HP TippingPoint Next Generation Firewall Command Reference Guide

HP TippingPoint Next Generation Firewall Command Line

Interface Reference Guide

Version1.0.1

Abstract

This reference manual describes the Next Generation Firewall Command Line Interface (CLI) and the commands you can use to configure and manage a NGFW appliance.

*5998-4803*

Part number: 5998-4803 Edition: August 2013, First

Legal and notice information

Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard. The information is provided “as is” without warranty of any kind and is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

TippingPoint® , the TippingPoint logo, and Digital Vaccine® are registered trademarks of Hewlett-Packard All other company and product names may be trademarks of their respective holders. All rights reserved. This document contains confidential information, trade secrets or both, which are the property of Hewlett-Packard No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from Hewlett-Packard or one of its subsidiaries.

Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.

Intel and Itanium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation.

Oracle® is a registered U.S. trademark of Oracle Corporation, Redwood City, California.

UNIX® is a registered trademark of The Open Group.

Printed in US or Puerto Rico

Next Generation Firewall Command Line Interface Reference Guide

Publication Part Number: 5998-4803

Table of Contents

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Target Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Typefaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Document Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1 Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Command Line Interface Syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Shortcut Navigation Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Hierarchical Menu and Prompt display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Root Command Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Edit Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Configuration File Versions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2 Global Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

commit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

more . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

3 Root Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

flush . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

log-configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

master-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

ping6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

save-config. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

service-access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

show aaa. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

show agglink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

show arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

show ndp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

CLI Reference Guide i

show autoconf dhcpv4 client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

show autoconf dhcpv6 client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

show autoconf ra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

show cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

show date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

show dhcp relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

show dhcp server lease . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

show dhcpv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

show dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

show firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

show high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

show interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

show ip bgp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

show ip igmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

show ip mroute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

show ip ospf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

show ip pim-sm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

show ip rip. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

show ip route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

show ip smr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

show ipv6 mld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

show ipv6 mroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

show ipv6 ospfv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

show ipv6 pim-sm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

show ipv6 ripng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

show ipv6 route ospfv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

show ipv6 route ripng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

show (ip|ipv6) route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

show key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

show l2tp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

show license. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

show log-file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

show log-file FILE_NAME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

show log-file FILE_NAME stat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

show log-file summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

show log-file boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

show mfg-info. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

show np engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

show np general statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

show np protocol-mix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

show np reassembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

show np rule-stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

show np softlinx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

show np tier-stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

show quarantine-list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

show reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

show service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

show sms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

show snmp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

show system buffers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

show system connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . 43

show system processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

show system statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

show system usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

show system virtual-memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

show system xms memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

show terminal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

show traffic-file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

show tse connection-table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

show tse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

show user-disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

show users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

show version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

sms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

snapshot create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

snapshot list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

snapshot remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

snapshot restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

tcpdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

traceroute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

traceroute6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

user-disk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

4 Log Configure Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

email. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

log-file-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

log-storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

log-test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

rotate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

5 Edit Running Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Configuration Contexts by Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Monitor/System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Edit Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

aaa. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

actionsets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

addressgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

application-filter-mgmt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

application-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

application-visibility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

autodv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

blockedStreams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

captive-portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

dst-nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

gen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

global-inspection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

ips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

l2tp-serverX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

multicast-registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

notifycontacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

CLI Reference Guide iii

ntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

reputation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

route-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

schedules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

segmentX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

src-nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Contexts and Related Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

running-aaa Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

running-aaa-ldap-group-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

running-aaa-radius-group-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

running-actionsets Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

running-actionsets-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

running-addressgroups Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

running-addressgroups-X Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

running-agglinkX Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

running-app-filter-mgmt Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

running-app-groups Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

running-app-groups-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

running-autodv Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

running-autodv-calendar Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

running-autodv-periodic Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

running-bgp-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

running-blockedStreams Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

running-bridgeX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

running-captive-portal Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

running-captive-portal-rule-X Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

running-certificates Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

running-certificates-crl Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

running-cluster Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

running-cluster-tct Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

running-dhcp-relay Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

running-dhcp-server Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

running-dhcp-server-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

running-dnat Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

running-dnat-rule-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

running-dns Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

running-ethernetX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

running-firewall Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

running-firewall-rule-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

running-gen Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

running-global-inspection Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

running-greX Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

running-high-availability Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

running-ips Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

running-ips-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

running-ipsec Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

running-ipsec-policy-X Context Commands and their Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

running-ipsec-vpn-X Context Commands and their Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

running-l2tp-serverX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

running-l2tpX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

running-log Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

running-loopbackX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

running-manual-sa Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

running-mgmt Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

running-multicast-registration Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

running-notifycontacts (email) Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

running-notifycontacts-X (SNMP) Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

running-ntp Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

running-phase1-proposal-X Context Commands and their Usage . . . . . . . . . . . . . . . . . . . . . . . . . 190

running-phase1-proposal-X Context Commands and their Usage . . . . . . . . . . . . . . . . . . . . . . . . . 191

running-ospf Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

running-ospfv3 Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

running-pim-smv4 Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

running-pim-smv6 Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

running-pppoeX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

running-pptpX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

running-rep Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

running-rep-X (group X) Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

running-rep-X (profile X) Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

running-rip Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

running-ripng Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

running-route-map Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

running-schedules Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

running-schedules-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

running-segmentX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

running-services Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

running-services-X Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

running-smr Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

running-snat Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

running-snat-rule-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

running-snmp Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

running-vlanX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

running-zones Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

running-zones-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

CLI Reference Guide v

About This Guide

The Next Generation Firewall command line interface enables you to configure and manage the NGFW Appliance from a command line. The NGFW commands can be used in custom scripts to automate tasks.

This section covers the following topics:

• Target Audience, page 1

• Related Documentation, page 1

• Document Conventions, page 2

• Customer Support, page 3

Target Audience

This guide is intended for security network administrators and specialists that have the responsibility of monitoring, managing, and improving system security. The audience for this material is expected to be familiar with the HP TippingPoint Next Generation Firewall.

Document Conventions

This guide uses the following document conventions.

• Typefaces, page 2

• Document Messages, page 2

Typefaces

HP TippingPoint publications use the following typographic conventions for structuring information:

Table 1-1 Document Typographic conventions

Convention Element

Medium blue text: Figure 1

Blue, underlined text (http://www.hp.com

Bold font • Key names

Italics font Text emphasis, important terms, variables, and publication titles.

Monospace font • File and directory names

Monospace, italic font • Code variables

Monospace, bold font Emphasis of file and directory names, system output, code, and text

Document Messages

Document messages are special text that is emphasized by font, format, and icons. This reference guide contains the following types of messages:

Cross-reference links and e-mail addresses

)

Web site addresses

• Text typed into a GUI element, such as into a box

• GUI elements that are clicked or selected, such as menu and list

items, buttons, and check boxes. Example: Click

• System output

• Code

• Text typed at the command-line

• Command-line variables

typed at the command line

OK to accept.

• Warning

• Caution

• Note

• Tip

WARNING! Warning notes alert you to potential danger of bodily harm or other potential harmful

consequences.

CAUTION: Caution notes provide information to help minimize risk, for example, when a failure to follow

directions could result in damage to equipment or loss of data.

NOTE: Notes provide additional information to explain a concept or complete a task. Notes of specific

importance in clarifying information or instructions are denoted as such.

IMPORTANT: Another type of note that provides clarifying information or specific instructions.

TIP: Tips provide helpful hints and shortcuts, such as suggestions about how you can perform a task more

easily or more efficiently.

Customer Support

HP is committed to providing quality customer support to all of its customers. Each customer is provided with a customized support agreement that provides detailed customer and support contact information. When you need technical support, use the following information to contact Customer Support.

Contact Information

For additional information or assistance, contact the HP Networking Support:

http://www.hp.com/networking/support

Before contacting HP, collect the following information:

• Product model names and numbers

• Technical support registration number (if applicable)

• Product serial numbers

• Error messages

• Operating system type and revision level

• Detailed questions

HP Contact Information

For the name of the nearest HP authorized reseller, see the contact HP worldwide web site:

http://www.hp.com/country/us/en/wwcontact.html

CLI reference guide 3

1 Command Line Interface

In addition to the Local System Manager (LSM) and the Centralized Management Capability of the Security Management System (SMS), a Command-line Interface (CLI) can be used to configure and manage the NGFW Appliance. The CLI is accessed directly through the console or remotely through SSH. Non-secure connections, such as Telnet, are not permitted. For the initial set up, the "superuser" account is set for the appliance. Once that is set, you can login from the console and set the management port IP address. SSH and HTTPS are then accessible at the management port IP address.

NOTE: To access the most recent updates to the NGFW product documentation, go to

http://www.hp.com/support/manuals.

This chapter covers the following topics:

•”Overview” on page 5

•”Command Modes” on page 7

•”Configuration File Versions” on page 9

Overview

This chapter covers the hierarchical structure of the CLI, the command line syntax, and an overview on how to edit, save and manage configuration files. Also provided, are a list of unix like utilities for monitoring and troubleshooting the system. The

display command displays sections of the running configuration file, or can be used to list a preview of

your configuration file edits before making a commitment to save.

show command provides easy to read sections from log files. The

Access to the NGFW is through the console to initially configure management access. The management port is enabled by default for SSH and LSM management access. All access is determined by group membership and the management of their roles. To configure granular levels of access, the aaa (Authentication and Authorization and Auditing) context has the necessary utilities to modify users, groups, roles, and their capabilities.

Command Line Interface Syntax

The following syntax is used in the CLI.

Table 1-1 Command Line Syntax

Syntax Convention Explanation

UPPERCASE Uppercase replaced by a value that you supply

(x) Parentheses indicate a mandatory argument.

[x] Brackets indicate an optional argument.

| A vertical bar indicates a logical OR - such as alternatives within

Example:

NGFW{}traceroute ? (displays help information) NGFW{}traceroute (A.B.C.D|HOSTNAME) [from A.B.C.D] [mgmt]

In the above example, arguments for the Traceroute command must either use a IP address or the hostname. An optional argument can either be “from” a source IP address or the argument “mgmt”.

parentheses or brackets.

NGFW{}traceroute 198.162.0.1 from 198.162.0.2 NGFW{}traceroute 198.162.0.1 mgmt

NGFW Command Line Interface Reference 5

Shortcut Navigation Keys

The CLI has the ability to store typed commands in a circular memory. Typed commands can be recalled with the UP and DOWN arrow keys.

The TAB key may be used to complete partial commands. If the partial command is ambiguous, pressing the TAB key twice gives a list of possible commands.

Following is a list of shortcuts.

Table 1-2 Shortcut Keys

Shortcut Description

ENTER Run the command

TAB Complete partial command

? Question mark at the root prompt or after a command (separated by

! Exclamation mark before a command allows you to execute the

UP ARROW Show the previous command

space) will list next valid sub-commands or command arguments. Question mark can also be used after sub-commands for more information. A question mark immediately following a character(s) (no space) will list commands beginning with those characters.

command from any feature context or sub-level. For example,

NGFW{running-gen}!ping 203.0.113.0

DOWN ARROW Show the next command

Ctrl + P Show the previous command

Ctrl + N Show the next command

Ctrl + L Clear the screen, does not clear history

Ctrl + A Return to the start of the command you are typing

Ctrl + E Go to the end of the command you are typing

Ctrl + U Cut the whole line to a special clipboard

Ctrl + K Cut everything after the cursor to a special clipboard

Ctrl + Y Paste from the special clipboard used by Ctrl + U and Ctrl + K

Hierarchical Menu and Prompt display

Prompts will be displayed based on the context level as shown in the following table.

Table 1-3 Root, Edit and Log configuration modes

Command Line prompt Description

NGFW{}

NGFW{}edit

Top level root command mode

From the root command line mode, enter the edit command to access configuration mode.

NGFW{running}

NGFW{running}firewall

NGFW{running}display

NGFW{running}commit

NGFW{running}exit

6 Command Line Interface

Configuration mode - indicated with the prompt change

Enters the firewall configuration context

View current configuration and your changes

Commits changes to the running configuration

Leaves the current context mode

Table 1-3 Root, Edit and Log configuration modes

Command Line prompt Description

NGFW{}log-configure

NGFW{log-configure}

NGFW{log-configure}help

NGFW{log-configure}exit

Help

The help command provides a list of commands within the current context and the command line usage. The help command can be executed with or without an argument.

•Enter help or ? to see a list of all commands. (question mark at any context level generates a list of available commands within the context, along with a brief description)

•Enter help

•Enter

commandname commandname string

? to show the commands or keywords that match the string. For example, s?.

Command Modes

From the root command line mode, enter the log-configure command to access the log configuration mode.

log configuration mode

display list of valid commands and syntax usage

leave the log configuration mode

to see the syntax for a command.

? to list the options for a command. For example, ping ?.

The NGFW uses a hierarchical menu structure. Within this structure, commands are grouped by functional area within one of three command modes: Root Command mode, Edit Configuration mode (edit), and Log Configuration mode (log-configure). At the top of the hierarchy is the Root command mode.

NGFW{} Root command line mode NGFW{running} Edit configuration mode NGFW{log-configure} Log configuration mode

A context is an environment in which a set of parameters can be configured for a feature or named object. A context can be the name of an instance of an object set by the administrator, or can be the feature itself. The current context is indicated in the command prompt, and it’s visibility is determined by the user’s role.

Administrative access allows the ability to modify the configuration of the NGFW appliance. Not all contexts may be visible.

The

help and display commands are useful in becoming familiar with the context options. The question

mark (?) lists the next valid entry and help for this entry.

If the appliance is controlled by SMS, only read-only access will be available to the system resources. To determine if the SMS controls the unit, or to change the control, see the

Root Command Mode

When you initially enter the NGFW Appliance, either through the console or SSH, you will be placed at the top level root command line mode with the NGFW{} prompt. The commands at this level are used for managing and monitoring system operations for the various subsystems. From the root command mode, you can access the configuration mode, and the available operational commands that apply to the unit as a whole. To view the commands available at this level, type prompt.

sms command usage.

help[full|COMMAND] at the command

NGFW{}help

The default NGFW{} command prompt can be changed using the host name command in the interface

mgmt

context of the edit mode. For example:

NGFW Command Line Interface Reference 7

NGFW{}edit NGFW{running}interface mgmt NGFW{running-mgmt}help host (displays valid entries for configuring management port host settings) NGFW{running-mgmt}host ? (displays valid entries for host command) NGFW{running-mgmt}host name yourhostname

For a list of root commands and their usage see the Root Commands section.

NOTE: Your membership role determines your command line interface.

Edit Configuration Mode

The configuration mode enables administrators with the appropriate credentials to write configuration changes to the active (running) configuration. The logon account used to configure the device must either be associated with the Superuser role or the Administrator role to edit the configuration context. The configuration mode has different context levels that provide access to a specific set of configuration commands. To enter the configuration mode, use the edit command. Once you have executed the edit command the CLI prompt will indicate that you are in the Edit mode, and can make configuration changes. Configuration options, and sub contexts are available for use until you exit. To exit the edit configuration mode, type exit.

When exiting the configuration mode, the following warning appears:

“WARNING: Modifications will be lost. Are you sure to exit (y/n)? [n]”

will discard any uncommitted changes you made to the configuration file, and n will keep you in the

edit context.

The display command is a helpful utility to view the current running configuration and to review your configuration changes before you save the changes.

NGFW{running} display

A commit command must be used to save your changes to the running configuration.

The command hierarchy has two types of statements. The Container statement, which contain objects and the Object statement, which are actual commands with options.

For example:

• Container statement in edit mode:

NGFW{running}log NGFW{running-log}? (help will list all the available entries)

• Object statement:

NGFW{running} application-visibility enable|disable (help will display command options)

A brief overview of what you can do within the edit configuration mode:

• Issue a command that configures a setting in the candidate configuration setting. The candidate configuration allows you to make configuration changes without causing changes to the active configuration until you can review your changes and issue the

commit command.

• Enter into a container context to access additional configuration settings.

•Run the modifications you make can be viewed using the

•Run the

display command to see your candidate configuration settings for a context. Any

display command.

Commit command to save any changes from your candidate configuration to the running

configuration.

•

Exit from a context.

8 Command Line Interface

NOTE: As you move through the context menu hierarchies, the command prompt changes accordingly.

The

help or display command can be entered at any level.

Configuration File Versions

When troubleshooting or needing to rollback a configuration, the current configuration setup can be viewed. Reviewing network configuration files should be a necessary step to becoming knowledgeable about your current system setup. When the device is initially configured, make sure the settings are saved to the persistent configuration with the snapshot using the following command:

NGFW{}snapshot create orig_conf

Snapshots capture the configuration of a device, which can then be delivered to technical support for troubleshooting. Users can also use snapshots to save and re-apply configurations. Snapshots include the currently installed OS version, and cannot be restored on a device that is not running the same version of the OS. If a snapshot restore needs to be completed, use the following command:

NGFW{}snapshot restore orig_conf

A warning message is displayed, followed by an automatic reboot when snapshot restore is completed.

The NGFW Appliance CLI uses the deferred-commit model. In this capacity, the architecture maintains a set of configuration files to ensure that a working configuration is persistently maintained. This configuration set includes the following configuration files.

NGFW{}save-config command. It’s also advisable to create a

Utilities

• Running configuration — this version is currently executing on the system. Any changes that administrators make from the will take effect once they have been committed, by issuing the committed, all modifications are discarded on administrators are on the system, the version that was last committed is used as the current running configuration and is visible to other administrators, once they have exited the prompt is displayed if the committed changes would overwrite configuration that was made by another administrator since the configuration was edited.

• Saved (persistent) configuration — this is the running configuration that was last committed prior to executing the configuration when the system reboots.

• Start configuration — This is a backup copy of the configuration file saved at the time of system startup, and is loaded at the next system bootup. The persistent and running configuration that was the last known good configuration.

NOTE: Future versions of the product will support multiple named saved configuration sets.

The Display and Show commands are helpful for troubleshooting and monitoring the operational status of the system. Command line usage can be found in Root Commands.

save-config command. NGFW copies the saved configuration to the start

edit mode (except for IPS features, action sets and notification contacts)

Commit command. If changes are not

exit from the running context. If multiple

edit mode. A warning

rollback-config command can be used to rollback to a

Display

Enter display to see your candidate configuration settings for a context. Any modifications you make can be viewed using the command is executed. If executed at the configuration level, it displays the entire configuration of the unit. Executing the display command with a configuration name parameter, or from within a context displays the contents of that particular configuration.

display command. The output of the display command depends on where the

NGFW Command Line Interface Reference 9

Show

The show command is most efficient in providing critical information, such as traffic usage, router platform type, operating system revision, amount of memory, and the number of interfaces. The

show command can

also be used to evaluate logging, troubleshooting, tracking resources, sessions, and security settings. To view all the available

show utilities, enter the help show command at the root command level. All the

available commands along with the correct command line usage are displayed.

10 Command Line Interface

2 Global Commands

Global commands can be used in any context.

commit

Initiates all pending configuration changes in the edit mode.

NOTE: This command does not write the modifications to the startup configuration file. However, the

save-config command can be run from the edit configuration context by using the exclamation mark.

Syntax

commit

Example

NGFW{running}commit NGFW{running}!save-config

exit

Exits the current context.

help

Syntax

exit

Example

NGFW{running-aaa}exit NGFW{running}

Displays help information.

Syntax

help [full|COMMAND]

Example

NGFW{running}help log Enter log context Syntax: log log Enter log context

Example

NGFW{running-firewall}help Valid commands are: default-block-rule DEFACTIONSET delete rule all|XRULEID help [full|COMMAND] rename rule XRULEID NEWRULEID rule (auto|RULEID) [POSITION_VALUE]

NGFW Command Line Interface Reference 11

display

Set session to display output page by page.

Syntax

more (enable|disable)

Example

NGFW{running}more enable

Displays the current configuration, or the candidate configuration before a commit is issued. Display options vary by context, enter the "help display" command in a context to view the available options.

Syntax

display display [xml]

Example

NGFW{running-aaa-user-myuser1}display # USER ID user myuser1

12 Global Commands

3 Root Commands

The top level root command line mode displays the NGFW{} prompt. Commands at this level are used for managing and monitoring system operations for the various subsystems. From the root command mode, you can access the configuration mode, and the available commands that apply to the appliance as a

boot

whole. Enter commands or help on a specific command.

NGFW{}help

The default NGFW{} command prompt can be changed using the host name command in the interface

mgmt

context of the edit mode. For example:

Manages software packages.

Syntax

boot (list-image|rollback)

help full or help COMMANDNAME at the command prompt to display a list of available

clear

Example

NGFW{}boot list-image Index Version

------------------------------------------------------

0 1.0.0.3935 1 1.0.0.2923 2 1.0.0.3932 3 1.0.0.3917 Oldest Index is 2 Factory Reset Index is 3

Clears system information.

Syntax

clear np engine filter clear np engine packet clear np engine parse clear np engine reputation dns clear np engine reputation ip clear np engine rule clear np reassembly ip clear np reassembly tcp clear np rule-stats

NGFW Command Line Interface Reference 13

date

clear np softlinx clear np tier-stats clear counter policy clear rate-limit streams clear users all [locked|ip-locked] clear users (NAME|A.B.C.D|X:X::X:X) [locked]

Example

NGFW{}clear log-file vpn

Example

NGFW{}clear ip bgp 10.10.10.10 soft in Not cleared BGP is not active

Example

NGFW{}clear ip bgp external soft

Example

NGFW{}clear users fred

Used alone to display the current date, or with arguments to configure the date in a 24 hour format. The date command shows the current time in the time zone configured on the device and the "gmt" argument shows the time in GMT (UTC).

edit

flush

Syntax

date [MMDDhhmm[[CC]YY][.ss]]) date gmt

Example

NGFW{}date 071718202013.59 (sets date to July 17 2013 6:20PM 59 seconds)

The edit context modifies the configuration that identifies the security policy and interfaces that you can configure for your firewall.

Edit takes an instance of the running configuration file. This instance is your

version. After making modifications to this candidate configuration version, you have the option of saving it to the running configuration, or discarding any changes you made. To discard, simply your candidates configuration, enter the

commit command before exiting the edit context. To see

exit. To save

commands under the edit context, see edit configuration.

NGFW{} NGFW{}edit NGFW{running} NGFW{running}commit NGFW{running}exit NGFW{}

Flushes the following configuration items.

Syntax

flush (arp|ndp) flush ipsec sa policy NAME [id ID] flush ike sa [policy NAME [id ID]] flush bgp [ip] A.B.C.D [(in prefix-filter)|in|out|(soft [in|out])|rsclient]

14 Root Commands

flush bgp ip A.B.C.D [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft [in|out])]

flush bgp ip A.B.C.D [vpnv4 unicast in|out|(soft [in|out])] flush bgp ipv6 X:X::X:X [(in prefix-filter)|in|out|(soft [in|out])|rsclient] flush bgp [ip] dampening [A.B.C.D/M|(A.B.C.D [A.B.C.D])] flush bgp [ip] external [(in prefix-filter)|in|out|(soft [in|out])] flush bgp ip external [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft

[in|out])] flush bgp ip PEERAS [vpnv4 unicast in|out|(soft [in|out])] flush bgp [ip|ipv6] all [(in prefix-filter)|in|out|(soft [in|out])|rsclient] flush bgp ip all [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft

[in|out])] flush bgp ip all [vpnv4 unicast in|out|(soft [in|out])] flush bgp [ip|ipv6] peer-group [(in prefix-filter)|in|out|(soft [in|out])] flush firewall-session (all|ID) [family (ipv4|ipv6)]

Example

NGFW{}flush firewall-session 134217756 Success NGFW{}flush ipsec sa policy mytunnel

help

Displays help information at any context level.

high-availability

Manage high-availability devices.

Syntax

high-availability force (active|passive) high-availability segment force (normal|fallback)

Example

NGFW{}high-availability segment force normal Status: OK

list

Displays traffic capture file list.

Syntax

list traffic-file

Example

NGFW{}list traffic-file

log-configure

Enter log configuration context.

NGFW Command Line Interface Reference 15

Syntax

log-configure

Example

Related Commands

Log Configure Commands

logout

Logs you out of the system.

Syntax

logout

Example

NGFW{} logout

master-key

The system master-key is used to encrypt the removable user-disk (the external CFast), and the system keystore. The user-disk holds traffic logs, packet capture data, and system snapshots. The keystore retains data such as device certificates and private keys.

NGFW{}log-configure NGFW{log-configure}help NGFW{log-configure}show log-file summary

The master-key has the following complexity requirements:

• Must be between 9 and 32 characters in length.

• Combination of upper and lower case alpha and numbers.

• Must contain at least one “special” char (eg: !@#$%)

• Set or clear the master key for keystore and external Cfast user-disk encryption.

Syntax

master-key (clear|get|set)

Example

Get the master key for keystore and user-disk encryption

NGFW{}master-key set

WARNING: Master key will be used to encrypt the keystore and external user disk. Do you want to continue (y/n)? [n]: y Enter Master Key : **************** Re-enter Master Key: **************** Success: Master key has been set.

Example

NGFW{}master-key get Success: My.1.MasterKey!!

Example

NGFW{}master-key clear

WARNING: Clearing master key will remove encryption from the keystore and external user disk.

Do you want to continue (y/n)? [n]: y Success: Master key has been cleared.

16 Root Commands

ping

Test connectivity with ICMP traffic. The mgmt option uses the management interface.

Syntax

ping (A.B.C.D|HOSTNAME) [count INT] [maxhop INT] [from A.B.C.D] [mgmt] [datasize INT] ping (A.B.C.D|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [from A.B.C.D] [mgmt]

[datasize (64-65468)] ping6 (X:X::X:X|HOSTNAME) [count INT] [maxhop INT] [interface INTERFACE] [from

X:X::X:X] [datasize INT] ping6 (X:X::X:X|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [interface INTERFACE]

[from X:X::X:X] [datasize (64-65468)]

Example

NGFW{}ping 192.168.1.1 mgmt ping using mgmt port PING 192.168.1.1 (192.168.1.1): 56 data bytes 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 vrfid=500 time=0.4 ms 64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 vrfid=500 time=0.1 ms 64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 vrfid=500 time=0.1 ms 64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 vrfid=500 time=0.1 ms

--- 192.168.1.1 ping statistics ---

4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 0.1/0.1/0.4 ms

ping6

reboot

Test connectivity with ICMPv6 traffic

Syntax

ping6 (X:X::X:X|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [interface INTERFACE] [from X:X::X:X] [datasize (64-65468)]

Example

NGFW{}ping6 100:0:0:0:0:0:0:1 ping using data ports PING 100:0:0:0:0:0:0:1 (100:0:0:0:0:0:0:1): 56 data bytes 64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=1 ttl=64 vrfid=0 time=0.3 ms 64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=2 ttl=64 vrfid=0 time=0.1 ms 64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=3 ttl=64 vrfid=0 time=0.1 ms 64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=4 ttl=64 vrfid=0 time=0.1 ms

--- 100:0:0:0:0:0:0:1 ping statistics ---

4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 0.1/0.1/0.3 ms

Reboots the system.

Syntax

reboot

Example

NGFW{}reboot WARNING: Are you sure you want to reboot the system (y/n) [n]:

NGFW Command Line Interface Reference 17

Reports

Configure data collection for on-box reports.

Syntax

Valid entries: reset Delete report data enable Start data collection for reports disable Stop data collection for reports all All reports (default) cpu CPU utilization report disk Disk utilization report fan Fan speed report memory Memory utilization report network Network bandwidth report rate-limiter Rate Limiter report temperature Temperature report traffic-profile Traffic Profile report vpn VPN report

Example

NGFW{}reports enable cpu NGFW{}reports reset cpu WARNING: Are you sure you want to reset cpu reports (y/n)? [n]:

Related Commands

show reports

save-config

Saves the running configuration to a persistent configuration.

Syntax

save-config

Example

NGFW{}save-config WARNING: Saving will apply this configuration at the next system start. Continue

(y/n)? [n]:

service-access

Enable or disable service access.

Syntax

service-access (enable|disable)

Example

NGFW{}service-access enable Serial: X-NGF-S1020F-GENERIC-001 Salt: Zk0lenyg NGFW{}service-access disable

18 Root Commands

set

show

Syntax

set cli filtering rule (auto-comment|no-auto-comment|(last-auto-comment-value INT))

Example

NGFW{}set cli filtering rule auto-comment NGFW{}set cli filtering rule no-auto-comment

The show command enables you to view current system configuration, status, and statistics.

Table 3-1 Show command

Command Description

show aaa show AAA information

show agglink Show agglink status

show arp Show Address Resolution Protocol entries

show autoconf dhcpv4 client IPv4 Dynamic Host Configuration Protocol

show autoconf dhcpv6 client IPv6 Dynamic Host Configuration Protocol

show autoconf ra Show autoconfig Router Advertisement information

show cluster Show cluster status

show date Show the current router date and time

show dhcp relay Show DHCPv4 Relay information

show dhcp server lease Display DHCP server leases history

show dhcpv6 Show DHCPv6 client lease

show dns Show Domain Name Service

show firewall Displays firewall rules and sessions.

show high-availability Show high-availability status

show interface Show network interface

show ip bgp Show the Border Gateway Protocol information

show ip igmp Show Internet Group Management Protocol

show ip mroute Show Multicast Static IP route

show ip ospf Show Open Shortest Path First (OSPF) information

show ip pim-sm Show PIM-SM routing information

show ip rip Show the RIP routes

show ip route Show the unicast routes

show ip smr Show SMR routing information

show ipv6 mld Show IPv6 routing information for MLD group or

interface

show ipv6 mroute Show IPv6 routing information for multicast routes

show ipv6 ospfv3 Show the OSPFv3 unicast routes

NGFW Command Line Interface Reference 19

Table 3-1 Show command

Command Description

show ipv6 pim-sm Show ipv6 Protocol Independent Multicast - Sparse

Mode (PIM-SM) routing information

show ipv6 ripng Show RIPng routing information

show ipv6 route ripng Show ripng route information

show (ip|ipv6) route Show the unicast routes

show key Show local server SSH key information

show l2tp Show Layer 2 Tunneling Protocol information

show license Shows the license number and status

show log-file Shows the logfiles

show log-file boot Shows the boot file

show mfg-info Show manufacturing information

show ndp Show Neighbor Discovery Protocol

show np engine Show net processor statistics

show np general statistics Show general network processor information

show np protocol-mix Show network processor protocol-level statistics

show np reassembly Show network processor reassembly statistics

show np rule-stats Show network processor rules, number of flows,

successful matches

show np softlinx Show network processor softlinx statistics

show np tier-stats Show network processor throughput and utilization for

each tier

show quarantine-list Show quarantine list information

show reports Show status of data collection for reports

show service Show network service information

show sms Show status of SMS control

show snmp Show SNMP information

show system buffers Show Forwarding buffer state

show system connections Show active socket information

show system processes Show system processes

show system statistics Show system-wide protocol-related statistics

show system usage Show system usage

show system virtual-memory Show system virtual memory

show system xms memory Show xms memory usage

show terminal Show terminal settings

show traffic-file Show network traffic from file

show tse connection-table Show TSE connection-table information

20 Root Commands

Table 3-1 Show command

Command Description

show users Show users information

show version Show device version information

show aaa

Syntax

show aaa capabilities USER

Example

show aaa capabilities fred NGFW{}show aaa capabilities fred ID NAME STATE

--------------------------------------------1 NGFW full 2 SECURITY full 3 FIREWALLRULES full 4 SECURITYZONES full 5 APPLICATIONGROUPS full 6 ADDRESSGROUPS full 7 SERVICES full 8 SCHEDULES full 9 INSPECTIONPROFILES full 10 IPS full 11 IPREPUTATION full 12 PROFILEGROUPS full 13 CAPTIVEPORTALRULES full 14 NATRULES full 15 ACTIONSETS full 16 SYSTEM full 17 SMSMANAGED full 18 MANAGEMENT full 19 DNS full 20 IPFILTERS full 21 UPGRADE full 22 NOTIFICATION full 23 LOGGING full 24 HIGHAVAILABILITY full 25 HACONFIGURATION full 26 HASTATE full 27 SNMP full 28 TIME full 29 FIPS full 30 UPDATE full 31 PACKAGES full 32 AUTODV full 33 SNAPSHOT full 34 USERAUTH full 35 LOCALUSER full 36 USERGROUP full 37 ROLES full 38 RADIUS full 39 LDAP full

NGFW Command Line Interface Reference 21

40 CAPTIVEPORTAL full 41 GENERAL full 42 X509CERT full 43 VPN full 44 IKE full 45 IKECONFIGURATION full 46 IKESTATUS full 47 IPSEC full 48 IPSECCONFIGURATION full 49 IPSECSTATUS full 50 L2TP full 51 L2TPCONFIGURATION full 52 L2TPSTATUS full 53 REPORTING full 54 LOG full 55 FIREWALLLOG full 56 IPSLOG full 57 REPUTATIONLOG full 58 VPNLOG full 59 SYSTEMLOG full 60 AUDITLOG full 61 SECURITYREPORTS full 62 NETWORKREPORTS full 63 DEBUGTOOLS full 64 REBOOT full 65 SHUTDOWN full 66 SERVICEACCESS full 67 NETWORK full 68 INTERFACES full 69 SEGMENTS full 70 DHCPSERVER full 71 DHCPRELAY full 72 ARPNDP full 73 STATICROUTES full 74 STATICMONITOREDROUTES full 75 DYNAMICROUTING full 76 ACCESSLISTS full 77 ROUTEMAPS full 78 OSPF full 79 RIP full 80 BGP full 81 MULTICAST full 82 ROUTINGTABLE full 83 COMPACTFLASH full 84 CUSTOMCATEGORIES full 85 APPLICATIONVISIBILITY full 86 GLOBALINSPECTIONPROFILE full 87 DEBUGNP full

show agglink

Displays information about whether or not the member ports are up in the aggregated link.

Syntax

show (agglink|INTERFACE)

22 Root Commands

Example

NGFW{}show agglink #AGGLINK TABLES Service ETHGRP is inactive

show arp

Syntax

show arp

Example

NGFW{}show arp IP Address Mac-Address Interface State

15.226.140.254 3c:e5:a6:13:7f:2a mgmt delay

show ndp

Syntax

show ndp

Example

NGFW{}show ndp IP Address Mac-Address Interface State fe80::3ee5:a6ff:fe13:7f2a 3c:e5:a6:13:7f:2a mgmt stale

show autoconf dhcpv4 client

Syntax

show autoconf dhcpv4 client (current|history)

Example

NGFW{}show autoconf dhcpv4 client

Example

NGFW{}show autoconf dhcpv4 client history

# DHCPCLIENT LEASES HISTORY Service DHCP is inactive

show autoconf dhcpv6 client

Syntax

Show autoconf dhcpv6 client

Example

NGFW{}show autoconf dhcpv6 client Service DHCPv6 client is inactive

show autoconf ra

Syntax

show autoconf ra (INTERFACE|all)

Example

NGFW{}show autoconf all

NGFW Command Line Interface Reference 23

no data

show cluster

Syntax

show cluster

Example

cluster.3-device23{} show cluster Cluster Status

-------------Name: cluster Identifier: 3 State: Enabled Segment HA: Normal Master: cluster.3-device23 Members

------Name: cluster.3-device23 HA State: Active

show date

This command shows the GMT time or the local time and timezone for the appliance.

Syntax

show date [gmt]

Example

NGFW{}show date Sun Sept 15 04:29:59 2013 GMT NGFW{}show date gmt Wed Aug 21 21:51:13 2013 GMT NGFW{}show date Wed Aug 21 14:51:16 2013 America/Los_Angeles

show dhcp relay

Shows DHCPv4 Relay information.

Syntax

show dhcp relay

Example

NGFW{}show dhcp relay DHCP Relay is not running

show dhcp server lease

Syntax

show dhcp server lease (current | history)

Example

NGFW{}show dhcp server lease current Status: Inactive

24 Root Commands

IP Address Mac Address Start date & time End date & time

show dhcpv6

Syntax

show dhcpv6

Example

NGFW{}show dhcpv6 Service DHCPv6 client is inactive

show dns

Syntax

show dns

Example

NGFW{}show dns # DNS PROXY Proxy Disabled # STATIC DNS # DYNAMIC V4 DNS # DYNAMIC V6 DNS

show firewall

Displays firewall rules and sessions.

Syntax

show firewall rules [count MAX-RULES] [rule all|ID] [action-set ACTIONSET] [src-zones SRC-ZONE] [dst-zones DST-ZONE] [services SERVICES] [schedules SCHEDULE] [application APPS] [more]

show firewall sessions [count MAX-SESSIONS] [family FAMILY] [protocol PROTOCOL] [direction DIRECTION] [more]

Example

NGFW{}show firewall sessions ID Protocol State Direction Source(IP:PORT) Destination(IP:PORT) Bytes Expires

------------------------------------------------------------------------------------

3469 IGMP(2) unreplied original 192.168.1.1 224.0.0.2 32 75

NGFW{}show firewall rules

1. Rule: 20000

Action set: Permit + Notify

2. Rule: 20010

Action set: Permit + Notify

reply 224.0.0.2 192.168.1.1 0

show high-availability

Syntax

show high-availability (state-sync (all|FEATURE))

Example

NGFW{}show high-availability state-sync firewall HA Synchronization State

NGFW Command Line Interface Reference 25

----------------------- Name: firewall State: enabled Synchronization State: Not initialized Reason: Unable to determine synchronization state Total Entries: 353 Added Entries: 324 Deleted Entries: 0

Related Commands

high-availability force (active|passive) high-availability segment force (normal|fallback)

show interface

Syntax

show interface [INTERFACE [statistics [update INT]]] show interface [INTERFACE] multicast-registration

Examples

NGFW{}show interface ha Interface ha MAC Address 00:10:f3:2c:81:df Enabled Yes Link Down Speed 10Mbps Auto Negotiate Enabled Duplex Half MTU 9216

NGFW{}show interface mgmt Interface mgmt IP Address A.B.C.D/24 IPv6 Address fe80::210:f3ff:fe2c:81de/64 (Link Local) MAC Address 00:10:f3:2c:81:de Enabled Yes Link Up Speed 1000Mbps Auto Negotiate Enabled Duplex Full MTU 1500

NGFW{}show interface bridge1 Interface bridge1 IPv6 Address fe80::210:f3ff:fe2c:81e2/64 (Link Local) MAC Address 00:10:f3:2c:81:e2 Enabled Yes Link Up MTU 1500

NGFW{}show interface multicast-registration default: IGMP: igmpv3 MLD : mldv2 force: IGMP: igmpv3 MLD : mldv2

26 Root Commands

show ip bgp

Syntax

show ip bgp show ip bgp debug show ip bgp A.B.C.D/M show ip bgp summary show ip bgp neighbors show ip bgp neighbors A.B.C.D show ip bgp neighbors A.B.C.D (advertised-routes|routes) show ip bgp filter-list FILTER-LIST-NAME show ip bgp prefix-list PREFIX-LIST-NAME show ip bgp route-map ROUTE-MAP-NAME show ip bgp community-list COMMUNITY-LIST-NAME show ip bgp community AA:NN|internet|local-as|no-export|no-advertise

Example

NGFW{}show ip bgp BGP Router Default Instance (ASN 230)

BGP table version is 0, local router ID is 172.16.30.230 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, R Removed Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path *> 99.1.0.0/24 172.16.30.99 11 32768 ? *> 99.2.0.98/32 172.16.30.99 11 32768 ? *> 172.16.40.0/24 172.16.20.98 0 0 98 i

Total number of prefixes 3

show ip igmp

Shows IGMP interface information or group information.

Syntax

show ip igmp (interface|groups)

Example

NGFW{}show ip igmp interface ethernet2 is up Interface address: 172.16.30.230/24 IGMP on this interface: enabled Multicast routing on this interface: enabled Multicast TTL threshold: 1 Current IGMP router version: 3 IGMP query interval: 125 seconds IGMP max query response time: 100 deciseconds Last member query response interval: 10 deciseconds IGMP Querier: 172.16.30.230 Robustness: 2 Require Router Alert: enabled Startup Query Interval: 312 deciseconds Startup Query Count: 2 General Query Timer Expiry: 00:00:07 Startup Query Timer Expiry: 00:00:07 Multicast groups joined:

NGFW Command Line Interface Reference 27

show ip mroute

Shows the multicast routes.

Syntax

show ip mroute

Example

NGFW{}show ip mroute Source Group In-interface Out-interface(s)

152.168.1.2 239.255.255.2 pimreg ethernet1

show ip ospf

Displays general information about Open Shortest Path First (OSPF) routing processes.

Syntax

show ip ospf ? show ip ospf (database|interface[IFACE]|neighbor [debug]|redistribute|route[debug])

Example

NGFW{}show ip ospf

OSPF Router with ID (15.255.125.122)

OSPF Routing Process 0 [VRF 0], Router ID: 15.255.125.122 Supports only single TOS (TOS0) routes This implementation conforms to RFC2328 RFC1583Compatibility flag is disabled OpaqueCapability flag is enabled SPF schedule delay 200 secs, Hold time between two SPFs 1000 secs Refresh timer 10 secs Kernel delay 50 ms This router is an ASBR (injecting external routing information) Redistribute Configuration Maximum-Prefix is not configured Number of external LSA 0. Checksum Sum 0x00000000 Number of opaque AS LSA 0. Checksum Sum 0x00000000 Number of areas attached to this router: 1

Area ID: 0.0.0.0 (Backbone) Number of interfaces in this area: Total: 1, Active: 1 Number of fully adjacent neighbors in this area: 1 Area has no authentication SPF algorithm executed 8 times (in 0 ms) Number of LSA 3 Number of router LSA 2. Checksum Sum 0x00015328 Number of network LSA 1. Checksum Sum 0x00000b59 Number of summary LSA 0. Checksum Sum 0x00000000 Number of ASBR summary LSA 0. Checksum Sum 0x00000000 Number of NSSA LSA 0. Checksum Sum 0x00000000 Number of opaque link LSA 0. Checksum Sum 0x00000000 Number of opaque area LSA 0. Checksum Sum 0x00000000

show ip pim-sm

Syntax

show ip pim-sm (interface|neighbor|rp|bsr-router)

28 Root Commands

Example

NGFW{}show ip pim-sm interface Address Interface Mode Neighbor Hello DR DR Address Count Intvl Pri

182.168.1.10 ethernet5 sparse 1 30 1 182.168.1.20

Example

ngfw{}show ip pim-sm neighbor Interface Address ethernet5 182.168.1.20

ngfw{}show ip pim-sm bsr-router PIMv2 Bootstrap information This system is the Bootstrap Router (BSR) BSR address: 182.168.1.10 Uptime: 00:00:26, BSR Priority: 10, Hash mask length: 30 Next bootstrap message in 00:00:34

ngfw{}show ip pim-sm rp The PIM RP Set Group: 239.255.255.2/32 RP: 182.168.1.10 Uptime: 00:00:51, Expires: 00:01:39, Priority: 10

show ip rip

Shows the RIP routes.

Syntax

show ip rip

Example

NGFW{}show ip rip RIP Router Default Instance

Routing Protocol is "rip" Sending updates every 30 seconds with +/-50%, next due in 29 seconds Timeout after 180 seconds, garbage collect after 120 seconds Mesage load balancing using 1 time slots Default redistribution metric is 1 Redistributing: Default version control: send version 2, receive any version Interface Send Recv Pri RIPv1BorderGW RIPv1IngrSumy Key-chain ethernet1 2 1 2 7 Enable Enable Split horizon No authentication Routing for Networks: ethernet1 Routing Information Sources: Gateway BadPackets BadRoutes Distance Last Update Distance: (default is 120)

show ip route

Syntax

NGFW Command Line Interface Reference 29

Example

NGFW{}show ip route debug

Codes: K - kernel route, C- connected, S - static, R - RIP, O - OSPF, B - BGP, > - selected route, * - FIB route

K * 127.0.0.0/8 is directly connected, unknown(0) inactive, rej C>* 127.0.0.0/8 is directly connected, lo C>* 192.168.1.0/24 is directly connected, ethernet13 C>* 192.168.100.0/24 is directly connected, ethernet14 K>* 224.0.0.2/32 is directly connected, lo501 S>* 0.0.0.0/0 [1/0] [vrf 500] via 15.220.140.254, mgmt C>* 15.220.140.0/24 [vrf 500] is directly connected, mgmt C>* 127.0.0.0/8 [vrf 500] is directly connected, lo500 C>* 127.0.0.0/8 [vrf 501] is directly connected, lo501 C>* 169.254.0.0/24 [vrf 501] is directly connected, ha

show ip smr

Show SMR routing information.

Syntax

show ip smr [status]

Example

NGFW{}show ip smr Type Prefix NextHop Distance Probe Target * 1.1.1.0/24 172.16.20.220 10 * 2.2.2.0/24 172.16.20.220 10 * 3.3.3.0/24 172.16.20.220 10

4.4.4.0/24 172.16.20.30 10

NGFW{} show ip smr status 3 route(s) active 1 route(s) inactive Global round-trip avg/max 0.5/29.2 msec 10 packets/640 bytes sent last second

show ipv6 mld

Shows IPv6 routing information for MLD group or interface.

Syntax

show ipv6 mld (interface|groups)

Example

NGFW{}show ipv6 mld interface ethernet1 is up Interface address: fe80::210:f3ff:fe24:5b7e%ethernet1/64 MLD on this interface: enabled Multicast routing on this interface: disabled Current MLD router version: 2 MLD query interval: 125 seconds MLD max query response time: 10 seconds Last member query response interval: 10 deciseconds MLD Querier: fe80::210:f3ff:fe24:5b7e%ethernet1 Robustness: 2 Require Router Alert: enabled Startup Query Interval: 312 deciseconds

30 Root Commands

Startup Query Count: 2 General Query Timer Expiry: 00:01:19 Multicast groups joined:

NGFW{}show ipv6 mld groups MLD Connected Group Membership Group Address Interface Uptime Expires Last Reporter ff1e:11::1 ethernet1 00:00:04 00:04:16 fe80::215:17ff:fe3c:edea%ethernet1

show ipv6 mroute

Shows IPv6 routing information for multicast routes.

Syntax

show ipv6 mroute

Example

NGFW{}show ipv6 mroute Source Group In-interface Out-interface(s) 2001:300::2 ff1e:11::1 pimreg ethernet1

show ipv6 ospfv3

Shows the OSPFv3 unicast routes.

Syntax

show ipv6 ospfv3 (database|interface[IFACE]|neighbor[debug]|route)

Example

NGFW{}show ipv6 ospfv3 OSPFv3 Router with ID (172.16.30.230)

OSPFv3 Routing Process 0 [VRF 0] with Router-ID 172.16.30.230 Running 00:00:07 Graceful Restart: Enabled with interval 120 Status: restarting (left time 113s) Graceful Restart Helper: Enabled Redistribute Configuration Maximum-Prefix is not configured Number of AS scoped LSAs is 0 Number of AS scoped LSAs is 0 Number of areas in this router is 2 Area 0.0.0.0 Number of Area scoped LSAs is 0 Interface attached to this area: ethernet1 Area 0.0.0.9 Number of Area scoped LSAs is 0 Interface attached to this area:

show ipv6 pim-sm

Protocol Independent Multicast - Sparse Mode (PIM-SM) provides efficient communication between members of sparsely distributed groups that are common. PIM-SM is designed to limit multicast traffic so only switches interested in receiving traffic for a particular group receive the traffic

Syntax

show ipv6 pim-sm (interface|neighbor|rp|bsr-router)

NGFW Command Line Interface Reference 31

Example

NGFW{}show ipv6 pim-sm interface Interface Mode Neighbor Hello DR Count Interval Priority ethernet5 sparse 1 30 1 Address: fe80::210:f3ff:fe24:5b82 DR Address: this system

NGFW{}show ipv6 pim-sm neighbor Interface Address ethernet5 fe80::210:f3ff:fe24:5b5b

PIM6v2 Bootstrap information This system is the Bootstrap Router (BSR) BSR address: 2001:200::10 Uptime: 00:20:00, BSR Priority: 10, Hash mask length: 126 Next bootstrap message in 00:00:00

NGFW{}show ipv6 pim-sm rp The PIM6 RP Set Group: ff1e:11::1/128 RP: 2001:200::10 Uptime: 00:20:22, Expires: 00:01:59, Priority: 0

show ipv6 ripng

Shows the RIPng routes.

Syntax

show ipv6 ripng

Example

NGFW{}show ipv6 ripng RIPng Router Default Instance Routing Protocol is "RIPng" Sending updates every 30 seconds with +/-50%, next due in 37 seconds Timeout after 180 seconds, garbage collect after 120 seconds Default redistribution metric is 1 Redistributing: Default version control: send version 1, receive version 1 Interface Send Recv ethernet1 1 1 Split horizon Routing for Networks: ethernet1 Routing Information Sources: Gateway ReceivedPackets BadPackets BadRoutes Distance Last Update Distance: (default is 120)

show ipv6 route ospfv3

Shows the OSPFv3 unicast routes.

Syntax

show ipv6 route ospfv3

Example

NGFW{}show ipv6 route ospfv3

32 Root Commands

Codes: O - ospfv3, > - selected route, * - FIB route O>* 1:1::/64 [110/2] via fe80::20c:29ff:fee0:c919, ethernet2, 00:00:28 O>* 2:2::2:2/128 [110/1] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28 O>* 2100::/64 [110/2] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28 O>* 2100::2/128 [110/1] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28

show ipv6 route ripng

Shows the RIPng routes.

Syntax

show ipv6 route ripng

Example

NGFW{}show ipv6 route ripng Codes: K - kernel route, C - connected, S - static, R - RIPng, O - OSPFv3, I - ISIS, B - BGP, N - NAT-PT, D - Delegated Prefix, > - selected route, * - FIB route, b - Backup route, < - delayed route, Q - Untyped route

R>* 4100::/64 [120/2] via fe80::210:f3ff:fe26:f375, ethernet2, 00:00:07

show (ip|ipv6) route

Syntax

show (ip|ipv6) route (debug|mgmt|static|connected)

Example

NGFW{}show ipv6 route static Codes: S - static, > - selected route, * - FIB route

show key

Shows local server SSH key.

Syntax

show key

Example

NGFW{}show key

show l2tp

Shows layer 2 tunneling protocol information.

Syntax

show l2tp

Example

NGFW{}show l2tp ============= Current sessions for L2TP: L2TP server is not running.

NGFW Command Line Interface Reference 33

show license

Syntax

show license

Example

NGFW{}show license License: 1.0.0.11 (Transitional)

Feature Status Permit Expiration Details

-------- ------ ------- ---------- -------License OK Allow 10/3/2013 Using the transitional license. Update TOS OK Allow 10/3/2013 Update DV OK Allow 10/3/2013 Auxiliary DV Info Deny Never Not licensed to use feature. ReputationDV Info Deny Never Not licensed to use feature.

show log-file

The following log files are available:

•system

•audit

•fwAlert

•fwBlock

•vpn

•ipsAlert

•ipsBlock

•reputationAlert

•reputationBlock

•quarantine

show log-file FILE_NAME

Syntax

34 Root Commands

show log-file audit [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file fwAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file fwBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file ipsBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file quarantine [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file reputationAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file reputationBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file summary [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file system [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file vpn [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file boot [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file audit [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file fwAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file fwBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

NGFW Command Line Interface Reference 35

show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file ipsBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file quarantine [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file reputationAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file reputationBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file summary [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file system [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file vpn [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file boot [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file audit [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more] show log-file fwAlert [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more] show log-file fwBlock [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more] show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more] show log-file ipsBlock [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more] show log-file quarantine [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more] show log-file reputationAlert [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more] show log-file reputationBlock [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more] show log-file summary [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more] show log-file system [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more] show log-file vpn [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more] show log-file boot [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more] show log-file audit stat show log-file fwAlert stat show log-file fwBlock stat show log-file ipsAlert stat show log-file ipsBlock stat show log-file quarantine stat show log-file reputationAlert stat show log-file reputationBlock stat show log-file summary stat show log-file system stat show log-file vpn stat show log-file boot stat show log-file summary [verbose] show log-file boot [tail COUNT] [more] show log-file boot [search [(options)]{0,2} PATTERN] [count COUNT] [more]

Example

NGFW{}show log ipsAlert

36 Root Commands

Example

NGFW{}show log quarantine

show log-file FILE_NAME stat

Shows the beginning sequence number, ending sequence number, and number of messages for the given log file.

Syntax

show log-file FILE_NAME stat

Example

NGFW{}show log ipsBlock stat Display limited to 500 lines... 1 241097 241097

show log-file summary

Syntax

show log-file summary [verbose]

Example

NGFW{}show log-file summary File Total Entries First Entry Last Entry Allocated Used Location

--------------- -------------- -------------- -------------- ---------- ---- ------

system 2902 1 2902 174.32 MB 0% internal audit 411 1 411 174.32 MB 0% internal fwAlert 2135781 42054583 44190363 700.23 MB 66% ramdisk fwBlock 0 0 0 700.23 MB 0% ramdisk ipsAlert 0 0 0 350.11 MB 0% ramdisk ipsBlock 0 0 0 350.11 MB 0% ramdisk reputationAlert 0 0 0 175.06 MB 0% ramdisk reputationBlock 0 0 0 175.06 MB 0% ramdisk visibility 0 0 0 700.23 MB 0% ramdisk quarantine 0 0 0 175.06 MB 0% ramdisk vpn 0 0 0 175.06 MB 0% ramdisk

show log-file boot

Syntax

show log-file boot [tail [COUNT]] [more] show log-file boot [search [<options>]{0,2} PATTERN] [count COUNT] [more]

If using the more option, the colon will display in the output, to indicate more information is available. Press the Enter key for the scroll to continue, or enter a ‘q’ to exit and return to the

NGFW{} prompt.

Example

NGFW{} show log-file audit more

2013-07-05 ...(log info is displayed) 2013-07-05 ... ...

:q NGFW{}show log-file boot search nocase ethernet7 count 7 NGFW{}show log-file boot search invert ethernet7 count 3 NGFW{}show log-file boot search ethernet7 count 2

NGFW Command Line Interface Reference 37

ADDRCONF(NETDEV_UP): ethernet7: link is not ready device ethernet7 entered promiscuous mode

Example

To tail the last 5 lines of the boot log file:

NGFW{}show log-file boot tail 5

bridge1: port 8(ethernet7) entering disabled state bridge1: port 8(ethernet7) entering disabled state ADDRCONF(NETDEV_UP): ethernet7: link is not ready device ethernet8 left promiscuous mode device ethernet7 left promiscuous mode

show mfg-info

Shows manufacturing information.

Syntax

show mfg-info

Example

NGFW{}show mfg-info device34{}show mfg-info ECO Version : 40AA Manufacturer S/N : TBBC10021827 PCBA Assembly Date : 01/11/2012 Chassis Version : 00 Mfg System Revision : A905 HP Base Unit P/N : 5066-2732 HP Base Unit Revision : A1 Number of MACs : 12 MAC Address : 00:10:F3:2C:81:DE Mgmt Port MAC Address : 00:10:F3:2C:81:DE Ethernet1 MAC Address : 00:10:F3:2C:81:E2 HP Base Unit S/N : PR2AFQY003 Internal Disk Model : 4GB SATA Flash Drive Internal Disk S/N : 11001420994500582125 External Disk Model : 4GB SATA Flash Drive External Disk S/N : 00224192122400702578 BIOS Version : Z513-021 IPM Version : 1.d (working)

show np engine

Shows network processor information.

Syntax

filter - Show filter-level statistics packet - Show packet-layer statistics parse - Show packet parsing statistics reputation - Show reputation statistics on either IP or DNS rule - Show rule statistics

Example

NGFW{}show np engine packet

Packet Statistics: Rx packets OK = 275263890 Rx packets dropped = 0

38 Root Commands

Rx packets dropped no pcb = 0

Tx packets OK = 275262516

Tx packets dropped = 1374

Tx packets dropped no pcb = 0

Rx bytes OK = 14864242660

Tx bytes OK = 16515754024

show np general statistics

Shows general network processor information.

Syntax

show np general statistics

Example

NGFW{}show np general statistics General Statistics: Incoming = 0 Outgoing = 0 Dropped = 0 Interface discards = 0 Second Tier = 0 Matched = 0 Blocked = 1376 Trusted = 0 Permitted = 0 Invalid = 0 Rate Limited = 0

show np protocol-mix

Syntax

show np protocol-mix

Example

NGFW{}show np protocol-mix Network Traffic Protocol Statistics:

Packets Bytes ================= ================= EthType: ARP 289096 17363292 IP 75851320 16817451395 IPv6 110966 91605367 Other 47087 31256790 IpVersion: IPv4 75851320 16817451395 IPv6 110966 91605367 Other 9010 5444502 IpProtocol: TCP 24779397 4847827560 UDP 49956647 11260655728 ICMP 112057 42551652 IPv4 in IPv4 0 0 IPv6 In IPv4 4536 597024 GRE 276372 45779027 AH 414 63180

NGFW Command Line Interface Reference 39

Other 132843 65240426 Ipv6Protocol: TCP 378 265014 UDP 1350 1135803 ICMPv6 3908 1406824 ICMP 0 0 IPv6 in IPv6 89760 77281416 IPv4 in IPv6 2442 1938618 GRE 1398 1106502 AH 0 0 Other 53034 44444961

show np reassembly

Syntax

show np reassembly (ip|tcp)

Example

NGFW{}show np reassembly ip

Summary: Frags incoming = 0 Frags kept = 0 Frags outgoing = 0 Frags passed thru = 0 Frags dropped (duplicate) = 0 Frags recently reassembled = 0 Frags dropped (other) = 0 Dgrams completed = 0

show np rule-stats

Syntax

show np rule-stats

Example

NGFW{}show np rule-stats

Filter Flows Success % Total % Success 6281 9 0 21 0.00 6310 9 0 21 0.00 633 8 3 19 37.50 5337 8 0 19 0.00 2768 7 0 16 0.00 5881 1 0 2 0.00 Total number of flows: 42

show np softlinx

Syntax

show np softlinx

Example

NGFW{}show np softlinx SoftLinx Statistics: Matched both softlinx and a rule = 0 Matched softlinx, but not a rule = 0 Matched a rule, but not softlinx = 0

40 Root Commands

Sleuth inspected packets = 0 Sleuth matched packets = 0 Matched HW (Sleuth) but not softLinx = 0 Sleuth gave up = 0 Sleuth bypassed = 0 Sleuth bypassed zero payload length = 0 Sleuth overflow = 0 Matched nothing = 281567607 Linx rules created = 0 Linx rules deleted = 0 Discarded by the softlinx = 0 Total packets sent to softlinx = 80 Embedded Trigger matches = 0 Engine Trigger matches = 0 Trigger matches = 0 False pkt matches = 80 Good pkt matches = 0 SoftLinx trigger match roll over = 0 Highest flow based trigger match = 0

show np tier-stats

Syntax

show np tier-stats

Example

NGFW{}show np tier-stats

----------------------------------------------------------

Tier 1:

----------------------------------------------------------

Rx Mbps = 0.0 (0.0)

Tx Mbps = 0.0 (0.0)

Rx Packets/Sec = 0.0 (0.0)

Tx Packets/Sec = 0.0 (0.0)

Utilization = 0.0% (0.0%)

Ratio to next tier = 0.0% (100.0%)

----------------------------------------------------------

Tier 2:

----------------------------------------------------------

Rx Mbps = 0.0 (0.0)

Rx Packets/Sec = 0.0 (0.0)

Tx trust packets/sec = 0.0 (0.0)

Utilization = 0.0% (0.0%)

Ratio to best effort = 0.0% (0.0%)

Ratio to next tier = 0.0% (0.0%)

----------------------------------------------------------

Tier 3:

----------------------------------------------------------

Rx Mbps = 0.0 (0.0)

Rx Packets/Sec = 0.0 (0.0)

Rx Trigger match = 0.0 (0.0)

Rx Reroute = 0.0 (0.0)

Rx TCP sequence = 0.0 (0.0)

Tx trust packets/sec = 0.0 (0.0)

Utilization = 0.0% (0.0%)

Ratio to best effort = 0.0% (0.0%)

Ratio to next tier = 0.0% (0.0%)

NGFW Command Line Interface Reference 41

show quarantine-list

Syntax

show quarantine-list

Example

NGFW{}show quarantine-list IP Reason

show reports

Show the status of the data collection for reports.

Syntax

show reports

Example

NGFW{}show reports CPU Utilization: enabled Disk Utilization: enabled Fan Speed: enabled Memory Utilization: enabled Network Bandwidth: enabled Rate Limiter: enabled Temperature: enabled Traffic Profile: enabled VPN: enabled

show service

Shows the state of all the services.

Syntax

show service

Example

NGFW{}show service

Service SSH is active Service TELNET is inactive Service HTTP is active Service IP Forwarding is active Service IPv6 Forwarding is active Service SNMP is inactive Service DNS-PROXY is inactive Service RIP is inactive Service RIPng is inactive Service OSPFv2 is inactive Service OSPFv3 is inactive Service BGP is inactive Service SMR is inactive Service PIM4SM is inactive Service PIM6SM is inactive Service VRRP is inactive Service Multicast-proxy is inactive Service DHCPSERVER is inactive Service DHCP is inactive Service DHCP RELAY is inactive Service DHCPv6-CLIENT is inactive

42 Root Commands

show sms

Syntax

show sms

Example

NGFW{}show sms Device is not under SMS control

show snmp

Syntax

show snmp

Example

NGFW{}show snmp

Service NTP is inactive

Service PPP-CtrlPlane is inactive

Service ETHGRP-LACP is inactive

#SNMP Status

Enabled : Yes

Version : 2c, 3

Engine ID : 0x800029ee030010f327fe2e

Auth. Traps : Yes

System Name : S8020F

System Object ID : .1.3.6.1.4.1.10734.1.9.7

System ID : NGFW

System Contact : Administrator

System Location : Data Center

#SNMP Trap Sessions

Host : A.B.C.D

Version : 3

Port : 162

Security Name : trap

Level : authPriv

Authentication : SHA

Privacy : AES

Inform : Yes

show system buffers

Shows forwarding buffer state information, if you have administrator privileges.

Syntax

show system buffers

Example

NGFW{}show system buffers

show system connections

Syntax

show system connection [ipv4|ipv6|sctp|unix]

NGFW Command Line Interface Reference 43

Example

NGFW{}show system connections ipv4

Active Internet connections (servers and established) vrfid Proto Recv-Q Send-Q Local Address Foreign Address State 0 tcp 0 0 127.0.0.1:60000 0.0.0.0:* LISTEN 0 tcp 0 0 127.0.0.1:616 0.0.0.0:* LISTEN

Example

NGFW{}show system connections unix

Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node Path unix 2 [ ACC ] STREAM LISTENING 40709

/var/tmp/apache2/logs/fcgidsock/7095.0 unix 2 [ ACC ] STREAM LISTENING 3871 /var/tmp/segmentdsock unix 2 [ ACC ] STREAM LISTENING 2080 /var/run/nscd/socket unix 2 [ ACC ] STREAM LISTENING 379 @/com/ubuntu/upstart unix 2 [ ACC ] STREAM LISTENING 16968 /var/run/.xms.default unix 2 [ ] DGRAM 16970 /tmp/.server.sockname unix 2 [ ] DGRAM 17575 @/tmp/.has_xmsd unix 2 [ ACC ] STREAM LISTENING 1436

/usr/local/var/syslog-ng.ctl

Example

NGFW{}show system connections sctp ASSOC SOCK STY SST ST HBKT ASSOC-ID TX_QUEUE RX_QUEUE UID INODE LPORT RPORT

LADDRS <-> RADDRS HBINT INS OUTS MAXRT T1X T2X RTXC VRF

show system processes

Syntax

show system processes [LEVEL] brief Brief process information detail Detailed process information extensive Extensive process information summary Active process information

Example

NGFW{}show system processes brief

top - 02:23:22 up 5:08, 2 users, load average: 16.20, 16.23, 16.16 Tasks: 349 total, 6 running, 343 sleeping, 0 stopped, 0 zombie Cpu(s): 37.8% us, 2.4% sy, 0.0% ni, 52.8% id, 0.0% wa, 0.0% hi, 6.9% si Mem: 28681276k total, 10367048k used, 18314228k free, 100416k buffers Swap: 0k total, 0k used, 0k free, 1638220k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 3656 root 20 0 11.1g 4.6g 3.7g R 1200 16.7 3691:24 n0 3731 root 20 0 0 0 0 R 100 0.0 307:25.33 dpvi-task3 3730 root 20 0 0 0 0 R 98 0.0 303:42.33 dpvi-task2 3729 root 20 0 0 0 0 R 96 0.0 300:14.52 dpvi-task1 2941 root 20 0 84516 3976 2852 R 2 0.0 4:18.44 syslog-ng 4436 root 20 0 0 0 0 D 2 0.0 1:44.56 fpm-nfct-hf-tas 4216 root 20 0 21496 1112 772 D 0 0.0 0:21.46 sensormond 17380 root 20 0 13084 1292 800 R 0 0.0 0:00.01 top

44 Root Commands

show system statistics

Syntax

show system statistics [PROTO] [non-zero]

Example

NGFW{}show system statistics

show system usage

Show system usage displays the overall system usage. You can run once, or display an updated version every INT seconds. Ctrl-C will exit a re-occurring update.

Syntax

show system usage [update INT]

Example

NGFW{} show system usage update 12

show system virtual-memory

Shows the system’s kernel memory usage in a table with the following column headings.

•name

•active_objs

•num_objs

•objsize

•objperslab

• pagesperslab

•tunables

• limit

• batchcount

•sharedfactor

• slabdata

• active_slabs

• num_slabs

•sharedavail

Syntax

show system virtual-memory

Example

NGFW{}show system virtual-memory

show system xms memory

Shows xms memory statistics.

Syntax

show system xms memory (all| SERVICE)

Example

NGFW{}show system xms memory captive-portals

xmsd memory usage:

NGFW Command Line Interface Reference 45

+ Service: captive-portals + captive-portal-config: 48 Bytes Maximum amounts: 175 Bytes Calls to alloc : 1 times + Service: misc + miscellaneous: 1383 Bytes Maximum amounts: 1585 Bytes Calls to alloc : 10 times + xmlMem: 4341373 Bytes Maximum amounts: 85010535 Bytes Calls to alloc : 53906 times

show terminal

Shows terminal type information.

Syntax

show terminal

Example

NGFW{}show terminal

============= Terminal configuration: type 6wind columns 164 lines 46

show traffic-file

Syntax

show traffic-file FILENAME [verbose INT] [proto PROTO] [without PROTO] [pcap FILTER] [pager]

Options

traffic-file Show network traffic from file FILENAME Capture file name verbose Configure verbosity level INT Verbosity level (0: minimum verbosity) proto Configure captured packets protocol PROTO Protocol name (default: all) without Configure excluded packets protocol PROTO Protocol name (default: all) pcap Configure pcap-syntax filter FILTER Pcap filter string (e.g. "src port 22") pager Show all messages

Example

NGFW{}show traffic-file myfilename

show tse connection-table

Syntax

show tse connection-table TYPE

Example:

This example displays the basic IPS state synchronization by viewing the connection table on the active and passive device.

46 Root Commands

NGFW{}show tse connection-table blocks

Second device:

NGFW{}show tse connection-table blocks

The ‘TRHA’ indicates this is a connection created by state synchronization.

show tse

Shows threat suppression engine information.

Syntax

show tse (connection-table(blocks|trusts)|rate-limit)

Example

NGFW{}show tse connection-table blocks Blocked connections: None found. NGFW{}show tse rate-limit

show user-disk

Syntax

show user-disk

Example

NGFW{}show user-disk External User Disk Status: Mounted Encryption: None Capacity: 3952263168 bytes Used: 784158720 bytes Free: 2907357184 bytes

show users

Syntax

show users [locked|ip-locked]

Example

NGFW{}show users USER IDLE INTERFACE LOGIN IP ADDRESS TYPE myadminuser 00:00 SSH 2013-07-19 23:42:56 198.51.100.139 LOCAL

show version

Syntax

show version

Example

NGFW{}show version Serial: X-NGF-S8020F-GENERIC-0001 Software: 1.0.0.3911 Build Date: "Apr 12 2013 02:13:12" Production Digital Vaccine: 3.2.0.15172 Model: S8020F HW Serial: PR2AFQ300P HW Revision: A603

NGFW Command Line Interface Reference 47

Failsafe: 1.0.0.1801 System Boot Time: Sun Sept 15 21:14:57 2013 Uptime: 05:17:01

shutdown

Allows you to shutdown the system.

Syntax

shutdown

Example

NGFW{}shutdown You are about to shutdown the device. Please use the front panel buttons to restart the device manually. Make sure you have Committed all your changes, and clicked the Save Configuration button if you wish these changes to be applied when the device is restarted.

WARNING: Are you sure you want to shutdown the system (y/n) [n]:

sms

Allows you to configure SMS settings and release SMS.

Syntax

sms must-be-ip (A.B.C.D|A.B.C.D/M) sms unmanage

Example

NGFW{}sms unmanage NGFW{}sms must-be-ip 192.168.1.1

Related commands

show sms

snapshot create

Allows you to manage system snapshots.

Syntax

snapshot create NAME [(reputation|manual|network)]

Default is do not include the following: manual Include manually defined reputation entries in snapshot network Include Management port configuration in snapshot reputation Include reputation package in snapshot nonet Does not restore management port configuration if present in snapshot

Example

NGFW{}snapshot create s_041713

snapshot list

Syntax

snapshot list

48 Root Commands

Example

NGFW{}snapshot list Name Date OS Version DV Version Model Restore

---------------- -------------------------- ---------- ---------- ------- -----s_041713 Wednesday, April 17 2013 1.0.0.3913 3.2.0.15172 S1020F Yes

snapshot remove

Syntax

snapshot remove

Example

NGFW{}snapshot remove s_041713 Success

snapshot restore

Restore system from saved snapshot.

Syntax

snapshot restore NAME

tcpdump

Example

NGFW{}snapshot restore s_041713 Success

Allows you to capture network traffic to the terminal or a file. You can specify a maximum packet count or a maximum capture file size. If you record the capture to a file you must specify a maximum packet count or maximum capture file size. Maxsize is the maximum size of the capture file in millions of bytes, which is limited by the currently available disk allocation.

Syntax

tcpdump INTERFACE [record FILENAME [maxsizebytes 1-10000000]] [packetcount 1-10000000] [verbose 0-990000] [proto (icmp|igmp|tcp|udp|esp|ah|pim|snp|vrrp|stp|isis|sctp)] [without (icmp|igmp|tcp|udp|esp|ah|pim|snp|vrrp|stp|isis|sctp)] [pcap FILTER] [cponly] [pager] [background]

tcpdump stop

Example

NGFW{}tcpdump mgmt count 2 NGFW{}tcpdump bridge0 record mycapturefile count 100 proto tcp without udp pcap "dst

port 443" background

NGFW{}tcpdump6: listening on bridge0, link-type EN10MB (Ethernet), capture size 65535 bytes

100 packets captured 100 packets received by filter 0 packets dropped by kernel

NGFW{}tcpdump stop All tcpdump processes stopped.

NGFW Command Line Interface Reference 49

traceroute

Traceroute shows you the path a packet of information takes from your computer to your designation. It lists all the routers it passes through until it reaches its destination, or fails. Traceroute tells you how long router to router hops take.

Syntax

traceroute (A.B.C.D|HOSTNAME) [from A.B.C.D] [mgmt] (traceroute|traceroute6) X:X::X:X [from X:X::X:X] [mgmt]

Example

NGFW{}traceroute 192.168.140.254 traceroute: Warning: ip checksums disabled traceroute to 192.168.140.254 (192.168.140.254), 30 hops max, 46 byte packets 1 192.168.140.254 (192.168.140.254) 0.256 ms 0.249 ms 0.233 ms

traceroute6

Trace IPv6 network routes.

Example

NGFW{}traceroute6 192.168.140.1

user-disk

The external user-disk is available to mount, unmount, and format. Only a user-disk that the user manually formats and mounts will be “auto-mounted” by the device at boot. The one exception to this is after an initial install, the external cfast present in the box at the time of install will be “auto-mounted”.

The user-disk can be encrypted, but only if the system status on the user-disk causes a ‘format’ to occur and erases any existing data.

User-disk encryption can also be enabled and disabled from the LSM at System->Settings->Log Configuration.

Modify settings for the external user-disk.

Syntax

user-disk (encryption (enable|disable) | format | mount | unmount)

Example

NGFW{}user-disk unmount WARNING: Unmounting the external user disk will disable snapshot and packet capture,

and traffic related logs will be stored in memory only. Do you want to continue (y/n)? [n]: y Success: User disk unmounted.

Example

NGFW{}user-disk mount Note: The external user disk will be used for snapshots, packet captures and traffic

related logs. The external user disk will be automatically mounted on rebooted. Do you want to continue (y/n)? [n]: y Success: User disk mounted.

master-key has been set. Changing the encryption

Example

NGFW{}user-disk format WARNING: This action will erase all existing data on the external user disk! Do you want to continue (y/n)? [n]: y Success: User disk format completed.

50 Root Commands

Example

NGFW{}user-disk encryption enable WARNING: Changing the encryption status of the user disk will erase all traffic log,

snapshot, and packet capture data on the disk. Do you want to continue (y/n)? [n]: y Success: User disk encryption enabled.

Related commands

show user-disk master-key

NGFW Command Line Interface Reference 51

52 Root Commands

4 Log Configure Commands

Enter the log-configure command to access the log configuration context. Enter a question mark (?) at the NGFW{log-configure} prompt to display a list of valid command entries. Then enter help commandname to display help for a specific command.

display

Displays log configuration settings.

Syntax

display [log-sessions] [xml|verbose]

Example

NGFW{log-configure}display # LOG EMAIL SETTINGS email set sleepSeconds 300 email set maxRequeue 2016

# LOG ROTATE SETTINGS rotate set sleepSeconds 600 rotate set defaultFiles 5 rotate set defaultCheckRecords 500 rotate set maxFileSize 100 MB

# LOG FILE DISK ALLOCATION log-storage external 90% log-storage ramdisk 25%

# LOG FILE ALLOCATION SETTINGS # INTERNAL DISK log-file-size system 50% log-file-size audit 50% # ---# Total 100%

# EXTERNAL DISK (USER-DISK) log-file-size fwAlert 20% log-file-size fwBlock 20% log-file-size ipsAlert 10% log-file-size ipsBlock 10% log-file-size reputationAlert 5% log-file-size reputationBlock 5% log-file-size visibility 20% log-file-size quarantine 5% log-file-size vpn 5% # ---# Total 100%

Allows you to set logging email daemon parameters.

Syntax

email set sleepSeconds SLEEPSEC email set maxRequeue MAXREQUEUE

NGFW Command Line Interface Reference 53

email set queueFile QUEUEFILE email set deadletter DEADLETTER email delete (sleepSeconds|maxRequeue|queueFile|deadletter)

Example

NGFW{log-configure}email set sleepSeconds 600 NGFW{log-configure}email delete sleepSeconds NGFW{log-configure}email set maxRequeue 1 NGFW{log-configure}email delete maxRequeue NGFW{log-configure}email set queueFile myqueuefile NGFW{log-configure}email delete queueFile NGFW{log-configure}email set deadletter mydeadletterfile NGFW{log-configure}email delete deadletter

log-file-size

Set log file allocation as a percentage of the total 100 percent allowed for all log files.

# LOG FILE ALLOCATION SETTINGS # INTERNAL DISK log-file-size system 50% log-file-size audit 50% # ---# Total 100%

Syntax

log-file-size FILE_NAME USAGE[%] log-file-size

system and audit log files are kept on the internal disk fwAlert, fwBlock, ipsAlert, ipsBlock, quarantine, reputationAlert, reputationBlock,

visibility, and vpn log files are kept on the external or ramdisk drive

Example

NGFW{log-configure}log-file-size system 50 NGFW{log-configure}log-file-size fwAlert 20 NGFW{log-configure}log-file-size audit 60 ERROR: This would over allocate (110%) the Internal log disk!

log-storage

Set local log file allocation of external CFast disk space. Usage value can range from 50 to 99 percent.

Syntax

log-storage external USAGE[%] log-storage ramdisk USAGE[%]

Example

NGFW{log-configure}log-storage external 90

log-test

Sends a test message to the logging system(s).

Syntax

54 Log Configure Commands

Valid entries: all All log systems audit Audit system vpn VPN (IPsec) system quarantine Quarantine system logID LogID system LOGID Log-session ID to test SEVERITY Set Severity level for log message (default: INFO) Possible values for SEVERITY are:

emergency EMERG level alert ALERT level critical CRIT level error ERR level warning WARNING level notice NOTICE level info INFO level (default)

debug DEBUG level msg Override default message MESSAGE Message to send to logging system

rotate

Example

NGFW{log-configure}log-test logID 1 msg "my test message for logging" NGFW{log-configure}log-test all

Sets log rotation parameters.

Syntax

rotate (set|delete) defaultCheckRecords (100-65535) rotate (set|delete) defaultFiles (2-20) rotate (set|delete) maxFileSize (10-500MB) rotate (set|delete) sleepSeconds (1-65535) rotate (set|delete) audit [Files (2-20)] [Records (100-65535)] rotate (set|delete) fwAlert [Files (2-20)] [Records (100-65535)] rotate (set|delete) fwBlock [Files (2-20)] [Records (100-65535)] rotate (set|delete) ipsAlert [Files (2-20)] [Records (100-65535)] rotate (set|delete) ipsBlock [Files (2-20)] [Records (100-65535)] rotate (set|delete) quarantine [Files (2-20)] [Records (100-65535)] rotate (set|delete) reputationAlert [Files (2-20)] [Records (100-65535)] rotate (set|delete) reputationBlock [Files (2-20)] [Records (100-65535)] rotate (set|delete) system [Files (2-20)] [Records (100-65535)] rotate (set|delete) visibility [Files (2-20)] [Records (100-65535)] rotate (set|delete) vpn [Files (2-20)] [Records (100-65535)]

sleepSeconds Logrotation sleep time between checks SLEEPSEC Number of seconds logrotation waits between checks defaultFiles Default number of logrotation files NUMFILES Number of logrotation files (2 - 20) defaultCheckRecords Default number of records between log daemon size checks NUMRECORDS Number of records between log daemon size checks (100 - 65535)

NGFW Command Line Interface Reference 55

maxFileSize Max size a 'rotated' log file MAXFILESIZE Max log rotation file size in MB (10 - 500) MB Megabytes FILE_NAME Local log file name Files Number of logrotation files Records Number of records between log daemon size checks delete Delete the logrotation parameter

Example

NGFW{log-configure}rotate set sleepSeconds 10 NGFW{log-configure}rotate set visibility Files 5 Records 500 NGFW{log-configure}rotate set vpn Files 5 Records 500 NGFW{log-configure}rotate delete vpn Records NGFW{log-configure}rotate delete vpn Files NGFW{log-configure}rotate delete visibility NGFW{log-configure}rotate set defaultCheckRecords 500 NGFW{log-configure}rotate set defaultFiles 5

56 Log Configure Commands

5 Edit Running Configuration Commands

Enter the edit command to access the configuration mode. In edit mode, you can perform numerous configurations, such as firewall rules and policies, and authentication. Once you have executed the edit command the CLI prompt will appear as available until you exit. To exit the edit configuration mode, enter exit.

Configuration Contexts by Function

Monitor/System

Table 5-1 Monitor and System Commands

NGFW{running}. Configuration options, and sub contexts are

Network

running-blockedStreams Context Commands

running-cluster Context Commands running-cluster-tct Context Commands

running-dns Context Commands

running-gen Context Commands

running-high-availability Context Commands

running-log Context Commands

running-mgmt Context Commands

running-ntp Context Commands

running-snmp Context Commands

Table 5-2 Network Commands

running-agglinkX Context Commands

running-bridgeX Context Commands

running-greX Context Commands

NGFW{running}blockedStreams

NGFW{running}cluster NGFW{running-cluster}tct

NGFW{running}dns

NGFW{running}gen

NGFW{running}high-availability

NGFW{running}log

NGFW{running}interface mgmt

NGFW{running}ntp

NGFW{running}snmp

NGFW{running}interface agglink0

NGFW{running}interface bridge0

NGFW{running}interface gre0

running-l2tp-serverX Context Commands

running-l2tpX Context Commands

running-loopbackX Context Commands

running-pppoeX Context Commands

running-pptpX Context Commands

running-vlanX Context Commands

running-ethernetX Context Commands

running-segmentX Context Commands

NGFW{running}l2tp-server0

NGFW{running}interface l2tp0

NGFW{running}interface loopback0

NGFW{running}interface pppoe0

NGFW{running}interface pptp0

NGFW{running}interface vlan0

NGFW{running}interface ethernet1

NGFW{running}segment0

NGFW Command Line Interface Reference 57

Table 5-2 Network Commands

Policy

running-dhcp-relay Context Commands

running-dhcp-server Context Commands

running-dhcp-server-X Context Commands

Table 5-3 Policy Commands

(immediate commit context)

running-actionsets Context Commands running-actionsets-X Context Commands

running-addressgroups Context Commands running-addressgroups-X Context Commands

(immediate commit context)

running-app-filter-mgmt Context Commands

(immediate commit context)

running-app-groups Context Commands running-app-groups-X Context Commands

NGFW{running}dhcp relay

NGFW{running}dhcp server

NGFW{running-dhcp-server}scope myscope

NGFW{running}actionsets NGFW{running-actionsets}actionset

myactionset1

NGFW{running}addressgroups NGFW{running-addressgroups}addressgroup

myaddressgroups

NGFW{running}application-filter-mgmt

NGFW{running}application-groups NGFW{running-app-groups}application-grou

p FaceBook

(immediate commit context)

running-autodv Context Commands running-autodv-calendar Context Commands running-autodv-periodic Context Commands

running-captive-portal Context Commands running-captive-portal-rule-X Context Commands

running-dnat Context Commands running-dnat-rule-X Context Commands

running-firewall Context Commands running-firewall-rule-X Context Commands

running-global-inspection Context Commands

(immediate commit context)

running-ips Context Commands running-ips-X Context Commands

(immediate commit context)

running-notifycontacts (email) Context Commands running-notifycontacts-X (SNMP) Context Commands

(immediate commit context)

running-rep Context Commands running-rep-X (group X) Context Commands running-rep-X (profile X) Context Commands

NGFW{running}autodv NGFW{running-autodv}calendar NGFW{running-autodv}periodic

NGFW{running}captive-portal NGFW{running-captive-portal}rule 20000

NGFW{running}dst-nat NGFW{running-dnat}rule 1

NGFW{running}firewall NGFW{running-firewall}rule myrule1

NGFW{running}global-inspection

NGFW{running}ips NGFW{running-ips}profile 1

NGFW{running-notifycontacts}contact mycontact1 email

NGFW{running-notifycontacts}contact mycontact1 snmp secret 192.168.1.1

NGFW{running}rep NGFW{running-rep}group 1 NGFW{running-rep}profile abc

running-schedules Context Commands running-schedules-X Context Commands

running-services Context Commands running-services-X Context Commands

58 Edit Running Configuration Commands

NGFW{running}schedules NGFW{running-schedules}schedule myhours1

NGFW{running}services NGFW{running-services}service myservice1

Table 5-3 Policy Commands

running-snat Context Commands running-snat-rule-X Context Commands

running-zones Context Commands running-zones-X Context Commands

Authentication

Table 5-4 Authentication Commands

running-aaa Context Commands running-aaa-ldap-group-X Context Commands running-aaa-radius-group-X Context Commands

running-certificates Context Commands running-certificates-crl Context Commands

Routing

Table 5-5 Routing Commands

running-bgp-X Context Commands

running-multicast-registration Context Commands

running-ospf Context Commands

NGFW{running}src-nat NGFW{running-snat}rule snat1

NGFW{running}zones NGFW{running-zones}zone myzone1

NGFW{running-aaa} NGFW{running-aaa}ldap-group mygroup NGFW{running-aaa}radius-group mygroup

NGFW{running}certificates NGFW{running-certificates}crl

NGFW{running}router bgp 1

NGFW{running}multicast-registration

NGFW{running}router ospf

running-ospfv3 Context Commands

running-pim-smv4 Context Commands

running-pim-smv6 Context Commands

running-rip Context Commands

running-ripng Context Commands

running-route-map Context Commands

running-smr Context Commands

VPN

Table 5-6 VPN Commands

running-ipsec Context Commands

running-manual-sa Context Commands

Edit Context Commands

NGFW{running}router ospfv3

NGFW{running}router pim-smv4

NGFW{running}router pim-smv6

NGFW{running}router rip

NGFW{running}router ripng

NGFW{running}route-map mymap permit 10

NGFW{running}router smr

NGFW{running}vpn ipsec

NGFW{running}vpn ipsec NGFW{running-ipsec}manual

aaa

Enter Authentication and Authorization and Auditing context mode.

Syntax

aaa

NGFW Command Line Interface Reference 59

Example

NGFW{}edit NGFW{running}aaa NGFW{running-aaa}help

NGFW{running-aaa}display user fred xml <?xml version="1.0"?> <record> <index> <user>fred</user> </index> <parameters> <password>$password$</password> <epoch>1373049840</epoch> </parameters> </record> NGFW{running-aaa}exit

Related commands

running-aaa Context Commands

actionsets

Enters action sets context mode. Changes are committed and take effect immediately.

Syntax

actionsets

Example

NGFW{}edit NGFW{running}actionsets NGFW{running-actionsets}help

Example

NGFW{running-actionsets}actionset myactionset NGFW{running-actionsets-myactionset}help NGFW{running-actionsets-myactionset}? Valid entries at this position are: action Set action type, available value: permit, rate-limit, block, trust allow-access Allow quarantined host to access defined IP bytes-to-capture Set bytes to capture for packet trace contact Add a notify contact delete Delete file or configuration item display Display file or configuration item help Display help information http-block Set quarantine option to block HTTP traffic http-custom Set or clear HTTP custom text display option http-redirect Set redirect URL for HTTP redirect option http-showdesc Set or clear HTTP show desc display option http-showname Set or clear HTTP show name display option limit-quarantine Add IP for limit quarantine limit-rate Set the rate value for rate-limit action no-quarantine Add IP for no quarantine nonhttp-block Set quarantine option to block non-HTTP traffic packet-trace Enable/disable packet trace option priority Set packet trace priority quarantine Set quarantine option, available value: no, immediate, threshold tcp-reset Set tcp reset option for block action, can be disable, source,

dest or both

60 Edit Running Configuration Commands

threshold Set quarantine threshold value verbosity Set packet trace verbosity

Related commands

running-actionsets Context Commands

addressgroups

Enters address group context.

Syntax

addressgroups

Example

NGFW{running}addressgroups NGFW{running-addressgroups}help NGFW{running-addressgroups}? Valid entries at this position are: addressgroup Create or enter an address group context delete Delete address group parameters help Display help information rename Rename address group

Related commands

running-addressgroups Context Commands

application-filter-mgmt

Enters application filter management context.

Syntax

application-filter-mgmt

Example

NGFW{}edit NGFW{running}application-filter-mgmt Entering Immediate Commit Feature. Changes take effect immediately. NGFW{running-app-filter-mgmt}help Valid commands are: display filter FILTERNUMBER SYS_ENABLE_OR_DISABLE filter FILTERNUMBER afcstate AFC_ENABLE_OR_DISABLE filter FILTERNUMBER SYS_ENABLE_OR_DISABLE afcstate AFC_ENABLE_OR_DISABLE help [full|COMMAND]

Related commands

running-app-filter-mgmt Context Commands

application-groups

Enters the application-group context mode. Application groups can be associated with firewall rules and can only be defined by the LSM not the CLI. There are CLI commands that are similar in syntax to security categories, but the criteria parameter is deliberately obfuscated. Also, like security categories, application group queries are not editable from the CLI.

NGFW Command Line Interface Reference 61

NOTE: Attempting to create an application group from the CLI will result in an error while parsing the

CRITERIASTRING parameter.

The CRITERIASTRING format is deliberately obfuscated and not supported to prevent users from creating or editing application group criteria from the CLI. Support for setting and getting criteria through the obfuscated format is included so that users can still copy output of CLI display commands and paste them back in.

Syntax

application-groups

Example

NGFW{running}application-groups Entering Immediate Commit Feature. Changes take effect immediately. NGFW{running-app-groups}help Valid commands are: application-group NEWAPPNAME CRITERIASTRING application-group APPNAME delete application-group APPNAME display help [full|COMMAND] rename application-group APPNAME NEWAPPNAME

Related commands

running-app-groups Context Commands

application-visibility

Enables or Disables application visibility.

Syntax

application-visibility (enable|disable)

Example

NGFW{running}application-visibility ? Valid entries at this position are: disable Disable application visibility enable Enable application visibility

autodv

Enters auto digital vaccine context mode.

Syntax

autodv

Example

NGFW{running}autodv Entering Immediate Commit Feature. Changes take effect immediately. NGFW{running-autodv}help Valid commands are: calendar delete proxy delete proxy-password delete proxy-username disable

62 Edit Running Configuration Commands

display enable help [full|COMMAND] list periodic proxy ADDR port PORT proxy-password PASSWD proxy-username USER update

NGFW{running-autodv}? Valid entries at this position are: calendar Enter Calender Style delete Delete file or configuration item disable Disable service display Display file or configuration item enable Enable service help Display help information list List Installed DVs periodic Enter Periodic Style proxy Configure proxy proxy-password Proxy password proxy-username Proxy username update Update AutoDV

Related commands

running-autodv Context Commands

blockedStreams

Enters blockedStreams context mode.

Syntax

blockedStreams

Example

NGFW{running}blockedStreams NGFW{running-blockedStreams}help Valid commands are: flushallstreams flushstreams help [full|COMMAND] list

Related command

running-blockedStreams Context Commands

captive-portal

Enters captive portal context mode.

Syntax

captive-portal

Example

NGFW{running}captive-portal NGFW{running-captive-portal}help Valid commands are:

NGFW Command Line Interface Reference 63

Related commands

running-captive-portal Context Commands

certificates

Enters certificates context mode.

Syntax

certificates

Example

NGFW{running}certificates NGFW{running-certificates}help Valid commands are: # Enter context crl

# Other commands ca-certificate CANAME cert-request CERTREQUEST [key-size SIZE] certificate CERTNAME delete ca-certificate (all|CANAME) delete cert-request (all|CERTREQUEST) delete certificate (all|CERTNAME) display ca-certificate CANAME [pem|text] display cert-request CERTNAME display certificate CERTNAME [pem|text] display private-key CERTNAME help [full|COMMAND] private-key CERTNAME

Related commands

running-certificates Context Commands

cluster

Enters cluster context mode.

Syntax

cluster

64 Edit Running Configuration Commands

Example

NGFW{running}cluster NGFW{running-cluster}help Valid commands are: check CHECK_TYPE enable|disable cluster-name NAME delete standby enable|disable help [full|COMMAND] member-id ID member-name NAME standby tct

NGFW{running-cluster}? Valid entries at this position are: check Perform consistency check cluster-name Apply Cluster Name delete Delete file or configuration item disable Disable clustering enable Enable clustering help Display help information member-id Cluster Member ID member-name Cluster member name standby Set the device on standby tct Enter cluster traffic context

delete

Related commands

running-cluster Context Commands

Deletes file or configuration item.

Syntax

delete SEGNAME delete interface agglinkX delete interface bridgeX delete interface greX delete interface l2tpX delete interface loopbackX delete interface pppoeX delete interface pptpX delete interface vlanX delete interface vrrpvXgY delete ip access-list NAME (permit|deny) A.B.C.D/M delete ip prefix-list NAME (permit|deny) A.B.C.D/M [ge GE-VALUE] [le LE-VALUE] delete ipv6 access-list NAME (permit|deny) X.X.X.X/M delete l2tp-serverX delete route-map ROUTE-MAP-NAME delete route-map ROUTE-MAP-NAME permit|deny ENTRY-POSITION delete router bgp delete router ospf delete router ospfv3 delete router pim-smv6 delete router rip delete router ripng delete router smr

NGFW Command Line Interface Reference 65

Example

NGFW{running}delete segment78 NGFW{running}delete interface agglink0 NGFW{running}delete interface bridge0 NGFW{running}delete interface gre0 NGFW{running}delete interface l2tp0 NGFW{running}delete interface loopback0 NGFW{running}delete interface pppoe0 NGFW{running}delete interface pptp0 NGFW{running}delete interface vlan0 NGFW{running}delete ip access-list myaccesslist permit 0.0.0.0/0 NGFW{running}delete ip prefix-list myprefixlist permit 192.168.0.0/16 ge 24 le 24 NGFW{running}delete ipv6 access-list myipv6accesslist permit 100:0:0:0:0:0:0:0/64 NGFW{running}delete l2tp-server0 NGFW{running}delete route-map myroutemap NGFW{running}delete route-map myroutemap permit 1 NGFW{running}delete router bgp NGFW{running}delete router ospf NGFW{running}delete router ospfv3 NGFW{running}delete router pim-smv6 NGFW{running}delete router rip NGFW{running}delete router ripng NGFW{running}delete router smr

dhcp

dns

Enters DHCP context mode.

Syntax

dhcp relay dhcp server

Example

NGFW{running}dhcp Valid entries at this position are: relay Enter DHCP relay context server Server

Related commands

running-dhcp-relay Context Commands

running-dhcp-server Context Commands

Enters DNS context mode.

Syntax

dns

Example

NGFW{running}dns NGFW{running-dns}help Valid commands are: delete domain-name delete name-server all|A.B.C.D|X:X::X:X delete proxy cache cleaning interval delete proxy cache forwarder all|A.B.C.D|X:X::X:X

66 Edit Running Configuration Commands

delete proxy cache maximum negative ttl delete proxy cache maximum ttl delete proxy cache size domain-name NAME domain-search primary NAME help [full|COMMAND] name-server A.B.C.D|X:X::X:X proxy cache cleaning interval cache cleaning interval in minutes proxy cache forwarder A.B.C.D|X:X::X:X proxy cache maximum negative ttl cache maximum negative TTL in minutes proxy cache maximum ttl cache maximum TTL in minutes proxy cache size cache size in megabytes proxy enable|disable

NGFW{running-dns}? Valid entries at this position are: delete Delete file or configuration item domain-name Configure domain name domain-search Configure domain search help Display help information name-server Configure DNS server proxy Configure proxy proxy Enable or disable proxy

Related commands

running-dns Context Commands

dst-nat

Enters destination NAT context mode.

Syntax

dst-nat

Example

NGFW{running}dst-nat NGFW{running-dnat}help Valid commands are: delete rule all|DSTNATRULEID help [full|COMMAND] rule (auto|DSTNATRULEID) [POSITION_VALUE]

NGFW{running-dnat}? Valid entries at this position are: delete Delete destination NAT rule(s) help Display help information rename Rename destination NAT rule rule Create or enter a rule context

Related commands

running-dnat Context Commands

firewall

Enters firewall context mode.

Syntax

firewall

NGFW Command Line Interface Reference 67

gen

Example

NGFW{running}firewall NGFW{running-firewall}help Valid commands are: default-block-rule DEFACTIONSET delete rule all|XRULEID help [full|COMMAND] rename rule XRULEID NEWRULEID rule (auto|RULEID) [POSITION_VALUE]

NGFW{running-firewall}? Valid entries at this position are: default-block-rule Apply action set for default block rule delete Delete firewall rule help Display help information rename Rename a firewall rule rule Create or enter a rule context

Related commands

running-firewall Context Commands

Enters general context mode.

Usage

gen

Example

NGFW{running}gen NGFW{running-gen}help Valid commands are: # System commands timezone (GMT|(REGION CITY))

# Manage context display [xml]

ndp X:X::X:X INTERFACE MAC ssh enable|disable xmsd remote (port PORT [address A.B.C.D])|disable

|network

NGFW{running-gen}? Valid entries at this position are:

68 Edit Running Configuration Commands

arp Configure static ARP entry auto-restart Enable/disable automatic restart on detection of critical

delete Delete file or configuration item display Display general context ephemeral-port-range Set the range of the ephemeral port (default is 32768-61000) forwarding Enable or disable IPv4/IPv6 forwarding help Display help information host Configure static address to host name association https Enable or disable WEB server configuration inband-management Inband Management management-service Management of a service to use management port or network port ndp Configure static NDP entry ssh Enable or disable ssh service timezone Display or configure time zone

Related commands

running-gen Context Commands

global-inspection

Enters global-inspection context mode.

Syntax

global-inspection

problem

Example

NGFW{running}global-inspection NGFW{running-global-inspection}help Valid commands are: default-inspection (ips-profile IPSPROFILE|none)|(reputation-profile

unknown-app (ips-profile IPSPROFILE|none)|(reputation-profile REPPROFILE|none) display [xml] help [full|COMMAND]

NGFW{running-global-inspection}? Valid entries at this position are: default-inspection Apply default inspection profile display Display global inspection profile configuration help Display help information unknown-app Apply inspection profile during application detection phase

Related commands

running-global-inspection Context Commands

high-availability

Enters high-availability context mode.

REPPROFILE|none)

Syntax

high-availability

Examples

NGFW{running}high-availability NGFW{running-high-availability}help Valid commands are: delete failover-group base-mac

NGFW Command Line Interface Reference 69

NGFW{running-high-availability}? Valid entries at this position are: delete Delete file or configuration item disable Disable high-availability enable Enable high-availability failover-group Failover Group help Display help information state-sync State synchronization

NGFW{running-high-availability}help state-sync Enable or disable high-availability (enable|disable) Syntax: state-sync (global [enable|disable])|(FEATURE [enable|disable|(log-level

state-sync State synchronization global Turn state synchronization on or off enable Enable state synchronization disable Disable state synchronization FEATURE Specify a state synchronization table Possible values for FEATURE are: firewall Firewall state synchronization table ips IPS state synchronization table routing Routing state synchronization table log-level Specify logging level SEVERITY Log service severity Possible values for SEVERITY are: emergency Panic condition messages alert Immediate problem condition messages critical Critical condition messages error Error messages warning Warning messages notice Special condition messages info Informational messages debug Debug messages none Turn off messages

SEVERITY)])

NGFW{running-high-availability}state-sync ? Valid entries at this position are: firewall Firewall state synchronization table ips IPS state synchronization table routing Routing state synchronization table global Turn state synchronization on or off

Related commands

running-high-availability Context Commands

interface

Enters interface context mode. The X represents a number to be entered, such as bridge2.

Syntax

# Enter context interface agglinkX

70 Edit Running Configuration Commands

interface bridgeX interface ethernetX interface greX interface l2tpX interface loopbackX interface mgmt interface pppoeX interface pptpX interface vlanX

Example

NGFW{running}interface bridge2 NGFW{running-bridge2}? Valid entries at this position are: arp/ndp Enable or disable ARP and NDP on interface autoconfv6 Enable or disable IPv6 autoconfiguration on interface bind Bind bridged network interface over ethernet/VLAN/agglink delete Delete file or configuration item description Enter description for the interface help Display help information ip Configure IP settings ipaddress Configure IP address ipv6 Configure IPv6 settings mtu Configure interface MTU prefix Configure IPv6 prefix ra-autoconf-level Modify IPv6 Router Advertisement autoconfiguration level ra-interval Modify IPv6 Router Advertisement interval value ra-interval-transmit Modify IPv6 Router Advertisement interval transmit ra-lifetime Modify IPv6 Router Advertisement prefix lifetime ra-mtu Modify IPv6 Router Advertisement MTU value ra-transmit-mode Modify IPv6 Router Advertisement transmit mode router-advert Configure IPv6 Router Advertisement parameters shutdown Shutdown logical interface state tcp4mss Configure interface TCP MSS for IPv4 tcp6mss Configure interface TCP MSS for IPv6

NGFW{running-bridge2}help

Related commands

running-agglinkX Context Commands

running-bridgeX Context Commands

running-ethernetX Context Commands

running-greX Context Commands

running-l2tpX Context Commands

running-loopbackX Context Commands

running-mgmt Context Commands

running-pppoeX Context Commands

running-pptpX Context Commands

running-vlanX Context Commands

IP configuration mode.

NGFW Command Line Interface Reference 71

Syntax

ip access-list NAME (permit|deny) A.B.C.D/M ip as-path access-list NAME (permit|deny) ASN_FILTER delete ip as-path access-list NAME (permit|deny) ASN_FILTER ip community-list NAME (permit|deny)

delete ip community-list NAME (permit|deny)

ip prefix-list NAME (permit|deny) A.B.C.D/M [ge GE-VALUE] [le LE-VALUE] ip route A.B.C.D/M A.B.C.D|INTERFACE [DISTANCE] ipv6 route X:X::X:X/M (X:X::X:X[%INTERFACE])|INTERFACE [DISTANCE] display ip route

Valid entries: access-list Access list as-path AS Path access list community-list Community list prefix-list Prefix list route Add an IPv4 static route

((AA:NN)|internet|local-as|no-advertise|no-export)

Example

NGFW{running}ip access-list myaccesslist permit 0.0.0.0/0 NGFW{running}ip as-path access-list myasnaccesslist permit ^64496$ NGFW{running}delete ip as-path access-list myasnaccesslist permit ^64496$ NGFW{running}ip community-list mycommunitylist permit 64496:100 NGFW{running}ip community-list mycommunitylist permit internet NGFW{running}delete ip community-list mycommunitylist permit 64496:100 NGFW{running}ip prefix-list myprefixlist permit 192.168.0.0/16 ge 24 le 24 NGFW{running}ip route 192.168.1.0/24 192.0.2.1 1 NGFW{running}ip route 192.168.1.0/24 ethernet5 1 NGFW{running}display ip route # IPV4 ROUTES ip route 192.168.1.0/24 192.0.2.1 1 ip route 192.168.1.0/24 ethernet5

ips

Enters IPS profile context mode.

Syntax

ips

Example

NGFW{running}ips Entering Immediate Commit Feature. Changes take effect immediately. NGFW{running-ips}help Valid commands are: # Enter context display-categoryrules

# Other commands afc-mode AFCMODE afc-severity SEVERITY connection-table TIMEOUTTYPE SECONDS delete profile XPROFILENAME deployment-choices display gzip-decompression enable|disable help [full|COMMAND]

72 Edit Running Configuration Commands

ipv6

profile PROFILENAME quarantine-duration DURATION rename profile XPROFILENAME NEWPROFILENAME

NGFW{running-ips}? Valid entries at this position are: afc-mode AFC mode afc-severity AFC severity connection-table Connection table timeout delete Delete a profile deployment-choices Get deployment choices display Display all ips configuration and profiles display-categoryrules Display category rules for all profiles gzip-decompression GZIP decompression mode help Display help information profile Create/enter a IPS profile quarantine-duration Quarantine duration rename Rename a profile

Related commands

running-ips Context Commands

IPv6 configuration

Syntax

ipv6 access-list NAME (permit|deny) X:X::X:X/M ipv6 route X:X::X:X/M (X:X::X:X[%INTERFACE])|INTERFACE [DISTANCE] display ipv6 route

Valid entries: ipv6 IPv6 configuration route Add static route X:X::X:X/M Unicast IPv6 prefix address X:X::X:X IPv6 address INTERFACE Interface name DISTANCE The distance value (1-255)

Example

NGFW{running}ipv6 access-list myipv6accesslist permit 100:0:0:0:0:0:0:0/64 NGFW{running}ipv6 route 2001:2:0:0:0:0:0:0/48 ethernet5 1 NGFW{running}ipv6 route 2001:2:0:0:0:0:0:0/48 100:0:0:0:0:0:0:1 1 NGFW{running}display ipv6 route # IPV6 ROUTES ipv6 route 2001:2::/48 ethernet5 ipv6 route 2001:2::/48 100::1

l2tp-serverX

Enters L2TP Server context mode. The X represents a number, for example server0.

Syntax

l2tp-serverX

Example

NGFW{running}l2tp-server0 NGFW{running-l2tp-server0}help

NGFW Command Line Interface Reference 73

log

NGFW{running-l2tp-server0}? Valid entries at this position are: auth Authenticated configuration bind Configure bind service of L2TP server delete Delete file or configuration item help Display help information hiding Enable or disable hiding configuration sequencing Enable or disable sequence configuration

Related commands

running-l2tp-serverX Context Commands

Enters log context mode. Note that the 'Management Console' notification contact for the Audit log can not be modified.

Syntax

log

Example

NGFW{running}log NGFW{running-log}help Valid commands are: delete log audit CONTACT-NAME delete log quarantine CONTACT-NAME delete log system CONTACT-NAME delete log vpn CONTACT-NAME delete log-option fib events|kernel|memory|packet [recv|send] delete log-option ppp( all)|( DEL-PPP-LOG-OPTION){1,10} delete log-option xmsd( all)|( LOG_OPTION) help [full|COMMAND] log audit CONTACT-NAME [ALL|none] log quarantine CONTACT-NAME [ALL|none] log system CONTACT-NAME [SEVERITY] log vpn CONTACT-NAME [SEVERITY] log-option fib events|kernel|memory|packet [recv|send] log-option ppp( all)|( PPP-LOG-OPTION){1,255} log-option xmsd( all)|( LOG_OPTION) sub-system SUBSYSTEM [SEVERITY]

NGFW{running-log}? Valid entries at this position are: delete Delete file or configuration item help Display help information log Add a Notification Contact to a log service log-option Add service log option sub-system set sub-system log level

74 Edit Running Configuration Commands

NGFW{running-log}display # LOG SERVICES log system "Management Console" notice #log audit "Management Console" ALL log vpn "Management Console" info log quarantine "Management Console" ALL

# SUB-SERVICES sub-system INIT info sub-system XMS notice sub-system TOS info sub-system HTTPD notice sub-system GATED none sub-system LOGIN notice sub-system PACEMAKER error sub-system COROSYNC notice sub-system CRMADMIN none

Related commands

running-log Context Commands

multicast-registration

Enters multicast registration context mode.

Syntax

multicast-registration

Example

NGFW{running}multicast-registration NGFW{running-multicast-registration}help Valid commands are: help [full|COMMAND] igmp-version default|(mode MODE IGMPvX) mld-version default|(mode MODE MLDvX)

NGFW{running-multicast-registration}? Valid entries at this position are: help Display help information igmp-version Configure system IGMP version mld-version Configure system MLD version

NGFW{running-multicast-registration}igmp-version mode ? Valid entry at this position is: MODE Define IGMP mode (force or default)

Related commands

running-multicast-registration Context Commands

notifycontacts

Enters notify contacts context mode.

Syntax

notifycontacts

Example

NGFW{running}notifycontacts

NGFW Command Line Interface Reference 75

Entering Immediate Commit Feature. Changes take effect immediately. NGFW{running-notifycontacts}help Valid commands are: contact CONTACTNAME contact NEWNAME email contact NEWNAME snmp COMMUNITY IP [PORT] delete contact XCONTACTNAME display email-from-address EMAIL email-from-domain DOMAIN email-server IP email-threshold THRESHOLD email-to-default-address EMAIL help [full|COMMAND] rename contact XCONTACTNAME NEWNAME

NGFW{running-notifycontacts}? Valid entries at this position are: contact Create or edit a notify contact delete Delete file or configuration item display Display all available contacts email-from-address From email address email-from-domain From domain name email-server Set mail server IP email-threshold Set email threshold email-to-default-address Default to email address help Display help information rename Rename contact with new name

ntp

Related commands

running-notifycontacts (email) Context Commands

Enters NTP context mode.

Syntax

ntp

Example

NGFW{running}ntp NGFW{running-ntp}help Valid commands are: delete key all|ID delete server all|HOST help [full|COMMAND] key (1-65535) VALUE ntp enable|disable polling-interval SECONDS server dhcp|NAME [key ID] [prefer]

NGFW{running-ntp}? Valid entries at this position are: delete Delete file or configuration item help Display help information key Configure NTP authentication key ntp Enable or disable NTP polling-interval Configure minimum polling interval

76 Edit Running Configuration Commands

server Configure remote NTP server

Related commands

running-ntp Context Commands

reputation

Enters Reputation context mode.

Syntax

reputation

Example

NGFW{running}reputation Entering Immediate Commit Feature. Changes take effect immediately. NGFW{running-rep}help Valid commands are: delete group USERGROUP delete profile XPROFILENAME display group USERGROUP help [full|COMMAND] profile PROFILENAME rename group USERGROUP NEWUSERGROUP rename profile XPROFILENAME NEWPROFILENAME

NGFW{running-rep}? Valid entries at this position are: delete Delete file or configuration item display Display all reputation profiles and groups group Create/enter reputation group context help Display help information profile Create/enter reputation profile context rename Rename a reputation profile or group

Related commands

running-rep Context Commands

route-map

Allows you to configure the route-map.

Syntax

route-map ROUTE-MAP-NAME (permit|deny) ENTRY-POSITION

Example

NGFW{running}help route-map Enter the route-map context Syntax: route-map ROUTE-MAP-NAME permit|deny ENTRY-POSITION route-map Enter the route-map context ROUTE-MAP-NAME Route-map name permit Permit the network prefix deny Deny the network prefix ENTRY-POSITION Position of the route-map entry (1-65535)

Related commands

running-route-map Context Commands

NGFW Command Line Interface Reference 77

router

Enters the specified router protocol context.

Syntax

router bgp ASNUMBER router ospf router ospfv3 router pim-smv4 router pim-smv6 router rip router ripng router smr

Valid entries: bgp Enter the BGP context ASNUMBER The autonomous system number (1-2147483647) ospf Enter the OSPF context ospfv3 Enter the OSPFv3 context pim-smv4 Enter the PIM-SM IPv4 context pim-smv6 Enter the PIM-SM IPv6 context rip Enter the RIP context ripng Enter the RIPng context smr Enter the SMR context

Example

NGFW{running}router ospf NGFW{running}router ospfv3 NGFW{running}router pim-smv4 NGFW{running}router pim-smv6 NGFW{running}router rip NGFW{running}router ripng NGFW{running}router smr NGFW{running}router bgp

Related commands

running-ospf Context Commands

running-ospfv3 Context Commands

running-bgp-X Context Commands

running-rip Context Commands

running-ripng Context Commands

running-pim-smv4 Context Commands

running-pim-smv6 Context Commands

running-smr Context Commands

schedules

Enters schedules context mode.

Syntax

schedules

Example

NGFW{running}schedules NGFW{running-schedules}help Valid commands are:

78 Edit Running Configuration Commands

delete schedule all|SCHEDULENAME help [full|COMMAND] rename schedule SCHEDULENAME NEWSCHEDULENAME schedule SCHEDULENAME

NGFW{running-schedules}? Valid entries at this position are: delete Delete a schedule help Display help information rename Rename a schedule schedule Create or enter a schedule context

Related commands

running-schedules Context Commands

segmentX

Enters Segment context mode. The X represents a segment number, for example segment0.

Syntax

segmentX

Example

NGFW{running}segment0 NGFW{running-segment0}help Valid commands are: # Enter context bind bind delete bind|high-availability|link-down high-availability mode link-down breaker [wait-time WAIT-TIME] link-down hub link-down wire [wait-time WAIT-TIME] restart

# Other commands description TEXT help [full|COMMAND]

NGFW{running-segment0}? Valid entries at this position are: bind Bind ethernet port pairs to segment delete Delete file or configuration item description Enter description for the segment help Display help information high-availability Intrinsic HA Layer 2 Fallback action link-down Link down synchronization mode restart Restart both Ethernet ports of segment

NGFW{running-segment0}help bind Bind ethernet port pairs to segment Syntax: bind bind bind Bind ethernet port pairs to segment bind ethernet port pairs

Related commands

running-segmentX Context Commands

NGFW Command Line Interface Reference 79

services

Enters services context mode.

Syntax

services

Example

NGFW{running}services NGFW{running-services}help Valid commands are: delete service all|USERSERVICENAME help [full|COMMAND] rename service USERSERVICENAME NEWSERVICENAME restore-default service SERVICENAME

NGFW{running-services}? Valid entries at this position are: delete Delete service(s) help Display help information rename Rename service restore-default Restore default services service Create or enter a service context

Related commands

running-services Context Commands

snmp

Enters SNMP context mode.

Syntax

snmp

Example

NGFW{running}snmp NGFW{running-snmp}help Valid commands are: authtrap enable|disable community COMMUNITY SOURCE delete community COMMUNITY|all delete trapsession (HOST ver VERSION)|all delete username (USERNAME|all) engineID ENGINE-ID help [full|COMMAND] snmp enable|disable trapsession HOST [port PORT] ver 2c COMMUNITY [inform] trapsession HOST [port PORT] ver 3 USERNAME level noAuthNoPriv [inform] trapsession HOST [port PORT] ver 3 USERNAME level authNoPriv authtype AUTHTYPE

AUTHPASS [inform]

trapsession HOST [port PORT] ver 3 USERNAME level authPriv authtype AUTHTYPE

AUTHPASS privproto PRIVPROTO [PRIVPASS] [inform] username USERNAME level noAuthNoPriv username USERNAME level authNoPriv authtype AUTHTYPE AUTHPASS username USERNAME level authPriv authtype AUTHTYPE AUTHPASS privproto PRIVPROTO

[PRIVPASS]

NGFW{running-snmp}?

80 Edit Running Configuration Commands

src-nat

Valid entries at this position are: authtrap Configure SNMP authentication failure trap community Configure SNMP read-only community delete Delete file or configuration item engineID Configure SNMPv3 engine ID help Display help information snmp Enable or disable SNMP trapsession Configure a trap/inform username Configure SNMPv3 USM read-only user

Related commands

running-snmp Context Commands

Enters source NAT context mode.

Syntax

src-nat

Example

NGFW{running}src-nat NGFW{running-snat}help Valid commands are: delete rule all|SRCNATRULEID help [full|COMMAND] rule (auto|SRCNATRULEID) [POSITION_VALUE]

vpn

NGFW{running-snat}? Valid entries at this position are: delete Delete source NAT rule(s) help Display help information rename Rename source NAT rule rule Create or enter a rule context

Related commands

running-snat Context Commands

Enters VPN context mode.

Syntax

vpn ipsec

Example

NGFW{running}vpn ipsec NGFW{running-ipsec}help Valid commands are: delete log vpn CONTACT-NAME delete phase1 proposal (all|NAME) delete phase2 proposal (all|NAME) delete policy (all|NAME) delete pre-shared-keys (all|A.B.C.D|X:X::X:X|HOSTNAME) [vrf-id ID|any] delete retransmit-timeout delete retransmit-tries delete trust (all|CANAME) delete user

NGFW Command Line Interface Reference 81

NGFW{running-ipsec}? Valid entries at this position are: delete Delete file or configuration item help Display help information ipsec Enable or disable IPsec log Add a Notification Contact to a log service manual Enter manual Security Association context phase1 Enter Phase1 proposal context phase2 Enter Phase2 proposal context policy Enter IPSec Policy context pre-shared-key Configure pre-shared key (start with 0x for hexadecimal key) retransmit-timeout Configure IKEv2 Dead Peer Detection retransmission timeout in

retransmit-tries Configure IKEv2 Dead Peer Detection maximum retransmission

trust Configure certification authority trust user Enter VPN user context vpn Enter VPN context

seconds

tries

zones

Related commands

running-ipsec Context Commands

Enters security zone context mode.

Syntax

zones

Example

NGFW{running}zones NGFW{running-zones}help Valid commands are: delete zone all|ZONENAME help [full|COMMAND] rename zone ZONENAME NEWZONENAME zone ZONENAME

NGFW{running-zones}? Valid entries at this position are: delete Delete security zone(s) help Display help information rename Rename a specified zone zone Enter security zone context

82 Edit Running Configuration Commands

Related commands

running-zones Context Commands

Contexts and Related Commands

running-aaa Context Commands

NGFW{running-aaa}delete

Delete file or configuration item.

Syntax

Example

NGFW{running}aaa NGFW{running-aaa}delete ldap-group group1 NGFW{running-aaa}delete radius-group group1 NGFW{running-aaa}delete role myrole1 NGFW{running-aaa}delete user myuser1 NGFW{running-aaa}delete user-group group1

NGFW{running-aaa}display

Display configuration.

Syntax

display ldap-group LDAPGROUP [xml] display ldap-schema

(active-directory|novell-edirectory|fedora-ds|rfc2798|rfc2307nis|samba|custom) [xml] display login-settings [xml] display password-settings [xml] display radius-group RADIUSGROUP [xml] display remote-login-group [xml] display role USER [xml] display user USER [xml] display usergroup USERGROUP [xml]

Example

NGFW{running-aaa}display ldap-group group1 NGFW{running-aaa}display ldap-schema active-directory NGFW{running-aaa}display login-settings NGFW{running-aaa}display password-settings NGFW{running-aaa}display radius-group group1 NGFW{running-aaa}display remote-login-group NGFW{running-aaa}display role superuserRole NGFW{running-aaa}display user myuser1 NGFW{running-aaa}display usergroup group1

NGFW{running-aaa}ldap-group

Configure LDAP group. Maximum number of groups is two.

NGFW Command Line Interface Reference 83

Syntax

ldap-group LDAPNAME

Example

NGFW{running-aaa}ldap-group mygroup

NGFW{running-aaa}ldap-schema

Configure LDAP schema.

Syntax

ldap-schema SCHEMA

Example

NGFW{running-aaa}ldap-schema custom NGFW{running-aaa-ldap-schema-custom}

NGFW{running-aaa}login

Configure login settings.

Syntax

login maximum-attempts (0-10) login failure-action (lockout|lockout-disable|audit) login lockout-period MINUTES login lockout-period (0-1440)

Example

NGFW{running-aaa}login failure-action lockout

NGFW{running-aaa}password

Configure password settings.

Syntax

password quality (basic|maximum|none) password expiry-time (10d|20d|30d|45d|60d|90d|6m|1y) password expiry-action (force-change|notify-user|disable-account)

Example

NGFW{running-aaa}password quality maximum NGFW{running-aaa}password expiry-time 30d NGFW{running-aaa}password expiry-action force-change

NGFW{running-aaa}radius-group

Configure Radius group. Maximum number of radius groups is 2.

Syntax

radius-group RADIUSNAME

Example

NGFW{running-aaa}radius-group group1

84 Edit Running Configuration Commands

NGFW{running-aaa}remote-login-group

Configure LDAP or RADIUS group to use for either network or administrative login.

Syntax

remote-login-group (network|administrator) (GROUP|none)

Example

NGFW{running-aaa}remote-login-group administrator group1

NGFW{running-aaa}role

Configure an access role.

Syntax

role ROLE [OLDROLE]

Example

NGFW{running-aaa}role myrole1

NGFW{running-aaa}user

Configure a name identified user.

Syntax

user NAME

Example

NGFW{running-aaa}user myuser1

NGFW{running-aaa}user-group

Configure a name identified usergroup.

Syntax

user-group GROUPNAME

Example

NGFW{running-aaa}user-group group1

running-aaa-ldap-group-X Context Commands

NGFW{running-aaa-ldap-group-mygroup1}base-dn

Configure base distinguished name (DN).

Syntax

base-dn DN

Example

NGFW{running-aaa}ldap-group mygroup1 NGFW{running-aaa-ldap-group-mygroup1}base-dn DC=example,DC=com

NGFW{running-aaa-ldap-group-mygroup1}bind-dn

Configure bind distinguished name (DN).

NGFW Command Line Interface Reference 85

Syntax

bind-dn DN

Example

NGFW{running-aaa-ldap-group-mygroup1}bind-dn CN=admin,OU=People,DC=example,DC=com

NGFW{running-aaa-ldap-group-mygroup1}bind-password

Configure LDAP bind password.

Syntax

bind-password PASSWORD

Example

NGFW{running-aaa-ldap-group-mygroup1}bind-password mysecret

NGFW{running-aaa-ldap-group-mygroup1}delete

Delete file or configuration item.

Syntax

delete server (ADDRESS|all)

Example

NGFW{running-aaa-ldap-group-mygroup1}delete server 192.168.1.1

NGFW{running-aaa-ldap-group-mygroup1}port

Configure LDAP port.

Syntax

port <0-65535>

Example

NGFW{running-aaa-ldap-group-mygroup1}port 389

NGFW{running-aaa-ldap-group-mygroup1}retries

Configure server(s) retries.

Syntax

retries RETRY

Example

NGFW{running-aaa-ldap-group-mygroup1}retries 3

NGFW{running-aaa-ldap-group-mygroup1}schema

Configure Schema.

Syntax

Example

NGFW{running-aaa-ldap-group-mygroup1}schema active-directory

86 Edit Running Configuration Commands

NGFW{running-aaa-ldap-group-mygroup1}server

Configure LDAP server address.

Syntax

server (A.B.C.D|X:X::X:X) priority (1-6)

Example

NGFW{running-aaa-ldap-group-mygroup1}server 192.168.1.1 priority 1 NGFW{running-aaa-ldap-group-mygroup1}server 192.168.1.2 priority 2

NGFW{running-aaa-ldap-group-mygroup1}timeout

Configure timeout.

Syntax

timeout SECONDS

Example

NGFW{running-aaa-ldap-group-mygroup1}timeout 10

NGFW{running-aaa-ldap-group-mygroup1}tls

Configure TLS.

Syntax

tls (enable|disable) tls start-tls (enable|disable) tls require-valid-server-cert (enable|disable)

Example

NGFW{running-aaa-ldap-group-mygroup1}tls enable NGFW{running-aaa-ldap-group-mygroup1}tls require-valid-server-cert enable NGFW{running-aaa-ldap-group-mygroup1}tls start-tls enable

NGFW{running-aaa-ldap-group-mygroup1}version

Configure LDAP version.

Syntax

version (2|3)

Example

NGFW{running-aaa-ldap-group-mygroup1}version 3

running-aaa-radius-group-X Context Commands

NGFW{running-aaa-radius-group-2}default-usergroup

Default usergroup.

Syntax

default-usergroup GROUP|none

Example

NGFW{running-aaa}radius-group 2 NGFW{running-aaa-radius-group-2}default-usergroup administrator

NGFW Command Line Interface Reference 87

NGFW{running-aaa-radius-group-2}delete

Delete file or configuration item.

Syntax

delete server (A.B.C.D|X:X::X:X|all)

Example

NGFW{running-aaa-radius-group-2}delete server 192.168.1.1

NGFW{running-aaa-radius-group-2}retries

Configure server retries.

Syntax

retries (0-5)

Example

NGFW{running-aaa-radius-group-2}retries 3

NGFW{running-aaa-radius-group-2}server

Configure server.

Syntax

server (A.B.C.D|X:X::X:X) [PORT] password PASSWORD priority (1-6) timeout (0-300) [nas-id NASID]

Example

NGFW{running-aaa-radius-group-2}server 192.168.1.1 1812 password mysecret priority 1 timeout 10 nas-id 1

NGFW{running-aaa-radius-group-2}server 192.168.1.7 1812 password mysecret priority 2 timeout 10 nas-id 1

running-actionsets Context Commands

Immediate Commit Feature. Changes take effect immediately.

NGFW{running-actionsets}actionset

Enter an action set context with defined name.

Syntax

actionset ACTIONSETNAME

Example

NGFW{running}actionsets NGFW{running-actionsets}actionset myactionset1

NGFW{running-actionsets}delete

Delete file or configuration item.

Syntax

delete actionset ACTIONSETNAME

Example

NGFW{running-actionsets}delete actionset myactionset1

88 Edit Running Configuration Commands

NGFW{running-actionsets}rename

Rename action set oldname newname.

Syntax

rename actionset ACTIONSETNAME NEWACTIONSETNAME

Example

NGFW{running-actionsets}rename actionset myactionset1 myactionset2

running-actionsets-X Context Commands

NGFW{running-actionsets-myactionset1}action

Set action type. Available values: permit, rate-limit, block, trust.

Immediate Commit Feature. Changes take effect immediately.

Syntax

action (permit|rate-limit|block|trust)

Example

NGFW{running-actionsets}actionset myactionset1 NGFW{running-actionsets-myactionset1}action rate-limit

NGFW{running-actionsets-myactionset1}allow-access

Allow quarantined host to access defined IP.

Syntax

allow-access DESTIP

Example

NGFW{running-actionsets-myactionset1}allow-access 192.168.1.1

NGFW{running-actionsets-myactionset1}bytes-to-capture

Set bytes to capture for packet trace.

Syntax

bytes-to-capture BYTES

Example

NGFW{running-actionsets-myactionset1}bytes-to-capture 6144

NGFW{running-actionsets-myactionset1}contact

Add a notify contact.

Syntax

contact XCONTACTNAME

Example

NGFW{running-actionsets-myactionset1}contact mycontact1 NGFW{running-actionsets-myactionset1}contact "Management Console"

NGFW Command Line Interface Reference 89

NGFW{running-actionsets-myactionset1}delete

Delete file or configuration item.

Syntax

delete allow-access DESTIP delete contact XCONTACTNAME delete limit-quarantine SOURCEIP delete no-quarantine SOURCEIP

Example

NGFW{running-actionsets-myactionset1}delete allow-access 192.168.1.1 NGFW{running-actionsets-myactionset1}delete contact mycontact1 NGFW{running-actionsets-myactionset1}delete limit-quarantine 192.168.1.1 NGFW{running-actionsets-myactionset1}delete no-quarantine 192.168.1.1

NGFW{running-actionsets-myactionset1}http-block

Set quarantine option to block HTTP traffic.

Syntax

http-block

Example

NGFW{running-actionsets-myactionset1}http-block

NGFW{running-actionsets-myactionset1}http-custom

Set or clear HTTP custom text display option.

Syntax

http-custom TEXT

Example

NGFW{running-actionsets-myactionset1}http-custom "my custom message"

NGFW{running-actionsets-myactionset1}http-redirect

Set redirect URL for HTTP redirect option.

Syntax

http-redirect URL

Example

NGFW{running-actionsets-myactionset1}http-redirect https://www.example.com

NGFW{running-actionsets-myactionset1}http-showdesc

Set or clear HTTP show description display option.

Syntax

http-showdesc (enable|disable)

Example

NGFW{running-actionsets-myactionset1}http-showdesc enable

90 Edit Running Configuration Commands

NGFW{running-actionsets-myactionset1}http-showname

Set or clear HTTP show name display option.

Syntax

http-showname (enable|disable)

Example

NGFW{running-actionsets-myactionset1}http-showname enable

NGFW{running-actionsets-myactionset1}limit-quarantine

Add IP for limit quarantine.

Syntax

limit-quarantine SOURCEIP

Example

NGFW{running-actionsets-myactionset1}limit-quarantine 192.168.1.1

NGFW{running-actionsets-myactionset1}limit-rate

Set the rate value for rate-limit action.

Syntax

limit-rate RATE

Example

NGFW{running-actionsets-myactionset1}limit-rate 1500

NGFW{running-actionsets-myactionset1}no-quarantine

Add IP for no quarantine.

Syntax

no-quarantine SOURCEIP

Example

NGFW{running-actionsets-myactionset1}no-quarantine 192.168.1.1

NGFW{running-actionsets-myactionset1}nonhttp-block

Set quarantine option to block non-HTTP traffic.

Syntax

nonhttp-block (enable|disable)

Example

NGFW{running-actionsets-myactionset1}nonhttp-block enable

NGFW{running-actionsets-myactionset1}packet-trace

Enable/disable packet trace option.

Syntax

packet-trace (enable|disable)

NGFW Command Line Interface Reference 91

Example

NGFW{running-actionsets-myactionset1}packet-trace enable

NGFW{running-actionsets-myactionset1}priority

Set packet trace priority.

Syntax

priority PRIORITY

Example

NGFW{running-actionsets-myactionset1}priority medium

NGFW{running-actionsets-myactionset1}quarantine

Set quarantine option. Available options: no, immediate, threshold.

Syntax

quarantine QUARANTINETYPE

Example

NGFW{running-actionsets-myactionset1}quarantine immediate

NGFW{running-actionsets-myactionset1}tcp-reset

Set tcp reset option for block action. Available options: none (disable), source, dest, or both.

Syntax

tcp-reset (none|source|dest|both)

Example

NGFW{running-actionsets-myactionset1}tcp-reset both

NGFW{running-actionsets-myactionset1}threshold

Set quarantine threshold value.

Syntax

threshold (2-10000) (1-60)

Example

NGFW{running-actionsets-myactionset1}threshold 200 5

NGFW{running-actionsets-myactionset1}verbosity

Set packet trace verbosity.

Syntax

verbosity (partial|full)

Example

NGFW{running-actionsets-myactionset1}verbosity full

92 Edit Running Configuration Commands

HP TippingPoint Next Generation Firewall Command Reference Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

About This Guide

Target Audience

Related Documentation

Document Conventions

Customer Support

Overview

Command Modes

Configuration File Versions

2 Global Commands

3 Root Commands

4 Log Configure Commands

5 Edit Running Configuration Commands

Configuration Contexts by Function

Edit Context Commands

Contexts and Related Commands

NGFW{running-aaa}delete

NGFW{running-aaa}display

NGFW{running-aaa}ldap-group

NGFW{running-aaa}ldap-schema

NGFW{running-aaa}login

NGFW{running-aaa}password

NGFW{running-aaa}radius-group

NGFW{running-aaa}remote-login-group

NGFW{running-aaa}role

NGFW{running-aaa}user

NGFW{running-aaa}user-group

NGFW{running-aaa-ldap-group-mygroup1}base-dn

NGFW{running-aaa-ldap-group-mygroup1}bind-dn

NGFW{running-aaa-ldap-group-mygroup1}bind-password

NGFW{running-aaa-ldap-group-mygroup1}delete

NGFW{running-aaa-ldap-group-mygroup1}port

NGFW{running-aaa-ldap-group-mygroup1}retries

NGFW{running-aaa-ldap-group-mygroup1}schema

NGFW{running-aaa-ldap-group-mygroup1}server

NGFW{running-aaa-ldap-group-mygroup1}timeout

NGFW{running-aaa-ldap-group-mygroup1}tls

NGFW{running-aaa-ldap-group-mygroup1}version

NGFW{running-aaa-radius-group-2}default-usergroup

NGFW{running-aaa-radius-group-2}delete

NGFW{running-aaa-radius-group-2}retries

NGFW{running-aaa-radius-group-2}server

NGFW{running-actionsets}actionset

NGFW{running-actionsets}delete

NGFW{running-actionsets}rename

NGFW{running-actionsets-myactionset1}action

NGFW{running-actionsets-myactionset1}allow-access

NGFW{running-actionsets-myactionset1}bytes-to-capture

NGFW{running-actionsets-myactionset1}contact

NGFW{running-actionsets-myactionset1}delete

NGFW{running-actionsets-myactionset1}http-block

NGFW{running-actionsets-myactionset1}http-custom

NGFW{running-actionsets-myactionset1}http-redirect

NGFW{running-actionsets-myactionset1}http-showdesc

NGFW{running-actionsets-myactionset1}http-showname

NGFW{running-actionsets-myactionset1}limit-quarantine

NGFW{running-actionsets-myactionset1}limit-rate

NGFW{running-actionsets-myactionset1}no-quarantine

NGFW{running-actionsets-myactionset1}nonhttp-block

NGFW{running-actionsets-myactionset1}packet-trace

NGFW{running-actionsets-myactionset1}priority

NGFW{running-actionsets-myactionset1}quarantine

NGFW{running-actionsets-myactionset1}tcp-reset

NGFW{running-actionsets-myactionset1}threshold

NGFW{running-actionsets-myactionset1}verbosity