HP TippingPoint Next Generation Firewall Command Reference Guide

HP TippingPoint Next Generation Firewall Command Line

Interface Reference Guide

Version1.0.1

Abstract

This reference manual describes the Next Generation Firewall Command Line Interface (CLI) and the commands you can use to configure and manage a NGFW appliance.

*5998-4803*

Part number: 5998-4803 Edition: August 2013, First

Legal and notice information

Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard. The information is provided “as is” without warranty of any kind and is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

TippingPoint® , the TippingPoint logo, and Digital Vaccine® are registered trademarks of Hewlett-Packard All other company and product names may be trademarks of their respective holders. All rights reserved. This document contains confidential information, trade secrets or both, which are the property of Hewlett-Packard No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from Hewlett-Packard or one of its subsidiaries.

Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.

Intel and Itanium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation.

Oracle® is a registered U.S. trademark of Oracle Corporation, Redwood City, California.

UNIX® is a registered trademark of The Open Group.

Printed in US or Puerto Rico

Next Generation Firewall Command Line Interface Reference Guide

Publication Part Number: 5998-4803

Table of Contents

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Target Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Typefaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Document Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1 Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Command Line Interface Syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Shortcut Navigation Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Hierarchical Menu and Prompt display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Root Command Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Edit Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Configuration File Versions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2 Global Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

commit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

more . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

3 Root Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

flush . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

log-configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

master-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

ping6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

save-config. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

service-access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

show aaa. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

show agglink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

show arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

show ndp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

CLI Reference Guide i

show autoconf dhcpv4 client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

show autoconf dhcpv6 client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

show autoconf ra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

show cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

show date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

show dhcp relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

show dhcp server lease . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

show dhcpv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

show dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

show firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

show high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

show interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

show ip bgp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

show ip igmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

show ip mroute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

show ip ospf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

show ip pim-sm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

show ip rip. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

show ip route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

show ip smr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

show ipv6 mld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

show ipv6 mroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

show ipv6 ospfv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

show ipv6 pim-sm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

show ipv6 ripng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

show ipv6 route ospfv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

show ipv6 route ripng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

show (ip|ipv6) route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

show key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

show l2tp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

show license. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

show log-file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

show log-file FILE_NAME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

show log-file FILE_NAME stat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

show log-file summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

show log-file boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

show mfg-info. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

show np engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

show np general statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

show np protocol-mix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

show np reassembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

show np rule-stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

show np softlinx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

show np tier-stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

show quarantine-list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

show reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

show service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

show sms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

show snmp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

show system buffers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

show system connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . 43

show system processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

show system statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

show system usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

show system virtual-memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

show system xms memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

show terminal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

show traffic-file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

show tse connection-table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

show tse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

show user-disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

show users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

show version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

sms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

snapshot create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

snapshot list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

snapshot remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

snapshot restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

tcpdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

traceroute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

traceroute6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

user-disk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

4 Log Configure Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

email. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

log-file-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

log-storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

log-test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

rotate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

5 Edit Running Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Configuration Contexts by Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Monitor/System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Edit Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

aaa. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

actionsets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

addressgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

application-filter-mgmt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

application-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

application-visibility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

autodv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

blockedStreams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

captive-portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

dst-nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

gen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

global-inspection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

ips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

l2tp-serverX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

multicast-registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

notifycontacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

CLI Reference Guide iii

ntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

reputation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

route-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

schedules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

segmentX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

src-nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Contexts and Related Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

running-aaa Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

running-aaa-ldap-group-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

running-aaa-radius-group-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

running-actionsets Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

running-actionsets-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

running-addressgroups Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

running-addressgroups-X Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

running-agglinkX Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

running-app-filter-mgmt Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

running-app-groups Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

running-app-groups-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

running-autodv Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

running-autodv-calendar Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

running-autodv-periodic Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

running-bgp-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

running-blockedStreams Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

running-bridgeX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

running-captive-portal Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

running-captive-portal-rule-X Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

running-certificates Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

running-certificates-crl Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

running-cluster Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

running-cluster-tct Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

running-dhcp-relay Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

running-dhcp-server Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

running-dhcp-server-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

running-dnat Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

running-dnat-rule-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

running-dns Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

running-ethernetX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

running-firewall Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

running-firewall-rule-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

running-gen Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

running-global-inspection Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

running-greX Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

running-high-availability Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

running-ips Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

running-ips-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

running-ipsec Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

running-ipsec-policy-X Context Commands and their Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

running-ipsec-vpn-X Context Commands and their Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

running-l2tp-serverX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

running-l2tpX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

running-log Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

running-loopbackX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

running-manual-sa Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

running-mgmt Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

running-multicast-registration Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

running-notifycontacts (email) Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

running-notifycontacts-X (SNMP) Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

running-ntp Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

running-phase1-proposal-X Context Commands and their Usage . . . . . . . . . . . . . . . . . . . . . . . . . 190

running-phase1-proposal-X Context Commands and their Usage . . . . . . . . . . . . . . . . . . . . . . . . . 191

running-ospf Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

running-ospfv3 Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

running-pim-smv4 Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

running-pim-smv6 Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

running-pppoeX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

running-pptpX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

running-rep Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

running-rep-X (group X) Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

running-rep-X (profile X) Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

running-rip Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

running-ripng Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

running-route-map Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

running-schedules Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

running-schedules-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

running-segmentX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

running-services Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

running-services-X Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

running-smr Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

running-snat Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

running-snat-rule-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

running-snmp Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

running-vlanX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

running-zones Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

running-zones-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

CLI Reference Guide v

About This Guide

The Next Generation Firewall command line interface enables you to configure and manage the NGFW Appliance from a command line. The NGFW commands can be used in custom scripts to automate tasks.

This section covers the following topics:

• Target Audience, page 1

• Related Documentation, page 1

• Document Conventions, page 2

• Customer Support, page 3

Target Audience

This guide is intended for security network administrators and specialists that have the responsibility of monitoring, managing, and improving system security. The audience for this material is expected to be familiar with the HP TippingPoint Next Generation Firewall.

Document Conventions

This guide uses the following document conventions.

• Typefaces, page 2

• Document Messages, page 2

Typefaces

HP TippingPoint publications use the following typographic conventions for structuring information:

Table 1-1 Document Typographic conventions

Convention Element

Medium blue text: Figure 1

Blue, underlined text (http://www.hp.com

Bold font • Key names

Italics font Text emphasis, important terms, variables, and publication titles.

Monospace font • File and directory names

Monospace, italic font • Code variables

Monospace, bold font Emphasis of file and directory names, system output, code, and text

Document Messages

Document messages are special text that is emphasized by font, format, and icons. This reference guide contains the following types of messages:

Cross-reference links and e-mail addresses

)

Web site addresses

• Text typed into a GUI element, such as into a box

• GUI elements that are clicked or selected, such as menu and list

items, buttons, and check boxes. Example: Click

• System output

• Code

• Text typed at the command-line

• Command-line variables

typed at the command line

OK to accept.

• Warning

• Caution

• Note

• Tip

WARNING! Warning notes alert you to potential danger of bodily harm or other potential harmful

consequences.

CAUTION: Caution notes provide information to help minimize risk, for example, when a failure to follow

directions could result in damage to equipment or loss of data.

NOTE: Notes provide additional information to explain a concept or complete a task. Notes of specific

importance in clarifying information or instructions are denoted as such.

IMPORTANT: Another type of note that provides clarifying information or specific instructions.

TIP: Tips provide helpful hints and shortcuts, such as suggestions about how you can perform a task more

easily or more efficiently.

Customer Support

HP is committed to providing quality customer support to all of its customers. Each customer is provided with a customized support agreement that provides detailed customer and support contact information. When you need technical support, use the following information to contact Customer Support.

Contact Information

For additional information or assistance, contact the HP Networking Support:

http://www.hp.com/networking/support

Before contacting HP, collect the following information:

• Product model names and numbers

• Technical support registration number (if applicable)

• Product serial numbers

• Error messages

• Operating system type and revision level

• Detailed questions

HP Contact Information

For the name of the nearest HP authorized reseller, see the contact HP worldwide web site:

http://www.hp.com/country/us/en/wwcontact.html

CLI reference guide 3

1 Command Line Interface

In addition to the Local System Manager (LSM) and the Centralized Management Capability of the Security Management System (SMS), a Command-line Interface (CLI) can be used to configure and manage the NGFW Appliance. The CLI is accessed directly through the console or remotely through SSH. Non-secure connections, such as Telnet, are not permitted. For the initial set up, the "superuser" account is set for the appliance. Once that is set, you can login from the console and set the management port IP address. SSH and HTTPS are then accessible at the management port IP address.

NOTE: To access the most recent updates to the NGFW product documentation, go to

http://www.hp.com/support/manuals.

This chapter covers the following topics:

•”Overview” on page 5

•”Command Modes” on page 7

•”Configuration File Versions” on page 9

Overview

This chapter covers the hierarchical structure of the CLI, the command line syntax, and an overview on how to edit, save and manage configuration files. Also provided, are a list of unix like utilities for monitoring and troubleshooting the system. The

display command displays sections of the running configuration file, or can be used to list a preview of

your configuration file edits before making a commitment to save.

show command provides easy to read sections from log files. The

Access to the NGFW is through the console to initially configure management access. The management port is enabled by default for SSH and LSM management access. All access is determined by group membership and the management of their roles. To configure granular levels of access, the aaa (Authentication and Authorization and Auditing) context has the necessary utilities to modify users, groups, roles, and their capabilities.

Command Line Interface Syntax

The following syntax is used in the CLI.

Table 1-1 Command Line Syntax

Syntax Convention Explanation

UPPERCASE Uppercase replaced by a value that you supply

(x) Parentheses indicate a mandatory argument.

[x] Brackets indicate an optional argument.

| A vertical bar indicates a logical OR - such as alternatives within

Example:

NGFW{}traceroute ? (displays help information) NGFW{}traceroute (A.B.C.D|HOSTNAME) [from A.B.C.D] [mgmt]

In the above example, arguments for the Traceroute command must either use a IP address or the hostname. An optional argument can either be “from” a source IP address or the argument “mgmt”.

parentheses or brackets.

NGFW{}traceroute 198.162.0.1 from 198.162.0.2 NGFW{}traceroute 198.162.0.1 mgmt

NGFW Command Line Interface Reference 5

Shortcut Navigation Keys

The CLI has the ability to store typed commands in a circular memory. Typed commands can be recalled with the UP and DOWN arrow keys.

The TAB key may be used to complete partial commands. If the partial command is ambiguous, pressing the TAB key twice gives a list of possible commands.

Following is a list of shortcuts.

Table 1-2 Shortcut Keys

Shortcut Description

ENTER Run the command

TAB Complete partial command

? Question mark at the root prompt or after a command (separated by

! Exclamation mark before a command allows you to execute the

UP ARROW Show the previous command

space) will list next valid sub-commands or command arguments. Question mark can also be used after sub-commands for more information. A question mark immediately following a character(s) (no space) will list commands beginning with those characters.

command from any feature context or sub-level. For example,

NGFW{running-gen}!ping 203.0.113.0

DOWN ARROW Show the next command

Ctrl + P Show the previous command

Ctrl + N Show the next command

Ctrl + L Clear the screen, does not clear history

Ctrl + A Return to the start of the command you are typing

Ctrl + E Go to the end of the command you are typing

Ctrl + U Cut the whole line to a special clipboard

Ctrl + K Cut everything after the cursor to a special clipboard

Ctrl + Y Paste from the special clipboard used by Ctrl + U and Ctrl + K

Hierarchical Menu and Prompt display

Prompts will be displayed based on the context level as shown in the following table.

Table 1-3 Root, Edit and Log configuration modes

Command Line prompt Description

NGFW{}

NGFW{}edit

Top level root command mode

From the root command line mode, enter the edit command to access configuration mode.

NGFW{running}

NGFW{running}firewall

NGFW{running}display

NGFW{running}commit

NGFW{running}exit

6 Command Line Interface

Configuration mode - indicated with the prompt change

Enters the firewall configuration context

View current configuration and your changes

Commits changes to the running configuration

Leaves the current context mode

Table 1-3 Root, Edit and Log configuration modes

Command Line prompt Description

NGFW{}log-configure

NGFW{log-configure}

NGFW{log-configure}help

NGFW{log-configure}exit

Help

The help command provides a list of commands within the current context and the command line usage. The help command can be executed with or without an argument.

•Enter help or ? to see a list of all commands. (question mark at any context level generates a list of available commands within the context, along with a brief description)

•Enter help

•Enter

commandname commandname string

? to show the commands or keywords that match the string. For example, s?.

Command Modes

From the root command line mode, enter the log-configure command to access the log configuration mode.

log configuration mode

display list of valid commands and syntax usage

leave the log configuration mode

to see the syntax for a command.

? to list the options for a command. For example, ping ?.

The NGFW uses a hierarchical menu structure. Within this structure, commands are grouped by functional area within one of three command modes: Root Command mode, Edit Configuration mode (edit), and Log Configuration mode (log-configure). At the top of the hierarchy is the Root command mode.

NGFW{} Root command line mode NGFW{running} Edit configuration mode NGFW{log-configure} Log configuration mode

A context is an environment in which a set of parameters can be configured for a feature or named object. A context can be the name of an instance of an object set by the administrator, or can be the feature itself. The current context is indicated in the command prompt, and it’s visibility is determined by the user’s role.

Administrative access allows the ability to modify the configuration of the NGFW appliance. Not all contexts may be visible.

The

help and display commands are useful in becoming familiar with the context options. The question

mark (?) lists the next valid entry and help for this entry.

If the appliance is controlled by SMS, only read-only access will be available to the system resources. To determine if the SMS controls the unit, or to change the control, see the

Root Command Mode

When you initially enter the NGFW Appliance, either through the console or SSH, you will be placed at the top level root command line mode with the NGFW{} prompt. The commands at this level are used for managing and monitoring system operations for the various subsystems. From the root command mode, you can access the configuration mode, and the available operational commands that apply to the unit as a whole. To view the commands available at this level, type prompt.

sms command usage.

help[full|COMMAND] at the command

NGFW{}help

The default NGFW{} command prompt can be changed using the host name command in the interface

mgmt

context of the edit mode. For example:

NGFW Command Line Interface Reference 7

NGFW{}edit NGFW{running}interface mgmt NGFW{running-mgmt}help host (displays valid entries for configuring management port host settings) NGFW{running-mgmt}host ? (displays valid entries for host command) NGFW{running-mgmt}host name yourhostname

For a list of root commands and their usage see the Root Commands section.

NOTE: Your membership role determines your command line interface.

Edit Configuration Mode

The configuration mode enables administrators with the appropriate credentials to write configuration changes to the active (running) configuration. The logon account used to configure the device must either be associated with the Superuser role or the Administrator role to edit the configuration context. The configuration mode has different context levels that provide access to a specific set of configuration commands. To enter the configuration mode, use the edit command. Once you have executed the edit command the CLI prompt will indicate that you are in the Edit mode, and can make configuration changes. Configuration options, and sub contexts are available for use until you exit. To exit the edit configuration mode, type exit.

When exiting the configuration mode, the following warning appears:

“WARNING: Modifications will be lost. Are you sure to exit (y/n)? [n]”

will discard any uncommitted changes you made to the configuration file, and n will keep you in the

edit context.

The display command is a helpful utility to view the current running configuration and to review your configuration changes before you save the changes.

NGFW{running} display

A commit command must be used to save your changes to the running configuration.

The command hierarchy has two types of statements. The Container statement, which contain objects and the Object statement, which are actual commands with options.

For example:

• Container statement in edit mode:

NGFW{running}log NGFW{running-log}? (help will list all the available entries)

• Object statement:

NGFW{running} application-visibility enable|disable (help will display command options)

A brief overview of what you can do within the edit configuration mode:

• Issue a command that configures a setting in the candidate configuration setting. The candidate configuration allows you to make configuration changes without causing changes to the active configuration until you can review your changes and issue the

commit command.

• Enter into a container context to access additional configuration settings.

•Run the modifications you make can be viewed using the

•Run the

display command to see your candidate configuration settings for a context. Any

display command.

Commit command to save any changes from your candidate configuration to the running

configuration.

•

Exit from a context.

8 Command Line Interface

NOTE: As you move through the context menu hierarchies, the command prompt changes accordingly.

The

help or display command can be entered at any level.

Configuration File Versions

When troubleshooting or needing to rollback a configuration, the current configuration setup can be viewed. Reviewing network configuration files should be a necessary step to becoming knowledgeable about your current system setup. When the device is initially configured, make sure the settings are saved to the persistent configuration with the snapshot using the following command:

NGFW{}snapshot create orig_conf

Snapshots capture the configuration of a device, which can then be delivered to technical support for troubleshooting. Users can also use snapshots to save and re-apply configurations. Snapshots include the currently installed OS version, and cannot be restored on a device that is not running the same version of the OS. If a snapshot restore needs to be completed, use the following command:

NGFW{}snapshot restore orig_conf

A warning message is displayed, followed by an automatic reboot when snapshot restore is completed.

The NGFW Appliance CLI uses the deferred-commit model. In this capacity, the architecture maintains a set of configuration files to ensure that a working configuration is persistently maintained. This configuration set includes the following configuration files.

NGFW{}save-config command. It’s also advisable to create a

Utilities

• Running configuration — this version is currently executing on the system. Any changes that administrators make from the will take effect once they have been committed, by issuing the committed, all modifications are discarded on administrators are on the system, the version that was last committed is used as the current running configuration and is visible to other administrators, once they have exited the prompt is displayed if the committed changes would overwrite configuration that was made by another administrator since the configuration was edited.

• Saved (persistent) configuration — this is the running configuration that was last committed prior to executing the configuration when the system reboots.

• Start configuration — This is a backup copy of the configuration file saved at the time of system startup, and is loaded at the next system bootup. The persistent and running configuration that was the last known good configuration.

NOTE: Future versions of the product will support multiple named saved configuration sets.

The Display and Show commands are helpful for troubleshooting and monitoring the operational status of the system. Command line usage can be found in Root Commands.

save-config command. NGFW copies the saved configuration to the start

edit mode (except for IPS features, action sets and notification contacts)

Commit command. If changes are not

exit from the running context. If multiple

edit mode. A warning

rollback-config command can be used to rollback to a

Display

Enter display to see your candidate configuration settings for a context. Any modifications you make can be viewed using the command is executed. If executed at the configuration level, it displays the entire configuration of the unit. Executing the display command with a configuration name parameter, or from within a context displays the contents of that particular configuration.

display command. The output of the display command depends on where the

NGFW Command Line Interface Reference 9

Show

The show command is most efficient in providing critical information, such as traffic usage, router platform type, operating system revision, amount of memory, and the number of interfaces. The

show command can

also be used to evaluate logging, troubleshooting, tracking resources, sessions, and security settings. To view all the available

show utilities, enter the help show command at the root command level. All the

available commands along with the correct command line usage are displayed.

10 Command Line Interface

2 Global Commands

Global commands can be used in any context.

commit

Initiates all pending configuration changes in the edit mode.

NOTE: This command does not write the modifications to the startup configuration file. However, the

save-config command can be run from the edit configuration context by using the exclamation mark.

Syntax

commit

Example

NGFW{running}commit NGFW{running}!save-config

exit

Exits the current context.

help

Syntax

exit

Example

NGFW{running-aaa}exit NGFW{running}

Displays help information.

Syntax

help [full|COMMAND]

Example

NGFW{running}help log Enter log context Syntax: log log Enter log context

Example

NGFW{running-firewall}help Valid commands are: default-block-rule DEFACTIONSET delete rule all|XRULEID help [full|COMMAND] rename rule XRULEID NEWRULEID rule (auto|RULEID) [POSITION_VALUE]

NGFW Command Line Interface Reference 11

display

Set session to display output page by page.

Syntax

more (enable|disable)

Example

NGFW{running}more enable

Displays the current configuration, or the candidate configuration before a commit is issued. Display options vary by context, enter the "help display" command in a context to view the available options.

Syntax

display display [xml]

Example

NGFW{running-aaa-user-myuser1}display # USER ID user myuser1

12 Global Commands

3 Root Commands

The top level root command line mode displays the NGFW{} prompt. Commands at this level are used for managing and monitoring system operations for the various subsystems. From the root command mode, you can access the configuration mode, and the available commands that apply to the appliance as a

boot

whole. Enter commands or help on a specific command.

NGFW{}help

The default NGFW{} command prompt can be changed using the host name command in the interface

mgmt

context of the edit mode. For example:

Manages software packages.

Syntax

boot (list-image|rollback)

help full or help COMMANDNAME at the command prompt to display a list of available

clear

Example

NGFW{}boot list-image Index Version

------------------------------------------------------

0 1.0.0.3935 1 1.0.0.2923 2 1.0.0.3932 3 1.0.0.3917 Oldest Index is 2 Factory Reset Index is 3

Clears system information.

Syntax

clear np engine filter clear np engine packet clear np engine parse clear np engine reputation dns clear np engine reputation ip clear np engine rule clear np reassembly ip clear np reassembly tcp clear np rule-stats

NGFW Command Line Interface Reference 13

date

clear np softlinx clear np tier-stats clear counter policy clear rate-limit streams clear users all [locked|ip-locked] clear users (NAME|A.B.C.D|X:X::X:X) [locked]

Example

NGFW{}clear log-file vpn

Example

NGFW{}clear ip bgp 10.10.10.10 soft in Not cleared BGP is not active

Example

NGFW{}clear ip bgp external soft

Example

NGFW{}clear users fred

Used alone to display the current date, or with arguments to configure the date in a 24 hour format. The date command shows the current time in the time zone configured on the device and the "gmt" argument shows the time in GMT (UTC).

edit

flush

Syntax

date [MMDDhhmm[[CC]YY][.ss]]) date gmt

Example

NGFW{}date 071718202013.59 (sets date to July 17 2013 6:20PM 59 seconds)

The edit context modifies the configuration that identifies the security policy and interfaces that you can configure for your firewall.

Edit takes an instance of the running configuration file. This instance is your

version. After making modifications to this candidate configuration version, you have the option of saving it to the running configuration, or discarding any changes you made. To discard, simply your candidates configuration, enter the

commit command before exiting the edit context. To see

exit. To save

commands under the edit context, see edit configuration.

NGFW{} NGFW{}edit NGFW{running} NGFW{running}commit NGFW{running}exit NGFW{}

Flushes the following configuration items.

Syntax

flush (arp|ndp) flush ipsec sa policy NAME [id ID] flush ike sa [policy NAME [id ID]] flush bgp [ip] A.B.C.D [(in prefix-filter)|in|out|(soft [in|out])|rsclient]

14 Root Commands

flush bgp ip A.B.C.D [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft [in|out])]

flush bgp ip A.B.C.D [vpnv4 unicast in|out|(soft [in|out])] flush bgp ipv6 X:X::X:X [(in prefix-filter)|in|out|(soft [in|out])|rsclient] flush bgp [ip] dampening [A.B.C.D/M|(A.B.C.D [A.B.C.D])] flush bgp [ip] external [(in prefix-filter)|in|out|(soft [in|out])] flush bgp ip external [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft

[in|out])] flush bgp ip PEERAS [vpnv4 unicast in|out|(soft [in|out])] flush bgp [ip|ipv6] all [(in prefix-filter)|in|out|(soft [in|out])|rsclient] flush bgp ip all [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft

[in|out])] flush bgp ip all [vpnv4 unicast in|out|(soft [in|out])] flush bgp [ip|ipv6] peer-group [(in prefix-filter)|in|out|(soft [in|out])] flush firewall-session (all|ID) [family (ipv4|ipv6)]

Example

NGFW{}flush firewall-session 134217756 Success NGFW{}flush ipsec sa policy mytunnel

help

Displays help information at any context level.

high-availability

Manage high-availability devices.

Syntax

high-availability force (active|passive) high-availability segment force (normal|fallback)

Example

NGFW{}high-availability segment force normal Status: OK

list

Displays traffic capture file list.

Syntax

list traffic-file

Example

NGFW{}list traffic-file

log-configure

Enter log configuration context.

NGFW Command Line Interface Reference 15

Syntax

log-configure

Example

Related Commands

Log Configure Commands

logout

Logs you out of the system.

Syntax

logout

Example

NGFW{} logout

master-key

The system master-key is used to encrypt the removable user-disk (the external CFast), and the system keystore. The user-disk holds traffic logs, packet capture data, and system snapshots. The keystore retains data such as device certificates and private keys.

NGFW{}log-configure NGFW{log-configure}help NGFW{log-configure}show log-file summary

The master-key has the following complexity requirements:

• Must be between 9 and 32 characters in length.

• Combination of upper and lower case alpha and numbers.

• Must contain at least one “special” char (eg: !@#$%)

• Set or clear the master key for keystore and external Cfast user-disk encryption.

Syntax

master-key (clear|get|set)

Example

Get the master key for keystore and user-disk encryption

NGFW{}master-key set

WARNING: Master key will be used to encrypt the keystore and external user disk. Do you want to continue (y/n)? [n]: y Enter Master Key : **************** Re-enter Master Key: **************** Success: Master key has been set.

Example

NGFW{}master-key get Success: My.1.MasterKey!!

Example

NGFW{}master-key clear

WARNING: Clearing master key will remove encryption from the keystore and external user disk.

Do you want to continue (y/n)? [n]: y Success: Master key has been cleared.

16 Root Commands

ping

Test connectivity with ICMP traffic. The mgmt option uses the management interface.

Syntax

ping (A.B.C.D|HOSTNAME) [count INT] [maxhop INT] [from A.B.C.D] [mgmt] [datasize INT] ping (A.B.C.D|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [from A.B.C.D] [mgmt]

[datasize (64-65468)] ping6 (X:X::X:X|HOSTNAME) [count INT] [maxhop INT] [interface INTERFACE] [from

X:X::X:X] [datasize INT] ping6 (X:X::X:X|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [interface INTERFACE]

[from X:X::X:X] [datasize (64-65468)]

Example

NGFW{}ping 192.168.1.1 mgmt ping using mgmt port PING 192.168.1.1 (192.168.1.1): 56 data bytes 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 vrfid=500 time=0.4 ms 64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 vrfid=500 time=0.1 ms 64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 vrfid=500 time=0.1 ms 64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 vrfid=500 time=0.1 ms

--- 192.168.1.1 ping statistics ---

4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 0.1/0.1/0.4 ms

ping6

reboot

Test connectivity with ICMPv6 traffic

Syntax

ping6 (X:X::X:X|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [interface INTERFACE] [from X:X::X:X] [datasize (64-65468)]

Example

NGFW{}ping6 100:0:0:0:0:0:0:1 ping using data ports PING 100:0:0:0:0:0:0:1 (100:0:0:0:0:0:0:1): 56 data bytes 64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=1 ttl=64 vrfid=0 time=0.3 ms 64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=2 ttl=64 vrfid=0 time=0.1 ms 64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=3 ttl=64 vrfid=0 time=0.1 ms 64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=4 ttl=64 vrfid=0 time=0.1 ms

--- 100:0:0:0:0:0:0:1 ping statistics ---

4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 0.1/0.1/0.3 ms

Reboots the system.

Syntax

reboot

Example

NGFW{}reboot WARNING: Are you sure you want to reboot the system (y/n) [n]:

NGFW Command Line Interface Reference 17

Reports

Configure data collection for on-box reports.

Syntax

Valid entries: reset Delete report data enable Start data collection for reports disable Stop data collection for reports all All reports (default) cpu CPU utilization report disk Disk utilization report fan Fan speed report memory Memory utilization report network Network bandwidth report rate-limiter Rate Limiter report temperature Temperature report traffic-profile Traffic Profile report vpn VPN report

Example

NGFW{}reports enable cpu NGFW{}reports reset cpu WARNING: Are you sure you want to reset cpu reports (y/n)? [n]:

Related Commands

show reports

save-config

Saves the running configuration to a persistent configuration.

Syntax

save-config

Example

NGFW{}save-config WARNING: Saving will apply this configuration at the next system start. Continue

(y/n)? [n]:

service-access

Enable or disable service access.

Syntax

service-access (enable|disable)

Example

NGFW{}service-access enable Serial: X-NGF-S1020F-GENERIC-001 Salt: Zk0lenyg NGFW{}service-access disable

18 Root Commands

set

show

Syntax

set cli filtering rule (auto-comment|no-auto-comment|(last-auto-comment-value INT))

Example

NGFW{}set cli filtering rule auto-comment NGFW{}set cli filtering rule no-auto-comment

The show command enables you to view current system configuration, status, and statistics.

Table 3-1 Show command

Command Description

show aaa show AAA information

show agglink Show agglink status

show arp Show Address Resolution Protocol entries

show autoconf dhcpv4 client IPv4 Dynamic Host Configuration Protocol

show autoconf dhcpv6 client IPv6 Dynamic Host Configuration Protocol

show autoconf ra Show autoconfig Router Advertisement information

show cluster Show cluster status

show date Show the current router date and time

show dhcp relay Show DHCPv4 Relay information

show dhcp server lease Display DHCP server leases history

show dhcpv6 Show DHCPv6 client lease

show dns Show Domain Name Service

show firewall Displays firewall rules and sessions.

show high-availability Show high-availability status

show interface Show network interface

show ip bgp Show the Border Gateway Protocol information

show ip igmp Show Internet Group Management Protocol

show ip mroute Show Multicast Static IP route

show ip ospf Show Open Shortest Path First (OSPF) information

show ip pim-sm Show PIM-SM routing information

show ip rip Show the RIP routes

show ip route Show the unicast routes

show ip smr Show SMR routing information

show ipv6 mld Show IPv6 routing information for MLD group or

interface

show ipv6 mroute Show IPv6 routing information for multicast routes

show ipv6 ospfv3 Show the OSPFv3 unicast routes

NGFW Command Line Interface Reference 19

Table 3-1 Show command

Command Description

show ipv6 pim-sm Show ipv6 Protocol Independent Multicast - Sparse

Mode (PIM-SM) routing information

show ipv6 ripng Show RIPng routing information

show ipv6 route ripng Show ripng route information

show (ip|ipv6) route Show the unicast routes

show key Show local server SSH key information

show l2tp Show Layer 2 Tunneling Protocol information

show license Shows the license number and status

show log-file Shows the logfiles

show log-file boot Shows the boot file

show mfg-info Show manufacturing information

show ndp Show Neighbor Discovery Protocol

show np engine Show net processor statistics

show np general statistics Show general network processor information

show np protocol-mix Show network processor protocol-level statistics

show np reassembly Show network processor reassembly statistics

show np rule-stats Show network processor rules, number of flows,

successful matches

show np softlinx Show network processor softlinx statistics

show np tier-stats Show network processor throughput and utilization for

each tier

show quarantine-list Show quarantine list information

show reports Show status of data collection for reports

show service Show network service information

show sms Show status of SMS control

show snmp Show SNMP information

show system buffers Show Forwarding buffer state

show system connections Show active socket information

show system processes Show system processes

show system statistics Show system-wide protocol-related statistics

show system usage Show system usage

show system virtual-memory Show system virtual memory

show system xms memory Show xms memory usage

show terminal Show terminal settings

show traffic-file Show network traffic from file

show tse connection-table Show TSE connection-table information

20 Root Commands

Table 3-1 Show command

Command Description

show users Show users information

show version Show device version information

show aaa

Syntax

show aaa capabilities USER

Example

show aaa capabilities fred NGFW{}show aaa capabilities fred ID NAME STATE

--------------------------------------------1 NGFW full 2 SECURITY full 3 FIREWALLRULES full 4 SECURITYZONES full 5 APPLICATIONGROUPS full 6 ADDRESSGROUPS full 7 SERVICES full 8 SCHEDULES full 9 INSPECTIONPROFILES full 10 IPS full 11 IPREPUTATION full 12 PROFILEGROUPS full 13 CAPTIVEPORTALRULES full 14 NATRULES full 15 ACTIONSETS full 16 SYSTEM full 17 SMSMANAGED full 18 MANAGEMENT full 19 DNS full 20 IPFILTERS full 21 UPGRADE full 22 NOTIFICATION full 23 LOGGING full 24 HIGHAVAILABILITY full 25 HACONFIGURATION full 26 HASTATE full 27 SNMP full 28 TIME full 29 FIPS full 30 UPDATE full 31 PACKAGES full 32 AUTODV full 33 SNAPSHOT full 34 USERAUTH full 35 LOCALUSER full 36 USERGROUP full 37 ROLES full 38 RADIUS full 39 LDAP full

NGFW Command Line Interface Reference 21

40 CAPTIVEPORTAL full 41 GENERAL full 42 X509CERT full 43 VPN full 44 IKE full 45 IKECONFIGURATION full 46 IKESTATUS full 47 IPSEC full 48 IPSECCONFIGURATION full 49 IPSECSTATUS full 50 L2TP full 51 L2TPCONFIGURATION full 52 L2TPSTATUS full 53 REPORTING full 54 LOG full 55 FIREWALLLOG full 56 IPSLOG full 57 REPUTATIONLOG full 58 VPNLOG full 59 SYSTEMLOG full 60 AUDITLOG full 61 SECURITYREPORTS full 62 NETWORKREPORTS full 63 DEBUGTOOLS full 64 REBOOT full 65 SHUTDOWN full 66 SERVICEACCESS full 67 NETWORK full 68 INTERFACES full 69 SEGMENTS full 70 DHCPSERVER full 71 DHCPRELAY full 72 ARPNDP full 73 STATICROUTES full 74 STATICMONITOREDROUTES full 75 DYNAMICROUTING full 76 ACCESSLISTS full 77 ROUTEMAPS full 78 OSPF full 79 RIP full 80 BGP full 81 MULTICAST full 82 ROUTINGTABLE full 83 COMPACTFLASH full 84 CUSTOMCATEGORIES full 85 APPLICATIONVISIBILITY full 86 GLOBALINSPECTIONPROFILE full 87 DEBUGNP full

show agglink

Displays information about whether or not the member ports are up in the aggregated link.

Syntax

show (agglink|INTERFACE)

22 Root Commands

+ 222 hidden pages

HP TippingPoint Next Generation Firewall Command Reference Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

About This Guide

Target Audience

Related Documentation

Document Conventions

Customer Support

Overview

Command Modes

Configuration File Versions

2 Global Commands

3 Root Commands