HP TippingPoint
Next Generation Firewall Command Line
Interface Reference Guide
Version 1.0.1
Abstract
This reference manual describes the Next Generation Firewall Command Line Interface (CLI) and the commands you
can use to configure and manage a NGFW appliance.
Part number: 5998-4803
Edition: August 2013, First
Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential
damages in connection with the furnishing, performance, or use of this material.
This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or
translated into another language without the prior written consent of Hewlett-Packard. The information is provided “as is” without warranty of any
kind and is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for
technical or editorial errors or omissions contained herein.
TippingPoint®, the TippingPoint logo, and Digital Vaccine® are registered trademarks of Hewlett-Packard. All other company and product names
may be trademarks of their respective holders. All rights reserved. This document contains confidential information, trade secrets or both, which are
the property of Hewlett-Packard. No part of this documentation may be reproduced in any form or by any means or used to make any derivative
work (such as translation, transformation, or adaptation) without written permission from Hewlett-Packard or one of its subsidiaries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Intel and Itanium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation.
Oracle® is a registered U.S. trademark of Oracle Corporation, Redwood City, California.
UNIX® is a registered trademark of The Open Group.
Printed in US or Puerto Rico
Next Generation Firewall Command Line Interface Reference Guide
The Next Generation Firewall command line interface enables you to configure and manage the NGFW
Appliance from a command line. The NGFW commands can be used in custom scripts to automate tasks.
This section covers the following topics:
• Target Audience, page 1
• Related Documentation, page 1
• Document Conventions, page 2
• Customer Support, page 3
Target Audience
This guide is intended for security network administrators and specialists who are responsible for
monitoring, managing, and improving system security. The audience for this material is expected to be
familiar with the HP TippingPoint Next Generation Firewall.
Related Documentation
Access the documentation at http://www.hp.com/support/manuals. For the most recent updates for your
products, check the HP Networking Support web site at
http://www.hp.com/networking/support.
CLI reference guide 1
Document Conventions
This guide uses the following document conventions.
• Typefaces, page 2
• Document Messages, page 2
Typefaces
HP TippingPoint publications use the following typographic conventions for structuring information:
Table 1-1 Document Typographic conventions
Convention                 Element
Medium blue text           Cross-reference links and e-mail addresses (example: Figure 1)
Blue, underlined text      Web site addresses (example: http://www.hp.com)
Bold font                  Key names; text typed into a GUI element, such as into a box; GUI elements that are clicked or selected, such as menu and list items, buttons, and check boxes. Example: Click OK to accept.
Italics font               Text emphasis, important terms, variables, and publication titles.
Monospace font             File and directory names; system output; code; text typed at the command line
Monospace, italic font     Code variables; command-line variables typed at the command line
Monospace, bold font       Emphasis of file and directory names, system output, code, and text
Document Messages
Document messages are special text that is emphasized by font, format, and icons. This reference guide
contains the following types of messages:
• Warning
• Caution
• Note
• Tip
WARNING! Warning notes alert you to potential danger of bodily harm or other potential harmful
consequences.
CAUTION: Caution notes provide information to help minimize risk, for example, when a failure to follow
directions could result in damage to equipment or loss of data.
NOTE: Notes provide additional information to explain a concept or complete a task. Notes of specific
importance in clarifying information or instructions are denoted as such.
IMPORTANT: Another type of note that provides clarifying information or specific instructions.
TIP: Tips provide helpful hints and shortcuts, such as suggestions about how you can perform a task more
easily or more efficiently.
Customer Support
HP is committed to providing quality customer support to all of its customers. Each customer is provided
with a customized support agreement that provides detailed customer and support contact information.
When you need technical support, use the following information to contact Customer Support.
Contact Information
For additional information or assistance, contact the HP Networking Support:
http://www.hp.com/networking/support
Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions
HP Contact Information
For the name of the nearest HP authorized reseller, see the contact HP worldwide web site:
http://www.hp.com/country/us/en/wwcontact.html
1 Command Line Interface
In addition to the Local System Manager (LSM) and the Centralized Management Capability of the
Security Management System (SMS), a Command-line Interface (CLI) can be used to configure and
manage the NGFW Appliance. The CLI is accessed directly through the console or remotely through SSH.
Non-secure connections, such as Telnet, are not permitted. For the initial setup, the "superuser" account is
set for the appliance. Once that is set, you can log in from the console and set the management port IP
address. SSH and HTTPS are then accessible at the management port IP address.
NOTE: To access the most recent updates to the NGFW product documentation, go to
http://www.hp.com/support/manuals.
This chapter covers the following topics:
• ”Overview” on page 5
• ”Command Modes” on page 7
• ”Configuration File Versions” on page 9
Overview
This chapter covers the hierarchical structure of the CLI, the command line syntax, and an overview of how
to edit, save and manage configuration files. Also provided is a list of unix-like utilities for monitoring
and troubleshooting the system. The display command displays sections of the running configuration file,
or can be used to list a preview of your configuration file edits before you commit to saving them. The
show command provides easy to read sections from log files.
Access to the NGFW is through the console to initially configure management access. The management
port is enabled by default for SSH and LSM management access. All access is determined by group
membership and the management of their roles. To configure granular levels of access, the aaa
(Authentication, Authorization and Auditing) context has the necessary utilities to modify users, groups,
roles, and their capabilities.
Command Line Interface Syntax
The following syntax is used in the CLI.
Table 1-1 Command Line Syntax
Syntax Convention    Explanation
UPPERCASE            Uppercase is replaced by a value that you supply
(x)                  Parentheses indicate a mandatory argument.
[x]                  Brackets indicate an optional argument.
|                    A vertical bar indicates a logical OR, such as alternatives within parentheses or brackets.
Example:
NGFW{}traceroute ? (displays help information)
NGFW{}traceroute (A.B.C.D|HOSTNAME) [from A.B.C.D] [mgmt]
In the above example, the argument for the traceroute command must be either an IP address or a
hostname. An optional argument can either be “from” a source IP address or the argument “mgmt”.
NGFW{}traceroute 198.162.0.1 from 198.162.0.2
NGFW{}traceroute 198.162.0.1 mgmt
Shortcut Navigation Keys
The CLI has the ability to store typed commands in a circular memory. Typed commands can be recalled
with the UP and DOWN arrow keys.
The TAB key may be used to complete partial commands. If the partial command is ambiguous, pressing
the TAB key twice gives a list of possible commands.
Following is a list of shortcuts.
Table 1-2 Shortcut Keys
Shortcut      Description
ENTER         Run the command
TAB           Complete partial command
?             Question mark at the root prompt or after a command (separated by space) will list next valid sub-commands or command arguments. Question mark can also be used after sub-commands for more information. A question mark immediately following a character(s) (no space) will list commands beginning with those characters.
!             Exclamation mark before a command allows you to execute the command from any feature context or sub-level. For example, NGFW{running-gen}!ping 203.0.113.0
UP ARROW      Show the previous command
DOWN ARROW    Show the next command
Ctrl + P      Show the previous command
Ctrl + N      Show the next command
Ctrl + L      Clear the screen, does not clear history
Ctrl + A      Return to the start of the command you are typing
Ctrl + E      Go to the end of the command you are typing
Ctrl + U      Cut the whole line to a special clipboard
Ctrl + K      Cut everything after the cursor to a special clipboard
Ctrl + Y      Paste from the special clipboard used by Ctrl + U and Ctrl + K
Hierarchical Menu and Prompt display
Prompts will be displayed based on the context level as shown in the following table.
Table 1-3 Root, Edit and Log configuration modes
Command Line prompt        Description
NGFW{}                     Top level root command mode
NGFW{}edit                 From the root command line mode, enter the edit command to access configuration mode.
NGFW{running}              Configuration mode, indicated by the prompt change
NGFW{running}firewall      Enters the firewall configuration context
NGFW{running}display       View current configuration and your changes
NGFW{running}commit        Commits changes to the running configuration
NGFW{running}exit          Leaves the current context mode
NGFW{}log-configure        From the root command line mode, enter the log-configure command to access the log configuration mode.
NGFW{log-configure}        Log configuration mode
NGFW{log-configure}help    Display a list of valid commands and syntax usage
NGFW{log-configure}exit    Leave the log configuration mode
Help
The help command provides a list of commands within the current context and the command line usage.
The help command can be executed with or without an argument.
• Enter help or ? to see a list of all commands. (A question mark at any context level generates a list of
available commands within the context, along with a brief description.)
• Enter help commandname to see the syntax for a command.
• Enter commandname ? to list the options for a command. For example, ping ?.
• Enter string? to show the commands or keywords that match the string. For example, s?.
Command Modes
The NGFW uses a hierarchical menu structure. Within this structure, commands are grouped by functional
area within one of three command modes: Root Command mode, Edit Configuration mode (edit), and Log Configuration mode (log-configure). At the top of the hierarchy is the Root command mode.
A context is an environment in which a set of parameters can be configured for a feature or named
object. A context can be the name of an instance of an object set by the administrator, or can be the
feature itself. The current context is indicated in the command prompt, and its visibility is determined by
the user’s role.
Administrative access allows you to modify the configuration of the NGFW appliance. Not all
contexts may be visible.
The help and display commands are useful in becoming familiar with the context options. The question
mark (?) lists the next valid entry and help for this entry.
If the appliance is controlled by SMS, only read-only access will be available to the system resources. To
determine if the SMS controls the unit, or to change the control, see the sms command usage.
Root Command Mode
When you initially enter the NGFW Appliance, either through the console or SSH, you will be placed at
the top level root command line mode with the NGFW{} prompt. The commands at this level are used for
managing and monitoring system operations for the various subsystems. From the root command mode,
you can access the configuration mode, and the available operational commands that apply to the unit as
a whole. To view the commands available at this level, type help [full|COMMAND] at the command
prompt.
NGFW{}help
The default NGFW{} command prompt can be changed using the host name command in the interface
mgmt context of the edit mode. For example:
NGFW{}edit
NGFW{running}interface mgmt
NGFW{running-mgmt}help host (displays valid entries for configuring management port host settings)
NGFW{running-mgmt}host ? (displays valid entries for host command)
NGFW{running-mgmt}host name yourhostname
For a list of root commands and their usage see the Root Commands section.
NOTE: Your membership role determines your command line interface.
Edit Configuration Mode
The configuration mode enables administrators with the appropriate credentials to write configuration
changes to the active (running) configuration. The logon account used to configure the device must either
be associated with the Superuser role or the Administrator role to edit the configuration context. The
configuration mode has different context levels that provide access to a specific set of configuration
commands. To enter the configuration mode, use the edit command. Once you have executed the edit
command the CLI prompt will indicate that you are in the Edit mode, and can make configuration
changes. Configuration options, and sub contexts are available for use until you exit. To exit the edit
configuration mode, type exit.
When exiting the configuration mode, the following warning appears:
“WARNING: Modifications will be lost. Are you sure to exit (y/n)? [n]”
y will discard any uncommitted changes you made to the configuration file, and n will keep you in the
edit context.
The display command is a helpful utility to view the current running configuration and to review your
configuration changes before you save the changes.
NGFW{running} display
A commit command must be used to save your changes to the running configuration.
The command hierarchy has two types of statements: the Container statement, which contains objects, and
the Object statement, which is an actual command with options.
For example:
• Container statement in edit mode:
NGFW{running}log
NGFW{running-log}? (help will list all the available entries)
• Object statement:
NGFW{running} application-visibility enable|disable (help will display command options)
A brief overview of what you can do within the edit configuration mode:
• Issue a command that configures a setting in the candidate configuration. The candidate
configuration allows you to make configuration changes without causing changes to the active
configuration until you have reviewed your changes and issued the commit command.
• Enter into a container context to access additional configuration settings.
• Run the display command to see your candidate configuration settings for a context. Any
modifications you make can be viewed using the display command.
• Run the commit command to save any changes from your candidate configuration to the running
configuration.
• Exit from a context.
NOTE: As you move through the context menu hierarchies, the command prompt changes accordingly.
The help or display command can be entered at any level.
Configuration File Versions
When troubleshooting or needing to roll back a configuration, the current configuration setup can be
viewed. Reviewing network configuration files should be a necessary step to becoming knowledgeable
about your current system setup. When the device is initially configured, make sure the settings are saved
to the persistent configuration with the NGFW{}save-config command. It’s also advisable to create a
snapshot using the following command:
NGFW{}snapshot create orig_conf
Snapshots capture the configuration of a device, which can then be delivered to technical support for
troubleshooting. Users can also use snapshots to save and re-apply configurations. Snapshots include the
currently installed OS version, and cannot be restored on a device that is not running the same version of
the OS. If a snapshot restore needs to be completed, use the following command:
NGFW{}snapshot restore orig_conf
A warning message is displayed, followed by an automatic reboot when the snapshot restore is completed.
The NGFW Appliance CLI uses the deferred-commit model. In this capacity, the architecture maintains a
set of configuration files to ensure that a working configuration is persistently maintained. This
configuration set includes the following configuration files.
• Running configuration — this version is currently executing on the system. Any changes that
administrators make from the edit mode (except for IPS features, action sets and notification contacts)
will take effect once they have been committed, by issuing the commit command. If changes are not
committed, all modifications are discarded on exit from the running context. If multiple
administrators are on the system, the version that was last committed is used as the current running
configuration and is visible to other administrators, once they have exited the edit mode. A warning
prompt is displayed if the committed changes would overwrite configuration that was made by
another administrator since the configuration was edited.
• Saved (persistent) configuration — this is the running configuration that was last committed prior to
executing the save-config command. NGFW copies the saved configuration to the start
configuration when the system reboots.
• Start configuration — This is a backup copy of the configuration file saved at the time of system startup, and is loaded at the next system bootup. The
rollback-config command can be used to roll back to a persistent and running configuration that was the last known good configuration.
NOTE: Future versions of the product will support multiple named saved configuration sets.
Utilities
The Display and Show commands are helpful for troubleshooting and monitoring the operational status of
the system. Command line usage can be found in Root Commands.
Display
Enter display to see your candidate configuration settings for a context. Any modifications you make can
be viewed using the display command. The output of the display command depends on where the
command is executed. If executed at the configuration level, it displays the entire configuration of the unit.
Executing the display command with a configuration name parameter, or from within a context, displays
the contents of that particular configuration.
Show
The show command is most efficient in providing critical information, such as traffic usage, router platform
type, operating system revision, amount of memory, and the number of interfaces. The
show command can
also be used to evaluate logging, troubleshooting, tracking resources, sessions, and security settings. To
view all the available
show utilities, enter the help show command at the root command level. All the
available commands along with the correct command line usage are displayed.
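The deferred-commit model described under Configuration File Versions has a consequence that is easy to miss when scripting the CLI: commit updates the running configuration but not the saved one, so a committed change that is never followed by save-config disappears at the next reboot, and two administrators editing at once can overwrite each other. The following is an added illustration, not code from the guide or the product: a small Python model of the candidate, running, saved and start configurations with the operations the guide describes, so the outcomes can be checked without an appliance. Class and method names are this example's own; rollback-config is not modelled because the guide does not specify which copy it restores.

```python
"""Toy model of the NGFW deferred-commit configuration lifecycle.

Added illustration, not HP code: it models the candidate, running, saved
(persistent) and start configurations the guide describes, so the effect of
commit, exit, save-config and a reboot can be checked without an appliance.
Class and method names are this example's own.
"""
from copy import deepcopy


class ConfigConflict(Exception):
    """The CLI warns when a commit would overwrite another admin's commit."""


class NgfwConfigModel:
    def __init__(self, initial):
        self.running = deepcopy(initial)      # executing now
        self.saved = deepcopy(initial)        # written by save-config
        self.start = deepcopy(initial)        # backup taken at startup
        self.running_version = 0              # bumped on every commit/reboot

    def edit(self):
        """'edit': open a session holding a candidate copy of running."""
        return EditSession(self)

    def save_config(self):
        """'save-config': persist the running configuration."""
        self.saved = deepcopy(self.running)

    def reboot(self):
        """Load the saved configuration and keep a start backup of it.
        Committed-but-unsaved changes do not survive this step."""
        self.start = deepcopy(self.saved)
        self.running = deepcopy(self.start)
        self.running_version += 1


class EditSession:
    def __init__(self, device):
        self.device = device
        self.candidate = deepcopy(device.running)
        self.base_version = device.running_version
        self.open = True

    def set(self, key, value):
        """A configuration command issued in the edit context."""
        if not self.open:
            raise RuntimeError("edit session already exited")
        self.candidate[key] = value

    def display(self):
        """'display' in edit mode shows the candidate, not the running copy."""
        return deepcopy(self.candidate)

    def commit(self, force=False):
        """'commit': the candidate becomes the running configuration."""
        if not self.open:
            raise RuntimeError("edit session already exited")
        if self.device.running_version != self.base_version and not force:
            raise ConfigConflict("running configuration changed since edit began")
        self.device.running = deepcopy(self.candidate)
        self.device.running_version += 1
        self.base_version = self.device.running_version

    def exit(self):
        """'exit': discard the candidate; True if uncommitted changes were lost."""
        lost = self.open and self.candidate != self.device.running
        self.open = False
        return lost


def survives_reboot(save_before_reboot):
    """Commit a hostname change, optionally save-config, reboot, report if it stuck."""
    box = NgfwConfigModel({"host name": "ngfw"})
    s = box.edit()
    s.set("host name", "edge-fw-1")
    s.commit()
    s.exit()
    if save_before_reboot:
        box.save_config()
    box.reboot()
    return box.running["host name"] == "edge-fw-1"


def uncommitted_changes_lost_on_exit():
    box = NgfwConfigModel({"host name": "ngfw"})
    s = box.edit()
    s.set("host name", "oops")
    return s.exit() and box.running["host name"] == "ngfw"


def second_admin_commit_conflicts():
    """Two sessions opened on the same running configuration."""
    box = NgfwConfigModel({"host name": "ngfw"})
    a, b = box.edit(), box.edit()
    a.set("host name", "fw-a")
    a.commit()                     # running moves to version 1
    b.set("host name", "fw-b")
    try:
        b.commit()                 # b's base is version 0: conflict
        return False
    except ConfigConflict:
        b.commit(force=True)       # the operator's "yes, overwrite" at the warning
        return box.running["host name"] == "fw-b"
```

The two `survives_reboot` calls are the point of the exercise: `survives_reboot(False)` returns False because only the saved configuration is reloaded, which is why the commit entry in the Global Commands chapter suggests `!save-config` straight after `commit`.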
2 Global Commands
Global commands can be used in any context.
commit
Initiates all pending configuration changes in the edit mode.
NOTE: This command does not write the modifications to the startup configuration file. However, the
save-config command can be run from the edit configuration context by using the exclamation mark.
Syntax
commit
Example
NGFW{running}commit
NGFW{running}!save-config
exit
Exits the current context.
Syntax
exit
Example
NGFW{running-aaa}exit
NGFW{running}
help
Displays help information.
Syntax
help [full|COMMAND]
Example
NGFW{running}help log
Enter log context
Syntax: log
log Enter log context
display
Displays the current configuration, or the candidate configuration before a commit is issued. Display
options vary by context; enter the "help display" command in a context to view the available options.
Syntax
display
display [xml]
Example
NGFW{running-aaa-user-myuser1}display
# USER ID
user myuser1
3 Root Commands
The top level root command line mode displays the NGFW{} prompt. Commands at this level are used for
managing and monitoring system operations for the various subsystems. From the root command mode,
you can access the configuration mode, and the available commands that apply to the appliance as a
whole. Enter help full or help COMMANDNAME at the command prompt to display a list of available
commands or help on a specific command.
NGFW{}help
The default NGFW{} command prompt can be changed using the host name command in the interface
mgmt context of the edit mode. For example:
NGFW{}edit
NGFW{running}interface mgmt
NGFW{running-mgmt}help host (displays valid entries for configuring management port host settings)
NGFW{running-mgmt}host ? (displays valid entries for host command)
NGFW{running-mgmt}host name yourhostname
boot
Manages software packages.
Syntax
boot (list-image|rollback)
NGFW{}clear ip bgp 10.10.10.10 soft in
Not cleared BGP is not active
Example
NGFW{}clear ip bgp external soft
Example
NGFW{}clear users fred
date
Used alone to display the current date, or with arguments to configure the date in a 24 hour format. The
date command shows the current time in the time zone configured on the device and the "gmt" argument
shows the time in GMT (UTC).
Syntax
date [MMDDhhmm[[CC]YY][.ss]]
date gmt
Example
NGFW{}date 071718202013.59 (sets date to July 17 2013 6:20PM 59 seconds)
edit
The edit context modifies the configuration that identifies the security policy and interfaces that you can
configure for your firewall. Edit takes an instance of the running configuration file. This instance is your
candidate version. After making modifications to this candidate configuration version, you have the option
of saving it to the running configuration, or discarding any changes you made. To discard, simply exit. To
save your candidate configuration, enter the commit command before exiting the edit context. To see
commands under the edit context, see edit configuration.
flush
Syntax
flush (arp|ndp)
flush ipsec sa policy NAME [id ID]
flush ike sa [policy NAME [id ID]]
flush bgp [ip] A.B.C.D [(in prefix-filter)|in|out|(soft [in|out])|rsclient]
flush bgp ip A.B.C.D [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft [in|out])]
flush bgp ipv6 external [(in prefix-filter)|(soft [in|out])]
flush bgp ipv6 external [peer WORD (in|out)]
flush bgp [ip] view WORD [soft [in|out]]
flush bgp [ip|ipv6] view WORD (A.B.C.D|X:X::X:X|all) rsclient
flush bgp ip view WORD [ipv4 (unicast|multicast)] (in prefix-filter)|(soft [in|out])
flush bgp [ip|ipv6] PEERAS [(in prefix-filter)|in|out|(soft [in|out])]
flush bgp ip PEERAS [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft [in|out])]
flush bgp ip PEERAS [vpnv4 unicast in|out|(soft [in|out])]
flush bgp [ip|ipv6] all [(in prefix-filter)|in|out|(soft [in|out])|rsclient]
flush bgp ip all [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft
Example
NGFW{}flush firewall-session 134217756
Success
NGFW{}flush ipsec sa policy mytunnel
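The argument format of the date command above, MMDDhhmm[[CC]YY][.ss], packs five or six fields into one digit string with two optional parts, which is compact enough to get wrong in a provisioning script and hard to read back from an audit transcript. The following is an added example, not code from the guide: it builds the argument from a Python datetime and parses an argument back into the time it sets, accepting the three lengths the syntax allows. Function names are this example's own. The guide does not say which century a two-digit YY maps to, or which year is used when the year is omitted; this code assumes the century and year of the reference time it is given.

```python
"""Build and parse the NGFW 'date' argument MMDDhhmm[[CC]YY][.ss].

Added example, not part of the HP guide. Assumptions (not stated by the
guide): a two-digit YY takes the century of the reference time, and an
argument without a year keeps the reference time's year.
"""
from datetime import datetime, timezone
import re

# 8 digits: MMDDhhmm, 10 digits: MMDDhhmmYY, 12 digits: MMDDhhmmCCYY; optional .ss
_ARG_RE = re.compile(r"^(?P<core>\d{8}|\d{10}|\d{12})(?:\.(?P<ss>\d{2}))?$")


def format_date_arg(dt, with_year=True, with_century=True, with_seconds=True):
    """Return the argument string for 'date' that sets the given time."""
    arg = dt.strftime("%m%d%H%M")
    if with_year:
        arg += dt.strftime("%Y") if with_century else dt.strftime("%y")
    if with_seconds:
        arg += dt.strftime(".%S")
    return arg


def parse_date_arg(arg, reference=None):
    """Return the datetime that 'date ARG' would set, or raise ValueError.

    Fields omitted in ARG are taken from 'reference' (default: now, UTC).
    """
    ref = reference or datetime.now(timezone.utc)
    m = _ARG_RE.match(arg)
    if not m:
        raise ValueError("malformed date argument: %r" % arg)
    core = m.group("core")
    month, day, hour, minute = (int(core[i:i + 2]) for i in (0, 2, 4, 6))
    if len(core) == 12:
        year = int(core[8:12])
    elif len(core) == 10:
        year = (ref.year // 100) * 100 + int(core[8:10])   # assumed century
    else:
        year = ref.year                                     # assumed year
    second = int(m.group("ss")) if m.group("ss") else 0
    # datetime() enforces the field ranges (month 1-12, hour 0-23, ...),
    # so an impossible value such as month 13 is rejected here.
    return datetime(year, month, day, hour, minute, second)
```

Round-tripping the guide's own example, `parse_date_arg("071718202013.59")` gives 17 July 2013 18:20:59 and `format_date_arg` of that datetime gives the original string back.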
help
Displays help information at any context level.
high-availability
Manage high-availability devices.
Syntax
high-availability force (active|passive)
high-availability segment force (normal|fallback)
Example
NGFW{}high-availability segment force normal
Status: OK
list
Displays traffic capture file list.
Syntax
list traffic-file
Example
NGFW{}list traffic-file
log-configure
Enter log configuration context.
Syntax
log-configure
Example
Related Commands
Log Configure Commands
logout
Logs you out of the system.
Syntax
logout
Example
NGFW{} logout
master-key
The system master-key is used to encrypt the removable user-disk (the external CFast), and the system
keystore. The user-disk holds traffic logs, packet capture data, and system snapshots. The keystore retains
data such as device certificates and private keys.
The master-key has the following complexity requirements:
• Must be between 9 and 32 characters in length.
• Combination of upper and lower case alpha and numbers.
• Must contain at least one “special” char (eg: !@#$%)
Set or clear the master key for keystore and external CFast user-disk encryption.
Syntax
master-key (clear|get|set)
Example
NGFW{}master-key set
WARNING: Master key will be used to encrypt the keystore and external user disk.
Do you want to continue (y/n)? [n]: y
Enter Master Key : ****************
Re-enter Master Key: ****************
Success: Master key has been set.
Example
Get the master key for keystore and user-disk encryption
NGFW{}master-key get
Success: My.1.MasterKey!!
Example
NGFW{}master-key clear
WARNING: Clearing master key will remove encryption from the keystore and
external user disk.
Do you want to continue (y/n)? [n]: y
Success: Master key has been cleared.
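The master key protects the keystore (device certificates and private keys) and the user disk, so it is usually generated by a provisioning workflow rather than typed by hand. The following is an added example, not HP code: a pre-check of a candidate key against the three complexity rules listed above, plus a generator that produces keys satisfying them, so that the interactive `master-key set` prompt is never fed a value the appliance will reject. Function names are this example's own; the guide only gives `!@#$%` as examples of special characters, so treating every ASCII punctuation character as "special" is an assumption.

```python
"""Check a candidate NGFW master key against the documented rules:
9 to 32 characters, upper and lower case letters and digits, and at
least one special character.

Added example, not HP code. Assumption: "special" means any ASCII
punctuation character (string.punctuation), which covers the !@#$%
examples given in the guide.
"""
import secrets
import string

MIN_LEN, MAX_LEN = 9, 32
SPECIAL = set(string.punctuation)           # assumed definition of "special"


def check_master_key(key):
    """Return the list of documented rules the key fails; [] means it passes."""
    failures = []
    if not MIN_LEN <= len(key) <= MAX_LEN:
        failures.append("length must be between %d and %d characters" % (MIN_LEN, MAX_LEN))
    if not any(c.isupper() for c in key):
        failures.append("needs an upper case letter")
    if not any(c.islower() for c in key):
        failures.append("needs a lower case letter")
    if not any(c.isdigit() for c in key):
        failures.append("needs a digit")
    if not any(c in SPECIAL for c in key):
        failures.append("needs a special character (e.g. !@#$%)")
    return failures


def generate_master_key(length=24):
    """Generate a random key that passes check_master_key().

    Uses the secrets module (CSPRNG). Rejection sampling is used rather than
    forcing one character of each class into fixed positions, so every
    character of the result is independently uniform over the alphabet.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be between %d and %d" % (MIN_LEN, MAX_LEN))
    alphabet = string.ascii_letters + string.digits + "!@#$%"
    while True:
        key = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_master_key(key):
            return key
```

Two points for handling the result: the key shown in the `master-key get` example above is echoed in clear text, so any session transcript or terminal log that captured a `get` has to be protected like the key itself, and the key must be stored somewhere recoverable, since the user disk and keystore it encrypts are unreadable without it.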
ping
Test connectivity with ICMP traffic. The mgmt option uses the management interface.
NGFW{}ping 192.168.1.1 mgmt
ping using mgmt port
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 vrfid=500 time=0.4 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 vrfid=500 time=0.1 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 vrfid=500 time=0.1 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 vrfid=500 time=0.1 ms
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.4 ms
NGFW{}ping6 100:0:0:0:0:0:0:1
ping using data ports
PING 100:0:0:0:0:0:0:1 (100:0:0:0:0:0:0:1): 56 data bytes
64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=1 ttl=64 vrfid=0 time=0.3 ms
64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=2 ttl=64 vrfid=0 time=0.1 ms
64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=3 ttl=64 vrfid=0 time=0.1 ms
64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=4 ttl=64 vrfid=0 time=0.1 ms
--- 100:0:0:0:0:0:0:1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.3 ms
reboot
Reboots the system.
Syntax
reboot
Example
NGFW{}reboot
WARNING: Are you sure you want to reboot the system (y/n) [n]:
reports
Valid entries:
reset Delete report data
enable Start data collection for reports
disable Stop data collection for reports
all All reports (default)
cpu CPU utilization report
disk Disk utilization report
fan Fan speed report
memory Memory utilization report
network Network bandwidth report
rate-limiter Rate Limiter report
temperature Temperature report
traffic-profile Traffic Profile report
vpn VPN report
Example
NGFW{}reports enable cpu
NGFW{}reports reset cpu
WARNING: Are you sure you want to reset cpu reports (y/n)? [n]:
Related Commands
show reports
save-config
Saves the running configuration to a persistent configuration.
Syntax
save-config
Example
NGFW{}save-config
WARNING: Saving will apply this configuration at the next system start. Continue
show
The show command enables you to view current system configuration, status, and statistics.
Table 3-1 Show command
Command                        Description
show aaa                       Show AAA information
show agglink                   Show agglink status
show arp                       Show Address Resolution Protocol entries
show autoconf dhcpv4 client    IPv4 Dynamic Host Configuration Protocol
show autoconf dhcpv6 client    IPv6 Dynamic Host Configuration Protocol
show autoconf ra               Show autoconfig Router Advertisement information
show cluster                   Show cluster status
show date                      Show the current router date and time
show dhcp relay                Show DHCPv4 Relay information
show dhcp server lease         Display DHCP server leases history
show dhcpv6                    Show DHCPv6 client lease
show dns                       Show Domain Name Service
show firewall                  Displays firewall rules and sessions.
show high-availability         Show high-availability status
show interface                 Show network interface
show ip bgp                    Show the Border Gateway Protocol information
show ip igmp                   Show Internet Group Management Protocol
show ip mroute                 Show Multicast Static IP route
show ip ospf                   Show Open Shortest Path First (OSPF) information
show ip pim-sm                 Show PIM-SM routing information
show ip rip                    Show the RIP routes
show ip route                  Show the unicast routes
show ip smr                    Show SMR routing information
show ipv6 mld                  Show IPv6 routing information for MLD group or interface
show ipv6 mroute               Show IPv6 routing information for multicast routes
show ipv6 ospfv3               Show the OSPFv3 unicast routes
show ipv6 pim-sm               Show ipv6 Protocol Independent Multicast - Sparse Mode (PIM-SM) routing information
show ipv6 ripng                Show RIPng routing information
show ipv6 route ripng          Show ripng route information
show (ip|ipv6) route           Show the unicast routes
show key                       Show local server SSH key information
show l2tp                      Show Layer 2 Tunneling Protocol information
show license                   Shows the license number and status
show log-file                  Shows the logfiles
show log-file boot             Shows the boot file
show mfg-info                  Show manufacturing information
show ndp                       Show Neighbor Discovery Protocol
show np engine                 Show net processor statistics
show np general statistics     Show general network processor information
show np protocol-mix           Show network processor protocol-level statistics
show np reassembly             Show network processor reassembly statistics
show np rule-stats             Show network processor rules, number of flows, successful matches
show np softlinx               Show network processor softlinx statistics
show np tier-stats             Show network processor throughput and utilization for each tier
show quarantine-list           Show quarantine list information
show reports                   Show status of data collection for reports
show service                   Show network service information
show sms                       Show status of SMS control
show snmp                      Show SNMP information
show system buffers            Show Forwarding buffer state
show system connections        Show active socket information
show system processes          Show system processes
show system statistics         Show system-wide protocol-related statistics
show system usage              Show system usage
show system virtual-memory     Show system virtual memory
show system xms memory         Show xms memory usage
show terminal                  Show terminal settings
show traffic-file              Show network traffic from file
show tse connection-table      Show TSE connection-table information
show users                     Show users information
show version                   Show device version information
show aaa
Syntax
show aaa capabilities USER
Example
show aaa capabilities fred
NGFW{}show aaa capabilities fred
ID NAME STATE
--------------------------------------------
1 NGFW full
2 SECURITY full
3 FIREWALLRULES full
4 SECURITYZONES full
5 APPLICATIONGROUPS full
6 ADDRESSGROUPS full
7 SERVICES full
8 SCHEDULES full
9 INSPECTIONPROFILES full
10 IPS full
11 IPREPUTATION full
12 PROFILEGROUPS full
13 CAPTIVEPORTALRULES full
14 NATRULES full
15 ACTIONSETS full
16 SYSTEM full
17 SMSMANAGED full
18 MANAGEMENT full
19 DNS full
20 IPFILTERS full
21 UPGRADE full
22 NOTIFICATION full
23 LOGGING full
24 HIGHAVAILABILITY full
25 HACONFIGURATION full
26 HASTATE full
27 SNMP full
28 TIME full
29 FIPS full
30 UPDATE full
31 PACKAGES full
32 AUTODV full
33 SNAPSHOT full
34 USERAUTH full
35 LOCALUSER full
36 USERGROUP full
37 ROLES full
38 RADIUS full
39 LDAP full
40 CAPTIVEPORTAL full
41 GENERAL full
42 X509CERT full
43 VPN full
44 IKE full
45 IKECONFIGURATION full
46 IKESTATUS full
47 IPSEC full
48 IPSECCONFIGURATION full
49 IPSECSTATUS full
50 L2TP full
51 L2TPCONFIGURATION full
52 L2TPSTATUS full
53 REPORTING full
54 LOG full
55 FIREWALLLOG full
56 IPSLOG full
57 REPUTATIONLOG full
58 VPNLOG full
59 SYSTEMLOG full
60 AUDITLOG full
61 SECURITYREPORTS full
62 NETWORKREPORTS full
63 DEBUGTOOLS full
64 REBOOT full
65 SHUTDOWN full
66 SERVICEACCESS full
67 NETWORK full
68 INTERFACES full
69 SEGMENTS full
70 DHCPSERVER full
71 DHCPRELAY full
72 ARPNDP full
73 STATICROUTES full
74 STATICMONITOREDROUTES full
75 DYNAMICROUTING full
76 ACCESSLISTS full
77 ROUTEMAPS full
78 OSPF full
79 RIP full
80 BGP full
81 MULTICAST full
82 ROUTINGTABLE full
83 COMPACTFLASH full
84 CUSTOMCATEGORIES full
85 APPLICATIONVISIBILITY full
86 GLOBALINSPECTIONPROFILE full
87 DEBUGNP full
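The capability table above is the starting point for a least-privilege review of a CLI account. The Python below is an added example, not code from this reference guide or from HP: it parses pasted `show aaa capabilities USER` output (tolerating the dashed separator fused onto row 1, as in the example above) and reports which disruptive or identity-related capabilities the account holds with state full. The set of capabilities treated as sensitive, the state value none used in the constructed sample, and the sample rows themselves are this example's assumptions.

```python
import re
from typing import Dict, List

# Capabilities whose "full" state lets an account disrupt the appliance,
# change who can log in, or reach debugging interfaces. This selection is the
# example's own judgement, not a list taken from the reference guide.
SENSITIVE = {
    "SHUTDOWN", "REBOOT", "UPGRADE", "SNAPSHOT",
    "DEBUGTOOLS", "DEBUGNP", "SERVICEACCESS",
    "LOCALUSER", "USERGROUP", "ROLES", "USERAUTH", "RADIUS", "LDAP",
    "AUDITLOG", "LOGGING",
}

# One table row: ID, NAME, STATE. The guide's example shows only "full";
# any other state value is an assumption and is carried through as text.
_ROW = re.compile(r"^(\d+)\s+([A-Z0-9]+)\s+(\S+)$")


def parse_capabilities(text: str) -> Dict[str, str]:
    """Map capability NAME -> STATE from 'show aaa capabilities USER' output."""
    caps: Dict[str, str] = {}
    for raw in text.splitlines():
        # Pasted output sometimes fuses the dashed separator onto row 1,
        # exactly as in the guide's example; strip it before matching.
        line = raw.strip().lstrip("-").strip()
        m = _ROW.match(line)
        if m:
            caps[m.group(2)] = m.group(3).lower()
    return caps


def full_access_findings(caps: Dict[str, str], sensitive=SENSITIVE) -> List[str]:
    """Sensitive capabilities the account holds with state 'full', sorted by name."""
    return sorted(n for n, s in caps.items() if n in sensitive and s == "full")


# Constructed sample: a subset of the rows shown above, plus one row with an
# assumed non-"full" state to show that it is not reported.
SAMPLE = """\
NGFW{}show aaa capabilities fred
ID NAME STATE
--------------------------------------------1 NGFW full
16 SYSTEM full
19 DNS full
35 LOCALUSER full
37 ROLES full
63 DEBUGTOOLS full
64 REBOOT none
65 SHUTDOWN full
66 SERVICEACCESS full
"""

if __name__ == "__main__":
    for name in full_access_findings(parse_capabilities(SAMPLE)):
        print(f"fred has full access to {name}")
```

Run the script against output captured for each local account; anything it prints for an operator who only needs to read logs or reports is a role that should be narrowed.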
show agglink
Displays information about whether or not the member ports are up in the aggregated link.
Syntax
show (agglink|INTERFACE)
Example
NGFW{}show agglink
#AGGLINK TABLES
Service ETHGRP is inactive
show arp
Syntax
show arp
Example
NGFW{}show arp
IP Address Mac-Address Interface State
15.226.140.254 3c:e5:a6:13:7f:2a mgmt delay
show ndp
Syntax
show ndp
Example
NGFW{}show ndp
IP Address Mac-Address Interface State
fe80::3ee5:a6ff:fe13:7f2a 3c:e5:a6:13:7f:2a mgmt stale
show autoconf dhcpv4 client
Syntax
show autoconf dhcpv4 client (current|history)
Example
NGFW{}show autoconf dhcpv4 client
Example
NGFW{}show autoconf dhcpv4 client history
# DHCPCLIENT LEASES HISTORY
Service DHCP is inactive
show autoconf dhcpv6 client
Syntax
show autoconf dhcpv6 client
Example
NGFW{}show autoconf dhcpv6 client
Service DHCPv6 client is inactive
show autoconf ra
Syntax
show autoconf ra (INTERFACE|all)
Example
NGFW{}show autoconf ra all
no data
show cluster
Syntax
show cluster
Example
cluster.3-device23{} show cluster
Cluster Status
-------------
Name: cluster
Identifier: 3
State: Enabled
Segment HA: Normal
Master: cluster.3-device23
Members
------
Name: cluster.3-device23
HA State: Active
show date
This command shows the GMT time or the local time and timezone for the appliance.
Syntax
show date [gmt]
Example
NGFW{}show date
Sun Sept 15 04:29:59 2013 GMT
NGFW{}show date gmt
Wed Aug 21 21:51:13 2013 GMT
NGFW{}show date
Wed Aug 21 14:51:16 2013 America/Los_Angeles
show dhcp relay
Shows DHCPv4 Relay information.
Syntax
show dhcp relay
Example
NGFW{}show dhcp relay
DHCP Relay is not running
show dhcp server lease
Syntax
show dhcp server lease (current | history)
Example
NGFW{}show dhcp server lease current
Status: Inactive
IP Address Mac Address Start date & time End date & time
show dhcpv6
Syntax
show dhcpv6
Example
NGFW{}show dhcpv6
Service DHCPv6 client is inactive
show dns
Syntax
show dns
Example
NGFW{}show dns
# DNS PROXY
Proxy Disabled
# STATIC DNS
# DYNAMIC V4 DNS
# DYNAMIC V6 DNS
NGFW{}show high-availability state-sync firewall
HA Synchronization State
-----------------------
Name: firewall
State: enabled
Synchronization State: Not initialized
Reason: Unable to determine synchronization state
Total Entries: 353
Added Entries: 324
Deleted Entries: 0
Related Commands
high-availability force (active|passive)
high-availability segment force (normal|fallback)
show interface
Syntax
show interface [INTERFACE [statistics [update INT]]]
show interface [INTERFACE] multicast-registration
Examples
NGFW{}show interface ha
Interface ha
MAC Address 00:10:f3:2c:81:df
Enabled Yes
Link Down
Speed 10Mbps
Auto Negotiate Enabled
Duplex Half
MTU 9216
NGFW{}show interface mgmt
Interface mgmt
IP Address A.B.C.D/24
IPv6 Address fe80::210:f3ff:fe2c:81de/64 (Link Local)
MAC Address 00:10:f3:2c:81:de
Enabled Yes
Link Up
Speed 1000Mbps
Auto Negotiate Enabled
Duplex Full
MTU 1500
NGFW{}show interface bridge1
Interface bridge1
IPv6 Address fe80::210:f3ff:fe2c:81e2/64 (Link Local)
MAC Address 00:10:f3:2c:81:e2
Enabled Yes
Link Up
MTU 1500
show ip bgp
Syntax
show ip bgp
show ip bgp debug
show ip bgp A.B.C.D/M
show ip bgp summary
show ip bgp neighbors
show ip bgp neighbors A.B.C.D
show ip bgp neighbors A.B.C.D (advertised-routes|routes)
show ip bgp filter-list FILTER-LIST-NAME
show ip bgp prefix-list PREFIX-LIST-NAME
show ip bgp route-map ROUTE-MAP-NAME
show ip bgp community-list COMMUNITY-LIST-NAME
show ip bgp community (AA:NN|internet|local-as|no-export|no-advertise)
Example
NGFW{}show ip bgp
BGP Router Default Instance (ASN 230)
BGP table version is 0, local router ID is 172.16.30.230
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 99.1.0.0/24 172.16.30.99 11 32768 ?
*> 99.2.0.98/32 172.16.30.99 11 32768 ?
*> 172.16.40.0/24 172.16.20.98 0 0 98 i
Total number of prefixes 3
show ip igmp
Shows IGMP interface information or group information.
Syntax
show ip igmp (interface|groups)
Example
NGFW{}show ip igmp interface
ethernet2 is up
Interface address: 172.16.30.230/24
IGMP on this interface: enabled
Multicast routing on this interface: enabled
Multicast TTL threshold: 1
Current IGMP router version: 3
IGMP query interval: 125 seconds
IGMP max query response time: 100 deciseconds
Last member query response interval: 10 deciseconds
IGMP Querier: 172.16.30.230
Robustness: 2
Require Router Alert: enabled
Startup Query Interval: 312 deciseconds
Startup Query Count: 2
General Query Timer Expiry: 00:00:07
Startup Query Timer Expiry: 00:00:07
Multicast groups joined:
show ip mroute
Shows the multicast routes.
Syntax
show ip mroute
Example
NGFW{}show ip mroute
Source Group In-interface Out-interface(s)
152.168.1.2 239.255.255.2 pimreg ethernet1
show ip ospf
Displays general information about Open Shortest Path First (OSPF) routing processes.
Syntax
show ip ospf ?
show ip ospf (database|interface[IFACE]|neighbor [debug]|redistribute|route[debug])
Example
NGFW{}show ip ospf
OSPF Router with ID (15.255.125.122)
OSPF Routing Process 0 [VRF 0], Router ID: 15.255.125.122
Supports only single TOS (TOS0) routes
This implementation conforms to RFC2328
RFC1583Compatibility flag is disabled
OpaqueCapability flag is enabled
SPF schedule delay 200 secs, Hold time between two SPFs 1000 secs
Refresh timer 10 secs
Kernel delay 50 ms
This router is an ASBR (injecting external routing information)
Redistribute Configuration
Maximum-Prefix is not configured
Number of external LSA 0. Checksum Sum 0x00000000
Number of opaque AS LSA 0. Checksum Sum 0x00000000
Number of areas attached to this router: 1
Area ID: 0.0.0.0 (Backbone)
Number of interfaces in this area: Total: 1, Active: 1
Number of fully adjacent neighbors in this area: 1
Area has no authentication
SPF algorithm executed 8 times (in 0 ms)
Number of LSA 3
Number of router LSA 2. Checksum Sum 0x00015328
Number of network LSA 1. Checksum Sum 0x00000b59
Number of summary LSA 0. Checksum Sum 0x00000000
Number of ASBR summary LSA 0. Checksum Sum 0x00000000
Number of NSSA LSA 0. Checksum Sum 0x00000000
Number of opaque link LSA 0. Checksum Sum 0x00000000
Number of opaque area LSA 0. Checksum Sum 0x00000000
show ip pim-sm
Syntax
show ip pim-sm (interface|neighbor|rp|bsr-router)
Example
NGFW{}show ip pim-sm interface
Address      Interface Mode   Neighbor Count Hello Intvl DR Pri DR Address
182.168.1.10 ethernet5 sparse 1              30          1      182.168.1.20
Example
ngfw{}show ip pim-sm neighbor
Interface Address
ethernet5 182.168.1.20
ngfw{}show ip pim-sm bsr-router
PIMv2 Bootstrap information
This system is the Bootstrap Router (BSR)
BSR address: 182.168.1.10
Uptime: 00:00:26, BSR Priority: 10, Hash mask length: 30
Next bootstrap message in 00:00:34
ngfw{}show ip pim-sm rp
The PIM RP Set
Group: 239.255.255.2/32
RP: 182.168.1.10
Uptime: 00:00:51, Expires: 00:01:39, Priority: 10
show ip rip
Shows the RIP routes.
Syntax
show ip rip
Example
NGFW{}show ip rip
RIP Router Default Instance
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 29 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Message load balancing using 1 time slots
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive any version
Interface Send Recv Pri RIPv1BorderGW RIPv1IngrSumy Key-chain
ethernet1 2 1 2 7 Enable Enable
Split horizon
No authentication
Routing for Networks:
ethernet1
Routing Information Sources:
Gateway BadPackets BadRoutes Distance Last Update
Distance: (default is 120)
show ip route
Syntax
show ip route (bgp|connected|debug|mgmt|ospf|rip|smr|static)
Example
NGFW{}show ip route debug
Codes: K - kernel route, C- connected, S - static, R - RIP, O - OSPF,
B - BGP, > - selected route, * - FIB route
K * 127.0.0.0/8 is directly connected, unknown(0) inactive, rej
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.1.0/24 is directly connected, ethernet13
C>* 192.168.100.0/24 is directly connected, ethernet14
K>* 224.0.0.2/32 is directly connected, lo501
S>* 0.0.0.0/0 [1/0] [vrf 500] via 15.220.140.254, mgmt
C>* 15.220.140.0/24 [vrf 500] is directly connected, mgmt
C>* 127.0.0.0/8 [vrf 500] is directly connected, lo500
C>* 127.0.0.0/8 [vrf 501] is directly connected, lo501
C>* 169.254.0.0/24 [vrf 501] is directly connected, ha
NGFW{} show ip smr status
3 route(s) active
1 route(s) inactive
Global round-trip avg/max 0.5/29.2 msec
10 packets/640 bytes sent last second
show ipv6 mld
Shows IPv6 routing information for MLD group or interface.
Syntax
show ipv6 mld (interface|groups)
Example
NGFW{}show ipv6 mld interface
ethernet1 is up
Interface address: fe80::210:f3ff:fe24:5b7e%ethernet1/64
MLD on this interface: enabled
Multicast routing on this interface: disabled
Current MLD router version: 2
MLD query interval: 125 seconds
MLD max query response time: 10 seconds
Last member query response interval: 10 deciseconds
MLD Querier: fe80::210:f3ff:fe24:5b7e%ethernet1
Robustness: 2
Require Router Alert: enabled
Startup Query Interval: 312 deciseconds
Startup Query Count: 2
General Query Timer Expiry: 00:01:19
Multicast groups joined:
NGFW{}show ipv6 mld groups
MLD Connected Group Membership
Group Address  Interface  Uptime    Expires   Last Reporter
ff1e:11::1     ethernet1  00:00:04  00:04:16  fe80::215:17ff:fe3c:edea%ethernet1
show ipv6 mroute
Shows IPv6 routing information for multicast routes.
show ipv6 ospfv3
Syntax
show ipv6 ospfv3 (database|interface [IFACE]|neighbor [debug]|route)
Example
NGFW{}show ipv6 ospfv3
OSPFv3 Router with ID (172.16.30.230)
OSPFv3 Routing Process 0 [VRF 0] with Router-ID 172.16.30.230
Running 00:00:07
Graceful Restart: Enabled with interval 120
Status: restarting (left time 113s)
Graceful Restart Helper: Enabled
Redistribute Configuration
Maximum-Prefix is not configured
Number of AS scoped LSAs is 0
Number of AS scoped LSAs is 0
Number of areas in this router is 2
Area 0.0.0.0
Number of Area scoped LSAs is 0
Interface attached to this area: ethernet1
Area 0.0.0.9
Number of Area scoped LSAs is 0
Interface attached to this area:
show ipv6 pim-sm
Protocol Independent Multicast - Sparse Mode (PIM-SM) provides efficient communication between
members of sparsely distributed multicast groups. PIM-SM is designed to limit multicast traffic so that
only devices that have asked to receive traffic for a particular group receive it.
Syntax
show ipv6 pim-sm (interface|neighbor|rp|bsr-router)
Example
NGFW{}show ipv6 pim-sm interface
Interface Mode   Neighbor Count Hello Interval DR Priority
ethernet5 sparse 1              30             1
Address: fe80::210:f3ff:fe24:5b82
DR Address: this system
PIM6v2 Bootstrap information
This system is the Bootstrap Router (BSR)
BSR address: 2001:200::10
Uptime: 00:20:00, BSR Priority: 10, Hash mask length: 126
Next bootstrap message in 00:00:00
NGFW{}show ipv6 pim-sm rp
The PIM6 RP Set
Group: ff1e:11::1/128
RP: 2001:200::10
Uptime: 00:20:22, Expires: 00:01:59, Priority: 0
show ipv6 ripng
Shows the RIPng routes.
Syntax
show ipv6 ripng
Example
NGFW{}show ipv6 ripng
RIPng Router Default Instance
Routing Protocol is "RIPng"
Sending updates every 30 seconds with +/-50%, next due in 37 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Default redistribution metric is 1
Redistributing:
Default version control: send version 1, receive version 1
Interface Send Recv
ethernet1 1 1
Split horizon
Routing for Networks:
ethernet1
Routing Information Sources:
Gateway ReceivedPackets BadPackets BadRoutes Distance Last Update
Distance: (default is 120)
show ipv6 route ospfv3
Shows the OSPFv3 unicast routes.
Syntax
show ipv6 route ospfv3
Example
NGFW{}show ipv6 route ospfv3
Codes: O - ospfv3, > - selected route, * - FIB route
O>* 1:1::/64 [110/2] via fe80::20c:29ff:fee0:c919, ethernet2, 00:00:28
O>* 2:2::2:2/128 [110/1] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28
O>* 2100::/64 [110/2] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28
O>* 2100::2/128 [110/1] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28
show ipv6 route ripng
Shows the RIPng routes.
Syntax
show ipv6 route ripng
Example
NGFW{}show ipv6 route ripng
Codes: K - kernel route, C - connected, S - static, R - RIPng, O - OSPFv3,
I - ISIS, B - BGP, N - NAT-PT, D - Delegated Prefix, > - selected route,
* - FIB route, b - Backup route, < - delayed route, Q - Untyped route
R>* 4100::/64 [120/2] via fe80::210:f3ff:fe26:f375, ethernet2, 00:00:07
show (ip|ipv6) route
Syntax
show (ip|ipv6) route (debug|mgmt|static|connected)
-------- ------ ------- ---------- -------
License OK Allow 10/3/2013 Using the transitional license.
Update TOS OK Allow 10/3/2013
Update DV OK Allow 10/3/2013
Auxiliary DV Info Deny Never Not licensed to use feature.
ReputationDV Info Deny Never Not licensed to use feature.
show log-file
The following log files are available:
•system
•audit
•fwAlert
•fwBlock
•vpn
•ipsAlert
•ipsBlock
•reputationAlert
•reputationBlock
•quarantine
show log-file FILE_NAME
Syntax
show log-file audit [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file fwAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file fwBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file ipsBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file quarantine [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file reputationAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail
[COUNT])] [seqnum] [more]
show log-file reputationBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail
[COUNT])] [seqnum] [more]
show log-file summary [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file system [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file vpn [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum]
[more]
show log-file boot [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum]
[more]
show log-file audit [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file fwAlert [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file fwBlock [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file ipsBlock [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file quarantine [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file reputationAlert [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file reputationBlock [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file summary [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file system [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file vpn [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file boot [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file audit stat
show log-file fwAlert stat
show log-file fwBlock stat
show log-file ipsAlert stat
show log-file ipsBlock stat
show log-file quarantine stat
show log-file reputationAlert stat
show log-file reputationBlock stat
show log-file summary stat
show log-file system stat
show log-file vpn stat
show log-file boot stat
show log-file summary [verbose]
show log-file boot [tail COUNT] [more]
show log-file boot [search [(options)]{0,2} PATTERN] [count COUNT] [more]
Example
NGFW{}show log ipsAlert
Example
NGFW{}show log quarantine
show log-file FILE_NAME stat
Shows the beginning sequence number, ending sequence number, and number of messages for the given
log file.
Syntax
show log-file FILE_NAME stat
Example
NGFW{}show log ipsBlock stat
Display limited to 500 lines...
1
241097
241097
show log-file summary
Syntax
show log-file summary [verbose]
Example
NGFW{}show log-file summary
File Total Entries First Entry Last Entry Allocated Used Location
show log-file boot [tail [COUNT]] [more]
show log-file boot [search [<options>]{0,2} PATTERN] [count COUNT] [more]
If you use the more option, a colon is displayed in the output to indicate that more information is available.
Press Enter to continue scrolling, or enter q to quit and return to the NGFW{} prompt.
Example
NGFW{} show log-file audit more
2013-07-05 ...(log info is displayed)
2013-07-05 ...
...
ADDRCONF(NETDEV_UP): ethernet7: link is not ready
device ethernet7 entered promiscuous mode
Example
To tail the last 5 lines of the boot log file:
NGFW{}show log-file boot tail 5
bridge1: port 8(ethernet7) entering disabled state
bridge1: port 8(ethernet7) entering disabled state
ADDRCONF(NETDEV_UP): ethernet7: link is not ready
device ethernet8 left promiscuous mode
device ethernet7 left promiscuous mode
show mfg-info
Shows manufacturing information.
Syntax
show mfg-info
Example
NGFW{}show mfg-info
ECO Version : 40AA
Manufacturer S/N : TBBC10021827
PCBA Assembly Date : 01/11/2012
Chassis Version : 00
Mfg System Revision : A905
HP Base Unit P/N : 5066-2732
HP Base Unit Revision : A1
Number of MACs : 12
MAC Address : 00:10:F3:2C:81:DE
Mgmt Port MAC Address : 00:10:F3:2C:81:DE
Ethernet1 MAC Address : 00:10:F3:2C:81:E2
HP Base Unit S/N : PR2AFQY003
Internal Disk Model : 4GB SATA Flash Drive
Internal Disk S/N : 11001420994500582125
External Disk Model : 4GB SATA Flash Drive
External Disk S/N : 00224192122400702578
BIOS Version : Z513-021
IPM Version : 1.d (working)
show np engine
Shows network processor information.
Syntax
show np engine (filter|packet|parse|reputation (ip|dns)|rule)
filter - Show filter-level statistics
packet - Show packet-layer statistics
parse - Show packet parsing statistics
reputation - Show reputation statistics on either IP or DNS
rule - Show rule statistics
show np softlinx
Syntax
show np softlinx
Example
NGFW{}show np softlinx
SoftLinx Statistics:
Matched both softlinx and a rule = 0
Matched softlinx, but not a rule = 0
Matched a rule, but not softlinx = 0
Sleuth inspected packets = 0
Sleuth matched packets = 0
Matched HW (Sleuth) but not softLinx = 0
Sleuth gave up = 0
Sleuth bypassed = 0
Sleuth bypassed zero payload length = 0
Sleuth overflow = 0
Matched nothing = 281567607
Linx rules created = 0
Linx rules deleted = 0
Discarded by the softlinx = 0
Total packets sent to softlinx = 80
Embedded Trigger matches = 0
Engine Trigger matches = 0
Trigger matches = 0
False pkt matches = 80
Good pkt matches = 0
SoftLinx trigger match roll over = 0
Highest flow based trigger match = 0
show reports
Shows the status of data collection for reports.
Syntax
show reports
Example
NGFW{}show reports
CPU Utilization: enabled
Disk Utilization: enabled
Fan Speed: enabled
Memory Utilization: enabled
Network Bandwidth: enabled
Rate Limiter: enabled
Temperature: enabled
Traffic Profile: enabled
VPN: enabled
show service
Shows the state of all the services.
Syntax
show service
Example
NGFW{}show service
Service SSH is active
Service TELNET is inactive
Service HTTP is active
Service IP Forwarding is active
Service IPv6 Forwarding is active
Service SNMP is inactive
Service DNS-PROXY is inactive
Service RIP is inactive
Service RIPng is inactive
Service OSPFv2 is inactive
Service OSPFv3 is inactive
Service BGP is inactive
Service SMR is inactive
Service PIM4SM is inactive
Service PIM6SM is inactive
Service VRRP is inactive
Service Multicast-proxy is inactive
Service DHCPSERVER is inactive
Service DHCP is inactive
Service DHCP RELAY is inactive
Service DHCPv6-CLIENT is inactive
Service NTP is inactive
Service PPP-CtrlPlane is inactive
Service ETHGRP-LACP is inactive
show sms
Syntax
show sms
Example
NGFW{}show sms
Device is not under SMS control
show snmp
Syntax
show snmp
Example
NGFW{}show snmp
#SNMP Status
Enabled : Yes
Version : 2c, 3
Engine ID : 0x800029ee030010f327fe2e
Auth. Traps : Yes
System Name : S8020F
System Object ID : .1.3.6.1.4.1.10734.1.9.7
System ID : NGFW
System Contact : Administrator
System Location : Data Center
#SNMP Trap Sessions
Host: A.B.C.D
Version: 3
Port: 162
Security Name: trap
Level: authPriv
Authentication: SHA
Privacy: AES
Inform: Yes
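Taken together, the `show service` and `show snmp` outputs describe the management-plane listeners that an operator should audit on a schedule. The Python below is an added example and is not part of this reference guide: it parses both outputs (the constructed samples reuse the lines shown in the two examples above) and reports cleartext management services that are active, community-based SNMP versions that are enabled, and trap receivers that are not configured as SNMPv3 authPriv. Which services count as cleartext and the treatment of SNMP versions 1 and 2c as weak are this example's own choices.

```python
import re
from typing import Dict, List

_SERVICE = re.compile(r"^Service (.+?) is (active|inactive)$")
_KV = re.compile(r"^([A-Za-z][A-Za-z. ]*?)\s*:\s*(.*)$")

# Services whose active state means management traffic travels unprotected.
# The classification is this example's, not the guide's.
CLEARTEXT = {"TELNET": "cleartext remote CLI", "HTTP": "cleartext web management"}


def parse_services(text: str) -> Dict[str, bool]:
    """'Service SSH is active' lines -> {'SSH': True, ...}."""
    services: Dict[str, bool] = {}
    for line in text.splitlines():
        m = _SERVICE.match(line.strip())
        if m:
            services[m.group(1)] = m.group(2) == "active"
    return services


def parse_snmp(text: str) -> dict:
    """Split 'show snmp' output into the #SNMP Status fields and trap sessions."""
    status: Dict[str, str] = {}
    traps: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#SNMP Status"):
            current = status
            continue
        if line.startswith("#SNMP Trap Sessions"):
            current = None
            continue
        if line.startswith("Host:"):        # each trap session begins with Host:
            current = {}
            traps.append(current)
        m = _KV.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return {"status": status, "traps": traps}


def findings(services: Dict[str, bool], snmp: dict) -> List[str]:
    """Management-plane weaknesses visible in the two outputs."""
    out: List[str] = []
    for name, why in CLEARTEXT.items():
        if services.get(name):
            out.append(f"service {name} active ({why})")
    status = snmp["status"]
    versions = {v.strip() for v in status.get("Version", "").split(",")}
    weak = sorted(versions & {"1", "2c"})
    if status.get("Enabled") == "Yes" and weak:
        out.append("SNMP community-based version(s) enabled: " + ", ".join(weak))
    for trap in snmp["traps"]:
        if trap.get("Version") != "3" or trap.get("Level") != "authPriv":
            out.append(f"trap receiver {trap.get('Host')} is not SNMPv3 authPriv")
    return out


# Constructed samples built from the output lines shown in the examples above.
SERVICE_OUTPUT = """\
NGFW{}show service
Service SSH is active
Service TELNET is inactive
Service HTTP is active
Service IP Forwarding is active
Service NTP is inactive
"""

SNMP_OUTPUT = """\
NGFW{}show snmp
#SNMP Status
Enabled : Yes
Version : 2c, 3
Engine ID : 0x800029ee030010f327fe2e
Auth. Traps : Yes
System Name : S8020F
System Contact : Administrator
System Location : Data Center
#SNMP Trap Sessions
Host: A.B.C.D
Version: 3
Port: 162
Security Name: trap
Level: authPriv
Authentication: SHA
Privacy: AES
Inform: Yes
"""

if __name__ == "__main__":
    for f in findings(parse_services(SERVICE_OUTPUT), parse_snmp(SNMP_OUTPUT)):
        print(f)
```

On the sample above the script flags the active HTTP service and the enabled SNMP 2c version; the trap receiver passes because it is v3 with authPriv, SHA and AES.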
show system buffers
Shows forwarding buffer state information, if you have administrator privileges.
Syntax
show system buffers
Example
NGFW{}show system buffers
show system connections
Syntax
show system connections [ipv4|ipv6|sctp|unix]
Example
NGFW{}show system connections ipv4
Active Internet connections (servers and established)
vrfid Proto Recv-Q Send-Q Local Address Foreign Address State
0 tcp 0 0 127.0.0.1:60000 0.0.0.0:* LISTEN
0 tcp 0 0 127.0.0.1:616 0.0.0.0:* LISTEN
Example
NGFW{}show system connections unix
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 40709
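The `show system connections` output is the appliance's own view of which sockets are listening and on which address. The Python below is an added example, not code from this reference guide: it parses the netstat-style rows (the constructed sample combines the two LISTEN rows from the example above with rows this example adds, including an ESTABLISHED session, a UDP row that carries no State column, and a vrfid of 500, which the `show ip route debug` example earlier on this page associates with the mgmt interface) and returns the listeners bound to anything other than a loopback address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Socket:
    vrf: int
    proto: str
    local: str
    foreign: str
    state: str          # empty for UDP rows, which print no State column


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'127.0.0.1:60000' -> ('127.0.0.1', 60000); also accepts '[::1]:22' and ':::22'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None


def parse_connections(text: str) -> List[Socket]:
    """Rows of 'show system connections ipv4|ipv6'; banner and header lines are skipped."""
    socks: List[Socket] = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].isdigit():   # data rows begin with the numeric vrfid
            continue
        state = f[6] if len(f) > 6 else ""
        socks.append(Socket(int(f[0]), f[1], f[4], f[5], state))
    return socks


def is_listener(s: Socket) -> bool:
    if s.proto.startswith("tcp"):
        return s.state == "LISTEN"
    return s.proto.startswith("udp")       # a bound UDP socket accepts datagrams


def exposed_listeners(socks: List[Socket]) -> List[Socket]:
    """Listeners bound to a wildcard or non-loopback address, i.e. reachable off-box."""
    exposed: List[Socket] = []
    for s in socks:
        if not is_listener(s):
            continue
        host, _ = split_endpoint(s.local)
        if host in ("", "*"):
            exposed.append(s)
            continue
        try:
            if not ipaddress.ip_address(host).is_loopback:
                exposed.append(s)
        except ValueError:
            exposed.append(s)   # unparseable host: report it rather than silently pass
    return exposed


# Constructed sample: the two LISTEN rows from the example above plus rows
# this example adds (SSH and the web UI on all addresses in vrfid 500, an
# established SSH session, and an SNMP agent UDP socket with no State column).
SAMPLE = """\
NGFW{}show system connections ipv4
Active Internet connections (servers and established)
vrfid Proto Recv-Q Send-Q Local Address Foreign Address State
0 tcp 0 0 127.0.0.1:60000 0.0.0.0:* LISTEN
0 tcp 0 0 127.0.0.1:616 0.0.0.0:* LISTEN
500 tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
500 tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
500 tcp 0 0 192.0.2.10:22 198.51.100.139:51234 ESTABLISHED
500 udp 0 0 0.0.0.0:161 0.0.0.0:*
"""

if __name__ == "__main__":
    for s in exposed_listeners(parse_connections(SAMPLE)):
        print(f"vrf {s.vrf} {s.proto} {s.local} is reachable off-box")
```

Compare the result with the service list from `show service`: a listener that does not correspond to a service you intentionally enabled is worth investigating, and one bound to 0.0.0.0 rather than the management address alone is reachable through every VRF that can route to the box.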
show system processes
Syntax
show system processes [LEVEL]
brief      Brief process information
detail     Detailed process information
extensive  Extensive process information
summary    Active process information
Example
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
3656 root 20 0 11.1g 4.6g 3.7g R 1200 16.7 3691:24 n0
3731 root 20 0 0 0 0 R 100 0.0 307:25.33 dpvi-task3
3730 root 20 0 0 0 0 R 98 0.0 303:42.33 dpvi-task2
3729 root 20 0 0 0 0 R 96 0.0 300:14.52 dpvi-task1
2941 root 20 0 84516 3976 2852 R 2 0.0 4:18.44 syslog-ng
4436 root 20 0 0 0 0 D 2 0.0 1:44.56 fpm-nfct-hf-tas
4216 root 20 0 21496 1112 772 D 0 0.0 0:21.46 sensormond
17380 root 20 0 13084 1292 800 R 0 0.0 0:00.01 top
show system statistics
Syntax
show system statistics [PROTO] [non-zero]
Example
NGFW{}show system statistics
show system usage
Displays the overall system usage, either once or refreshed every INT seconds. Press Ctrl-C to stop a
recurring update.
Syntax
show system usage [update INT]
Example
NGFW{} show system usage update 12
show system virtual-memory
Shows the system’s kernel memory usage in a table with the following column headings.
•name
•active_objs
•num_objs
•objsize
•objperslab
•pagesperslab
•tunables
•limit
•batchcount
•sharedfactor
•slabdata
•active_slabs
•num_slabs
•sharedavail
Syntax
show system virtual-memory
Example
NGFW{}show system virtual-memory
show system xms memory
Shows xms memory statistics.
Syntax
show system xms memory (all|SERVICE)
Example
NGFW{}show system xms memory captive-portals
xmsd memory usage:
+ Service: captive-portals
+ captive-portal-config: 48 Bytes
Maximum amounts: 175 Bytes
Calls to alloc : 1 times
+ Service: misc
+ miscellaneous: 1383 Bytes
Maximum amounts: 1585 Bytes
Calls to alloc : 10 times
+ xmlMem: 4341373 Bytes
Maximum amounts: 85010535 Bytes
Calls to alloc : 53906 times
show terminal
Shows terminal type information.
Syntax
show terminal
Example
NGFW{}show terminal
=============
Terminal configuration:
type 6wind
columns 164
lines 46
show traffic-file
Shows network traffic from a capture file.
Valid entries:
FILENAME  Capture file name
verbose   Configure verbosity level
  INT     Verbosity level (0: minimum verbosity)
proto     Configure captured packets protocol
  PROTO   Protocol name (default: all)
without   Configure excluded packets protocol
  PROTO   Protocol name (default: all)
pcap      Configure pcap-syntax filter
  FILTER  Pcap filter string (e.g. "src port 22")
pager     Show all messages
Example
NGFW{}show traffic-file myfilename
show tse connection-table
Syntax
show tse connection-table TYPE
Example
This example displays the basic IPS state synchronization by viewing the connection table on the active
and passive device.
NGFW{}show tse connection-table blocks
Second device:
NGFW{}show tse connection-table blocks
The ‘TRHA’ indicates this is a connection created by state synchronization.
show tse
Shows threat suppression engine information.
Syntax
show tse (connection-table(blocks|trusts)|rate-limit)
show user-disk
Syntax
show user-disk
Example
NGFW{}show user-disk
External User Disk
Status: Mounted
Encryption: None
Capacity: 3952263168 bytes
Used: 784158720 bytes
Free: 2907357184 bytes
show users
Syntax
show users [locked|ip-locked]
Example
NGFW{}show users
USER IDLE INTERFACE LOGIN IP ADDRESS TYPE
myadminuser 00:00 SSH 2013-07-19 23:42:56 198.51.100.139 LOCAL
show version
Syntax
show version
Example
NGFW{}show version
Serial: X-NGF-S8020F-GENERIC-0001
Software: 1.0.0.3911 Build Date: "Apr 12 2013 02:13:12" Production
Digital Vaccine: 3.2.0.15172
Model: S8020F
HW Serial: PR2AFQ300P
HW Revision: A603
Failsafe: 1.0.0.1801
System Boot Time: Sun Sept 15 21:14:57 2013
Uptime: 05:17:01
shutdown
Shuts down the system.
Syntax
shutdown
Example
NGFW{}shutdown
You are about to shutdown the device.
Please use the front panel buttons to restart the device manually.
Make sure you have Committed all your changes, and clicked the Save
Configuration button if you wish these changes to be applied when the
device is restarted.
WARNING: Are you sure you want to shutdown the system (y/n) [n]:
sms
Allows you to configure SMS settings and release SMS.
snapshot create
Syntax
snapshot create NAME [(reputation|manual|network)]
By default, none of the following are included:
manual      Include manually defined reputation entries in snapshot
network     Include Management port configuration in snapshot
reputation  Include reputation package in snapshot
nonet       Does not restore management port configuration if present in snapshot
Example
NGFW{}snapshot create s_041713
snapshot list
Syntax
snapshot list
Example
NGFW{}snapshot list
Name Date OS Version DV Version Model Restore
tcpdump
Allows you to capture network traffic to the terminal or to a file. You can specify a maximum packet count
or a maximum capture file size; when you record the capture to a file, you must specify one of the two.
Maxsize is the maximum size of the capture file in millions of bytes and is limited by the currently
available disk allocation.
Example
100 packets captured
100 packets received by filter
0 packets dropped by kernel
NGFW{}tcpdump stop
All tcpdump processes stopped.
traceroute
Traceroute shows the path that packets take from the appliance to a destination. It lists every router
they pass through until the destination is reached or the trace fails, and reports the round-trip time of
each hop.
Example
NGFW{}traceroute 192.168.140.254
traceroute: Warning: ip checksums disabled
traceroute to 192.168.140.254 (192.168.140.254), 30 hops max, 46 byte packets
1 192.168.140.254 (192.168.140.254) 0.256 ms 0.249 ms 0.233 ms
traceroute6
Trace IPv6 network routes.
Example
NGFW{}traceroute6 192.168.140.1
user-disk
The external user-disk can be mounted, unmounted, and formatted. Only a user-disk that the user manually
formats and mounts is auto-mounted by the device at boot. The one exception is after an initial install:
the external CFast card present in the box at the time of install is auto-mounted.
The user-disk can be encrypted, but only if the system master-key has been set. Changing the encryption
status of the user-disk causes a format to occur and erases any existing data.
User-disk encryption can also be enabled and disabled from the LSM at System->Settings->Log Configuration.
Modify settings for the external user-disk.
Syntax
user-disk (encryption (enable|disable) | format | mount | unmount)
Example
NGFW{}user-disk unmount
WARNING: Unmounting the external user disk will disable snapshot and packet capture,
and traffic related logs will be stored in memory only.
Do you want to continue (y/n)? [n]: y
Success: User disk unmounted.
Example
NGFW{}user-disk mount
Note: The external user disk will be used for snapshots, packet captures and traffic
related logs. The external user disk will be automatically mounted on reboot.
Do you want to continue (y/n)? [n]: y
Success: User disk mounted.
Example
NGFW{}user-disk format
WARNING: This action will erase all existing data on the external user disk!
Do you want to continue (y/n)? [n]: y
Success: User disk format completed.
Example
NGFW{}user-disk encryption enable
WARNING: Changing the encryption status of the user disk will erase all traffic log,
snapshot, and packet capture data on the disk.
Do you want to continue (y/n)? [n]: y
Success: User disk encryption enabled.
Related commands
show user-disk
master-key
4 Log Configure Commands
Enter the log-configure command to access the log configuration context. Enter a question mark (?) at
the NGFW{log-configure} prompt to display a list of valid command entries. Then enter help command-name
to display help for a specific command.
display
Displays log configuration settings.
Syntax
display [log-sessions] [xml|verbose]
Example
NGFW{log-configure}display
# LOG EMAIL SETTINGS
email set sleepSeconds 300
email set maxRequeue 2016
# LOG ROTATE SETTINGS
rotate set sleepSeconds 600
rotate set defaultFiles 5
rotate set defaultCheckRecords 500
rotate set maxFileSize 100 MB
log-file-size
The system and audit log files are kept on the internal disk; the fwAlert, fwBlock, ipsAlert, ipsBlock,
quarantine, reputationAlert, reputationBlock, visibility, and vpn log files are kept on the external or
ramdisk drive. A size that would over-allocate the disk holding the file is rejected, as the last command
in the example shows (system 50 plus audit 60 exceeds the internal log disk).
Example
NGFW{log-configure}log-file-size system 50
NGFW{log-configure}log-file-size fwAlert 20
NGFW{log-configure}log-file-size audit 60
ERROR: This would over allocate (110%) the Internal log disk!
log-storage
Set local log file allocation of external CFast disk space. Usage value can range from 50 to 99 percent.
Valid entries:
all All log systems
audit Audit system
vpn VPN (IPsec) system
quarantine Quarantine system
logID LogID system
LOGID Log-session ID to test
SEVERITY Set Severity level for log message (default: INFO)
Possible values for SEVERITY are:
rotate
Valid entries:
sleepSeconds         Log rotation sleep time between checks
  SLEEPSEC           Number of seconds log rotation waits between checks
defaultFiles         Default number of log rotation files
  NUMFILES           Number of log rotation files (2 - 20)
defaultCheckRecords  Default number of records between log daemon size checks
  NUMRECORDS         Number of records between log daemon size checks (100 - 65535)
maxFileSize          Maximum size of a 'rotated' log file
  MAXFILESIZE        Max log rotation file size in MB (10 - 500)
  MB                 Megabytes
FILE_NAME            Local log file name
  Files              Number of log rotation files
  Records            Number of records between log daemon size checks
delete               Delete the log rotation parameter
Example
NGFW{log-configure}rotate set sleepSeconds 10
NGFW{log-configure}rotate set visibility Files 5 Records 500
NGFW{log-configure}rotate set vpn Files 5 Records 500
NGFW{log-configure}rotate delete vpn Records
NGFW{log-configure}rotate delete vpn Files
NGFW{log-configure}rotate delete visibility
NGFW{log-configure}rotate set defaultCheckRecords 500
NGFW{log-configure}rotate set defaultFiles 5
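A parser and range check for the rotate settings reported by display, written here as an added Python example rather than taken from the product. The limits are the ones in the parameter table above; sleepSeconds has no documented range and is only checked to be positive; per-file lines are assumed to appear in the display output in the same form as the rotate set command, and the sample output is constructed.

```python
"""Range-check `rotate set` lines from NGFW{log-configure} display output."""
import re
from typing import Dict, List, Tuple

# Inclusive limits from the parameter table (maxFileSize is in MB).
GLOBAL_RANGES: Dict[str, Tuple[int, int]] = {
    "defaultFiles": (2, 20),
    "defaultCheckRecords": (100, 65535),
    "maxFileSize": (10, 500),
}
# Per-file Files/Records use the same limits as the defaults.
PER_FILE_RANGES: Dict[str, Tuple[int, int]] = {
    "Files": (2, 20),
    "Records": (100, 65535),
}

GLOBAL_RE = re.compile(r"^rotate set (\w+) (\d+)(?: MB)?$")
PER_FILE_RE = re.compile(r"^rotate set (\w+)((?: (?:Files|Records) \d+)+)$")

# Constructed sample: the display example above plus two per-file lines,
# one of which is deliberately out of range.
SAMPLE_OUTPUT = """\
# LOG EMAIL SETTINGS
email set sleepSeconds 300
email set maxRequeue 2016
# LOG ROTATE SETTINGS
rotate set sleepSeconds 600
rotate set defaultFiles 5
rotate set defaultCheckRecords 500
rotate set maxFileSize 100 MB
rotate set visibility Files 5 Records 500
rotate set vpn Files 1 Records 50
"""


def parse_rotate(text: str) -> Dict[str, Dict[str, int]]:
    """Return {"global": {param: value}, "<log>": {"Files"/"Records": n}}."""
    settings: Dict[str, Dict[str, int]] = {"global": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("rotate set"):
            continue  # comments and the email section are ignored
        m = PER_FILE_RE.match(line)
        if m:  # per-file form: rotate set <log> Files N Records N
            entry = settings.setdefault(m.group(1), {})
            for key, val in re.findall(r"(Files|Records) (\d+)", m.group(2)):
                entry[key] = int(val)
            continue
        m = GLOBAL_RE.match(line)
        if m:  # global form: rotate set <param> N [MB]
            settings["global"][m.group(1)] = int(m.group(2))
    return settings


def check_rotate(settings: Dict[str, Dict[str, int]]) -> List[str]:
    """List every value outside its documented range (empty list = clean)."""
    problems: List[str] = []
    glob = settings.get("global", {})
    if glob.get("sleepSeconds", 1) <= 0:
        problems.append("sleepSeconds must be positive")
    for key, (lo, hi) in GLOBAL_RANGES.items():
        if key in glob and not lo <= glob[key] <= hi:
            problems.append(f"{key}={glob[key]} outside {lo}-{hi}")
    for name, entry in settings.items():
        if name == "global":
            continue
        for key, (lo, hi) in PER_FILE_RANGES.items():
            if key in entry and not lo <= entry[key] <= hi:
                problems.append(f"{name} {key}={entry[key]} outside {lo}-{hi}")
    return problems


if __name__ == "__main__":
    for problem in check_rotate(parse_rotate(SAMPLE_OUTPUT)):
        print(problem)
```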
5 Edit Running Configuration Commands
Enter the edit command to access the configuration mode. In edit mode, you can perform numerous
configurations, such as firewall rules and policies, and authentication. Once you have executed the edit
command, the CLI prompt will appear as NGFW{running}. Configuration options and sub-contexts are
available until you exit. To exit the edit configuration mode, enter exit.
The configuration mode enables administrators with the appropriate credentials to write configuration
changes to the active (running) configuration. The logon account used to configure the device must either
be associated with the Superuser role or the Administrator role to edit the configuration context. The
configuration mode has different context levels that provide access to a specific set of configuration
commands.
Configuration Contexts by Function
Monitor/System
Table 5-1 Monitor and System Commands
NGFW{running-actionsets}actionset myactionset
NGFW{running-actionsets-myactionset}help
NGFW{running-actionsets-myactionset}?
Valid entries at this position are:
action Set action type, available value: permit, rate-limit, block, trust
allow-access Allow quarantined host to access defined IP
bytes-to-capture Set bytes to capture for packet trace
contact Add a notify contact
delete Delete file or configuration item
display Display file or configuration item
help Display help information
http-block Set quarantine option to block HTTP traffic
http-custom Set or clear HTTP custom text display option
http-redirect Set redirect URL for HTTP redirect option
http-showdesc Set or clear HTTP show desc display option
http-showname Set or clear HTTP show name display option
limit-quarantine Add IP for limit quarantine
limit-rate Set the rate value for rate-limit action
no-quarantine Add IP for no quarantine
nonhttp-block Set quarantine option to block non-HTTP traffic
packet-trace Enable/disable packet trace option
priority Set packet trace priority
quarantine Set quarantine option, available value: no, immediate, threshold
tcp-reset Set tcp reset option for block action, can be disable, source, dest or both
threshold Set quarantine threshold value
verbosity Set packet trace verbosity
Related commands
running-actionsets Context Commands
addressgroups
Enters address group context.
Syntax
addressgroups
Example
NGFW{running}addressgroups
NGFW{running-addressgroups}help
NGFW{running-addressgroups}?
Valid entries at this position are:
addressgroup Create or enter an address group context
delete Delete address group parameters
help Display help information
rename Rename address group
Enters the application-group context mode. Application groups can be associated with firewall rules and
can only be defined by the LSM, not the CLI. There are CLI commands that are similar in syntax to security
categories, but the criteria parameter is deliberately obfuscated. Also, like security categories, application
group queries are not editable from the CLI.
NOTE: Attempting to create an application group from the CLI will result in an error while parsing the
CRITERIASTRING parameter.
The CRITERIASTRING format is deliberately obfuscated and not supported to prevent users from creating
or editing application group criteria from the CLI. Support for setting and getting criteria through the
obfuscated format is included so that users can still copy output of CLI display commands and paste them
back in.
display
enable
help [full|COMMAND]
list
periodic
proxy ADDR port PORT
proxy-password PASSWD
proxy-username USER
update
NGFW{running-autodv}?
Valid entries at this position are:
calendar Enter Calender Style
delete Delete file or configuration item
disable Disable service
display Display file or configuration item
enable Enable service
help Display help information
list List Installed DVs
periodic Enter Periodic Style
proxy Configure proxy
proxy-password Proxy password
proxy-username Proxy username
update Update AutoDV
Related commands
running-autodv Context Commands
blockedStreams
Enters blockedStreams context mode.
Syntax
blockedStreams
Example
NGFW{running}blockedStreams
NGFW{running-blockedStreams}help
Valid commands are:
flushallstreams
flushstreams
help [full|COMMAND]
list
delete rule all|RULEID
help [full|COMMAND]
rename rule RULEID NEWRULEID
rule (auto|RULEID) [POSITION_VALUE]
set max-session-time MINUTES
set inactive-timeout MINUTES
set port PORT
set certificate CERTNAME
set login-page|status-page foreground-color|background-color HEX|COLOR
set login-page header-HTML|footer-HTML|failed-HTML
set status-page foreground-color|background-color HEX|COLOR
set status-page main-HTML
reset max-session-time|inactive-timeout|port|certificate
reset login-page|status-page foreground-color|background-color
reset login-page header-HTML|footer-HTML|failed-HTML
reset status-page main-HTML
Related commands
running-captive-portal Context Commands
certificates
Enters certificates context mode.
Syntax
certificates
Example
NGFW{running}certificates
NGFW{running-certificates}help
Valid commands are:
# Enter context
crl
NGFW{running}cluster
NGFW{running-cluster}help
Valid commands are:
check CHECK_TYPE enable|disable
cluster-name NAME
delete standby
enable|disable
help [full|COMMAND]
member-id ID
member-name NAME
standby
tct
NGFW{running-cluster}?
Valid entries at this position are:
check Perform consistency check
cluster-name Apply Cluster Name
delete Delete file or configuration item
disable Disable clustering
enable Enable clustering
help Display help information
member-id Cluster Member ID
member-name Cluster member name
standby Set the device on standby
tct Enter cluster traffic context
delete proxy cache maximum negative ttl
delete proxy cache maximum ttl
delete proxy cache size
domain-name NAME
domain-search primary NAME
help [full|COMMAND]
name-server A.B.C.D|X:X::X:X
proxy cache cleaning interval cache cleaning interval in minutes
proxy cache forwarder A.B.C.D|X:X::X:X
proxy cache maximum negative ttl cache maximum negative TTL in minutes
proxy cache maximum ttl cache maximum TTL in minutes
proxy cache size cache size in megabytes
proxy enable|disable
NGFW{running-dns}?
Valid entries at this position are:
delete Delete file or configuration item
domain-name Configure domain name
domain-search Configure domain search
help Display help information
name-server Configure DNS server
proxy Configure proxy
proxy Enable or disable proxy
NGFW{running-dnat}?
Valid entries at this position are:
delete Delete destination NAT rule(s)
help Display help information
rename Rename destination NAT rule
rule Create or enter a rule context
NGFW{running-firewall}?
Valid entries at this position are:
default-block-rule Apply action set for default block rule
delete Delete firewall rule
help Display help information
rename Rename a firewall rule
rule Create or enter a rule context
# Other commands
arp A.B.C.D INTERFACE MAC
auto-restart enable|disable
delete arp all|(ENTRY INTERFACE)
delete host NAME|all
delete ndp all|(ENTRY INTERFACE)
ephemeral-port-range default|(LOWRANGE HIGHRANGE)
forwarding ipv4|ipv6 enable|disable
help [full|COMMAND]
host NAME A.B.C.D|X:X::X:X
https enable|disable
inband-management enable|disable
management-service all|dns|email|ldap|ntp|radius|remote-syslog|snmp management|network
ndp X:X::X:X INTERFACE MAC
ssh enable|disable
xmsd remote (port PORT [address A.B.C.D])|disable
NGFW{running-gen}?
Valid entries at this position are:
arp Configure static ARP entry
auto-restart Enable/disable automatic restart on detection of critical
delete Delete file or configuration item
display Display general context
ephemeral-port-range Set the range of the ephemeral port (default is 32768-61000)
forwarding Enable or disable IPv4/IPv6 forwarding
help Display help information
host Configure static address to host name association
https Enable or disable WEB server configuration
inband-management Inband Management
management-service Management of a service to use management port or network port
ndp Configure static NDP entry
ssh Enable or disable ssh service
timezone Display or configure time zone
unknown-app (ips-profile IPSPROFILE|none)|(reputation-profile REPPROFILE|none)
display [xml]
help [full|COMMAND]
NGFW{running-global-inspection}?
Valid entries at this position are:
default-inspection Apply default inspection profile
display Display global inspection profile configuration
help Display help information
unknown-app Apply inspection profile during application detection phase
delete failover-group name
enable|disable
failover-group base-mac X:X:X:X:X:X
failover-group name NAME
help [full|COMMAND]
state-sync (global [enable|disable])|(FEATURE [enable|disable|(log-level SEVERITY)])
NGFW{running-high-availability}?
Valid entries at this position are:
delete Delete file or configuration item
disable Disable high-availability
enable Enable high-availability
failover-group Failover Group
help Display help information
state-sync State synchronization
state-sync State synchronization
global Turn state synchronization on or off
enable Enable state synchronization
disable Disable state synchronization
FEATURE Specify a state synchronization table
Possible values for FEATURE are:
firewall Firewall state synchronization table
ips IPS state synchronization table
routing Routing state synchronization table
log-level Specify logging level
SEVERITY Log service severity
Possible values for SEVERITY are:
emergency Panic condition messages
alert Immediate problem condition messages
critical Critical condition messages
error Error messages
warning Warning messages
notice Special condition messages
info Informational messages
debug Debug messages
none Turn off messages
NGFW{running-high-availability}state-sync ?
Valid entries at this position are:
firewall Firewall state synchronization table
ips IPS state synchronization table
routing Routing state synchronization table
global Turn state synchronization on or off
Related commands
running-high-availability Context Commands
interface
Enters interface context mode. The X represents a number to be entered, such as bridge2.
NGFW{running}interface bridge2
NGFW{running-bridge2}?
Valid entries at this position are:
arp/ndp Enable or disable ARP and NDP on interface
autoconfv6 Enable or disable IPv6 autoconfiguration on interface
bind Bind bridged network interface over ethernet/VLAN/agglink
delete Delete file or configuration item
description Enter description for the interface
help Display help information
ip Configure IP settings
ipaddress Configure IP address
ipv6 Configure IPv6 settings
mtu Configure interface MTU
prefix Configure IPv6 prefix
ra-autoconf-level Modify IPv6 Router Advertisement autoconfiguration level
ra-interval Modify IPv6 Router Advertisement interval value
ra-interval-transmit Modify IPv6 Router Advertisement interval transmit
ra-lifetime Modify IPv6 Router Advertisement prefix lifetime
ra-mtu Modify IPv6 Router Advertisement MTU value
ra-transmit-mode Modify IPv6 Router Advertisement transmit mode
router-advert Configure IPv6 Router Advertisement parameters
shutdown Shutdown logical interface state
tcp4mss Configure interface TCP MSS for IPv4
tcp6mss Configure interface TCP MSS for IPv6
NGFW{running-bridge2}help
Related commands
running-agglinkX Context Commands
running-bridgeX Context Commands
running-ethernetX Context Commands
running-greX Context Commands
running-l2tpX Context Commands
running-loopbackX Context Commands
running-mgmt Context Commands
running-pppoeX Context Commands
running-pptpX Context Commands
running-vlanX Context Commands
ip
IP configuration mode.
Syntax
ip access-list NAME (permit|deny) A.B.C.D/M
ip as-path access-list NAME (permit|deny) ASN_FILTER
delete ip as-path access-list NAME (permit|deny) ASN_FILTER
ip community-list NAME (permit|deny)
delete ip community-list NAME (permit|deny)
ip prefix-list NAME (permit|deny) A.B.C.D/M [ge GE-VALUE] [le LE-VALUE]
ip route A.B.C.D/M A.B.C.D|INTERFACE [DISTANCE]
ipv6 route X:X::X:X/M (X:X::X:X[%INTERFACE])|INTERFACE [DISTANCE]
display ip route
Valid entries:
access-list Access list
as-path AS Path access list
community-list Community list
prefix-list Prefix list
route Add an IPv4 static route
NGFW{running-ips}?
Valid entries at this position are:
afc-mode AFC mode
afc-severity AFC severity
connection-table Connection table timeout
delete Delete a profile
deployment-choices Get deployment choices
display Display all ips configuration and profiles
display-categoryrules Display category rules for all profiles
gzip-decompression GZIP decompression mode
help Display help information
profile Create/enter a IPS profile
quarantine-duration Quarantine duration
rename Rename a profile
NGFW{running-l2tp-server0}?
Valid entries at this position are:
auth Authenticated configuration
bind Configure bind service of L2TP server
delete Delete file or configuration item
help Display help information
hiding Enable or disable hiding configuration
sequencing Enable or disable sequence configuration
Related commands
running-l2tp-serverX Context Commands
Enters log context mode. Note that the 'Management Console' notification contact for the Audit log cannot
be modified.
NGFW{running-log}?
Valid entries at this position are:
delete Delete file or configuration item
help Display help information
log Add a Notification Contact to a log service
log-option Add service log option
sub-system set sub-system log level
NGFW{running-log}display
# LOG SERVICES
log system "Management Console" notice
#log audit "Management Console" ALL
log vpn "Management Console" info
log quarantine "Management Console" ALL
# SUB-SERVICES
sub-system INIT info
sub-system XMS notice
sub-system TOS info
sub-system HTTPD notice
sub-system GATED none
sub-system LOGIN notice
sub-system PACEMAKER error
sub-system COROSYNC notice
sub-system CRMADMIN none
NGFW{running-multicast-registration}?
Valid entries at this position are:
help Display help information
igmp-version Configure system IGMP version
mld-version Configure system MLD version
NGFW{running-multicast-registration}igmp-version mode ?
Valid entry at this position is:
MODE Define IGMP mode (force or default)
Related commands
running-multicast-registration Context Commands
notifycontacts
Enters notify contacts context mode.
Syntax
notifycontacts
Example
NGFW{running}notifycontacts
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-notifycontacts}help
Valid commands are:
contact CONTACTNAME
contact NEWNAME email
contact NEWNAME snmp COMMUNITY IP [PORT]
delete contact XCONTACTNAME
display
email-from-address EMAIL
email-from-domain DOMAIN
email-server IP
email-threshold THRESHOLD
email-to-default-address EMAIL
help [full|COMMAND]
rename contact XCONTACTNAME NEWNAME
NGFW{running-notifycontacts}?
Valid entries at this position are:
contact Create or edit a notify contact
delete Delete file or configuration item
display Display all available contacts
email-from-address From email address
email-from-domain From domain name
email-server Set mail server IP
email-threshold Set email threshold
email-to-default-address Default to email address
help Display help information
rename Rename contact with new name
Related commands
running-notifycontacts (email) Context Commands
ntp
Enters NTP context mode.
Syntax
ntp
Example
NGFW{running}ntp
NGFW{running-ntp}help
Valid commands are:
delete key all|ID
delete server all|HOST
help [full|COMMAND]
key (1-65535) VALUE
ntp enable|disable
polling-interval SECONDS
server dhcp|NAME [key ID] [prefer]
NGFW{running-ntp}?
Valid entries at this position are:
delete Delete file or configuration item
help Display help information
key Configure NTP authentication key
ntp Enable or disable NTP
polling-interval Configure minimum polling interval
server Configure remote NTP server
Related commands
running-ntp Context Commands
reputation
Enters Reputation context mode.
Syntax
reputation
Example
NGFW{running}reputation
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-rep}help
Valid commands are:
delete group USERGROUP
delete profile XPROFILENAME
display
group USERGROUP
help [full|COMMAND]
profile PROFILENAME
rename group USERGROUP NEWUSERGROUP
rename profile XPROFILENAME NEWPROFILENAME
NGFW{running-rep}?
Valid entries at this position are:
delete Delete file or configuration item
display Display all reputation profiles and groups
group Create/enter reputation group context
help Display help information
profile Create/enter reputation profile context
rename Rename a reputation profile or group
NGFW{running}help route-map
Enter the route-map context
Syntax: route-map ROUTE-MAP-NAME permit|deny ENTRY-POSITION
route-map Enter the route-map context
ROUTE-MAP-NAME Route-map name
permit Permit the network prefix
deny Deny the network prefix
ENTRY-POSITION Position of the route-map entry (1-65535)
Valid entries:
bgp Enter the BGP context
ASNUMBER The autonomous system number (1-2147483647)
ospf Enter the OSPF context
ospfv3 Enter the OSPFv3 context
pim-smv4 Enter the PIM-SM IPv4 context
pim-smv6 Enter the PIM-SM IPv6 context
rip Enter the RIP context
ripng Enter the RIPng context
smr Enter the SMR context
NGFW{running-schedules}?
Valid entries at this position are:
delete Delete a schedule
help Display help information
rename Rename a schedule
schedule Create or enter a schedule context
Related commands
running-schedules Context Commands
segmentX
Enters Segment context mode. The X represents a segment number, for example segment0.
# Other commands
description TEXT
help [full|COMMAND]
NGFW{running-segment0}?
Valid entries at this position are:
bind Bind ethernet port pairs to segment
delete Delete file or configuration item
description Enter description for the segment
help Display help information
high-availability Intrinsic HA Layer 2 Fallback action
link-down Link down synchronization mode
restart Restart both Ethernet ports of segment
NGFW{running-segment0}help bind
Bind ethernet port pairs to segment
Syntax: bind bind
bind Bind ethernet port pairs to segment
bind ethernet port pairs
Related commands
running-segmentX Context Commands
services
Enters services context mode.
Syntax
services
Example
NGFW{running}services
NGFW{running-services}help
Valid commands are:
delete service all|USERSERVICENAME
help [full|COMMAND]
rename service USERSERVICENAME NEWSERVICENAME
restore-default
service SERVICENAME
NGFW{running-services}?
Valid entries at this position are:
delete Delete service(s)
help Display help information
rename Rename service
restore-default Restore default services
service Create or enter a service context
Related commands
running-services Context Commands
snmp
Enters SNMP context mode.
Syntax
snmp
Example
NGFW{running}snmp
NGFW{running-snmp}help
Valid commands are:
authtrap enable|disable
community COMMUNITY SOURCE
delete community COMMUNITY|all
delete trapsession (HOST ver VERSION)|all
delete username (USERNAME|all)
engineID ENGINE-ID
help [full|COMMAND]
snmp enable|disable
trapsession HOST [port PORT] ver 2c COMMUNITY [inform]
trapsession HOST [port PORT] ver 3 USERNAME level noAuthNoPriv [inform]
trapsession HOST [port PORT] ver 3 USERNAME level authNoPriv authtype AUTHTYPE
Valid entries at this position are:
authtrap Configure SNMP authentication failure trap
community Configure SNMP read-only community
delete Delete file or configuration item
engineID Configure SNMPv3 engine ID
help Display help information
snmp Enable or disable SNMP
trapsession Configure a trap/inform
username Configure SNMPv3 USM read-only user
NGFW{running-snat}?
Valid entries at this position are:
delete Delete source NAT rule(s)
help Display help information
rename Rename source NAT rule
rule Create or enter a rule context
delete vpn (all|NAME)
help [full|COMMAND]
ipsec enable|disable
log vpn CONTACT-NAME [SEVERITY]
manual
phase1 VERSION proposal NAME
phase2 VERSION proposal NAME
policy NAME [PRIORITY]
pre-shared-key local A.B.C.D|X:X::X:X|LFQDN remote A.B.C.D|X:X::X:X|RFQDN|any
retransmit-timeout TIMEOUT
retransmit-tries COUNT
trust CANAME
user
vpn NAME
NGFW{running-ipsec}?
Valid entries at this position are:
delete Delete file or configuration item
help Display help information
ipsec Enable or disable IPsec
log Add a Notification Contact to a log service
manual Enter manual Security Association context
phase1 Enter Phase1 proposal context
phase2 Enter Phase2 proposal context
policy Enter IPSec Policy context
pre-shared-key Configure pre-shared key (start with 0x for hexadecimal key)
retransmit-timeout Configure IKEv2 Dead Peer Detection retransmission timeout in
retransmit-tries Configure IKEv2 Dead Peer Detection maximum retransmission
NGFW{running}zones
NGFW{running-zones}help
Valid commands are:
delete zone all|ZONENAME
help [full|COMMAND]
rename zone ZONENAME NEWZONENAME
zone ZONENAME
NGFW{running-zones}?
Valid entries at this position are:
delete Delete security zone(s)
help Display help information
rename Rename a specified zone
zone Enter security zone context
Related commands
running-zones Context Commands
Contexts and Related Commands
running-aaa Context Commands
NGFW{running-aaa}delete
Delete file or configuration item.
Syntax
delete ldap-group (LDAPNAME|all)
delete radius-group (RADIUSNAME|all)
delete role (ROLE|all)
delete user (USER|all)
delete user-group (USERGROUP|all)
Example
NGFW{running}aaa
NGFW{running-aaa}delete ldap-group group1
NGFW{running-aaa}delete radius-group group1
NGFW{running-aaa}delete role myrole1
NGFW{running-aaa}delete user myuser1
NGFW{running-aaa}delete user-group group1