunk
Decides how to handle a padding chunk. (Default: Log)
SCTPValidateChecksum
How to handle the SCTP checksum. (Default: KeyPacketsOnly)
SCTPUnknownAddressType
What to do when the "supported address types" parameter contains unknown address types. (Default: StripLog)
SCTPLogFormatError
Decides how the device will log SCTP packets with incorrect structure or with well-known chunk and parameter types that have an invalid length (the packet will always be dropped). (Default: ObeyRule)
SCTPLogUnknownMandChunk
Decides how the device will log unknown but mandatory SCTP chunk types. (Default: ObeyRule)
SCTPLogUnknownOptChunk
Decides how the device will log unknown and optional SCTP chunk types. (Default: ObeyRule)
SCTPLogUnknownMandParam
Decides how the device will log unknown but mandatory SCTP chunk parameter types. (Default: ObeyRule)
SCTPLogUnknownOptParam
Decides how the device will log unknown and optional SCTP chunk parameter types. (Default: ObeyRule)
SCTPUnknownMandChunk
Decides how to handle unknown but mandatory SCTP chunk types; what RFC 4960 mentions as the "highest-order type bits 00" in Section 3.2. The behavior stated in the RFC roughly translates into "silently ignore the remaining chunks of this packet". (Default: Allow)
SCTPUnknownMandChunkNotify
Decides how to handle unknown but mandatory SCTP chunk types where the peer demands to be notified on failure; what RFC 4960 mentions as the "highest-order type bits 01" in Section 3.2. The behavior stated in the RFC roughly translates into "ignore the remaining chunks of this packet and send error notification about this to peer". (Default: Allow)
SCTPUnknownOptChunk
Decides how to handle unknown and optional SCTP chunk types; what RFC 4960 mentions as the "highest-order type bits 10" in Section 3.2. The behavior stated in the RFC roughly translates into "silently ignore this chunk". (Default: Allow)
SCTPUnknownOptChunkNotify
Decides how to handle unknown and optional SCTP chunk types where the peer demands to be notified on failure; what RFC 4960 mentions as the "highest-order type bits 11" in Section 3.2. The behavior stated in the RFC roughly translates into "ignore this particular chunk and send error notification about this to peer". (Default: Allow)
SCTPUnknownMandParam
Decides how to handle unknown but mandatory SCTP chunk parameter types; what RFC 4960 mentions as the "highest-order type bits 00" in Section 3.2.1. The behavior stated in the RFC roughly translates into "ignore the remaining parameters of this chunk". (Default: Allow)
SCTPUnknownMandParamNotify
Decides how to handle unknown but mandatory SCTP chunk parameter types where the peer demands to be notified on failure; what RFC 4960 mentions as the "highest-order type bits 01" in Section 3.2.1. The behavior stated in the RFC roughly translates into "ignore the remaining parameters of this chunk and send error notification about this to peer". (Default: Allow)
SCTPUnknownOptParam
Decides how to handle unknown and optional SCTP chunk parameter types; what RFC 4960 mentions as the "highest-order type bits 10" in Section 3.2.1. The behavior stated in the RFC roughly translates into "silently ignore this particular parameter". (Default: Allow)
SCTPUnknownOptParamNotify
Decides how to handle unknown and optional SCTP chunk parameter types where the peer demands to be notified on failure; what RFC 4960 mentions as the "highest-order type bits 11" in Section 3.2.1. The behavior stated in the RFC roughly translates into "ignore this particular parameter and send error notification about this to peer". (Default: Allow)
SCTPMultihoming
Decides how to handle 'IPv4' and 'IPv6' address parameters for multihoming purposes when stateless SCTP is in use. In case of stateful SCTP the 'IPv4' or 'IPv6' address parameters that do not match the IP rule used or that exceed the maximum limit of IP aliases set on the SCTP service used will always be stripped. (Default: UnrestrictLog)
SCTPHostNameAddressParam
Decides how to handle 'DNS' Host Name address parameters for multihoming purposes (note that a 'DNS' address is resolved by an external entity whose integrity is unknown). (Default: AllowLog)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.
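The SCTPUnknown*Chunk* settings above all hinge on one detail of RFC 4960 section 3.2: the two highest-order bits of a chunk type tell a receiver what to do with a type it does not recognize (00 stop and discard silently, 01 stop and report, 10 skip silently, 11 skip and report). The added example below, not cOS Stream code, walks the chunks of constructed SCTP packets and classifies unknown types by those bits, flags non-zero padding (the case SCTPNonZeroPadding governs) and invalid lengths (SCTPLogFormatError), and verifies the CRC32c checksum that SCTPValidateChecksum refers to. RFC 4960 Appendix B stores the 32-bit checksum least-significant byte first, which is what the builder and parser assume; the ports, verification tag and chunk contents are constructed.

```python
import struct

# RFC 4960 section 3.2: the two highest-order bits of an unknown chunk type select the action
UNKNOWN_CHUNK_ACTIONS = {
    0b00: "stop processing this packet and discard it, do not process any further chunks",
    0b01: "stop processing this packet, discard it, and report the chunk in an ERROR",
    0b10: "skip this chunk and continue processing",
    0b11: "skip this chunk and continue processing, but report it in an ERROR",
}
# chunk types assigned in RFC 4960 section 3.2
KNOWN_CHUNK_TYPES = {0: "DATA", 1: "INIT", 2: "INIT ACK", 3: "SACK", 4: "HEARTBEAT",
                     5: "HEARTBEAT ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN ACK",
                     9: "ERROR", 10: "COOKIE ECHO", 11: "COOKIE ACK", 12: "ECNE",
                     13: "CWR", 14: "SHUTDOWN COMPLETE"}


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli), the checksum SCTP uses; bitwise reflected form."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def parse_sctp(packet: bytes) -> dict:
    """Verify the checksum, walk the chunks and classify unknown chunk types."""
    if len(packet) < 12:
        raise ValueError("shorter than the SCTP common header")
    src_port, dst_port, vtag = struct.unpack("!HHI", packet[:8])
    stored = struct.unpack("<I", packet[8:12])[0]          # LSB first, RFC 4960 Appendix B
    computed = crc32c(packet[:8] + b"\x00" * 4 + packet[12:])  # checksum field zeroed
    chunks, findings = [], []
    off = 12
    while off < len(packet):
        if len(packet) - off < 4:
            findings.append(f"offset {off}: truncated chunk header")
            break
        ctype, flags, length = struct.unpack("!BBH", packet[off:off + 4])
        if length < 4 or off + length > len(packet):
            findings.append(f"offset {off}: chunk type {ctype} has invalid length {length}")
            break
        padded = (length + 3) & ~3                           # chunks are 4-byte aligned
        if any(packet[off + length:off + padded]):
            findings.append(f"offset {off}: non-zero padding after chunk type {ctype}")
        action = None if ctype in KNOWN_CHUNK_TYPES else UNKNOWN_CHUNK_ACTIONS[ctype >> 6]
        chunks.append({"type": ctype, "name": KNOWN_CHUNK_TYPES.get(ctype, "unknown"),
                       "flags": flags, "length": length, "action": action})
        if action is not None and (ctype >> 6) in (0b00, 0b01):
            findings.append(f"offset {off}: unknown type {ctype} stops processing, rest discarded")
            break
        off += padded
    return {"src_port": src_port, "dst_port": dst_port, "vtag": vtag,
            "checksum_ok": stored == computed, "chunks": chunks, "findings": findings}


def chunk(ctype: int, flags: int, value: bytes) -> bytes:
    """Encode one chunk with zero padding to a 4-byte boundary (padding not in Length)."""
    return struct.pack("!BBH", ctype, flags, 4 + len(value)) + value + b"\x00" * (-len(value) % 4)


def build_packet(src: int, dst: int, vtag: int, chunks: bytes, corrupt: bool = False) -> bytes:
    header = struct.pack("!HHI", src, dst, vtag)
    crc = crc32c(header + b"\x00" * 4 + chunks) ^ (1 if corrupt else 0)
    return header + struct.pack("<I", crc) + chunks


def demo() -> dict:
    """Constructed packets: HEARTBEAT followed by unknown types 0xC0 (bits 11) and 0x80 (bits 10)."""
    heartbeat = chunk(4, 0, struct.pack("!HH", 1, 8) + b"info")   # Heartbeat Info parameter
    good = build_packet(5000, 5001, 0x12345678,
                        heartbeat + chunk(0xC0, 0, b"\x01") + chunk(0x80, 0, b""))
    # the same, with a non-zero byte in the padding and a corrupted checksum
    bad_chunk = struct.pack("!BBH", 0xC0, 0, 5) + b"\x01\xAA\x00\x00"
    bad = build_packet(5000, 5001, 0x12345678, heartbeat + bad_chunk + chunk(0x80, 0, b""),
                       corrupt=True)
    # unknown type 0x40 (bits 01): processing stops, the trailing chunk is never reached
    stop = build_packet(5000, 5001, 0x12345678,
                        heartbeat + chunk(0x40, 0, b"") + chunk(0x80, 0, b""))
    return {"good": parse_sctp(good), "bad": parse_sctp(bad), "stop": parse_sctp(stop)}
```

The "stop" case is why the mandatory-chunk settings exist as separate knobs: a type with high-order bits 00 or 01 hides everything after it from a conforming receiver, so what a firewall lets through in that position decides whether the peer ever sees the remaining chunks.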

3.81. ServiceGroup

Description

A Service Group is a collection of service objects, which can then be used by different policies in the system.

Properties

Name
Specifies a symbolic name for the service. (Identifier)
Members
Group members.
Comments
Text describing the current object. (Optional)

3.82. ServiceICMP

Description

An ICMP Service is an object definition representing ICMP traffic with specific parameters.

Properties

Name
Specifies a symbolic name for the service. (Identifier)
MessageTypes
Specifies the ICMP message types that are applicable to this service. (Default: All)
EchoRequest
Enable matching of Echo Request messages. (Default: No)
EchoRequestCodes
Specifies which Echo Request message codes should be matched. (Default: 0-255)
DestinationUnreachable
Enable matching of Destination Unreachable messages. (Default: No)
DestinationUnreachableCodes
Specifies which Destination Unreachable message codes should be matched. (Default: 0-255)
Redirect
Enable matching of Redirect messages. (Default: No)
RedirectCodes
Specifies which Redirect message codes should be matched. (Default: 0-255)
ParameterProblem
Enable matching of Parameter Problem messages. (Default: No)
ParameterProblemCodes
Specifies which Parameter Problem message codes should be matched. (Default: 0-255)
EchoReply
Enable matching of Echo Reply messages. (Default: No)
EchoReplyCodes
Specifies which Echo Reply message codes should be matched. (Default: 0-255)
SourceQuenching
Enable matching of Source Quenching messages. (Default: No)
SourceQuenchingCodes
Specifies which Source Quenching message codes should be matched. (Default: 0-255)
TimeExceeded
Enable matching of Time Exceeded messages. (Default: No)
TimeExceededCodes
Specifies which Time Exceeded message codes should be matched. (Default: 0-255)
ConversionError
Enable matching of Conversion Error messages. (Default: No)
ConversionErrorCodes
Specifies which Conversion Error message codes should be matched. (Default: 0-255)
PassICMPReturn
Enable passing an ICMP error message only if it is related to an existing connection using this service. (Default: No)
AppProto
Specifies the application protocol that controls what extended processing/validation is available for traffic using this service. (Optional)
Comments
Text describing the current object. (Optional)

3.83. ServiceICMPv6

Description

An ICMPv6 Service is an object definition representing ICMPv6 traffic with specific parameters.

Properties

Name
Specifies a symbolic name for the service. (Identifier)
MessageTypes
Specifies the ICMP message types that are applicable to this service. (Default: All)
EchoRequest
Enable matching of IPv6 Echo Request messages. (Default: No)
EchoRequestCodes
Specifies which Echo Request message codes should be matched. (Default: 0-255)
DestinationUnreachable
Enable matching of Destination Unreachable IPv6 messages. (Default: No)
DestinationUnreachableCodes
Specifies which Destination Unreachable message codes should be matched. (Default: 0-255)
ParameterProblem
Enable matching of Parameter Problem IPv6 messages. (Default: No)
ParameterProblemCodes
Specifies which Parameter Problem message codes should be matched. (Default: 0-255)
EchoReply
Enable matching of Echo Reply messages. (Default: No)
EchoReplyCodes
Specifies which Echo Reply message codes should be matched. (Default: 0-255)
PacketTooBig
Enable matching of Packet Too Big IPv6 messages. (Default: No)
PacketTooBigCodes
Specifies which Packet Too Big message codes should be matched. (Default: 0-255)
TimeExceeded
Enable matching of Time Exceeded messages. (Default: No)
TimeExceededCodes
Specifies which Time Exceeded message codes should be matched. (Default: 0-255)
PassICMPReturn
Enable passing an ICMP error message only if it is related to an existing connection using this service. (Default: No)
AppProto
Specifies the application protocol that controls what extended processing/validation is available for traffic using this service. (Optional)
Comments
Text describing the current object. (Optional)

3.84. ServiceIPProto

Description

An IP Protocol Service is a definition of an IP protocol with specific parameters.

Properties

Name
Specifies a symbolic name for the service. (Identifier)
IPProto
IP protocol number or range, e.g. "1-4,7" will match the protocols ICMP, IGMP, GGP, IP-in-IP and CBT. (Default: 0-255)
PassICMPReturn
Enable passing an ICMP error message only if it is related to an existing connection using this service. (Default: No)
AppProto
Specifies the application protocol that controls what extended processing/validation is available for traffic using this service. (Optional)
Comments
Text describing the current object. (Optional)

3.85. ServiceSCTP

Description

An SCTP Service is a definition of the SCTP protocol with specific parameters.

Properties

Name
Specifies a symbolic name for the service. (Identifier)
DestinationPorts
Specifies the destination port or the port ranges applicable to this service.
SourcePorts
Specifies the source port or the port ranges applicable to this service. (Default: 0-65535)
MaxOutboundStreams
The configured value will be used to clamp the value for the number of Outbound Streams in an INIT chunk, and the value for the number of Inbound Streams in an INIT ACK chunk. (Default: 10)
MaxInboundStreams
The configured value will be used to clamp the value for the number of Inbound Streams in an INIT chunk, and the value for the number of Outbound Streams in an INIT ACK chunk. (Default: 10)
MaxDataChunks
The maximum allowed number of SCTP DATA chunks in each SCTP packet. Packets violating this are dropped. Can be set to 1 to disable DATA chunk bundling support. (Default: 50)
MaxControlChunks
The maximum allowed number of SCTP control chunks in each SCTP packet. Packets violating this are dropped. (Default: 5)
MaxSourceAddresses
Maximum number of IP addresses an initiator of an association can use including the primary IP. IP addresses that exceed this limit shall be stripped. (Default: 2)
MaxDestAddresses
Maximum number of IP addresses a responder of an association can use including the primary IP. IP addresses that exceed this limit shall be stripped. (Default: 2)
PPIDFiltering
Specifies whether blacklisting or whitelisting should be considered for Payload Protocol Identifier (PPID) validation of an SCTP DATA chunk. (Default: Blacklist)
Whitelist
Whitelist filter on Payload Protocol Identifier (PPID). If configured, only DATA chunks with these PPIDs will be allowed. SCTP associations carrying disallowed DATA chunks will be closed. Note: Whitelist and Blacklist are mutually exclusive; only one of them can be configured at the same time. (Optional)
Blacklist
Blacklist filter on Payload Protocol Identifier (PPID). If configured, DATA chunks with these PPIDs will be disallowed and all others allowed. SCTP associations carrying disallowed DATA chunks will be closed. Note: Whitelist and Blacklist are mutually exclusive; only one of them can be configured at the same time. For the whitelist to be selectable, the blacklist must be disabled. (Optional)
PassICMPReturn
Enable passing an ICMP error message only if it is related to an existing connection using this service. (Default: No)
AppProto
Specifies the application protocol that controls what extended processing/validation is available for traffic using this service. (Optional)
Comments
Text describing the current object. (Optional)

3.86. ServiceTCPUDP

Description

A TCP/UDP Service is a definition of a TCP or UDP protocol with specific parameters.

Properties

Name
Specifies a symbolic name for the service. (Identifier)
DestinationPorts
Specifies the destination port or the port ranges applicable to this service.
Type
Specifies whether this service uses the TCP or UDP protocol or both. (Default: TCP)
SourcePorts
Specifies the source port or the port ranges applicable to this service. (Default: 0-65535)
PassICMPReturn
Enable passing an ICMP error message only if it is related to an existing connection using this service. (Default: No)
AppProto
Specifies the application protocol that controls what extended processing/validation is available for traffic using this service. (Optional)
Comments
Text describing the current object. (Optional)

3.87. SIPAlgProfile

Description

A SIP profile configures extended processing of SIP traffic.

Properties

Name
Specifies a symbolic name for the SIP profile. (Identifier)
MaxSessions
Maximum number of concurrent sessions. (Default: 1000)
MaxSessionsPerId
Maximum number of sessions per SIP URI. (Default: 5)
MaxRegistrationTime
The maximum allowed time in seconds between registration requests. (Default: 3600)
SipSignalTimeout
Timeout value for last seen SIP message (in seconds). (Default: 14400)
Comments
Text describing the current object. (Optional)

3.88. SSHClientKey

Description

The public key of the client connecting to the SSH server.

Properties

Name
Specifies a symbolic name for the key. (Identifier)
PublicKey
Specifies the public key data.
Comments
Text describing the current object. (Optional)

3.89. SSLInspectionProfile

Description

An SSL Inspection profile enables SSL/TLS traffic to be decrypted and inspected. The data can either be re-encrypted or sent as cleartext in order to offload the server.

Properties

Name
Specifies a symbolic name for the SSL Inspection profile. (Identifier)
AllowedCipherSuites
Acceptable cipher suites. (Default: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA)
MinTLSVersion
Minimum allowed TLS version. (Default: TLSv1.2)
ServerConnection
Specifies whether or not to encrypt traffic on the internal protected side. (Default: SSL/TLS)
ServerCertMatching
Specifies whether the server certificate should match the configured certificate. (Default: Strict)
DetectOpportunisticTLS
Enable scanning of client data to detect when plaintext communication is upgraded to TLS encrypted communication. (Default: No)
Comments
Text describing the current object. (Optional)

3.89.1. SSLServer

Description

An SSL server specifies how to identify the system to the client.

Properties

Name
Specifies a symbolic name for the SSL server. (Optional)
ServerNameIndication
A string against which the Server Name Indication (SNI) will be matched.
Certificate
The certificate and private key for the server.
IntermediateCerts
The intermediate certificates between the server certificate and the root certificate. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.90. SSLVPNServer

Description

An SSL VPN tunnel item is used to define an SSL VPN endpoint and will appear as a logical interface in the system.

Properties

Name
Name of this interface. (Identifier)
ClientIPAddresses
The pool of IP addresses to assign to clients.
LocalEndpoint
Specifies the IP addresses clients are connecting to.
RemoteEndpoint
Specifies the IP addresses clients are connecting from. (Default: all-nets)
LocalNetwork
The network on "this side" of the SSL VPN tunnel. The SSL VPN tunnel will be established between this network and the clients. A route to this network is pushed to clients.
TransportProtocol
Transport protocol for SSL VPN. (Default: TCPUDP)
UDPPort
UDP port on which the server is listening. (Default: 1194)
TCPPort
TCP port on which the server is listening. (Default: 443)
KeepAliveInterval
Keepalive messages are sent through the SSL tunnel to inform peers that the VPN connection is still active. The keepalive timer interval is the period of time, in seconds, between each keepalive message. (Default: 10)
KeepAliveTimeout
The keepalive timeout is the period of time, in seconds, after which the server closes a connection where no keepalive messages from the client have been seen. (Default: 120)
ReplayWindow
Size of window used to store previously seen packet IDs, used in replay protection for data channel. (Default: 512)
DataChannelCipher
Cipher to use on data channel. (Default: AES-256-GCM)
ControlChannelCipher
Cipher to use on control channel. (Default: ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384)
DNS1
IP of the primary DNS server. (Optional)
DNS2
IP of the secondary DNS server. (Optional)
SourceInterface
The interface that SSL VPN traffic is received on. (Default: any)
AuthProfile
Specifies which authentication profile the client should be authenticated with.
ClientGeolocation
Specifies the valid geolocation of the connecting clients. (Default: any-region)
ServerCert
Certificate used by SSL VPN server.
ServerIntermediateCert
Intermediate certificates to send to client with server certificate. (Optional)
ClientCACert
Client certificates must be signed by this CA. (Optional)
ProxyARPInterfaces
Specifies the interfaces on which the system should publish routes via Proxy ARP. (Optional)
ChallengeText
Specifies the challenge text that shall be sent to SSLVPN clients during MFA. This text will override any text received from a remote authentication source like RADIUS. Setting this to 'empty' will disable challenge text override. (Optional)
Metric
Specifies the metric of dynamically added routes. (Default: 90)
MTU
Specifies the size (in bytes) of the largest packet that can be forwarded. (Default: 1500)
IPAddress
The interface's IP addresses. (Default: 0)
IP4Broadcast
The interface's IPv4 broadcast address. (Optional)
RoutingTableMembership
Interface's routing table membership. (Default: <all>)
LogEnabled
Enable logging. (Default: Yes)
SecurityEquivalentInterfaces
Security and transport equivalent interfaces. (Optional)
Zone
Specifies the zone that this interface is a member of. (Optional)
Comments
Text describing the current object. (Optional)

3.91. SSLVPNSettings

Description

SSLVPN settings

Properties

RateLimitCtrlChan
Packets per second allowed on the control channel, per client. A value of 0 disables rate limiting. (Default: 50)
RateLimitWindowCtrlChan
Time period over which the rate limit is measured. This allows for transient peaks in traffic, without triggering the limit. (Default: 2)
RekeyTransitionWindow
The time in seconds that an old key is still valid after new key negotiation has begun. (Default: 3600)
RekeyInterval
The interval in seconds at which key renegotiation is initiated. (Default: 3600)
HandshakeTimeout
Maximum allowed duration in seconds that a TLS-based key exchange over the SSL VPN control channel is allowed to take. (Default: 60)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.92. SyslogAlgProfile

Description

A Syslog profile configures extended processing of Syslog traffic.

Properties

Name
Specifies a symbolic name for the Syslog profile. (Identifier)
MaxSessions
Maximum number of concurrent sessions. (Default: 1000)
AppendTag
Append the name of the receiving interface to syslog message. (Default: Disabled)
TagPrefix
Optional text to prefix the tagged value. E.g. the prefix 'Iface=' would give the result Iface="if0" for messages arriving on interface "if0". (Optional)
DenyProhibitedKeywords
Drop syslog messages containing prohibited keywords. (Default: No)
ProhibitedKeywords
List of prohibited keywords in syslog payload.
MaxSyslogLength
Maximum payload size in received syslog messages. (Default: 4096)
Comments
Text describing the current object. (Optional)

3.93. System

Description

Global parameters for this system.

Properties

Name
The name of the system (device). (Default: System)
VSID
A non-negative number that uniquely identifies the virtual system. (Default: 1)
ConfigVersion
Configuration version. (Default: 1)
ConfigDate
Date when the current configuration was committed. (Optional)
ControlPlaneCPUCores
The number of full CPU cores that are reserved for control plane processes. With hyper-threading (HT) enabled, each full CPU core includes all its HT lcores. (Requires restart to take effect.) (Restart-required; Default: Auto)
DataPlaneIOThreads
The number of threads used by the dataplane to move packets to/from Ethernet interfaces. (Requires restart to take effect.) (Restart-required; Default: Auto)
ControlPlaneMemory
The amount of memory, in megabytes, that will be available to the control plane. (Requires restart to take effect.) (Restart-required; Default: Auto)
HWModel
Hardware model of this device. (Default: virtual-x64-generic)
ProductName
Product name of this device. (Optional)
HWSerial
Hardware serial number of this device. (Optional)
ProductionDate
Production date of this device. (Optional)
ServiceTag
Service Tag of this device. (Optional)
BaseMAC
Ethernet address of the first interface in this device. (Optional)
Comments
Text describing the current object. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.94. TCPSettings

Description

TCP Settings

Properties

TCPLogInvalidHeaderLen
Controls whether TCP packets with an invalid header length are logged and dropped or just dropped silently. (Default: Yes)
TCPChecksumVerification
Controls whether the TCP checksum should be verified. (Default: AutoDropLogBad)
TCPUnusedNonZeroAckField
Force unused ACK fields to zero; helps prevent connection spoofing. (Default: Strip)
TCPUnusedNonZeroUrgField
Force unused URG fields to zero; prevents small information leak. (Default: Strip)
TCPNonZeroHeaderPadding
Force unused space between the header and the data to zero; prevents small information leak. (Default: Strip)
TCPSynUrg
The TCP URG flag together with SYN; normally invalid (strip=strip URG). (Default: DropLog)
TCPSynPsh
The TCP PSH flag together with SYN; normally invalid but always used by some IP stacks (strip=strip PSH). (Default: Strip)
TCPSynRst
The TCP RST flag together with SYN; normally invalid. (Default: DropLog)
TCPSynFin
The TCP FIN flag together with SYN; normally invalid (strip=strip FIN). (Default: DropLog)
TCPRstFin
The TCP FIN flag together with RST; normally invalid (strip=strip FIN). (Default: DropLog)
TCPFinUrg
The TCP URG flag together with FIN; normally invalid (strip=strip URG). (Default: DropLog)
TCPFinNoAck
The TCP FIN flag without ACK flag; normally invalid. (Default: DropLog)
TCPUrg
The TCP URG flag; many operating systems cannot handle this correctly. (Default: StripLog)
TCPECN
The Explicit Congestion Notification (ECN) flags. Previously known as the "XMAS" / "YMAS" flags. Also used in OS fingerprinting. (Default: StripLog)
TCPRF
The TCP Reserved field; should be zero. Used in OS fingerprinting. (Default: StripLog)
TCPNULL
TCP "NULL" packets without SYN, ACK, FIN or RST; normally invalid, used by scanners. (Default: DropLog)
TCPBadOptionLengths
Decides how the device will handle TCP packets with an incorrectly structured options area or with well-known options that have an invalid length. (Default: DropLog)
TCPMSSMin
Minimum allowed TCP MSS (Maximum Segment Size). (Default: 100)
TCPMSSOnLow
How to handle too low MSS values. (Default: DropLog)
TCPMSSMax
Maximum allowed TCP MSS (Maximum Segment Size). (Default: 1460)
TCPMSSOnHigh
How to handle too high MSS values. (Default: Adjust)
TCPMSSLogLevel
When to log regarding too high TCP MSS, if not logged by TCPMSSOnHigh. Packets with an MSS that exceeds this level will be logged. (Default: 7000)
TCPMSSAutoClamping
Automatically clamp the TCP MSS according to the MTU of the involved interfaces, in addition to TCPMSSMax. (Default: Yes)
TCPInconsistentSACK
Controls how segments with inconsistent sequence number in the SACK option should be handled. (Default: StripLog)
TCPSynOptInNonSyn
Controls how the device acts when it finds a TCP option that should only occur in packets with the SYN flag set in a packet with the SYN flag cleared. (Default: DropLog)
TCPOPT_WSOPT
The WSOPT (Window Scale) option (common). (Default: Allow)
TCPOPT_SACK
The SACK/SACKPERMIT (Selective ACK) options (common). (Default: Allow)
TCPOPT_TSOPT
The TSOPT (Timestamp) option (common). (Default: Allow)
TCPOPT_ALTCHK
The Alternate Checksum options (request and data). (Default: StripLog)
TCPOPT_CC
The CC (Connection Count) option series (semi common). (Default: Strip)
TCPOPT_OTHER
How to handle TCP options not specified above. (Default: StripLog)
TCPScrambleSequenceNumbers
Controls whether TCP sequence numbers will be modified on their way through the device. (Default: Yes)
TCPLogStateViolations
Log packets that violate stateful tracking rules. (Default: Yes)
TCPSeqNumValidationMode
Validation of TCP sequence numbers. (Default: StrictLog)
TCPSeqTooLowLogLevel
Packets with a slightly too low sequence number to fall within the strict window are often quite harmless. They can be caused by, for instance, retransmissions and network delays. This setting sets a limit on how much too low the sequence number must be to be logged to avoid unnecessary logs of harmless packets. The value is a percentage of the maximal window that can be used on the flow. (Default: 125)
TCPAllowReopen
Allow clients to re-open TCP flow states that are either new or in the closed state. (Default: Never)
TCPMaxWindow
Upper limit on window announcements. (Default: 16776960)
TCPOversizedWindow
How to handle packets with too large windows. (Default: AdjustLog)
TCPOversizedSegment
How to handle packets that violate the announced MSS. (Default: DropLog)
TCPTruncHeaderInICMP
Determines how the device will handle ICMP messages with a truncated TCP header in the encapsulated packet. (Default: Allow8BytesLogBad)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.
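As an added example (not code from the cOS Stream reference or its implementation), the function below applies the flag-combination, ECN/reserved-field, option-length and MSS checks listed above to a raw TCP header using the page's default actions, and lets individual settings be overridden the way the CLI would (for instance TCPSynFin set to Strip). make_header and the sample headers are constructed for the example; recomputing the checksum after a Strip or Adjust is left to the caller.

```python
import struct
from typing import Dict, List, Optional, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECN_BITS = 0xC0          # CWR | ECE in the flags byte
MSS_KIND = 2             # TCP option kind for Maximum Segment Size

# Default actions as listed under TCPSettings on this page.
DEFAULTS: Dict[str, object] = {
    "TCPSynUrg": "DropLog", "TCPSynPsh": "Strip", "TCPSynRst": "DropLog",
    "TCPSynFin": "DropLog", "TCPRstFin": "DropLog", "TCPFinUrg": "DropLog",
    "TCPFinNoAck": "DropLog", "TCPNULL": "DropLog", "TCPUrg": "StripLog",
    "TCPECN": "StripLog", "TCPRF": "StripLog", "TCPBadOptionLengths": "DropLog",
    "TCPMSSMin": 100, "TCPMSSOnLow": "DropLog",
    "TCPMSSMax": 1460, "TCPMSSOnHigh": "Adjust",
}

# (setting, predicate on the flags byte, flag removed when the action is Strip*);
# None means the page lists no strip variant for that setting.
FLAG_RULES = [
    ("TCPSynUrg",   lambda f: f & SYN and f & URG,             URG),
    ("TCPSynPsh",   lambda f: f & SYN and f & PSH,             PSH),
    ("TCPSynRst",   lambda f: f & SYN and f & RST,             None),
    ("TCPSynFin",   lambda f: f & SYN and f & FIN,             FIN),
    ("TCPRstFin",   lambda f: f & RST and f & FIN,             FIN),
    ("TCPFinUrg",   lambda f: f & FIN and f & URG,             URG),
    ("TCPFinNoAck", lambda f: f & FIN and not f & ACK,         None),
    ("TCPNULL",     lambda f: not f & (SYN | ACK | FIN | RST), None),
    ("TCPUrg",      lambda f: f & URG,                         URG),
]


def check_tcp_header(hdr: bytes, overrides: Optional[Dict[str, object]] = None
                     ) -> Tuple[str, bytes, List[str]]:
    """Return (verdict, header after any Strip/Adjust, log lines); verdict is
    "Allow" or "DropLog".  overrides replace individual DEFAULTS entries."""
    s = dict(DEFAULTS, **(overrides or {}))
    logs: List[str] = []
    if len(hdr) < 20:
        return "DropLog", hdr, ["TCPLogInvalidHeaderLen: shorter than 20 bytes"]
    buf = bytearray(hdr)
    doff = (buf[12] >> 4) * 4
    if doff < 20 or doff > len(buf):
        return "DropLog", hdr, [f"TCPLogInvalidHeaderLen: data offset {doff}"]

    flags = buf[13]
    for name, matches, strip_flag in FLAG_RULES:   # later rules see stripped flags
        if not matches(flags):
            continue
        action = str(s[name])
        if action.endswith("Log"):
            logs.append(f"{name}: {action}")
        if action.startswith("Drop"):
            return "DropLog", hdr, logs
        if action.startswith("Strip") and strip_flag is not None:
            flags &= ~strip_flag
    if flags & ECN_BITS and str(s["TCPECN"]).startswith("Strip"):
        logs.append(f"TCPECN: {s['TCPECN']}")
        flags &= ~ECN_BITS
    buf[13] = flags
    if buf[12] & 0x0F and str(s["TCPRF"]).startswith("Strip"):   # reserved bits
        logs.append(f"TCPRF: {s['TCPRF']}")
        buf[12] &= 0xF0

    off = 20                                   # walk the options area
    while off < doff:
        kind = buf[off]
        if kind == 0:                          # End of Option List
            break
        if kind == 1:                          # No-Operation
            off += 1
            continue
        olen = buf[off + 1] if off + 1 < doff else 0
        if olen < 2 or off + olen > doff or (kind == MSS_KIND and olen != 4):
            logs.append(f"TCPBadOptionLengths: kind {kind} length {olen}")
            return "DropLog", hdr, logs
        if kind == MSS_KIND:
            mss = struct.unpack_from("!H", buf, off + 2)[0]
            if mss < s["TCPMSSMin"]:
                logs.append(f"TCPMSSOnLow: MSS {mss} < {s['TCPMSSMin']}")
                if str(s["TCPMSSOnLow"]).startswith("Drop"):
                    return "DropLog", hdr, logs
            elif mss > s["TCPMSSMax"]:
                logs.append(f"TCPMSSOnHigh: MSS {mss} > {s['TCPMSSMax']}")
                if str(s["TCPMSSOnHigh"]).startswith("Drop"):
                    return "DropLog", hdr, logs
                if str(s["TCPMSSOnHigh"]).startswith("Adjust"):
                    struct.pack_into("!H", buf, off + 2, s["TCPMSSMax"])
        off += olen
    return "Allow", bytes(buf), logs


def make_header(flags: int, options: bytes = b"", reserved: int = 0) -> bytes:
    """Constructed TCP header (ports 40000 -> 443, seq/ack 0, window 65535)."""
    options += b"\x00" * ((-len(options)) % 4)
    doff = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 0, 0,
                       (doff << 4) | reserved, flags, 65535, 0, 0) + options


if __name__ == "__main__":
    for label, hdr in [("SYN, MSS 9000", make_header(SYN, b"\x02\x04\x23\x28")),
                       ("SYN+FIN", make_header(SYN | FIN)),
                       ("ACK+URG", make_header(ACK | URG))]:
        verdict, out, logs = check_tcp_header(hdr)
        print(f"{label:<14} {verdict:<8} flags=0x{out[13]:02x} {logs}")
```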

3.95. ThresholdRules

Description

The threshold rules are a self-contained set of rules meant to broadly define how to apply threshold actions. The major purpose of such threshold actions is to prevent excessive numbers of flows from being opened, though other uses are also possible.

Properties

Comments
Text describing the current object. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.95.1. ThresholdRule

Description

A threshold rule specifies a filter for matching specific network traffic, how to evaluate the traffic, and what actions to take if the traffic exceeds given threshold definitions.

Properties

Name
Specifies a symbolic name for the rule. (Optional)
SourceInterface
Specifies the name of the receiving interface to be compared to the received packet.
DestinationInterface
Specifies the destination interface to be compared to the received packet.
SourceNetwork
Specifies the sender span of IP addresses to be compared to the received packet.
DestinationNetwork
Specifies the destination span of IP addresses to be compared to the received packet.
Service
Specifies a service that will be used as a filter parameter when matching traffic with this rule.
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.95.1.1. ThresholdSet

Description

A threshold set specifies what action to take if all the threshold definitions within the set are exceeded.

Properties

Name
Specifies a symbolic name for the threshold set. (Optional)
Action
Specifies the action to take when a threshold set is triggered.
ActionLog
Specifies the log behavior when a threshold set is triggered. (Default: ObeyRule)
ActionLogSeverity
Specifies with what severity log events will be sent to the specified log receivers. (Default: Warning)
Probability
Static probability (1-100 percent) that the flow open attempt will be dropped.
Timeout
Seconds before an IP is removed from the blacklist. In case 0 is chosen the blacklist rule will be in effect until a shutdown of the firewall or until it is manually removed via CLI.
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

ThresholdDefinition

Description

A threshold definition specifies how to evaluate network traffic, a threshold limit for that measurement and for how long the limit can be exceeded before the action specified for the threshold set is taken. Note that, if multiple threshold definitions are configured for the threshold set, the limits of all definitions must be exceeded before the action is executed.

Properties

Name
Specifies a symbolic name for the threshold. (Optional)
Type
Specifies the type of measurement for the threshold.
Limit
Maximum threshold limit.
Interval
Interval during which the threshold limit applies. (Optional)
Duration
Duration that the threshold limit may be exceeded without triggering. (Optional)
Grouping
Grouping is a way to partition the traffic matched by the threshold rule into smaller equally-sized units. (Default: None)
GroupingIP4NetworkSize
If users are grouped according to source or destination network, the size of the network has to be specified by this setting. (Default: 16)
GroupingIP6NetworkSize
If users are grouped according to source or destination network, the size of the network has to be specified by this setting. (Default: 64)
Scope
Enable dynamic balancing of groups. (Default: Group)
ThresholdLog
Enable log messages when the threshold definition triggers and when it stops triggering. (Default: Yes)
ThresholdLogSeverity
Specifies with what severity log events will be sent to the specified log receivers. (Default: Default)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.96. TrafficMgmtSettings

Description

Traffic Management Settings

Properties

MaxBlacklistEntries
Maximum number of simultaneous blacklist entries. If the limit is reached, random blacklist entries are replaced when new ones are added. Note: If the limit is decreased, restarting the system is recommended. (Default: Auto)
MaxThresholdMemUsage
Percent of the total memory that may be used by threshold rules. (Default: 10)
ThresholdLingerTime
Maximum time (in seconds) that inactive threshold groups are allowed to linger before the system removes them. (Default: 86400)
FlowRateTrigger
Specifies which packets are counted by the flow rate threshold type. Note that regardless of this setting, the flow rate will only count packets that attempt to set up a new flow (when no flow exists). (Default: InitialHandshake)
MaxPipesMemUsage
Percent of the total memory that may be used by traffic shaping. (Default: 10)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.97. TrafficProfile

Description

A pipe profile combines pipe objects into a traffic shaping profile that can be referenced from an IP rule to determine how the traffic matching that rule should be managed.

Properties

Name
Specifies a symbolic name for the pipe profile. (Identifier)
ForwardChain
Specifies one or more pipes to be used for forward traffic. (Optional)
ReturnChain
Specifies one or more pipes to be used for return traffic. (Optional)
UpdateDSCP
Update the Type of Service field in the IP header with the precedence assigned to the packet by the last pipe object it passes through. (Default: No)
PrecedenceMethod
Specifies what precedence should be assigned to packets before they are sent into a pipe. (Default: PipeDefault)
PrecedenceLevel
Specifies what precedence level to assign to the packets in the forward flow, before being processed by the pipe(s).
ReversePrecedenceLevel
Specifies what precedence level to assign to the packets in the return flow, before being processed by the pipe(s). (Default: Uniform)
Comments
Text describing the current object. (Optional)

3.98. TrafficShapingRules

Description

The traffic shaping rules are a self-contained set of rules meant to broadly define how to apply traffic shaping. The default action is to apply no traffic shaping.

Properties

Comments
Text describing the current object. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.98.1. TrafficShapingRule

Description

A traffic shaping rule associates the specified traffic shaping profile with network traffic that matches the specified filter criteria.

Properties

Name
Specifies a symbolic name for the rule. (Optional)
SourceInterface
Specifies the name of the receiving interface to be compared to the received packet.
DestinationInterface
Specifies the destination interface to be compared to the received packet.
SourceNetwork
Specifies the sender span of IP addresses to be compared to the received packet.
DestinationNetwork
Specifies the destination span of IP addresses to be compared to the received packet.
Service
Specifies a service that will be used as a filter parameter when matching traffic with this rule.
TrafficProfile
Selects a traffic profile to use to shape the traffic.
LogEnabled
Enable logging. (Default: Yes)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.99. TransparencySettings

Description

Settings related to transparent mode

Properties

Transp_CAMToL3CDestLearning
Do L3 Cache learning based on destination IPs and MACs in combination with CAM table contents. (Default: Yes)
Transp_DecrementTTL
Decrement TTL on packets forwarded between transparent interfaces. (Default: No)
NullEnetSender
How to handle packets whose sender MAC in the Ethernet header is the all-zero Ethernet address (0000:0000:0000). (Default: DropLog)
BroadcastEnetSender
How to handle packets whose sender MAC in the Ethernet header is the broadcast Ethernet address (FFFF:FFFF:FFFF). (Default: DropLog)
MulticastEnetSender
How to handle packets whose sender MAC in the Ethernet header is a multicast Ethernet address. (Default: DropLog)
Transparency_ATSExpire
Lifetime of an unanswered ATS entry in seconds. (Default: 3)
Transparency_ATSSize
Number of ATS entries, total. (Default: 4096)
RelaySTP
Relay Spanning-Tree Protocol BPDUs between switched interfaces. (Default: Drop)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.100. TrapReceiverSNMP2c

Description

An SNMPv2c trap receiver used to receive trap events from the system using the standard SNMP trap format and standard trap OIDs.

Properties

Name
Specifies a symbolic name for the log receiver. (Identifier)
Community
Specifies the name of the community to be granted rights to remotely monitor the firewall. (Default: public)
TrapCategory
The Category of the trap. Use '*' to explicitly match all categories. (Default: STARTUP,LINK,SNMP)
RoutingTable
Specifies the routing table to use for communication with the log receiver. (Default: main)
IPAddress
Destination IP address.
Port
Destination port. (Default: 162)
SysName
The name for this managed node. If left empty, the device system name will be used. (Optional)
RepeatCount
Repetition counter. (Default: 0)
SendRateLimit
The maximum number of log messages allowed to be sent per second. (Default: 2000)
Comments
Text describing the current object. (Optional)

3.100.1. TrapException

Description

A trap exception is used to override the trap category filter in the trap receiver.

Properties

LogID
Log Message ID. (Default: *)
Action
EXCLUDE or INCLUDE. (Default: EXCLUDE)
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.101. TrapReceiverSNMP3

Description

An SNMPv3 trap receiver used to receive trap events from the system, using the standard SNMP trap format and standard trap OIDs.

Properties

Name
Specifies a symbolic name for the log receiver. (Identifier)
TrapCategory
The category of the trap. Use '*' to explicitly match all categories. (Default: STARTUP,LINK,SNMP)
RoutingTable
Specifies the routing table to use for communication with the log receiver. (Default: main)
IPAddress
Destination IP address.
Port
Destination port. (Default: 162)
SysName
The name for this managed node. If left empty, the device system name will be used. (Optional)
RepeatCount
Repetition counter. (Default: 0)
SendRateLimit
The maximum number of log messages allowed to be sent per second. (Default: 2000)
UserName
SNMPv3 username.
AuthenticationPassword
SNMPv3 authentication password. (Optional)
SecurityLevel
SNMPv3 security level. (Default: AuthPriv)
AuthenticationMethod
SNMPv3 authentication method. (Default: HMAC-SHA1-96)
PrivacyPassword
SNMPv3 encryption/decryption password. (Optional)
Comments
Text describing the current object. (Optional)

3.101.1. TrapException

The definitions here are the same as in Section 3.100.1, TrapException.

3.102. UDPSettings

Description

UDP Settings

Properties

UDP4ChecksumVerification
Controls if the UDP checksum should be verified for IPv4 packets. (Default: IfHWAssistedLogBad)
UDP6ChecksumVerification
Controls if the UDP checksum should be verified for IPv6 packets. (Default: IfHWAssistedLogBad)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.103. VLAN

Description

A VLAN interface represents a logical endpoint for VLAN-tagged Ethernet traffic (802.1Q) or Ethernet traffic with a VLAN tag (802.1ad) that can contain additional nested tags/VLANs.

Properties

Name
Name of this interface. (Identifier)
MTU
Specifies the size (in bytes) of the largest packet that can be forwarded. (Default: Auto)
IPAddress
The interface's IP addresses. (Default: <inherit>)
IP4Broadcast
The interface's IPv4 broadcast address. (Optional; Default: <inherit>)
PrivateIP
The private IP address of this high availability node. (Optional; Default: <inherit>)
MonitorTargets
The IP addresses of the hosts to monitor for HA diagnostics. (Optional)
RoutingTableMembership
Interface's routing table membership. (Default: <inherit>)
VLANID
Specifies the VLAN ID used for this VLAN interface. Two VLANs on the same base interface cannot have the same VLAN ID.
BaseInterface
Interface where this VLAN is being tunneled.
Type
Select VLAN type. (Default: 8100)
OutboundPrio
Specifies the priority value to use in the VLAN header (when not copying from the packet). (Default: 0)
OutboundPrioPolicy
Specifies how the value of the priority field is determined when adding the VLAN header to outbound packets. (Default: Inherit)
RouterAdvertisementProfile
The Router Advertisement profile that will be used by the interface. (Default: DefaultProfile)
DHCPEnabled
Indicates if this interface uses DHCP. (Optional)
DHCPPreferredIP
IP address preferred by this interface. (Optional)
DHCPServerFilter
Filter for acceptable DHCP server IP addresses. (Optional)
DHCPAddressFilter
Filter for acceptable IP addresses. (Optional)
DHCPPrimaryDNS
IP address of the primary DNS server. (Optional)
DHCPSecondaryDNS
IP address of the secondary DNS server. (Optional)
DefaultGateway
IP address of the default gateway. (Optional)
DHCPNetwork
IP address of the default gateway. (Optional)
DHCPPrimaryNBNS
IP address of the primary NBNS/WINS server. (Optional)
DHCPSecondaryNBNS
IP address of the secondary NBNS/WINS server. (Optional)
DHCPValidateBcast
Require highest network address as broadcast. (Default: Yes)
DHCPAllowGlobalBcast
Allow 255.255.255.255 as Broadcast address. (Default: No)
DHCPARPOnOfferEnabled
Perform ARP resolves on offered address. (Default: Yes)
DHCPCheckIPConflicts
Check for IP collisions with static routes. (Default: Yes)
DHCPCheckNetConflicts
Check for net collisions with static routes. (Default: Yes)
DHCPReleaseOnShutdown
Release active lease on graceful shutdown. (Default: No)
IPv6AddressConfiguration
Controls IPv6 address configuration mode. (Default: Static)
IPv6Network
IPv6 on-link prefixes. (Optional)
IPv6DNS
IPv6 addresses of DNS servers. (Optional)
IPv6Gateway
IPv6 address of default gateway. (Optional)
MaxSLAACAddresses
Maximum number of autoconfigured IPv6 addresses. (Default: 4)
SecurityEquivalentInterfaces
Security and transport equivalent interfaces. (Optional)
Zone
Specifies the zone that this interface is a member of. (Optional)
Comments
Text describing the current object. (Optional)

3.104. VLANSettings

Description

Settings for IEEE 802.1Q and IEEE 802.1ad based Virtual LAN interfaces.

Properties

UnknownVLANID
Policy for handling VLAN packets tagged with an unknown ID. (Default: DropLog)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.105. WatchdogSettings

Description

Watchdog settings

Properties

WatchdogTimeout
Specifies the number of seconds until an unresponsive system is rebooted. (Default: 60)
DPTimeoutStartup
Specifies the maximum number of seconds to wait for the dataplane to start. (Default: 50)
DPTimeoutRuntime
Specifies the maximum number of seconds to wait for dataplane responses during runtime. (Default: 20)
CPTimeoutStartup
Specifies the maximum number of seconds to wait for monitored processes in the control plane to start. (Default: Disabled)
CPTimeoutRuntime
Specifies the maximum number of seconds to wait for responses from monitored processes in the control plane during runtime. (Default: 20)
TimeoutShutdownProcess
Specifies the maximum number of seconds to wait for a process to shut down. (Default: 20)
TimeoutShutdownTotal
Specifies the maximum number of seconds to wait for all processes to shut down. (Default: 30)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.106. Whitelist

Description

A Whitelist Rule Set is a manually configured list of exceptions that specifies IP addresses and services that should never be blacklisted, i.e. even if another subsystem, such as threshold rules, adds an IP address and service to the blacklist, the whitelist takes priority and still allows the IP address to communicate over that service.

Properties

Comments
Text describing the current object. (Optional)
[Note] Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.106.1. WhitelistRule

Description

A whitelist rule specifies IP addresses and services that should never be blacklisted, i.e. even if another subsystem, such as threshold rules, adds an IP address and service to the blacklist, the whitelist takes priority and still allows the IP address to communicate over that service.

Properties

Name
Specifies a symbolic name for the whitelist rule. (Optional)
SourceInterface
Specifies the receiving interface to be compared to the received packet.
SourceIP
Specifies the source IP address to be compared to the received packet.
DestinationIP
Specifies the destination IP address to be compared to the received packet.
Service
Specifies a service that will be used as a filter when matching traffic with this rule.
Comments
Text describing the current object. (Optional)
[Note] Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.107. Zone

Description

Use a zone to group several interfaces for a simplified security policy.

Properties

Name
Name of this zone. (Identifier)
Comments
Text describing the current object. (Optional)