HP TippingPoint Next Generation Firewall Command Reference Guide

HP TippingPoint Next Generation Firewall Command Line
Interface Reference Guide
Version 1.0.1
Abstract
This reference manual describes the Next Generation Firewall Command Line Interface (CLI) and the commands you can use to configure and manage a NGFW appliance.
Part number: 5998-4803 Edition: August 2013, First
Legal and notice information
© Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard. The information is provided “as is” without warranty of any kind and is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
TippingPoint®, the TippingPoint logo, and Digital Vaccine® are registered trademarks of Hewlett-Packard. All other company and product names may be trademarks of their respective holders. All rights reserved. This document contains confidential information, trade secrets, or both, which are the property of Hewlett-Packard. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from Hewlett-Packard or one of its subsidiaries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Intel and Itanium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation.
Oracle® is a registered U.S. trademark of Oracle Corporation, Redwood City, California.
UNIX® is a registered trademark of The Open Group.
Printed in US or Puerto Rico
Table of Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Target Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Typefaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Document Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1 Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Command Line Interface Syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Shortcut Navigation Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Hierarchical Menu and Prompt Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Root Command Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Edit Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Configuration File Versions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2 Global Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
commit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
more . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3 Root Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
flush . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
log-configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
master-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
ping6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
save-config. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
service-access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
show aaa. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
show agglink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
show arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
show ndp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
show autoconf dhcpv4 client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
show autoconf dhcpv6 client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
show autoconf ra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
show cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
show date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
show dhcp relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
show dhcp server lease . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
show dhcpv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
show dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
show firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
show high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
show interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
show ip bgp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
show ip igmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
show ip mroute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
show ip ospf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
show ip pim-sm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
show ip rip. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
show ip route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
show ip smr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
show ipv6 mld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
show ipv6 mroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
show ipv6 ospfv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
show ipv6 pim-sm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
show ipv6 ripng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
show ipv6 route ospfv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
show ipv6 route ripng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
show (ip|ipv6) route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
show key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
show l2tp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
show license. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
show log-file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
show log-file FILE_NAME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
show log-file FILE_NAME stat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
show log-file summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
show log-file boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
show mfg-info. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
show np engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
show np general statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
show np protocol-mix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
show np reassembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
show np rule-stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
show np softlinx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
show np tier-stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
show quarantine-list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
show reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
show service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
show sms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
show snmp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
show system buffers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
show system connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
show system processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
show system statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
show system usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
show system virtual-memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
show system xms memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
show terminal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
show traffic-file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
show tse connection-table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
show tse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
show user-disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
show users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
show version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
sms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
snapshot create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
snapshot list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
snapshot remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
snapshot restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
tcpdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
traceroute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
traceroute6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
user-disk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4 Log Configure Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
email. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
log-file-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
log-storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
log-test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
rotate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
5 Edit Running Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Configuration Contexts by Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Monitor/System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Edit Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
aaa. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
actionsets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
addressgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
application-filter-mgmt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
application-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
application-visibility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
autodv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
blockedStreams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
captive-portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
dst-nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
gen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
global-inspection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
ips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
l2tp-serverX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
multicast-registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
notifycontacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
ntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
reputation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
route-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
schedules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
segmentX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
src-nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Contexts and Related Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
running-aaa Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
running-aaa-ldap-group-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
running-aaa-radius-group-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
running-actionsets Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
running-actionsets-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
running-addressgroups Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
running-addressgroups-X Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
running-agglinkX Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
running-app-filter-mgmt Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
running-app-groups Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
running-app-groups-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
running-autodv Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
running-autodv-calendar Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
running-autodv-periodic Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
running-bgp-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
running-blockedStreams Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
running-bridgeX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
running-captive-portal Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
running-captive-portal-rule-X Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
running-certificates Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
running-certificates-crl Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
running-cluster Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
running-cluster-tct Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
running-dhcp-relay Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
running-dhcp-server Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
running-dhcp-server-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
running-dnat Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
running-dnat-rule-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
running-dns Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
running-ethernetX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
running-firewall Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
running-firewall-rule-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
running-gen Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
running-global-inspection Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
running-greX Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
running-high-availability Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
running-ips Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
running-ips-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
running-ipsec Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
running-ipsec-policy-X Context Commands and their Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
running-ipsec-vpn-X Context Commands and their Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
running-l2tp-serverX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
running-l2tpX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
running-log Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
running-loopbackX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
running-manual-sa Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
running-mgmt Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
running-multicast-registration Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
running-notifycontacts (email) Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
running-notifycontacts-X (SNMP) Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
running-ntp Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
running-phase1-proposal-X Context Commands and their Usage . . . . . . . . . . . . . . . . . . . . . . . . . 190
running-phase1-proposal-X Context Commands and their Usage . . . . . . . . . . . . . . . . . . . . . . . . . 191
running-ospf Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
running-ospfv3 Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
running-pim-smv4 Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
running-pim-smv6 Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
running-pppoeX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
running-pptpX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
running-rep Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
running-rep-X (group X) Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
running-rep-X (profile X) Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
running-rip Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
running-ripng Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
running-route-map Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
running-schedules Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
running-schedules-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
running-segmentX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
running-services Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
running-services-X Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
running-smr Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
running-snat Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
running-snat-rule-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
running-snmp Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
running-vlanX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
running-zones Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
running-zones-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

About This Guide

The Next Generation Firewall command line interface enables you to configure and manage the NGFW Appliance from a command line. The NGFW commands can be used in custom scripts to automate tasks.
This section covers the following topics:
Target Audience, page 1
Related Documentation, page 1
Document Conventions, page 2
Customer Support, page 3

Target Audience

This guide is intended for security network administrators and specialists who are responsible for monitoring, managing, and improving system security. The audience for this material is expected to be familiar with the HP TippingPoint Next Generation Firewall.

Related Documentation

Access the documentation at http://www.hp.com/support/manuals. For the most recent updates for your products, check the HP Networking Support web site at http://www.hp.com/networking/support.

Document Conventions

This guide uses the following document conventions.
Typefaces, page 2
Document Messages, page 2
Typefaces
HP TippingPoint publications use the following typographic conventions for structuring information:
Table 1-1 Document Typographic conventions
Convention: Element
Medium blue text (Figure 1): Cross-reference links and e-mail addresses
Blue, underlined text (http://www.hp.com): Web site addresses
Bold font: Key names; text typed into a GUI element, such as into a box; GUI elements that are clicked or selected, such as menu and list items, buttons, and check boxes. Example: Click OK to accept.
Italics font: Text emphasis, important terms, variables, and publication titles.
Monospace font: File and directory names; system output; code; text typed at the command line
Monospace, italic font: Code variables; command-line variables
Monospace, bold font: Emphasis of file and directory names, system output, code, and text typed at the command line
Document Messages
Document messages are special text that is emphasized by font, format, and icons. This reference guide contains the following types of messages: Warning, Caution, Note, Important, and Tip.
WARNING! Warning notes alert you to potential danger of bodily harm or other potential harmful consequences.
CAUTION: Caution notes provide information to help minimize risk, for example, when a failure to follow directions could result in damage to equipment or loss of data.
NOTE: Notes provide additional information to explain a concept or complete a task. Notes of specific importance in clarifying information or instructions are denoted as such.
IMPORTANT: Another type of note that provides clarifying information or specific instructions.
TIP: Tips provide helpful hints and shortcuts, such as suggestions about how you can perform a task more easily or more efficiently.

Customer Support

HP is committed to providing quality customer support to all of its customers. Each customer is provided with a customized support agreement that provides detailed customer and support contact information. When you need technical support, use the following information to contact Customer Support.
Contact Information
For additional information or assistance, contact the HP Networking Support:
http://www.hp.com/networking/support
Before contacting HP, collect the following information:
Product model names and numbers
Technical support registration number (if applicable)
Product serial numbers
Error messages
Operating system type and revision level
Detailed questions
HP Contact Information
For the name of the nearest HP authorized reseller, see the contact HP worldwide web site:
http://www.hp.com/country/us/en/wwcontact.html
1 Command Line Interface
In addition to the Local System Manager (LSM) and the Centralized Management Capability of the Security Management System (SMS), a Command-line Interface (CLI) can be used to configure and manage the NGFW Appliance. The CLI is accessed directly through the console or remotely through SSH. Non-secure connections, such as Telnet, are not permitted. For the initial setup, the "superuser" account is set for the appliance. Once that is set, you can log in from the console and set the management port IP address. SSH and HTTPS are then accessible at the management port IP address.
NOTE: To access the most recent updates to the NGFW product documentation, go to http://www.hp.com/support/manuals.
This chapter covers the following topics:
• “Overview” on page 5
• “Command Modes” on page 7
• “Configuration File Versions” on page 9

Overview

This chapter covers the hierarchical structure of the CLI, the command line syntax, and an overview of how to edit, save, and manage configuration files. It also lists the Unix-like utilities for monitoring and troubleshooting the system. The show command provides easy-to-read sections from log files. The display command displays sections of the running configuration file, or can be used to preview your configuration file edits before you commit and save them.
Access to the NGFW is through the console to initially configure management access. The management port is enabled by default for SSH and LSM management access. All access is determined by group membership and the management of their roles. To configure granular levels of access, the aaa (Authentication, Authorization, and Auditing) context has the necessary utilities to modify users, groups, roles, and their capabilities.
Command Line Interface Syntax
The following syntax is used in the CLI.
Table 1-1 Command Line Syntax
Syntax Convention: Explanation
UPPERCASE: Uppercase text is replaced by a value that you supply.
(x): Parentheses indicate a mandatory argument.
[x]: Brackets indicate an optional argument.
|: A vertical bar indicates a logical OR, such as alternatives within parentheses or brackets.
Example:
NGFW{}traceroute ? (displays help information)
NGFW{}traceroute (A.B.C.D|HOSTNAME) [from A.B.C.D] [mgmt]
In the above example, the argument for the traceroute command must be either an IP address or a hostname. An optional argument can be either “from” a source IP address or the argument “mgmt”.
NGFW{}traceroute 198.162.0.1 from 198.162.0.2
NGFW{}traceroute 198.162.0.1 mgmt
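As an added example (not code from the HP guide), the following Python module applies the syntax conventions of Table 1-1 to check a typed command against a syntax line before a script sends it to the appliance. Beyond the four conventions in the table it also handles the forms that appear in syntax lines later in this guide: the A.B.C.D and X:X::X:X address placeholders, numeric bounds such as (1-900000), and a bare a|b outside parentheses (as in delete rule all|XRULEID); treating those as placeholders, ranges, and alternatives is an assumption about the notation.

```python
import re
from dataclasses import dataclass
from typing import List, Union

# Added example, not part of the HP guide: a validator for the syntax notation
# in Table 1-1. Placeholder handling for A.B.C.D, X:X::X:X and (low-high)
# ranges is an assumption drawn from the syntax lines elsewhere in the guide.

IPV4 = re.compile(r"^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$")
IPV6 = re.compile(r"^[0-9A-Fa-f:]+$")        # loose check: hex digits and colons only
RANGE = re.compile(r"^(\d+)-(\d+)$")           # (1-900000) style numeric bound


@dataclass
class Word:
    """A keyword (literal) or a placeholder the user must replace."""
    text: str

    def matches(self, token: str) -> bool:
        if self.text == "A.B.C.D":
            return IPV4.match(token) is not None
        if self.text == "X:X::X:X":
            return ":" in token and IPV6.match(token) is not None
        bound = RANGE.match(self.text)
        if bound:
            return token.isdigit() and int(bound.group(1)) <= int(token) <= int(bound.group(2))
        if self.text.isupper():                # UPPERCASE: any value you supply
            return True
        return token == self.text              # otherwise an exact keyword


@dataclass
class Group:
    """(a|b) mandatory or [a|b] optional alternatives; each alternative is a sequence."""
    alternatives: List[List["Element"]]
    optional: bool


Element = Union[Word, Group]


def parse_syntax(spec: str) -> List[Element]:
    """Parse one syntax line, e.g. 'ping (A.B.C.D|HOSTNAME) [count (1-900000)]'."""
    tokens = re.findall(r"[()\[\]|]|[^\s()\[\]|]+", spec)
    pos = 0

    def parse_item() -> Element:
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok in "([":
            closer = ")" if tok == "(" else "]"
            alts = [parse_seq({"|", closer})]
            while pos < len(tokens) and tokens[pos] == "|":
                pos += 1
                alts.append(parse_seq({"|", closer}))
            if pos >= len(tokens) or tokens[pos] != closer:
                raise ValueError(f"unbalanced {tok!r} in syntax line: {spec}")
            pos += 1
            return Group(alts, optional=(tok == "["))
        if tok in ")]|":
            raise ValueError(f"unexpected {tok!r} in syntax line: {spec}")
        return Word(tok)

    def parse_seq(stop: set) -> List[Element]:
        nonlocal pos
        seq: List[Element] = []
        while pos < len(tokens) and tokens[pos] not in stop:
            if tokens[pos] == "|":             # bare a|b outside brackets: still alternatives
                if not seq:
                    raise ValueError(f"'|' with no left-hand side in: {spec}")
                pos += 1
                left = seq.pop()
                seq.append(Group([[left], [parse_item()]], optional=False))
            else:
                seq.append(parse_item())
        return seq

    return parse_seq(set())


def _ends(elems: List[Element], tokens: List[str], i: int):
    """Yield every token index at which `elems` can finish when matching from i."""
    if not elems:
        yield i
        return
    first, rest = elems[0], elems[1:]
    if isinstance(first, Word):
        if i < len(tokens) and first.matches(tokens[i]):
            yield from _ends(rest, tokens, i + 1)
        return
    if first.optional:                         # [x]: may be skipped entirely
        yield from _ends(rest, tokens, i)
    for alt in first.alternatives:             # try each alternative, with backtracking
        for j in _ends(alt, tokens, i):
            yield from _ends(rest, tokens, j)


def command_matches(spec: str, command: str) -> bool:
    """True when every token of `command` is consumed by the syntax line `spec`."""
    tokens = command.split()
    return any(j == len(tokens) for j in _ends(parse_syntax(spec), tokens, 0))
```

The matcher backtracks, so an optional group that could consume a token is also tried as skipped; a command is accepted only when some path consumes every token, which is what rejects a trailing argument or a "from" without its address.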
Shortcut Navigation Keys
The CLI has the ability to store typed commands in a circular memory. Typed commands can be recalled with the UP and DOWN arrow keys.
The TAB key may be used to complete partial commands. If the partial command is ambiguous, pressing the TAB key twice gives a list of possible commands.
Following is a list of shortcuts.
Table 1-2 Shortcut Keys
Shortcut: Description
ENTER: Run the command
TAB: Complete partial command
?: Question mark at the root prompt or after a command (separated by a space) will list the next valid sub-commands or command arguments. Question mark can also be used after sub-commands for more information. A question mark immediately following a character(s) (no space) will list commands beginning with those characters.
!: Exclamation mark before a command allows you to execute the command from any feature context or sub-level. For example, NGFW{running-gen}!ping 203.0.113.0
UP ARROW: Show the previous command
DOWN ARROW: Show the next command
Ctrl + P: Show the previous command
Ctrl + N: Show the next command
Ctrl + L: Clear the screen, does not clear history
Ctrl + A: Return to the start of the command you are typing
Ctrl + E: Go to the end of the command you are typing
Ctrl + U: Cut the whole line to a special clipboard
Ctrl + K: Cut everything after the cursor to a special clipboard
Ctrl + Y: Paste from the special clipboard used by Ctrl + U and Ctrl + K
Hierarchical Menu and Prompt display
Prompts will be displayed based on the context level as shown in the following table.
Table 1-3 Root, Edit and Log configuration modes
Command Line prompt: Description
NGFW{}: Top level root command mode
NGFW{}edit: From the root command line mode, enter the edit command to access configuration mode.
NGFW{running}: Configuration mode - indicated with the prompt change
NGFW{running}firewall: Enters the firewall configuration context
NGFW{running}display: View current configuration and your changes
NGFW{running}commit: Commits changes to the running configuration
NGFW{running}exit: Leaves the current context mode
NGFW{}log-configure: From the root command line mode, enter the log-configure command to access the log configuration mode.
NGFW{log-configure}: Log configuration mode
NGFW{log-configure}help: Display a list of valid commands and syntax usage
NGFW{log-configure}exit: Leave the log configuration mode
Help
The help command provides a list of commands within the current context and the command line usage. The help command can be executed with or without an argument.
• Enter help or ? to see a list of all commands. (A question mark at any context level generates a list of available commands within the context, along with a brief description.)
• Enter help commandname to see the syntax for a command.
• Enter commandname ? to list the options for a command. For example, ping ?.
• Enter string? to show the commands or keywords that match the string. For example, s?.

Command Modes

The NGFW uses a hierarchical menu structure. Within this structure, commands are grouped by functional area within one of three command modes: Root Command mode, Edit Configuration mode (edit), and Log Configuration mode (log-configure). At the top of the hierarchy is the Root command mode.
NGFW{} Root command line mode
NGFW{running} Edit configuration mode
NGFW{log-configure} Log configuration mode
A context is an environment in which a set of parameters can be configured for a feature or named object. A context can be the name of an instance of an object set by the administrator, or can be the feature itself. The current context is indicated in the command prompt, and its visibility is determined by the user’s role.
Administrative access allows the ability to modify the configuration of the NGFW appliance. Not all contexts may be visible.
The help and display commands are useful in becoming familiar with the context options. The question mark (?) lists the next valid entry and help for this entry.
If the appliance is controlled by SMS, only read-only access will be available to the system resources. To determine if the SMS controls the unit, or to change the control, see the sms command usage.
Root Command Mode
When you initially enter the NGFW Appliance, either through the console or SSH, you will be placed at the top level root command line mode with the NGFW{} prompt. The commands at this level are used for managing and monitoring system operations for the various subsystems. From the root command mode, you can access the configuration mode, and the available operational commands that apply to the unit as a whole. To view the commands available at this level, type help [full|COMMAND] at the command prompt.
NGFW{}help
The default NGFW{} command prompt can be changed using the host name command in the interface mgmt context of the edit mode. For example:
NGFW{}edit
NGFW{running}interface mgmt
NGFW{running-mgmt}help host (displays valid entries for configuring management port host settings)
NGFW{running-mgmt}host ? (displays valid entries for host command)
NGFW{running-mgmt}host name yourhostname
For a list of root commands and their usage see the Root Commands section.
NOTE: Your membership role determines your command line interface.
Edit Configuration Mode
The configuration mode enables administrators with the appropriate credentials to write configuration changes to the active (running) configuration. The logon account used to configure the device must either be associated with the Superuser role or the Administrator role to edit the configuration context. The configuration mode has different context levels that provide access to a specific set of configuration commands. To enter the configuration mode, use the edit command. Once you have executed the edit command the CLI prompt will indicate that you are in the Edit mode, and can make configuration changes. Configuration options, and sub contexts are available for use until you exit. To exit the edit configuration mode, type exit.
When exiting the configuration mode, the following warning appears:
“WARNING: Modifications will be lost. Are you sure to exit (y/n)? [n]”
Answering y will discard any uncommitted changes you made to the configuration file, and n will keep you in the edit context.
The display command is a helpful utility to view the current running configuration and to review your configuration changes before you save the changes.
NGFW{running}display
A commit command must be used to save your changes to the running configuration.
The command hierarchy has two types of statements: the Container statement, which contains objects, and the Object statement, which is an actual command with options.
For example:
• Container statement in edit mode:
NGFW{running}log
NGFW{running-log}? (help will list all the available entries)
• Object statement:
NGFW{running}application-visibility enable|disable (help will display command options)
A brief overview of what you can do within the edit configuration mode:
• Issue a command that configures a setting in the candidate configuration. The candidate configuration allows you to make configuration changes without causing changes to the active configuration until you can review your changes and issue the commit command.
• Enter into a container context to access additional configuration settings.
• Run the display command to see your candidate configuration settings for a context. Any modifications you make can be viewed using the display command.
• Run the commit command to save any changes from your candidate configuration to the running configuration.
• Exit from a context.
NOTE: As you move through the context menu hierarchies, the command prompt changes accordingly. The help or display command can be entered at any level.

Configuration File Versions

When troubleshooting or needing to roll back a configuration, the current configuration setup can be viewed. Reviewing network configuration files should be a necessary step to becoming knowledgeable about your current system setup. When the device is initially configured, make sure the settings are saved to the persistent configuration with the NGFW{}save-config command. It’s also advisable to create a snapshot using the following command:
NGFW{}snapshot create orig_conf
Snapshots capture the configuration of a device, which can then be delivered to technical support for troubleshooting. Users can also use snapshots to save and re-apply configurations. Snapshots include the currently installed OS version, and cannot be restored on a device that is not running the same version of the OS. If a snapshot restore needs to be completed, use the following command:
NGFW{}snapshot restore orig_conf
A warning message is displayed, followed by an automatic reboot when the snapshot restore is completed.
The NGFW Appliance CLI uses the deferred-commit model. In this capacity, the architecture maintains a set of configuration files to ensure that a working configuration is persistently maintained. This configuration set includes the following configuration files.
Running configuration — this version is currently executing on the system. Any changes that administrators make from the edit mode (except for IPS features, action sets and notification contacts) will take effect once they have been committed, by issuing the commit command. If changes are not committed, all modifications are discarded on exit from the running context. If multiple administrators are on the system, the version that was last committed is used as the current running configuration and is visible to other administrators, once they have exited the edit mode. A warning prompt is displayed if the committed changes would overwrite configuration that was made by another administrator since the configuration was edited.
Saved (persistent) configuration — this is the running configuration that was last committed prior to executing the save-config command. NGFW copies the saved configuration to the start configuration when the system reboots.
Start configuration — this is a backup copy of the configuration file saved at the time of system startup, and is loaded at the next system bootup. The rollback-config command can be used to roll back to a persistent and running configuration that was the last known good configuration.
NOTE: Future versions of the product will support multiple named saved configuration sets.
Utilities
The display and show commands are helpful for troubleshooting and monitoring the operational status of the system. Command line usage can be found in Root Commands.
Display
Enter display to see your candidate configuration settings for a context. Any modifications you make can be viewed using the display command. The output of the display command depends on where the command is executed. If executed at the configuration level, it displays the entire configuration of the unit. Executing the display command with a configuration name parameter, or from within a context, displays the contents of that particular configuration.
Show
The show command is most efficient in providing critical information, such as traffic usage, router platform type, operating system revision, amount of memory, and the number of interfaces. The show command can also be used to evaluate logging, troubleshooting, tracking resources, sessions, and security settings. To view all the available show utilities, enter the help show command at the root command level. All the available commands along with the correct command line usage are displayed.
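The deferred-commit model above is easy to misread in one respect that matters operationally: commit makes a change live but does not make it survive a reboot, and exiting edit mode discards what was never committed. The Python model below is an added example (not HP code) that walks through the four copies the chapter names (candidate, running, saved, start) and the multi-administrator warning. Two points are assumptions because the page does not detail them: commit is modelled as applying only the committing administrator’s own changed keys, and rollback-config as restoring the start configuration.

```python
from typing import Dict, List, Tuple

# Added example, not HP code: a toy model of the deferred-commit configuration
# copies described above (candidate, running, saved, start). How the device
# merges concurrent edits is not detailed on this page; the model applies only
# the committing administrator's own changed keys, and rollback-config is
# modelled as restoring the start configuration. Both are assumptions.

Config = Dict[str, str]


class DeferredCommitModel:
    def __init__(self, initial: Config):
        self.running: Config = dict(initial)   # what the appliance executes now
        self.saved: Config = dict(initial)     # written by save-config
        self.start: Config = dict(initial)     # loaded at boot, copied from saved
        self._sessions: Dict[str, Dict[str, Config]] = {}  # admin -> candidate + base

    def edit(self, admin: str) -> None:
        """`edit` takes an instance of the running configuration as the candidate."""
        self._sessions[admin] = {"candidate": dict(self.running), "base": dict(self.running)}

    def set(self, admin: str, key: str, value: str) -> None:
        """A configuration command changes the candidate only."""
        self._sessions[admin]["candidate"][key] = value

    def display(self, admin: str) -> Config:
        """`display` shows the candidate: running plus this admin's uncommitted edits."""
        return dict(self._sessions[admin]["candidate"])

    def commit(self, admin: str, force: bool = False) -> Tuple[str, List[str]]:
        """Apply the admin's changes to running; warn if they overwrite a newer commit."""
        sess = self._sessions[admin]
        cand, base = sess["candidate"], sess["base"]
        mine = {k for k in cand if cand[k] != base.get(k)}
        others = {k for k in self.running if self.running[k] != base.get(k)}
        conflicts = sorted(mine & others)
        if conflicts and not force:
            return ("warning", conflicts)       # another admin committed these since we started
        for k in mine:
            self.running[k] = cand[k]
        sess["base"] = dict(self.running)       # candidate is now in sync with running
        sess["candidate"] = dict(self.running)
        return ("ok", [])

    def exit_edit(self, admin: str, answer: str = "n") -> bool:
        """Leaving edit mode discards uncommitted changes only after answering y."""
        sess = self._sessions[admin]
        if sess["candidate"] != sess["base"] and answer.lower() != "y":
            return False                        # the default [n] keeps you in the edit context
        del self._sessions[admin]
        return True

    def save_config(self) -> None:
        """Persist the last committed running configuration."""
        self.saved = dict(self.running)

    def reboot(self) -> None:
        """Saved is copied to start at reboot; start is what the system boots from."""
        self.start = dict(self.saved)
        self.running = dict(self.start)
        self._sessions.clear()                  # edit sessions do not survive a reboot

    def rollback_config(self) -> None:
        """Return running and saved to the last known good (start) configuration."""
        self.running = dict(self.start)
        self.saved = dict(self.start)
```

The sequence to keep in mind is edit, commit, save-config: a committed change that was never saved is gone after the next reboot, which the model reproduces when save_config() is left out between commit() and reboot().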

2 Global Commands

Global commands can be used in any context.
commit
Initiates all pending configuration changes in the edit mode.
NOTE: This command does not write the modifications to the startup configuration file. However, the save-config command can be run from the edit configuration context by using the exclamation mark.
Syntax
commit
Example
NGFW{running}commit
NGFW{running}!save-config
exit
Exits the current context.
Syntax
exit
Example
NGFW{running-aaa}exit
NGFW{running}
help
Displays help information.
Syntax
help [full|COMMAND]
Example
NGFW{running}help log
Enter log context
Syntax: log
log Enter log context
Example
NGFW{running-firewall}help
Valid commands are:
default-block-rule DEFACTIONSET
delete rule all|XRULEID
help [full|COMMAND]
rename rule XRULEID NEWRULEID
rule (auto|RULEID) [POSITION_VALUE]
more
Set session to display output page by page.
Syntax
more (enable|disable)
Example
NGFW{running}more enable
display
Displays the current configuration, or the candidate configuration before a commit is issued. Display options vary by context; enter the "help display" command in a context to view the available options.
Syntax
display
display [xml]
Example
NGFW{running-aaa-user-myuser1}display
# USER ID
user myuser1

3 Root Commands

The top level root command line mode displays the NGFW{} prompt. Commands at this level are used for managing and monitoring system operations for the various subsystems. From the root command mode, you can access the configuration mode, and the available commands that apply to the appliance as a whole. Enter help full or help COMMANDNAME at the command prompt to display a list of available commands or help on a specific command.
NGFW{}help
The default NGFW{} command prompt can be changed using the host name command in the interface mgmt context of the edit mode. For example:
NGFW{}edit
NGFW{running}interface mgmt
NGFW{running-mgmt}help host (displays valid entries for configuring management port host settings)
NGFW{running-mgmt}host ? (displays valid entries for host command)
NGFW{running-mgmt}host name yourhostname
boot
Manages software packages.
Syntax
boot (list-image|rollback)
Example
NGFW{}boot list-image
Index Version
------------------------------------------------------
0 1.0.0.3935
1 1.0.0.2923
2 1.0.0.3932
3 1.0.0.3917
Oldest Index is 2
Factory Reset Index is 3
clear
Clears system information.
Syntax
clear connection-table (blocks|trusts)
clear high-availability state-sync (all|firewall|ips|routing)
clear ip bgp (A.B.C.D|ASNUMBER|all|external) [soft] [in|out]
clear ip bgp peer-group NAME [soft] [in|out]
clear log-file (audit|fwAlert|fwBlock|ipsAlert|ipsBlock|quarantine|reputationAlert|reputationBlock|system|visibility|vpn)
clear np engine filter
clear np engine packet
clear np engine parse
clear np engine reputation dns
clear np engine reputation ip
clear np engine rule
clear np reassembly ip
clear np reassembly tcp
clear np rule-stats
clear np softlinx
clear np tier-stats
clear counter policy
clear rate-limit streams
clear users all [locked|ip-locked]
clear users (NAME|A.B.C.D|X:X::X:X) [locked]
Example
NGFW{}clear log-file vpn
Example
NGFW{}clear ip bgp 10.10.10.10 soft in
Not cleared BGP is not active
Example
NGFW{}clear ip bgp external soft
Example
NGFW{}clear users fred
date
Used alone to display the current date, or with arguments to configure the date in a 24 hour format. The date command shows the current time in the time zone configured on the device, and the "gmt" argument shows the time in GMT (UTC).
Syntax
date [MMDDhhmm[[CC]YY][.ss]]
date gmt
Example
NGFW{}date 071718202013.59 (sets the date to July 17 2013 6:20PM 59 seconds)
edit
The edit context modifies the configuration that identifies the security policy and interfaces that you can configure for your firewall. Edit takes an instance of the running configuration file. This instance is your candidate version. After making modifications to this candidate configuration version, you have the option of saving it to the running configuration, or discarding any changes you made. To discard, simply exit. To save your candidate configuration, enter the commit command before exiting the edit context. To see commands under the edit context, see edit configuration.
NGFW{}
NGFW{}edit
NGFW{running}
NGFW{running}commit
NGFW{running}exit
NGFW{}
flush
Flushes the following configuration items.
Syntax
flush (arp|ndp)
flush ipsec sa policy NAME [id ID]
flush ike sa [policy NAME [id ID]]
flush bgp [ip] A.B.C.D [(in prefix-filter)|in|out|(soft [in|out])|rsclient]
flush bgp ip A.B.C.D [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft [in|out])]
flush bgp ip A.B.C.D [vpnv4 unicast in|out|(soft [in|out])]
flush bgp ipv6 X:X::X:X [(in prefix-filter)|in|out|(soft [in|out])|rsclient]
flush bgp [ip] dampening [A.B.C.D/M|(A.B.C.D [A.B.C.D])]
flush bgp [ip] external [(in prefix-filter)|in|out|(soft [in|out])]
flush bgp ip external [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft [in|out])]
flush bgp ipv6 external [(in prefix-filter)|(soft [in|out])]
flush bgp ipv6 external [peer WORD (in|out)]
flush bgp [ip] view WORD [soft [in|out]]
flush bgp [ip|ipv6] view WORD (A.B.C.D|X:X::X:X|all) rsclient
flush bgp ip view WORD [ipv4 (unicast|multicast)] (in prefix-filter)|(soft [in|out])
flush bgp [ip|ipv6] PEERAS [(in prefix-filter)|in|out|(soft [in|out])]
flush bgp ip PEERAS [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft [in|out])]
flush bgp ip PEERAS [vpnv4 unicast in|out|(soft [in|out])]
flush bgp [ip|ipv6] all [(in prefix-filter)|in|out|(soft [in|out])|rsclient]
flush bgp ip all [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft [in|out])]
flush bgp ip all [vpnv4 unicast in|out|(soft [in|out])]
flush bgp [ip|ipv6] peer-group [(in prefix-filter)|in|out|(soft [in|out])]
flush firewall-session (all|ID) [family (ipv4|ipv6)]
Example
NGFW{}flush firewall-session 134217756
Success
NGFW{}flush ipsec sa policy mytunnel
help
Displays help information at any context level.
high-availability
Manage high-availability devices.
Syntax
high-availability force (active|passive) high-availability segment force (normal|fallback)
Example
NGFW{}high-availability segment force normal
Status: OK
list
Displays traffic capture file list.
Syntax
list traffic-file
Example
NGFW{}list traffic-file
log-configure
Enter log configuration context.
Syntax
log-configure
Example
NGFW{}log-configure
NGFW{log-configure}help
NGFW{log-configure}show log-file summary
Related Commands
Log Configure Commands
logout
Logs you out of the system.
Syntax
logout
Example
NGFW{}logout
master-key
The system master-key is used to encrypt the removable user-disk (the external CFast) and the system keystore. The user-disk holds traffic logs, packet capture data, and system snapshots. The keystore retains data such as device certificates and private keys.
The master-key has the following complexity requirements:
• Must be between 9 and 32 characters in length.
• Combination of upper and lower case alpha and numbers.
• Must contain at least one “special” char (eg: !@#$%)
• Set or clear the master key for keystore and external Cfast user-disk encryption.
Syntax
master-key (clear|get|set)
Example
Get the master key for keystore and user-disk encryption
NGFW{}master-key set
WARNING: Master key will be used to encrypt the keystore and external user disk. Do you want to continue (y/n)? [n]: y Enter Master Key : **************** Re-enter Master Key: **************** Success: Master key has been set.
Example
NGFW{}master-key get Success: My.1.MasterKey!!
Example
NGFW{}master-key clear
WARNING: Clearing master key will remove encryption from the keystore and external user disk.
Do you want to continue (y/n)? [n]: y
Success: Master key has been cleared.
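The complexity rules listed above can be checked before anyone answers the interactive master-key set prompt, and a key that satisfies them can be generated from the operating system's CSPRNG. The following Python is an added example written against the rules in this section; it is not HP code and does not talk to the appliance. The set of characters treated as "special" is an assumption, since the guide lists only !@#$% as examples.

```python
import secrets
import string

# Complexity rules stated in this section: 9-32 characters, a mix of upper- and
# lower-case letters and digits, and at least one special character. Which
# characters count as "special" is an assumption (the guide only lists !@#$%).
MIN_LEN, MAX_LEN = 9, 32
SPECIAL = "!@#$%^&*()-_=+[]{};:,.<>?/"


def check_master_key(candidate):
    """Return the list of unmet requirements; an empty list means the key is acceptable."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length must be between 9 and 32 characters")
    if not any(c.isupper() for c in candidate):
        problems.append("needs an upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("needs a lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs a digit")
    if not any(c in SPECIAL for c in candidate):
        problems.append("needs a special character, e.g. !@#$%")
    return problems


def generate_master_key(length=20):
    """Generate a random key that satisfies the rules, using the OS CSPRNG (secrets)."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be between 9 and 32")
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIAL]
    # One character from each class guarantees every rule is met ...
    chars = [secrets.choice(cls) for cls in classes]
    # ... and the remainder is drawn from the union of all classes.
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle so the mandatory characters do not always sit in the first four positions.
    secrets.SystemRandom().shuffle(chars)
    key = "".join(chars)
    assert not check_master_key(key)
    return key


if __name__ == "__main__":
    print(check_master_key("My.1.MasterKey!!"))  # the guide's example key passes: []
    print(check_master_key("short1A!"))
    print(generate_master_key())
```

Note that master-key get returns the key in clear text (see the example above), so any session recorder or automation that captures CLI output should treat that output as a secret and keep it out of ordinary logs.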
ping
Test connectivity with ICMP traffic. The mgmt option uses the management interface.
Syntax
ping (A.B.C.D|HOSTNAME) [count INT] [maxhop INT] [from A.B.C.D] [mgmt] [datasize INT]
ping (A.B.C.D|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [from A.B.C.D] [mgmt] [datasize (64-65468)]
ping6 (X:X::X:X|HOSTNAME) [count INT] [maxhop INT] [interface INTERFACE] [from X:X::X:X] [datasize INT]
ping6 (X:X::X:X|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [interface INTERFACE] [from X:X::X:X] [datasize (64-65468)]
Example
NGFW{}ping 192.168.1.1 mgmt
ping using mgmt port
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 vrfid=500 time=0.4 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 vrfid=500 time=0.1 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 vrfid=500 time=0.1 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 vrfid=500 time=0.1 ms
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.4 ms
ping6
Test connectivity with ICMPv6 traffic.
Syntax
ping6 (X:X::X:X|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [interface INTERFACE] [from X:X::X:X] [datasize (64-65468)]
Example
NGFW{}ping6 100:0:0:0:0:0:0:1
ping using data ports
PING 100:0:0:0:0:0:0:1 (100:0:0:0:0:0:0:1): 56 data bytes
64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=1 ttl=64 vrfid=0 time=0.3 ms
64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=2 ttl=64 vrfid=0 time=0.1 ms
64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=3 ttl=64 vrfid=0 time=0.1 ms
64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=4 ttl=64 vrfid=0 time=0.1 ms
--- 100:0:0:0:0:0:0:1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.3 ms
reboot
Reboots the system.
Syntax
reboot
Example
NGFW{}reboot
WARNING: Are you sure you want to reboot the system (y/n) [n]:
reports
Configure data collection for on-box reports.
Syntax
reports (reset|enable|disable) [all|cpu|disk|fan|memory|network|rate-limiter|temperature|traffic-profile|vpn]
Valid entries:
reset            Delete report data
enable           Start data collection for reports
disable          Stop data collection for reports
all              All reports (default)
cpu              CPU utilization report
disk             Disk utilization report
fan              Fan speed report
memory           Memory utilization report
network          Network bandwidth report
rate-limiter     Rate Limiter report
temperature      Temperature report
traffic-profile  Traffic Profile report
vpn              VPN report
Example
NGFW{}reports enable cpu
NGFW{}reports reset cpu
WARNING: Are you sure you want to reset cpu reports (y/n)? [n]:
Related Commands
show reports
save-config
Saves the running configuration to a persistent configuration.
Syntax
save-config
Example
NGFW{}save-config
WARNING: Saving will apply this configuration at the next system start. Continue (y/n)? [n]:
service-access
Enable or disable service access.
Syntax
service-access (enable|disable)
Example
NGFW{}service-access enable
Serial: X-NGF-S1020F-GENERIC-001
Salt: Zk0lenyg
NGFW{}service-access disable
set
Syntax
set cli filtering rule (auto-comment|no-auto-comment|(last-auto-comment-value INT))
Example
NGFW{}set cli filtering rule auto-comment
NGFW{}set cli filtering rule no-auto-comment
show
The show command enables you to view current system configuration, status, and statistics.
Table 3-1 Show command
Command                        Description
show aaa                       Show AAA information
show agglink                   Show agglink status
show arp                       Show Address Resolution Protocol entries
show autoconf dhcpv4 client    IPv4 Dynamic Host Configuration Protocol
show autoconf dhcpv6 client    IPv6 Dynamic Host Configuration Protocol
show autoconf ra               Show autoconfig Router Advertisement information
show cluster                   Show cluster status
show date                      Show the current router date and time
show dhcp relay                Show DHCPv4 Relay information
show dhcp server lease         Display DHCP server leases history
show dhcpv6                    Show DHCPv6 client lease
show dns                       Show Domain Name Service
show firewall                  Displays firewall rules and sessions.
show high-availability         Show high-availability status
show interface                 Show network interface
show ip bgp                    Show the Border Gateway Protocol information
show ip igmp                   Show Internet Group Management Protocol
show ip mroute                 Show Multicast Static IP route
show ip ospf                   Show Open Shortest Path First (OSPF) information
show ip pim-sm                 Show PIM-SM routing information
show ip rip                    Show the RIP routes
show ip route                  Show the unicast routes
show ip smr                    Show SMR routing information
show ipv6 mld                  Show IPv6 routing information for MLD group or interface
show ipv6 mroute               Show IPv6 routing information for multicast routes
show ipv6 ospfv3               Show the OSPFv3 unicast routes
show ipv6 pim-sm               Show ipv6 Protocol Independent Multicast - Sparse Mode (PIM-SM) routing information
show ipv6 ripng                Show RIPng routing information
show ipv6 route ripng          Show ripng route information
show (ip|ipv6) route           Show the unicast routes
show key                       Show local server SSH key information
show l2tp                      Show Layer 2 Tunneling Protocol information
show license                   Shows the license number and status
show log-file                  Shows the logfiles
show log-file boot             Shows the boot file
show mfg-info                  Show manufacturing information
show ndp                       Show Neighbor Discovery Protocol
show np engine                 Show net processor statistics
show np general statistics     Show general network processor information
show np protocol-mix           Show network processor protocol-level statistics
show np reassembly             Show network processor reassembly statistics
show np rule-stats             Show network processor rules, number of flows, successful matches
show np softlinx               Show network processor softlinx statistics
show np tier-stats             Show network processor throughput and utilization for each tier
show quarantine-list           Show quarantine list information
show reports                   Show status of data collection for reports
show service                   Show network service information
show sms                       Show status of SMS control
show snmp                      Show SNMP information
show system buffers            Show Forwarding buffer state
show system connections        Show active socket information
show system processes          Show system processes
show system statistics         Show system-wide protocol-related statistics
show system usage              Show system usage
show system virtual-memory     Show system virtual memory
show system xms memory         Show xms memory usage
show terminal                  Show terminal settings
show traffic-file              Show network traffic from file
show tse connection-table      Show TSE connection-table information
show users                     Show users information
show version                   Show device version information
show aaa
Syntax
show aaa capabilities USER
Example
NGFW{}show aaa capabilities fred
ID  NAME                      STATE
---------------------------------------------
1   NGFW                      full
2   SECURITY                  full
3   FIREWALLRULES             full
4   SECURITYZONES             full
5   APPLICATIONGROUPS         full
6   ADDRESSGROUPS             full
7   SERVICES                  full
8   SCHEDULES                 full
9   INSPECTIONPROFILES        full
10  IPS                       full
11  IPREPUTATION              full
12  PROFILEGROUPS             full
13  CAPTIVEPORTALRULES        full
14  NATRULES                  full
15  ACTIONSETS                full
16  SYSTEM                    full
17  SMSMANAGED                full
18  MANAGEMENT                full
19  DNS                       full
20  IPFILTERS                 full
21  UPGRADE                   full
22  NOTIFICATION              full
23  LOGGING                   full
24  HIGHAVAILABILITY          full
25  HACONFIGURATION           full
26  HASTATE                   full
27  SNMP                      full
28  TIME                      full
29  FIPS                      full
30  UPDATE                    full
31  PACKAGES                  full
32  AUTODV                    full
33  SNAPSHOT                  full
34  USERAUTH                  full
35  LOCALUSER                 full
36  USERGROUP                 full
37  ROLES                     full
38  RADIUS                    full
39  LDAP                      full
40  CAPTIVEPORTAL             full
41  GENERAL                   full
42  X509CERT                  full
43  VPN                       full
44  IKE                       full
45  IKECONFIGURATION          full
46  IKESTATUS                 full
47  IPSEC                     full
48  IPSECCONFIGURATION        full
49  IPSECSTATUS               full
50  L2TP                      full
51  L2TPCONFIGURATION         full
52  L2TPSTATUS                full
53  REPORTING                 full
54  LOG                       full
55  FIREWALLLOG               full
56  IPSLOG                    full
57  REPUTATIONLOG             full
58  VPNLOG                    full
59  SYSTEMLOG                 full
60  AUDITLOG                  full
61  SECURITYREPORTS           full
62  NETWORKREPORTS            full
63  DEBUGTOOLS                full
64  REBOOT                    full
65  SHUTDOWN                  full
66  SERVICEACCESS             full
67  NETWORK                   full
68  INTERFACES                full
69  SEGMENTS                  full
70  DHCPSERVER                full
71  DHCPRELAY                 full
72  ARPNDP                    full
73  STATICROUTES              full
74  STATICMONITOREDROUTES     full
75  DYNAMICROUTING            full
76  ACCESSLISTS               full
77  ROUTEMAPS                 full
78  OSPF                      full
79  RIP                       full
80  BGP                       full
81  MULTICAST                 full
82  ROUTINGTABLE              full
83  COMPACTFLASH              full
84  CUSTOMCATEGORIES          full
85  APPLICATIONVISIBILITY     full
86  GLOBALINSPECTIONPROFILE   full
87  DEBUGNP                   full
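The capability table above is the raw material for a least-privilege review of local accounts: a user who holds "full" on capabilities such as SERVICEACCESS, DEBUGTOOLS, LOCALUSER or ROLES can change who else can log in and what the appliance exposes. The following Python is an added example, not HP code; it parses a constructed excerpt in the ID NAME STATE layout shown above and reports the high-impact capabilities a user holds. Which capabilities count as high impact is this example's own assumption; the guide does not rank them, and the sample shows only the state "full".

```python
import re

# Constructed excerpt of "show aaa capabilities USER" output in the layout shown
# above (ID NAME STATE). The only state the guide's sample shows is "full".
SAMPLE_OUTPUT = """\
NGFW{}show aaa capabilities fred
ID NAME STATE
---------------------------------------------
1 NGFW full
16 SYSTEM full
35 LOCALUSER full
37 ROLES full
63 DEBUGTOOLS full
64 REBOOT full
66 SERVICEACCESS full
"""

# Capabilities this example treats as high impact for a least-privilege review.
# This classification is the example's assumption, not something the guide states.
HIGH_IMPACT = {"LOCALUSER", "ROLES", "DEBUGTOOLS", "REBOOT", "SHUTDOWN",
               "SERVICEACCESS", "DEBUGNP"}

# A data row is "<id> <NAME> <state>"; the prompt, header and rule lines do not match.
ROW_RE = re.compile(r"^\s*(\d+)\s+([A-Z0-9]+)\s+(\S+)\s*$")


def parse_capabilities(text):
    """Return {NAME: state} from show aaa capabilities output."""
    caps = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            caps[m.group(2)] = m.group(3)
    return caps


def high_impact_full(caps, high_impact=HIGH_IMPACT):
    """High-impact capabilities held with state 'full', sorted for stable reports."""
    return sorted(name for name, state in caps.items()
                  if name in high_impact and state == "full")


def audit_user(text):
    """Summarise one user's capability output: total count and the high-impact grants."""
    caps = parse_capabilities(text)
    return {"total": len(caps), "high_impact_full": high_impact_full(caps)}


if __name__ == "__main__":
    print(audit_user(SAMPLE_OUTPUT))
```

Run the same check over the output for every local user and compare the high_impact_full list against the role each account is meant to have; an account that is only expected to read logs but holds LOCALUSER or ROLES with state full is the kind of finding this is meant to surface.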
show agglink
Displays information about whether or not the member ports are up in the aggregated link.
Syntax
show (agglink|INTERFACE)
Example
NGFW{}show agglink
#AGGLINK TABLES
Service ETHGRP is inactive
show arp
Syntax
show arp
Example
NGFW{}show arp
IP Address       Mac-Address        Interface  State
15.226.140.254   3c:e5:a6:13:7f:2a  mgmt       delay
show ndp
Syntax
show ndp
Example
NGFW{}show ndp
IP Address                 Mac-Address        Interface  State
fe80::3ee5:a6ff:fe13:7f2a  3c:e5:a6:13:7f:2a  mgmt       stale
show autoconf dhcpv4 client
Syntax
show autoconf dhcpv4 client (current|history)
Example
NGFW{}show autoconf dhcpv4 client
Example
NGFW{}show autoconf dhcpv4 client history
# DHCPCLIENT LEASES HISTORY
Service DHCP is inactive
show autoconf dhcpv6 client
Syntax
show autoconf dhcpv6 client
Example
NGFW{}show autoconf dhcpv6 client
Service DHCPv6 client is inactive
show autoconf ra
Syntax
show autoconf ra (INTERFACE|all)
Example
NGFW{}show autoconf all
no data
show cluster
Syntax
show cluster
Example
cluster.3-device23{} show cluster
Cluster Status
--------------
Name: cluster
Identifier: 3
State: Enabled
Segment HA: Normal
Master: cluster.3-device23
Members
-------
Name: cluster.3-device23
HA State: Active
show date
This command shows the GMT time or the local time and timezone for the appliance.
Syntax
show date [gmt]
Example
NGFW{}show date
Sun Sept 15 04:29:59 2013 GMT
NGFW{}show date gmt
Wed Aug 21 21:51:13 2013 GMT
NGFW{}show date
Wed Aug 21 14:51:16 2013 America/Los_Angeles
show dhcp relay
Shows DHCPv4 Relay information.
Syntax
show dhcp relay
Example
NGFW{}show dhcp relay
DHCP Relay is not running
show dhcp server lease
Syntax
show dhcp server lease (current | history)
Example
NGFW{}show dhcp server lease current
Status: Inactive
IP Address    Mac Address    Start date & time    End date & time
show dhcpv6
Syntax
show dhcpv6
Example
NGFW{}show dhcpv6
Service DHCPv6 client is inactive
show dns
Syntax
show dns
Example
NGFW{}show dns
# DNS PROXY
Proxy Disabled
# STATIC DNS
# DYNAMIC V4 DNS
# DYNAMIC V6 DNS
show firewall
Displays firewall rules and sessions.
Syntax
show firewall rules [count MAX-RULES] [rule all|ID] [action-set ACTIONSET] [src-zones SRC-ZONE] [dst-zones DST-ZONE] [services SERVICES] [schedules SCHEDULE] [application APPS] [more]
show firewall sessions [count MAX-SESSIONS] [family FAMILY] [protocol PROTOCOL] [direction DIRECTION] [more]
Example
NGFW{}show firewall sessions
ID    Protocol  State      Direction  Source(IP:PORT)  Destination(IP:PORT)  Bytes  Expires
------------------------------------------------------------------------------------
3469  IGMP(2)   unreplied  original   192.168.1.1      224.0.0.2             32     75
                           reply      224.0.0.2        192.168.1.1           0
NGFW{}show firewall rules
1. Rule: 20000
   Action set: Permit + Notify
2. Rule: 20010
   Action set: Permit + Notify
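The session table above pairs an "original" row with an optional "reply" row for the same session ID, and the State column tells you whether the peer ever answered. The following Python is an added example (not HP code) that parses a constructed sample in that layout into one record per session and lists the sessions still in state "unreplied", which is the first thing to look at when checking for one-way traffic such as probes toward hosts that do not answer. The TCP and UDP rows in the sample are constructed; only the IGMP session is taken from the guide's example.

```python
import re

# Constructed sample in the layout shown above: the IGMP session from the guide's
# example, a constructed TCP session that has seen a reply, and a constructed
# UDP session that has not.
SAMPLE = """\
NGFW{}show firewall sessions
ID Protocol State Direction Source(IP:PORT) Destination(IP:PORT) Bytes Expires
------------------------------------------------------------------------------------
3469 IGMP(2) unreplied original 192.168.1.1 224.0.0.2 32 75
reply 224.0.0.2 192.168.1.1 0
3470 TCP(6) established original 10.0.0.5:51514 192.0.2.10:443 8120 3600
reply 192.0.2.10:443 10.0.0.5:51514 40310
3471 UDP(17) unreplied original 10.0.0.7:40001 198.51.100.9:53 64 30
"""

# An "original" row carries the session ID, protocol, state, endpoints, bytes, expiry.
ORIG_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<proto>\S+)\s+(?P<state>\S+)\s+original\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<bytes>\d+)\s+(?P<expires>\d+)\s*$")
# A "reply" row belongs to the session printed immediately above it.
REPLY_RE = re.compile(r"^reply\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<bytes>\d+)\s*$")


def parse_sessions(text):
    """Turn the session table into a list of dicts, attaching each reply row to its session."""
    sessions = []
    for line in text.splitlines():
        m = ORIG_RE.match(line)
        if m:
            s = m.groupdict()
            for k in ("id", "bytes", "expires"):
                s[k] = int(s[k])
            s["reply"] = None
            sessions.append(s)
            continue
        m = REPLY_RE.match(line)
        if m and sessions:
            r = m.groupdict()
            r["bytes"] = int(r["bytes"])
            sessions[-1]["reply"] = r
    return sessions


def unreplied_session_ids(sessions):
    """IDs of sessions still in state 'unreplied': one-way traffic, e.g. a probe or a dead peer."""
    return [s["id"] for s in sessions if s["state"] == "unreplied"]


def bytes_by_session(sessions):
    """Total bytes seen in both directions, keyed by session ID."""
    return {s["id"]: s["bytes"] + (s["reply"]["bytes"] if s["reply"] else 0)
            for s in sessions}


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE)
    print(unreplied_session_ids(sessions))
    print(bytes_by_session(sessions))
```

Because the IGMP session shows a reply row with 0 bytes while its state is still "unreplied", the state column rather than the presence of a reply row is the reliable indicator; the parser keeps both so a reviewer can see the difference.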
show high-availability
Syntax
show high-availability (state-sync (all|FEATURE))
Example
NGFW{}show high-availability state-sync firewall
HA Synchronization State
------------------------
Name: firewall
State: enabled
Synchronization State: Not initialized
Reason: Unable to determine synchronization state
Total Entries: 353
Added Entries: 324
Deleted Entries: 0
Related Commands
high-availability force (active|passive)
high-availability segment force (normal|fallback)
show interface
Syntax
show interface [INTERFACE [statistics [update INT]]]
show interface [INTERFACE] multicast-registration
Examples
NGFW{}show interface ha
Interface ha
  MAC Address     00:10:f3:2c:81:df
  Enabled         Yes
  Link            Down
  Speed           10Mbps
  Auto Negotiate  Enabled
  Duplex          Half
  MTU             9216
NGFW{}show interface mgmt
Interface mgmt
  IP Address      A.B.C.D/24
  IPv6 Address    fe80::210:f3ff:fe2c:81de/64 (Link Local)
  MAC Address     00:10:f3:2c:81:de
  Enabled         Yes
  Link            Up
  Speed           1000Mbps
  Auto Negotiate  Enabled
  Duplex          Full
  MTU             1500
NGFW{}show interface bridge1
Interface bridge1
  IPv6 Address    fe80::210:f3ff:fe2c:81e2/64 (Link Local)
  MAC Address     00:10:f3:2c:81:e2
  Enabled         Yes
  Link            Up
  MTU             1500
NGFW{}show interface multicast-registration
default:
  IGMP: igmpv3
  MLD : mldv2
force:
  IGMP: igmpv3
  MLD : mldv2
show ip bgp
Syntax
show ip bgp
show ip bgp debug
show ip bgp A.B.C.D/M
show ip bgp summary
show ip bgp neighbors
show ip bgp neighbors A.B.C.D
show ip bgp neighbors A.B.C.D (advertised-routes|routes)
show ip bgp filter-list FILTER-LIST-NAME
show ip bgp prefix-list PREFIX-LIST-NAME
show ip bgp route-map ROUTE-MAP-NAME
show ip bgp community-list COMMUNITY-LIST-NAME
show ip bgp community AA:NN|internet|local-as|no-export|no-advertise
Example
NGFW{}show ip bgp
BGP Router Default Instance (ASN 230)
BGP table version is 0, local router ID is 172.16.30.230
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop        Metric  LocPrf  Weight  Path
*> 99.1.0.0/24      172.16.30.99        11           32768  ?
*> 99.2.0.98/32     172.16.30.99        11           32768  ?
*> 172.16.40.0/24   172.16.20.98         0               0  98 i
Total number of prefixes 3
show ip igmp
Shows IGMP interface information or group information.
Syntax
show ip igmp (interface|groups)
Example
NGFW{}show ip igmp interface
ethernet2 is up
Interface address: 172.16.30.230/24
IGMP on this interface: enabled
Multicast routing on this interface: enabled
Multicast TTL threshold: 1
Current IGMP router version: 3
IGMP query interval: 125 seconds
IGMP max query response time: 100 deciseconds
Last member query response interval: 10 deciseconds
IGMP Querier: 172.16.30.230
Robustness: 2
Require Router Alert: enabled
Startup Query Interval: 312 deciseconds
Startup Query Count: 2
General Query Timer Expiry: 00:00:07
Startup Query Timer Expiry: 00:00:07
Multicast groups joined:
show ip mroute
Shows the multicast routes.
Syntax
show ip mroute
Example
NGFW{}show ip mroute
Source       Group          In-interface  Out-interface(s)
152.168.1.2  239.255.255.2  pimreg        ethernet1
show ip ospf
Displays general information about Open Shortest Path First (OSPF) routing processes.
Syntax
show ip ospf ?
show ip ospf (database|interface [IFACE]|neighbor [debug]|redistribute|route [debug])
Example
NGFW{}show ip ospf
OSPF Router with ID (15.255.125.122)
OSPF Routing Process 0 [VRF 0], Router ID: 15.255.125.122
Supports only single TOS (TOS0) routes
This implementation conforms to RFC2328
RFC1583Compatibility flag is disabled
OpaqueCapability flag is enabled
SPF schedule delay 200 secs, Hold time between two SPFs 1000 secs
Refresh timer 10 secs
Kernel delay 50 ms
This router is an ASBR (injecting external routing information)
Redistribute Configuration
Maximum-Prefix is not configured
Number of external LSA 0. Checksum Sum 0x00000000
Number of opaque AS LSA 0. Checksum Sum 0x00000000
Number of areas attached to this router: 1
Area ID: 0.0.0.0 (Backbone)
  Number of interfaces in this area: Total: 1, Active: 1
  Number of fully adjacent neighbors in this area: 1
  Area has no authentication
  SPF algorithm executed 8 times (in 0 ms)
  Number of LSA 3
  Number of router LSA 2. Checksum Sum 0x00015328
  Number of network LSA 1. Checksum Sum 0x00000b59
  Number of summary LSA 0. Checksum Sum 0x00000000
  Number of ASBR summary LSA 0. Checksum Sum 0x00000000
  Number of NSSA LSA 0. Checksum Sum 0x00000000
  Number of opaque link LSA 0. Checksum Sum 0x00000000
  Number of opaque area LSA 0. Checksum Sum 0x00000000
show ip pim-sm
Syntax
show ip pim-sm (interface|neighbor|rp|bsr-router)
Example
NGFW{}show ip pim-sm interface
Address       Interface  Mode    Neighbor  Hello  DR   DR Address
                                 Count     Intvl  Pri
182.168.1.10  ethernet5  sparse  1         30     1    182.168.1.20
Example
ngfw{}show ip pim-sm neighbor
Interface  Address
ethernet5  182.168.1.20
ngfw{}show ip pim-sm bsr-router
PIMv2 Bootstrap information
This system is the Bootstrap Router (BSR)
BSR address: 182.168.1.10
Uptime: 00:00:26, BSR Priority: 10, Hash mask length: 30
Next bootstrap message in 00:00:34
ngfw{}show ip pim-sm rp
The PIM RP Set
Group: 239.255.255.2/32
RP: 182.168.1.10
Uptime: 00:00:51, Expires: 00:01:39, Priority: 10
show ip rip
Shows the RIP routes.
Syntax
show ip rip
Example
NGFW{}show ip rip
RIP Router Default Instance
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 29 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Mesage load balancing using 1 time slots
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive any version
Interface Send Recv Pri RIPv1BorderGW RIPv1IngrSumy Key-chain
ethernet1 2 1 2 7 Enable Enable
Split horizon
No authentication
Routing for Networks:
ethernet1
Routing Information Sources:
Gateway BadPackets BadRoutes Distance Last Update
Distance: (default is 120)
show ip route
Syntax
show ip route (bgp|connected|debug|mgmt|ospf|rip|smr|static)
Example
NGFW{}show ip route debug
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, B - BGP, > - selected route, * - FIB route
K * 127.0.0.0/8 is directly connected, unknown(0) inactive, rej
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.1.0/24 is directly connected, ethernet13
C>* 192.168.100.0/24 is directly connected, ethernet14
K>* 224.0.0.2/32 is directly connected, lo501
S>* 0.0.0.0/0 [1/0] [vrf 500] via 15.220.140.254, mgmt
C>* 15.220.140.0/24 [vrf 500] is directly connected, mgmt
C>* 127.0.0.0/8 [vrf 500] is directly connected, lo500
C>* 127.0.0.0/8 [vrf 501] is directly connected, lo501
C>* 169.254.0.0/24 [vrf 501] is directly connected, ha
show ip smr
Show SMR routing information.
Syntax
show ip smr [status]
Example
NGFW{}show ip smr
Type  Prefix      NextHop        Distance  Probe Target
*     1.1.1.0/24  172.16.20.220  10
*     2.2.2.0/24  172.16.20.220  10
*     3.3.3.0/24  172.16.20.220  10
      4.4.4.0/24  172.16.20.30   10
NGFW{} show ip smr status
3 route(s) active
1 route(s) inactive
Global round-trip avg/max 0.5/29.2 msec
10 packets/640 bytes sent last second
show ipv6 mld
Shows IPv6 routing information for MLD group or interface.
Syntax
show ipv6 mld (interface|groups)
Example
NGFW{}show ipv6 mld interface
ethernet1 is up
Interface address: fe80::210:f3ff:fe24:5b7e%ethernet1/64
MLD on this interface: enabled
Multicast routing on this interface: disabled
Current MLD router version: 2
MLD query interval: 125 seconds
MLD max query response time: 10 seconds
Last member query response interval: 10 deciseconds
MLD Querier: fe80::210:f3ff:fe24:5b7e%ethernet1
Robustness: 2
Require Router Alert: enabled
Startup Query Interval: 312 deciseconds
Startup Query Count: 2
General Query Timer Expiry: 00:01:19
Multicast groups joined:
NGFW{}show ipv6 mld groups
MLD Connected Group Membership
Group Address  Interface  Uptime    Expires   Last Reporter
ff1e:11::1     ethernet1  00:00:04  00:04:16  fe80::215:17ff:fe3c:edea%ethernet1
show ipv6 mroute
Shows IPv6 routing information for multicast routes.
Syntax
show ipv6 mroute
Example
NGFW{}show ipv6 mroute
Source       Group       In-interface  Out-interface(s)
2001:300::2  ff1e:11::1  pimreg        ethernet1
show ipv6 ospfv3
Shows the OSPFv3 unicast routes.
Syntax
show ipv6 ospfv3 (database|interface [IFACE]|neighbor [debug]|route)
Example
NGFW{}show ipv6 ospfv3
OSPFv3 Router with ID (172.16.30.230)
OSPFv3 Routing Process 0 [VRF 0] with Router-ID 172.16.30.230
Running 00:00:07
Graceful Restart: Enabled with interval 120
Status: restarting (left time 113s)
Graceful Restart Helper: Enabled
Redistribute Configuration
Maximum-Prefix is not configured
Number of AS scoped LSAs is 0
Number of AS scoped LSAs is 0
Number of areas in this router is 2
Area 0.0.0.0
  Number of Area scoped LSAs is 0
  Interface attached to this area: ethernet1
Area 0.0.0.9
  Number of Area scoped LSAs is 0
  Interface attached to this area:
show ipv6 pim-sm
Protocol Independent Multicast - Sparse Mode (PIM-SM) provides efficient communication between members of sparsely distributed multicast groups. PIM-SM is designed to limit multicast traffic so that only switches interested in receiving traffic for a particular group receive it.
Syntax
show ipv6 pim-sm (interface|neighbor|rp|bsr-router)
Example
NGFW{}show ipv6 pim-sm interface
Interface  Mode    Neighbor  Hello     DR
                   Count     Interval  Priority
ethernet5  sparse  1         30        1
  Address: fe80::210:f3ff:fe24:5b82
  DR Address: this system
NGFW{}show ipv6 pim-sm neighbor
Interface  Address
ethernet5  fe80::210:f3ff:fe24:5b5b
NGFW{}show ipv6 pim-sm bsr-router
PIM6v2 Bootstrap information
This system is the Bootstrap Router (BSR)
BSR address: 2001:200::10
Uptime: 00:20:00, BSR Priority: 10, Hash mask length: 126
Next bootstrap message in 00:00:00
NGFW{}show ipv6 pim-sm rp
The PIM6 RP Set
Group: ff1e:11::1/128
RP: 2001:200::10
Uptime: 00:20:22, Expires: 00:01:59, Priority: 0
show ipv6 ripng
Shows the RIPng routes.
Syntax
show ipv6 ripng
Example
NGFW{}show ipv6 ripng
RIPng Router Default Instance
Routing Protocol is "RIPng"
Sending updates every 30 seconds with +/-50%, next due in 37 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Default redistribution metric is 1
Redistributing:
Default version control: send version 1, receive version 1
Interface  Send  Recv
ethernet1  1     1
Split horizon
Routing for Networks:
ethernet1
Routing Information Sources:
Gateway ReceivedPackets BadPackets BadRoutes Distance Last Update
Distance: (default is 120)
show ipv6 route ospfv3
Shows the OSPFv3 unicast routes.
Syntax
show ipv6 route ospfv3
Example
NGFW{}show ipv6 route ospfv3
Codes: O - ospfv3, > - selected route, * - FIB route
O>* 1:1::/64 [110/2] via fe80::20c:29ff:fee0:c919, ethernet2, 00:00:28
O>* 2:2::2:2/128 [110/1] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28
O>* 2100::/64 [110/2] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28
O>* 2100::2/128 [110/1] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28
show ipv6 route ripng
Shows the RIPng routes.
Syntax
show ipv6 route ripng
Example
NGFW{}show ipv6 route ripng
Codes: K - kernel route, C - connected, S - static, R - RIPng, O - OSPFv3, I - ISIS, B - BGP, N - NAT-PT, D - Delegated Prefix, > - selected route, * - FIB route, b - Backup route, < - delayed route, Q - Untyped route
R>* 4100::/64 [120/2] via fe80::210:f3ff:fe26:f375, ethernet2, 00:00:07
show (ip|ipv6) route
Syntax
show (ip|ipv6) route (debug|mgmt|static|connected)
Example
NGFW{}show ipv6 route static
Codes: S - static, > - selected route, * - FIB route
show key
Shows local server SSH key.
Syntax
show key
Example
NGFW{}show key
show l2tp
Shows layer 2 tunneling protocol information.
Syntax
show l2tp
Example
NGFW{}show l2tp
=============
Current sessions for L2TP:
L2TP server is not running.
show license
Syntax
show license
Example
NGFW{}show license
License: 1.0.0.11 (Transitional)
Feature        Status  Permit  Expiration  Details
-------------  ------  ------  ----------  -------
License        OK      Allow   10/3/2013   Using the transitional license.
Update TOS     OK      Allow   10/3/2013
Update DV      OK      Allow   10/3/2013
Auxiliary DV   Info    Deny    Never       Not licensed to use feature.
ReputationDV   Info    Deny    Never       Not licensed to use feature.
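An expired Update DV or Update TOS entitlement means the appliance silently stops receiving Digital Vaccine and software updates, so the Expiration column above is worth checking on a schedule rather than by eye. The following Python is an added example (not HP code) that parses a constructed copy of the table above and reports allowed features that expire within a given window. Feature names contain spaces, so the parser anchors on the expiration token rather than splitting on whitespace; reading the date as month/day/year is an assumption about the format.

```python
import re
from datetime import date, datetime

# Constructed copy of the show license table above (the same rows as the guide's example).
SAMPLE = """\
Feature Status Permit Expiration Details
-------- ------ ------- ---------- -------
License OK Allow 10/3/2013 Using the transitional license.
Update TOS OK Allow 10/3/2013
Update DV OK Allow 10/3/2013
Auxiliary DV Info Deny Never Not licensed to use feature.
ReputationDV Info Deny Never Not licensed to use feature.
"""

# The expiration token (a date or "Never") anchors the parse so that feature names
# such as "Update TOS" keep their spaces; header and rule lines do not match.
# Dates are interpreted as month/day/year, which is an assumption about the format.
ROW_RE = re.compile(
    r"^(?P<feature>.+?)\s+(?P<status>\S+)\s+(?P<permit>\S+)\s+"
    r"(?P<expiration>\d{1,2}/\d{1,2}/\d{4}|Never)\s*(?P<details>.*)$")


def parse_license(text):
    """Return one dict per feature row; expiration is a date or None for 'Never'."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        exp = row["expiration"]
        row["expiration"] = None if exp == "Never" else datetime.strptime(exp, "%m/%d/%Y").date()
        rows.append(row)
    return rows


def expiring_features(text, today, within_days):
    """[(feature, days_left)] for allowed features that expire within the window or already have."""
    out = []
    for row in parse_license(text):
        if row["permit"] != "Allow" or row["expiration"] is None:
            continue
        days_left = (row["expiration"] - today).days
        if days_left <= within_days:
            out.append((row["feature"], days_left))
    return out


if __name__ == "__main__":
    print(expiring_features(SAMPLE, date.today(), 30))
```

A negative days_left value means the feature has already lapsed; treating that case the same as "expiring soon" keeps an already-expired update entitlement from dropping out of the report.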
show log-file
The following log files are available:
• system
• audit
• fwAlert
• fwBlock
• vpn
• ipsAlert
• ipsBlock
• reputationAlert
• reputationBlock
• quarantine
show log-file FILE_NAME
Syntax
show log-file audit [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more]
show log-file fwAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more]
show log-file fwBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more]
show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more]
show log-file ipsBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more]
show log-file quarantine [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more]
show log-file reputationAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more]
show log-file reputationBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more]
show log-file summary [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more]
show log-file system [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more]
show log-file vpn [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more]
show log-file boot [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more]
show log-file audit [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file fwAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file fwBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file ipsBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file quarantine [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file reputationAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file reputationBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file summary [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file system [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file vpn [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file boot [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file audit [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file fwAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file fwBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file ipsBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file quarantine [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file reputationAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file reputationBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file summary [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file system [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file vpn [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file boot [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file audit [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file fwAlert [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file fwBlock [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file ipsBlock [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file quarantine [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file reputationAlert [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file reputationBlock [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file summary [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file system [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file vpn [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file boot [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file audit stat
show log-file fwAlert stat
show log-file fwBlock stat
show log-file ipsAlert stat
show log-file ipsBlock stat
show log-file quarantine stat
show log-file reputationAlert stat
show log-file reputationBlock stat
show log-file summary stat
show log-file system stat
show log-file vpn stat
show log-file boot stat
show log-file summary [verbose]
show log-file boot [tail COUNT] [more]
show log-file boot [search [(options)]{0,2} PATTERN] [count COUNT] [more]
Example
NGFW{}show log ipsAlert
Example
NGFW{}show log quarantine
show log-file FILE_NAME stat
Shows the beginning sequence number, ending sequence number, and number of messages for the given log file.
Syntax
show log-file FILE_NAME stat
Example
NGFW{}show log ipsBlock stat
Display limited to 500 lines...
1 241097 241097
show log-file summary
Syntax
show log-file summary [verbose]
Example
NGFW{}show log-file summary
File             Total Entries  First Entry  Last Entry  Allocated  Used  Location
---------------  -------------  -----------  ----------  ---------  ----  --------
system           2902           1            2902        174.32 MB  0%    internal
audit            411            1            411         174.32 MB  0%    internal
fwAlert          2135781        42054583     44190363    700.23 MB  66%   ramdisk
fwBlock          0              0            0           700.23 MB  0%    ramdisk
ipsAlert         0              0            0           350.11 MB  0%    ramdisk
ipsBlock         0              0            0           350.11 MB  0%    ramdisk
reputationAlert  0              0            0           175.06 MB  0%    ramdisk
reputationBlock  0              0            0           175.06 MB  0%    ramdisk
visibility       0              0            0           700.23 MB  0%    ramdisk
quarantine       0              0            0           175.06 MB  0%    ramdisk
vpn              0              0            0           175.06 MB  0%    ramdisk
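The summary above gives two things a log-monitoring job needs: how full each log's allocation is, and the first and last sequence numbers, which together with Total Entries let you detect entries that went missing between two readings. The following Python is an added example (not HP code) that parses a constructed copy of the table and applies both checks; the Location column is kept in the parsed rows so a reviewer can also see which logs sit on ramdisk rather than internal storage.

```python
import re

# Constructed copy of the show log-file summary table above (first five rows).
SAMPLE = """\
File Total Entries First Entry Last Entry Allocated Used Location
--------------- -------------- -------------- -------------- ---------- ---- ------
system 2902 1 2902 174.32 MB 0% internal
audit 411 1 411 174.32 MB 0% internal
fwAlert 2135781 42054583 44190363 700.23 MB 66% ramdisk
fwBlock 0 0 0 700.23 MB 0% ramdisk
ipsAlert 0 0 0 350.11 MB 0% ramdisk
"""

# One data row: file, three counters, allocation with unit, used percentage, location.
ROW_RE = re.compile(
    r"^(?P<file>\S+)\s+(?P<total>\d+)\s+(?P<first>\d+)\s+(?P<last>\d+)\s+"
    r"(?P<alloc>[\d.]+)\s+(?P<unit>[KMG]B)\s+(?P<used>\d+)%\s+(?P<location>\S+)\s*$")


def parse_summary(text):
    """Return one dict per log file; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("total", "first", "last", "used"):
                d[k] = int(d[k])
            d["alloc"] = float(d["alloc"])
            rows.append(d)
    return rows


def nearly_full(rows, threshold_pct=60):
    """(file, used%) for logs at or above the threshold, i.e. about to wrap or drop entries."""
    return [(r["file"], r["used"]) for r in rows if r["used"] >= threshold_pct]


def sequence_gaps(rows):
    """(file, missing) for logs whose entry count disagrees with the sequence span.

    For a log with entries, last - first + 1 should equal Total Entries; a larger
    span means entries between the two sequence numbers are no longer present.
    """
    gaps = []
    for r in rows:
        if r["total"] == 0:
            continue
        span = r["last"] - r["first"] + 1
        if span != r["total"]:
            gaps.append((r["file"], span - r["total"]))
    return gaps


if __name__ == "__main__":
    rows = parse_summary(SAMPLE)
    print(nearly_full(rows))
    print(sequence_gaps(rows))
```

On the guide's own figures every log is consistent (for fwAlert, 44190363 - 42054583 + 1 = 2135781), so sequence_gaps returns an empty list; the audit row in the test below is altered to show what a gap looks like.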
show log-file boot
Syntax
show log-file boot [tail [COUNT]] [more]
show log-file boot [search [<options>]{0,2} PATTERN] [count COUNT] [more]
If you use the more option, a colon is displayed in the output to indicate that more information is available. Press the Enter key to continue scrolling, or enter ‘q’ to exit and return to the NGFW{} prompt.
Example
NGFW{} show log-file audit more
2013-07-05 ...(log info is displayed)
2013-07-05 ...
...
:q
NGFW{}show log-file boot search nocase ethernet7 count 7
NGFW{}show log-file boot search invert ethernet7 count 3
NGFW{}show log-file boot search ethernet7 count 2
ADDRCONF(NETDEV_UP): ethernet7: link is not ready
device ethernet7 entered promiscuous mode
Example
To tail the last 5 lines of the boot log file:
NGFW{}show log-file boot tail 5
bridge1: port 8(ethernet7) entering disabled state
bridge1: port 8(ethernet7) entering disabled state
ADDRCONF(NETDEV_UP): ethernet7: link is not ready
device ethernet8 left promiscuous mode
device ethernet7 left promiscuous mode
show mfg-info
Shows manufacturing information.
Syntax
show mfg-info
Example
NGFW{}show mfg-info
ECO Version : 40AA
Manufacturer S/N : TBBC10021827
PCBA Assembly Date : 01/11/2012
Chassis Version : 00
Mfg System Revision : A905
HP Base Unit P/N : 5066-2732
HP Base Unit Revision : A1
Number of MACs : 12
MAC Address : 00:10:F3:2C:81:DE
Mgmt Port MAC Address : 00:10:F3:2C:81:DE
Ethernet1 MAC Address : 00:10:F3:2C:81:E2
HP Base Unit S/N : PR2AFQY003
Internal Disk Model : 4GB SATA Flash Drive
Internal Disk S/N : 11001420994500582125
External Disk Model : 4GB SATA Flash Drive
External Disk S/N : 00224192122400702578
BIOS Version : Z513-021
IPM Version : 1.d (working)
show np engine
Shows network processor information.
Syntax
show np engine(filter|packet|parse|reputation(ip|dns)|rule)
filter      Show filter-level statistics
packet      Show packet-layer statistics
parse       Show packet parsing statistics
reputation  Show reputation statistics on either IP or DNS
rule        Show rule statistics
Example
NGFW{}show np engine packet
Packet Statistics:
Rx packets OK = 275263890
Rx packets dropped = 0
Rx packets dropped no pcb = 0
Tx packets OK = 275262516
Tx packets dropped = 1374
Tx packets dropped no pcb = 0
Rx bytes OK = 14864242660
Tx bytes OK = 16515754024
show np general statistics
Shows general network processor information.
Syntax
show np general statistics
Example
NGFW{}show np general statistics
General Statistics:
Incoming = 0
Outgoing = 0
Dropped = 0
Interface discards = 0
Second Tier = 0
Matched = 0
Blocked = 1376
Trusted = 0
Permitted = 0
Invalid = 0
Rate Limited = 0
show np protocol-mix
Syntax
show np protocol-mix
Example
NGFW{}show np protocol-mix
Network Traffic Protocol Statistics:
                    Packets            Bytes
                    =================  =================
EthType:
  ARP               289096             17363292
  IP                75851320           16817451395
  IPv6              110966             91605367
  Other             47087              31256790
IpVersion:
  IPv4              75851320           16817451395
  IPv6              110966             91605367
  Other             9010               5444502
IpProtocol:
  TCP               24779397           4847827560
  UDP               49956647           11260655728
  ICMP              112057             42551652
  IPv4 in IPv4      0                  0
  IPv6 In IPv4      4536               597024
  GRE               276372             45779027
  AH                414                63180
  Other             132843             65240426
Ipv6Protocol:
  TCP               378                265014
  UDP               1350               1135803
  ICMPv6            3908               1406824
  ICMP              0                  0
  IPv6 in IPv6      89760              77281416
  IPv4 in IPv6      2442               1938618
  GRE               1398               1106502
  AH                0                  0
  Other             53034              44444961
show np reassembly
Syntax
show np reassembly (ip|tcp)
Example
NGFW{}show np reassembly ip
Summary:
Frags incoming = 0
Frags kept = 0
Frags outgoing = 0
Frags passed thru = 0
Frags dropped (duplicate) = 0
Frags recently reassembled = 0
Frags dropped (other) = 0
Dgrams completed = 0
show np rule-stats
Syntax
show np rule-stats
Example
NGFW{}show np rule-stats
Filter  Flows  Success  % Total  % Success
6281    9      0        21       0.00
6310    9      0        21       0.00
633     8      3        19       37.50
5337    8      0        19       0.00
2768    7      0        16       0.00
5881    1      0        2        0.00
Total number of flows: 42
show np softlinx
Syntax
show np softlinx
Example
NGFW{}show np softlinx
SoftLinx Statistics:
Matched both softlinx and a rule = 0
Matched softlinx, but not a rule = 0
Matched a rule, but not softlinx = 0
Sleuth inspected packets = 0
Sleuth matched packets = 0
Matched HW (Sleuth) but not softLinx = 0
Sleuth gave up = 0
Sleuth bypassed = 0
Sleuth bypassed zero payload length = 0
Sleuth overflow = 0
Matched nothing = 281567607
Linx rules created = 0
Linx rules deleted = 0
Discarded by the softlinx = 0
Total packets sent to softlinx = 80
Embedded Trigger matches = 0
Engine Trigger matches = 0
Trigger matches = 0
False pkt matches = 80
Good pkt matches = 0
SoftLinx trigger match roll over = 0
Highest flow based trigger match = 0
show np tier-stats
Syntax
show np tier-stats
Example
NGFW{}show np tier-stats
----------------------------------------------------------
Tier 1:
----------------------------------------------------------
Rx Mbps = 0.0 (0.0)
Tx Mbps = 0.0 (0.0)
Rx Packets/Sec = 0.0 (0.0)
Tx Packets/Sec = 0.0 (0.0)
Utilization = 0.0% (0.0%)
Ratio to next tier = 0.0% (100.0%)
----------------------------------------------------------
Tier 2:
----------------------------------------------------------
Rx Mbps = 0.0 (0.0)
Rx Packets/Sec = 0.0 (0.0)
Tx trust packets/sec = 0.0 (0.0)
Utilization = 0.0% (0.0%)
Ratio to best effort = 0.0% (0.0%)
Ratio to next tier = 0.0% (0.0%)
----------------------------------------------------------
Tier 3:
----------------------------------------------------------
Rx Mbps = 0.0 (0.0)
Rx Packets/Sec = 0.0 (0.0)
Rx Trigger match = 0.0 (0.0)
Rx Reroute = 0.0 (0.0)
Rx TCP sequence = 0.0 (0.0)
Tx trust packets/sec = 0.0 (0.0)
Utilization = 0.0% (0.0%)
Ratio to best effort = 0.0% (0.0%)
Ratio to next tier = 0.0% (0.0%)
show quarantine-list
Syntax
show quarantine-list
Example
NGFW{}show quarantine-list
IP  Reason
show reports
Show the status of the data collection for reports.
Syntax
show reports
Example
NGFW{}show reports
CPU Utilization: enabled
Disk Utilization: enabled
Fan Speed: enabled
Memory Utilization: enabled
Network Bandwidth: enabled
Rate Limiter: enabled
Temperature: enabled
Traffic Profile: enabled
VPN: enabled
show service
Shows the state of all the services.
Syntax
show service
Example
NGFW{}show service
Service SSH is active
Service TELNET is inactive
Service HTTP is active
Service IP Forwarding is active
Service IPv6 Forwarding is active
Service SNMP is inactive
Service DNS-PROXY is inactive
Service RIP is inactive
Service RIPng is inactive
Service OSPFv2 is inactive
Service OSPFv3 is inactive
Service BGP is inactive
Service SMR is inactive
Service PIM4SM is inactive
Service PIM6SM is inactive
Service VRRP is inactive
Service Multicast-proxy is inactive
Service DHCPSERVER is inactive
Service DHCP is inactive
Service DHCP RELAY is inactive
Service DHCPv6-CLIENT is inactive
Service NTP is inactive
Service PPP-CtrlPlane is inactive
Service ETHGRP-LACP is inactive
show sms
Syntax
show sms
Example
NGFW{}show sms
Device is not under SMS control
show snmp
Syntax
show snmp
Example
NGFW{}show snmp
#SNMP Status
Enabled : Yes
Version : 2c, 3
Engine ID : 0x800029ee030010f327fe2e
Auth. Traps : Yes
System Name : S8020F
System Object ID : .1.3.6.1.4.1.10734.1.9.7
System ID : NGFW
System Contact : Administrator
System Location : Data Center
#SNMP Trap Sessions
Host : A.B.C.D
Version : 3
Port : 162
Security Name : trap
Level : authPriv
Authentication : SHA
Privacy : AES
Inform : Yes
show system buffers
Shows forwarding buffer state information, if you have administrator privileges.
Syntax
show system buffers
Example
NGFW{}show system buffers
show system connections
Syntax
show system connection [ipv4|ipv6|sctp|unix]
Example
NGFW{}show system connections ipv4
Active Internet connections (servers and established)
vrfid Proto Recv-Q Send-Q Local Address    Foreign Address  State
0     tcp   0      0      127.0.0.1:60000  0.0.0.0:*        LISTEN
0     tcp   0      0      127.0.0.1:616    0.0.0.0:*        LISTEN
Example
NGFW{}show system connections unix
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags   Type   State     I-Node Path
unix  2      [ ACC ] STREAM LISTENING 40709  /var/tmp/apache2/logs/fcgidsock/7095.0
unix  2      [ ACC ] STREAM LISTENING 3871   /var/tmp/segmentdsock
unix  2      [ ACC ] STREAM LISTENING 2080   /var/run/nscd/socket
unix  2      [ ACC ] STREAM LISTENING 379    @/com/ubuntu/upstart
unix  2      [ ACC ] STREAM LISTENING 16968  /var/run/.xms.default
unix  2      [ ]     DGRAM            16970  /tmp/.server.sockname
unix  2      [ ]     DGRAM            17575  @/tmp/.has_xmsd
unix  2      [ ACC ] STREAM LISTENING 1436   /usr/local/var/syslog-ng.ctl
Example
NGFW{}show system connections sctp ASSOC SOCK STY SST ST HBKT ASSOC-ID TX_QUEUE RX_QUEUE UID INODE LPORT RPORT
LADDRS <-> RADDRS HBINT INS OUTS MAXRT T1X T2X RTXC VRF
show system processes
Syntax
show system processes [LEVEL]
brief      Brief process information
detail     Detailed process information
extensive  Extensive process information
summary    Active process information
Example
NGFW{}show system processes brief
top - 02:23:22 up 5:08, 2 users, load average: 16.20, 16.23, 16.16
Tasks: 349 total, 6 running, 343 sleeping, 0 stopped, 0 zombie
Cpu(s): 37.8% us, 2.4% sy, 0.0% ni, 52.8% id, 0.0% wa, 0.0% hi, 6.9% si
Mem: 28681276k total, 10367048k used, 18314228k free, 100416k buffers
Swap: 0k total, 0k used, 0k free, 1638220k cached

  PID USER PR NI  VIRT  RES  SHR S %CPU %MEM     TIME+ COMMAND
 3656 root 20  0 11.1g 4.6g 3.7g R 1200 16.7   3691:24 n0
 3731 root 20  0     0    0    0 R  100  0.0 307:25.33 dpvi-task3
 3730 root 20  0     0    0    0 R   98  0.0 303:42.33 dpvi-task2
 3729 root 20  0     0    0    0 R   96  0.0 300:14.52 dpvi-task1
 2941 root 20  0 84516 3976 2852 R    2  0.0   4:18.44 syslog-ng
 4436 root 20  0     0    0    0 D    2  0.0   1:44.56 fpm-nfct-hf-tas
 4216 root 20  0 21496 1112  772 D    0  0.0   0:21.46 sensormond
17380 root 20  0 13084 1292  800 R    0  0.0   0:00.01 top
show system statistics
Syntax
show system statistics [PROTO] [non-zero]
Example
NGFW{}show system statistics
show system usage
The show system usage command displays the overall system usage. You can run it once, or display an updated version every INT seconds. Ctrl-C exits a recurring update.
Syntax
show system usage [update INT]
Example
NGFW{} show system usage update 12
show system virtual-memory
Shows the system’s kernel memory usage in a table with the following column headings.
• name
• active_objs
• num_objs
• objsize
• objperslab
• pagesperslab
• tunables
• limit
• batchcount
• sharedfactor
• slabdata
• active_slabs
• num_slabs
• sharedavail
Syntax
show system virtual-memory
Example
NGFW{}show system virtual-memory
show system xms memory
Shows xms memory statistics.
Syntax
show system xms memory (all| SERVICE)
Example
NGFW{}show system xms memory captive-portals
xmsd memory usage:
+ Service: captive-portals
  + captive-portal-config: 48 Bytes  Maximum amounts: 175 Bytes  Calls to alloc : 1 times
+ Service: misc
  + miscellaneous: 1383 Bytes  Maximum amounts: 1585 Bytes  Calls to alloc : 10 times
  + xmlMem: 4341373 Bytes  Maximum amounts: 85010535 Bytes  Calls to alloc : 53906 times
show terminal
Shows terminal type information.
Syntax
show terminal
Example
NGFW{}show terminal
=============
Terminal configuration:
type 6wind
columns 164
lines 46
show traffic-file
Syntax
show traffic-file FILENAME [verbose INT] [proto PROTO] [without PROTO] [pcap FILTER] [pager]
Options
traffic-file  Show network traffic from file
FILENAME      Capture file name
verbose       Configure verbosity level
INT           Verbosity level (0: minimum verbosity)
proto         Configure captured packets protocol
PROTO         Protocol name (default: all)
without       Configure excluded packets protocol
PROTO         Protocol name (default: all)
pcap          Configure pcap-syntax filter
FILTER        Pcap filter string (e.g. "src port 22")
pager         Show all messages
Example
NGFW{}show traffic-file myfilename
show tse connection-table
Syntax
show tse connection-table TYPE
Example
This example displays basic IPS state synchronization by viewing the connection table on the active and passive devices.
NGFW{}show tse connection-table blocks
Second device:
NGFW{}show tse connection-table blocks
The ‘TRHA’ indicates this is a connection created by state synchronization.
show tse
Shows threat suppression engine information.
Syntax
show tse (connection-table(blocks|trusts)|rate-limit)
Example
NGFW{}show tse connection-table blocks
Blocked connections: None found.
NGFW{}show tse rate-limit
show user-disk
Syntax
show user-disk
Example
NGFW{}show user-disk
External User Disk
Status: Mounted
Encryption: None
Capacity: 3952263168 bytes
Used: 784158720 bytes
Free: 2907357184 bytes
show users
Syntax
show users [locked|ip-locked]
Example
NGFW{}show users
USER         IDLE   INTERFACE  LOGIN                IP ADDRESS      TYPE
myadminuser  00:00  SSH        2013-07-19 23:42:56  198.51.100.139  LOCAL
show version
Syntax
show version
Example
NGFW{}show version
Serial: X-NGF-S8020F-GENERIC-0001
Software: 1.0.0.3911
Build Date: "Apr 12 2013 02:13:12"
Production Digital Vaccine: 3.2.0.15172
Model: S8020F
HW Serial: PR2AFQ300P
HW Revision: A603
Failsafe: 1.0.0.1801
System Boot Time: Sun Sept 15 21:14:57 2013
Uptime: 05:17:01
shutdown
Allows you to shut down the system.
Syntax
shutdown
Example
NGFW{}shutdown
You are about to shutdown the device. Please use the front panel buttons to restart the device manually. Make sure you have Committed all your changes, and clicked the Save Configuration button if you wish these changes to be applied when the device is restarted.
WARNING: Are you sure you want to shutdown the system (y/n) [n]:
sms
Allows you to configure SMS settings and release SMS.
Syntax
sms must-be-ip (A.B.C.D|A.B.C.D/M)
sms unmanage
Example
NGFW{}sms unmanage
NGFW{}sms must-be-ip 192.168.1.1
Related commands
show sms
snapshot create
Allows you to manage system snapshots.
Syntax
snapshot create NAME [(reputation|manual|network)]
By default, none of the following are included:
manual      Include manually defined reputation entries in snapshot
network     Include management port configuration in snapshot
reputation  Include reputation package in snapshot
nonet       Does not restore management port configuration if present in snapshot
Example
NGFW{}snapshot create s_041713
snapshot list
Syntax
snapshot list
Example
NGFW{}snapshot list
Name      Date                      OS Version  DV Version   Model   Restore
--------  ------------------------  ----------  -----------  ------  -------
s_041713  Wednesday, April 17 2013  1.0.0.3913  3.2.0.15172  S1020F  Yes
snapshot remove
Syntax
snapshot remove
Example
NGFW{}snapshot remove s_041713
Success
snapshot restore
Restore system from saved snapshot.
Syntax
snapshot restore NAME
Example
NGFW{}snapshot restore s_041713
Success
tcpdump
Allows you to capture network traffic to the terminal or a file. You can specify a maximum packet count or a maximum capture file size. If you record the capture to a file, you must specify a maximum packet count or a maximum capture file size. Maxsize is the maximum size of the capture file in millions of bytes, and is limited by the currently available disk allocation.
Syntax
tcpdump INTERFACE [record FILENAME [maxsizebytes 1-10000000]] [packetcount 1-10000000] [verbose 0-990000] [proto (icmp|igmp|tcp|udp|esp|ah|pim|snp|vrrp|stp|isis|sctp)] [without (icmp|igmp|tcp|udp|esp|ah|pim|snp|vrrp|stp|isis|sctp)] [pcap FILTER] [cponly] [pager] [background]
tcpdump stop
Example
NGFW{}tcpdump mgmt count 2
NGFW{}tcpdump bridge0 record mycapturefile count 100 proto tcp without udp pcap "dst port 443" background
NGFW{}tcpdump6: listening on bridge0, link-type EN10MB (Ethernet), capture size 65535 bytes
100 packets captured
100 packets received by filter
0 packets dropped by kernel
NGFW{}tcpdump stop
All tcpdump processes stopped.
traceroute
Traceroute shows you the path a packet takes from your computer to its destination. It lists every router the packet passes through until it reaches the destination or fails, and tells you how long each router-to-router hop takes.
Syntax
traceroute (A.B.C.D|HOSTNAME) [from A.B.C.D] [mgmt]
(traceroute|traceroute6) X:X::X:X [from X:X::X:X] [mgmt]
Example
NGFW{}traceroute 192.168.140.254
traceroute: Warning: ip checksums disabled
traceroute to 192.168.140.254 (192.168.140.254), 30 hops max, 46 byte packets
 1  192.168.140.254 (192.168.140.254)  0.256 ms  0.249 ms  0.233 ms
traceroute6
Trace IPv6 network routes.
Example
NGFW{}traceroute6 192.168.140.1
user-disk
The external user-disk can be mounted, unmounted, and formatted. Only a user-disk that the user has manually formatted and mounted will be “auto-mounted” by the device at boot. The one exception is after an initial install: the external CFast present in the box at the time of install will be “auto-mounted”.
The user-disk can be encrypted, but only through a ‘format’ of the user-disk, which erases any existing data.
User-disk encryption can also be enabled and disabled from the LSM at System->Settings->Log Configuration.
Modify settings for the external user-disk.
Syntax
user-disk (encryption (enable|disable) | format | mount | unmount)
Example
NGFW{}user-disk unmount
WARNING: Unmounting the external user disk will disable snapshot and packet capture, and traffic related logs will be stored in memory only.
Do you want to continue (y/n)? [n]: y
Success: User disk unmounted.
Example
NGFW{}user-disk mount
Note: The external user disk will be used for snapshots, packet captures and traffic related logs. The external user disk will be automatically mounted on rebooted.
Do you want to continue (y/n)? [n]: y
Success: User disk mounted.
master-key has been set. Changing the encryption
Example
NGFW{}user-disk format
WARNING: This action will erase all existing data on the external user disk!
Do you want to continue (y/n)? [n]: y
Success: User disk format completed.
Example
NGFW{}user-disk encryption enable
WARNING: Changing the encryption status of the user disk will erase all traffic log, snapshot, and packet capture data on the disk.
Do you want to continue (y/n)? [n]: y
Success: User disk encryption enabled.
Related commands
show user-disk
master-key

4 Log Configure Commands

Enter the log-configure command to access the log configuration context. Enter a question mark (?) at the NGFW{log-configure} prompt to display a list of valid command entries. Then enter help commandname to display help for a specific command.
display
Displays log configuration settings.
Syntax
display [log-sessions] [xml|verbose]
Example
NGFW{log-configure}display
# LOG EMAIL SETTINGS
email set sleepSeconds 300
email set maxRequeue 2016
# LOG ROTATE SETTINGS
rotate set sleepSeconds 600
rotate set defaultFiles 5
rotate set defaultCheckRecords 500
rotate set maxFileSize 100 MB
# LOG FILE DISK ALLOCATION
log-storage external 90%
log-storage ramdisk 25%
# LOG FILE ALLOCATION SETTINGS
# INTERNAL DISK
log-file-size system 50%
log-file-size audit 50%
# ---
# Total 100%
# EXTERNAL DISK (USER-DISK)
log-file-size fwAlert 20%
log-file-size fwBlock 20%
log-file-size ipsAlert 10%
log-file-size ipsBlock 10%
log-file-size reputationAlert 5%
log-file-size reputationBlock 5%
log-file-size visibility 20%
log-file-size quarantine 5%
log-file-size vpn 5%
# ---
# Total 100%
email
Allows you to set logging email daemon parameters.
Syntax
email set sleepSeconds SLEEPSEC
email set maxRequeue MAXREQUEUE
email set queueFile QUEUEFILE
email set deadletter DEADLETTER
email delete (sleepSeconds|maxRequeue|queueFile|deadletter)
Example
NGFW{log-configure}email set sleepSeconds 600
NGFW{log-configure}email delete sleepSeconds
NGFW{log-configure}email set maxRequeue 1
NGFW{log-configure}email delete maxRequeue
NGFW{log-configure}email set queueFile myqueuefile
NGFW{log-configure}email delete queueFile
NGFW{log-configure}email set deadletter mydeadletterfile
NGFW{log-configure}email delete deadletter
log-file-size
Set log file allocation as a percentage of the total 100 percent allowed for all log files.
# LOG FILE ALLOCATION SETTINGS
# INTERNAL DISK
log-file-size system 50%
log-file-size audit 50%
# ---
# Total 100%
Syntax
log-file-size FILE_NAME USAGE[%]
log-file-size (audit|fwAlert|fwBlock|ipsAlert|ipsBlock|quarantine|reputationAlert|reputationBlock|system|visibility|vpn) USAGE[%]
The system and audit log files are kept on the internal disk. The fwAlert, fwBlock, ipsAlert, ipsBlock, quarantine, reputationAlert, reputationBlock, visibility, and vpn log files are kept on the external disk or the ramdisk. Each disk is allocated separately, so the percentages for the files on one disk must not exceed 100 percent.
Example
NGFW{log-configure}log-file-size system 50
NGFW{log-configure}log-file-size fwAlert 20
NGFW{log-configure}log-file-size audit 60
ERROR: This would over allocate (110%) the Internal log disk!
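As an added illustration of the allocation rule (this is not code from the HP guide), the following Python models the per-disk percentage bookkeeping and reproduces the rejection shown in the example above. The file-to-disk mapping is the one the guide states under log-file-size; the sample display text is constructed from the guide's own display output; the error wording for the external disk is an assumption, patterned on the internal-disk message the guide shows.

```python
# Log files live on two independently allocated disks. This mapping is the
# one the HP guide states under log-file-size.
INTERNAL_DISK = ("system", "audit")
EXTERNAL_DISK = ("fwAlert", "fwBlock", "ipsAlert", "ipsBlock", "quarantine",
                 "reputationAlert", "reputationBlock", "visibility", "vpn")
DISK_OF = {name: "Internal" for name in INTERNAL_DISK}
DISK_OF.update({name: "External" for name in EXTERNAL_DISK})

# Constructed from the allocation section of the `display` output in the guide.
SAMPLE_DISPLAY = """\
# LOG FILE ALLOCATION SETTINGS
# INTERNAL DISK
log-file-size system 50%
log-file-size audit 50%
# ---
# Total 100%
# EXTERNAL DISK (USER-DISK)
log-file-size fwAlert 20%
log-file-size fwBlock 20%
log-file-size ipsAlert 10%
log-file-size ipsBlock 10%
log-file-size reputationAlert 5%
log-file-size reputationBlock 5%
log-file-size visibility 20%
log-file-size quarantine 5%
log-file-size vpn 5%
# ---
# Total 100%
"""


def parse_allocations(text):
    """Read `log-file-size NAME USAGE%` lines from display output into a dict."""
    alloc = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "log-file-size":
            name, usage = parts[1], parts[2].rstrip("%")
            if name not in DISK_OF:
                raise ValueError(f"unknown log file: {name}")
            alloc[name] = int(usage)
    return alloc


def disk_totals(alloc):
    """Percent allocated on each disk."""
    totals = {"Internal": 0, "External": 0}
    for name, pct in alloc.items():
        totals[DISK_OF[name]] += pct
    return totals


def set_log_file_size(alloc, name, usage):
    """Apply one log-file-size command without mutating the input table.

    Returns (ok, message, new_alloc). On rejection new_alloc is the unchanged
    input. The rejection text copies the CLI message the guide shows for the
    internal disk; the external-disk wording is assumed to follow the same
    pattern.
    """
    if name not in DISK_OF:
        return False, f"ERROR: unknown log file {name}", alloc
    trial = dict(alloc)
    trial[name] = usage
    disk = DISK_OF[name]
    total = disk_totals(trial)[disk]
    if total > 100:
        return False, f"ERROR: This would over allocate ({total}%) the {disk} log disk!", alloc
    return True, f"{disk} log disk allocated {total}%", trial


def unallocated(alloc):
    """Percent left unassigned on each disk; the guide's display leaves none."""
    return {disk: 100 - pct for disk, pct in disk_totals(alloc).items()}


if __name__ == "__main__":
    # Replay the guide's example session, starting from an empty table.
    table = {}
    for cmd_name, cmd_usage in (("system", 50), ("fwAlert", 20), ("audit", 60)):
        ok, msg, table = set_log_file_size(table, cmd_name, cmd_usage)
        print(f"log-file-size {cmd_name} {cmd_usage}: {msg}")
    # The last step prints the 110% rejection, exactly as in the guide.
    print("current settings:", parse_allocations(SAMPLE_DISPLAY))
```

Because the two disks are accounted separately, lowering fwAlert does nothing to make room for audit; the replay shows that only the internal-disk total matters for the audit change.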
log-storage
Set local log file allocation of external CFast disk space. Usage value can range from 50 to 99 percent.
Syntax
log-storage external USAGE[%]
log-storage ramdisk USAGE[%]
Example
NGFW{log-configure}log-storage external 90
log-test
Sends a test message to the logging system(s).
Syntax
log-test (all|audit|vpn|quarantine|logID LOGID) [emergency [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID LOGID) [alert [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID LOGID) [critical [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID LOGID) [error [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID LOGID) [warning [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID LOGID) [notice [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID LOGID) [info [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID LOGID) [debug [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID LOGID) [msg MESSAGE]
Valid entries:
all         All log systems
audit       Audit system
vpn         VPN (IPsec) system
quarantine  Quarantine system
logID       LogID system
LOGID       Log-session ID to test
SEVERITY    Set severity level for log message (default: INFO)
Possible values for SEVERITY are:
emergency   EMERG level
alert       ALERT level
critical    CRIT level
error       ERR level
warning     WARNING level
notice      NOTICE level
info        INFO level (default)
debug       DEBUG level
msg         Override default message
MESSAGE     Message to send to logging system
Example
NGFW{log-configure}log-test logID 1 msg "my test message for logging"
NGFW{log-configure}log-test all
rotate
Sets log rotation parameters.
Syntax
rotate (set|delete) defaultCheckRecords (100-65535)
rotate (set|delete) defaultFiles (2-20)
rotate (set|delete) maxFileSize (10-500MB)
rotate (set|delete) sleepSeconds (1-65535)
rotate (set|delete) audit [Files (2-20)] [Records (100-65535)]
rotate (set|delete) fwAlert [Files (2-20)] [Records (100-65535)]
rotate (set|delete) fwBlock [Files (2-20)] [Records (100-65535)]
rotate (set|delete) ipsAlert [Files (2-20)] [Records (100-65535)]
rotate (set|delete) ipsBlock [Files (2-20)] [Records (100-65535)]
rotate (set|delete) quarantine [Files (2-20)] [Records (100-65535)]
rotate (set|delete) reputationAlert [Files (2-20)] [Records (100-65535)]
rotate (set|delete) reputationBlock [Files (2-20)] [Records (100-65535)]
rotate (set|delete) system [Files (2-20)] [Records (100-65535)]
rotate (set|delete) visibility [Files (2-20)] [Records (100-65535)]
rotate (set|delete) vpn [Files (2-20)] [Records (100-65535)]
sleepSeconds         Log rotation sleep time between checks
SLEEPSEC             Number of seconds log rotation waits between checks
defaultFiles         Default number of log rotation files
NUMFILES             Number of log rotation files (2 - 20)
defaultCheckRecords  Default number of records between log daemon size checks
NUMRECORDS           Number of records between log daemon size checks (100 - 65535)
maxFileSize          Maximum size of a 'rotated' log file
MAXFILESIZE          Maximum log rotation file size in MB (10 - 500)
MB                   Megabytes
FILE_NAME            Local log file name
Files                Number of log rotation files
Records              Number of records between log daemon size checks
delete               Delete the log rotation parameter
Example
NGFW{log-configure}rotate set sleepSeconds 10
NGFW{log-configure}rotate set visibility Files 5 Records 500
NGFW{log-configure}rotate set vpn Files 5 Records 500
NGFW{log-configure}rotate delete vpn Records
NGFW{log-configure}rotate delete vpn Files
NGFW{log-configure}rotate delete visibility
NGFW{log-configure}rotate set defaultCheckRecords 500
NGFW{log-configure}rotate set defaultFiles 5

5 Edit Running Configuration Commands

Enter the edit command to access the configuration mode. In edit mode, you can perform numerous configurations, such as firewall rules and policies, and authentication. Once you have executed the edit command, the CLI prompt will appear as NGFW{running}. Configuration options and sub contexts are available until you exit. To exit the edit configuration mode, enter exit.
The configuration mode enables administrators with the appropriate credentials to write configuration changes to the active (running) configuration. The logon account used to configure the device must be associated with either the Superuser role or the Administrator role to edit the configuration context. The configuration mode has different context levels that provide access to a specific set of configuration commands.

Configuration Contexts by Function

Each table lists the context command reference on the left and the prompt path used to enter that context on the right. Contexts marked (immediate commit context) apply changes as soon as they are entered, without a separate commit.

Monitor/System
Table 5-1 Monitor and System Commands
running-blockedStreams Context Commands          NGFW{running}blockedStreams
running-cluster Context Commands                 NGFW{running}cluster
running-cluster-tct Context Commands             NGFW{running-cluster}tct
running-dns Context Commands                     NGFW{running}dns
running-gen Context Commands                     NGFW{running}gen
running-high-availability Context Commands       NGFW{running}high-availability
running-log Context Commands                     NGFW{running}log
running-mgmt Context Commands                    NGFW{running}interface mgmt
running-ntp Context Commands                     NGFW{running}ntp
running-snmp Context Commands                    NGFW{running}snmp

Network
Table 5-2 Network Commands
running-agglinkX Context Commands                NGFW{running}interface agglink0
running-bridgeX Context Commands                 NGFW{running}interface bridge0
running-greX Context Commands                    NGFW{running}interface gre0
running-l2tp-serverX Context Commands            NGFW{running}l2tp-server0
running-l2tpX Context Commands                   NGFW{running}interface l2tp0
running-loopbackX Context Commands               NGFW{running}interface loopback0
running-pppoeX Context Commands                  NGFW{running}interface pppoe0
running-pptpX Context Commands                   NGFW{running}interface pptp0
running-vlanX Context Commands                   NGFW{running}interface vlan0
running-ethernetX Context Commands               NGFW{running}interface ethernet1
running-segmentX Context Commands                NGFW{running}segment0
running-dhcp-relay Context Commands              NGFW{running}dhcp relay
running-dhcp-server Context Commands             NGFW{running}dhcp server
running-dhcp-server-X Context Commands           NGFW{running-dhcp-server}scope myscope

Policy
Table 5-3 Policy Commands
(immediate commit context)
running-actionsets Context Commands              NGFW{running}actionsets
running-actionsets-X Context Commands            NGFW{running-actionsets}actionset myactionset1
running-addressgroups Context Commands           NGFW{running}addressgroups
running-addressgroups-X Context Commands         NGFW{running-addressgroups}addressgroup myaddressgroups
(immediate commit context)
running-app-filter-mgmt Context Commands         NGFW{running}application-filter-mgmt
(immediate commit context)
running-app-groups Context Commands              NGFW{running}application-groups
running-app-groups-X Context Commands            NGFW{running-app-groups}application-group FaceBook
(immediate commit context)
running-autodv Context Commands                  NGFW{running}autodv
running-autodv-calendar Context Commands         NGFW{running-autodv}calendar
running-autodv-periodic Context Commands         NGFW{running-autodv}periodic
running-captive-portal Context Commands          NGFW{running}captive-portal
running-captive-portal-rule-X Context Commands   NGFW{running-captive-portal}rule 20000
running-dnat Context Commands                    NGFW{running}dst-nat
running-dnat-rule-X Context Commands             NGFW{running-dnat}rule 1
running-firewall Context Commands                NGFW{running}firewall
running-firewall-rule-X Context Commands         NGFW{running-firewall}rule myrule1
running-global-inspection Context Commands       NGFW{running}global-inspection
(immediate commit context)
running-ips Context Commands                     NGFW{running}ips
running-ips-X Context Commands                   NGFW{running-ips}profile 1
(immediate commit context)
running-notifycontacts (email) Context Commands  NGFW{running-notifycontacts}contact mycontact1 email
running-notifycontacts-X (SNMP) Context Commands NGFW{running-notifycontacts}contact mycontact1 snmp secret 192.168.1.1
(immediate commit context)
running-rep Context Commands                     NGFW{running}rep
running-rep-X (group X) Context Commands         NGFW{running-rep}group 1
running-rep-X (profile X) Context Commands       NGFW{running-rep}profile abc
running-schedules Context Commands               NGFW{running}schedules
running-schedules-X Context Commands             NGFW{running-schedules}schedule myhours1
running-services Context Commands                NGFW{running}services
running-services-X Context Commands              NGFW{running-services}service myservice1
running-snat Context Commands                    NGFW{running}src-nat
running-snat-rule-X Context Commands             NGFW{running-snat}rule snat1
running-zones Context Commands                   NGFW{running}zones
running-zones-X Context Commands                 NGFW{running-zones}zone myzone1

Authentication
Table 5-4 Authentication Commands
running-aaa Context Commands                     NGFW{running-aaa}
running-aaa-ldap-group-X Context Commands        NGFW{running-aaa}ldap-group mygroup
running-aaa-radius-group-X Context Commands      NGFW{running-aaa}radius-group mygroup
running-certificates Context Commands            NGFW{running}certificates
running-certificates-crl Context Commands        NGFW{running-certificates}crl

Routing
Table 5-5 Routing Commands
running-bgp-X Context Commands                   NGFW{running}router bgp 1
running-multicast-registration Context Commands  NGFW{running}multicast-registration
running-ospf Context Commands                    NGFW{running}router ospf
running-ospfv3 Context Commands                  NGFW{running}router ospfv3
running-pim-smv4 Context Commands                NGFW{running}router pim-smv4
running-pim-smv6 Context Commands                NGFW{running}router pim-smv6
running-rip Context Commands                     NGFW{running}router rip
running-ripng Context Commands                   NGFW{running}router ripng
running-route-map Context Commands               NGFW{running}route-map mymap permit 10
running-smr Context Commands                     NGFW{running}router smr

VPN
Table 5-6 VPN Commands
running-ipsec Context Commands                   NGFW{running}vpn ipsec
running-manual-sa Context Commands               NGFW{running}vpn ipsec NGFW{running-ipsec}manual

Edit Context Commands

aaa
Enter Authentication and Authorization and Auditing context mode.
Syntax
aaa
Example
NGFW{}edit
NGFW{running}aaa
NGFW{running-aaa}help
NGFW{running-aaa}display user fred xml
<?xml version="1.0"?>
<record>
  <index>
    <user>fred</user>
  </index>
  <parameters>
    <password>$password$</password>
    <epoch>1373049840</epoch>
  </parameters>
</record>
NGFW{running-aaa}exit
Related commands
running-aaa Context Commands
actionsets
Enters action sets context mode. Changes are committed and take effect immediately.
Syntax
actionsets
Example
NGFW{}edit
NGFW{running}actionsets
NGFW{running-actionsets}help
Example
NGFW{running-actionsets}actionset myactionset
NGFW{running-actionsets-myactionset}help
NGFW{running-actionsets-myactionset}?
Valid entries at this position are:
action            Set action type, available value: permit, rate-limit, block, trust
allow-access      Allow quarantined host to access defined IP
bytes-to-capture  Set bytes to capture for packet trace
contact           Add a notify contact
delete            Delete file or configuration item
display           Display file or configuration item
help              Display help information
http-block        Set quarantine option to block HTTP traffic
http-custom       Set or clear HTTP custom text display option
http-redirect     Set redirect URL for HTTP redirect option
http-showdesc     Set or clear HTTP show desc display option
http-showname     Set or clear HTTP show name display option
limit-quarantine  Add IP for limit quarantine
limit-rate        Set the rate value for rate-limit action
no-quarantine     Add IP for no quarantine
nonhttp-block     Set quarantine option to block non-HTTP traffic
packet-trace      Enable/disable packet trace option
priority          Set packet trace priority
quarantine        Set quarantine option, available value: no, immediate, threshold
tcp-reset         Set tcp reset option for block action, can be disable, source, dest or both
threshold         Set quarantine threshold value
verbosity         Set packet trace verbosity
Related commands
running-actionsets Context Commands
addressgroups
Enters address group context.
Syntax
addressgroups
Example
NGFW{running}addressgroups
NGFW{running-addressgroups}help
NGFW{running-addressgroups}?
Valid entries at this position are:
  addressgroup  Create or enter an address group context
  delete        Delete address group parameters
  help          Display help information
  rename        Rename address group
Related commands
running-addressgroups Context Commands
application-filter-mgmt
Enters application filter management context.
Syntax
application-filter-mgmt
Example
NGFW{}edit
NGFW{running}application-filter-mgmt
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-app-filter-mgmt}help
Valid commands are:
  display
  filter FILTERNUMBER SYS_ENABLE_OR_DISABLE
  filter FILTERNUMBER afcstate AFC_ENABLE_OR_DISABLE
  filter FILTERNUMBER SYS_ENABLE_OR_DISABLE afcstate AFC_ENABLE_OR_DISABLE
  help [full|COMMAND]
Related commands
running-app-filter-mgmt Context Commands
application-groups
Enters the application-group context mode. Application groups can be associated with firewall rules, but they can only be defined through the LSM, not the CLI. The CLI commands are similar in syntax to those for security categories, but the CRITERIASTRING parameter is deliberately obfuscated, and, as with security categories, application group queries cannot be edited from the CLI.
NOTE: Attempting to create an application group from the CLI results in an error while parsing the CRITERIASTRING parameter. The CRITERIASTRING format is deliberately obfuscated and unsupported, to prevent users from creating or editing application group criteria from the CLI. Setting and getting criteria in the obfuscated format is supported only so that users can copy the output of CLI display commands and paste it back in.
Syntax
application-groups
Example
NGFW{running}application-groups
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-app-groups}help
Valid commands are:
  application-group NEWAPPNAME CRITERIASTRING
  application-group APPNAME
  delete application-group APPNAME
  display
  help [full|COMMAND]
  rename application-group APPNAME NEWAPPNAME
Related commands
running-app-groups Context Commands
application-visibility
Enables or Disables application visibility.
Syntax
application-visibility (enable|disable)
Example
NGFW{running}application-visibility ?
Valid entries at this position are:
  disable  Disable application visibility
  enable   Enable application visibility
autodv
Enters auto digital vaccine context mode.
Syntax
autodv
Example
NGFW{running}autodv
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-autodv}help
Valid commands are:
  calendar
  delete proxy
  delete proxy-password
  delete proxy-username
  disable
  display
  enable
  help [full|COMMAND]
  list
  periodic
  proxy ADDR port PORT
  proxy-password PASSWD
  proxy-username USER
  update
NGFW{running-autodv}?
Valid entries at this position are:
  calendar        Enter Calendar Style
  delete          Delete file or configuration item
  disable         Disable service
  display         Display file or configuration item
  enable          Enable service
  help            Display help information
  list            List Installed DVs
  periodic        Enter Periodic Style
  proxy           Configure proxy
  proxy-password  Proxy password
  proxy-username  Proxy username
  update          Update AutoDV
Related commands
running-autodv Context Commands
blockedStreams
Enters blockedStreams context mode.
Syntax
blockedStreams
Example
NGFW{running}blockedStreams
NGFW{running-blockedStreams}help
Valid commands are:
  flushallstreams
  flushstreams
  help [full|COMMAND]
  list
Related command
running-blockedStreams Context Commands
captive-portal
Enters captive portal context mode.
Syntax
captive-portal
Example
NGFW{running}captive-portal
NGFW{running-captive-portal}help
Valid commands are:
  delete rule all|RULEID
  help [full|COMMAND]
  rename rule RULEID NEWRULEID
  rule (auto|RULEID) [POSITION_VALUE]
  set max-session-time MINUTES
  set inactive-timeout MINUTES
  set port PORT
  set certificate CERTNAME
  set login-page|status-page foreground-color|background-color HEX|COLOR
  set login-page header-HTML|footer-HTML|failed-HTML
  set status-page foreground-color|background-color HEX|COLOR
  set status-page main-HTML
  reset max-session-time|inactive-timeout|port|certificate
  reset login-page|status-page foreground-color|background-color
  reset login-page header-HTML|footer-HTML|failed-HTML
  reset status-page main-HTML
Related commands
running-captive-portal Context Commands
certificates
Enters certificates context mode.
Syntax
certificates
Example
NGFW{running}certificates
NGFW{running-certificates}help
Valid commands are:
# Enter context
  crl
# Other commands
  ca-certificate CANAME
  cert-request CERTREQUEST [key-size SIZE]
  certificate CERTNAME
  delete ca-certificate (all|CANAME)
  delete cert-request (all|CERTREQUEST)
  delete certificate (all|CERTNAME)
  display ca-certificate CANAME [pem|text]
  display cert-request CERTNAME
  display certificate CERTNAME [pem|text]
  display private-key CERTNAME
  help [full|COMMAND]
  private-key CERTNAME
Related commands
running-certificates Context Commands
cluster
Enters cluster context mode.
Syntax
cluster
Example
NGFW{running}cluster
NGFW{running-cluster}help
Valid commands are:
  check CHECK_TYPE enable|disable
  cluster-name NAME
  delete standby
  enable|disable
  help [full|COMMAND]
  member-id ID
  member-name NAME
  standby
  tct
NGFW{running-cluster}?
Valid entries at this position are:
  check         Perform consistency check
  cluster-name  Apply Cluster Name
  delete        Delete file or configuration item
  disable       Disable clustering
  enable        Enable clustering
  help          Display help information
  member-id     Cluster Member ID
  member-name   Cluster member name
  standby       Set the device on standby
  tct           Enter cluster traffic context
Related commands
running-cluster Context Commands
delete
Deletes a file or configuration item.
Syntax
delete SEGNAME
delete interface agglinkX
delete interface bridgeX
delete interface greX
delete interface l2tpX
delete interface loopbackX
delete interface pppoeX
delete interface pptpX
delete interface vlanX
delete interface vrrpvXgY
delete ip access-list NAME (permit|deny) A.B.C.D/M
delete ip prefix-list NAME (permit|deny) A.B.C.D/M [ge GE-VALUE] [le LE-VALUE]
delete ipv6 access-list NAME (permit|deny) X:X::X:X/M
delete l2tp-serverX
delete route-map ROUTE-MAP-NAME
delete route-map ROUTE-MAP-NAME permit|deny ENTRY-POSITION
delete router bgp
delete router ospf
delete router ospfv3
delete router pim-smv6
delete router rip
delete router ripng
delete router smr
Example
NGFW{running}delete segment78
NGFW{running}delete interface agglink0
NGFW{running}delete interface bridge0
NGFW{running}delete interface gre0
NGFW{running}delete interface l2tp0
NGFW{running}delete interface loopback0
NGFW{running}delete interface pppoe0
NGFW{running}delete interface pptp0
NGFW{running}delete interface vlan0
NGFW{running}delete ip access-list myaccesslist permit 0.0.0.0/0
NGFW{running}delete ip prefix-list myprefixlist permit 192.168.0.0/16 ge 24 le 24
NGFW{running}delete ipv6 access-list myipv6accesslist permit 100:0:0:0:0:0:0:0/64
NGFW{running}delete l2tp-server0
NGFW{running}delete route-map myroutemap
NGFW{running}delete route-map myroutemap permit 1
NGFW{running}delete router bgp
NGFW{running}delete router ospf
NGFW{running}delete router ospfv3
NGFW{running}delete router pim-smv6
NGFW{running}delete router rip
NGFW{running}delete router ripng
NGFW{running}delete router smr
dhcp
Enters DHCP context mode.
Syntax
dhcp relay
dhcp server
Example
NGFW{running}dhcp
Valid entries at this position are:
  relay   Enter DHCP relay context
  server  Server
Related commands
running-dhcp-relay Context Commands
running-dhcp-server Context Commands
dns
Enters DNS context mode.
Syntax
dns
Example
NGFW{running}dns
NGFW{running-dns}help
Valid commands are:
  delete domain-name
  delete name-server all|A.B.C.D|X:X::X:X
  delete proxy cache cleaning interval
  delete proxy cache forwarder all|A.B.C.D|X:X::X:X
  delete proxy cache maximum negative ttl
  delete proxy cache maximum ttl
  delete proxy cache size
  domain-name NAME
  domain-search primary NAME
  help [full|COMMAND]
  name-server A.B.C.D|X:X::X:X
  proxy cache cleaning interval      cache cleaning interval in minutes
  proxy cache forwarder A.B.C.D|X:X::X:X
  proxy cache maximum negative ttl   cache maximum negative TTL in minutes
  proxy cache maximum ttl            cache maximum TTL in minutes
  proxy cache size                   cache size in megabytes
  proxy enable|disable
NGFW{running-dns}?
Valid entries at this position are:
  delete         Delete file or configuration item
  domain-name    Configure domain name
  domain-search  Configure domain search
  help           Display help information
  name-server    Configure DNS server
  proxy          Configure proxy
  proxy          Enable or disable proxy
Related commands
running-dns Context Commands
dst-nat
Enters destination NAT context mode.
Syntax
dst-nat
Example
NGFW{running}dst-nat
NGFW{running-dnat}help
Valid commands are:
  delete rule all|DSTNATRULEID
  help [full|COMMAND]
  rule (auto|DSTNATRULEID) [POSITION_VALUE]
NGFW{running-dnat}?
Valid entries at this position are:
  delete  Delete destination NAT rule(s)
  help    Display help information
  rename  Rename destination NAT rule
  rule    Create or enter a rule context
Related commands
running-dnat Context Commands
firewall
Enters firewall context mode.
Syntax
firewall
Example
NGFW{running}firewall
NGFW{running-firewall}help
Valid commands are:
  default-block-rule DEFACTIONSET
  delete rule all|XRULEID
  help [full|COMMAND]
  rename rule XRULEID NEWRULEID
  rule (auto|RULEID) [POSITION_VALUE]
NGFW{running-firewall}?
Valid entries at this position are:
  default-block-rule  Apply action set for default block rule
  delete              Delete firewall rule
  help                Display help information
  rename              Rename a firewall rule
  rule                Create or enter a rule context
Related commands
running-firewall Context Commands
gen
Enters general context mode.
Syntax
gen
Example
NGFW{running}gen
NGFW{running-gen}help
Valid commands are:
# System commands
  timezone (GMT|(REGION CITY))
# Manage context
  display [xml]
# Other commands
  arp A.B.C.D INTERFACE MAC
  auto-restart enable|disable
  delete arp all|(ENTRY INTERFACE)
  delete host NAME|all
  delete ndp all|(ENTRY INTERFACE)
  ephemeral-port-range default|(LOWRANGE HIGHRANGE)
  forwarding ipv4|ipv6 enable|disable
  help [full|COMMAND]
  host NAME A.B.C.D|X:X::X:X
  https enable|disable
  inband-management enable|disable
  management-service all|dns|email|ldap|ntp|radius|remote-syslog|snmp management|network
  ndp X:X::X:X INTERFACE MAC
  ssh enable|disable
  xmsd remote (port PORT [address A.B.C.D])|disable
NGFW{running-gen}?
Valid entries at this position are:
  arp                   Configure static ARP entry
  auto-restart          Enable/disable automatic restart on detection of critical problem
  delete                Delete file or configuration item
  display               Display general context
  ephemeral-port-range  Set the range of the ephemeral port (default is 32768-61000)
  forwarding            Enable or disable IPv4/IPv6 forwarding
  help                  Display help information
  host                  Configure static address to host name association
  https                 Enable or disable WEB server configuration
  inband-management     Inband Management
  management-service    Management of a service to use management port or network port
  ndp                   Configure static NDP entry
  ssh                   Enable or disable ssh service
  timezone              Display or configure time zone
Related commands
running-gen Context Commands
global-inspection
Enters global-inspection context mode.
Syntax
global-inspection
Example
NGFW{running}global-inspection
NGFW{running-global-inspection}help
Valid commands are:
  default-inspection (ips-profile IPSPROFILE|none)|(reputation-profile REPPROFILE|none)
  unknown-app (ips-profile IPSPROFILE|none)|(reputation-profile REPPROFILE|none)
  display [xml]
  help [full|COMMAND]
NGFW{running-global-inspection}?
Valid entries at this position are:
  default-inspection  Apply default inspection profile
  display             Display global inspection profile configuration
  help                Display help information
  unknown-app         Apply inspection profile during application detection phase
Related commands
running-global-inspection Context Commands
high-availability
Enters high-availability context mode.
Syntax
high-availability
Examples
NGFW{running}high-availability
NGFW{running-high-availability}help
Valid commands are:
  delete failover-group base-mac
  delete failover-group name
  enable|disable
  failover-group base-mac X:X:X:X:X:X
  failover-group name NAME
  help [full|COMMAND]
  state-sync (global [enable|disable])|(FEATURE [enable|disable|(log-level SEVERITY)])
NGFW{running-high-availability}?
Valid entries at this position are:
  delete          Delete file or configuration item
  disable         Disable high-availability
  enable          Enable high-availability
  failover-group  Failover Group
  help            Display help information
  state-sync      State synchronization
NGFW{running-high-availability}help state-sync
Enable or disable high-availability (enable|disable)
Syntax: state-sync (global [enable|disable])|(FEATURE [enable|disable|(log-level SEVERITY)])
  state-sync  State synchronization
  global      Turn state synchronization on or off
  enable      Enable state synchronization
  disable     Disable state synchronization
  FEATURE     Specify a state synchronization table
  Possible values for FEATURE are:
    firewall  Firewall state synchronization table
    ips       IPS state synchronization table
    routing   Routing state synchronization table
  log-level   Specify logging level
  SEVERITY    Log service severity
  Possible values for SEVERITY are:
    emergency  Panic condition messages
    alert      Immediate problem condition messages
    critical   Critical condition messages
    error      Error messages
    warning    Warning messages
    notice     Special condition messages
    info       Informational messages
    debug      Debug messages
    none       Turn off messages
NGFW{running-high-availability}state-sync ?
Valid entries at this position are:
  firewall  Firewall state synchronization table
  ips       IPS state synchronization table
  routing   Routing state synchronization table
  global    Turn state synchronization on or off
Related commands
running-high-availability Context Commands
interface
Enters interface context mode. The X represents a number to be entered, such as bridge2.
Syntax
# Enter context
interface agglinkX
interface bridgeX
interface ethernetX
interface greX
interface l2tpX
interface loopbackX
interface mgmt
interface pppoeX
interface pptpX
interface vlanX
Example
NGFW{running}interface bridge2
NGFW{running-bridge2}help
NGFW{running-bridge2}?
Valid entries at this position are:
  arp/ndp               Enable or disable ARP and NDP on interface
  autoconfv6            Enable or disable IPv6 autoconfiguration on interface
  bind                  Bind bridged network interface over ethernet/VLAN/agglink
  delete                Delete file or configuration item
  description           Enter description for the interface
  help                  Display help information
  ip                    Configure IP settings
  ipaddress             Configure IP address
  ipv6                  Configure IPv6 settings
  mtu                   Configure interface MTU
  prefix                Configure IPv6 prefix
  ra-autoconf-level     Modify IPv6 Router Advertisement autoconfiguration level
  ra-interval           Modify IPv6 Router Advertisement interval value
  ra-interval-transmit  Modify IPv6 Router Advertisement interval transmit
  ra-lifetime           Modify IPv6 Router Advertisement prefix lifetime
  ra-mtu                Modify IPv6 Router Advertisement MTU value
  ra-transmit-mode      Modify IPv6 Router Advertisement transmit mode
  router-advert         Configure IPv6 Router Advertisement parameters
  shutdown              Shutdown logical interface state
  tcp4mss               Configure interface TCP MSS for IPv4
  tcp6mss               Configure interface TCP MSS for IPv6
Related commands
running-agglinkX Context Commands
running-bridgeX Context Commands
running-ethernetX Context Commands
running-greX Context Commands
running-l2tpX Context Commands
running-loopbackX Context Commands
running-mgmt Context Commands
running-pppoeX Context Commands
running-pptpX Context Commands
running-vlanX Context Commands
ip
IP configuration mode.
Syntax
ip access-list NAME (permit|deny) A.B.C.D/M
ip as-path access-list NAME (permit|deny) ASN_FILTER
delete ip as-path access-list NAME (permit|deny) ASN_FILTER
ip community-list NAME (permit|deny) ((AA:NN)|internet|local-as|no-advertise|no-export)
delete ip community-list NAME (permit|deny) ((AA:NN)|internet|local-as|no-advertise|no-export)
ip prefix-list NAME (permit|deny) A.B.C.D/M [ge GE-VALUE] [le LE-VALUE]
ip route A.B.C.D/M A.B.C.D|INTERFACE [DISTANCE]
ipv6 route X:X::X:X/M (X:X::X:X[%INTERFACE])|INTERFACE [DISTANCE]
display ip route
Valid entries:
  access-list     Access list
  as-path         AS Path access list
  community-list  Community list
  prefix-list     Prefix list
  route           Add an IPv4 static route
Example
NGFW{running}ip access-list myaccesslist permit 0.0.0.0/0
NGFW{running}ip as-path access-list myasnaccesslist permit ^64496$
NGFW{running}delete ip as-path access-list myasnaccesslist permit ^64496$
NGFW{running}ip community-list mycommunitylist permit 64496:100
NGFW{running}ip community-list mycommunitylist permit internet
NGFW{running}delete ip community-list mycommunitylist permit 64496:100
NGFW{running}ip prefix-list myprefixlist permit 192.168.0.0/16 ge 24 le 24
NGFW{running}ip route 192.168.1.0/24 192.0.2.1 1
NGFW{running}ip route 192.168.1.0/24 ethernet5 1
NGFW{running}display ip route
# IPV4 ROUTES
ip route 192.168.1.0/24 192.0.2.1 1
ip route 192.168.1.0/24 ethernet5
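The prefix-list entry in the example above, 192.168.0.0/16 ge 24 le 24, matches only /24 routes inside 192.168.0.0/16 and not the /16 itself, which is easy to get wrong when writing route filters. The following Python script is an added illustration (not part of this guide or the NGFW software) that implements the conventional prefix-list semantics, first match wins with an implicit deny at the end, and applies them to the manual's entry plus two constructed ones. That the NGFW evaluates entries in the same order and denies unmatched routes is an assumption to confirm on the appliance.

```python
"""Prefix-list matching with ge/le, worked through offline.

Added illustration; not code from the NGFW or this guide. Semantics are the
conventional router ones and an assumption about the NGFW: a route matches an
entry when it lies inside the listed prefix and its length is within [ge, le];
without ge/le only the exact prefix matches; the first matching entry wins;
a route no entry matches is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PrefixListEntry:
    action: str                       # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None          # minimum route length, inclusive
    le: Optional[int] = None          # maximum route length, inclusive

    def length_range(self) -> Tuple[int, int]:
        """Route lengths this entry accepts, from the prefix length and ge/le."""
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = self.prefix.max_prefixlen    # "ge N" alone means N..32
        else:
            high = self.prefix.prefixlen        # no ge/le: exact prefix only
        return low, high

    def matches(self, route) -> bool:
        if route.version != self.prefix.version:
            return False
        low, high = self.length_range()
        return route.subnet_of(self.prefix) and low <= route.prefixlen <= high


def parse_prefix_list_line(line: str) -> Tuple[str, PrefixListEntry]:
    """Parse 'ip prefix-list NAME (permit|deny) A.B.C.D/M [ge N] [le N]'."""
    tokens = line.split()
    if tokens[:2] != ["ip", "prefix-list"] or len(tokens) < 5:
        raise ValueError(f"not a prefix-list line: {line!r}")
    name, action = tokens[2], tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    prefix = ipaddress.ip_network(tokens[4], strict=True)   # rejects host bits set
    options = tokens[5:]
    if len(options) % 2:
        raise ValueError(f"dangling option in {line!r}")
    ge = le = None
    for key, value in zip(options[::2], options[1::2]):
        if key == "ge":
            ge = int(value)
        elif key == "le":
            le = int(value)
        else:
            raise ValueError(f"unknown option {key!r} in {line!r}")
    entry = PrefixListEntry(action, prefix, ge, le)
    low, high = entry.length_range()
    if not prefix.prefixlen <= low <= high <= prefix.max_prefixlen:
        raise ValueError(f"need M <= ge <= le <= {prefix.max_prefixlen} in {line!r}")
    return name, entry


def build_prefix_lists(config_lines) -> Dict[str, List[PrefixListEntry]]:
    """Group parsed entries by list name, in configuration order."""
    lists: Dict[str, List[PrefixListEntry]] = {}
    for raw in config_lines:
        line = raw.strip()
        if line and not line.startswith("#"):
            name, entry = parse_prefix_list_line(line)
            lists.setdefault(name, []).append(entry)
    return lists


def evaluate(entries: List[PrefixListEntry], route_str: str) -> str:
    """First matching entry decides; anything unmatched is denied (implicit deny)."""
    route = ipaddress.ip_network(route_str, strict=True)
    for entry in entries:
        if entry.matches(route):
            return entry.action
    return "deny"


# Constructed sample configuration, modelled on the manual's example entry.
SAMPLE_CONFIG = """
ip prefix-list myprefixlist permit 192.168.0.0/16 ge 24 le 24
ip prefix-list exact permit 10.0.0.0/8
ip prefix-list morespecific permit 10.0.0.0/8 ge 24
"""

if __name__ == "__main__":
    lists = build_prefix_lists(SAMPLE_CONFIG.splitlines())
    for route in ("192.168.10.0/24", "192.168.0.0/16", "192.168.10.0/25", "10.0.0.0/8", "10.1.2.0/24"):
        for name, entries in lists.items():
            print(f"{name:13} {route:17} -> {evaluate(entries, route)}")
```

The parser rejects an entry whose ge/le window is impossible (for example ge smaller than the prefix length), which is also the kind of entry that silently matches nothing on a router and leaves a filter wide open or fully closed without any warning.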
ips
Enters IPS profile context mode.
Syntax
ips
Example
NGFW{running}ips
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-ips}help
Valid commands are:
# Enter context
  display-categoryrules
# Other commands
  afc-mode AFCMODE
  afc-severity SEVERITY
  connection-table TIMEOUTTYPE SECONDS
  delete profile XPROFILENAME
  deployment-choices
  display
  gzip-decompression enable|disable
  help [full|COMMAND]
  profile PROFILENAME
  quarantine-duration DURATION
  rename profile XPROFILENAME NEWPROFILENAME
NGFW{running-ips}?
Valid entries at this position are:
  afc-mode               AFC mode
  afc-severity           AFC severity
  connection-table       Connection table timeout
  delete                 Delete a profile
  deployment-choices     Get deployment choices
  display                Display all ips configuration and profiles
  display-categ oryrules  Display category rules for all profiles
  gzip-decompression     GZIP decompression mode
  help                   Display help information
  profile                Create/enter an IPS profile
  quarantine-duration    Quarantine duration
  rename                 Rename a profile
Related commands
running-ips Context Commands
ipv6
IPv6 configuration
Syntax
ipv6 access-list NAME (permit|deny) X:X::X:X/M
ipv6 route X:X::X:X/M (X:X::X:X[%INTERFACE])|INTERFACE [DISTANCE]
display ipv6 route
Valid entries:
  ipv6        IPv6 configuration
  route       Add static route
  X:X::X:X/M  Unicast IPv6 prefix address
  X:X::X:X    IPv6 address
  INTERFACE   Interface name
  DISTANCE    The distance value (1-255)
Example
NGFW{running}ipv6 access-list myipv6accesslist permit 100:0:0:0:0:0:0:0/64
NGFW{running}ipv6 route 2001:2:0:0:0:0:0:0/48 ethernet5 1
NGFW{running}ipv6 route 2001:2:0:0:0:0:0:0/48 100:0:0:0:0:0:0:1 1
NGFW{running}display ipv6 route
# IPV6 ROUTES
ipv6 route 2001:2::/48 ethernet5
ipv6 route 2001:2::/48 100::1
l2tp-serverX
Enters L2TP server context mode. The X represents a number, for example l2tp-server0.
Syntax
l2tp-serverX
Example
NGFW{running}l2tp-server0
NGFW{running-l2tp-server0}help
Valid commands are:
  auth enable|disable
  auth shared-secret A.B.C.D|any secret-key
  bind none|any|(A.B.C.D [port])
  delete auth shared-secret A.B.C.D|all
  help [full|COMMAND]
  hiding enable|disable
  sequencing enable|disable
NGFW{running-l2tp-server0}?
Valid entries at this position are:
  auth        Authenticated configuration
  bind        Configure bind service of L2TP server
  delete      Delete file or configuration item
  help        Display help information
  hiding      Enable or disable hiding configuration
  sequencing  Enable or disable sequence configuration
Related commands
running-l2tp-serverX Context Commands
log
Enters log context mode. Note that the 'Management Console' notification contact for the audit log cannot be modified.
Syntax
log
Example
NGFW{running}log
NGFW{running-log}help
Valid commands are:
  delete log audit CONTACT-NAME
  delete log quarantine CONTACT-NAME
  delete log system CONTACT-NAME
  delete log vpn CONTACT-NAME
  delete log-option fib events|kernel|memory|packet [recv|send]
  delete log-option ppp( all)|( DEL-PPP-LOG-OPTION){1,10}
  delete log-option xmsd( all)|( LOG_OPTION)
  help [full|COMMAND]
  log audit CONTACT-NAME [ALL|none]
  log quarantine CONTACT-NAME [ALL|none]
  log system CONTACT-NAME [SEVERITY]
  log vpn CONTACT-NAME [SEVERITY]
  log-option fib events|kernel|memory|packet [recv|send]
  log-option ppp( all)|( PPP-LOG-OPTION){1,255}
  log-option xmsd( all)|( LOG_OPTION)
  sub-system SUBSYSTEM [SEVERITY]
NGFW{running-log}?
Valid entries at this position are:
  delete      Delete file or configuration item
  help        Display help information
  log         Add a Notification Contact to a log service
  log-option  Add service log option
  sub-system  Set sub-system log level
NGFW{running-log}display
# LOG SERVICES
log system "Management Console" notice
#log audit "Management Console" ALL
log vpn "Management Console" info
log quarantine "Management Console" ALL

# SUB-SERVICES
sub-system INIT info
sub-system XMS notice
sub-system TOS info
sub-system HTTPD notice
sub-system GATED none
sub-system LOGIN notice
sub-system PACEMAKER error
sub-system COROSYNC notice
sub-system CRMADMIN none
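The display output above is what a reviewer reads to confirm that no security-relevant logging has been switched off; in the sample, GATED and CRMADMIN are at none. The following Python script is an added example, not part of this guide or the NGFW software, that parses that output and reports sub-systems logging at none or below an operator-chosen minimum, and log services with no active notification contact. The severity order follows the list under help state-sync above; the minimum levels in MIN_SUBSYSTEM_LEVEL are a sample policy and an assumption, not a product default.

```python
"""Audit of 'display' output from the running-log context (added illustration, not NGFW code).
Severity order follows the CLI's state-sync help; MIN_SUBSYSTEM_LEVEL is a sample policy."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Most to least severe as the CLI lists them; "none" switches logging off and
# "ALL" (audit and quarantine logs) passes everything.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]
VERBOSITY = {name: rank for rank, name in enumerate(SEVERITIES)}
VERBOSITY.update({"none": -1, "ALL": len(SEVERITIES)})

# Sample policy (assumption): each listed sub-system must log at least this verbosely.
MIN_SUBSYSTEM_LEVEL = {
    "LOGIN": "notice",       # authentication events must not be suppressed
    "HTTPD": "notice",       # web management access
    "XMS": "notice",         # management daemon
    "GATED": "warning",      # routing daemon
    "PACEMAKER": "warning",  # HA cluster resource manager
    "CRMADMIN": "warning",
}
# Log services that need an active notification contact. The manual says the
# Management Console contact for the audit log is fixed, and the display shows
# it commented out, so that form is accepted for 'audit'.
REQUIRED_SERVICES = ("system", "audit", "vpn", "quarantine")


@dataclass(frozen=True)
class LogContact:
    contact: str
    level: str
    active: bool    # False when the display shows the line commented out


def parse_log_display(text: str) -> Tuple[Dict[str, List[LogContact]], Dict[str, str]]:
    """Split display output into {service: [contacts]} and {sub-system: level}."""
    services: Dict[str, List[LogContact]] = {}
    subsystems: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        active = not line.startswith("#")
        tokens = shlex.split(line.lstrip("#"))   # keeps "Management Console" as one token
        if tokens and tokens[0] == "log" and len(tokens) >= 4:
            services.setdefault(tokens[1], []).append(LogContact(tokens[2], tokens[3], active))
        elif tokens and tokens[0] == "sub-system" and len(tokens) == 3:
            subsystems[tokens[1]] = tokens[2]
        # section headers such as "# LOG SERVICES" fall through
    return services, subsystems


def audit_log_config(services: Dict[str, List[LogContact]], subsystems: Dict[str, str]) -> List[str]:
    """Return one finding per problem; an empty list means the configuration passes the policy."""
    findings: List[str] = []
    for name in REQUIRED_SERVICES:
        contacts = services.get(name, [])
        if not contacts:
            findings.append(f"log service {name}: not configured")
        elif not any(c.active for c in contacts) and not (
            name == "audit" and any(c.contact == "Management Console" for c in contacts)
        ):
            findings.append(f"log service {name}: no active notification contact")
    for name, level in subsystems.items():
        required = MIN_SUBSYSTEM_LEVEL.get(name)
        if level not in VERBOSITY:
            findings.append(f"sub-system {name}: unknown level {level!r}")
        elif level == "none":
            findings.append(f"sub-system {name}: logging disabled (none)")
        elif required and VERBOSITY[level] < VERBOSITY[required]:
            findings.append(f"sub-system {name}: {level} is coarser than required {required}")
    return findings


# Constructed sample, modelled on the display output shown in the manual.
SAMPLE_DISPLAY = """\
# LOG SERVICES
log system "Management Console" notice
#log audit "Management Console" ALL
log vpn "Management Console" info
log quarantine "Management Console" ALL

# SUB-SERVICES
sub-system INIT info
sub-system XMS notice
sub-system TOS info
sub-system HTTPD notice
sub-system GATED none
sub-system LOGIN notice
sub-system PACEMAKER error
sub-system COROSYNC notice
sub-system CRMADMIN none
"""

if __name__ == "__main__":
    for finding in audit_log_config(*parse_log_display(SAMPLE_DISPLAY)):
        print(finding)
```

Run against the sample it reports GATED and CRMADMIN as disabled and PACEMAKER as coarser than the policy's warning; the commented audit line is accepted because the guide states that contact is fixed.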
Related commands
running-log Context Commands
multicast-registration
Enters multicast registration context mode.
Syntax
multicast-registration
Example
NGFW{running}multicast-registration
NGFW{running-multicast-registration}help
Valid commands are:
  help [full|COMMAND]
  igmp-version default|(mode MODE IGMPvX)
  mld-version default|(mode MODE MLDvX)
NGFW{running-multicast-registration}?
Valid entries at this position are:
  help          Display help information
  igmp-version  Configure system IGMP version
  mld-version   Configure system MLD version
NGFW{running-multicast-registration}igmp-version mode ?
Valid entry at this position is:
  MODE  Define IGMP mode (force or default)
Related commands
running-multicast-registration Context Commands
notifycontacts
Enters notify contacts context mode.
Syntax
notifycontacts
Example
NGFW{running}notifycontacts
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-notifycontacts}help
Valid commands are:
  contact CONTACTNAME
  contact NEWNAME email
  contact NEWNAME snmp COMMUNITY IP [PORT]
  delete contact XCONTACTNAME
  display
  email-from-address EMAIL
  email-from-domain DOMAIN
  email-server IP
  email-threshold THRESHOLD
  email-to-default-address EMAIL
  help [full|COMMAND]
  rename contact XCONTACTNAME NEWNAME
NGFW{running-notifycontacts}?
Valid entries at this position are:
  contact                   Create or edit a notify contact
  delete                    Delete file or configuration item
  display                   Display all available contacts
  email-from-address        From email address
  email-from-domain         From domain name
  email-server              Set mail server IP
  email-threshold           Set email threshold
  email-to-default-address  Default to email address
  help                      Display help information
  rename                    Rename contact with new name
Related commands
running-notifycontacts (email) Context Commands
ntp
Enters NTP context mode.
Syntax
ntp
Example
NGFW{running}ntp
NGFW{running-ntp}help
Valid commands are:
  delete key all|ID
  delete server all|HOST
  help [full|COMMAND]
  key (1-65535) VALUE
  ntp enable|disable
  polling-interval SECONDS
  server dhcp|NAME [key ID] [prefer]
NGFW{running-ntp}?
Valid entries at this position are:
  delete            Delete file or configuration item
  help              Display help information
  key               Configure NTP authentication key
  ntp               Enable or disable NTP
  polling-interval  Configure minimum polling interval
  server            Configure remote NTP server
Related commands
running-ntp Context Commands
reputation
Enters Reputation context mode.
Syntax
reputation
Example
NGFW{running}reputation
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-rep}help
Valid commands are:
  delete group USERGROUP
  delete profile XPROFILENAME
  display group USERGROUP
  help [full|COMMAND]
  profile PROFILENAME
  rename group USERGROUP NEWUSERGROUP
  rename profile XPROFILENAME NEWPROFILENAME
NGFW{running-rep}?
Valid entries at this position are:
  delete   Delete file or configuration item
  display  Display all reputation profiles and groups
  group    Create/enter reputation group context
  help     Display help information
  profile  Create/enter reputation profile context
  rename   Rename a reputation profile or group
Related commands
running-rep Context Commands
route-map
Enters the route-map context for the specified route-map entry.
Syntax
route-map ROUTE-MAP-NAME (permit|deny) ENTRY-POSITION
Example
NGFW{running}help route-map
Enter the route-map context
Syntax: route-map ROUTE-MAP-NAME permit|deny ENTRY-POSITION
  route-map       Enter the route-map context
  ROUTE-MAP-NAME  Route-map name
  permit          Permit the network prefix
  deny            Deny the network prefix
  ENTRY-POSITION  Position of the route-map entry (1-65535)
Related commands
running-route-map Context Commands
router
Enters the specified router protocol context.
Syntax
router bgp ASNUMBER
router ospf
router ospfv3
router pim-smv4
router pim-smv6
router rip
router ripng
router smr
Valid entries:
  bgp       Enter the BGP context
  ASNUMBER  The autonomous system number (1-2147483647)
  ospf      Enter the OSPF context
  ospfv3    Enter the OSPFv3 context
  pim-smv4  Enter the PIM-SM IPv4 context
  pim-smv6  Enter the PIM-SM IPv6 context
  rip       Enter the RIP context
  ripng     Enter the RIPng context
  smr       Enter the SMR context
Example
NGFW{running}router ospf
NGFW{running}router ospfv3
NGFW{running}router pim-smv4
NGFW{running}router pim-smv6
NGFW{running}router rip
NGFW{running}router ripng
NGFW{running}router smr
NGFW{running}router bgp
Related commands
running-ospf Context Commands
running-ospfv3 Context Commands
running-bgp-X Context Commands
running-rip Context Commands
running-ripng Context Commands
running-pim-smv4 Context Commands
running-pim-smv6 Context Commands
running-smr Context Commands
schedules
Enters schedules context mode.
Syntax
schedules
Example
NGFW{running}schedules
NGFW{running-schedules}help
Valid commands are:
  delete schedule all|SCHEDULENAME
  help [full|COMMAND]
  rename schedule SCHEDULENAME NEWSCHEDULENAME
  schedule SCHEDULENAME
NGFW{running-schedules}?
Valid entries at this position are:
  delete    Delete a schedule
  help      Display help information
  rename    Rename a schedule
  schedule  Create or enter a schedule context
Related commands
running-schedules Context Commands
segmentX
Enters Segment context mode. The X represents a segment number, for example segment0.
Syntax
segmentX
Example
NGFW{running}segment0
NGFW{running-segment0}help
Valid commands are:
# Enter context
  bind
  bind
  delete bind|high-availability|link-down
  high-availability mode
  link-down breaker [wait-time WAIT-TIME]
  link-down hub
  link-down wire [wait-time WAIT-TIME]
  restart
# Other commands
  description TEXT
  help [full|COMMAND]
NGFW{running-segment0}?
Valid entries at this position are:
  bind               Bind ethernet port pairs to segment
  delete             Delete file or configuration item
  description        Enter description for the segment
  help               Display help information
  high-availability  Intrinsic HA Layer 2 Fallback action
  link-down          Link down synchronization mode
  restart            Restart both Ethernet ports of segment
NGFW{running-segment0}help bind
Bind ethernet port pairs to segment
Syntax: bind bind
  bind  Bind ethernet port pairs to segment
  bind  ethernet port pairs
Related commands
running-segmentX Context Commands
services
Enters services context mode.
Syntax
services
Example
NGFW{running}services
NGFW{running-services}help
Valid commands are:
  delete service all|USERSERVICENAME
  help [full|COMMAND]
  rename service USERSERVICENAME NEWSERVICENAME
  restore-default service SERVICENAME
NGFW{running-services}?
Valid entries at this position are:
  delete           Delete service(s)
  help             Display help information
  rename           Rename service
  restore-default  Restore default services
  service          Create or enter a service context
Related commands
running-services Context Commands
snmp
Enters SNMP context mode.
Syntax
snmp
Example
NGFW{running}snmp
NGFW{running-snmp}help
Valid commands are:
  authtrap enable|disable
  community COMMUNITY SOURCE
  delete community COMMUNITY|all
  delete trapsession (HOST ver VERSION)|all
  delete username (USERNAME|all)
  engineID ENGINE-ID
  help [full|COMMAND]
  snmp enable|disable
  trapsession HOST [port PORT] ver 2c COMMUNITY [inform]
  trapsession HOST [port PORT] ver 3 USERNAME level noAuthNoPriv [inform]
  trapsession HOST [port PORT] ver 3 USERNAME level authNoPriv authtype AUTHTYPE AUTHPASS [inform]
  trapsession HOST [port PORT] ver 3 USERNAME level authPriv authtype AUTHTYPE AUTHPASS privproto PRIVPROTO [PRIVPASS] [inform]
  username USERNAME level noAuthNoPriv
  username USERNAME level authNoPriv authtype AUTHTYPE AUTHPASS
  username USERNAME level authPriv authtype AUTHTYPE AUTHPASS privproto PRIVPROTO [PRIVPASS]
NGFW{running-snmp}?
Valid entries at this position are:
  authtrap     Configure SNMP authentication failure trap
  community    Configure SNMP read-only community
  delete       Delete file or configuration item
  engineID     Configure SNMPv3 engine ID
  help         Display help information
  snmp         Enable or disable SNMP
  trapsession  Configure a trap/inform
  username     Configure SNMPv3 USM read-only user
Related commands
running-snmp Context Commands
src-nat
Enters source NAT context mode.
Syntax
src-nat
Example
NGFW{running}src-nat
NGFW{running-snat}help
Valid commands are:
  delete rule all|SRCNATRULEID
  help [full|COMMAND]
  rule (auto|SRCNATRULEID) [POSITION_VALUE]
NGFW{running-snat}?
Valid entries at this position are:
  delete  Delete source NAT rule(s)
  help    Display help information
  rename  Rename source NAT rule
  rule    Create or enter a rule context
Related commands
running-snat Context Commands
vpn
Enters VPN context mode.
Syntax
vpn ipsec
Example
NGFW{running}vpn ipsec
NGFW{running-ipsec}help
Valid commands are:
  delete log vpn CONTACT-NAME
  delete phase1 proposal (all|NAME)
  delete phase2 proposal (all|NAME)
  delete policy (all|NAME)
  delete pre-shared-keys (all|A.B.C.D|X:X::X:X|HOSTNAME) [vrf-id ID|any]
  delete retransmit-timeout
  delete retransmit-tries
  delete trust (all|CANAME)
  delete user
  delete vpn (all|NAME)
  help [full|COMMAND]
  ipsec enable|disable
  log vpn CONTACT-NAME [SEVERITY]
  manual
  phase1 VERSION proposal NAME
  phase2 VERSION proposal NAME
  policy NAME [PRIORITY]
  pre-shared-key local A.B.C.D|X:X::X:X|LFQDN remote A.B.C.D|X:X::X:X|RFQDN|any
  retransmit-timeout TIMEOUT
  retransmit-tries COUNT
  trust CANAME
  user
  vpn NAME
NGFW{running-ipsec}?
Valid entries at this position are:
  delete              Delete file or configuration item
  help                Display help information
  ipsec               Enable or disable IPsec
  log                 Add a Notification Contact to a log service
  manual              Enter manual Security Association context
  phase1              Enter Phase1 proposal context
  phase2              Enter Phase2 proposal context
  policy              Enter IPSec Policy context
  pre-shared-key      Configure pre-shared key (start with 0x for hexadecimal key)
  retransmit-timeout  Configure IKEv2 Dead Peer Detection retransmission timeout in seconds
  retransmit-tries    Configure IKEv2 Dead Peer Detection maximum retransmission tries
  trust               Configure certification authority trust
  user                Enter VPN user context
  vpn                 Enter VPN context
Related commands
running-ipsec Context Commands
zones
Enters security zone context mode.
Syntax
zones
Example
NGFW{running}zones
NGFW{running-zones}help
Valid commands are:
  delete zone all|ZONENAME
  help [full|COMMAND]
  rename zone ZONENAME NEWZONENAME
  zone ZONENAME
NGFW{running-zones}?
Valid entries at this position are:
  delete  Delete security zone(s)
  help    Display help information
  rename  Rename a specified zone
  zone    Enter security zone context
Related commands
running-zones Context Commands

Contexts and Related Commands

running-aaa Context Commands

NGFW{running-aaa}delete

Delete file or configuration item.
Syntax
delete ldap-group (LDAPNAME|all)
delete radius-group (RADIUSNAME|all)
delete role (ROLE|all)
delete user (USER|all)
delete user-group (USERGROUP|all)
Example
NGFW{running}aaa
NGFW{running-aaa}delete ldap-group group1
NGFW{running-aaa}delete radius-group group1
NGFW{running-aaa}delete role myrole1
NGFW{running-aaa}delete user myuser1
NGFW{running-aaa}delete user-group group1

NGFW{running-aaa}display

Display configuration.
Syntax
display ldap-group LDAPGROUP [xml]
display ldap-schema (active-directory|novell-edirectory|fedora-ds|rfc2798|rfc2307nis|samba|custom) [xml]
display login-settings [xml]
display password-settings [xml]
display radius-group RADIUSGROUP [xml]
display remote-login-group [xml]
display role USER [xml]
display user USER [xml]
display usergroup USERGROUP [xml]
Example
NGFW{running-aaa}display ldap-group group1
NGFW{running-aaa}display ldap-schema active-directory
NGFW{running-aaa}display login-settings
NGFW{running-aaa}display password-settings
NGFW{running-aaa}display radius-group group1
NGFW{running-aaa}display remote-login-group
NGFW{running-aaa}display role superuserRole
NGFW{running-aaa}display user myuser1
NGFW{running-aaa}display usergroup group1

NGFW{running-aaa}ldap-group

Configure LDAP group. Maximum number of groups is two.
Syntax
ldap-group LDAPNAME
Example
NGFW{running-aaa}ldap-group mygroup

NGFW{running-aaa}ldap-schema

Configure LDAP schema.
Syntax
ldap-schema SCHEMA
SCHEMA (active-directory|novell-edirectory|fedora-ds|rfc2798|rfc2307nis|samba|custom)
Example
NGFW{running-aaa}ldap-schema custom
NGFW{running-aaa-ldap-schema-custom}

NGFW{running-aaa}login

Configure login settings.
Syntax
login maximum-attempts (0-10)
login failure-action (lockout|lockout-disable|audit)
login lockout-period MINUTES
login lockout-period (0-1440)
Example
NGFW{running-aaa}login failure-action lockout

NGFW{running-aaa}password

Configure password settings.
Syntax
password quality (basic|maximum|none)
password expiry-time (10d|20d|30d|45d|60d|90d|6m|1y)
password expiry-action (force-change|notify-user|disable-account)
Example
NGFW{running-aaa}password quality maximum
NGFW{running-aaa}password expiry-time 30d
NGFW{running-aaa}password expiry-action force-change

NGFW{running-aaa}radius-group

Configure RADIUS group. Maximum number of RADIUS groups is two.
Syntax
radius-group RADIUSNAME
Example
NGFW{running-aaa}radius-group group1

NGFW{running-aaa}remote-login-group

Configure LDAP or RADIUS group to use for either network or administrative login.
Syntax
remote-login-group (network|administrator) (GROUP|none)
Example
NGFW{running-aaa}remote-login-group administrator group1

NGFW{running-aaa}role

Configure an access role.
Syntax
role ROLE [OLDROLE]
Example
NGFW{running-aaa}role myrole1

NGFW{running-aaa}user

Configure a user identified by name.
Syntax
user NAME
Example
NGFW{running-aaa}user myuser1

NGFW{running-aaa}user-group

Configure a user group identified by name.
Syntax
user-group GROUPNAME
Example
NGFW{running-aaa}user-group group1
running-aaa-ldap-group-X Context Commands
NGFW{running-aaa-ldap-group-mygroup1}base-dn
Configure base distinguished name (DN).
Syntax
base-dn DN
Example
NGFW{running-aaa}ldap-group mygroup1
NGFW{running-aaa-ldap-group-mygroup1}base-dn DC=example,DC=com
NGFW{running-aaa-ldap-group-mygroup1}bind-dn
Configure bind distinguished name (DN).
Syntax
bind-dn DN
Example
NGFW{running-aaa-ldap-group-mygroup1}bind-dn CN=admin,OU=People,DC=example,DC=com
NGFW{running-aaa-ldap-group-mygroup1}bind-password
Configure LDAP bind password.
Syntax
bind-password PASSWORD
Example
NGFW{running-aaa-ldap-group-mygroup1}bind-password mysecret
NGFW{running-aaa-ldap-group-mygroup1}delete
Delete file or configuration item.
Syntax
delete server (ADDRESS|all)
Example
NGFW{running-aaa-ldap-group-mygroup1}delete server 192.168.1.1
NGFW{running-aaa-ldap-group-mygroup1}port
Configure LDAP port.
Syntax
port <0-65535>
Example
NGFW{running-aaa-ldap-group-mygroup1}port 389
NGFW{running-aaa-ldap-group-mygroup1}retries
Configure the number of retries for the LDAP server(s).
Syntax
retries RETRY
Example
NGFW{running-aaa-ldap-group-mygroup1}retries 3
NGFW{running-aaa-ldap-group-mygroup1}schema
Configure Schema.
Syntax
schema (active-directory|fedora-ds|novell-edirectory|rfc2307nis|rfc2798|samba|custom)
Example
NGFW{running-aaa-ldap-group-mygroup1}schema active-directory
NGFW{running-aaa-ldap-group-mygroup1}server
Configure LDAP server address.
Syntax
server (A.B.C.D|X:X::X:X) priority (1-6)
Example
NGFW{running-aaa-ldap-group-mygroup1}server 192.168.1.1 priority 1
NGFW{running-aaa-ldap-group-mygroup1}server 192.168.1.2 priority 2
NGFW{running-aaa-ldap-group-mygroup1}timeout
Configure timeout.
Syntax
timeout SECONDS
Example
NGFW{running-aaa-ldap-group-mygroup1}timeout 10
NGFW{running-aaa-ldap-group-mygroup1}tls
Configure TLS.
Syntax
tls (enable|disable)
tls start-tls (enable|disable)
tls require-valid-server-cert (enable|disable)
Example
NGFW{running-aaa-ldap-group-mygroup1}tls enable
NGFW{running-aaa-ldap-group-mygroup1}tls require-valid-server-cert enable
NGFW{running-aaa-ldap-group-mygroup1}tls start-tls enable
NGFW{running-aaa-ldap-group-mygroup1}version
Configure LDAP version.
Syntax
version (2|3)
Example
NGFW{running-aaa-ldap-group-mygroup1}version 3
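As an added example that is not from the guide or the NGFW CLI, the following Python audits a command transcript written in the prompt-and-command form this chapter uses for the settings that weaken administrator authentication: the login and password commands of the running-aaa context above, and the tls and version commands of the ldap-group context. The transcript format, the table of weak values and the sample lines are assumptions constructed here; only values set explicitly are judged, since the guide does not state the defaults.

```python
# Audit an NGFW AAA command transcript for weak authentication settings.
# Added example, not part of the HP guide or its CLI. Input lines use the
# guide's own form, NGFW{context}command; defaults are not judged since the
# guide does not state them.
import re

PROMPT = re.compile(r"^NGFW\{(?P<ctx>[^}]+)\}\s*(?P<cmd>\S.*)$")
# (context regex, setting, weakening value, why a reviewer cares)
WEAK_SETTINGS = [
    (r"^running-aaa-ldap-group-", "tls", "disable", "bind password and queries cross the network in clear text"),
    (r"^running-aaa-ldap-group-", "tls require-valid-server-cert", "disable", "server certificate is not validated, so the LDAP server can be spoofed"),
    (r"^running-aaa-ldap-group-", "version", "2", "LDAPv2 is obsolete (retired by RFC 3494)"),
    (r"^running-aaa$", "password quality", "none", "no password complexity is enforced"),
    (r"^running-aaa$", "login failure-action", "audit", "failed logins are only logged, never locked out"),
]
# Longest setting first so "tls require-valid-server-cert X" is not read as "tls X".
SETTINGS = sorted({s for _, s, _, _ in WEAK_SETTINGS}, key=len, reverse=True)

def final_settings(transcript):
    """Last value per (context, setting); a later command overrides an earlier one."""
    values = {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        ctx, cmd = m.group("ctx"), m.group("cmd")
        for setting in SETTINGS:
            if cmd.startswith(setting + " "):
                values[(ctx, setting)] = cmd[len(setting):].strip()
                break
    return values

def audit(transcript):
    """One finding per weak final value, sorted for stable output."""
    findings = []
    for (ctx, setting), value in final_settings(transcript).items():
        for ctx_re, name, weak, why in WEAK_SETTINGS:
            if name == setting and value == weak and re.match(ctx_re, ctx):
                findings.append(f"{ctx}: '{setting} {value}' - {why}")
    return sorted(findings)

# Constructed transcript: tls is disabled, then enabled (the later command
# wins), but certificate validation is left off.
SAMPLE = """\
NGFW{running-aaa}password quality none
NGFW{running-aaa}login failure-action audit
NGFW{running-aaa-ldap-group-mygroup1}tls disable
NGFW{running-aaa-ldap-group-mygroup1}tls enable
NGFW{running-aaa-ldap-group-mygroup1}tls require-valid-server-cert disable
"""
```

Running audit(SAMPLE) reports the password quality, login failure-action and require-valid-server-cert findings but not tls, because the later tls enable supersedes the earlier tls disable.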
running-aaa-radius-group-X Context Commands
NGFW{running-aaa-radius-group-2}default-usergroup
Default usergroup.
Syntax
default-usergroup GROUP|none
Example
NGFW{running-aaa}radius-group 2
NGFW{running-aaa-radius-group-2}default-usergroup administrator
NGFW{running-aaa-radius-group-2}delete
Delete file or configuration item.
Syntax
delete server (A.B.C.D|X:X::X:X|all)
Example
NGFW{running-aaa-radius-group-2}delete server 192.168.1.1
NGFW{running-aaa-radius-group-2}retries
Configure server retries.
Syntax
retries (0-5)
Example
NGFW{running-aaa-radius-group-2}retries 3
NGFW{running-aaa-radius-group-2}server
Configure server.
Syntax
server (A.B.C.D|X:X::X:X) [PORT] password PASSWORD priority (1-6) timeout (0-300) [nas-id NASID]
Example
NGFW{running-aaa-radius-group-2}server 192.168.1.1 1812 password mysecret priority 1 timeout 10 nas-id 1
NGFW{running-aaa-radius-group-2}server 192.168.1.7 1812 password mysecret priority 2 timeout 10 nas-id 1
running-actionsets Context Commands
Immediate Commit Feature. Changes take effect immediately.

NGFW{running-actionsets}actionset

Enter an action set context with defined name.
Syntax
actionset ACTIONSETNAME
Example
NGFW{running}actionsets
NGFW{running-actionsets}actionset myactionset1

NGFW{running-actionsets}delete

Delete file or configuration item.
Syntax
delete actionset ACTIONSETNAME
Example
NGFW{running-actionsets}delete actionset myactionset1

NGFW{running-actionsets}rename

Rename an action set from oldname to newname.
Syntax
rename actionset ACTIONSETNAME NEWACTIONSETNAME
Example
NGFW{running-actionsets}rename actionset myactionset1 myactionset2
running-actionsets-X Context Commands
NGFW{running-actionsets-myactionset1}action
Set action type. Available values: permit, rate-limit, block, trust.
Immediate Commit Feature. Changes take effect immediately.
Syntax
action (permit|rate-limit|block|trust)
Example
NGFW{running-actionsets}actionset myactionset1
NGFW{running-actionsets-myactionset1}action rate-limit
NGFW{running-actionsets-myactionset1}allow-access
Allow quarantined host to access defined IP.
Syntax
allow-access DESTIP
Example
NGFW{running-actionsets-myactionset1}allow-access 192.168.1.1
NGFW{running-actionsets-myactionset1}bytes-to-capture
Set bytes to capture for packet trace.
Syntax
bytes-to-capture BYTES
Example
NGFW{running-actionsets-myactionset1}bytes-to-capture 6144
NGFW{running-actionsets-myactionset1}contact
Add a notify contact.
Syntax
contact XCONTACTNAME
Example
NGFW{running-actionsets-myactionset1}contact mycontact1
NGFW{running-actionsets-myactionset1}contact "Management Console"
NGFW{running-actionsets-myactionset1}delete
Delete file or configuration item.
Syntax
delete allow-access DESTIP
delete contact XCONTACTNAME
delete limit-quarantine SOURCEIP
delete no-quarantine SOURCEIP
Example
NGFW{running-actionsets-myactionset1}delete allow-access 192.168.1.1
NGFW{running-actionsets-myactionset1}delete contact mycontact1
NGFW{running-actionsets-myactionset1}delete limit-quarantine 192.168.1.1
NGFW{running-actionsets-myactionset1}delete no-quarantine 192.168.1.1
NGFW{running-actionsets-myactionset1}http-block
Set quarantine option to block HTTP traffic.
Syntax
http-block
Example
NGFW{running-actionsets-myactionset1}http-block
NGFW{running-actionsets-myactionset1}http-custom
Set or clear HTTP custom text display option.
Syntax
http-custom TEXT
Example
NGFW{running-actionsets-myactionset1}http-custom "my custom message"
NGFW{running-actionsets-myactionset1}http-redirect
Set redirect URL for HTTP redirect option.
Syntax
http-redirect URL
Example
NGFW{running-actionsets-myactionset1}http-redirect https://www.example.com
NGFW{running-actionsets-myactionset1}http-showdesc
Set or clear HTTP show description display option.
Syntax
http-showdesc (enable|disable)
Example
NGFW{running-actionsets-myactionset1}http-showdesc enable
NGFW{running-actionsets-myactionset1}http-showname
Set or clear HTTP show name display option.
Syntax
http-showname (enable|disable)
Example
NGFW{running-actionsets-myactionset1}http-showname enable
NGFW{running-actionsets-myactionset1}limit-quarantine
Add IP for limit quarantine.
Syntax
limit-quarantine SOURCEIP
Example
NGFW{running-actionsets-myactionset1}limit-quarantine 192.168.1.1
NGFW{running-actionsets-myactionset1}limit-rate
Set the rate value for rate-limit action.
Syntax
limit-rate RATE
Example
NGFW{running-actionsets-myactionset1}limit-rate 1500
NGFW{running-actionsets-myactionset1}no-quarantine
Add IP for no quarantine.
Syntax
no-quarantine SOURCEIP
Example
NGFW{running-actionsets-myactionset1}no-quarantine 192.168.1.1
NGFW{running-actionsets-myactionset1}nonhttp-block
Set quarantine option to block non-HTTP traffic.
Syntax
nonhttp-block (enable|disable)
Example
NGFW{running-actionsets-myactionset1}nonhttp-block enable
NGFW{running-actionsets-myactionset1}packet-trace
Enable/disable packet trace option.
Syntax
packet-trace (enable|disable)
Example
NGFW{running-actionsets-myactionset1}packet-trace enable
NGFW{running-actionsets-myactionset1}priority
Set packet trace priority.
Syntax
priority PRIORITY
Example
NGFW{running-actionsets-myactionset1}priority medium
NGFW{running-actionsets-myactionset1}quarantine
Set quarantine option. Available options: no, immediate, threshold.
Syntax
quarantine QUARANTINETYPE
Example
NGFW{running-actionsets-myactionset1}quarantine immediate
NGFW{running-actionsets-myactionset1}tcp-reset
Set tcp reset option for block action. Available options: none (disable), source, dest, or both.
Syntax
tcp-reset (none|source|dest|both)
Example
NGFW{running-actionsets-myactionset1}tcp-reset both
NGFW{running-actionsets-myactionset1}threshold
Set quarantine threshold value.
Syntax
threshold (2-10000) (1-60)
Example
NGFW{running-actionsets-myactionset1}threshold 200 5
NGFW{running-actionsets-myactionset1}verbosity
Set packet trace verbosity.
Syntax
verbosity (partial|full)
Example
NGFW{running-actionsets-myactionset1}verbosity full