The cOS Stream CLI is accessible using either of the following two methods:
Using the Local Console
Using a management computer running a console emulator connected directly to the local console port on the NetShield 500 Series. This connection is described in Section 2.4, RJ45 Console Port Connection and Section 2.5, Micro-USB Console Port Connection.
Initially, there is no requirement to enter any login credentials when accessing the CLI through the local console port. Local console access is controlled by a predefined configuration object called ComPortAccess. A password can be set by defining an appropriate AuthenticationProfile object and associating it with ComPortAccess.
Using a Network Connection
Using an external management computer running an SSH (Secure Shell) client. The computer connects via its Ethernet interface across an IP network to the IPv4 address 192.168.1.1 on the default management Ethernet interface. For the 500 Series, this default interface is G1.
Setting up the physical network connection for the computer running the SSH client is described in Section 2.3, Management Computer Connection. Network access to the management CLI also needs to be enabled in cOS Stream using the local console CLI.
First, enable the predefined RemoteMgmtSSH rule:
Device:/> set RemoteManagement RemoteMgmtSSH RemoteMgmtSSH -enable
Then the allowed interface and network must be set:
Device:/> set RemoteManagement RemoteMgmtSSH RemoteMgmtSSH SourceInterface=G1 SourceNetwork=G1_net
Authentication is controlled by the AuthProfile property of the RemoteMgmtSSH rule. By default, this is set to a predefined AuthenticationProfile object called MgmtAuthProfile.
Confirming the CLI Connection
Once connection is made to the CLI, pressing the Enter key should get a response from cOS Stream. If connecting directly through the local console port, the response will be a normal CLI prompt and a username/password combination will not be required (a password for this console can be set later):
Device:/>
If connecting remotely through an SSH client, an administration username/password must first be entered and the initial default values for these are:
Username: admin
Password: admin
When these are accepted by cOS Stream, a normal CLI prompt will appear and CLI commands can be entered.
Changing the admin Password
It is strongly recommended to change the password of the admin user as the first task in cOS Stream setup. To do this, use the cc command to change the current CLI object category (also referred to as the context) to be the LocalUserDatabase called AdminUsers:
Device:/> cc LocalUserDatabase AdminUsers
Device:/AdminUsers>
Tip: Using tab completion with the CLI
The tab key can be pressed at any time so that cOS Stream gives a list of possible options in a command.
Next, set a new password for the administrator. Both the username and password are case sensitive. In the example below, the password is set to the value my_new_password.
Device:/AdminUsers> set User admin Password=my_new_password
The next step is to return to the default CLI context:
Device:/AdminUsers> cc
Device:/>
Setting the Date and Time
Many cOS Stream functions, such as event logging and certificate handling, rely on an accurate date and time. It is therefore important that this is set correctly using the time command. A typical usage of this command might be:
Device:/> time -set 2021-03-24 14:43:00
Notice that the date is entered in yyyy-mm-dd format and the time is stated in 24 hour hh:mm:ss format.
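The setup steps above can be checked after the fact from a saved console session log. The following is an added example, not part of the original guide or of cOS Stream: the function name, the finding codes and the sample log are constructed for illustration, and the check that SSH is not enabled before the password change is an assumption drawn from the "first task" recommendation above.

```python
import re

DEFAULT_PASSWORD = "admin"  # initial default value stated in the text above
PROMPT = re.compile(r"^Device:/(?P<ctx>[^>]*)>\s*(?P<cmd>.*)$")
TIME_SET = re.compile(r"time -set \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Constructed sample log: SSH is enabled first and the "new" password is the default.
SAMPLE_SESSION = """\
Device:/> set RemoteManagement RemoteMgmtSSH RemoteMgmtSSH -enable
Device:/> cc LocalUserDatabase AdminUsers
Device:/AdminUsers> set User admin Password=admin
Device:/AdminUsers> cc
Device:/> time -set 24/03/2021 14:43
"""

def audit_session(log):
    """Return a list of finding codes for a first-time setup session log."""
    ssh_on = pw_changed = None      # line numbers where each step happened
    source_set = time_ok = False
    for n, line in enumerate(log.splitlines(), 1):
        m = PROMPT.match(line.strip())
        if not m or not m["cmd"]:
            continue                # command output or a bare prompt
        ctx, cmd = m["ctx"], m["cmd"]
        if cmd.startswith("set RemoteManagement RemoteMgmtSSH"):
            if "-enable" in cmd.split():
                ssh_on = n
            if "SourceInterface=" in cmd and "SourceNetwork=" in cmd:
                source_set = True
        elif ctx == "AdminUsers" and cmd.startswith("set User admin "):
            pw = re.search(r"Password=(\S+)", cmd)
            if pw and pw.group(1) != DEFAULT_PASSWORD:
                pw_changed = n
        elif cmd.startswith("time -set"):
            time_ok = bool(TIME_SET.fullmatch(cmd))
    findings = []
    if pw_changed is None:
        findings.append("ADMIN_PASSWORD_STILL_DEFAULT")
    elif ssh_on is not None and ssh_on < pw_changed:
        findings.append("SSH_ENABLED_BEFORE_PASSWORD_CHANGE")
    if ssh_on is not None and not source_set:
        findings.append("SSH_SOURCE_NOT_SET")
    if not time_ok:
        findings.append("TIME_NOT_SET_OR_BAD_FORMAT")
    return findings

if __name__ == "__main__":
    for code in audit_session(SAMPLE_SESSION):
        print(code)
```

An empty result means the log shows the admin password changed to a non-default value, the SSH source interface and network set, and the time entered in the expected format.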
The Management Ethernet Interface
Network connection to the firewall is via the various Ethernet interfaces provided by the 500 Series. On first-time startup, cOS Stream scans for all Ethernet interfaces, determines which are available, then allocates their names. All Ethernet interfaces are logically equal in cOS Stream and although their physical capabilities may be different, any interface can perform any logical function. One of the interfaces will be automatically assigned as the default management interface (this management interface can be changed later). This is the G1 interface on the 500 Series.
On the 500 Series, this default management interface is enabled as an IPv4 DHCP server and will automatically assign an IPv4 address to a connecting client. The interface is also enabled to send out IPv6 router advertisements so that a connecting IPv6 client can be assigned an IPv6 address automatically.
Note that a DNS server address for clients is also usually automatically allocated. However, if the client interface is IPv6 only (not in dual-stack mode), then the DNS address will have to be manually assigned to the address object called WAN_ip6_dns.