3Com Corporation reserves the right to revise this documentation and to make
changes in content from time to time without obligation on the part of 3Com
Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition
of any kind, either implied or expressed, including, but not limited to, the implied
warranties, terms, or conditions of merchantability, satisfactory quality, and fitness
for a particular purpose. 3Com may make improvements or changes in the product(s)
and/or the program(s) described in this documentation at any time.
If there is any software on removable media described in this documentation, it is
furnished under a license agreement included with the product as a separate
document, in the hardcopy documentation, or on the removable media in a directory
file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please
contact 3Com and a copy will be provided to you.
UNITED STATES GOVERNMENT LEGENDS:
If you are a United States government agency, then this documentation and the
software described herein are provided to you subject to the following:
United States Government Legend: All technical data and computer software is
commercial in nature and developed solely at private expense. Software is delivered
as Commercial Computer Software as defined in DFARS 252.227-7014 (June 1995)
or as a commercial item as defined in FAR 2.101(a) and as such is provided with only
such rights as are provided in 3Com’s standard commercial license for the Software.
Technical data is provided with limited rights only as provided in DFAR 252.227-7015
(Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to
remove or deface any portion of any legend provided on any licensed program or
documentation contained in, or delivered to you in conjunction with this guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United
States and may or may not be registered in other countries.
3Com, the 3Com logo, TippingPoint, the TippingPoint logo, and Digital Vaccine are
registered trademarks of 3Com Corporation or one of its subsidiaries.
OpenView is a trademark of Hewlett-Packard Development Company. Microsoft and
Windows are registered trademarks or trademarks of Microsoft Corporation in the
United States and other countries. Oracle is a registered trademark of Oracle
Corporation.
Other brand and product names may be registered trademarks or trademarks of their
respective holders.
X Family CLI Reference V 2.5.1
Contents
Contents iii
About This Guide v
Welcome to the X Family CLI v
Target Audience vi
Conventions vi
Related Documentation viii
Customer Support viii
Chapter 1: X Family Startup Configuration 1
Overview 1
Initial Configuration 1
Configuration Categories 2
Initiating the Setup Wizard 4
Account Security Level 4
Super-User Data 5
Host Configuration 7
Timekeeping Options 7
Network Deployment Configuration 9
Virtual Interface Configuration 9
Basic Security Zone Configuration 10
Assigning Zones to Virtual Interfaces 11
Configuring DNS Settings 11
Setup Firewall Rules 12
Enabling SMS Configuration 13
Web, CLI, and SNMP Server Options 14
NMS Settings 16
Restrict SMS 16
Additional Configuration 16
After the Setup Wizard 20
Chapter 2: Command Reference 21
Overview 21
! 28
alias 28
boot 29
bugreport 30
clear 31
cls 33
configure 33
debug 81
exit 81
halt 82
help 82
high-availability 82
history 83
logout 83
ping 84
quarantine 85
quit 85
reboot 85
setup 86
show 86
snapshot 118
traceroute 118
traffic-capture 119
tree 120
who 121
whoami 122
Chapter 3: Navigation 123
Overview 123
Logging in to the CLI 123
Navigation 124
Console Settings 128
Index 131
About This Guide
Explains who this guide is intended for, how the information is organized, where information
updates can be found, and how to obtain customer support if you cannot resolve a problem.
Welcome to the X Family CLI
Welcome to the X family Command Line Interface (CLI). The CLI is the interface for issuing commands
via a command line prompt for the X family device. You use this interface to configure, monitor, and
report on the X family devices in your network.
This section covers the following topics:
• “Target Audience” on page vi
• “Conventions” on page vi
• “Related Documentation” on page viii
• “Customer Support” on page viii
Target Audience
This guide is intended for super-users and administrators who manage one or more X family devices.
Knowledge, Skills, and Abilities
This guide assumes you, the reader, are familiar with general networking concepts and the following
standards and protocols:
• TCP/IP
• UDP
• ICMP
• Ethernet
• Network Time Protocol (NTP)
• Simple Mail Transport Protocol (SMTP)
• Simple Network Management Protocol (SNMP)
Conventions
This guide follows several procedural and typographical conventions to provide clear and
understandable instructions and descriptions. These conventions are described in the following
sections.
This book uses the following conventions for structuring information:
• Cross References
• Typeface
• Messages
Cross References
When a topic is covered in depth elsewhere in this guide, or in another guide in this series, a cross
reference to the additional information is provided. Cross references help you find related topics and
information quickly.
Internal Cross References
This guide is designed to be used as an electronic document. It contains cross references to other
sections of the document that act as hyperlinks when you view the document online. The following text
is a hyperlink: Messages.
External Cross References
Cross references to other publications are not hyperlinked. These cross references will take the form:
see <chapter name > in the Publication Name.
Typeface
This guide uses the following typographical conventions:
bold           used for commands or parameters, which must be entered exactly as shown.
light font     used for variables, for which you supply a value.
brackets []    used to indicate an optional element.
<1 | 2>        angle brackets and vertical bars are used to indicate a choice that must be made.
Italic         used for guide titles, variables, and important terms.
Hyperlink      used for cross references in a document or links to a Web site.
Messages
Messages are special text that are emphasized by font, format, and icons. There are four types of
messages in this guide:
• Warning
• Caution
• Note
• Tip
A description of each message type with an example message follows.
Warning
Warnings tell you how to avoid physical injury to people or equipment. For example:
WARNING: The push-button on/off power switch on the front panel of the server does not
turn off the AC power. To remove AC power from the server, you must unplug the AC power
cord from either the power supply or the wall outlet.
Caution
Cautions tell you how to avoid a serious loss that could cause physical damage such as the loss of data,
time, or security. You should carefully consider this information when determining a course of action
or procedure. For example:
CAUTION: You should disable password caching in the browser you use to access the
LSM. If you do not disable password caching in your browser, and your workstation is not
secured, your system security may be compromised.
Note
Notes tell you about information that might not be obvious or that does not relate directly to the
current topic, but that may affect relevant behavior. For example:
Note: Some command examples in this document are split across several lines
due to space constraints; however, you must enter them on a single line (with no
carriage returns).
Tip
Tips are suggestions about how you can perform a task more easily or more efficiently. For example:
Tip: You can collect firewall statistics using configure terminal firewall
monitor.
Related Documentation
The X family devices have a full set of documentation. These publications are available in electronic
format on CD. For the most recent updates, check the Threat Management Center (TMC) web site at
https://tmc.tippingpoint.com.
Customer Support
We are committed to providing quality customer support to all customers. A customer is provided with
detailed customer and support contact information. For the most efficient resolution of your problem,
please take a moment to gather some basic information from your records and from your system before
contacting customer support.
Information                          Location
Your X family device serial number   You can find this number in the LSM in the System Summary page,
                                     on the shipping invoice that came with the device, or on the bottom
                                     of the device.
Your TOS version number              You can find this information in the LSM in the System Summary
                                     page, or by using the CLI show version command.
Your X family system boot time       You can find this information in the LSM in the System Summary
                                     page.
Contact Information
Please address all questions regarding the software to your authorized representative.
Chapter 1: X Family Startup Configuration
The X family device is a high-speed, comprehensive security system. This section describes the steps required
to start managing the X family device.
Overview
You must complete basic configuration of the X family device to pass traffic in the default
configuration. The X Family Setup Wizard provides a convenient way for you to enter the necessary
configuration data when you install a new device on your network, or when you move or reconfigure a
device within your network. Refer to the following documents for hardware installation:
• Quick Start Guide
• Hardware Installation and Safety Guide
For the most recent updates, check the Threat Management Center (TMC) website. The Customer
Support phone number is 1-866-681-8324.
Initial Configuration
You can perform initial configuration on the X family device with OBE Setup Wizard or with the CLI
Setup Wizard.
The OBE Setup Wizard
The OBE Setup Wizard runs when you first connect to the device through the Local Security Manager
(LSM) with your web browser. The LSM is a web-based GUI for managing one X family device. The
LSM provides HTTP and HTTPS (secure management) access. This access requires one of the
following browsers:
• Microsoft Internet Explorer 6.0 or later
• Firefox 1.5 or later
• Mozilla 1.7 or later
• Netscape 8.1 or later
Using the LSM, you have a graphical display for reviewing, searching, and modifying settings. The GUI
interface also provides graphical reports for monitoring the device traffic, triggered filters, and packet
statistics.
For more information about using the OBE Setup Wizard to configure the device, refer to the Quick
Start Guide for the X family device model. For more information about the LSM, refer to the Local
Security Manager User’s Guide.
The CLI Setup Wizard
The Setup Wizard runs automatically on a console via a serial port connection when you first boot the
X family device. You can also run the setup wizard from the Command Line Interface (CLI) at any time
by entering the setup command.
This chapter describes the initial configuration process with the CLI Setup Wizard.
Configuration Categories
The CLI Setup Wizard runs a series of short interactive dialogs to set several basic configuration
variables on the X family device. The Out-of-the-Box Terminal Setup Wizard runs when the setup
wizard is activated for the first time or at another time with the setup command. This wizard is run
on a serial port connected system, such as a workstation or laptop.
After you run the setup wizard using a serial terminal, you can further configure the device using
subsequent setup commands through the CLI. See “Additional Configuration” on page 16 for details.
The Out-of-the-Box Setup Wizard runs on a workstation or laptop connected to the serial port of the
device. The configuration dialogs are shown in the following table:
Initiating the Setup Wizard
When the Setup Wizard runs, the following screen displays:
Welcome to the TippingPoint Technologies Initial Setup wizard.
Press any key to begin Initial Setup Wizard.
When you press a key, you see the following:
You will be presented with some questions along with default values in
brackets[]. Please update any empty fields or modify them to match your
requirements. You may press the ENTER key to keep the current default
value. After each group of entries, you will have a chance to confirm
your settings, so don't worry if you make a mistake.
Continue to the following section for instructions on account security.
Tip: During initial setup, use the Ctrl-H key combination to erase characters you
have already typed. Ctrl-H deletes from right to left one character at a time.
Account Security Level
The Security Level dialog sets the security level settings that restrict user names and passwords. The
default security level is Level 2, but you have the option to select any of the three available levels:
Table 1–2: Security Levels
Level     Description
Level 0   User names cannot contain spaces. Passwords are unrestricted.
Level 1   User names must contain at least 6 characters without spaces.
          Passwords must contain at least 8 characters without spaces.
Level 2   Includes Level 1 restrictions and requires the following:
          • 2 alphabetic characters
          • 1 numeric character
          • 1 non-alphanumeric character (special characters such as ! ? and *).
Example
There are three security levels for specifying user names and
passwords:
Level 0: User names and passwords are unrestricted.
Level 1: Names must be at least 6 characters long; passwords
at least 8.
Level 2: In addition to level 1 restrictions, passwords must
contain:
- at least 2 alpha characters
- at least 1 numeric character
- at least 1 non-alphanumeric character
Please specify a security level to be used for initial superuser name and password creation. As super-user, you can modify
the security level later on via Command Line Interface (CLI) or
Local Security Manager (LSM).
Security level [2]:
Super-User Data
The Super-User Data dialog sets the super-user login name and password. The login name and
password must meet the restrictions of the security level that you set in the Security Level dialog. The
following tables list examples of valid and invalid login names and passwords.
Table 1–3: Login Name Examples
Valid Login Names   Invalid Login Names
fjohnson            fredj (too short in Levels 1 and 2, valid for Level 0)
fredj123            fred j 123 (contains spaces)
fredj-123           fj123 (too short)
fredj-*123          fj 123 (contains spaces)
Table 1–4: Password Examples for Level 2 Security
Valid Passwords     Invalid Passwords
my-pa55word         my-pa55 (too short)
my-b1rthday         mybirthday (must contain numeric)
myd*g’snam3         mydogsnam3 (must contain a non-alphanumeric character)
Example
In this example, the password is presented in italics. In the actual dialog, the password would not be
visible.
Please enter a user name that we will use to create your superuser account. Spaces are not allowed.
Name: superuser
Do you wish to accept [superuser] <Y,[N]>:Y
Please enter your super-user account password: root--00
Verify password: root--00
Saving information...Done
Your super-user account has been created.
You may continue initial configuration by logging into your
device. After logging in, you will be asked for additional
information.
Host Configuration
The Host Configuration dialog configures the host name and host location. You also have the option to
configure the host management port.
CAUTION: Do not configure the host management port unless you have been specifically
instructed to do so by technical support.
Example
In this example, the host management port is not configured, and the host name is set as device11 in
the location lab.
The host management port is used to configure and monitor this device via
a network connection (e.g., a web browser).
Have you been directed by technical support to configure
the management port? <Y,[N]>:N
Enter Host Name [myhostname]: device11
Enter Host Location [room/rack]: lab
Host Name: device11
Host Location: lab
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: A
Timekeeping Options
The Timekeeping Options dialog configures the X family device clock. You can configure the following
options.
Time Zone
The time zone option calculates and shows the local time. System logs are kept in Universal Time
(UTC), but the device calculates local time for display purposes. Entering the proper time zone enables
the device to display local time properly.
Daylight Saving Time
The daylight saving time option enables and disables the calculation of time based on the time of year.
NTP
The X family device can keep time using its internal CMOS clock or it can use a Network Time Protocol
(NTP) server.
Note: Use the show ntp session and show ntp status commands to inspect
the operation of the NTP protocol.
NTP Server
Configuring a host as an NTP server causes the X family device to query that host to obtain
information on the current time. If multiple time servers are specified, the device aggregates data from
all available servers to calculate the best time estimate. Providing multiple sources improves both the
reliability and accuracy of the time data.
NTP Peer
Configuring a host as an NTP peer causes the X family device to both send time information to and
receive time information from the host. This allows multiple devices to mutually exchange time
information, allowing for a higher resilience against the failure of one or more time servers.
Date and Time
If you are not using NTP, you must specify the current date and time.
Example
In this example, the time zone is set to Central Standard Time (CST), Daylight Saving Time changes are
enabled, and NTP is not enabled. The default date is accepted, and the current time is entered
manually:
Timekeeping options allow you to set the time zone, enable or
disable daylight saving time, and configure or disable NTP.
Would you like to modify timekeeping options? <Y,[N]>: y
Enter time zone or '?' for complete list [GMT]: CST
Automatically adjust clock for daylight saving changes? [Yes]: N
Do you want to enable the NTP client? [No]: N
Enter date <YYYY-MM-DD> [2006-06-09]:
Enter time <HH:MM:SS> in 24 hour notation [09:02:40]: 08:02:00
TimeZone: CST
DST enabled: No
NTP enabled: No
Date: 2006-06-09
Time: 08:02:00
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: A
Network Deployment Configuration
The Network Deployment Configuration dialog selects the type of network deployment that the X
family device will use. The following deployments are available:
• Routed mode: All IP subnets are unique, and addresses that traverse to the WAN zone may be
subject to Network Address Translation (NAT).
• NAT mode: Hosts in the LAN zone run in a private IP address range, and hosts in the WAN zone run
in a public IP address range. Addresses that traverse to the WAN zone may be subject to Network
Address Translation (NAT).
• Transparent (Layer 2) mode: Firewalls are enforceable between security zones, but all zones are
in the same broadcast domain.
NAT mode and Routed mode require internal and external virtual interfaces (VIs). The device has a
single internal VI and a single external VI configured by default. Virtual Interface Configuration is
discussed in detail in “Virtual Interface Configuration” on page 9.
Example
The X-Series device may be configured into a number of well known
network deployments.
Would you like to modify the network deployment mode? <Y,[N]>:y
Please choose a network deployment option:
1) Routed mode
2) NAT mode
3) Transparent (layer 2) mode
Please Select []: 1
Virtual Interface Configuration
The virtual interface dialog of the initial setup wizard modifies the configuration of the internal and
external interfaces and includes IP allocation, IP subnet, default gateway, and enabling or disabling
NAT.
Example
In this example, the default interface IP addresses are reviewed and accepted:
Virtual interfaces define how this device integrates with the IP layer 3
network. You must configure one virtual interface for every IP subnet that is
directly connected to the X-Series device. For example, you need one for the WAN
connection (external virtual interface) and one for every directly connected
network subnet (internal virtual interfaces).
Would you like to modify virtual interfaces? <Y,[N]>:y
Virtual interfaces:
Id Type Mode IP Address Subnet Mask NAT
1 internal static 192.168.1.254 255.255.255.0 external-ip
2 external dhcp 10.0.1.200 255.255.255.0 disable
3 <empty>
4 <empty>
5 <empty>
6 <empty>
Enter [A]ccept, [C]hange, [R]emove or [E]xit without saving [C]: a
Basic Security Zone Configuration
The Security Zone dialog modifies the basic configuration of security zones, which divide your
network into logical security domains. Network traffic between security zones is routed and scanned
by the firewall and the IPS policies that you create.
In the setup process, you can assign security zones to different ports. You can change the zone
configuration at any time afterwards.
Example
In this example, a new security zone called MyZone is created:
Security zones enable you to section your network logically into security
domains. As network traffic travels between zones, it is routed and security
scanned by the firewall and IPS according to the policies you define. You need
to create security zones that naturally map onto your intended network security
boundaries. A security zone may or may not be connected (mapped) to a virtual
interface.
Would you like to modify security zones? <Y,[N]>:y
Security zones:
# Zone name Ports
1 LAN 1
2 VPN None
3 WAN 6
4 <empty>
5 <empty>
6 <empty>
7 <empty>
8 <empty>
9 <empty>
10 <empty>
Enter [A]ccept, [C]hange, [R]emove or [E]xit without saving [C]: c
Enter the number of the entry you want to change []: 2
Zone Name [LAN2]: MyZone
Network port (0 for None) [0]: 1
*** WARNING: Accepting this change will move port 1 from "LAN" to "VPN". ***
Security zones:
# Zone name Ports
1 LAN None
2 VPN 1
3 WAN 6
4 <empty>
5 <empty>
6 <empty>
7 <empty>
8 <empty>
9 <empty>
10 <empty>
Enter [A]ccept, [C]hange, [R]emove or [E]xit without saving [C]: a
Assigning Zones to Virtual Interfaces
The Modify Security Zones Mapping to Virtual Interfaces dialog maps existing zones to existing
interfaces.
Example
Would you like to modify security zone to Virtual Interfaces mapping? <Y,[N]>:y
Virtual interface to security zone mapping:
Id  Type      Zones  Mode    IP Address     Subnet Mask
1   internal  LAN    static  192.168.1.254  255.255.255.0
              VPN
2   external  WAN    dhcp
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: c
Enter the number of the entry you want to change []: 1
Enter [A]dd, [R]emove, or [E]xit without saving [E]: r
Zone name []: LAN
Virtual interface to security zone mapping:
Id  Type      Zones  Mode    IP Address     Subnet Mask
1   internal  VPN    static  192.168.1.254  255.255.255.0
2   external  WAN    dhcp
Enter [A]ccept, [C]hange or [E]xit without saving [C]: a
Configuring DNS Settings
The Domain Name Services (DNS) dialog configures DNS settings. By default, the X family device
acquires DNS settings using DHCP. You can use a custom DHCP server or specify a static address.
Example
DNS (Domain Name Service) is a system which translates computer host names to IP
addresses. The X-Series device requires DNS configuration in order to perform
web filtering.
Would you like to configure DNS? <Y,[N]>:y
Would you like to use the DNS configuration obtained from the
WAN connection ? <[Y],N>:n
Enter DNS Server 1 IP Address (0.0.0.0 to clear): []: 10.0.0.1
Enter DNS Server 2 IP Address (0.0.0.0 to clear): []: 10.0.0.2
Enter DNS Server 3 IP Address (0.0.0.0 to clear): []:
Enter DNS Search Domain 1 ("" to clear): []: example.com
Enter DNS Search Domain 2 ("" to clear): []:
Enter DNS Search Domain 3 ("" to clear): []:
DNS settings manually configured.
DNS Server 1: 10.0.0.1
DNS Server 2: 10.0.0.2
DNS Server 3:
DNS Domain 1: example.com
DNS Domain 2:
DNS Domain 3:
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: a
Setup Firewall Rules
The Setup Firewall Rules dialog resets all firewall rules back to the factory defaults and then enables
you to view and modify them. You are also able to configure web filtering.
Example
Firewall policy rules control the flow of network traffic between security
zones. Firewall policy rules control traffic flow based on source and
destination security zones and network protocol.
Would you like to modify firewall policy rules? <Y,[N]>:y
The current state of firewall rules is as follows:
ID Action Source Destination Service E
1 permit LAN WAN ANY X
2 permit WAN this-device vpn-protocols X
3 permit LAN this-device management X
4 permit LAN this-device network-protocols X
Key: (E)nabled
Modifying the firewall rules via this wizard resets the rules to
a default state and allows you to configure basic policies for
Internet access, web filtering, and device management.
Do you want to continue? <Y,[N]>:y
Would you like default policies allowing all internal security
zones access to the Internet? <Y,[N]>:y
You may now choose to enable the web filtering service. Note
that access to this service requires a subscription.
Would you like to enable web filtering (license required) and
set up firewall rules for all internal security zones? <Y,[N]>:y
Please choose a web filtering server. For best performance,
select the server location that is closest to you. Available
locations are:
# Location
1 North America (us.surfcpa.com)
2 Europe 1 (uk1.surfcpa.com)
3 Europe 2 (uk2.surfcpa.com)
4 Asia (asia.surfcpa.com)
Enter web filtering server selection []: 3
Would you like to allow management of the device from the
external security zone (inband management)? <Y,[N]>:y
Would you like to enable DHCP server on internal security zones <Y,[N]>:y
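The rule table printed by the dialog is a zone-to-zone policy, and the "inband management" question adds a rule that opens the device's management services to the WAN zone. The following added Python example (not from the guide or the device) models the four default rules shown above and audits that exposure; first-match evaluation with an implicit block, and the membership of the service groups, are assumptions for the example.

```python
# Added example: evaluate traffic against the default X family firewall rules
# listed by the Setup Firewall Rules dialog. Not device code; evaluation order
# (first match wins, no match blocks) and service-group members are assumed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One row of the wizard's rule table: ID, Action, Source, Destination, Service, E(nabled)."""
    rule_id: int
    action: str        # "permit" or "block"
    source: str        # source security zone
    dest: str          # destination security zone, or "this-device" for the device itself
    service: str       # service group name, or "ANY"
    enabled: bool = True


# The four default rules exactly as the dialog prints them (all enabled).
DEFAULT_RULES: List[Rule] = [
    Rule(1, "permit", "LAN", "WAN", "ANY"),
    Rule(2, "permit", "WAN", "this-device", "vpn-protocols"),
    Rule(3, "permit", "LAN", "this-device", "management"),
    Rule(4, "permit", "LAN", "this-device", "network-protocols"),
]

# Constructed service-group membership (assumption): the guide names the groups
# on this page but does not list their members.
SERVICE_GROUPS = {
    "management": {"ssh", "https", "http", "snmp"},
    "vpn-protocols": {"ike", "esp", "l2tp", "pptp"},
    "network-protocols": {"dns", "dhcp", "ntp", "icmp"},
}


def service_matches(rule_service: str, flow_service: str) -> bool:
    """ANY matches everything; a group name matches its members; anything else matches itself."""
    if rule_service == "ANY":
        return True
    return flow_service in SERVICE_GROUPS.get(rule_service, {rule_service})


def evaluate(rules: List[Rule], source_zone: str, dest_zone: str,
             service: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule_id) of the first enabled matching rule, or ("block", None)."""
    for rule in rules:
        if not rule.enabled:
            continue
        if (rule.source == source_zone and rule.dest == dest_zone
                and service_matches(rule.service, service)):
            return rule.action, rule.rule_id
    return "block", None


def inband_management_rule(rule_id: int) -> Rule:
    """The rule the wizard adds when management from the external zone is answered Y (assumed shape)."""
    return Rule(rule_id, "permit", "WAN", "this-device", "management")


def management_exposure(rules: List[Rule]) -> List[int]:
    """IDs of enabled rules that permit management services to the device from a zone other than LAN.

    A non-empty result is what a reviewer of a device configuration wants flagged.
    """
    exposed = []
    for rule in rules:
        if (rule.enabled and rule.action == "permit" and rule.dest == "this-device"
                and rule.source != "LAN" and rule.service in ("ANY", "management")):
            exposed.append(rule.rule_id)
    return exposed


if __name__ == "__main__":
    print("LAN -> WAN https:", evaluate(DEFAULT_RULES, "LAN", "WAN", "https"))
    print("WAN -> device https:", evaluate(DEFAULT_RULES, "WAN", "this-device", "https"))
    with_inband = DEFAULT_RULES + [inband_management_rule(5)]
    print("WAN -> device https (inband):", evaluate(with_inband, "WAN", "this-device", "https"))
    print("exposed management rules:", management_exposure(with_inband))
```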
Enabling SMS Configuration
The SMS Configuration dialog enables or disables configuration of the device by a Security
Management System (SMS). If you enable this feature, you will be prompted to enter the IP address of
the SMS device that you want to manage the X family device. The X family device will initiate a call to
the SMS to begin the acquisition of the configuration files.
Note: The SMS must be correctly configured to enable remote deployment to the
device. For detailed information about the SMS and remote deployment, see “X
Family Remote Deployment” in the SMS User’s Guide.
By default, the external virtual interface on the X family device uses DHCP to acquire a dynamic IP
address from a DHCP Server. You do not need to make any changes to the default setting when you
enable SMS configuration. Additional configuration will be required if you use other external IP
address options such as static, PPPoE, PPTP, or L2TP. The following example assumes that the X family
device is using the default external virtual interface settings.
Example
SMS-based configuration allows the device to retrieve the
configuration for a secure management VPN to the SMS system.
This ensures that the device can be managed securely from the
SMS
Would you like to enable SMS-based configuration? <Y,[N]>:y
Enter Primary Security Management System IP Address []:
10.24.54.210
Do you have a redundant SMS server? <Y,[N]>: n
Primary SMS IP address: 10.24.54.210
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: a
When the SMS is on a different site than the device, a potential
misconfiguration in the SMS may result in the loss of remote
management access to the device. To protect against this you can
enable a firewall rule to allow SSH and HTTPS access into the
device from the WAN security zone and the internet. This rule
will only be enabled after the SMS has timed out trying to
acquire the device. During the time the firewall rule is
enabled, management access to the device will be available to
any IP address on the internet providing the correct username
and password.
Would you like to enable WAN access on SMS configuration
failure? <Y,[N]>: N
Web, CLI, and SNMP Server Options
The Web, CLI, and SNMP Server Options dialog turns the X family device servers on and off. You
should always use the secure Web and CLI servers (HTTPS and SSH) when conducting normal
operations. You should only use the non-secure (HTTP) servers for troubleshooting if you cannot get
the secure alternatives running for some reason.
Note: You do not need to run any servers if you want to control the X family
device only through the serial port, but you will be unable to manage filters
without servers. You can turn off all servers by using the following commands:
• conf t server no http
• conf t server no https
• conf t server no ssh
• conf t sms no v2
You must reboot the device for changes to HTTP or HTTPS to take effect.
Secure and Non-Secure Operation
You can enable the secure and non-secure servers for the CLI (SSH and HTTP). You cannot enable both
the secure and non-secure servers for the Web. This is to prevent inadvertent security lapses within
your network security infrastructure. In practical terms, this means that if you enable the HTTPS
server, the HTTP server is disabled.
SMS Operation
The HTTPS server is required for SMS management. The implication of this is that if you will be using
the SMS to manage the devices, you cannot run the non-secure HTTP server.
Default Server Settings
The default settings of the Web, CLI, and SNMP servers are:
Table 1–5: Default Web, CLI, and SNMP Server Options
Name   Default Setting   Required By               Reboot Required
SSH    ON                secure CLI over network   no
HTTPS  ON                SMS, secure LSM           yes
HTTP   OFF               non-secure LSM            yes
SNMP   ON                SMS, NMS                  yes
Note: You can use the CLI reboot command to reboot the X family device if
you modify settings for which a reboot is required.
SSH Server
The SSH Server enables encrypted terminal communications. The SSH server must be enabled to
establish a secure CLI session over your network.
HTTPS Server
The HTTPS web server enables encrypted file transfers over the network. The HTTPS server must be
enabled to use SMS management. You can also run the LSM using the HTTPS server.
HTTP Server
You can enable the HTTP server to run non-secure LSM sessions on your network.
CAUTION: HTTP is not a secure service. If you enable HTTP, you endanger the security of
the X family device. Use HTTPS instead of HTTP for normal operations.
SNMP Server
The SNMP Server provides access to interface counters and other statistics, configuration data, and
general system information via the Simple Network Management Protocol (SNMP). The SNMP server
must be enabled to use SMS management or to allow NMS access.
Example
The Server Options dialog follows:
Server options allow you to enable or disable each of the
following servers: SSH, , HTTPS, HTTP, and SNMP.
Would you like to modify the server options? <Y, [N]>: y
Enable the SSH server? [Yes]:y
Enable the HTTPS server ('No' disables SMS access)? [Yes]:y
Enable the HTTP server? [No]:n
Enable the SNMP agent ('No' disables SMS and NMS access)?
[Yes]:y
SSH: Yes
HTTPS: Yes
HTTP: No
SNMP: Yes
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: e
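An added example, not from the 3Com manual, that models the server-option rules this section states (HTTPS disables HTTP, SMS needs HTTPS and SNMP, reboot required for HTTPS/HTTP/SNMP changes) so a proposed dialog answer can be checked before it is accepted; the class and function names are assumptions.

```python
# Added example (not from the 3Com manual): consistency checks for the Web, CLI
# and SNMP server options, modelling the rules the chapter states.
from dataclasses import dataclass, replace

# Settings the manual marks "Reboot Required: yes" in Table 1-5.
REBOOT_REQUIRED = ("https", "http", "snmp")


@dataclass(frozen=True)
class ServerOptions:
    """One server-options dialog result; defaults match Table 1-5."""
    ssh: bool = True
    https: bool = True
    http: bool = False
    snmp: bool = True


def apply_https_precedence(opts):
    """Device rule: enabling the HTTPS server disables the HTTP server."""
    if opts.https and opts.http:
        return replace(opts, http=False)
    return opts


def sms_manageable(opts):
    """SMS management needs both the HTTPS server and the SNMP server."""
    return opts.https and opts.snmp


def reboot_needed(old, new):
    """True when HTTPS, HTTP or SNMP changed; SSH changes need no reboot."""
    return any(getattr(old, k) != getattr(new, k) for k in REBOOT_REQUIRED)


def review(old, new):
    """Findings for a proposed change, read the way a defender would."""
    new = apply_https_precedence(new)
    findings = []
    if new.http:
        findings.append("HTTP enabled: non-secure LSM sessions; the manual says to use HTTPS")
    if not new.ssh:
        findings.append("SSH disabled: no secure CLI session over the network")
    if not sms_manageable(new):
        findings.append("SMS management unavailable: requires HTTPS and SNMP")
    if reboot_needed(old, new):
        findings.append("reboot required for the change to take effect")
    return findings
```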
NMS Settings
The NMS Options dialog configures the Network Monitoring System (NMS) settings available for the
device. This feature enables monitoring of the device by an NMS, such as HP OpenView.
Example
The NMS Options dialog follows:
A Network Management System (NMS) such as HP OpenView (TM) can
be used to monitor and receive traps from your device.
Would you like to configure a Network Management System?
<Y,[N]>: y
Restrict SMS
This option configures the device to accept management only from an SMS at a specified IP address.
Example
The Restricted SMS Access dialog follows:
SMS sourced configuration allows the device to retrieve the configuration for a
secure management VPN to the SMS system. This will ensure that the device can be
managed securely from the SMS
Would you like to enable SMS based configuration? <Y,[N]>:n
Additional Configuration
After you have run the initial setup wizard through the Command Line Interface via a serial terminal,
you can further configure the device. These subsequent setup options include the following:
• “Changing Network Deployment Configuration” on page 16
• “Ethernet Port Settings” on page 17
• “Default Email Contact Information” on page 18
Changing Network Deployment Configuration
Use the setup x-series command to change network deployment options. Depending on the options
that you select, you may also be required to change your virtual interface configuration.
Example
In this example, the X family device was originally configured in Routed mode, as described in
“Network Deployment Configuration” on page 9. In changing to NAT mode, an external virtual
interface must also be configured, and you are prompted to do so after selecting NAT mode. The
default IP addresses are accepted, and no additional configurations are made.
device11# setup x-series
Would you like to modify the network deployment mode? <Y,[N]>:y
Your selected deployment mode requires an internal interface in
order to function correctly. Would you like to create one now?
<Y,[N]>:y
IP Address [192.168.1.254]:
Mask [255.255.255.0]:
Would you like to modify virtual interfaces? <Y,[N]>:n
Would you like to modify security zones? <Y,[N]>:n
Would you like to modify security zone to virtual interface
mapping? <Y,[N]>:n
Would you like to modify firewall policy rules? <Y,[N]>:n
Would you like to enable SMS based configuration? <Y,[N]>:n
Ethernet Port Settings
The Ethernet port configuration dialog does not run in the Out-of-the-Box Setup Wizard. You can only
access the Ethernet Port Setup by using the setup command in the CLI.
Tip: You can configure Ethernet ports individually using the conf t interface
ethernet command.
CAUTION: When you configure an Ethernet port using the command line interface, the
port will be shut down. Use the conf t int ethernet <slot> <port> no shutdown
command to restart the port.
Ethernet Port Options
The Ethernet Port Options dialog sets individual port values for the Ethernet interface.
Line Speed
The line speed setting for the port. A valid entry will meet the following criterion:
• either 10 or 100
Duplex Setting
The duplex setting for the port. A valid entry must be one of the following:
• copper - full or half
Auto Negotiation
The auto negotiation setting determines whether the port will negotiate its speed based on the
connection it can make. A valid entry must be one of the following:
• on
• off
Example
An excerpt of the Ethernet Port Options dialog follows:
device18# setup eth
Configure slot 3 (Ethernet Ports)? <Y,[N]>:y
Configure port 1 (Ethernet Port)? <Y,[N]>:y
This port is currently enabled, would you like to disable it?
<Y,[N]>:n
Please enter values for the following options
Line speed [100]:
Duplex setting [Full]:
Auto negotiation [On]:
The settings entered for slot 3, port 1 are as follows:
Line speed: 100
Duplex setting: Full
Auto negotiation: On
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: a
Configure port 2 (Ethernet Port)? <Y,[N]>:
Default Email Contact Information
The Default Alert options dialog does not run in the Out-of-the-Box Setup Wizard. You can only access
the Management Port Routing options by using the setup command in the CLI.
These options enable you to establish the default sender and recipient for filter alert e-mails.
TO email address
The TO email address is the email address to which alert notifications will be sent. A valid entry must
meet the following criteria:
• must be less than 129 characters long
• must be a valid email address. For example: johndoe@mycompany.com
FROM email address
The FROM email address is the address that alert notifications will contain in the from field. A valid
entry will meet the following criteria:
• must be less than 129 characters long
• must be a valid email account name on the SMTP server
• must be a valid email address on the SMTP server
Domain
The Domain Name is the domain name of the SMTP server. A valid entry will meet the following
criteria:
• must be a valid domain name with a DNS entry on the network the device is located on
• must be the domain name where the SMTP server is located
Email Server IP address
The email Server IP address should be the address where the SMTP server is located. A valid entry will
meet the following criterion:
• must be a valid IP address for an SMTP server
Period
The Period is the aggregation period for email alerts. The first time a filter that calls for email
notification is triggered, the device sends an email notification to the target named in the filter. At the
same time, the aggregation timer starts. The device counts additional filter triggers, but does not email
another notification until it sends a count of all filter triggers that occurred during that period. The
timer continues to count and send notifications at the end of each period. A valid entry will meet the
following criterion:
• an integer between 1 and 10,080 representing minutes between notifications
Example
The Default Email Contacts Dialog follows:
Would you like to modify the default Email contact? <Y,[N]>:y
Enter TO: email address (128 max. characters)
Must be a full email address (e.g., recipient@company.com) []:
employee@company.com
Enter FROM: email address (128 max. characters)
Must be a full email address (e.g., sender@company.com) []:
acme@company.com
Enter FROM: Domain Name (128 max. characters, e.g., company.com)
[]: company.com
Enter email server IP address []: 1.2.3.4
Enter period (in minutes) that email should be sent (1 - 10080)
[1]: 5
To: employee@company.com
From: acme@company.com
Domain: company.com
Email Server: 1.2.3.4
Period (minutes): 5
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: a
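An added example, not from the 3Com manual, that simulates the alert aggregation period described under "Period": the first trigger is emailed at once, later triggers are counted and reported at the end of each period, and the timer keeps running. The function names and the sample trigger times are constructed, and it assumes (the page does not say) that a period with no triggers produces no email.

```python
# Added example (not from the 3Com manual): a simulation of the email alert
# aggregation period described for the Default Email Contact options.
# Trigger times are minutes since the device started (constructed sample data).

MAX_PERIOD = 10080  # manual's upper bound: minutes in one week


def aggregate_alerts(trigger_times, period):
    """Return the notifications the device would send as (minute, count) pairs.

    Manual's rule: the first trigger is emailed at once and starts the timer;
    later triggers are counted and reported as a total at the end of each
    period, and the timer keeps running from one period into the next.
    Assumption (not stated on the page): a period in which nothing was
    counted produces no email.
    """
    if not isinstance(period, int) or not 1 <= period <= MAX_PERIOD:
        raise ValueError("period must be an integer between 1 and 10080 minutes")
    if not trigger_times:
        return []
    times = sorted(trigger_times)
    first = times[0]
    sent = [(first, 1)]            # immediate notification for the first trigger
    window_end = first + period    # aggregation timer starts now
    count = 0
    for t in times[1:]:
        # Close every window that ended at or before this trigger.
        while t >= window_end:
            if count:
                sent.append((window_end, count))
            count = 0
            window_end += period
        count += 1                 # counted, not emailed, until the window ends
    if count:                      # what the still-open window will report
        sent.append((window_end, count))
    return sent


def total_reported(notifications):
    """Sum of counts over all notifications; equals the number of triggers."""
    return sum(n for _, n in notifications)


if __name__ == "__main__":
    # Constructed sample: a burst of five filter hits, then one isolated hit.
    SAMPLE = [0, 1, 3, 7, 12, 40]
    for minute, count in aggregate_alerts(SAMPLE, period=5):
        print(f"minute {minute:3d}: notification covering {count} trigger(s)")
```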
After the Setup Wizard
After you have completed the setup wizard, if you have changed from the HTTPS to HTTP server or
SNMP, you must reboot. You can accomplish this by issuing the reboot command from the CLI.
After the device reboots, you can use the Local Security Manager graphical user interface (GUI) to
perform monitoring and configuration tasks.
Note: The X family device allows for 10 web client connections, 10 SSH (for CLI)
connections, and 1 console connection at any given time.
2 Command Reference
Descriptions and usage of CLI commands.
Overview
The following tables list the CLI commands by functionality, grouped according to the corresponding
LSM pages. Some CLI commands do not have corresponding functions in the LSM, and are listed in
Table 2–9 on page 27.
Table 2–1: LSM Home Page
LSM Screen    | CLI Command  | Page
LSM Home Page | reboot       | 85
              | show log     | 98
              | show version | 117
              | logout       | 83
Table 2–2: IPS Commands
LSM Screen                           | CLI Command                  | Page
Security Profiles: Category Settings | conf t category-settings     | 38
                                     | show conf category-settings  | 88
Traffic Threshold                    | conf t filter                | 44
                                     | show conf filter             | 89
                                     | show filter                  | 94
Action Sets                          | conf t notify-contact        | 58
                                     | conf t default-alert-sink    | 40
                                     | show action-sets             | 87
                                     | show conf default-alert-sink | 89
                                     | show conf notify-contacts    | 91
                                     | show default-alert-sink      | 93
IPS Services                         | conf t port                  | 59
                                     | show conf port               | 91
Preferences                          | conf t protection-settings   | 60
                                     | conf t tse                   | 67
                                     | show conf tse                | 92
                                     | show protection-settings     | 111
Table 2–3: Firewall Commands
LSM Screen      | CLI Command                        | Page
Firewall Rules  | conf t firewall rule               | 45
                | show conf firewall rule            | 89
                | show firewall rules                | 94
Services        | conf t firewall service            | 48
                | show conf firewall service         | 90
                | show conf firewall service-group   | 48
                | conf t firewall alg                | 45
                | conf t firewall service-group      | 48
                | show conf firewall alg             | 90
Schedules       | conf t firewall schedule           | 47
                | show conf firewall schedule        | 90
Virtual Servers | conf t firewall virtual-servers    | 49
                | show conf firewall virtual-servers | 90