HP X Unified Security Platform Command Reference Guide

3Com® X Family Command Line Interface Reference

Version 2.5.1
Part Number TECHD-178 Rev B01 Published April 2007
http://www.3com.com/
3Com Corporation 350 Campus Drive Marlborough, MA 01752-3064
Copyright © 2005–2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms, or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hardcopy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.
UNITED STATES GOVERNMENT LEGENDS:
If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:
United States Government Legend: All technical data and computer software is commercial in nature and developed solely at private expense. Software is delivered as Commercial Computer Software as defined in DFARS 252.227-7014 (June 1995) or as a commercial item as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.
3Com, the 3Com logo, TippingPoint, the TippingPoint logo, and Digital Vaccine are registered trademarks of 3Com Corporation or one of its subsidiaries.
OpenView is a trademark of Hewlett-Packard Development Company. Microsoft and Windows are registered trademarks or trademarks of Microsoft Corporation in the United States and other countries. Oracle is a registered trademark of Oracle Corporation.
Other brand and product names may be registered trademarks or trademarks of their respective holders.

Contents

Contents iii
About This Guide v
  Welcome to the X Family CLI v
  Target Audience vi
  Conventions vi
  Related Documentation viii
  Customer Support viii
Chapter 1: X Family Startup Configuration 1
  Overview 1
  Initial Configuration 1
  Configuration Categories 2
  Initiating the Setup Wizard 4
  Account Security Level 4
  Super-User Data 5
  Host Configuration 7
  Timekeeping Options 7
  Network Deployment Configuration 9
  Virtual Interface Configuration 9
  Basic Security Zone Configuration 10
  Assigning Zones to Virtual Interfaces 11
  Configuring DNS Settings 11
  Setup Firewall Rules 12
  Enabling SMS Configuration 13
  Web, CLI, and SNMP Server Options 14
  NMS Settings 16
  Restrict SMS 16
  Additional Configuration 16
  After the Setup Wizard 20
Chapter 2: Command Reference 21
  Overview 21
  ! 28
  alias 28
  boot 29
  bugreport 30
  clear 31
  cls 33
  configure 33
  debug 81
  exit 81
  halt 82
  help 82
  high-availability 82
  history 83
  logout 83
  ping 84
  quarantine 85
  quit 85
  reboot 85
  setup 86
  show 86
  snapshot 118
  traceroute 118
  traffic-capture 119
  tree 120
  who 121
  whoami 122
Chapter 3: Navigation 123
  Overview 123
  Logging in to the CLI 123
  Navigation 124
  Console Settings 128
Index 131

About This Guide

Explains who this guide is intended for, how the information is organized, where information updates can be found, and how to obtain customer support if you cannot resolve a problem.

Welcome to the X Family CLI

Welcome to the X family Command Line Interface (CLI). The CLI is the interface for issuing commands via a command line prompt for the X family device. You use this interface to configure, monitor, and report on the X family devices in your network.
This section covers the following topics:
“Target Audience” on page vi
“Conventions” on page vi
“Related Documentation” on page viii
“Customer Support” on page viii

Target Audience

This guide is intended for super-users and administrators who manage one or more X family devices.

Knowledge, Skills, and Abilities

This guide assumes you, the reader, are familiar with general networking concepts and the following standards and protocols:
• TCP/IP
• UDP
• ICMP
• Ethernet
• Network Time Protocol (NTP)
• Simple Mail Transport Protocol (SMTP)
• Simple Network Management Protocol (SNMP)

Conventions

This guide follows several procedural and typographical conventions to provide clear and understandable instructions and descriptions. These conventions are described in the following sections.
This book uses the following conventions for structuring information:
• Cross References
• Typeface
• Messages

Cross References

When a topic is covered in depth elsewhere in this guide, or in another guide in this series, a cross reference to the additional information is provided. Cross references help you find related topics and information quickly.
Internal Cross References
This guide is designed to be used as an electronic document. It contains cross references to other sections of the document that act as hyperlinks when you view the document online. The following text is a hyperlink: Messages.
External Cross References
Cross references to other publications are not hyperlinked. These cross references will take the form: see <chapter name > in the Publication Name.

Typeface

This guide uses the following typographical conventions:
• bold: used for commands or parameters, which must be entered exactly as shown.
• light font: used for variables, for which you supply a value.
• brackets []: used to indicate an optional element.
• <1 | 2 >: angle brackets and vertical bars are used to indicate a choice that must be made.
• Italic: used for guide titles, variables, and important terms.
• Hyperlink: used for cross references in a document or links to a Web site.

Messages

Messages are special text that are emphasized by font, format, and icons. There are four types of messages in this guide:
• Warning
• Caution
• Note
• Tip
A description of each message type with an example message follows.
Warning
Warnings tell you how to avoid physical injury to people or equipment. For example:
WARNING: The push-button on/off power switch on the front panel of the server does not turn off the AC power. To remove AC power from the server, you must unplug the AC power cord from either the power supply or the wall outlet.
Caution
Cautions tell you how to avoid a serious loss that could cause physical damage such as the loss of data, time, or security. You should carefully consider this information when determining a course of action or procedure. For example:
CAUTION: You should disable password caching in the browser you use to access the LSM. If you do not disable password caching in your browser, and your workstation is not secured, your system security may be compromised.
Note
Notes tell you about information that might not be obvious or that does not relate directly to the current topic, but that may affect relevant behavior. For example:
Note: Some command examples in this document are split across several lines due to space constraints; however, you must enter them on a single line (with no carriage returns).
Tip
Tips are suggestions about how you can perform a task more easily or more efficiently. For example:
Tip: You can collect firewall statistics using configure terminal firewall monitor.

Related Documentation

The X family devices have a full set of documentation. These publications are available in electronic format on CD. For the most recent updates, check the Threat Management Center (TMC) web site at https://tmc.tippingpoint.com.

Customer Support

We are committed to providing quality customer support to all customers. A customer is provided with detailed customer and support contact information. For the most efficient resolution of your problem, please take a moment to gather some basic information from your records and from your system before contacting customer support.
Information | Location
Your X family device serial number | You can find this number in the LSM in the System Summary page, on the shipping invoice that came with the device, or on the bottom of the device.
Your TOS version number | You can find this information in the LSM in the System Summary page, or by using the CLI show version command.
Your X family system boot time | You can find this information in the LSM in the System Summary page.

Contact Information

Please address all questions regarding the software to your authorized representative.
Chapter 1: X Family Startup Configuration

The X family device is a high-speed, comprehensive security system. This section describes the steps required to start managing the X family device.

Overview

You must complete basic configuration of the X family device to pass traffic in the default configuration. The X Family Setup Wizard provides a convenient way for you to enter the necessary configuration data when you install a new device on your network, or when you move or reconfigure a device within your network. Refer to the following documents for hardware installation:
• Quick Start Guide
• Hardware Installation and Safety Guide
For the most recent updates, check the Threat Management Center (TMC) website. The Customer Support phone number is 1-866-681-8324.

Initial Configuration

You can perform initial configuration on the X family device with the OBE Setup Wizard or with the CLI Setup Wizard.

The OBE Setup Wizard

The OBE Setup Wizard runs when you first connect to the device through the Local Security Manager (LSM) with your web browser. The LSM is a web-based GUI for managing one X family device. The LSM provides HTTP and HTTPS (secure management) access. This access requires one of the following browsers:
• Microsoft Internet Explorer 6.0 or later
• Firefox 1.5 or later
• Mozilla 1.7 or later
• Netscape 8.1 or later
Using the LSM, you have a graphical display for reviewing, searching, and modifying settings. The GUI interface also provides graphical reports for monitoring the device traffic, triggered filters, and packet statistics.
For more information about using the OBE Setup Wizard to configure the device, refer to the Quick Start Guide for the X family device model. For more information about the LSM, refer to the Local Security Manager User’s Guide.

The CLI Setup Wizard

The Setup Wizard runs automatically on a console via a serial port connection when you first boot the X family device. You can also run the setup wizard from the Command Line Interface (CLI) at any time by entering the setup command.
This chapter describes the initial configuration process with the CLI Setup Wizard.

Configuration Categories

The CLI Setup Wizard runs a series of short interactive dialogs to set several basic configuration variables on the X family device. The Out-of-the-Box Terminal Setup Wizard runs when the setup wizard is activated for the first time, or at another time with the setup command. This wizard is run on a system connected to the serial port, such as a workstation or laptop.
After you run the setup wizard using a serial terminal, you can further configure the device using subsequent setup commands through the CLI. See “Additional Configuration” on page 16 for details.
The Out-of-the-Box Setup Wizard runs on a workstation or laptop connected to the serial port of the device. The configuration dialogs are shown in the following table:
Table 1–1: Out-of-the-Box Terminal Setup Wizard Configuration Settings
Out-of-the-Box Setup | Subsequent Setups | Settings
Account Security Level | | account security level
Super-user Data | | super-user login name; super-user password
Timekeeping Options | Timekeeping Options | NTP or CMOS clock; time zone; daylight saving time; NTP: up to four time servers or peers; CMOS clock: date, time
Modify interfaces | Modify virtual interfaces | IP allocation settings; subnet mask; NAT enable/disable
Modify security zones | Modify security zones | create zone; allocate ports to zones; assign zones to interfaces; enable DHCP on an internal interface
Setup basic firewall rules | Modify firewall rules | view default firewall rules; allow all internal zones access to the Internet; apply web filtering; allow management of device from WAN
Enable SMS Configuration | Enable SMS Configuration | enable SMS configuration; select the SMS device that will configure the X family device
Web, CLI, and SNMP Server Options | Web, CLI, and SNMP Server Options | HTTPS or HTTP; SSH; SNMP
NMS Configuration | NMS Configuration | NMS IP address and port; NMS community string
Restricted SMS Access | Restricted SMS Access | SMS IP address
 | Ethernet Ports | enable ports; line speed; duplex setting; auto negotiation
 | Default E-Mail Contact | TO: email; FROM: email; email domain; SMTP server IP; email aggregation period
 | Remote Syslog Server | IP address

Initiating the Setup Wizard

When the Setup Wizard runs, the following screen displays:
Welcome to the TippingPoint Technologies Initial Setup wizard. Press any key to begin Initial Setup Wizard.
When you press a key, you see the following:
You will be presented with some questions along with default values in brackets[]. Please update any empty fields or modify them to match your requirements. You may press the ENTER key to keep the current default value. After each group of entries, you will have a chance to confirm your settings, so don't worry if you make a mistake.
Continue to the following section for instructions on account security.
Tip: During initial setup, use the Ctrl-H key combination to erase characters you have already typed. Ctrl-H deletes from right to left one character at a time.

Account Security Level

The Security Level dialog sets the security level settings that restrict user names and passwords. The default security level is Level 2, but you have the option to select any of the three available levels:
Table 1–2: Security Levels
Level | Description
Level 0 | User names cannot contain spaces. Passwords are unrestricted.
Level 1 | User names must contain at least 6 characters without spaces. Passwords must contain at least 8 characters without spaces.
Level 2 | Includes Level 1 restrictions and requires the following:
  • 2 alphabetic characters
  • 1 numeric character
  • 1 non-alphanumeric character (special characters such as ! ? and *).
Example
There are three security levels for specifying user names and passwords:
Level 0: User names and passwords are unrestricted.
Level 1: Names must be at least 6 characters long; passwords at least 8.
Level 2: In addition to level 1 restrictions, passwords must contain:
- at least 2 alpha characters
- at least 1 numeric character
- at least 1 non-alphanumeric character
Please specify a security level to be used for initial super-user name and password creation. As super-user, you can modify the security level later on via Command Line Interface (CLI) or Local Security Manager (LSM).
Security level [2]:

Super-User Data

The Super-User Data dialog sets the super-user login name and password. The login name and password must meet the restrictions of the security level that you set in the Security Level dialog. The following tables list examples of valid and invalid login names and passwords.
Table 1–3: Login Name Examples
Valid Login Names | Invalid Login Names
fjohnson | fredj (too short in Levels 1 and 2, valid for Level 0)
fredj123 | fred j 123 (contains spaces)
fredj-123 | fj123 (too short)
fredj-*123 | fj 123 (contains spaces)
Table 1–4: Password Examples for Level 2 Security
Valid Passwords | Invalid Passwords
my-pa55word | my-pa55 (too short)
my-b1rthday | mybirthday (must contain numeric)
myd*g’snam3 | mydogsnam3 (must contain a non-alphanumeric character)
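The following Python script is an added example, not part of the 3Com guide: it encodes the Level 0, 1 and 2 rules from Table 1–2 and checks the sample login names and passwords from Tables 1–3 and 1–4 against them. The function names and the error strings are my own; the wizard itself reports its checks in its own wording.

```python
"""Validator for the X family setup wizard's three account security levels.

Added example (not 3Com's code). Rules follow Table 1-2 of the guide:
  Level 0: user names may not contain spaces; passwords are unrestricted.
  Level 1: user names >= 6 characters, passwords >= 8, neither with spaces.
  Level 2: Level 1 plus at least 2 alphabetic, 1 numeric and
           1 non-alphanumeric character in the password.
"""

# Minimum lengths per security level (Table 1-2). Level 0 imposes no
# length requirement at all, only the no-spaces rule on user names.
MIN_USER_LEN = {0: 0, 1: 6, 2: 6}
MIN_PASS_LEN = {0: 0, 1: 8, 2: 8}

ERR_SPACES = "contains spaces"
ERR_SHORT = "too short"
ERR_ALPHA = "must contain at least 2 alphabetic characters"
ERR_DIGIT = "must contain a numeric character"
ERR_SPECIAL = "must contain a non-alphanumeric character"


def check_login_name(name, level):
    """Return the list of rule violations for a super-user login name.

    An empty list means the name is acceptable at that level.
    """
    errors = []
    if " " in name:                       # forbidden at every level
        errors.append(ERR_SPACES)
    if len(name) < MIN_USER_LEN[level]:
        errors.append(ERR_SHORT)
    return errors


def check_password(password, level):
    """Return the list of rule violations for a password at the given level.

    Unlike the one-reason notes in Table 1-4, every failed rule is reported,
    so a password can come back with more than one violation.
    """
    if level == 0:
        return []                         # Level 0 passwords are unrestricted
    errors = []
    if " " in password:
        errors.append(ERR_SPACES)
    if len(password) < MIN_PASS_LEN[level]:
        errors.append(ERR_SHORT)
    if level == 2:
        # Level 2 adds the character-class requirements on top of Level 1.
        if sum(c.isalpha() for c in password) < 2:
            errors.append(ERR_ALPHA)
        if not any(c.isdigit() for c in password):
            errors.append(ERR_DIGIT)
        # Spaces are already rejected above, so they do not count as "special".
        if not any((not c.isalnum()) and (not c.isspace()) for c in password):
            errors.append(ERR_SPECIAL)
    return errors


def credentials_valid(name, password, level=2):
    """True when both values pass; the default level is the wizard's default, 2."""
    return not check_login_name(name, level) and not check_password(password, level)


if __name__ == "__main__":
    # Sample values constructed from Tables 1-3 and 1-4 (plain apostrophe used
    # in place of the curly one printed in the guide).
    names = ["fjohnson", "fredj123", "fredj-123", "fredj-*123",
             "fredj", "fred j 123", "fj123", "fj 123"]
    passwords = ["my-pa55word", "my-b1rthday", "myd*g'snam3",
                 "my-pa55", "mybirthday", "mydogsnam3"]
    for level in (0, 1, 2):
        for n in names:
            print(f"Level {level} name {n!r}: {check_login_name(n, level) or 'valid'}")
    for p in passwords:
        print(f"Level 2 password {p!r}: {check_password(p, 2) or 'valid'}")
    # The super-user account created in the guide's own example dialog.
    print("superuser / root--00 at Level 2:", credentials_valid("superuser", "root--00"))
```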
Example
In this example, the password is presented in italics. In the actual dialog, the password would not be visible.
Please enter a user name that we will use to create your super-user account. Spaces are not allowed.
Name: superuser
Do you wish to accept [superuser] <Y,[N]>:Y
Please enter your super-user account password: root--00
Verify password: root--00
Saving information...Done
Your super-user account has been created.
You may continue initial configuration by logging into your device. After logging in, you will be asked for additional information.

Host Configuration

The Host Configuration dialog configures the host name and host location. You also have the option to configure the host management port.
CAUTION: Do not configure the host management port unless you have been specifically instructed to do so by technical support.
Example
In this example, the host management port is not configured, and the host name is set as device11 in the location lab.
The host management port is used to configure and monitor this device via a network connection (e.g., a web browser).
Have you been directed by technical support to configure the management port? <Y,[N]>:N
Enter Host Name [myhostname]: device11
Enter Host Location [room/rack]: lab
Host Name: device11
Host Location: lab
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: A

Timekeeping Options

The Timekeeping Options dialog configures the X family device clock. You can configure the following options.
Time Zone
The time zone option calculates and shows the local time. System logs are kept in Universal Time (UTC), but the device calculates local time for display purposes. Entering the proper time zone enables the device to display local time properly.
Daylight Saving Time
The daylight saving time option enables and disables the calculation of time based on the time of year.
NTP
The X family device can keep time using its internal CMOS clock or it can use a Network Time Protocol (NTP) server.
Note: Use the show ntp session and show ntp status commands to inspect the operation of the NTP protocol.
NTP Server
Configuring a host as an NTP server causes the X family device to query that host to obtain information on the current time. If multiple time servers are specified, the device aggregates data from all available servers to calculate the best time estimate. Providing multiple sources improves both the reliability and accuracy of the time data.
NTP Peer
Configuring a host as an NTP peer causes the X family device to both send time information to and receive time information from the host. This allows multiple devices to mutually exchange time information, allowing for a higher resilience against the failure of one or more time servers.
Date and Time
If you are not using NTP, you must specify the current date and time.
Example
In this example, the time zone is set to Central Standard Time (CST), Daylight Saving Time changes are enabled, and NTP is not enabled. The default date is accepted, and the current time is entered manually:
Timekeeping options allow you to set the time zone, enable or disable daylight saving time, and configure or disable NTP.
Would you like to modify timekeeping options? <Y,[N]>: y
Enter time zone or '?' for complete list [GMT]: CST
Automatically adjust clock for daylight saving changes? [Yes]: N
Do you want to enable the NTP client? [No]: N
Enter date <YYYY-MM-DD> [2006-06-09]:
Enter time <HH:MM:SS> in 24 hour notation [09:02:40]: 08:02:00
TimeZone: CST
DST enabled: No
NTP enabled: No
Date: 2006-06-09
Time: 08:02:00
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: A

Network Deployment Configuration

The Network Deployment Configuration dialog selects the type of network deployment that the X family device will use. The following deployments are available:
Routed mode: All IP subnets are unique, and addresses that traverse to the WAN zone may be subject to Network Address Translation (NAT).
NAT mode: Hosts in the LAN zone run in a private IP address range, and hosts in the WAN zone run in a public IP address range. Addresses that traverse to the WAN zone may be subject to Network Address Translation (NAT).
Transparent (Layer 2) mode: Firewalls are enforceable between security zones, but all zones are in the same broadcast domain.
NAT mode and Routed mode require internal and external virtual interfaces (VIs). The device has a single internal VI and a single external VI configured by default. Virtual Interface Configuration is discussed in detail in “Virtual Interface Configuration” on page 9.
Example
The X-Series device may be configured into a number of well known network deployments.
Would you like to modify the network deployment mode? <Y,[N]>:y
Please choose a network deployment option:
1) Routed mode
2) NAT mode
3) Transparent (layer 2) mode
Please Select []: 1

Virtual Interface Configuration

The virtual interface dialog of the initial setup wizard modifies the configuration of the internal and external interfaces and includes IP allocation, IP subnet, default gateway, and enabling or disabling NAT.
Example
In this example, the default interface IP addresses are reviewed and accepted:
Virtual interfaces define how this device integrates with the IP layer 3 network. You must configure one virtual interface for every IP subnet that is directly connected to the X-Series device. For example, you need one for the WAN connection (external virtual interface) and one for every directly connected network subnet (internal virtual interfaces).
Would you like to modify virtual interfaces? <Y,[N]>:y
Virtual interfaces:
Id  Type      Mode    IP Address     Subnet Mask    NAT
1   internal  static  192.168.1.254  255.255.255.0  external-ip
2   external  dhcp    10.0.1.200     255.255.255.0  disable
3   <empty>
4   <empty>
5   <empty>
6   <empty>
Enter [A]ccept, [C]hange, [R]emove or [E]xit without saving [C]: a

Basic Security Zone Configuration

The Security Zone dialog modifies the basic configuration of security zones, which divide your network into logical security domains. Network traffic between security zones is routed and scanned by the firewall and the IPS policies that you create.
In the setup process, you can assign security zones to different ports. You can change the zone configuration at any time afterwards.
Example
In this example, a new security zone called MyZone is created:
Security zones enable you to section your network logically into security domains. As network traffic travels between zones, it is routed and security-scanned by the firewall and IPS according to the policies you define. You need to create security zones that naturally map onto your intended network security boundaries. A security zone may or may not be connected (mapped) to a virtual interface.
Would you like to modify security zones? <Y,[N]>:y
Security zones:
#   Zone name  Ports
1   LAN        1
2   VPN        None
3   WAN        6
4   <empty>
5   <empty>
6   <empty>
7   <empty>
8   <empty>
9   <empty>
10  <empty>
Enter [A]ccept, [C]hange, [R]emove or [E]xit without saving [C]: c
Enter the number of the entry you want to change []: 2
Zone Name [LAN2]: MyZone
Network port (0 for None) [0]: 1
*** WARNING: Accepting this change will move port 1 from "LAN" to "VPN". ***
Security zones:
#   Zone name  Ports
1   LAN        None
2   VPN        1
3   WAN        6
4   <empty>
5   <empty>
6   <empty>
7   <empty>
8   <empty>
9   <empty>
10  <empty>
Enter [A]ccept, [C]hange, [R]emove or [E]xit without saving [C]: a

Assigning Zones to Virtual Interfaces

The Modify Security Zones Mapping to Virtual Interfaces dialog maps existing zones to existing interfaces.
Example
Would you like to modify security zone to Virtual Interfaces mapping? <Y,[N]>:y
Virtual interface to security zone mapping:
Id  Type      Zones  Mode    IP Address     Subnet Mask
1   internal  LAN    static  192.168.1.254  255.255.255.0
              VPN
2   external  WAN    dhcp
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: c
Enter the number of the entry you want to change []: 1
Enter [A]dd, [R]emove, or [E]xit without saving [E]: r
Zone name []: LAN
Virtual interface to security zone mapping:
Id  Type      Zones  Mode    IP Address     Subnet Mask
1   internal  VPN    static  192.168.1.254  255.255.255.0
2   external  WAN    dhcp
Enter [A]ccept, [C]hange or [E]xit without saving [C]: a

Configuring DNS Settings

The Domain Name Services (DNS) dialog configures DNS settings. By default, the X family device acquires DNS settings using DHCP. You can use a custom DHCP server or specify a static address.
Example
DNS (Domain Name Service) is a system which translates computer host names to IP addresses. The X-Series device requires DNS configuration in order to perform web filtering.
Would you like to configure DNS? <Y,[N]>:y
Would you like to use the DNS configuration obtained from the WAN connection ? <[Y],N>:n
Enter DNS Server 1 IP Address (0.0.0.0 to clear): []: 10.0.0.1
Enter DNS Server 2 IP Address (0.0.0.0 to clear): []: 10.0.0.2
Enter DNS Server 3 IP Address (0.0.0.0 to clear): []:
Enter DNS Search Domain 1 ("" to clear): []: example.com
Enter DNS Search Domain 2 ("" to clear): []:
Enter DNS Search Domain 3 ("" to clear): []:
DNS settings manually configured.
DNS Server 1: 10.0.0.1
DNS Server 2: 10.0.0.2
DNS Server 3:
DNS Domain 1: example.com
DNS Domain 2:
DNS Domain 3:
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: a

Setup Firewall Rules

The Setup Firewall Rules dialog resets all firewall rules back to the factory defaults and then enables you to view and modify them. You are also able to configure web filtering.
Example
Firewall policy rules control the flow of network traffic between security zones. Firewall policy rules control traffic flow based on source and destination security zones and network protocol.
Would you like to modify firewall policy rules? <Y,[N]>:y
The current state of firewall rules is as follows:
ID  Action  Source  Destination  Service            E
1   permit  LAN     WAN          ANY                X
2   permit  WAN     this-device  vpn-protocols      X
3   permit  LAN     this-device  management         X
4   permit  LAN     this-device  network-protocols  X
Key: (E)nabled
Modifying the firewall rules via this wizard resets the rules to a default state and allows you to configure basic policies for Internet access, web filtering, and device management.
Do you want to continue? <Y,[N]>:y
Would you like default policies allowing all internal security zones access to the Internet? <Y,[N]>:y
You may now choose to enable the web filtering service. Note that access to this service requires a subscription.
Would you like to enable web filtering (license required) and set up firewall rules for all internal security zones? <Y,[N]>:y
Please choose a web filtering server. For best performance, select the server location that is closest to you. Available locations are:
#   Location
1   North America (us.surfcpa.com)
2   Europe 1 (uk1.surfcpa.com)
3   Europe 2 (uk2.surfcpa.com)
4   Asia (asia.surfcpa.com)
Enter web filtering server selection []: 3
Would you like to allow management of the device from the external security zone (inband management)? <Y,[N]>:y
Would you like to enable DHCP server on internal security zones <Y,[N]>:y

Enabling SMS Configuration

The SMS Configuration dialog enables or disables configuration of the device by a Security Management System (SMS). If you enable this feature, you will be prompted to enter the IP address of the SMS device that you want to manage the X family device. The X family device will initiate a call to the SMS to begin the acquisition of the configuration files.
Note: The SMS must be correctly configured to enable remote deployment to the device. For detailed information about the SMS and remote deployment, see “X Family Remote Deployment” in the SMS User’s Guide.
By default, the external virtual interface on the X family device uses DHCP to acquire a dynamic IP address from a DHCP Server. You do not need to make any changes to the default setting when you enable SMS configuration. Additional configuration will be required if you use other external IP address options such as static, PPPoE, PPTP, or L2TP. The following example assumes that the X family device is using the default external virtual interface settings.
Example
SMS-based configuration allows the device to retrieve the configuration for a secure management VPN to the SMS system. This ensures that the device can be managed securely from the SMS
Would you like to enable SMS-based configuration? <Y,[N]>:y
Enter Primary Security Management System IP Address []: 10.24.54.210
Do you have a redundant SMS server? <Y,[N]>: n
Primary SMS IP address: 10.24.54.210
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: a
When the SMS is on a different site than the device, a potential misconfiguration in the SMS may result in the loss of remote management access to the device. To protect against this you can enable a firewall rule to allow SSH and HTTPS access into the device from the WAN security zone and the internet. This rule will only be enabled after the SMS has timed out trying to acquire the device. During the time the firewall rule is enabled, management access to the device will be available to any IP address on the internet providing the correct username and password.
Would you like to enable WAN access on SMS configuration failure? <Y,[N]>: N

Web, CLI, and SNMP Server Options

The Web, CLI, and SNMP Server Options dialog turns the X family device servers on and off. You should always use the secure Web and CLI servers (HTTPS and SSH) when conducting normal operations. You should only use the non-secure (HTTP) servers for troubleshooting if you cannot get the secure alternatives running for some reason.
Note: You do not need to run any servers if you want to control the X family device only through the serial port, but you will be unable to manage filters without servers. You can turn off all servers by using the following commands:
• conf t server no http
• conf t server no https
• conf t server no ssh
• conf t sms no v2
You must reboot the device for changes to HTTP or HTTPS to take effect.

Secure and Non-Secure Operation

You can enable the secure and non-secure servers for the CLI (SSH and HTTP). You cannot enable both the secure and non-secure servers for the Web. This is to prevent inadvertent security lapses within your network security infrastructure. In practical terms, this means that if you enable the HTTPS server, the HTTP server is disabled.

SMS Operation

The HTTPS server is required for SMS management. The implication of this is that if you will be using the SMS to manage the devices, you cannot run the non-secure HTTP server.

Default Server Settings

The default settings of the Web, CLI, and SNMP servers are:
Table 1–5: Default Web, CLI, and SNMP Server Options
Name    Default Setting   Required By               Reboot Required
SSH     ON                secure CLI over network   no
HTTPS   ON                SMS, secure LSM           yes
HTTP    OFF               non-secure LSM            yes
SNMP    ON                SMS, NMS                  yes
Note: You can use the CLI reboot command to reboot the X family device if you modify settings for which a reboot is required.
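The rules in this section (HTTPS and HTTP are mutually exclusive, SMS management needs HTTPS and SNMP, and the reboot column of Table 1–5) can be checked before a change is applied. The following checker is an added example, not code from the guide or from the device; the setting names and the result layout are its own assumptions.

```python
"""Added example (not the 3Com guide's own code): checks a proposed set of
X family server options against the rules stated in this section."""

# Defaults from Table 1-5 and the settings that need a reboot when changed.
DEFAULTS = {"ssh": True, "https": True, "http": False, "snmp": True}
REBOOT_REQUIRED = {"https", "http", "snmp"}  # SSH changes take effect without reboot


def check_server_options(proposed, managed_by_sms=False, current=None):
    """Merge `proposed` (e.g. {"http": True}) over the current settings and
    return a dict with the rule violations ("errors"), advisory findings
    ("warnings") and whether the change needs a reboot ("reboot")."""
    current = DEFAULTS if current is None else current
    settings = {**current, **proposed}
    errors, warnings = [], []

    # Secure and Non-Secure Operation: the Web servers are mutually exclusive;
    # enabling HTTPS disables HTTP.
    if settings["https"] and settings["http"]:
        errors.append("HTTPS and HTTP cannot both be enabled")

    # SMS Operation / Table 1-5: SMS management needs HTTPS and SNMP.
    if managed_by_sms and not settings["https"]:
        errors.append("SMS management requires the HTTPS server")
    if managed_by_sms and not settings["snmp"]:
        errors.append("SMS management requires the SNMP server")

    # CAUTION under HTTP Server: non-secure web access is for troubleshooting only.
    if settings["http"]:
        warnings.append("HTTP is not a secure service; use HTTPS for normal operations")
    # Note above: with every server off the device is manageable only via the serial port.
    if not any(settings.values()):
        warnings.append("all servers disabled: management only through the serial port")

    changed = {name for name in settings if settings[name] != current[name]}
    return {
        "settings": settings,
        "errors": errors,
        "warnings": warnings,
        "reboot": bool(changed & REBOOT_REQUIRED),
    }


if __name__ == "__main__":
    # Constructed scenario: an operator wants HTTP for troubleshooting on an
    # SMS-managed device; the check reports the HTTP/HTTPS conflict and the reboot.
    result = check_server_options({"http": True}, managed_by_sms=True)
    for line in result["errors"] + result["warnings"]:
        print(line)
    print("reboot required:", result["reboot"])
```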
SSH Server
The SSH Server enables encrypted terminal communications. The SSH server must be enabled to establish a secure CLI session over your network.
HTTPS Server
The HTTPS web server enables encrypted file transfers over the network. The HTTPS server must be enabled to use SMS management. You can also run the LSM using the HTTPS server.
HTTP Server
You can enable the HTTP server to run non-secure LSM sessions on your network.
CAUTION: HTTP is not a secure service. If you enable HTTP, you endanger the security of the X family device. Use HTTPS instead of HTTP for normal operations.
SNMP Server
The SNMP Server provides access to interface counters and other statistics, configuration data, and general system information via the Simple Network Management Protocol (SNMP). The SNMP server must be enabled to use SMS management or to allow NMS access.
Example
The Server Options dialog follows:
Server options allow you to enable or disable each of the following servers: SSH, , HTTPS, HTTP, and SNMP.
Would you like to modify the server options? <Y, [N]>: y
Enable the SSH server? [Yes]:y
Enable the HTTPS server ('No' disables SMS access)? [Yes]:y
Enable the HTTP server? [No]:n
Enable the SNMP agent ('No' disables SMS and NMS access)? [Yes]:y
SSH: Yes HTTPS: Yes HTTP: No SNMP: Yes
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: e

NMS Settings

The NMS Options dialog configures the Network Monitoring System (NMS) settings available for the device. This feature enables monitoring of the device by an NMS, such as HP OpenView.
Example
The NMS Options dialog follows:
A Network Management System (NMS) such as HP OpenView (TM) can be used to monitor and receive traps from your device.
Would you like to configure a Network Management System? <Y,[N]>: y

Restrict SMS

This option configures the device to accept management only from an SMS at a specified IP address.
Example
The Restricted SMS Access dialog follows:
SMS sourced configuration allows the device to retrieve the configuration for a secure management VPN to the SMS system. This will ensure that the device can be managed securely from the SMS
Would you like to enable SMS based configuration? <Y,[N]>:n

Additional Configuration

After you have run the initial setup wizard through the Command Line Interface via a serial terminal, you can further configure the device. These subsequent setup options include the following:
“Changing Network Deployment Configuration” on page 16
“Ethernet Port Settings” on page 17
“Default Email Contact Information” on page 18

Changing Network Deployment Configuration

Use the setup x-series command to change network deployment options. Depending on the options that you select, you may also be required to change your virtual interface configuration.
Example
In this example, the X family device was originally configured in Routed mode, as described in “Network Deployment Configuration” on page 9. In changing to NAT mode, an external virtual interface must also be configured, and you are prompted to do so after selecting NAT mode. The default IP addresses are accepted, and no additional configurations are made.
device11# setup x-series
Would you like to modify the network deployment mode? <Y,[N]>:y
Please choose a network deployment option:
1) Routed mode
2) NAT mode
3) Transparent (layer 2) mode
Please Select []: 2
You must now configure the external interface.
Mode (static, dhcp, pppoe, pptp, l2tp) [static]: dhcp
Your selected deployment mode requires an internal interface in order to function correctly. Would you like to create one now? <Y,[N]>:y
IP Address [192.168.1.254]:
Mask [255.255.255.0]:
Would you like to modify virtual interfaces? <Y,[N]>:n
Would you like to modify security zones? <Y,[N]>:n
Would you like to modify security zone to virtual interface mapping? <Y,[N]>:n
Would you like to modify firewall policy rules? <Y,[N]>:n
Would you like to enable SMS based configuration? <Y,[N]>:n

Ethernet Port Settings

The Ethernet port configuration dialog does not run in the Out-of-the-Box Setup Wizard. You can only access the Ethernet Port Setup by using the setup command in the CLI.
Tip: You can configure Ethernet ports individually using the conf t interface ethernet command.
CAUTION: When you configure an Ethernet port using the command line interface, the port will be shut down. Use the conf t int ethernet <slot> <port> no shutdown command to restart the port.
Ethernet Port Options
The Ethernet Port Options dialog sets individual port values for the Ethernet interface.
Line Speed
The line speed setting for the port. A valid entry will meet the following criterion:
• either 10 or 100
Duplex Setting
The duplex setting for the port. A valid entry must be one of the following:
• copper - full or half
Auto Negotiation
The auto negotiation setting determines whether the port will negotiate its speed based on the connection it can make. A valid entry must be one of the following:
• on
• off
Example
An excerpt of the Ethernet Port Options dialog follows:
device18# setup eth
Configure slot 3 (Ethernet Ports)? <Y,[N]>:y
Configure port 1 (Ethernet Port)? <Y,[N]>:y
This port is currently enabled, would you like to disable it? <Y,[N]>:n
Please enter values for the following options
Line speed [100]:
Duplex setting [Full]:
Auto negotiation [On]:
The settings entered for slot 3, port 1 are as follows:
Line speed: 100
Duplex setting: Full
Auto negotiation: On
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: a
Configure port 2 (Ethernet Port)? <Y,[N]>:
CAUTION: When you configure an Ethernet port using the command line interface, the port will be shut down. Use the conf t int ethernet <slot> <port> no shutdown command to restart the port.

Default Email Contact Information

The Default Alert options dialog does not run in the Out-of-the-Box Setup Wizard. You can only access the Management Port Routing options by using the setup command in the CLI.
These options enable you to establish the default sender and recipient for filter alert e-mails.
TO email address
The TO email address is the email address to which alert notifications will be sent. A valid entry must meet the following criteria:
• must be less than 129 characters long
• must be a valid email address. For example: johndoe@mycompany.com
FROM email address
The FROM email address is the address that alert notifications will contain in the from field. A valid entry will meet the following criteria:
• must be less than 129 characters long
• must be a valid email account name on the SMTP server
• must be a valid email address on the SMTP server
Domain
The Domain Name is the domain name of the SMTP server. A valid entry will meet the following criteria:
• must be a valid domain name with a DNS entry on the network the device is located on
• must be the domain name where the SMTP server is located
Email Server IP address
The email Server IP address should be the address where the SMTP server is located. A valid entry will meet the following criterion:
• must be a valid IP address for an SMTP server
Period
The Period is the aggregation period for email alerts. The first time a filter that calls for email notification is triggered, the device sends an email notification to the target named in the filter. At the same time, the aggregation timer starts. The device counts additional filter triggers, but does not email another notification until the end of the period, when it sends a count of all filter triggers that occurred during that period. The timer continues to count and send notifications at the end of each period. A valid entry will meet the following criterion:
• an integer between 1 and 10,080 representing minutes between notifications
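The aggregation behaviour described for the Period setting is easier to reason about when replayed against a burst of triggers. The simulation below is an added example, not code from the guide or the device; the function name, the tuple layout of its output and the rule that a period with no triggers sends no summary are assumptions made here.

```python
"""Added example (not the 3Com guide's own code): simulation of the e-mail
alert aggregation period described above."""

PERIOD_MIN, PERIOD_MAX = 1, 10080  # minutes, the range the dialog accepts


def simulate_alerts(period_minutes, trigger_times, run_until):
    """Replay filter triggers (times in minutes, ascending) through the
    aggregation timer and return the notifications the device would send as
    (time, kind, trigger_count) tuples. Assumption made here, not stated in
    the guide: a period with no further triggers sends no summary."""
    if not PERIOD_MIN <= period_minutes <= PERIOD_MAX:
        raise ValueError(f"period must be {PERIOD_MIN}-{PERIOD_MAX} minutes")
    if any(b < a for a, b in zip(trigger_times, trigger_times[1:])):
        raise ValueError("trigger times must be ascending")

    sent = []
    window_start = None  # None until the first trigger starts the timer
    pending = 0          # triggers counted since the last notification

    def close_periods(now):
        nonlocal window_start, pending
        # Emit a summary for every full period that has elapsed by `now`.
        while window_start is not None and now >= window_start + period_minutes:
            window_start += period_minutes
            if pending:
                sent.append((window_start, "summary", pending))
                pending = 0

    for t in trigger_times:
        close_periods(t)
        if window_start is None:
            # First trigger: notify immediately and start the aggregation timer.
            sent.append((t, "alert", 1))
            window_start = t
        else:
            pending += 1
    close_periods(run_until)
    return sent


if __name__ == "__main__":
    # Constructed burst: five triggers with a 5-minute period.
    for note in simulate_alerts(5, [0, 1, 2, 7, 12], run_until=15):
        print(note)
```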
Example
The Default Email Contacts Dialog follows:
Would you like to modify the default Email contact? <Y,[N]>:y
Enter TO: email address (128 max. characters) Must be a full email address (e.g., recipient@company.com) []: employee@company.com
Enter FROM: email address (128 max. characters) Must be a full email address (e.g., sender@company.com) []: acme@company.com
Enter FROM: Domain Name (128 max. characters, e.g., company.com) []: company.com
Enter email server IP address []: 1.2.3.4
Enter period (in minutes) that email should be sent (1 - 10080) [1]: 5
To: employee@company.com
From: acme@company.com
Domain: company.com
Email Server: 1.2.3.4
Period (minutes): 5
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: a

After the Setup Wizard

After you have completed the setup wizard, if you have changed the HTTPS, HTTP, or SNMP server settings, you must reboot. You can accomplish this by issuing the reboot command from the CLI. After the device reboots, you can use the Local Security Manager graphical user interface (GUI) to perform monitoring and configuration tasks.
Note: The X family device allows for 10 web client connections, 10 SSH (for CLI) connections, and 1 console connection at any given time.
Chapter 2. Command Reference

Descriptions and usage of CLI commands.

Overview

The following tables list the CLI commands by functionality, grouped according to the corresponding LSM pages. Some CLI commands do not have corresponding functions in the LSM, and are listed in Table 2–9 on page 27.
Table 2–1: LSM Home Page
LSM Screen      CLI Command    Page
LSM Home Page   reboot         85
                show log       98
                show version   117
                logout         83
Table 2–2: IPS Commands
LSM Screen                             CLI Command                    Page
Security Profiles: Category Settings   conf t category-settings       38
                                       show conf category-settings    88
Traffic Threshold                      conf t filter                  44
                                       show conf filter               89
                                       show filter                    94
Action Sets                            conf t notify-contact          58
                                       conf t default-alert-sink      40
                                       show action-sets               87
                                       show conf default-alert-sink   89
                                       show conf notify-contacts      91
                                       show default-alert-sink        93
IPS Services                           conf t port                    59
                                       show conf port                 91
Preferences                            conf t protection-settings     60
                                       conf t tse                     67
                                       show conf tse                  92
                                       show protection-settings       111
Table 2–3: Firewall Commands
LSM Screen        CLI Command                          Page
Firewall Rules    conf t firewall rule                 45
                  show conf firewall rule              89
                  show firewall rules                  94
Services          conf t firewall service              48
                  show conf firewall service           90
                  show conf firewall service-group     48
                  conf t firewall alg                  45
                  conf t firewall service-group        48
                  show conf firewall alg               90
Schedules         conf t firewall schedule             47
                  show conf firewall schedule          90
Virtual Servers   conf t firewall virtual-servers      49
                  show conf firewall virtual-servers   90