HP | TippingPoint Next Generation Firewall Series | Command Reference Guide | HP TippingPoint Next Generation Firewall Series Command Reference Guide

HP TippingPoint
Next Generation Firewall Command Line
Interface Reference Guide
Version1.0.1
Abstract
This reference manual describes the Next Generation Firewall Command Line Interface (CLI) and the commands you
can use to configure and manage a NGFW appliance.
*5998-4803*
Part number: 5998-4803
Edition: August 2013, First
Legal and notice information
© Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential
damages in connection with the furnishing, performance, or use of this material.
This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or
translated into another language without the prior written consent of Hewlett-Packard. The information is provided “as is” without warranty of any
kind and is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for
technical or editorial errors or omissions contained herein.
TippingPoint® , the TippingPoint logo, and Digital Vaccine® are registered trademarks of Hewlett-Packard All other company and product names
may be trademarks of their respective holders. All rights reserved. This document contains confidential information, trade secrets or both, which are
the property of Hewlett-Packard No part of this documentation may be reproduced in any form or by any means or used to make any derivative
work (such as translation, transformation, or adaptation) without written permission from Hewlett-Packard or one of its subsidiaries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Intel and Itanium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation.
Oracle® is a registered U.S. trademark of Oracle Corporation, Redwood City, California.
UNIX® is a registered trademark of The Open Group.
Printed in US or Puerto Rico
Next Generation Firewall Command Line Interface Reference Guide
Publication Part Number: 5998-4803
Table of Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Target Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Typefaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Document Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1
....
....
....
....
....
....
....
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
1
1
2
2
2
3
3
Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Command Line Interface Syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Shortcut Navigation Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Hierarchical Menu and Prompt display. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Root Command Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Edit Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuration File Versions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
5
5
6
6
7
7
7
8
9
9
9
10
2
Global Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3
Root Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
commit. . . . . . . . . .
exit . . . . . . . . . . . .
help. . . . . . . . . . . .
more . . . . . . . . . . .
display . . . . . . . . .
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
..
..
..
..
..
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
..
..
..
..
..
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
..
..
..
..
..
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
flush . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
log-configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
master-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ping6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
save-config. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
service-access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show aaa. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show agglink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ndp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
CLI Reference Guide
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
11
11
11
12
12
13
13
14
14
14
15
15
15
15
16
16
17
17
17
18
18
18
19
19
21
22
23
23
i
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
ii
autoconf dhcpv4 client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
autoconf dhcpv6 client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
autoconf ra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
dhcp relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
dhcp server lease . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
dhcpv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip bgp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip mroute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ospf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip pim-sm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip rip. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip smr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 mld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 mroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 ospfv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 pim-sm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 ripng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 route ospfv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 route ripng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(ip|ipv6) route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
l2tp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
license. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
log-file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
log-file FILE_NAME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
log-file FILE_NAME stat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
log-file summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
log-file boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
mfg-info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
np engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
np general statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
np protocol-mix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
np reassembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
np rule-stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
np softlinx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
np tier-stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
quarantine-list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
sms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
snmp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
system buffers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
system connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
system processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
system statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
system usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
system virtual-memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
system xms memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
terminal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
traffic-file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
tse connection-table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
23
23
23
24
24
24
24
25
25
25
25
26
27
27
28
28
28
29
29
30
30
31
31
31
32
32
33
33
33
33
34
34
34
37
37
37
38
38
39
39
40
40
40
41
42
42
42
43
43
43
43
44
45
45
45
45
46
46
46
show tse . . . . . . . . . . .
show user-disk . . . . . . .
show users . . . . . . . . . .
show version . . . . . . . .
shutdown . . . . . . . . . . .
sms . . . . . . . . . . . . . . .
snapshot create . . . . . .
snapshot list . . . . . . . . .
snapshot remove . . . . . .
snapshot restore . . . . . .
tcpdump . . . . . . . . . . .
traceroute. . . . . . . . . . .
traceroute6. . . . . . . . . .
user-disk. . . . . . . . . . . .
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
.
.
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
.
.
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
.
.
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
.
.
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
.
.
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
.
.
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
.
.
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
.
.
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
.
.
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
.
.
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
.
.
.
.
.
.
.
.
...
...
...
...
...
...
...
...
...
...
...
...
...
...
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
47
47
47
47
48
48
48
48
49
49
49
50
50
50
4
Log Configure Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
5
Edit Running Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
display . . . .
email . . . . . .
log-file-size . .
log-storage . .
log-test . . . . .
rotate . . . . .
..
..
..
..
..
..
.
.
.
.
.
.
..
..
..
..
..
..
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
..
..
..
..
..
..
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
..
..
..
..
..
..
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
..
..
..
..
..
..
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
..
..
..
..
..
..
..
..
..
..
..
..
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Configuration Contexts by Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Monitor/System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Edit Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
aaa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
actionsets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
addressgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
application-filter-mgmt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
application-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
application-visibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
autodv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
blockedStreams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
captive-portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
dst-nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
gen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
global-inspection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
l2tp-serverX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
multicast-registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
notifycontacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
CLI Reference Guide
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
53
53
54
54
54
55
57
57
57
58
59
59
59
59
59
60
61
61
61
62
62
63
63
64
64
65
66
66
67
67
68
69
69
70
71
72
73
73
74
75
75
iii
ntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
reputation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
route-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
segmentX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
src-nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Contexts and Related Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
running-aaa Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
running-aaa-ldap-group-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
running-aaa-radius-group-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
running-actionsets Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
running-actionsets-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
running-addressgroups Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
running-addressgroups-X Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
running-agglinkX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
running-app-filter-mgmt Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
running-app-groups Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
running-app-groups-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
running-autodv Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
running-autodv-calendar Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
running-autodv-periodic Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
running-bgp-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
running-blockedStreams Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
running-bridgeX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
running-captive-portal Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
running-captive-portal-rule-X Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
running-certificates Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
running-certificates-crl Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
running-cluster Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
running-cluster-tct Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
running-dhcp-relay Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
running-dhcp-server Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
running-dhcp-server-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
running-dnat Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
running-dnat-rule-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
running-dns Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
running-ethernetX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
running-firewall Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
running-firewall-rule-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
running-gen Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
running-global-inspection Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
running-greX Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
running-high-availability Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
running-ips Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
running-ips-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
running-ipsec Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
running-ipsec-policy-X Context Commands and their Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
running-ipsec-vpn-X Context Commands and their Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
running-l2tp-serverX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
running-l2tpX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
running-log Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
running-loopbackX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
running-manual-sa Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
running-mgmt Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
iv
running-multicast-registration Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-notifycontacts (email) Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-notifycontacts-X (SNMP) Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-ntp Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-phase1-proposal-X Context Commands and their Usage . . . . . . . . . . . . . . . . . . . . . . . . .
running-phase1-proposal-X Context Commands and their Usage . . . . . . . . . . . . . . . . . . . . . . . . .
running-ospf Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-ospfv3 Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-pim-smv4 Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-pim-smv6 Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-pppoeX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-pptpX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-rep Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-rep-X (group X) Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-rep-X (profile X) Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-rip Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-ripng Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-route-map Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-schedules Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-schedules-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-segmentX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-services Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-services-X Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-smr Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-snat Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-snat-rule-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-snmp Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-vlanX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-zones Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
running-zones-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
CLI Reference Guide
186
186
188
189
190
191
192
195
198
200
202
208
214
215
216
218
221
224
225
225
226
227
228
230
231
232
234
237
243
244
v
vi
About This Guide
The Next Generation Firewall command line interface enables you to configure and manage the NGFW
Appliance from a command line. The NGFW commands can be used in custom scripts to automate tasks.
This section covers the following topics:
• Target Audience, page 1
• Related Documentation, page 1
• Document Conventions, page 2
• Customer Support, page 3
Target Audience
This guide is intended for security network administrators and specialists that have the responsibility of
monitoring, managing, and improving system security. The audience for this material is expected to be
familiar with the HP TippingPoint Next Generation Firewall.
Related Documentation
ccess the documentation at http://www.hp.com/support/manuals . For the most recent updates for your
products, check the HP Networking Support web site at http://www.hp.com/networking/support.
CLI reference guide
1
Document Conventions
This guide uses the following document conventions.
• Typefaces, page 2
• Document Messages, page 2
Typefaces
HP TippingPoint publications use the following typographic conventions for structuring information:
Table 1-1
Document Typographic conventions
Convention
Element
Medium blue text: Figure 1
Cross-reference links and e-mail addresses
Blue, underlined text (http://www.hp.com) Web site addresses
Bold font
•
•
Key names
Text typed into a GUI element, such as into a box
• GUI elements that are clicked or selected, such as menu and list
items, buttons, and check boxes. Example: Click OK to accept.
Italics font
Text emphasis, important terms, variables, and publication titles.
Monospace font
•
•
•
•
File and directory names
System output
Code
Text typed at the command-line
Monospace, italic font
•
•
Code variables
Command-line variables
Monospace, bold font
Emphasis of file and directory names, system output, code, and text
typed at the command line
Document Messages
Document messages are special text that is emphasized by font, format, and icons. This reference guide
contains the following types of messages:
• Warning
• Caution
• Note
• Tip
WARNING! Warning notes alert you to potential danger of bodily harm or other potential harmful
consequences.
CAUTION: Caution notes provide information to help minimize risk, for example, when a failure to follow
directions could result in damage to equipment or loss of data.
NOTE: Notes provide additional information to explain a concept or complete a task. Notes of specific
importance in clarifying information or instructions are denoted as such.
2
IMPORTANT:
Another type of note that provides clarifying information or specific instructions.
TIP: Tips provide helpful hints and shortcuts, such as suggestions about how you can perform a task more
easily or more efficiently.
Customer Support
HP is committed to providing quality customer support to all of its customers. Each customer is provided
with a customized support agreement that provides detailed customer and support contact information.
When you need technical support, use the following information to contact Customer Support.
Contact Information
For additional information or assistance, contact the HP Networking Support:
http://www.hp.com/networking/support
Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions
HP Contact Information
For the name of the nearest HP authorized reseller, see the contact HP worldwide web site:
http://www.hp.com/country/us/en/wwcontact.html
CLI reference guide
3
4
1
Command Line Interface
In addition to the Local System Manager (LSM) and the Centralized Management Capability of the
Security Management System (SMS), a Command-line Interface (CLI) can be used to configure and
manage the NGFW Appliance. The CLI is accessed directly through the console or remotely through SSH.
Non-secure connections, such as Telnet, are not permitted. For the initial set up, the "superuser" account is
set for the appliance. Once that is set, you can login from the console and set the management port IP
address. SSH and HTTPS are then accessible at the management port IP address.
NOTE:
To access the most recent updates to the NGFW product documentation, go to
http://www.hp.com/support/manuals.
This chapter covers the following topics:
• ”Overview” on page 5
• ”Command Modes” on page 7
• ”Configuration File Versions” on page 9
Overview
This chapter covers the hierarchical structure of the CLI, the command line syntax, and an overview on how
to edit, save and manage configuration files. Also provided, are a list of unix like utilities for monitoring
and troubleshooting the system. The show command provides easy to read sections from log files. The
display command displays sections of the running configuration file, or can be used to list a preview of
your configuration file edits before making a commitment to save.
Access to the NGFW is through the console to initially configure management access. The management
port is enabled by default for SSH and LSM management access. All access is determined by group
membership and the management of their roles. To configure granular levels of access, the aaa
(Authentication and Authorization and Auditing) context has the necessary utilities to modify users, groups,
roles, and their capabilities.
Command Line Interface Syntax
The following syntax is used in the CLI.
Table 1-1
Command Line Syntax
Syntax Convention
Explanation
UPPERCASE
Uppercase replaced by a value that you supply
(x)
Parentheses indicate a mandatory argument.
[x]
Brackets indicate an optional argument.
|
A vertical bar indicates a logical OR - such as alternatives within
parentheses or brackets.
Example:
NGFW{}traceroute ? (displays help information)
NGFW{}traceroute (A.B.C.D|HOSTNAME) [from A.B.C.D] [mgmt]
In the above example, arguments for the Traceroute command must either use a IP address or the
hostname. An optional argument can either be “from” a source IP address or the argument “mgmt”.
NGFW{}traceroute 198.162.0.1 from 198.162.0.2
NGFW{}traceroute 198.162.0.1 mgmt
NGFW Command Line Interface Reference
5
Shortcut Navigation Keys
The CLI has the ability to store typed commands in a circular memory. Typed commands can be recalled
with the UP and DOWN arrow keys.
The TAB key may be used to complete partial commands. If the partial command is ambiguous, pressing
the TAB key twice gives a list of possible commands.
Following is a list of shortcuts.
Table 1-2
Shortcut Keys
Shortcut
Description
ENTER
Run the command
TAB
Complete partial command
?
Question mark at the root prompt or after a command (separated by
space) will list next valid sub-commands or command arguments.
Question mark can also be used after sub-commands for more
information. A question mark immediately following a character(s)
(no space) will list commands beginning with those characters.
!
Exclamation mark before a command allows you to execute the
command from any feature context or sub-level. For example,
NGFW{running-gen}!ping 203.0.113.0
UP ARROW
Show the previous command
DOWN ARROW
Show the next command
Ctrl + P
Show the previous command
Ctrl + N
Show the next command
Ctrl + L
Clear the screen, does not clear history
Ctrl + A
Return to the start of the command you are typing
Ctrl + E
Go to the end of the command you are typing
Ctrl + U
Cut the whole line to a special clipboard
Ctrl + K
Cut everything after the cursor to a special clipboard
Ctrl + Y
Paste from the special clipboard used by Ctrl + U and Ctrl + K
Hierarchical Menu and Prompt display
Prompts will be displayed based on the context level as shown in the following table.
Table 1-3
6
Root, Edit and Log configuration modes
Command Line prompt
Description
NGFW{}
Top level root command mode
NGFW{}edit
From the root command line mode, enter the edit command to access configuration mode.
NGFW{running}
Configuration mode - indicated with the prompt change
NGFW{running}firewall
Enters the firewall configuration context
NGFW{running}display
View current configuration and your changes
NGFW{running}commit
Commits changes to the running configuration
NGFW{running}exit
Leaves the current context mode
Command Line Interface
Table 1-3
Root, Edit and Log configuration modes
Command Line prompt
Description
NGFW{}log-configure
From the root command line mode, enter the log-configure command to access the log configuration mode.
NGFW{log-configure}
log configuration mode
NGFW{log-configure}help
display list of valid commands and syntax usage
NGFW{log-configure}exit
leave the log configuration mode
Help
The help command provides a list of commands within the current context and the command line usage.
The help command can be executed with or without an argument.
• Enter help or ? to see a list of all commands. (question mark at any context level generates a list of
available commands within the context, along with a brief description)
• Enter help commandname to see the syntax for a command.
• Enter commandname ? to list the options for a command. For example, ping ?.
• Enter string? to show the commands or keywords that match the string. For example, s?.
Command Modes
The NGFW uses a hierarchical menu structure. Within this structure, commands are grouped by functional
area within one of three command modes: Root Command mode, Edit Configuration mode (edit), and
Log Configuration mode (log-configure). At the top of the hierarchy is the Root command mode.
NGFW{} Root command line mode
NGFW{running} Edit configuration mode
NGFW{log-configure} Log configuration mode
A context is an environment in which a set of parameters can be configured for a feature or named
object. A context can be the name of an instance of an object set by the administrator, or can be the
feature itself. The current context is indicated in the command prompt, and it’s visibility is determined by
the user’s role.
Administrative access allows the ability to modify the configuration of the NGFW appliance. Not all
contexts may be visible.
The help and display commands are useful in becoming familiar with the context options. The question
mark (?) lists the next valid entry and help for this entry.
If the appliance is controlled by SMS, only read-only access will be available to the system resources. To
determine if the SMS controls the unit, or to change the control, see the sms command usage.
Root Command Mode
When you initially enter the NGFW Appliance, either through the console or SSH, you will be placed at
the top level root command line mode with the NGFW{} prompt. The commands at this level are used for
managing and monitoring system operations for the various subsystems. From the root command mode,
you can access the configuration mode, and the available operational commands that apply to the unit as
a whole. To view the commands available at this level, type help[full|COMMAND] at the command
prompt.
NGFW{}help
The default NGFW{} command prompt can be changed using the host name command in the interface
mgmt context of the edit mode. For example:
NGFW Command Line Interface Reference
7
NGFW{}edit
NGFW{running}interface
NGFW{running-mgmt}help
NGFW{running-mgmt}host
NGFW{running-mgmt}host
mgmt
host (displays valid entries for configuring management port host settings)
? (displays valid entries for host command)
name yourhostname
For a list of root commands and their usage see the Root Commands section.
NOTE:
Your membership role determines your command line interface.
Edit Configuration Mode
The configuration mode enables administrators with the appropriate credentials to write configuration
changes to the active (running) configuration. The logon account used to configure the device must either
be associated with the Superuser role or the Administrator role to edit the configuration context. The
configuration mode has different context levels that provide access to a specific set of configuration
commands. To enter the configuration mode, use the edit command. Once you have executed the edit
command the CLI prompt will indicate that you are in the Edit mode, and can make configuration
changes. Configuration options, and sub contexts are available for use until you exit. To exit the edit
configuration mode, type exit.
When exiting the configuration mode, the following warning appears:
“WARNING: Modifications will be lost. Are you sure to exit (y/n)? [n]”
y will discard any uncommitted changes you made to the configuration file, and n will keep you in the
edit context.
The display command is a helpful utility to view the current running configuration and to review your
configuration changes before you save the changes.
NGFW{running} display
A commit command must be used to save your changes to the running configuration.
The command hierarchy has two types of statements. The Container statement, which contain objects and
the Object statement, which are actual commands with options.
For example:
• Container statement in edit mode:
NGFW{running}log
NGFW{running-log}? (help will list all the available entries)
• Object statement:
NGFW{running} application-visibility enable|disable (help will display command options)
A brief overview of what you can do within the edit configuration mode:
• Issue a command that configures a setting in the candidate configuration setting. The candidate
configuration allows you to make configuration changes without causing changes to the active
configuration until you can review your changes and issue the commit command.
• Enter into a container context to access additional configuration settings.
• Run the display command to see your candidate configuration settings for a context. Any
modifications you make can be viewed using the display command.
• Run the Commit command to save any changes from your candidate configuration to the running
configuration.
• Exit from a context.
8
Command Line Interface
NOTE: As you move through the context menu hierarchies, the command prompt changes accordingly.
The help or display command can be entered at any level.
Configuration File Versions
When troubleshooting or needing to rollback a configuration, the current configuration setup can be
viewed. Reviewing network configuration files should be a necessary step to becoming knowledgeable
about your current system setup. When the device is initially configured, make sure the settings are saved
to the persistent configuration with the NGFW{}save-config command. It’s also advisable to create a
snapshot using the following command:
NGFW{}snapshot create orig_conf
Snapshots capture the configuration of a device, which can then be delivered to technical support for
troubleshooting. Users can also use snapshots to save and re-apply configurations. Snapshots include the
currently installed OS version, and cannot be restored on a device that is not running the same version of
the OS. If a snapshot restore needs to be completed, use the following command:
NGFW{}snapshot restore orig_conf
A warning message is displayed, followed by an automatic reboot when snapshot restore is completed.
The NGFW Appliance CLI uses the deferred-commit model. In this capacity, the architecture maintains a
set of configuration files to ensure that a working configuration is persistently maintained. This
configuration set includes the following configuration files.
• Running configuration — this version is currently executing on the system. Any changes that
administrators make from the edit mode (except for IPS features, action sets and notification contacts)
will take effect once they have been committed, by issuing the Commit command. If changes are not
committed, all modifications are discarded on exit from the running context. If multiple
administrators are on the system, the version that was last committed is used as the current running
configuration and is visible to other administrators, once they have exited the edit mode. A warning
prompt is displayed if the committed changes would overwrite configuration that was made by
another administrator since the configuration was edited.
• Saved (persistent) configuration — this is the running configuration that was last committed prior to
executing the save-config command. NGFW copies the saved configuration to the start
configuration when the system reboots.
• Start configuration — This is a backup copy of the configuration file saved at the time of system startup, and
is loaded at the next system bootup. The rollback-config command can be used to rollback to a
persistent and running configuration that was the last known good configuration.
NOTE:
Future versions of the product will support multiple named saved configuration sets.
Utilities
The Display and Show commands are helpful for troubleshooting and monitoring the operational status of
the system. Command line usage can be found in Root Commands.
Display
Enter display to see your candidate configuration settings for a context. Any modifications you make can
be viewed using the display command. The output of the display command depends on where the
command is executed. If executed at the configuration level, it displays the entire configuration of the unit.
Executing the display command with a configuration name parameter, or from within a context displays
the contents of that particular configuration.
NGFW Command Line Interface Reference
9
Show
The show command is most efficient in providing critical information, such as traffic usage, router platform
type, operating system revision, amount of memory, and the number of interfaces. The show command can
also be used to evaluate logging, troubleshooting, tracking resources, sessions, and security settings. To
view all the available show utilities, enter the help show command at the root command level. All the
available commands along with the correct command line usage are displayed.
10
Command Line Interface
2
Global Commands
Global commands can be used in any context.
commit
Initiates all pending configuration changes in the edit mode.
NOTE: This command does not write the modifications to the startup configuration file. However, the
save-config command can be run from the edit configuration context by using the exclamation mark.
Syntax
commit
Example
NGFW{running}commit
NGFW{running}!save-config
exit
Exits the current context.
Syntax
exit
Example
NGFW{running-aaa}exit
NGFW{running}
help
Displays help information.
Syntax
help [full|COMMAND]
Example
NGFW{running}help log
Enter log context
Syntax: log
log
Enter log context
Example
NGFW{running-firewall}help
Valid commands are:
default-block-rule DEFACTIONSET
delete rule all|XRULEID
help [full|COMMAND]
rename rule XRULEID NEWRULEID
rule (auto|RULEID) [POSITION_VALUE]
NGFW Command Line Interface Reference
11
more
Set session to display output page by page.
Syntax
more (enable|disable)
Example
NGFW{running}more enable
display
Displays the current configuration, or the candidate configuration before a commit is issued. Display
options vary by context, enter the "help display" command in a context to view the available options.
Syntax
display
display [xml]
Example
NGFW{running-aaa-user-myuser1}display
# USER ID
user myuser1
12
Global Commands
3
Root Commands
The top level root command line mode displays the NGFW{} prompt. Commands at this level are used for
managing and monitoring system operations for the various subsystems. From the root command mode,
you can access the configuration mode, and the available commands that apply to the appliance as a
whole. Enter help full or help COMMANDNAME at the command prompt to display a list of available
commands or help on a specific command.
NGFW{}help
The default NGFW{} command prompt can be changed using the host name command in the interface
mgmt context of the edit mode. For example:
NGFW{}edit
NGFW{running}interface
NGFW{running-mgmt}help
NGFW{running-mgmt}host
NGFW{running-mgmt}host
mgmt
host (displays valid entries for configuring management port host settings)
? (displays valid entries for host command)
name yourhostname
boot
Manages software packages.
Syntax
boot (list-image|rollback)
Example
NGFW{}boot list-image
Index
Version
-----------------------------------------------------0
1.0.0.3935
1
1.0.0.2923
2
1.0.0.3932
3
1.0.0.3917
Oldest Index is
2
Factory Reset Index is 3
clear
Clears system information.
Syntax
clear connection-table (blocks|trusts)
clear high-availability state-sync (all|firewall|ips|routing)
clear ip bgp (A.B.C.D|ASNUMBER|all|external) [soft] [in|out]
clear ip bgp peer-group NAME [soft] [in|out]
clear log-file
(audit|fwAlert|fwBlock|ipsAlert|ipsBlock|quarantine|reputationAlert|reputationBlock|
system|visibility|vpn)
clear np engine filter
clear np engine packet
clear np engine parse
clear np engine reputation dns
clear np engine reputation ip
clear np engine rule
clear np reassembly ip
clear np reassembly tcp
clear np rule-stats
NGFW Command Line Interface Reference
13
clear
clear
clear
clear
clear
clear
np softlinx
np tier-stats
counter policy
rate-limit streams
users all [locked|ip-locked]
users (NAME|A.B.C.D|X:X::X:X) [locked]
Example
NGFW{}clear log-file vpn
Example
NGFW{}clear ip bgp 10.10.10.10 soft in
Not cleared BGP is not active
Example
NGFW{}clear ip bgp external soft
Example
NGFW{}clear users fred
date
Used alone to display the current date, or with arguments to configure the date in a 24 hour format. The
date command shows the current time in the time zone configured on the device and the "gmt" argument
shows the time in GMT (UTC).
Syntax
date [MMDDhhmm[[CC]YY][.ss]])
date gmt
Example
NGFW{}date 071718202013.59 (sets date to July 17 2013 6:20PM 59 seconds)
edit
The edit context modifies the configuration that identifies the security policy and interfaces that you can
configure for your firewall. Edit takes an instance of the running configuration file. This instance is your
version. After making modifications to this candidate configuration version, you have the option of saving
it to the running configuration, or discarding any changes you made. To discard, simply exit. To save
your candidates configuration, enter the commit command before exiting the edit context. To see
commands under the edit context, see edit configuration.
NGFW{}
NGFW{}edit
NGFW{running}
NGFW{running}commit
NGFW{running}exit
NGFW{}
flush
Flushes the following configuration items.
Syntax
flush
flush
flush
flush
14
(arp|ndp)
ipsec sa policy NAME [id ID]
ike sa [policy NAME [id ID]]
bgp [ip] A.B.C.D [(in prefix-filter)|in|out|(soft [in|out])|rsclient]
Root Commands
flush bgp ip A.B.C.D [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft
[in|out])]
flush bgp ip A.B.C.D [vpnv4 unicast in|out|(soft [in|out])]
flush bgp ipv6 X:X::X:X [(in prefix-filter)|in|out|(soft [in|out])|rsclient]
flush bgp [ip] dampening [A.B.C.D/M|(A.B.C.D [A.B.C.D])]
flush bgp [ip] external [(in prefix-filter)|in|out|(soft [in|out])]
flush bgp ip external [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft
[in|out])]
flush bgp ipv6 external [(in prefix-filter)|(soft [in|out])]
flush bgp ipv6 external [peer WORD (in|out)]
flush bgp [ip] view WORD [soft [in|out]]
flush bgp [ip|ipv6] view WORD (A.B.C.D|X:X::X:X|all) rsclient
flush bgp ip view WORD [ipv4 (unicast|multicast)] (in prefix-filter)|(soft [in|out])
flush bgp [ip|ipv6] PEERAS [(in prefix-filter)|in|out|(soft [in|out])]
flush bgp ip PEERAS [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft
[in|out])]
flush bgp ip PEERAS [vpnv4 unicast in|out|(soft [in|out])]
flush bgp [ip|ipv6] all [(in prefix-filter)|in|out|(soft [in|out])|rsclient]
flush bgp ip all [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft
[in|out])]
flush bgp ip all [vpnv4 unicast in|out|(soft [in|out])]
flush bgp [ip|ipv6] peer-group [(in prefix-filter)|in|out|(soft [in|out])]
flush firewall-session (all|ID) [family (ipv4|ipv6)]
Example
NGFW{}flush firewall-session 134217756
Success
NGFW{}flush ipsec sa policy mytunnel
help
Displays help information at any context level.
high-availability
Manage high-availability devices.
Syntax
high-availability force (active|passive)
high-availability segment force (normal|fallback)
Example
NGFW{}high-availability segment force normal
Status: OK
list
Displays traffic capture file list.
Syntax
list traffic-file
Example
NGFW{}list traffic-file
log-configure
Enter log configuration context.
NGFW Command Line Interface Reference
15
Syntax
log-configure
Example
NGFW{}log-configure
NGFW{log-configure}help
NGFW{log-configure}show log-file summary
Related Commands
Log Configure Commands
logout
Logs you out of the system.
Syntax
logout
Example
NGFW{} logout
master-key
The system master-key is used to encrypt the removable user-disk (the external CFast), and the system
keystore. The user-disk holds traffic logs, packet capture data, and system snapshots. The keystore retains
data such as device certificates and private keys.
The master-key has the following complexity requirements:
• Must be between 9 and 32 characters in length.
• Combination of upper and lower case alpha and numbers.
• Must contain at least one “special” char (eg: !@#$%)
• Set or clear the master key for keystore and external Cfast user-disk encryption.
Syntax
master-key (clear|get|set)
Example
Get the master key for keystore and user-disk encryption
NGFW{}master-key set
WARNING: Master key will be used to encrypt the keystore and external user disk.
Do you want to continue (y/n)? [n]: y
Enter Master Key
: ****************
Re-enter Master Key: ****************
Success: Master key has been set.
Example
NGFW{}master-key get
Success: My.1.MasterKey!!
Example
NGFW{}master-key clear
WARNING: Clearing master key will remove encryption from the keystore and
external user disk.
Do you want to continue (y/n)? [n]: y
Success: Master key has been cleared.
16
Root Commands
ping
Test connectivity with ICMP traffic. The mgmt option uses the management interface.
Syntax
ping (A.B.C.D|HOSTNAME) [count INT] [maxhop INT] [from A.B.C.D] [mgmt] [datasize INT]
ping (A.B.C.D|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [from A.B.C.D] [mgmt]
[datasize (64-65468)]
ping6 (X:X::X:X|HOSTNAME) [count INT] [maxhop INT] [interface INTERFACE] [from
X:X::X:X] [datasize INT]
ping6 (X:X::X:X|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [interface INTERFACE]
[from X:X::X:X] [datasize (64-65468)]
Example
NGFW{}ping 192.168.1.1 mgmt
ping using mgmt port
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 vrfid=500 time=0.4
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 vrfid=500 time=0.1
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 vrfid=500 time=0.1
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 vrfid=500 time=0.1
--- 192.168.1.1 ping statistics --4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.4 ms
ms
ms
ms
ms
ping6
Test connectivity with ICMPv6 traffic
Syntax
ping6 (X:X::X:X|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [interface INTERFACE]
[from X:X::X:X] [datasize (64-65468)]
Example
NGFW{}ping6 100:0:0:0:0:0:0:1
ping using data ports
PING 100:0:0:0:0:0:0:1 (100:0:0:0:0:0:0:1):
64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=1
64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=2
64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=3
64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=4
56 data bytes
ttl=64 vrfid=0
ttl=64 vrfid=0
ttl=64 vrfid=0
ttl=64 vrfid=0
time=0.3
time=0.1
time=0.1
time=0.1
ms
ms
ms
ms
--- 100:0:0:0:0:0:0:1 ping statistics --4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.3 ms
reboot
Reboots the system.
Syntax
reboot
Example
NGFW{}reboot
WARNING: Are you sure you want to reboot the system (y/n) [n]:
NGFW Command Line Interface Reference
17
Reports
Configure data collection for on-box reports.
Syntax
reports (reset|enable|disable)
[all|cpu|disk|fan|memory|network|rate-limiter|temperature|traffic-profile|vpn]
Valid entries:
reset
enable
disable
all
cpu
disk
fan
memory
network
rate-limiter
temperature
traffic-profile
vpn
Delete report data
Start data collection for reports
Stop data collection for reports
All reports (default)
CPU utilization report
Disk utilization report
Fan speed report
Memory utilization report
Network bandwidth report
Rate Limiter report
Temperature report
Traffic Profile report
VPN report
Example
NGFW{}reports enable cpu
NGFW{}reports reset cpu
WARNING: Are you sure you want to reset cpu reports (y/n)? [n]:
Related Commands
show reports
save-config
Saves the running configuration to a persistent configuration.
Syntax
save-config
Example
NGFW{}save-config
WARNING: Saving will apply this configuration at the next system start. Continue
(y/n)? [n]:
service-access
Enable or disable service access.
Syntax
service-access (enable|disable)
Example
NGFW{}service-access enable
Serial: X-NGF-S1020F-GENERIC-001
Salt:
Zk0lenyg
NGFW{}service-access disable
18
Root Commands
set
Syntax
set cli filtering rule (auto-comment|no-auto-comment|(last-auto-comment-value INT))
Example
NGFW{}set cli filtering rule auto-comment
NGFW{}set cli filtering rule no-auto-comment
show
The show command enables you to view current system configuration, status, and statistics.
Table 3-1
Show command
Command
Description
show aaa
show AAA information
show agglink
Show agglink status
show arp
Show Address Resolution Protocol entries
show autoconf dhcpv4 client
IPv4 Dynamic Host Configuration Protocol
show autoconf dhcpv6 client
IPv6 Dynamic Host Configuration Protocol
show autoconf ra
Show autoconfig Router Advertisement information
show cluster
Show cluster status
show date
Show the current router date and time
show dhcp relay
Show DHCPv4 Relay information
show dhcp server lease
Display DHCP server leases history
show dhcpv6
Show DHCPv6 client lease
show dns
Show Domain Name Service
show firewall
Displays firewall rules and sessions.
show high-availability
Show high-availability status
show interface
Show network interface
show ip bgp
Show the Border Gateway Protocol information
show ip igmp
Show Internet Group Management Protocol
show ip mroute
Show Multicast Static IP route
show ip ospf
Show Open Shortest Path First (OSPF) information
show ip pim-sm
Show PIM-SM routing information
show ip rip
Show the RIP routes
show ip route
Show the unicast routes
show ip smr
Show SMR routing information
show ipv6 mld
Show IPv6 routing information for MLD group or
interface
show ipv6 mroute
Show IPv6 routing information for multicast routes
show ipv6 ospfv3
Show the OSPFv3 unicast routes
NGFW Command Line Interface Reference
19
Table 3-1
20
Show command
Command
Description
show ipv6 pim-sm
Show ipv6 Protocol Independent Multicast - Sparse
Mode (PIM-SM) routing information
show ipv6 ripng
Show RIPng routing information
show ipv6 route ripng
Show ripng route information
show (ip|ipv6) route
Show the unicast routes
show key
Show local server SSH key information
show l2tp
Show Layer 2 Tunneling Protocol information
show license
Shows the license number and status
show log-file
Shows the logfiles
show log-file boot
Shows the boot file
show mfg-info
Show manufacturing information
show ndp
Show Neighbor Discovery Protocol
show np engine
Show net processor statistics
show np general statistics
Show general network processor information
show np protocol-mix
Show network processor protocol-level statistics
show np reassembly
Show network processor reassembly statistics
show np rule-stats
Show network processor rules, number of flows,
successful matches
show np softlinx
Show network processor softlinx statistics
show np tier-stats
Show network processor throughput and utilization for
each tier
show quarantine-list
Show quarantine list information
show reports
Show status of data collection for reports
show service
Show network service information
show sms
Show status of SMS control
show snmp
Show SNMP information
show system buffers
Show Forwarding buffer state
show system connections
Show active socket information
show system processes
Show system processes
show system statistics
Show system-wide protocol-related statistics
show system usage
Show system usage
show system virtual-memory
Show system virtual memory
show system xms memory
Show xms memory usage
show terminal
Show terminal settings
show traffic-file
Show network traffic from file
show tse connection-table
Show TSE connection-table information
Root Commands
Table 3-1
Show command
Command
Description
show users
Show users information
show version
Show device version information
show aaa
Syntax
show aaa capabilities USER
Example
show aaa capabilities fred
NGFW{}show aaa capabilities fred
ID
NAME
STATE
--------------------------------------------1
NGFW
full
2
SECURITY
full
3
FIREWALLRULES
full
4
SECURITYZONES
full
5
APPLICATIONGROUPS
full
6
ADDRESSGROUPS
full
7
SERVICES
full
8
SCHEDULES
full
9
INSPECTIONPROFILES
full
10
IPS
full
11
IPREPUTATION
full
12
PROFILEGROUPS
full
13
CAPTIVEPORTALRULES
full
14
NATRULES
full
15
ACTIONSETS
full
16
SYSTEM
full
17
SMSMANAGED
full
18
MANAGEMENT
full
19
DNS
full
20
IPFILTERS
full
21
UPGRADE
full
22
NOTIFICATION
full
23
LOGGING
full
24
HIGHAVAILABILITY
full
25
HACONFIGURATION
full
26
HASTATE
full
27
SNMP
full
28
TIME
full
29
FIPS
full
30
UPDATE
full
31
PACKAGES
full
32
AUTODV
full
33
SNAPSHOT
full
34
USERAUTH
full
35
LOCALUSER
full
36
USERGROUP
full
37
ROLES
full
38
RADIUS
full
39
LDAP
full
NGFW Command Line Interface Reference
21
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
CAPTIVEPORTAL
GENERAL
X509CERT
VPN
IKE
IKECONFIGURATION
IKESTATUS
IPSEC
IPSECCONFIGURATION
IPSECSTATUS
L2TP
L2TPCONFIGURATION
L2TPSTATUS
REPORTING
LOG
FIREWALLLOG
IPSLOG
REPUTATIONLOG
VPNLOG
SYSTEMLOG
AUDITLOG
SECURITYREPORTS
NETWORKREPORTS
DEBUGTOOLS
REBOOT
SHUTDOWN
SERVICEACCESS
NETWORK
INTERFACES
SEGMENTS
DHCPSERVER
DHCPRELAY
ARPNDP
STATICROUTES
STATICMONITOREDROUTES
DYNAMICROUTING
ACCESSLISTS
ROUTEMAPS
OSPF
RIP
BGP
MULTICAST
ROUTINGTABLE
COMPACTFLASH
CUSTOMCATEGORIES
APPLICATIONVISIBILITY
GLOBALINSPECTIONPROFILE
DEBUGNP
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
full
show agglink
Displays information about whether or not the member ports are up in the aggregated link.
Syntax
show (agglink|INTERFACE)
22
Root Commands
Example
NGFW{}show agglink
#AGGLINK TABLES
Service ETHGRP is inactive
show arp
Syntax
show arp
Example
NGFW{}show arp
IP Address
15.226.140.254
Mac-Address
3c:e5:a6:13:7f:2a
Interface
mgmt
State
delay
NGFW{}show ndp
IP Address
Mac-Address
fe80::3ee5:a6ff:fe13:7f2a 3c:e5:a6:13:7f:2a
Interface
mgmt
State
stale
show ndp
Syntax
show ndp
Example
show autoconf dhcpv4 client
Syntax
show autoconf dhcpv4 client (current|history)
Example
NGFW{}show autoconf dhcpv4 client
Example
NGFW{}show autoconf dhcpv4 client history
# DHCPCLIENT LEASES HISTORY
Service DHCP
is inactive
show autoconf dhcpv6 client
Syntax
Show autoconf dhcpv6 client
Example
NGFW{}show autoconf dhcpv6 client
Service DHCPv6 client is inactive
show autoconf ra
Syntax
show autoconf ra (INTERFACE|all)
Example
NGFW{}show autoconf all
NGFW Command Line Interface Reference
23
no data
show cluster
Syntax
show cluster
Example
cluster.3-device23{} show cluster
Cluster Status
-------------Name:
cluster
Identifier: 3
State:
Enabled
Segment HA: Normal
Master:
cluster.3-device23
Members
------Name:
cluster.3-device23
HA State:
Active
show date
This command shows the GMT time or the local time and timezone for the appliance.
Syntax
show date [gmt]
Example
NGFW{}show date
Sun Sept 15 04:29:59 2013 GMT
NGFW{}show date gmt
Wed Aug 21 21:51:13 2013 GMT
NGFW{}show date
Wed Aug 21 14:51:16 2013 America/Los_Angeles
show dhcp relay
Shows DHCPv4 Relay information.
Syntax
show dhcp relay
Example
NGFW{}show dhcp relay
DHCP Relay is not running
show dhcp server lease
Syntax
show dhcp server lease (current | history)
Example
NGFW{}show dhcp server lease current
Status: Inactive
24
Root Commands
IP Address
Mac Address
Start date & time
End date & time
show dhcpv6
Syntax
show dhcpv6
Example
NGFW{}show dhcpv6
Service DHCPv6 client is inactive
show dns
Syntax
show dns
Example
NGFW{}show dns
# DNS PROXY
Proxy Disabled
# STATIC DNS
# DYNAMIC V4 DNS
# DYNAMIC V6 DNS
show firewall
Displays firewall rules and sessions.
Syntax
show firewall rules [count MAX-RULES] [rule all|ID] [action-set ACTIONSET]
[src-zones SRC-ZONE] [dst-zones DST-ZONE] [services SERVICES] [schedules SCHEDULE]
[application APPS] [more]
show firewall sessions [count MAX-SESSIONS] [family FAMILY] [protocol PROTOCOL]
[direction DIRECTION] [more]
Example
NGFW{}show firewall sessions
ID Protocol State
Direction Source(IP:PORT) Destination(IP:PORT) Bytes Expires
-----------------------------------------------------------------------------------3469 IGMP(2) unreplied original 192.168.1.1
224.0.0.2
32
75
reply
224.0.0.2
192.168.1.1
0
NGFW{}show firewall rules
1.
Rule:
Action set:
2.
Rule:
Action set:
20000
Permit + Notify
20010
Permit + Notify
show high-availability
Syntax
show high-availability (state-sync (all|FEATURE))
Example
NGFW{}show high-availability state-sync firewall
HA Synchronization State
NGFW Command Line Interface Reference
25
-----------------------Name: firewall
State: enabled
Synchronization State: Not initialized
Reason: Unable to determine synchronization state
Total Entries: 353
Added Entries: 324
Deleted Entries: 0
Related Commands
high-availability force (active|passive)
high-availability segment force (normal|fallback)
show interface
Syntax
show interface [INTERFACE [statistics [update INT]]]
show interface [INTERFACE] multicast-registration
Examples
NGFW{}show interface ha
Interface
ha
MAC Address
00:10:f3:2c:81:df
Enabled
Yes
Link
Down
Speed
10Mbps
Auto Negotiate Enabled
Duplex
Half
MTU
9216
NGFW{}show interface mgmt
Interface
mgmt
IP Address
A.B.C.D/24
IPv6 Address
fe80::210:f3ff:fe2c:81de/64 (Link Local)
MAC Address
00:10:f3:2c:81:de
Enabled
Yes
Link
Up
Speed
1000Mbps
Auto Negotiate Enabled
Duplex
Full
MTU
1500
NGFW{}show interface bridge1
Interface
bridge1
IPv6 Address
fe80::210:f3ff:fe2c:81e2/64 (Link Local)
MAC Address
00:10:f3:2c:81:e2
Enabled
Yes
Link
Up
MTU
1500
NGFW{}show interface multicast-registration
default:
IGMP: igmpv3
MLD : mldv2
force:
IGMP: igmpv3
MLD : mldv2
26
Root Commands
show ip bgp
Syntax
show
show
show
show
show
show
show
show
show
show
show
show
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
bgp
bgp
bgp
bgp
bgp
bgp
bgp
bgp
bgp
bgp
bgp
bgp
debug
A.B.C.D/M
summary
neighbors
neighbors A.B.C.D
neighbors A.B.C.D (advertised-routes|routes)
filter-list FILTER-LIST-NAME
prefix-list PREFIX-LIST-NAME
route-map ROUTE-MAP-NAME
community-list COMMUNITY-LIST-NAME
community AA:NN|internet|local-as|no-export|no-advertise
Example
NGFW{}show ip bgp
BGP Router Default Instance (ASN 230)
BGP table version is 0, local router ID is 172.16.30.230
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network
*> 99.1.0.0/24
*> 99.2.0.98/32
*> 172.16.40.0/24
Next Hop
172.16.30.99
172.16.30.99
172.16.20.98
Metric LocPrf Weight Path
11
32768 ?
11
32768 ?
0
0 98 i
Total number of prefixes 3
show ip igmp
Shows IGMP interface information or group information.
Syntax
show ip igmp (interface|groups)
Example
NGFW{}show ip igmp interface
ethernet2 is up
Interface address: 172.16.30.230/24
IGMP on this interface: enabled
Multicast routing on this interface: enabled
Multicast TTL threshold: 1
Current IGMP router version: 3
IGMP query interval: 125 seconds
IGMP max query response time: 100 deciseconds
Last member query response interval: 10 deciseconds
IGMP Querier: 172.16.30.230
Robustness: 2
Require Router Alert: enabled
Startup Query Interval: 312 deciseconds
Startup Query Count: 2
General Query Timer Expiry: 00:00:07
Startup Query Timer Expiry: 00:00:07
Multicast groups joined:
NGFW Command Line Interface Reference
27
show ip mroute
Shows the multicast routes.
Syntax
show ip mroute
Example
NGFW{}show ip mroute
Source
Group
152.168.1.2
239.255.255.2
In-interface
pimreg
Out-interface(s)
ethernet1
show ip ospf
Displays general information about Open Shortest Path First (OSPF) routing processes.
Syntax
show ip ospf ?
show ip ospf (database|interface[IFACE]|neighbor [debug]|redistribute|route[debug])
Example
NGFW{}show ip ospf
OSPF Router with ID (15.255.125.122)
OSPF Routing Process 0 [VRF 0], Router ID: 15.255.125.122
Supports only single TOS (TOS0) routes
This implementation conforms to RFC2328
RFC1583Compatibility flag is disabled
OpaqueCapability flag is enabled
SPF schedule delay 200 secs, Hold time between two SPFs 1000 secs
Refresh timer 10 secs
Kernel delay 50 ms
This router is an ASBR (injecting external routing information)
Redistribute Configuration
Maximum-Prefix is not configured
Number of external LSA 0. Checksum Sum 0x00000000
Number of opaque AS LSA 0. Checksum Sum 0x00000000
Number of areas attached to this router: 1
Area ID: 0.0.0.0 (Backbone)
Number of interfaces in this area: Total: 1, Active: 1
Number of fully adjacent neighbors in this area: 1
Area has no authentication
SPF algorithm executed 8 times (in 0 ms)
Number of LSA 3
Number of router LSA 2. Checksum Sum 0x00015328
Number of network LSA 1. Checksum Sum 0x00000b59
Number of summary LSA 0. Checksum Sum 0x00000000
Number of ASBR summary LSA 0. Checksum Sum 0x00000000
Number of NSSA LSA 0. Checksum Sum 0x00000000
Number of opaque link LSA 0. Checksum Sum 0x00000000
Number of opaque area LSA 0. Checksum Sum 0x00000000
show ip pim-sm
Syntax
show ip pim-sm (interface|neighbor|rp|bsr-router)
28
Root Commands
Example
NGFW{}show ip pim-sm interface
Address
Interface
Mode
182.168.1.10
ethernet5
sparse
Neighbor
Count
1
Hello DR
Intvl Pri
30
1
DR Address
182.168.1.20
Example
ngfw{}show ip pim-sm neighbor
Interface
Address
ethernet5
182.168.1.20
ngfw{}show ip pim-sm bsr-router
PIMv2 Bootstrap information
This system is the Bootstrap Router (BSR)
BSR address: 182.168.1.10
Uptime:
00:00:26, BSR Priority: 10, Hash mask length: 30
Next bootstrap message in 00:00:34
ngfw{}show ip pim-sm rp
The PIM RP Set
Group: 239.255.255.2/32
RP: 182.168.1.10
Uptime: 00:00:51, Expires: 00:01:39, Priority: 10
show ip rip
Shows the RIP routes.
Syntax
show ip rip
Example
NGFW{}show ip rip
RIP Router Default Instance
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 29 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Mesage load balancing using 1 time slots
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive any version
Interface
Send Recv Pri RIPv1BorderGW RIPv1IngrSumy Key-chain
ethernet1
2
1 2
7
Enable
Enable
Split horizon
No authentication
Routing for Networks:
ethernet1
Routing Information Sources:
Gateway
BadPackets BadRoutes Distance Last Update
Distance: (default is 120)
show ip route
Syntax
show ip route (bgp|connected|debug|mgmt|ospf|rip|smr|static)
NGFW Command Line Interface Reference
29
Example
NGFW{}show ip route debug
Codes: K - kernel route, C- connected, S - static, R - RIP, O - OSPF,
B - BGP, > - selected route, * - FIB route
K *
C>*
C>*
C>*
K>*
S>*
C>*
C>*
C>*
C>*
127.0.0.0/8 is directly connected, unknown(0) inactive, rej
127.0.0.0/8 is directly connected, lo
192.168.1.0/24 is directly connected, ethernet13
192.168.100.0/24 is directly connected, ethernet14
224.0.0.2/32 is directly connected, lo501
0.0.0.0/0 [1/0] [vrf 500] via 15.220.140.254, mgmt
15.220.140.0/24 [vrf 500] is directly connected, mgmt
127.0.0.0/8 [vrf 500] is directly connected, lo500
127.0.0.0/8 [vrf 501] is directly connected, lo501
169.254.0.0/24 [vrf 501] is directly connected, ha
show ip smr
Show SMR routing information.
Syntax
show ip smr [status]
Example
NGFW{}show ip smr
Type Prefix
*
1.1.1.0/24
*
2.2.2.0/24
*
3.3.3.0/24
4.4.4.0/24
NextHop
172.16.20.220
172.16.20.220
172.16.20.220
172.16.20.30
Distance
10
10
10
10
Probe Target
NGFW{} show ip smr status
3 route(s) active
1 route(s) inactive
Global round-trip avg/max 0.5/29.2 msec
10 packets/640 bytes sent last second
show ipv6 mld
Shows IPv6 routing information for MLD group or interface.
Syntax
show ipv6 mld (interface|groups)
Example
NGFW{}show ipv6 mld interface
ethernet1 is up
Interface address: fe80::210:f3ff:fe24:5b7e%ethernet1/64
MLD on this interface: enabled
Multicast routing on this interface: disabled
Current MLD router version: 2
MLD query interval: 125 seconds
MLD max query response time: 10 seconds
Last member query response interval: 10 deciseconds
MLD Querier: fe80::210:f3ff:fe24:5b7e%ethernet1
Robustness: 2
Require Router Alert: enabled
Startup Query Interval: 312 deciseconds
30
Root Commands
Startup Query Count: 2
General Query Timer Expiry: 00:01:19
Multicast groups joined:
NGFW{}show ipv6 mld groups
MLD Connected Group Membership
Group Address Interface
Uptime
ff1e:11::1
ethernet1
00:00:04
Expires
00:04:16
Last Reporter
fe80::215:17ff:fe3c:edea%ethernet1
show ipv6 mroute
Shows IPv6 routing information for multicast routes.
Syntax
show ipv6 mroute
Example
NGFW{}show ipv6 mroute
Source Group In-interface Out-interface(s)
2001:300::2 ff1e:11::1 pimreg ethernet1
show ipv6 ospfv3
Shows the OSPFv3 unicast routes.
Syntax
show ipv6 ospfv3 (database|interface[IFACE]|neighbor[debug]|route)
Example
NGFW{}show ipv6 ospfv3
OSPFv3 Router with ID (172.16.30.230)
OSPFv3 Routing Process 0 [VRF 0] with Router-ID 172.16.30.230
Running 00:00:07
Graceful Restart: Enabled with interval 120
Status: restarting (left time 113s)
Graceful Restart Helper: Enabled
Redistribute Configuration
Maximum-Prefix is not configured
Number of AS scoped LSAs is 0
Number of AS scoped LSAs is 0
Number of areas in this router is 2
Area 0.0.0.0
Number of Area scoped LSAs is 0
Interface attached to this area: ethernet1
Area 0.0.0.9
Number of Area scoped LSAs is 0
Interface attached to this area:
show ipv6 pim-sm
Protocol Independent Multicast - Sparse Mode (PIM-SM) provides efficient communication between
members of sparsely distributed groups that are common. PIM-SM is designed to limit multicast traffic so
only switches interested in receiving traffic for a particular group receive the traffic.
Syntax
show ipv6 pim-sm (interface|neighbor|rp|bsr-router)
NGFW Command Line Interface Reference
31
Example
NGFW{}show ipv6 pim-sm interface
Interface
Mode
ethernet5
sparse
Address:
fe80::210:f3ff:fe24:5b82
DR Address: this system
Neighbor
Count
1
Hello
DR
Interval Priority
30
1
NGFW{}show ipv6 pim-sm neighbor
Interface
Address
ethernet5
fe80::210:f3ff:fe24:5b5b
PIM6v2 Bootstrap information
This system is the Bootstrap Router (BSR)
BSR address: 2001:200::10
Uptime:
00:20:00, BSR Priority: 10, Hash mask length: 126
Next bootstrap message in 00:00:00
NGFW{}show ipv6 pim-sm rp
The PIM6 RP Set
Group: ff1e:11::1/128
RP: 2001:200::10
Uptime: 00:20:22, Expires: 00:01:59, Priority: 0
show ipv6 ripng
Shows the RIPng routes.
Syntax
show ipv6 ripng
Example
NGFW{}show ipv6 ripng
RIPng Router Default Instance
Routing Protocol is "RIPng"
Sending updates every 30 seconds with +/-50%, next due in 37 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Default redistribution metric is 1
Redistributing:
Default version control: send version 1, receive version 1
Interface
Send Recv
ethernet1
1
1
Split horizon
Routing for Networks:
ethernet1
Routing Information Sources:
Gateway ReceivedPackets BadPackets BadRoutes Distance
Last Update
Distance: (default is 120)
show ipv6 route ospfv3
Shows the OSPFv3 unicast routes.
Syntax
show ipv6 route ospfv3
Example
NGFW{}show ipv6 route ospfv3
32
Root Commands
Codes: O - ospfv3, > - selected route, * - FIB route
O>* 1:1::/64 [110/2] via fe80::20c:29ff:fee0:c919, ethernet2, 00:00:28
O>* 2:2::2:2/128 [110/1] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28
O>* 2100::/64 [110/2] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28
O>* 2100::2/128 [110/1] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28
show ipv6 route ripng
Shows the RIPng routes.
Syntax
show ipv6 route ripng
Example
NGFW{}show ipv6 route ripng
Codes: K - kernel route, C - connected, S - static, R - RIPng, O - OSPFv3,
I - ISIS, B - BGP, N - NAT-PT, D - Delegated Prefix, > - selected route,
* - FIB route, b - Backup route, < - delayed route, Q - Untyped route
R>* 4100::/64 [120/2] via fe80::210:f3ff:fe26:f375, ethernet2, 00:00:07
show (ip|ipv6) route
Syntax
show (ip|ipv6) route (debug|mgmt|static|connected)
Example
NGFW{}show ipv6 route static
Codes: S - static, > - selected route, * - FIB route
show key
Shows local server SSH key.
Syntax
show key
Example
NGFW{}show key
show l2tp
Shows layer 2 tunneling protocol information.
Syntax
show l2tp
Example
NGFW{}show l2tp
=============
Current sessions for L2TP:
L2TP server is not running.
NGFW Command Line Interface Reference
33
show license
Syntax
show license
Example
NGFW{}show license
License: 1.0.0.11 (Transitional)
Feature
-------License
Update TOS
Update DV
Auxiliary DV
ReputationDV
Status
-----OK
OK
OK
Info
Info
Permit
Expiration
------- ---------Allow
10/3/2013
Allow
10/3/2013
Allow
10/3/2013
Deny
Never
Deny
Never
Details
-------Using the transitional license.
Not licensed to use feature.
Not licensed to use feature.
show log-file
The following log files are available:
• system
• audit
• fwAlert
• fwBlock
• vpn
• ipsAlert
• ipsBlock
• reputationAlert
• reputationBlock
• quarantine
show log-file FILE_NAME
Syntax
show log-file audit [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file fwAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file fwBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file ipsBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file quarantine [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file reputationAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail
[COUNT])] [seqnum] [more]
show log-file reputationBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail
[COUNT])] [seqnum] [more]
34
Root Commands
show log-file summary [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file system [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file vpn [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum]
[more]
show log-file boot [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum]
[more]
show log-file audit [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file fwAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file fwBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file ipsBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file quarantine [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file reputationAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file reputationBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file summary [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file system [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file vpn [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2}
PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count
COUNT] [more]
show log-file boot [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file audit [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file fwAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file fwBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
NGFW Command Line Interface Reference
35
show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file ipsBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file quarantine [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN
cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file reputationAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time
END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file reputationBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time
END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file summary [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file system [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file vpn [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file boot [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
log-file
audit [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
fwAlert [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
fwBlock [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
ipsAlert [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
ipsBlock [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
quarantine [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
reputationAlert [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
reputationBlock [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
summary [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
system [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
vpn [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
boot [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
audit stat
fwAlert stat
fwBlock stat
ipsAlert stat
ipsBlock stat
quarantine stat
reputationAlert stat
reputationBlock stat
summary stat
system stat
vpn stat
boot stat
summary [verbose]
boot [tail COUNT] [more]
boot [search [(options)]{0,2} PATTERN] [count COUNT] [more]
Example
NGFW{}show log ipsAlert
36
Root Commands
Example
NGFW{}show log quarantine
show log-file FILE_NAME stat
Shows the beginning sequence number, ending sequence number, and number of messages for the given
log file.
Syntax
show log-file FILE_NAME stat
Example
NGFW{}show log ipsBlock stat
Display limited to 500 lines...
1
241097
241097
show log-file summary
Syntax
show log-file summary [verbose]
Example
NGFW{}show log-file summary
File
Total Entries First Entry
Last Entry
Allocated Used Location
--------------- -------------- -------------- -------------- ---------- ---- -----system
2902
1
2902 174.32 MB
0% internal
audit
411
1
411 174.32 MB
0% internal
fwAlert
2135781
42054583
44190363 700.23 MB 66% ramdisk
fwBlock
0
0
0 700.23 MB
0% ramdisk
ipsAlert
0
0
0 350.11 MB
0% ramdisk
ipsBlock
0
0
0 350.11 MB
0% ramdisk
reputationAlert
0
0
0 175.06 MB
0% ramdisk
reputationBlock
0
0
0 175.06 MB
0% ramdisk
visibility
0
0
0 700.23 MB
0% ramdisk
quarantine
0
0
0 175.06 MB
0% ramdisk
vpn
0
0
0 175.06 MB
0% ramdisk
show log-file boot
Syntax
show log-file boot [tail [COUNT]] [more]
show log-file boot [search [<options>]{0,2} PATTERN] [count COUNT] [more]
If using the more option, the colon will display in the output, to indicate more information is available.
Press the Enter key for the scroll to continue, or enter a ‘q’ to exit and return to the NGFW{} prompt.
Example
NGFW{} show log-file audit more
2013-07-05 ...(log info is displayed)
2013-07-05 ...
...
:q
NGFW{}show log-file boot search nocase ethernet7 count 7
NGFW{}show log-file boot search invert ethernet7 count 3
NGFW{}show log-file boot search ethernet7 count 2
NGFW Command Line Interface Reference
37
ADDRCONF(NETDEV_UP): ethernet7: link is not ready
device ethernet7 entered promiscuous mode
Example
To tail the last 5 lines of the boot log file:
NGFW{}show log-file boot tail 5
bridge1: port 8(ethernet7) entering disabled state
bridge1: port 8(ethernet7) entering disabled state
ADDRCONF(NETDEV_UP): ethernet7: link is not ready
device ethernet8 left promiscuous mode
device ethernet7 left promiscuous mode
show mfg-info
Shows manufacturing information.
Syntax
show mfg-info
Example
NGFW{}show mfg-info
device34{}show mfg-info
ECO Version
:
Manufacturer S/N
:
PCBA Assembly Date
:
Chassis Version
:
Mfg System Revision
:
HP Base Unit P/N
:
HP Base Unit Revision :
Number of MACs
:
MAC Address
:
Mgmt Port MAC Address :
Ethernet1 MAC Address :
HP Base Unit S/N
:
Internal Disk Model
:
Internal Disk S/N
:
External Disk Model
:
External Disk S/N
:
BIOS Version
:
IPM Version
:
40AA
TBBC10021827
01/11/2012
00
A905
5066-2732
A1
12
00:10:F3:2C:81:DE
00:10:F3:2C:81:DE
00:10:F3:2C:81:E2
PR2AFQY003
4GB SATA Flash Drive
11001420994500582125
4GB SATA Flash Drive
00224192122400702578
Z513-021
1.d (working)
show np engine
Shows network processor information.
Syntax
show np engine(filter|packet|parse|reputation(ip|dns)|rule)
filter - Show filter-level statistics
packet - Show packet-layer statistics
parse - Show packet parsing statistics
reputation - Show reputation statistics on either IP or DNS
rule - Show rule statistics
Example
NGFW{}show np engine packet
Packet Statistics:
Rx packets OK
Rx packets dropped
38
Root Commands
=
=
275263890
0
Rx
Tx
Tx
Tx
Rx
Tx
packets dropped no pcb =
packets OK
=
packets dropped
=
packets dropped no pcb =
bytes OK
=
bytes OK
=
0
275262516
1374
0
14864242660
16515754024
show np general statistics
Shows general network processor information.
Syntax
show np general statistics
Example
NGFW{}show np general statistics
General Statistics:
Incoming
=
0
Outgoing
=
0
Dropped
=
0
Interface discards =
0
Second Tier
=
0
Matched
=
0
Blocked
=
1376
Trusted
=
0
Permitted
=
0
Invalid
=
0
Rate Limited
=
0
show np protocol-mix
Syntax
show np protocol-mix
Example
NGFW{}show np protocol-mix
Network Traffic Protocol Statistics:
EthType:
ARP
IP
IPv6
Other
IpVersion:
IPv4
IPv6
Other
IpProtocol:
TCP
UDP
ICMP
IPv4 in IPv4
IPv6 In IPv4
GRE
AH
Packets
=================
Bytes
=================
289096
75851320
110966
47087
17363292
16817451395
91605367
31256790
75851320
110966
9010
16817451395
91605367
5444502
24779397
49956647
112057
0
4536
276372
414
4847827560
11260655728
42551652
0
597024
45779027
63180
NGFW Command Line Interface Reference
39
Other
Ipv6Protocol:
TCP
UDP
ICMPv6
ICMP
IPv6 in IPv6
IPv4 in IPv6
GRE
AH
Other
132843
65240426
378
1350
3908
0
89760
2442
1398
0
53034
265014
1135803
1406824
0
77281416
1938618
1106502
0
44444961
show np reassembly
Syntax
show np reassembly (ip|tcp)
Example
NGFW{}show np reassembly ip
Summary:
Frags incoming
Frags kept
Frags outgoing
Frags passed thru
Frags dropped (duplicate)
Frags recently reassembled
Frags dropped (other)
Dgrams completed
=
=
=
=
=
=
=
=
0
0
0
0
0
0
0
0
show np rule-stats
Syntax
show np rule-stats
Example
NGFW{}show np rule-stats
Filter
Flows Success
6281
9
0
6310
9
0
633
8
3
5337
8
0
2768
7
0
5881
1
0
Total number of flows: 42
% Total
21
21
19
19
16
2
% Success
0.00
0.00
37.50
0.00
0.00
0.00
show np softlinx
Syntax
show np softlinx
Example
NGFW{}show np softlinx
SoftLinx Statistics:
Matched both softlinx and a rule
Matched softlinx, but not a rule
Matched a rule, but not softlinx
40
Root Commands
=
=
=
0
0
0
Sleuth inspected packets
Sleuth matched packets
Matched HW (Sleuth) but not softLinx
Sleuth gave up
Sleuth bypassed
Sleuth bypassed zero payload length
Sleuth overflow
Matched nothing
Linx rules created
Linx rules deleted
Discarded by the softlinx
Total packets sent to softlinx
Embedded Trigger matches
Engine Trigger matches
Trigger matches
False pkt matches
Good pkt matches
SoftLinx trigger match roll over
Highest flow based trigger match
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
0
0
0
0
0
0
0
281567607
0
0
0
80
0
0
0
80
0
0
0
show np tier-stats
Syntax
show np tier-stats
Example
NGFW{}show np tier-stats
---------------------------------------------------------Tier 1:
---------------------------------------------------------Rx Mbps
=
0.0 (0.0)
Tx Mbps
=
0.0 (0.0)
Rx Packets/Sec
=
0.0 (0.0)
Tx Packets/Sec
=
0.0 (0.0)
Utilization
=
0.0% (0.0%)
Ratio to next tier
=
0.0% (100.0%)
---------------------------------------------------------Tier 2:
---------------------------------------------------------Rx Mbps
=
0.0 (0.0)
Rx Packets/Sec
=
0.0 (0.0)
Tx trust packets/sec =
0.0 (0.0)
Utilization
=
0.0% (0.0%)
Ratio to best effort =
0.0% (0.0%)
Ratio to next tier
=
0.0% (0.0%)
---------------------------------------------------------Tier 3:
---------------------------------------------------------Rx Mbps
=
0.0 (0.0)
Rx Packets/Sec
=
0.0 (0.0)
Rx Trigger match
=
0.0 (0.0)
Rx Reroute
=
0.0 (0.0)
Rx TCP sequence
=
0.0 (0.0)
Tx trust packets/sec =
0.0 (0.0)
Utilization
=
0.0% (0.0%)
Ratio to best effort =
0.0% (0.0%)
Ratio to next tier
=
0.0% (0.0%)
NGFW Command Line Interface Reference
41
show quarantine-list
Syntax
show quarantine-list
Example
NGFW{}show quarantine-list
IP
Reason
show reports
Show the status of the data collection for reports.
Syntax
show reports
Example
NGFW{}show reports
CPU Utilization:
Disk Utilization:
Fan Speed:
Memory Utilization:
Network Bandwidth:
Rate Limiter:
Temperature:
Traffic Profile:
VPN:
enabled
enabled
enabled
enabled
enabled
enabled
enabled
enabled
enabled
show service
Shows the state of all the services.
Syntax
show service
Example
NGFW{}show service
Service SSH
Service TELNET
Service HTTP
Service IP Forwarding
Service IPv6 Forwarding
Service SNMP
Service DNS-PROXY
Service RIP
Service RIPng
Service OSPFv2
Service OSPFv3
Service BGP
Service SMR
Service PIM4SM
Service PIM6SM
Service VRRP
Service Multicast-proxy
Service DHCPSERVER
Service DHCP
Service DHCP RELAY
Service DHCPv6-CLIENT
42
Root Commands
is
is
is
is
is
is
is
is
is
is
is
is
is
is
is
is
is
is
is
is
is
active
inactive
active
active
active
inactive
inactive
inactive
inactive
inactive
inactive
inactive
inactive
inactive
inactive
inactive
inactive
inactive
inactive
inactive
inactive
Service
Service
Service
NTP
PPP-CtrlPlane
ETHGRP-LACP
is inactive
is inactive
is inactive
show sms
Syntax
show sms
Example
NGFW{}show sms
Device is not under SMS control
show snmp
Syntax
show snmp
Example
NGFW{}show snmp
#SNMP Status
Enabled
Version
Engine ID
Auth. Traps
System Name
System Object ID
System ID
System Contact
System Location
:
:
:
:
:
:
:
:
:
#SNMP Trap Sessions
Host
:
Version
:
Port
:
Security Name
:
Level
:
Authentication
:
Privacy
:
Inform
:
Yes
2c, 3
0x800029ee030010f327fe2e
Yes
S8020F
.1.3.6.1.4.1.10734.1.9.7
NGFW
Administrator
Data Center
A.B.C.D
3
162
trap
authPriv
SHA
AES
Yes
show system buffers
Shows forwarding buffer state information, if you have administrator privileges.
Syntax
show system buffers
Example
NGFW{}show system buffers
show system connections
Syntax
show system connection [ipv4|ipv6|sctp|unix]
NGFW Command Line Interface Reference
43
Example
NGFW{}show system connections ipv4
Active Internet connections (servers and established)
vrfid Proto Recv-Q Send-Q Local Address
Foreign Address
0 tcp
0
0 127.0.0.1:60000
0.0.0.0:*
0 tcp
0
0 127.0.0.1:616
0.0.0.0:*
State
LISTEN
LISTEN
Example
NGFW{}show system connections unix
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags
Type
State
I-Node
unix 2
[ ACC ]
STREAM
LISTENING
40709
/var/tmp/apache2/logs/fcgidsock/7095.0
unix 2
[ ACC ]
STREAM
LISTENING
3871
unix 2
[ ACC ]
STREAM
LISTENING
2080
unix 2
[ ACC ]
STREAM
LISTENING
379
unix 2
[ ACC ]
STREAM
LISTENING
16968
unix 2
[ ]
DGRAM
16970
unix 2
[ ]
DGRAM
17575
unix 2
[ ACC ]
STREAM
LISTENING
1436
/usr/local/var/syslog-ng.ctl
Path
/var/tmp/segmentdsock
/var/run/nscd/socket
@/com/ubuntu/upstart
/var/run/.xms.default
/tmp/.server.sockname
@/tmp/.has_xmsd
Example
NGFW{}show system connections sctp
ASSOC
SOCK
STY SST ST HBKT ASSOC-ID TX_QUEUE RX_QUEUE UID INODE LPORT RPORT
LADDRS <-> RADDRS HBINT INS OUTS MAXRT T1X T2X RTXC VRF
show system processes
Syntax
show system
brief
detail
extensive
summary
processes [LEVEL]
Brief process information
Detailed process information
Extensive process information
Active process information
Example
NGFW{}show system processes brief
top - 02:23:22 up 5:08, 2 users, load average: 16.20, 16.23, 16.16
Tasks: 349 total,
6 running, 343 sleeping,
0 stopped,
0 zombie
Cpu(s): 37.8% us, 2.4% sy, 0.0% ni, 52.8% id, 0.0% wa, 0.0% hi, 6.9% si
Mem: 28681276k total, 10367048k used, 18314228k free,
100416k buffers
Swap:
0k total,
0k used,
0k free, 1638220k cached
PID USER
3656 root
3731 root
3730 root
3729 root
2941 root
4436 root
4216 root
17380 root
44
Root Commands
PR
NI
20
20
20
20
20
20
20
20
VIRT RES SHR S
11.1g 4.6g 3.7g
0
0
0
0
0
0
0
0
0
84516 3976 2852
0
0
0
21496 1112 772
13084 1292 800
0
0
0
0
0
0
0
0
%CPU %MEM
TIME+ COMMAND
R 1200 16.7
3691:24 n0
R 100 0.0 307:25.33 dpvi-task3
R
98 0.0 303:42.33 dpvi-task2
R
96 0.0 300:14.52 dpvi-task1
R
2 0.0
4:18.44 syslog-ng
D
2 0.0
1:44.56 fpm-nfct-hf-tas
D
0 0.0
0:21.46 sensormond
R
0 0.0
0:00.01 top
show system statistics
Syntax
show system statistics [PROTO] [non-zero]
Example
NGFW{}show system statistics
show system usage
Show system usage displays the overall system usage. You can run once, or display an updated version
every INT seconds. Ctrl-C will exit a re-occurring update.
Syntax
show system usage [update INT]
Example
NGFW{} show system usage update 12
show system virtual-memory
Shows the system’s kernel memory usage in a table with the following column headings.
• name
• active_objs
• num_objs
• objsize
• objperslab
• pagesperslab
• tunables
• limit
• batchcount
• sharedfactor
• slabdata
• active_slabs
• num_slabs
• sharedavail
Syntax
show system virtual-memory
Example
NGFW{}show system virtual-memory
show system xms memory
Shows xms memory statistics.
Syntax
show system xms memory (all| SERVICE)
Example
NGFW{}show system xms memory captive-portals
xmsd memory usage:
NGFW Command Line Interface Reference
45
+ Service: captive-portals
+ captive-portal-config: 48 Bytes
Maximum amounts: 175 Bytes
Calls to alloc : 1 times
+ Service: misc
+ miscellaneous: 1383 Bytes
Maximum amounts: 1585 Bytes
Calls to alloc : 10 times
+ xmlMem: 4341373 Bytes
Maximum amounts: 85010535 Bytes
Calls to alloc : 53906 times
show terminal
Shows terminal type information.
Syntax
show terminal
Example
NGFW{}show terminal
=============
Terminal configuration:
type 6wind
columns 164
lines 46
show traffic-file
Syntax
show traffic-file FILENAME [verbose INT] [proto PROTO] [without PROTO] [pcap FILTER]
[pager]
Options
traffic-file
FILENAME
verbose
INT
proto
PROTO
without
PROTO
pcap
FILTER
pager
Show network traffic from file
Capture file name
Configure verbosity level
Verbosity level (0: minimum verbosity)
Configure captured packets protocol
Protocol name (default: all)
Configure excluded packets protocol
Protocol name (default: all)
Configure pcap-syntax filter
Pcap filter string (e.g. "src port 22")
Show all messages
Example
NGFW{}show traffic-file myfilename
show tse connection-table
Syntax
show tse connection-table TYPE
Example:
This example displays the basic IPS state synchronization by viewing the connection table on the active
and passive device.
46
Root Commands
NGFW{}show tse connection-table blocks
Second device:
NGFW{}show tse connection-table blocks
The ‘TRHA’ indicates this is a connection created by state synchronization.
show tse
Shows threat suppression engine information.
Syntax
show tse (connection-table(blocks|trusts)|rate-limit)
Example
NGFW{}show tse connection-table blocks
Blocked connections: None found.
NGFW{}show tse rate-limit
show user-disk
Syntax
show user-disk
Example
NGFW{}show user-disk
External User Disk
Status:
Mounted
Encryption: None
Capacity:
3952263168 bytes
Used:
784158720 bytes
Free:
2907357184 bytes
show users
Syntax
show users [locked|ip-locked]
Example
NGFW{}show users
USER
IDLE
myadminuser
00:00
INTERFACE LOGIN
SSH
2013-07-19 23:42:56
IP ADDRESS
198.51.100.139
TYPE
LOCAL
show version
Syntax
show version
Example
NGFW{}show version
Serial:
Software:
Digital Vaccine:
Model:
HW Serial:
HW Revision:
X-NGF-S8020F-GENERIC-0001
1.0.0.3911 Build Date: "Apr 12 2013 02:13:12" Production
3.2.0.15172
S8020F
PR2AFQ300P
A603
NGFW Command Line Interface Reference
47
Failsafe: 1.0.0.1801
System Boot Time: Sun Sept 15 21:14:57 2013
Uptime: 05:17:01
shutdown
Allows you to shutdown the system.
Syntax
shutdown
Example
NGFW{}shutdown
You are about to shutdown the device.
Please use the front panel buttons to restart the device manually.
Make sure you have Committed all your changes, and clicked the Save
Configuration button if you wish these changes to be applied when the
device is restarted.
WARNING: Are you sure you want to shutdown the system (y/n) [n]:
sms
Allows you to configure SMS settings and release SMS.
Syntax
sms must-be-ip (A.B.C.D|A.B.C.D/M)
sms unmanage
Example
NGFW{}sms unmanage
NGFW{}sms must-be-ip 192.168.1.1
Related commands
show sms
snapshot create
Allows you to manage system snapshots.
Syntax
snapshot create NAME [(reputation|manual|network)]
Default is do not include the following:
manual
Include manually defined reputation entries in snapshot
network
Include Management port configuration in snapshot
reputation
Include reputation package in snapshot
nonet
Does not restore management port configuration if present in snapshot
Example
NGFW{}snapshot create s_041713
snapshot list
Syntax
snapshot list
48
Root Commands
Example
NGFW{}snapshot list
Name
Date
OS Version DV Version Model Restore
---------------- -------------------------- ---------- ---------- ------- -----s_041713
Wednesday, April 17 2013 1.0.0.3913 3.2.0.15172 S1020F
Yes
snapshot remove
Syntax
snapshot remove
Example
NGFW{}snapshot remove s_041713
Success
snapshot restore
Restore system from saved snapshot.
Syntax
snapshot restore NAME
Example
NGFW{}snapshot restore s_041713
Success
tcpdump
Allows you to capture network traffic to the terminal or a file. You can specify a maximum packet count or
a maximum capture file size. If you record the capture to a file you must specify a maximum packet count
or maximum capture file size. Maxsize is the maximum size of the capture file in millions of bytes, which is
limited by the currently available disk allocation.
Syntax
tcpdump INTERFACE [record FILENAME [maxsizebytes 1-10000000]] [packetcount
1-10000000] [verbose 0-990000] [proto
(icmp|igmp|tcp|udp|esp|ah|pim|snp|vrrp|stp|isis|sctp)] [without
(icmp|igmp|tcp|udp|esp|ah|pim|snp|vrrp|stp|isis|sctp)] [pcap FILTER] [cponly]
[pager] [background]
tcpdump stop
Example
NGFW{}tcpdump mgmt count 2
NGFW{}tcpdump bridge0 record mycapturefile count 100 proto tcp without udp pcap "dst
port 443" background
NGFW{}tcpdump6: listening on bridge0, link-type EN10MB (Ethernet), capture size
65535 bytes
100 packets captured
100 packets received by filter
0 packets dropped by kernel
NGFW{}tcpdump stop
All tcpdump processes stopped.
NGFW Command Line Interface Reference
49
traceroute
Traceroute shows you the path a packet of information takes from your computer to your designation. It
lists all the routers it passes through until it reaches its destination, or fails. Traceroute tells you how long
router to router hops take.
Syntax
traceroute (A.B.C.D|HOSTNAME) [from A.B.C.D] [mgmt]
(traceroute|traceroute6) X:X::X:X [from X:X::X:X] [mgmt]
Example
NGFW{}traceroute 192.168.140.254
traceroute: Warning: ip checksums disabled
traceroute to 192.168.140.254 (192.168.140.254), 30 hops max, 46 byte packets
1 192.168.140.254 (192.168.140.254) 0.256 ms 0.249 ms 0.233 ms
traceroute6
Trace IPv6 network routes.
Example
NGFW{}traceroute6 192.168.140.1
user-disk
The external user-disk is available to mount, unmount, and format. Only a user-disk that the user manually
formats and mounts will be “auto-mounted” by the device at boot. The one exception to this is after an
initial install, the external cfast present in the box at the time of install will be “auto-mounted”.
The user-disk can be encrypted, but only if the system master-key has been set. Changing the encryption
status on the user-disk causes a ‘format’ to occur and erases any existing data.
User-disk encryption can also be enabled and disabled from the LSM at System->Settings->Log
Configuration.
Modify settings for the external user-disk.
Syntax
user-disk (encryption (enable|disable) | format | mount | unmount)
Example
NGFW{}user-disk unmount
WARNING: Unmounting the external user disk will disable snapshot and packet capture,
and traffic related logs will be stored in memory only.
Do you want to continue (y/n)? [n]: y
Success: User disk unmounted.
Example
NGFW{}user-disk mount
Note: The external user disk will be used for snapshots, packet captures and traffic
related logs. The external user disk will be automatically mounted on rebooted.
Do you want to continue (y/n)? [n]: y
Success: User disk mounted.
Example
NGFW{}user-disk format
WARNING: This action will erase all existing data on the external user disk!
Do you want to continue (y/n)? [n]: y
Success: User disk format completed.
50
Root Commands
Example
NGFW{}user-disk encryption enable
WARNING: Changing the encryption status of the user disk will erase all traffic log,
snapshot, and packet capture data on the disk.
Do you want to continue (y/n)? [n]: y
Success: User disk encryption enabled.
Related commands
show user-disk
master-key
NGFW Command Line Interface Reference
51
52
Root Commands
4
Log Configure Commands
Enter the log-configure command to access the log configuration context. Enter a question mark (?) at
the NGFW{log-configure} prompt to display a list of valid command entries. Then enter help
commandname to display help for a specific command.
display
Displays log configuration settings.
Syntax
display [log-sessions] [xml|verbose]
Example
NGFW{log-configure}display
# LOG EMAIL SETTINGS
email set sleepSeconds
300
email set maxRequeue
2016
# LOG ROTATE SETTINGS
rotate set sleepSeconds
rotate set defaultFiles
rotate set defaultCheckRecords
rotate set maxFileSize
600
5
500
100 MB
# LOG FILE DISK ALLOCATION
log-storage external 90%
log-storage ramdisk 25%
# LOG FILE ALLOCATION SETTINGS
# INTERNAL DISK
log-file-size system
50%
log-file-size audit
50%
#
---#
Total 100%
# EXTERNAL DISK (USER-DISK)
log-file-size fwAlert
20%
log-file-size fwBlock
20%
log-file-size ipsAlert
10%
log-file-size ipsBlock
10%
log-file-size reputationAlert 5%
log-file-size reputationBlock 5%
log-file-size visibility
20%
log-file-size quarantine
5%
log-file-size vpn
5%
#
---#
Total 100%
email
Allows you to set logging email daemon parameters.
Syntax
email set sleepSeconds SLEEPSEC
email set maxRequeue MAXREQUEUE
NGFW Command Line Interface Reference
53
email set queueFile QUEUEFILE
email set deadletter DEADLETTER
email delete (sleepSeconds|maxRequeue|queueFile|deadletter)
Example
NGFW{log-configure}email
NGFW{log-configure}email
NGFW{log-configure}email
NGFW{log-configure}email
NGFW{log-configure}email
NGFW{log-configure}email
NGFW{log-configure}email
NGFW{log-configure}email
set sleepSeconds 600
delete sleepSeconds
set maxRequeue 1
delete maxRequeue
set queueFile myqueuefile
delete queueFile
set deadletter mydeadletterfile
delete deadletter
log-file-size
Set log file allocation as a percentage of the total 100 percent allowed for all log files.
# LOG FILE ALLOCATION SETTINGS
# INTERNAL DISK
log-file-size system
50%
log-file-size audit
50%
#
---#
Total 100%
Syntax
log-file-size FILE_NAME USAGE[%]
log-file-size
(audit|fwAlert|fwBlock|ipsAlert|ipsBlock|quarantine|reputationAlert|reputationBlock|
system|visibility|vpn) USAGE[%]
system and audit log files are kept on the internal disk
fwAlert, fwBlock, ipsAlert, ipsBlock, quarantine, reputationAlert, reputationBlock,
visibility, and vpn log files are kept on the external or ramdisk drive
Example
NGFW{log-configure}log-file-size system 50
NGFW{log-configure}log-file-size fwAlert 20
NGFW{log-configure}log-file-size audit 60
ERROR: This would over allocate (110%) the Internal log disk!
log-storage
Set local log file allocation of external CFast disk space. Usage value can range from 50 to 99 percent.
Syntax
log-storage external USAGE[%]
log-storage ramdisk USAGE[%]
Example
NGFW{log-configure}log-storage external 90
log-test
Sends a test message to the logging system(s).
Syntax
log-test (all|audit|vpn|quarantine|logID LOGID) [emergency [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID LOGID) [alert [MESSAGE]]
54
Log Configure Commands
log-test
log-test
log-test
log-test
log-test
log-test
log-test
(all|audit|vpn|quarantine|logID
(all|audit|vpn|quarantine|logID
(all|audit|vpn|quarantine|logID
(all|audit|vpn|quarantine|logID
(all|audit|vpn|quarantine|logID
(all|audit|vpn|quarantine|logID
(all|audit|vpn|quarantine|logID
LOGID)
LOGID)
LOGID)
LOGID)
LOGID)
LOGID)
LOGID)
[critical [MESSAGE]]
[error [MESSAGE]]
[warning [MESSAGE]]
[notice [MESSAGE]]
[info [MESSAGE]]
[debug [MESSAGE]]
[msg MESSAGE]
Valid entries:
all
All log systems
audit
Audit system
vpn
VPN (IPsec) system
quarantine Quarantine system
logID
LogID system
LOGID
Log-session ID to test
SEVERITY
Set Severity level for log message (default: INFO)
Possible values for SEVERITY are:
emergency
EMERG level
alert
ALERT level
critical
CRIT level
error
ERR level
warning
WARNING level
notice
NOTICE level
info
INFO level (default)
debug
DEBUG level
msg
Override default message
MESSAGE
Message to send to logging system
Example
NGFW{log-configure}log-test logID 1 msg "my test message for logging"
NGFW{log-configure}log-test all
rotate
Sets log rotation parameters.
Syntax
rotate
rotate
rotate
rotate
rotate
rotate
rotate
rotate
rotate
rotate
rotate
rotate
rotate
rotate
rotate
(set|delete)
(set|delete)
(set|delete)
(set|delete)
(set|delete)
(set|delete)
(set|delete)
(set|delete)
(set|delete)
(set|delete)
(set|delete)
(set|delete)
(set|delete)
(set|delete)
(set|delete)
sleepSeconds
SLEEPSEC
defaultFiles
NUMFILES
defaultCheckRecords
NUMRECORDS
defaultCheckRecords (100-65535)
defaultFiles (2-20)
maxFileSize (10-500MB)
sleepSeconds (1-65535)
audit [Files (2-20)] [Records (100-65535)]
fwAlert [Files (2-20)] [Records (100-65535)]
fwBlock [Files (2-20)] [Records (100-65535)]
ipsAlert [Files (2-20)] [Records (100-65535)]
ipsBlock [Files (2-20)] [Records (100-65535)]
quarantine [Files (2-20)] [Records (100-65535)]
reputationAlert [Files (2-20)] [Records (100-65535)]
reputationBlock [Files (2-20)] [Records (100-65535)]
system [Files (2-20)] [Records (100-65535)]
visibility [Files (2-20)] [Records (100-65535)]
vpn [Files (2-20)] [Records (100-65535)]
Logrotation sleep time between checks
Number of seconds logrotation waits between checks
Default number of logrotation files
Number of logrotation files (2 - 20)
Default number of records between log daemon size checks
Number of records between log daemon size checks (100 - 65535)
NGFW Command Line Interface Reference
55
maxFileSize
MAXFILESIZE
MB
FILE_NAME
Files
Records
delete
Max size a 'rotated' log file
Max log rotation file size in MB (10 - 500)
Megabytes
Local log file name
Number of logrotation files
Number of records between log daemon size checks
Delete the logrotation parameter
Example
NGFW{log-configure}rotate
NGFW{log-configure}rotate
NGFW{log-configure}rotate
NGFW{log-configure}rotate
NGFW{log-configure}rotate
NGFW{log-configure}rotate
NGFW{log-configure}rotate
NGFW{log-configure}rotate
56
Log Configure Commands
set sleepSeconds 10
set visibility Files 5 Records 500
set vpn Files 5 Records 500
delete vpn Records
delete vpn Files
delete visibility
set defaultCheckRecords 500
set defaultFiles 5
5
Edit Running Configuration Commands
Enter the edit command to access the configuration mode. In edit mode, you can perform numerous
configurations, such as firewall rules and policies, and authentication. Once you have executed the edit
command the CLI prompt will appear as NGFW{running}. Configuration options, and sub contexts are
available until you exit. To exit the edit configuration mode, enter exit.
The configuration mode enables administrators with the appropriate credentials to write configuration
changes to the active (running) configuration. The logon account used to configure the device must either
be associated with the Superuser role or the Administrator role to edit the configuration context. The
configuration mode has different context levels that provide access to a specific set of configuration
commands.
Configuration Contexts by Function
Monitor/System
Table 5-1
Monitor and System Commands
running-blockedStreams Context Commands
NGFW{running}blockedStreams
running-cluster Context Commands
running-cluster-tct Context Commands
NGFW{running}cluster
NGFW{running-cluster}tct
running-dns Context Commands
NGFW{running}dns
running-gen Context Commands
NGFW{running}gen
running-high-availability Context Commands
NGFW{running}high-availability
running-log Context Commands
NGFW{running}log
running-mgmt Context Commands
NGFW{running}interface mgmt
running-ntp Context Commands
NGFW{running}ntp
running-snmp Context Commands
NGFW{running}snmp
Network
Table 5-2
Network Commands
running-agglinkX Context Commands
NGFW{running}interface agglink0
running-bridgeX Context Commands
NGFW{running}interface bridge0
running-greX Context Commands
NGFW{running}interface gre0
running-l2tp-serverX Context Commands
NGFW{running}l2tp-server0
running-l2tpX Context Commands
NGFW{running}interface l2tp0
running-loopbackX Context Commands
NGFW{running}interface loopback0
running-pppoeX Context Commands
NGFW{running}interface pppoe0
running-pptpX Context Commands
NGFW{running}interface pptp0
running-vlanX Context Commands
NGFW{running}interface vlan0
running-ethernetX Context Commands
NGFW{running}interface ethernet1
running-segmentX Context Commands
NGFW{running}segment0
NGFW Command Line Interface Reference
57
Table 5-2
Network Commands
running-dhcp-relay Context Commands
NGFW{running}dhcp relay
running-dhcp-server Context Commands
NGFW{running}dhcp server
running-dhcp-server-X Context Commands
NGFW{running-dhcp-server}scope myscope
Policy
Table 5-3
Policy Commands
(immediate commit context)
running-actionsets Context Commands
running-actionsets-X Context Commands
running-addressgroups Context Commands
running-addressgroups-X Context Commands
(immediate commit context)
running-app-filter-mgmt Context Commands
(immediate commit context)
running-app-groups Context Commands
running-app-groups-X Context Commands
NGFW{running}addressgroups
NGFW{running-addressgroups}addressgroup
myaddressgroups
NGFW{running}application-filter-mgmt
NGFW{running}application-groups
NGFW{running-app-groups}application-grou
p FaceBook
(immediate commit context)
running-autodv Context Commands
running-autodv-calendar Context Commands
running-autodv-periodic Context Commands
NGFW{running}autodv
NGFW{running-autodv}calendar
NGFW{running-autodv}periodic
running-captive-portal Context Commands
running-captive-portal-rule-X Context Commands
NGFW{running}captive-portal
NGFW{running-captive-portal}rule 20000
running-dnat Context Commands
running-dnat-rule-X Context Commands
NGFW{running}dst-nat
NGFW{running-dnat}rule 1
running-firewall Context Commands
running-firewall-rule-X Context Commands
NGFW{running}firewall
NGFW{running-firewall}rule myrule1
running-global-inspection Context Commands
NGFW{running}global-inspection
(immediate commit context)
running-ips Context Commands
running-ips-X Context Commands
NGFW{running}ips
NGFW{running-ips}profile 1
(immediate commit context)
running-notifycontacts (email) Context Commands
running-notifycontacts-X (SNMP) Context Commands
58
NGFW{running}actionsets
NGFW{running-actionsets}actionset
myactionset1
NGFW{running-notifycontacts}contact
mycontact1 email
NGFW{running-notifycontacts}contact
mycontact1 snmp secret 192.168.1.1
(immediate commit context)
running-rep Context Commands
running-rep-X (group X) Context Commands
running-rep-X (profile X) Context Commands
NGFW{running}rep
NGFW{running-rep}group 1
NGFW{running-rep}profile abc
running-schedules Context Commands
running-schedules-X Context Commands
NGFW{running}schedules
NGFW{running-schedules}schedule myhours1
running-services Context Commands
running-services-X Context Commands
NGFW{running}services
NGFW{running-services}service myservice1
Edit Running Configuration Commands
Table 5-3
Policy Commands
running-snat Context Commands
running-snat-rule-X Context Commands
NGFW{running}src-nat
NGFW{running-snat}rule snat1
running-zones Context Commands
running-zones-X Context Commands
NGFW{running}zones
NGFW{running-zones}zone myzone1
Authentication
Table 5-4
Authentication Commands
running-aaa Context Commands
running-aaa-ldap-group-X Context Commands
running-aaa-radius-group-X Context Commands
NGFW{running-aaa}
NGFW{running-aaa}ldap-group mygroup
NGFW{running-aaa}radius-group mygroup
running-certificates Context Commands
running-certificates-crl Context Commands
NGFW{running}certificates
NGFW{running-certificates}crl
Routing
Table 5-5
Routing Commands
running-bgp-X Context Commands
NGFW{running}router bgp 1
running-multicast-registration Context Commands
NGFW{running}multicast-registration
running-ospf Context Commands
NGFW{running}router ospf
running-ospfv3 Context Commands
NGFW{running}router ospfv3
running-pim-smv4 Context Commands
NGFW{running}router pim-smv4
running-pim-smv6 Context Commands
NGFW{running}router pim-smv6
running-rip Context Commands
NGFW{running}router rip
running-ripng Context Commands
NGFW{running}router ripng
running-route-map Context Commands
NGFW{running}route-map mymap permit 10
running-smr Context Commands
NGFW{running}router smr
VPN
Table 5-6
VPN Commands
running-ipsec Context Commands
NGFW{running}vpn ipsec
running-manual-sa Context Commands
NGFW{running}vpn ipsec
NGFW{running-ipsec}manual
Edit Context Commands
aaa
Enter Authentication and Authorization and Auditing context mode.
Syntax
aaa
NGFW Command Line Interface Reference
59
Example
NGFW{}edit
NGFW{running}aaa
NGFW{running-aaa}help
NGFW{running-aaa}display user fred xml
<?xml version="1.0"?>
<record>
<index>
<user>fred</user>
</index>
<parameters>
<password>$password$</password>
<epoch>1373049840</epoch>
</parameters>
</record>
NGFW{running-aaa}exit
Related commands
running-aaa Context Commands
actionsets
Enters action sets context mode. Changes are committed and take effect immediately.
Syntax
actionsets
Example
NGFW{}edit
NGFW{running}actionsets
NGFW{running-actionsets}help
Example
NGFW{running-actionsets}actionset myactionset
NGFW{running-actionsets-myactionset}help
NGFW{running-actionsets-myactionset}?
Valid entries at this position are:
action
Set action type, available value: permit, rate-limit, block, trust
allow-access
Allow quarantined host to access defined IP
bytes-to-capture
Set bytes to capture for packet trace
contact
Add a notify contact
delete
Delete file or configuration item
display
Display file or configuration item
help
Display help information
http-block
Set quarantine option to block HTTP traffic
http-custom
Set or clear HTTP custom text display option
http-redirect
Set redirect URL for HTTP redirect option
http-showdesc
Set or clear HTTP show desc display option
http-showname
Set or clear HTTP show name display option
limit-quarantine
Add IP for limit quarantine
limit-rate
Set the rate value for rate-limit action
no-quarantine
Add IP for no quarantine
nonhttp-block
Set quarantine option to block non-HTTP traffic
packet-trace
Enable/disable packet trace option
priority
Set packet trace priority
quarantine
Set quarantine option, available value: no, immediate, threshold
tcp-reset
Set tcp reset option for block action, can be disable, source,
dest or both
60
Edit Running Configuration Commands
threshold
verbosity
Set quarantine threshold value
Set packet trace verbosity
Related commands
running-actionsets Context Commands
addressgroups
Enters address group context.
Syntax
addressgroups
Example
NGFW{running}addressgroups
NGFW{running-addressgroups}help
NGFW{running-addressgroups}?
Valid entries at this position are:
addressgroup
Create or enter an address group context
delete
Delete address group parameters
help
Display help information
rename
Rename address group
Related commands
running-addressgroups Context Commands
application-filter-mgmt
Enters application filter management context.
Syntax
application-filter-mgmt
Example
NGFW{}edit
NGFW{running}application-filter-mgmt
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-app-filter-mgmt}help
Valid commands are:
display
filter FILTERNUMBER SYS_ENABLE_OR_DISABLE
filter FILTERNUMBER afcstate AFC_ENABLE_OR_DISABLE
filter FILTERNUMBER SYS_ENABLE_OR_DISABLE afcstate AFC_ENABLE_OR_DISABLE
help [full|COMMAND]
Related commands
running-app-filter-mgmt Context Commands
application-groups
Enters the application-group context mode. Application groups can be associated with firewall rules and
can only be defined by the LSM not the CLI. There are CLI commands that are similar in syntax to security
categories, but the criteria parameter is deliberately obfuscated. Also, like security categories, application
group queries are not editable from the CLI.
NGFW Command Line Interface Reference
61
NOTE: Attempting to create an application group from the CLI will result in an error while parsing the
CRITERIASTRING parameter.
The CRITERIASTRING format is deliberately obfuscated and not supported to prevent users from creating
or editing application group criteria from the CLI. Support for setting and getting criteria through the
obfuscated format is included so that users can still copy output of CLI display commands and paste them
back in.
Syntax
application-groups
Example
NGFW{running}application-groups
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-app-groups}help
Valid commands are:
application-group NEWAPPNAME CRITERIASTRING
application-group APPNAME
delete application-group APPNAME
display
help [full|COMMAND]
rename application-group APPNAME NEWAPPNAME
Related commands
running-app-groups Context Commands
application-visibility
Enables or Disables application visibility.
Syntax
application-visibility (enable|disable)
Example
NGFW{running}application-visibility ?
Valid entries at this position are:
disable
Disable application visibility
enable
Enable application visibility
autodv
Enters auto digital vaccine context mode.
Syntax
autodv
Example
NGFW{running}autodv
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-autodv}help
Valid commands are:
calendar
delete proxy
delete proxy-password
delete proxy-username
disable
62
Edit Running Configuration Commands
display
enable
help [full|COMMAND]
list
periodic
proxy ADDR port PORT
proxy-password PASSWD
proxy-username USER
update
NGFW{running-autodv}?
Valid entries at this position are:
calendar
Enter Calender Style
delete
Delete file or configuration item
disable
Disable service
display
Display file or configuration item
enable
Enable service
help
Display help information
list
List Installed DVs
periodic
Enter Periodic Style
proxy
Configure proxy
proxy-password
Proxy password
proxy-username
Proxy username
update
Update AutoDV
Related commands
running-autodv Context Commands
blockedStreams
Enters blockedStreams context mode.
Syntax
blockedStreams
Example
NGFW{running}blockedStreams
NGFW{running-blockedStreams}help
Valid commands are:
flushallstreams
flushstreams
help [full|COMMAND]
list
Related command
running-blockedStreams Context Commands
captive-portal
Enters captive portal context mode.
Syntax
captive-portal
Example
NGFW{running}captive-portal
NGFW{running-captive-portal}help
Valid commands are:
NGFW Command Line Interface Reference
63
delete rule all|RULEID
help [full|COMMAND]
rename rule RULEID NEWRULEID
rule (auto|RULEID) [POSITION_VALUE]
set max-session-time MINUTES
set inactive-timeout MINUTES
set port PORT
set certificate CERTNAME
set login-page|status-page foreground-color|background-color HEX|COLOR
set login-page header-HTML|footer-HTML|failed-HTML
set status-page foreground-color|background-color HEX|COLOR
set status-page main-HTML
reset max-session-time|inactive-timeout|port|certificate
reset login-page|status-page foreground-color|background-color
reset login-page header-HTML|footer-HTML|failed-HTML
reset status-page main-HTML
Related commands
running-captive-portal Context Commands
certificates
Enters certificates context mode.
Syntax
certificates
Example
NGFW{running}certificates
NGFW{running-certificates}help
Valid commands are:
# Enter context
crl
# Other commands
ca-certificate CANAME
cert-request CERTREQUEST [key-size SIZE]
certificate CERTNAME
delete ca-certificate (all|CANAME)
delete cert-request (all|CERTREQUEST)
delete certificate (all|CERTNAME)
display ca-certificate CANAME [pem|text]
display cert-request CERTNAME
display certificate CERTNAME [pem|text]
display private-key CERTNAME
help [full|COMMAND]
private-key CERTNAME
Related commands
running-certificates Context Commands
cluster
Enters cluster context mode.
Syntax
cluster
64
Edit Running Configuration Commands
Example
NGFW{running}cluster
NGFW{running-cluster}help
Valid commands are:
check CHECK_TYPE enable|disable
cluster-name NAME
delete standby
enable|disable
help [full|COMMAND]
member-id ID
member-name NAME
standby
tct
NGFW{running-cluster}?
Valid entries at this position are:
check
Perform consistency check
cluster-name
Apply Cluster Name
delete
Delete file or configuration item
disable
Disable clustering
enable
Enable clustering
help
Display help information
member-id
Cluster Member ID
member-name
Cluster member name
standby
Set the device on standby
tct
Enter cluster traffic context
Related commands
running-cluster Context Commands
delete
Deletes file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
SEGNAME
interface agglinkX
interface bridgeX
interface greX
interface l2tpX
interface loopbackX
interface pppoeX
interface pptpX
interface vlanX
interface vrrpvXgY
ip access-list NAME (permit|deny) A.B.C.D/M
ip prefix-list NAME (permit|deny) A.B.C.D/M [ge GE-VALUE] [le LE-VALUE]
ipv6 access-list NAME (permit|deny) X.X.X.X/M
l2tp-serverX
route-map ROUTE-MAP-NAME
route-map ROUTE-MAP-NAME permit|deny ENTRY-POSITION
router bgp
router ospf
router ospfv3
router pim-smv6
router rip
router ripng
router smr
NGFW Command Line Interface Reference
65
Example
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
NGFW{running}delete
segment78
interface agglink0
interface bridge0
interface gre0
interface l2tp0
interface loopback0
interface pppoe0
interface pptp0
interface vlan0
ip access-list myaccesslist permit 0.0.0.0/0
ip prefix-list myprefixlist permit 192.168.0.0/16 ge 24 le 24
ipv6 access-list myipv6accesslist permit 100:0:0:0:0:0:0:0/64
l2tp-server0
route-map myroutemap
route-map myroutemap permit 1
router bgp
router ospf
router ospfv3
router pim-smv6
router rip
router ripng
router smr
dhcp
Enters DHCP context mode.
Syntax
dhcp relay
dhcp server
Example
NGFW{running}dhcp
Valid entries at this position are:
relay
Enter DHCP relay context
server
Server
Related commands
running-dhcp-relay Context Commands
running-dhcp-server Context Commands
dns
Enters DNS context mode.
Syntax
dns
Example
NGFW{running}dns
NGFW{running-dns}help
Valid commands are:
delete domain-name
delete name-server all|A.B.C.D|X:X::X:X
delete proxy cache cleaning interval
delete proxy cache forwarder all|A.B.C.D|X:X::X:X
66
Edit Running Configuration Commands
delete proxy cache maximum negative ttl
delete proxy cache maximum ttl
delete proxy cache size
domain-name NAME
domain-search primary NAME
help [full|COMMAND]
name-server A.B.C.D|X:X::X:X
proxy cache cleaning interval cache cleaning interval in minutes
proxy cache forwarder A.B.C.D|X:X::X:X
proxy cache maximum negative ttl cache maximum negative TTL in minutes
proxy cache maximum ttl cache maximum TTL in minutes
proxy cache size cache size in megabytes
proxy enable|disable
NGFW{running-dns}?
Valid entries at this position are:
delete
Delete file or configuration item
domain-name
Configure domain name
domain-search
Configure domain search
help
Display help information
name-server
Configure DNS server
proxy
Configure proxy
proxy
Enable or disable proxy
Related commands
running-dns Context Commands
dst-nat
Enters destination NAT context mode.
Syntax
dst-nat
Example
NGFW{running}dst-nat
NGFW{running-dnat}help
Valid commands are:
delete rule all|DSTNATRULEID
help [full|COMMAND]
rule (auto|DSTNATRULEID) [POSITION_VALUE]
NGFW{running-dnat}?
Valid entries at this position are:
delete
Delete destination NAT rule(s)
help
Display help information
rename
Rename destination NAT rule
rule
Create or enter a rule context
Related commands
running-dnat Context Commands
firewall
Enters firewall context mode.
Syntax
firewall
NGFW Command Line Interface Reference
67
Example
NGFW{running}firewall
NGFW{running-firewall}help
Valid commands are:
default-block-rule DEFACTIONSET
delete rule all|XRULEID
help [full|COMMAND]
rename rule XRULEID NEWRULEID
rule (auto|RULEID) [POSITION_VALUE]
NGFW{running-firewall}?
Valid entries at this position are:
default-block-rule
Apply action set for default block rule
delete
Delete firewall rule
help
Display help information
rename
Rename a firewall rule
rule
Create or enter a rule context
Related commands
running-firewall Context Commands
gen
Enters general context mode.
Usage
gen
Example
NGFW{running}gen
NGFW{running-gen}help
Valid commands are:
# System commands
timezone (GMT|(REGION CITY))
# Manage context
display [xml]
# Other commands
arp A.B.C.D INTERFACE MAC
auto-restart enable|disable
delete arp all|(ENTRY INTERFACE)
delete host NAME|all
delete ndp all|(ENTRY INTERFACE)
ephemeral-port-range default|(LOWRANGE HIGHRANGE)
forwarding ipv4|ipv6 enable|disable
help [full|COMMAND]
host NAME A.B.C.D|X:X::X:X
https enable|disable
inband-management enable|disable
management-service all|dns|email|ldap|ntp|radius|remote-syslog|snmp management
|network
ndp X:X::X:X INTERFACE MAC
ssh enable|disable
xmsd remote (port PORT [address A.B.C.D])|disable
NGFW{running-gen}?
Valid entries at this position are:
68
Edit Running Configuration Commands
arp
auto-restart
Configure static ARP entry
Enable/disable automatic restart on detection of critical
problem
delete
Delete file or configuration item
display
Display general context
ephemeral-port-range Set the range of the ephemeral port (default is 32768-61000)
forwarding
Enable or disable IPv4/IPv6 forwarding
help
Display help information
host
Configure static address to host name association
https
Enable or disable WEB server configuration
inband-management
Inband Management
management-service
Management of a service to use management port or network port
ndp
Configure static NDP entry
ssh
Enable or disable ssh service
timezone
Display or configure time zone
Related commands
running-gen Context Commands
global-inspection
Enters global-inspection context mode.
Syntax
global-inspection
Example
NGFW{running}global-inspection
NGFW{running-global-inspection}help
Valid commands are:
default-inspection (ips-profile IPSPROFILE|none)|(reputation-profile
REPPROFILE|none)
unknown-app (ips-profile IPSPROFILE|none)|(reputation-profile REPPROFILE|none)
display [xml]
help [full|COMMAND]
NGFW{running-global-inspection}?
Valid entries at this position are:
default-inspection
Apply default inspection profile
display
Display global inspection profile configuration
help
Display help information
unknown-app
Apply inspection profile during application detection phase
Related commands
running-global-inspection Context Commands
high-availability
Enters high-availability context mode.
Syntax
high-availability
Examples
NGFW{running}high-availability
NGFW{running-high-availability}help
Valid commands are:
delete failover-group base-mac
NGFW Command Line Interface Reference
69
delete failover-group name
enable|disable
failover-group base-mac X:X:X:X:X:X
failover-group name NAME
help [full|COMMAND]
state-sync (global [enable|disable])|(FEATURE [enable|disable|(log-level SEVERITY)])
NGFW{running-high-availability}?
Valid entries at this position are:
delete
Delete file or configuration item
disable
Disable high-availability
enable
Enable high-availability
failover-group
Failover Group
help
Display help information
state-sync
State synchronization
NGFW{running-high-availability}help state-sync
Enable or disable high-availability (enable|disable)
Syntax: state-sync (global [enable|disable])|(FEATURE [enable|disable|(log-level
SEVERITY)])
state-sync
State synchronization
global
Turn state synchronization on or off
enable
Enable state synchronization
disable
Disable state synchronization
FEATURE
Specify a state synchronization table
Possible values for FEATURE are:
firewall
Firewall state synchronization table
ips
IPS state synchronization table
routing
Routing state synchronization table
log-level
Specify logging level
SEVERITY
Log service severity
Possible values for SEVERITY are:
emergency
Panic condition messages
alert
Immediate problem condition messages
critical
Critical condition messages
error
Error messages
warning
Warning messages
notice
Special condition messages
info
Informational messages
debug
Debug messages
none
Turn off messages
NGFW{running-high-availability}state-sync ?
Valid entries at this position are:
firewall
Firewall state synchronization table
ips
IPS state synchronization table
routing
Routing state synchronization table
global
Turn state synchronization on or off
Related commands
running-high-availability Context Commands
interface
Enters interface context mode. The X represents a number to be entered, such as bridge2.
Syntax
# Enter context
interface agglinkX
70
Edit Running Configuration Commands
interface
interface
interface
interface
interface
interface
interface
interface
interface
bridgeX
ethernetX
greX
l2tpX
loopbackX
mgmt
pppoeX
pptpX
vlanX
Example
NGFW{running}interface bridge2
NGFW{running-bridge2}?
Valid entries at this position are:
arp/ndp
Enable or disable ARP and NDP on interface
autoconfv6
Enable or disable IPv6 autoconfiguration on interface
bind
Bind bridged network interface over ethernet/VLAN/agglink
delete
Delete file or configuration item
description
Enter description for the interface
help
Display help information
ip
Configure IP settings
ipaddress
Configure IP address
ipv6
Configure IPv6 settings
mtu
Configure interface MTU
prefix
Configure IPv6 prefix
ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level
ra-interval
Modify IPv6 Router Advertisement interval value
ra-interval-transmit
Modify IPv6 Router Advertisement interval transmit
ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime
ra-mtu
Modify IPv6 Router Advertisement MTU value
ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode
router-advert
Configure IPv6 Router Advertisement parameters
shutdown
Shutdown logical interface state
tcp4mss
Configure interface TCP MSS for IPv4
tcp6mss
Configure interface TCP MSS for IPv6
NGFW{running-bridge2}help
Related commands
running-agglinkX Context Commands
running-bridgeX Context Commands
running-ethernetX Context Commands
running-greX Context Commands
running-l2tpX Context Commands
running-loopbackX Context Commands
running-mgmt Context Commands
running-pppoeX Context Commands
running-pptpX Context Commands
running-vlanX Context Commands
ip
IP configuration mode.
NGFW Command Line Interface Reference
71
Syntax
ip access-list NAME (permit|deny) A.B.C.D/M
ip as-path access-list NAME (permit|deny) ASN_FILTER
delete ip as-path access-list NAME (permit|deny) ASN_FILTER
ip community-list NAME (permit|deny)
((AA:NN)|internet|local-as|no-advertise|no-export)
delete ip community-list NAME (permit|deny)
((AA:NN)|internet|local-as|no-advertise|no-export)
ip prefix-list NAME (permit|deny) A.B.C.D/M [ge GE-VALUE] [le LE-VALUE]
ip route A.B.C.D/M A.B.C.D|INTERFACE [DISTANCE]
ipv6 route X:X::X:X/M (X:X::X:X[%INTERFACE])|INTERFACE [DISTANCE]
display ip route
Valid entries:
access-list
as-path
community-list
prefix-list
route
Access list
AS Path access list
Community list
Prefix list
Add an IPv4 static route
Example
NGFW{running}ip access-list myaccesslist permit 0.0.0.0/0
NGFW{running}ip as-path access-list myasnaccesslist permit ^64496$
NGFW{running}delete ip as-path access-list myasnaccesslist permit ^64496$
NGFW{running}ip community-list mycommunitylist permit 64496:100
NGFW{running}ip community-list mycommunitylist permit internet
NGFW{running}delete ip community-list mycommunitylist permit 64496:100
NGFW{running}ip prefix-list myprefixlist permit 192.168.0.0/16 ge 24 le 24
NGFW{running}ip route 192.168.1.0/24 192.0.2.1 1
NGFW{running}ip route 192.168.1.0/24 ethernet5 1
NGFW{running}display ip route
# IPV4 ROUTES
ip route 192.168.1.0/24 192.0.2.1 1
ip route 192.168.1.0/24 ethernet5
ips
Enters IPS profile context mode.
Syntax
ips
Example
NGFW{running}ips
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-ips}help
Valid commands are:
# Enter context
display-categoryrules
# Other commands
afc-mode AFCMODE
afc-severity SEVERITY
connection-table TIMEOUTTYPE SECONDS
delete profile XPROFILENAME
deployment-choices
display
gzip-decompression enable|disable
help [full|COMMAND]
72
Edit Running Configuration Commands
profile PROFILENAME
quarantine-duration DURATION
rename profile XPROFILENAME NEWPROFILENAME
NGFW{running-ips}?
Valid entries at this position are:
afc-mode
AFC mode
afc-severity
AFC severity
connection-table
Connection table timeout
delete
Delete a profile
deployment-choices
Get deployment choices
display
Display all ips configuration and profiles
display-categoryrules
Display category rules for all profiles
gzip-decompression
GZIP decompression mode
help
Display help information
profile
Create/enter a IPS profile
quarantine-duration
Quarantine duration
rename
Rename a profile
Related commands
running-ips Context Commands
ipv6
IPv6 configuration
Syntax
ipv6 access-list NAME (permit|deny) X:X::X:X/M
ipv6 route X:X::X:X/M (X:X::X:X[%INTERFACE])|INTERFACE [DISTANCE]
display ipv6 route
Valid entries:
ipv6
IPv6 configuration
route
Add static route
X:X::X:X/M
Unicast IPv6 prefix address
X:X::X:X
IPv6 address
INTERFACE
Interface name
DISTANCE
The distance value (1-255)
Example
NGFW{running}ipv6 access-list myipv6accesslist permit 100:0:0:0:0:0:0:0/64
NGFW{running}ipv6 route 2001:2:0:0:0:0:0:0/48 ethernet5 1
NGFW{running}ipv6 route 2001:2:0:0:0:0:0:0/48 100:0:0:0:0:0:0:1 1
NGFW{running}display ipv6 route
# IPV6 ROUTES
ipv6 route 2001:2::/48 ethernet5
ipv6 route 2001:2::/48 100::1
l2tp-serverX
Enters L2TP Server context mode. The X represents a number, for example server0.
Syntax
l2tp-serverX
Example
NGFW{running}l2tp-server0
NGFW{running-l2tp-server0}help
NGFW Command Line Interface Reference
73
Valid commands are:
auth enable|disable
auth shared-secret A.B.C.D|any secret-key
bind none|any|(A.B.C.D [port])
delete auth shared-secret A.B.C.D|all
help [full|COMMAND]
hiding enable|disable
sequencing enable|disable
NGFW{running-l2tp-server0}?
Valid entries at this position are:
auth
Authenticated configuration
bind
Configure bind service of L2TP server
delete
Delete file or configuration item
help
Display help information
hiding
Enable or disable hiding configuration
sequencing
Enable or disable sequence configuration
Related commands
running-l2tp-serverX Context Commands
log
Enters log context mode. Note that the 'Management Console' notification contact for the Audit log can
not be modified.
Syntax
log
Example
NGFW{running}log
NGFW{running-log}help
Valid commands are:
delete log audit CONTACT-NAME
delete log quarantine CONTACT-NAME
delete log system CONTACT-NAME
delete log vpn CONTACT-NAME
delete log-option fib events|kernel|memory|packet [recv|send]
delete log-option ppp( all)|( DEL-PPP-LOG-OPTION){1,10}
delete log-option xmsd( all)|( LOG_OPTION)
help [full|COMMAND]
log audit CONTACT-NAME [ALL|none]
log quarantine CONTACT-NAME [ALL|none]
log system CONTACT-NAME [SEVERITY]
log vpn CONTACT-NAME [SEVERITY]
log-option fib events|kernel|memory|packet [recv|send]
log-option ppp( all)|( PPP-LOG-OPTION){1,255}
log-option xmsd( all)|( LOG_OPTION)
sub-system SUBSYSTEM [SEVERITY]
NGFW{running-log}?
Valid entries at this position are:
delete
Delete file or configuration item
help
Display help information
log
Add a Notification Contact to a log service
log-option
Add service log option
sub-system
set sub-system log level
74
Edit Running Configuration Commands
NGFW{running-log}display
# LOG SERVICES
log system
"Management
#log audit
"Management
log vpn
"Management
log quarantine "Management
# SUB-SERVICES
sub-system INIT
sub-system XMS
sub-system TOS
sub-system HTTPD
sub-system GATED
sub-system LOGIN
sub-system PACEMAKER
sub-system COROSYNC
sub-system CRMADMIN
Console"
Console"
Console"
Console"
notice
ALL
info
ALL
info
notice
info
notice
none
notice
error
notice
none
Related commands
running-log Context Commands
multicast-registration
Enters multicast registration context mode.
Syntax
multicast-registration
Example
NGFW{running}multicast-registration
NGFW{running-multicast-registration}help
Valid commands are:
help [full|COMMAND]
igmp-version default|(mode MODE IGMPvX)
mld-version default|(mode MODE MLDvX)
NGFW{running-multicast-registration}?
Valid entries at this position are:
help
Display help information
igmp-version
Configure system IGMP version
mld-version
Configure system MLD version
NGFW{running-multicast-registration}igmp-version mode ?
Valid entry at this position is:
MODE
Define IGMP mode (force or default)
Related commands
running-multicast-registration Context Commands
notifycontacts
Enters notify contacts context mode.
Syntax
notifycontacts
Example
NGFW{running}notifycontacts
NGFW Command Line Interface Reference
75
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-notifycontacts}help
Valid commands are:
contact CONTACTNAME
contact NEWNAME email
contact NEWNAME snmp COMMUNITY IP [PORT]
delete contact XCONTACTNAME
display
email-from-address EMAIL
email-from-domain DOMAIN
email-server IP
email-threshold THRESHOLD
email-to-default-address EMAIL
help [full|COMMAND]
rename contact XCONTACTNAME NEWNAME
NGFW{running-notifycontacts}?
Valid entries at this position are:
contact
Create or edit a notify contact
delete
Delete file or configuration item
display
Display all available contacts
email-from-address
From email address
email-from-domain
From domain name
email-server
Set mail server IP
email-threshold
Set email threshold
email-to-default-address
Default to email address
help
Display help information
rename
Rename contact with new name
Related commands
running-notifycontacts (email) Context Commands
ntp
Enters NTP context mode.
Syntax
ntp
Example
NGFW{running}ntp
NGFW{running-ntp}help
Valid commands are:
delete key all|ID
delete server all|HOST
help [full|COMMAND]
key (1-65535) VALUE
ntp enable|disable
polling-interval SECONDS
server dhcp|NAME [key ID] [prefer]
NGFW{running-ntp}?
Valid entries at this position are:
delete
Delete file or configuration item
help
Display help information
key
Configure NTP authentication key
ntp
Enable or disable NTP
polling-interval
Configure minimum polling interval
76
Edit Running Configuration Commands
server
Configure remote NTP server
Related commands
running-ntp Context Commands
reputation
Enters Reputation context mode.
Syntax
reputation
Example
NGFW{running}reputation
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-rep}help
Valid commands are:
delete group USERGROUP
delete profile XPROFILENAME
display
group USERGROUP
help [full|COMMAND]
profile PROFILENAME
rename group USERGROUP NEWUSERGROUP
rename profile XPROFILENAME NEWPROFILENAME
NGFW{running-rep}?
Valid entries at this position are:
delete
Delete file or configuration item
display
Display all reputation profiles and groups
group
Create/enter reputation group context
help
Display help information
profile
Create/enter reputation profile context
rename
Rename a reputation profile or group
Related commands
running-rep Context Commands
route-map
Allows you to configure the route-map.
Syntax
route-map ROUTE-MAP-NAME (permit|deny) ENTRY-POSITION
Example
NGFW{running}help route-map
Enter the route-map context
Syntax: route-map ROUTE-MAP-NAME permit|deny ENTRY-POSITION
route-map
Enter the route-map context
ROUTE-MAP-NAME
Route-map name
permit
Permit the network prefix
deny
Deny the network prefix
ENTRY-POSITION
Position of the route-map entry (1-65535)
Related commands
running-route-map Context Commands
NGFW Command Line Interface Reference
77
router
Enters the specified router protocol context.
Syntax
router
router
router
router
router
router
router
router
bgp ASNUMBER
ospf
ospfv3
pim-smv4
pim-smv6
rip
ripng
smr
Valid entries:
bgp
Enter the BGP context
ASNUMBER
The autonomous system number (1-2147483647)
ospf
Enter the OSPF context
ospfv3
Enter the OSPFv3 context
pim-smv4
Enter the PIM-SM IPv4 context
pim-smv6
Enter the PIM-SM IPv6 context
rip
Enter the RIP context
ripng
Enter the RIPng context
smr
Enter the SMR context
Example
NGFW{running}router
NGFW{running}router
NGFW{running}router
NGFW{running}router
NGFW{running}router
NGFW{running}router
NGFW{running}router
NGFW{running}router
ospf
ospfv3
pim-smv4
pim-smv6
rip
ripng
smr
bgp
Related commands
running-ospf Context Commands
running-ospfv3 Context Commands
running-bgp-X Context Commands
running-rip Context Commands
running-ripng Context Commands
running-pim-smv4 Context Commands
running-pim-smv6 Context Commands
running-smr Context Commands
schedules
Enters schedules context mode.
Syntax
schedules
Example
NGFW{running}schedules
NGFW{running-schedules}help
Valid commands are:
78
Edit Running Configuration Commands
delete schedule all|SCHEDULENAME
help [full|COMMAND]
rename schedule SCHEDULENAME NEWSCHEDULENAME
schedule SCHEDULENAME
NGFW{running-schedules}?
Valid entries at this position are:
delete
Delete a schedule
help
Display help information
rename
Rename a schedule
schedule
Create or enter a schedule context
Related commands
running-schedules Context Commands
segmentX
Enters Segment context mode. The X represents a segment number, for example segment0.
Syntax
segmentX
Example
NGFW{running}segment0
NGFW{running-segment0}help
Valid commands are:
# Enter context
bind bind
delete bind|high-availability|link-down
high-availability mode
link-down breaker [wait-time WAIT-TIME]
link-down hub
link-down wire [wait-time WAIT-TIME]
restart
# Other commands
description TEXT
help [full|COMMAND]
NGFW{running-segment0}?
Valid entries at this position are:
bind
Bind ethernet port pairs to segment
delete
Delete file or configuration item
description
Enter description for the segment
help
Display help information
high-availability
Intrinsic HA Layer 2 Fallback action
link-down
Link down synchronization mode
restart
Restart both Ethernet ports of segment
NGFW{running-segment0}help bind
Bind ethernet port pairs to segment
Syntax: bind bind
bind
Bind ethernet port pairs to segment
bind
ethernet port pairs
Related commands
running-segmentX Context Commands
NGFW Command Line Interface Reference
79
services
Enters services context mode.
Syntax
services
Example
NGFW{running}services
NGFW{running-services}help
Valid commands are:
delete service all|USERSERVICENAME
help [full|COMMAND]
rename service USERSERVICENAME NEWSERVICENAME
restore-default
service SERVICENAME
NGFW{running-services}?
Valid entries at this position are:
delete
Delete service(s)
help
Display help information
rename
Rename service
restore-default
Restore default services
service
Create or enter a service context
Related commands
running-services Context Commands
snmp
Enters SNMP context mode.
Syntax
snmp
Example
NGFW{running}snmp
NGFW{running-snmp}help
Valid commands are:
authtrap enable|disable
community COMMUNITY SOURCE
delete community COMMUNITY|all
delete trapsession (HOST ver VERSION)|all
delete username (USERNAME|all)
engineID ENGINE-ID
help [full|COMMAND]
snmp enable|disable
trapsession HOST [port PORT] ver 2c COMMUNITY [inform]
trapsession HOST [port PORT] ver 3 USERNAME level noAuthNoPriv [inform]
trapsession HOST [port PORT] ver 3 USERNAME level authNoPriv authtype AUTHTYPE
AUTHPASS [inform]
trapsession HOST [port PORT] ver 3 USERNAME level authPriv authtype AUTHTYPE
AUTHPASS privproto PRIVPROTO [PRIVPASS] [inform]
username USERNAME level noAuthNoPriv
username USERNAME level authNoPriv authtype AUTHTYPE AUTHPASS
username USERNAME level authPriv authtype AUTHTYPE AUTHPASS privproto PRIVPROTO
[PRIVPASS]
NGFW{running-snmp}?
80
Edit Running Configuration Commands
Valid entries at this position are:
authtrap
Configure SNMP authentication failure trap
community
Configure SNMP read-only community
delete
Delete file or configuration item
engineID
Configure SNMPv3 engine ID
help
Display help information
snmp
Enable or disable SNMP
trapsession
Configure a trap/inform
username
Configure SNMPv3 USM read-only user
Related commands
running-snmp Context Commands
src-nat
Enters source NAT context mode.
Syntax
src-nat
Example
NGFW{running}src-nat
NGFW{running-snat}help
Valid commands are:
delete rule all|SRCNATRULEID
help [full|COMMAND]
rule (auto|SRCNATRULEID) [POSITION_VALUE]
NGFW{running-snat}?
Valid entries at this position are:
delete
Delete source NAT rule(s)
help
Display help information
rename
Rename source NAT rule
rule
Create or enter a rule context
Related commands
running-snat Context Commands
vpn
Enters VPN context mode.
Syntax
vpn ipsec
Example
NGFW{running}vpn ipsec
NGFW{running-ipsec}help
Valid commands are:
delete log vpn CONTACT-NAME
delete phase1 proposal (all|NAME)
delete phase2 proposal (all|NAME)
delete policy (all|NAME)
delete pre-shared-keys (all|A.B.C.D|X:X::X:X|HOSTNAME) [vrf-id ID|any]
delete retransmit-timeout
delete retransmit-tries
delete trust (all|CANAME)
delete user
NGFW Command Line Interface Reference
81
delete vpn (all|NAME)
help [full|COMMAND]
ipsec enable|disable
log vpn CONTACT-NAME [SEVERITY]
manual
phase1 VERSION proposal NAME
phase2 VERSION proposal NAME
policy NAME [PRIORITY]
pre-shared-key local A.B.C.D|X:X::X:X|LFQDN remote A.B.C.D|X:X::X:X|RFQDN|any
retransmit-timeout TIMEOUT
retransmit-tries COUNT
trust CANAME
user
vpn NAME
NGFW{running-ipsec}?
Valid entries at this position are:
delete
Delete file or configuration item
help
Display help information
ipsec
Enable or disable IPsec
log
Add a Notification Contact to a log service
manual
Enter manual Security Association context
phase1
Enter Phase1 proposal context
phase2
Enter Phase2 proposal context
policy
Enter IPSec Policy context
pre-shared-key
Configure pre-shared key (start with 0x for hexadecimal key)
retransmit-timeout Configure IKEv2 Dead Peer Detection retransmission timeout in
seconds
retransmit-tries
Configure IKEv2 Dead Peer Detection maximum retransmission
tries
trust
Configure certification authority trust
user
Enter VPN user context
vpn
Enter VPN context
Related commands
running-ipsec Context Commands
zones
Enters security zone context mode.
Syntax
zones
Example
NGFW{running}zones
NGFW{running-zones}help
Valid commands are:
delete zone all|ZONENAME
help [full|COMMAND]
rename zone ZONENAME NEWZONENAME
zone ZONENAME
NGFW{running-zones}?
Valid entries at this
delete
help
rename
zone
82
position are:
Delete security zone(s)
Display help information
Rename a specified zone
Enter security zone context
Edit Running Configuration Commands
Related commands
running-zones Context Commands
Contexts and Related Commands
running-aaa Context Commands
NGFW{running-aaa}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
ldap-group (LDAPNAME|all)
radius-group (RADIUSNAME|all)
role (ROLE|all)
user (USER|all)
user-group (USERGROUP|all)
Example
NGFW{running}aaa
NGFW{running-aaa}delete
NGFW{running-aaa}delete
NGFW{running-aaa}delete
NGFW{running-aaa}delete
NGFW{running-aaa}delete
ldap-group group1
radius-group group1
role myrole1
user myuser1
user-group group1
NGFW{running-aaa}display
Display configuration.
Syntax
display ldap-group LDAPGROUP [xml]
display ldap-schema
(active-directory|novell-edirectory|fedora-ds|rfc2798|rfc2307nis|samba|custom) [xml]
display login-settings [xml]
display password-settings [xml]
display radius-group RADIUSGROUP [xml]
display remote-login-group [xml]
display role USER [xml]
display user USER [xml]
display usergroup USERGROUP [xml]
Example
NGFW{running-aaa}display
NGFW{running-aaa}display
NGFW{running-aaa}display
NGFW{running-aaa}display
NGFW{running-aaa}display
NGFW{running-aaa}display
NGFW{running-aaa}display
NGFW{running-aaa}display
NGFW{running-aaa}display
ldap-group group1
ldap-schema active-directory
login-settings
password-settings
radius-group group1
remote-login-group
role superuserRole
user myuser1
usergroup group1
NGFW{running-aaa}ldap-group
Configure LDAP group. Maximum number of groups is two.
NGFW Command Line Interface Reference
83
Syntax
ldap-group LDAPNAME
Example
NGFW{running-aaa}ldap-group mygroup
NGFW{running-aaa}ldap-schema
Configure LDAP schema.
Syntax
ldap-schema SCHEMA
SCHEMA
(active-directory|novell-edirectory|fedora-ds|rfc2798|rfc2307nis|samba|custom)
Example
NGFW{running-aaa}ldap-schema custom
NGFW{running-aaa-ldap-schema-custom}
NGFW{running-aaa}login
Configure login settings.
Syntax
login
login
login
login
maximum-attempts (0-10)
failure-action (lockout|lockout-disable|audit)
lockout-period MINUTES
lockout-period (0-1440)
Example
NGFW{running-aaa}login failure-action lockout
NGFW{running-aaa}password
Configure password settings.
Syntax
password quality (basic|maximum|none)
password expiry-time (10d|20d|30d|45d|60d|90d|6m|1y)
password expiry-action (force-change|notify-user|disable-account)
Example
NGFW{running-aaa}password quality maximum
NGFW{running-aaa}password expiry-time 30d
NGFW{running-aaa}password expiry-action force-change
NGFW{running-aaa}radius-group
Configure Radius group. Maximum number of radius groups is 2.
Syntax
radius-group RADIUSNAME
Example
NGFW{running-aaa}radius-group group1
84
Edit Running Configuration Commands
NGFW{running-aaa}remote-login-group
Configure LDAP or RADIUS group to use for either network or administrative login.
Syntax
remote-login-group (network|administrator) (GROUP|none)
Example
NGFW{running-aaa}remote-login-group administrator group1
NGFW{running-aaa}role
Configure an access role.
Syntax
role ROLE [OLDROLE]
Example
NGFW{running-aaa}role myrole1
NGFW{running-aaa}user
Configure a name identified user.
Syntax
user NAME
Example
NGFW{running-aaa}user myuser1
NGFW{running-aaa}user-group
Configure a name identified usergroup.
Syntax
user-group GROUPNAME
Example
NGFW{running-aaa}user-group group1
running-aaa-ldap-group-X Context Commands
NGFW{running-aaa-ldap-group-mygroup1}base-dn
Configure base distinguished name (DN).
Syntax
base-dn DN
Example
NGFW{running-aaa}ldap-group mygroup1
NGFW{running-aaa-ldap-group-mygroup1}base-dn DC=example,DC=com
NGFW{running-aaa-ldap-group-mygroup1}bind-dn
Configure bind distinguished name (DN).
NGFW Command Line Interface Reference
85
Syntax
bind-dn DN
Example
NGFW{running-aaa-ldap-group-mygroup1}bind-dn CN=admin,OU=People,DC=example,DC=com
NGFW{running-aaa-ldap-group-mygroup1}bind-password
Configure LDAP bind password.
Syntax
bind-password PASSWORD
Example
NGFW{running-aaa-ldap-group-mygroup1}bind-password mysecret
NGFW{running-aaa-ldap-group-mygroup1}delete
Delete file or configuration item.
Syntax
delete server (ADDRESS|all)
Example
NGFW{running-aaa-ldap-group-mygroup1}delete server 192.168.1.1
NGFW{running-aaa-ldap-group-mygroup1}port
Configure LDAP port.
Syntax
port <0-65535>
Example
NGFW{running-aaa-ldap-group-mygroup1}port 389
NGFW{running-aaa-ldap-group-mygroup1}retries
Configure server(s) retries.
Syntax
retries RETRY
Example
NGFW{running-aaa-ldap-group-mygroup1}retries 3
NGFW{running-aaa-ldap-group-mygroup1}schema
Configure Schema.
Syntax
schema(active-directory|fedora-ds|novell-edirectory|rfc2307nis|rfc2798|samba|custom)
Example
NGFW{running-aaa-ldap-group-mygroup1}schema active-directory
86
Edit Running Configuration Commands
NGFW{running-aaa-ldap-group-mygroup1}server
Configure LDAP server address.
Syntax
server (A.B.C.D|X:X::X:X) priority (1-6)
Example
NGFW{running-aaa-ldap-group-mygroup1}server 192.168.1.1 priority 1
NGFW{running-aaa-ldap-group-mygroup1}server 192.168.1.2 priority 2
NGFW{running-aaa-ldap-group-mygroup1}timeout
Configure timeout.
Syntax
timeout SECONDS
Example
NGFW{running-aaa-ldap-group-mygroup1}timeout 10
NGFW{running-aaa-ldap-group-mygroup1}tls
Configure TLS.
Syntax
tls (enable|disable)
tls start-tls (enable|disable)
tls require-valid-server-cert (enable|disable)
Example
NGFW{running-aaa-ldap-group-mygroup1}tls enable
NGFW{running-aaa-ldap-group-mygroup1}tls require-valid-server-cert enable
NGFW{running-aaa-ldap-group-mygroup1}tls start-tls enable
NGFW{running-aaa-ldap-group-mygroup1}version
Configure LDAP version.
Syntax
version (2|3)
Example
NGFW{running-aaa-ldap-group-mygroup1}version 3
running-aaa-radius-group-X Context Commands
NGFW{running-aaa-radius-group-2}default-usergroup
Default usergroup.
Syntax
default-usergroup GROUP|none
Example
NGFW{running-aaa}radius-group 2
NGFW{running-aaa-radius-group-2}default-usergroup administrator
NGFW Command Line Interface Reference
87
NGFW{running-aaa-radius-group-2}delete
Delete file or configuration item.
Syntax
delete server (A.B.C.D|X:X::X:X|all)
Example
NGFW{running-aaa-radius-group-2}delete server 192.168.1.1
NGFW{running-aaa-radius-group-2}retries
Configure server retries.
Syntax
retries (0-5)
Example
NGFW{running-aaa-radius-group-2}retries 3
NGFW{running-aaa-radius-group-2}server
Configure server.
Syntax
server (A.B.C.D|X:X::X:X) [PORT] password PASSWORD priority (1-6) timeout (0-300)
[nas-id NASID]
Example
NGFW{running-aaa-radius-group-2}server 192.168.1.1 1812 password mysecret priority 1
timeout 10 nas-id 1
NGFW{running-aaa-radius-group-2}server 192.168.1.7 1812 password mysecret priority 2
timeout 10 nas-id 1
running-actionsets Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running-actionsets}actionset
Enter an action set context with defined name.
Syntax
actionset ACTIONSETNAME
Example
NGFW{running}actionsets
NGFW{running-actionsets}actionset myactionset1
NGFW{running-actionsets}delete
Delete file or configuration item.
Syntax
delete actionset ACTIONSETNAME
Example
NGFW{running-actionsets}delete actionset myactionset1
88
Edit Running Configuration Commands
NGFW{running-actionsets}rename
Rename action set oldname newname.
Syntax
rename actionset ACTIONSETNAME NEWACTIONSETNAME
Example
NGFW{running-actionsets}rename actionset myactionset1 myactionset2
running-actionsets-X Context Commands
NGFW{running-actionsets-myactionset1}action
Set action type. Available values: permit, rate-limit, block, trust.
Immediate Commit Feature. Changes take effect immediately.
Syntax
action (permit|rate-limit|block|trust)
Example
NGFW{running-actionsets}actionset myactionset1
NGFW{running-actionsets-myactionset1}action rate-limit
NGFW{running-actionsets-myactionset1}allow-access
Allow quarantined host to access defined IP.
Syntax
allow-access DESTIP
Example
NGFW{running-actionsets-myactionset1}allow-access 192.168.1.1
NGFW{running-actionsets-myactionset1}bytes-to-capture
Set bytes to capture for packet trace.
Syntax
bytes-to-capture BYTES
Example
NGFW{running-actionsets-myactionset1}bytes-to-capture 6144
NGFW{running-actionsets-myactionset1}contact
Add a notify contact.
Syntax
contact XCONTACTNAME
Example
NGFW{running-actionsets-myactionset1}contact mycontact1
NGFW{running-actionsets-myactionset1}contact "Management Console"
NGFW Command Line Interface Reference
89
NGFW{running-actionsets-myactionset1}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
allow-access DESTIP
contact XCONTACTNAME
limit-quarantine SOURCEIP
no-quarantine SOURCEIP
Example
NGFW{running-actionsets-myactionset1}delete
NGFW{running-actionsets-myactionset1}delete
NGFW{running-actionsets-myactionset1}delete
NGFW{running-actionsets-myactionset1}delete
allow-access 192.168.1.1
contact mycontact1
limit-quarantine 192.168.1.1
no-quarantine 192.168.1.1
NGFW{running-actionsets-myactionset1}http-block
Set quarantine option to block HTTP traffic.
Syntax
http-block
Example
NGFW{running-actionsets-myactionset1}http-block
NGFW{running-actionsets-myactionset1}http-custom
Set or clear HTTP custom text display option.
Syntax
http-custom TEXT
Example
NGFW{running-actionsets-myactionset1}http-custom "my custom message"
NGFW{running-actionsets-myactionset1}http-redirect
Set redirect URL for HTTP redirect option.
Syntax
http-redirect URL
Example
NGFW{running-actionsets-myactionset1}http-redirect https://www.example.com
NGFW{running-actionsets-myactionset1}http-showdesc
Set or clear HTTP show description display option.
Syntax
http-showdesc (enable|disable)
Example
NGFW{running-actionsets-myactionset1}http-showdesc enable
90
Edit Running Configuration Commands
NGFW{running-actionsets-myactionset1}http-showname
Set or clear HTTP show name display option.
Syntax
http-showname (enable|disable)
Example
NGFW{running-actionsets-myactionset1}http-showname enable
NGFW{running-actionsets-myactionset1}limit-quarantine
Add IP for limit quarantine.
Syntax
limit-quarantine SOURCEIP
Example
NGFW{running-actionsets-myactionset1}limit-quarantine 192.168.1.1
NGFW{running-actionsets-myactionset1}limit-rate
Set the rate value for rate-limit action.
Syntax
limit-rate RATE
Example
NGFW{running-actionsets-myactionset1}limit-rate 1500
NGFW{running-actionsets-myactionset1}no-quarantine
Add IP for no quarantine.
Syntax
no-quarantine SOURCEIP
Example
NGFW{running-actionsets-myactionset1}no-quarantine 192.168.1.1
NGFW{running-actionsets-myactionset1}nonhttp-block
Set quarantine option to block non-HTTP traffic.
Syntax
nonhttp-block (enable|disable)
Example
NGFW{running-actionsets-myactionset1}nonhttp-block enable
NGFW{running-actionsets-myactionset1}packet-trace
Enable/disable packet trace option.
Syntax
packet-trace (enable|disable)
NGFW Command Line Interface Reference
91
Example
NGFW{running-actionsets-myactionset1}packet-trace enable
NGFW{running-actionsets-myactionset1}priority
Set packet trace priority.
Syntax
priority PRIORITY
Example
NGFW{running-actionsets-myactionset1}priority medium
NGFW{running-actionsets-myactionset1}quarantine
Set quarantine option. Available options: no, immediate, threshold.
Syntax
quarantine QUARANTINETYPE
Example
NGFW{running-actionsets-myactionset1}quarantine immediate
NGFW{running-actionsets-myactionset1}tcp-reset
Set tcp reset option for block action. Available options: none (disable), source, dest, or both.
Syntax
tcp-reset (none|source|dest|both)
Example
NGFW{running-actionsets-myactionset1}tcp-reset both
NGFW{running-actionsets-myactionset1}threshold
Set quarantine threshold value.
Syntax
threshold (2-10000) (1-60)
Example
NGFW{running-actionsets-myactionset1}threshold 200 5
NGFW{running-actionsets-myactionset1}verbosity
Set packet trace verbosity.
Syntax
verbosity (partial|full)
Example
NGFW{running-actionsets-myactionset1}verbosity full
92
Edit Running Configuration Commands
running-addressgroups Context Commands
NGFW{running-addressgroups}addressgroup
Create or enter an address group context.
Syntax
addressgroup GROUPNAME
Example
NGFW{running}addressgroups
NGFW{running-addressgroups}addressgroup mygroup1
NGFW{running-addressgroups-mygroup1}
NGFW{running-addressgroups}delete
Delete address group parameters.
Syntax
delete addressgroup (all|GROUPNAME)
Example
NGFW{running-addressgroups}delete addressgroup mygroup1
NGFW{running-addressgroups}delete addressgroup all
running-addressgroups-X Context Commands
NGFW{running-addressgroups-mygroup1}delete
Delete address group parameters.
Syntax
delete group (all|GROUPNAME)
delete ipaddress (all|A.B.C.D/M|X:X::X:X/M)
delete range (all|A.B.C.D|X:X::X:X)
Example
NGFW{running-addressgroups}addressgroup myaddressgroups
NGFW{running-addressgroups-mygroup1}delete range 192.168.1.100 192.168.1.200
NGFW{running-addressgroups-mygroup1}description
Apply address group description.
Syntax
description TEXT
Example
NGFW{running-addressgroups-mygroup1}description "my address group 1"
NGFW{running-addressgroups-mygroup1}group
Add a group to this group.
Syntax
group GROUPNAME
NGFW Command Line Interface Reference
93
Example
NGFW{running-addressgroups-mygroup1}group mygroup2
NGFW{running-addressgroups-mygroup1}ipaddress
Apply IPv4 or IPv6 address.
Syntax
ipaddress (A.B.C.D|A.B.C.D/M|X:X::X:X|X:X::X:X/M)
Example
NGFW{running-addressgroups-mygroup1}ipaddress 192.168.1.1
NGFW{running-addressgroups-mygroup1}ipaddress 192.168.1.0/24
NGFW{running-addressgroups-mygroup1}range
Apply IPv4 or IPv6 address range.
Syntax
range (A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X)
Example
NGFW{running-addressgroups-mygroup1}range 192.168.1.100 192.168.1.200
running-agglinkX Context Commands
NGFW{running}interface agglink0
NGFW{running-agglink0}arp/ndp
Enable or disable ARP and NDP on interface.
Syntax
arp/ndp (enable|disable)
Example
NGFW{running-agglink0}arp/ndp enable
NGFW{running-agglink0}autoconfv6
Enable or disable IPv6 auto-configuration on interface.
Syntax
autoconfv6 (enable|disable)
Example
NGFW{running-agglink0}autoconfv6 enable
NGFW{running-agglink0}bind
Bind agglink network interface over specific ethernet or bridge port.
Syntax
bind PORT mode (passive|static|active) [priority PRIORITY]
Port priority: (0-65535) default 32768, lowest value has highest priority
94
Edit Running Configuration Commands
Example
NGFW{running-agglink0}bind
NGFW{running-agglink0}bind
NGFW{running-agglink0}bind
NGFW{running-agglink0}bind
ethernet5
ethernet6
ethernet7
ethernet8
mode
mode
mode
mode
active
active
active
active
priority
priority
priority
priority
1
1
1
1
NGFW{running-agglink0}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
bind (all|PORT)
ip igmp
ip igmp version
ip ospf area
ip ospf authentication mode md5 (1-255) KEY
ip ospf authentication mode text KEY
ip ospf cost (1-65535)
ip ospf dead-interval (1-65535)
ip ospf hello-interval (1-65535)
ip ospf priority (0-255)
ip ospf retransmit-interval (3-65535)
ip ospf transmit-delay (1-65535)
ip rip
ip rip authentication mode md5
ip rip authentication mode text
ip rip receive version (v1-only|v2-only|v1-or-v2)
ip rip send version (v1-only|v2-only|v1-or-v2)
ip rip split-horizon
ipaddress (all|A.B.C.D/M|X:X::X:X/M)
ipaddress dhcpv4
ipaddress dhcpv6
ipv6 mld
ipv6 mld version
ipv6 ospfv3 area
ipv6 ospfv3 cost
ipv6 ospfv3 dead-interval
ipv6 ospfv3 hello-interval
ipv6 ospfv3 priority
ipv6 ospfv3 retransmit-interval
ipv6 ospfv3 transmit-delay
ipv6 ripng
ipv6 ripng split-horizon
prefix (all|X:X::X:X/M)
shutdown
Example
NGFW{running-agglink0}delete
NGFW{running-agglink0}delete
NGFW{running-agglink0}delete
NGFW{running-agglink0}delete
NGFW{running-agglink0}delete
NGFW{running-agglink0}delete
NGFW{running-agglink0}delete
NGFW{running-agglink0}delete
NGFW{running-agglink0}delete
NGFW{running-agglink0}delete
NGFW{running-agglink0}delete
bind ethernet7
ip igmp version
ip ospf area
ip ospf authentication mode md5 1 mysecret
ip ospf authentication mode text mysecret
ip ospf cost
ip ospf dead-interval 1
ip ospf hello-interval 1
ip ospf priority 1
ip ospf retransmit-interval
ip ospf transmit-delay 1
NGFW Command Line Interface Reference
95
NGFW{running-agglink0}delete
NGFW{running-agglink0}delete
NGFW{running-agglink0}delete
NGFW{running-agglink0}delete
NGFW{running-agglink0}delete
NGFW{running-agglink0}delete
NGFW{running-agglink0}delete
NGFW{running-agglink0}delete
ip rip authentication mode md5
ip rip authentication mode text
ip rip receive version v2-only
ip rip send version v2-only
ip rip split-horizon
shutdown
ipaddress 192.168.1.1/24
ipaddress 100:0:0:0:0:0:0:1/64
NGFW{running-agglink0}description
Enter description for the interface.
Syntax
description TEXT
Example
NGFW{running-agglink0}description "Ethernet aggregated interface"
NGFW{running-agglink0}ip
Configure IP settings.
Syntax
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
igmp
igmp version (1|2|3)
ospf area A.B.C.D|(0-4294967295)
ospf authentication mode md5 (1-255) KEY
ospf authentication mode text KEY
ospf cost (1-65535)
ospf dead-interval (1-65535)
ospf hello-interval (1-65535) [A.B.C.D]
ospf priority (0-255)
ospf retransmit-interval (3-65535)
ospf transmit-delay (1-65535)
rip
rip authentication mode md5 (0-2147483647) KEY
rip authentication mode text
rip receive version VERSION
rip send version VERSION
rip split-horizon [poison-reverse]
Example
NGFW{running-agglink0}ip igmp version 3
NGFW{running-agglink0}ip ospf area 1
NGFW{running-agglink0}ip ospf authentication mode md5 1 mysecret
NGFW{running-agglink0}ip ospf authentication mode text mysecret
NGFW{running-agglink0}ip ospf cost 1
NGFW{running-agglink0}ip ospf dead-interval 1
NGFW{running-agglink0}ip ospf hello-interval 1
NGFW{running-agglink0}ip ospf priority 1
NGFW{running-agglink0}ip ospf retransmit-interval 3
NGFW{running-agglink0}ip ospf transmit-delay 1
NGFW{running-agglink0}ip rip authentication mode md5 1 mysecret
NGFW{running-agglink0}ip rip authentication mode text
Enter key: up to 16 characters:******
NGFW{running-agglink0}ip rip receive version v2-only
NGFW{running-agglink0}ip rip send version v2-only
96
Edit Running Configuration Commands
NGFW{running-agglink0}ip rip split-horizon poison-reverse
NGFW{running-agglink0}ipaddress
Configure IP address.
Syntax
ipaddress (A.B.C.D/M|X:X::X:X/M) [primary]
ipaddress dhcpv4
Example
NGFW{running-agglink0}ipaddress 192.168.1.1/24
NGFW{running-agglink0}ipaddress 100:0:0:0:0:0:0:1/64 primary
NGFW{running-agglink0}ipv6
Configure IPv6 settings.
Syntax
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
mld
mld version (1|2)
ospfv3 area (A.B.C.D|(0-4294967295))
ospfv3 cost (1-65535)
ospfv3 dead-interval (1-65535)
ospfv3 hello-interval (1-65535)
ospfv3 priority (0-255)
ospfv3 retransmit-interval (3-65535)
ospfv3 transmit-delay (1-65535)
ripng
ripng split-horizon [poison-reverse]
Example
NGFW{running-agglink0}ipv6
NGFW{running-agglink0}ipv6
NGFW{running-agglink0}ipv6
NGFW{running-agglink0}ipv6
NGFW{running-agglink0}ipv6
NGFW{running-agglink0}ipv6
NGFW{running-agglink0}ipv6
NGFW{running-agglink0}ipv6
NGFW{running-agglink0}ipv6
mld version 2
ospfv3 area 1
ospfv3 cost 1
ospfv3 dead-interval 1
ospfv3 hello-interval 1
ospfv3 priority 1
ospfv3 retransmit-interval 3
ospfv3 transmit-delay 1
ripng split-horizon poison-reverse
NGFW{running-agglink0}load-balance
Configure the distribution mechanism.
Syntax
load-balance (round-robin|xor-ip|xor-ip-port|xor-mac|backup)
Example
NGFW{running-agglink0}load-balance xor-ip
NGFW{running-agglink0}mac-address
Configure Ethernet MAC address.
NGFW Command Line Interface Reference
97
Syntax
mac-address (automatic|X:X:X:X:X:X)
Example
NGFW{running-agglink0}mac-address a1:b2:c3:d4:e5:f6
NGFW{running-agglink0}mac-address automatic
NGFW{running-agglink0}mtu
Configure interface MTU in bytes.
Syntax
mtu (default|VALUE)
VALUE (68-9216)
Example
NGFW{running-agglink0}mtu 1500
NGFW{running-agglink0}prefix
Configure IPv6 prefix.
Syntax
prefix X:X::X:X/M [valid-lifetime SECONDS] [preferred-lifetime SECONDS]
prefix X:X::X:X/M [valid-lifetime (1-4294967295)] [preferred-lifetime
(1-4294967295)]
Example
NGFW{running-agglink0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000
preferred-lifetime 604800
NGFW{running-agglink0}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level.
Syntax
ra-autoconf-level (none|address|other|full)
Example
NGFW{running-agglink0}ra-autoconf-level full
NGFW{running-agglink0}ra-interval
Modify IPv6 Router Advertisement interval value in milliseconds.
Syntax
ra-interval (90-1800000)
Example
NGFW{running-agglink0}ra-interval 600
NGFW{running-agglink0}ra-interval-transmit
Modify IPv6 Router Advertisement interval transmit.
98
Edit Running Configuration Commands
Syntax
ra-interval-transmit (enable|disable)
Example
NGFW{running-agglink0}ra-interval-transmit enable
NGFW{running-agglink0}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
Syntax
ra-lifetime (0-9000000)
Example
NGFW{running-agglink0}ra-lifetime 1800
NGFW{running-agglink0}ra-mtu
Modify IPv6 Router Advertisement MTU value in bytes.
Syntax
ra-mtu (none|MTU)
MTU (68-9216)
Example
NGFW{running-agglink0}ra-mtu 1500
NGFW{running-agglink0}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
Syntax
ra-transmit-mode (always|never|smart)
Example
NGFW{running-agglink0}ra-transmit-mode smart
NGFW{running-agglink0}shutdown
Shutdown logical interface state.
Syntax
shutdown
Example
NGFW{running-agglink0}shutdown
NGFW{running-agglink0}tcp4mss
Configure interface TCP MSS for IPv4.
Syntax
tcp4mss (disable|automatic|VALUE)
VALUE 4-65535
NGFW Command Line Interface Reference
99
Example
NGFW{running-agglink0}tcp4mss automatic
NGFW{running-agglink0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|VALUE)
VALUE 4-65535
Example
NGFW{running-agglink0}tcp6mss automatic
running-app-filter-mgmt Context Commands
Immediate Commit Feature. Changes take effect immediately.
Change management settings for an application filter.
NGFW{running}application-filter-mgmt
NGFW{running-application-filter-mgmt}filter
Syntax
filter FILTERNUMBER (enable|disable)
filter FILTERNUMBER afcstate (enable|disable)
filter FILTERNUMBER (enable|disable) afcstate (enable|disable)
Valid entries:
display
Display file or configuration item
filter
Change management settings for an application filter
help
Display help information
Example
NGFW{running-app-filter-mgmt}filter 642 afcstate enable
NGFW{running-app-filter-mgmt}filter 642 enable afcstate enable
WARNING: Are you sure you want to enable filter 642 system-wide (y/n)? [n]: y
NGFW{running-app-filter-mgmt}filter 642 disable
WARNING: Are you sure you want to disable filter 642 system-wide (y/n)? [n]: y
running-app-groups Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running}application-groups
NGFW{running-app-groups}application-group
Create or enter application-group context.
Syntax
application-group NEWAPPNAME CRITERIASTRING
application-group APPNAME
Example
NGFW{running-app-groups}application-group FaceBook
100
Edit Running Configuration Commands
NGFW{running-app-groups}delete
Delete application-group.
Syntax
delete application-group APPNAME
Example
NGFW{running-app-groups}delete application-group FaceBook
NGFW{running-app-groups}rename
Rename application-group.
Syntax
rename application-group APPNAME NEWAPPNAME
Example
NGFW{running-app-groups}rename application-group FaceBook facebook1
running-app-groups-X Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running-app-groups}application-group FaceBook
NGFW{running-app-groups-FaceBook}criteria
Update application-group criteria.
Syntax
criteria CRITERIASTRING
Example
NGFW{running-app-groups-FaceBook}criteria “string”
NGFW{running-app-groups-FaceBook}description
Update application-group description.
Syntax
description DESCSTRING
Example
NGFW{running-app-groups-FaceBook}description "facebook application group"
running-autodv Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running}autodv
NGFW{running-autodv}calendar
Enter Calender Style.
Syntax
calendar
NGFW Command Line Interface Reference
101
Example
NGFW{running-autodv}calendar
NGFW{running-autodv}delete
Delete file or configuration item.
Syntax
delete proxy
delete proxy-password
delete proxy-username
Example
NGFW{running-autodv}delete proxy-password
NGFW{running-autodv}delete proxy-username
NGFW{running-autodv}delete proxy
NGFW{running-autodv}disable
Disable service.
Syntax
disable
Example
NGFW{running-autodv}disable
NGFW{running-autodv}enable
Enable service.
Syntax
enable
Example
NGFW{running-autodv}enable
NGFW{running-autodv}list
List Installed DVs.
Syntax
list
Example
NGFW{running-autodv}list
version 3.2.0.8458
NGFW{running-autodv}periodic
Enter Periodic Style.
Syntax
periodic
102
Edit Running Configuration Commands
Example
NGFW{running-autodv}periodic
NGFW{running-autodv}proxy
Configure proxy.
Syntax
proxy ADDR port PORT
proxy-password PASSWD
proxy-username USER
Example
NGFW{running-autodv}proxy 192.168.1.1 port 443
NGFW{running-autodv}proxy-password mypassword
NGFW{running-autodv}proxy-username myusername
NGFW{running-autodv}update
Update AutoDV.
Syntax
update
Example
NGFW{running-autodv}update
running-autodv-calendar Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running-autodv}calendar
NGFW{running-autodv-calendar}day
Day of the week to update.
Syntax
day DAYNAME
Example
NGFW{running-autodv-calendar}day ?
Valid entries at this position are:
Sunday
Sunday
Monday
Monday
Tuesday
Tuesday
Wednesday
Wednesday
Thursday
Thursday
Friday
Friday
Saturday
Saturday
NGFW{running-autodv-calendar}time
time HOURS:MINUTES
Syntax
time HOURS:MINUTES
NGFW Command Line Interface Reference
103
Example
NGFW{running-autodv-calendar}time ?
Valid entry at this position is:
HOURS
Value range is 0 - 23
NGFW{running-autodv-calendar}time 17:00
running-autodv-periodic Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running-autodv}periodic
NGFW{running-autodv-periodic}day
Day of the week to update.
Syntax
day (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday)
Example
NGFW{running-autodv-periodic}day Sunday
NGFW{running-autodv-periodic}period
Set number of days between update checks.
Syntax
period PERIOD
PERIOD
Value range is 0 - 99, unit is days
Example
NGFW{running-autodv-periodic}period 1
NGFW{running-autodv-periodic}time
Time of day to check for updates.
time HOURS:MINUTES
Syntax
time HOURS:MINUTES
HOURS
MINUTES
Value range is 0 - 23
Value range is 0 - 59
Example
NGFW{running-autodv-periodic}time 21:00
running-bgp-X Context Commands
NGFW{running}router bgp 1
NGFW{running-bgp-1}aggregate-address
Configure BGP aggregate entries.
Syntax
aggregate-address A.B.C.D/M [as-set] [summary-only]
104
Edit Running Configuration Commands
Example
NGFW{running-bgp-1}help aggregate-address
Configure BGP aggregate entries
Syntax: aggregate-address A.B.C.D/M [as-set] [summary-only]
aggregate-address
Configure BGP aggregate entries
A.B.C.D/M
Aggregate prefix
as-set
Generate AS set path information
summary-only
Filter more specific routes from updates
NGFW{running-bgp-1}always-compare-med
Always compare MEDs from neighbors in different AS.
Syntax
always-compare-med
NGFW{running-bgp-1}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
aggregate-address A.B.C.D/M
always-compare-med
deterministic-med
distance
local-preference
neighbor A.B.C.D peer-group NAME
neighbor (A.B.C.D|NAME)
neighbor (A.B.C.D|NAME) description
neighbor (A.B.C.D|NAME) ebgp-multihop
neighbor (A.B.C.D|NAME) password
neighbor (A.B.C.D|NAME) soft-reconfiguration inbound
neighbor (A.B.C.D|NAME) route-reflector-client
neighbor (A.B.C.D|NAME) distribute-list ACCESS-LIST-NAME (in|out)
neighbor (A.B.C.D|NAME) prefix-list PREFIX-LIST-NAME (in|out)
neighbor (A.B.C.D|NAME) filter-list FILTER-LIST-NAME (in|out)
neighbor (A.B.C.D|NAME) route-map ROUTE-MAP-NAME (in|out)
neighbor (A.B.C.D|NAME) send-community
neighbor (A.B.C.D|NAME) shutdown
neighbor (A.B.C.D|NAME) passive
neighbor (A.B.C.D|NAME) next-hop-self
neighbor (A.B.C.D|NAME) maximum-prefix
neighbor (A.B.C.D|NAME) weight
neighbor (A.B.C.D|NAME) update-source A.B.C.D
neighbor (A.B.C.D|NAME) remove-private-as
neighbor NAME peer-group
network A.B.C.D/M
redistribute (connected|ospf|rip|static)
router-id
timers
Example
NGFW{running-bgp-1}delete ?
Valid entries at this position are:
aggregate-address
Delete BGP aggregate entries
always-compare-med
Delete always compare MEDs from neighbors in different AS
deterministic-med
Delete pick the best-MED route from the neighboring AS
NGFW Command Line Interface Reference
105
distance
graceful-restart
local-preference
neighbor
network
redistribute
router-id
timers
Delete
Delete
Delete
Delete
Delete
Delete
Delete
Delete
administrative distances
BGP graceful restart
the default local preference configured
BGP neighbor
a network to announce via BGP
route redistribution from another routing protocol
the BGP router identifier
BGP timers
NGFW{running-bgp-1}deterministic-med
Pick the best-MED route from the neighboring AS.
Syntax
deterministic-med
NGFW{running-bgp-1}disable
Disable BGP.
Syntax
disable
Example
NGFW{running-bgp-1}help disable
Disable Border Gateway Protocol (BGP)
Syntax: disable
disable
Disable BGP
NGFW{running-bgp-1}distance
Define administrative distances.
Syntax
distance EXTERNAL INTERNAL LOCAL
distance (1-255) (1-255) (1-255)
Example
NGFW{running-bgp-1}help distance
Configure BGP administrative distances
Syntax: distance EXTERNAL INTERNAL LOCAL
distance
Define administrative distances
EXTERNAL
Distance for routes external to the AS (1-255)
INTERNAL
Distance for routes internal to the AS (1-255)
LOCAL
Distance for local routes (1-255)
NGFW{running-bgp-1}enable
Enable BGP.
Syntax
enable
Example
NGFW{running-bgp-1}help enable
Enable Border Gateway Protocol (BGP)
106
Edit Running Configuration Commands
Syntax: enable
enable
Enable BGP
NGFW{running-bgp-1}graceful-restart
Set the BGP graceful restart.
Syntax
graceful-restart
Example
NGFW{running-bgp-1}help graceful-restart
Configure the BGP graceful restart
Syntax: graceful-restart
graceful-restart restart-time RESTART-TIME
graceful-restart stalepath-time STALEPATH-TIME
graceful-restart
Set the BGP graceful restart
restart-time
Set the restart-time for BGP graceful restart
RESTART-TIME
BGP graceful restart time in the unit of seconds (1-3600)
stalepath-time
Set the stalepath time for BGP graceful restart
STALEPATH-TIME
BGP stalepath time in the unit of seconds (1-3600)
NGFW{running-bgp-1}local-preference
Set local preference (higher numbers take preference).
Syntax
local-preference LOCAL-PREFERENCE
LOCAL-PREFERENCE
Default local preference (0-4294967295)
Example
NGFW{running-bgp-1}local-preference 10
NGFW{running-bgp-1}neighbor
Configure BGP neighbor or peer-group.
Syntax
neighbor
neighbor
neighbor
neighbor
neighbor
neighbor
neighbor
neighbor
neighbor
neighbor
neighbor
neighbor
neighbor
neighbor
neighbor
neighbor
neighbor
neighbor
neighbor
A.B.C.D peer-group NAME
(A.B.C.D|NAME) distribute-list ACCESS-LIST-NAME (in|out)
(A.B.C.D|NAME) prefix-list PREFIX-LIST-NAME (in|out)
(A.B.C.D|NAME) filter-list FILTER-LIST-NAME (in|out)
(A.B.C.D|NAME) route-map NAME (in|out)
(A.B.C.D|NAME) send-community
(A.B.C.D|NAME) ebgp-multihop (1-255)
(A.B.C.D|NAME) description DESCRIPTION
(A.B.C.D|NAME) remote-as ASNUMBER
(A.B.C.D|NAME) password
(A.B.C.D|NAME) soft-reconfiguration inbound
(A.B.C.D|NAME) route-reflector-client
(A.B.C.D|NAME) shutdown
(A.B.C.D|NAME) passive
(A.B.C.D|NAME) next-hop-self
(A.B.C.D|NAME) maximum-prefix (1-4294967295)
(A.B.C.D|NAME) weight (0-65535)
(A.B.C.D|NAME) update-source A.B.C.D
(A.B.C.D|NAME) remove-private-as
NGFW Command Line Interface Reference
107
neighbor NAME peer-group
NGFW{running-bgp-1}network
Specify a network to announce through the BGP.
Syntax
network A.B.C.D/M
Example
NGFW{running-bgp-1}network 192.168.0.3/24
NGFW{running-bgp-1}redistribute
Redistribute routes from another routing protocol.
Syntax
redistribute (connected|ospf|rip|static) [metric VALUE] [route-map NAME]
Valid entries:
connected
ospf
rip
static
metric
VALUE
route-map
NAME
Connected
Open Shortest Path First (OSPF)
Routing Information Protocol (RIP)
Static routes
Metric for redistributed routes
Default metric (1-4294967295)
Route map reference
Pointer to route-map entries
Example
NGFW{running-bgp-1}redistribute connected
NGFW{running-bgp-1}router-id
Set the BGP router identifier.
Syntax
router-id A.B.C.D
Example
NGFW{running-bgp-1}help router-id
Syntax: router-id A.B.C.D
router-id
Set the BGP router identifier
A.B.C.D
BGP router-id in IP address format
NGFW{running-bgp-1}timers
Adjust BGP timers. The keepalive interval should be no more than one-third of holdtime.
Syntax
timers KEEPALIVE HOLDTIME
KEEPALIVE
HOLDTIME
Keepalive interval (0-65535)
Holdtime (0-65535)
Example
NGFW{running-bgp-1}timers 60 180
108
Edit Running Configuration Commands
running-blockedStreams Context Commands
NGFW{running}blockedStreams
NGFW{running-blockedStreams}flushallstreams
Flush All Reports.
Syntax
flushallstreams
Example
NGFW{running-blockedStreams}flushallstreams
NGFW{running-blockedStreams}flushstreams
Flush reports.
Syntax
flushstreams
Example
NGFW{running-blockedStreams}flushstreams
NGFW{running-blockedStreams}list
List reports.
Syntax
list
running-bridgeX Context Commands
NGFW{running}interface bridge0
NGFW{running-bridge0}arp/ndp
Enable or disable ARP and NDP on interface.
Syntax
arp/ndp (enable|disable)
Example
NGFW{running-bridge0}arp/ndp enable
NGFW{running-bridge0}autoconfv6
Enable or disable IPv6 autoconfiguration on interface.
Syntax
autoconfv6 (enable|disable)
Example
NGFW{running-bridge0}autoconfv6 enable
NGFW{running-bridge0}bind
Bind bridged network interface over ethernet/VLAN/agglink.
NGFW Command Line Interface Reference
109
Syntax
bind PORT
Example
NGFW{running-bridge0}bind
NGFW{running-bridge0}bind
NGFW{running-bridge0}bind
NGFW{running-bridge0}bind
ethernet5
ethernet6
ethernet7
ethernet8
NGFW{running-bridge0}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
bind (all|PORT)
ip igmp
ip igmp version
ipaddress (all|A.B.C.D/M|X:X::X:X/M)
ipaddress dhcpv4
ipaddress dhcpv6
ipv6 mld
ipv6 mld version
prefix (all|X:X::X:X/M)
shutdown
Example
NGFW{running-bridge0}delete
NGFW{running-bridge0}delete
NGFW{running-bridge0}delete
NGFW{running-bridge0}delete
NGFW{running-bridge0}delete
NGFW{running-bridge0}delete
NGFW{running-bridge0}delete
NGFW{running-bridge0}delete
bind ethernet8
bind all
ip igmp
ipaddress 192.168.1.1/24
ipaddress 100:0:0:0:0:0:0:1/64
ipv6 mld
prefix all
shutdown
NGFW{running-bridge0}description
Enter description for the interface.
Syntax
description TEXT
Example
NGFW{running-bridge0}description "Ethernet bridged interface"
NGFW{running-bridge0}ip
Configure IP settings.
Syntax
ip
ip
ip
ip
ip
ip
ip
110
igmp
igmp
ospf
ospf
ospf
ospf
ospf
version (1|2|3)
area A.B.C.D|(0-4294967295)
authentication mode md5 KEY_ID KEY
authentication mode text KEY
cost COST
dead-interval VALUE
Edit Running Configuration Commands
ip ospf hello-interval VALUE [A.B.C.D]
ip ospf priority VALUE
ip ospf retransmit-interval VALUE
ip ospf transmit-delay VALUE
ip rip
ip rip authentication mode md5 (0-2147483647) KEY
ip rip authentication mode text
ip rip receive version VERSION
ip rip send version VERSION
ip rip split-horizon [poison-reverse]
ipaddress (A.B.C.D/M|X:X::X:X/M) [primary]
ipv6 mld
Example
NGFW{running-bridge0}ip igmp version 3
NGFW{running-bridge0}ip igmp
NGFW{running-bridge0}ipaddress
Configure IP address.
Syntax
ipaddress (A.B.C.D/M|X:X::X:X/M) [primary]
ipaddress dhcpv4
Example
NGFW{running-bridge0}ipaddress 192.168.1.1/24
NGFW{running-bridge0}ipaddress 100:0:0:0:0:0:0:1/64
NGFW{running-bridge0}ipv6
Configure IPv6 settings.
Syntax
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
mld
mld version (1|2)
ospfv3 area A.B.C.D|(0-4294967295)
ospfv3 cost COST
ospfv3 dead-interval VALUE
ospfv3 hello-interval VALUE
ospfv3 priority VALUE
ospfv3 retransmit-interval VALUE
ospfv3 transmit-delay VALUE
ripng
ripng split-horizon [poison-reverse]
Example
NGFW{running-bridge0}ipv6 mld version 2
NGFW{running-bridge0}ipv6 ripng split-horizon poison-reverse
NGFW{running-bridge0}mtu
Configure interface MTU.
Syntax
mtu (default|VALUE)
VALUE (68-9216)
NGFW Command Line Interface Reference
111
Example
NGFW{running-bridge0}mtu 1280
NGFW{running-bridge0}prefix
Configure IPv6 prefix.
Syntax
prefix X:X::X:X/M [valid-lifetime SECONDS] [preferred-lifetime SECONDS]
SECONDS (1-4294967295)
Example
NGFW{running-bridge0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000
preferred-lifetime 604800
NGFW{running-bridge0}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level.
Syntax
ra-autoconf-level AUTOCONF
AUTOCONF
Router Advert Autoconfiguration level (DHCP)
Possible values for AUTOCONF are:
none
No parameter is autoconfigured
address
Address is autoconfigured
other
Some other parameters are autoconfigured
full
Most parameters are autoconfigured
Example
NGFW{running-bridge0}help ra-autoconf-level full
NGFW{running-bridge0}ra-interval
Modify IPv6 Router Advertisement interval value in milliseconds.
Syntax
ra-interval (90-1800000)
Example
NGFW{running-bridge0}ra-interval 600
NGFW{running-bridge0}ra-interval-transmit
Modify IPv6 Router Advertisement interval transmit.
Syntax
ra-interval-transmit (enable|disable)
Example
NGFW{running-bridge0}ra-interval-transmit enable
NGFW{running-bridge0}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
112
Edit Running Configuration Commands
Syntax
ra-lifetime (0-9000000)
Example
NGFW{running-bridge0}ra-lifetime 1800
NGFW{running-bridge0}ra-mtu
Modify IPv6 Router Advertisement MTU value.
Syntax
ra-mtu (none|MTU)
MTU value advertised(68-9216)(0 if none)
Example
NGFW{running-bridge0}ra-mtu none
NGFW{running-bridge0}ra-mtu 1500
NGFW{running-bridge0}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
Syntax
ra-transmit-mode MODE
MODE
Router Advertisement Transmit mode
Possible values for MODE are:
always
Router Advert message is always sent
never
Router Advert message is never sent
smart
Router Advert message is sent if a prefix is defined
Example
NGFW{running-bridge0}ra-transmit-mode smart
NGFW{running-bridge0}shutdown
Shutdown logical interface state.
Syntax
shutdown
Example
NGFW{running-bridge0}shutdown
NGFW{running-bridge0}tcp4mss
Configure interface TCP MSS for IPv4.
Syntax
tcp4mss (disable|automatic|4-65535)
disable
automatic
(4-65535)
Disable service
Automatically select TCP MSS based on interface MTU
TCP MSS value for IPv4
Example
NGFW{running-bridge0}tcp4mss automatic
NGFW Command Line Interface Reference
113
NGFW{running-bridge0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|4-65535)
disable
automatic
(4-65535)
Disable service
Automatically select TCP MSS based on interface MTU
TCP MSS value for IPv6
Example
NGFW{running-bridge0}tcp6mss automatic
running-captive-portal Context Commands
NGFW{running}captive-portal
NGFW{running-captive-portal}delete
Delete captive portal rule(s).
Syntax
delete rule (all|RULEID)
Example
NGFW{running-captive-portal}delete rule 20010
NGFW{running-captive-portal}delete rule all
NGFW{running-captive-portal}rename
Rename a captive-portal rule.
Syntax
rename rule RULEID NEWRULEID
Example
NGFW{running-captive-portal}rename rule watershed 20010
NGFW{running-captive-portal}reset
Set a Captive Portal parameter to its DEFAULT value.
Syntax
reset
reset
reset
reset
reset
(max-session-time|inactive-timeout|port|certificate)
login-page (foreground-color|background-color)
login-page (header-HTML|footer-HTML|failed-HTML)
status-page (foreground-color|background-color)
status-page main-HTML
Example
NGFW{running-captive-portal}reset certificate
NGFW{running-captive-portal}reset login-page foreground-color
NGFW{running-captive-portal}reset status-page main-HTML
NGFW{running-captive-portal}rule
Create or enter a rule context.
114
Edit Running Configuration Commands
Syntax
rule (auto|RULEID) [POSITION_VALUE]
Example
NGFW{running-captive-portal}rule auto
NGFW{running-captive-portal}rule 20010 1
NGFW{running-captive-portal}rule watershed
NGFW{running-captive-portal}set
Set a Captive Portal parameter.
Syntax
set
set
set
set
set
set
set
set
max-session-time MINUTES
inactive-timeout MINUTES
port PORT
certificate CERTNAME
(login-page|status-page) (foreground-color|background-color) (HEX|COLOR)
login-page (header-HTML|footer-HTML|failed-HTML)
status-page (foreground-color|background-color) (HEX|COLOR)
status-page main-HTML
Example
NGFW{running-captive-portal}set
NGFW{running-captive-portal}set
NGFW{running-captive-portal}set
NGFW{running-captive-portal}set
NGFW{running-captive-portal}set
inactive-timeout 60
port 8443
status-page background-color #CD88B1
status-page foreground-color #FFEFD5
status-page foreground-color DodgerBlue
running-captive-portal-rule-X Context Commands
NGFW{running-captive-portal}rule 20000
NGFW{running-captive-portal-rule-20000}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
src-address include group (all|ADDRESSGROUP)
src-address include ipaddress (all|A.B.C.D/M|X:X::X:X/M)
src-address include range (all|A.B.C.D|X:X::X:X)
src-address exclude group (all|ADDRESSGROUP)
src-address exclude ipaddress (all|A.B.C.D/M|X:X::X:X/M)
src-address exclude range (all|A.B.C.D|X:X::X:X)
dst-address include group (all|ADDRESSGROUP)
dst-address include ipaddress (all|A.B.C.D/M|X:X::X:X/M)
dst-address include range (all|A.B.C.D|X:X::X:X)
dst-address exclude group (all|ADDRESSGROUP)
dst-address exclude ipaddress (all|A.B.C.D/M|X:X::X:X/M)
dst-address exclude range (all|A.B.C.D|X:X::X:X)
src-zone (include all|ZONENAME)
src-zone (exclude all|ZONENAME)
Example
NGFW{running-captive-portal-rule-20000}delete dst-address include group mygroup1
NGFW{running-captive-portal-rule-20000}delete src-address exclude ipaddress all
NGFW{running-captive-portal-rule-20000}delete dst-address include ipaddress
192.168.1.1/32
NGFW Command Line Interface Reference
115
NGFW{running-captive-portal-rule-20000}description
Apply rule description.
Syntax
description TEXT
Example
NGFW{running-captive-portal-rule-20000}description "captive portal rule"
NGFW{running-captive-portal-rule-20000}dst-address
Apply destination address.
Syntax
dst-address
dst-address
dst-address
dst-address
(include|exclude)
(include|exclude)
(include|exclude)
(include|exclude)
group ADDRESSGROUP
ipaddress (A.B.C.D|X:X::X:X)
ipaddress (A.B.C.D/M|X:X::X:X/M)
range ((A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X))
Example
NGFW{running-captive-portal-rule-20000}dst-address
NGFW{running-captive-portal-rule-20000}dst-address
NGFW{running-captive-portal-rule-20000}dst-address
NGFW{running-captive-portal-rule-20000}dst-address
192.168.1.200
include
include
exclude
include
group mygroup1
ipaddress 192.168.1.0/24
ipaddress 192.168.1.1
range 192.168.1.100
NGFW{running-captive-portal-rule-20000}move
Move rule position.
Syntax
move (after RULEID)|(before RULEID)|(to position VALUE)
Example
NGFW{running-captive-portal-rule-20000}move to position 1
NGFW{running-captive-portal-rule-20000}move before 20050
NGFW{running-captive-portal-rule-20000}move after 20040
NGFW{running-captive-portal-rule-20000}src-address
Apply source address.
Syntax
src-address
src-address
src-address
src-address
(include|exclude)
(include|exclude)
(include|exclude)
(include|exclude)
group ADDRESSGROUP
ipaddress (A.B.C.D|X:X::X:X)
ipaddress (A.B.C.D/M|X:X::X:X/M)
range ((A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X))
Example
NGFW{running-captive-portal-rule-20000}src-address
NGFW{running-captive-portal-rule-20000}dst-address
NGFW{running-captive-portal-rule-20000}dst-address
NGFW{running-captive-portal-rule-20000}dst-address
192.168.1.200
116
Edit Running Configuration Commands
include
include
exclude
include
group mygroup1
ipaddress 192.168.1.0/24
ipaddress 192.168.1.1
range 192.168.1.100
NGFW{running-captive-portal-rule-20000}src-zone
Apply source security zone.
Syntax
src-zone (include|exclude) ZONENAME
Example
NGFW{running-captive-portal-rule-20000}src-zone include myzone1
NGFW{running-captive-portal-rule-20000}src-zone exclude myzone1
running-certificates Context Commands
NGFW{running}certificates
NGFW{running-certificates}ca-certificate
Add CA certificate.
Syntax
ca-certificate CANAME
Example
NGFW{running-certificates}ca-certificate myCAname
Please enter the PEM encoded CA certificate contents (including BEGIN CERTIFICATE and
END CERTIFICATE lines):
-----BEGIN CERTIFICATE----SoIDQTCCAqoCCQDiEcSvKsrhKTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJB
VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
cyBQdHkgTHeRkMB4XDTA5MDQxNjE3MDUxNloDTA5MDUxNjE3MDUxNlowbDEQMA4G
A1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93
bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UEoxMHVW5wer93bjEQMA4GA1UEAxMH
VW5rbm93bjCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn
9hG3UjzvRADDHj+AplEmaUVdQCJR+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3
a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1
864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXW
mz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hM
KBYTt88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6o
UZCJqIPf4VrlnwaSi2ZegHtVJWQBTDv+z0kqA4GEAAKBgDNS53gXgLN9qXzf5AIs
npdKIhCaP6LOMaueQM2X9p51TWee8n95Ti9pUEoZSAgXKbV235WfqaQaIXhkXM7d
D/huz80xy3Pf5EzAEYhZLanL2GF6UL7g9z0ZtHI7E1yk2ylQrB8GI/fboIp213ug
NQ9TR7THyOy9dwftwoKSXEmSMA0GCSqGSIb3DQEBBAUAA4GBAIzxQr3OK9Jzq+wh
ZfKLLd0S7PbNZH7BfO7voEGtuC5fSPqbziwmOt9FYAg+U0rvIrHQI2DxSPHoxOA9
PISrOJgU6A2+VTbkZTJB32/Zng/hTDUQUkyyjllskdmafS1b9SSs0Z7SPuLu6VDB
zR6PBzoFwaWk3nX2lYsk/gFpf07z
-----END CERTIFICATE-----
NGFW{running-certificates}cert-request
Creates a certificate request for this device.
Syntax
cert-request CERTREQUEST [key-size SIZE]
CERTREQUEST
Certificate Request identifier
key-size
Specify private key size
SIZE
Specify private key size bits
Possible values for SIZE are:
1024
1024-bit key size
1536
1536-bit key size
NGFW Command Line Interface Reference
117
2048
4096
2048-bit key size (default)
4096-bit key size
Example
NGFW{running-certificates}cert-request myrequest
(Enter 'exit' to abort the command)
Enter Common Name (string, required): www.example.com
Enter Country (two letter code or 'none')[none]: US
Enter State (string or 'none')[none]:
Enter Locality (string or 'none')[none]:
Enter Organization (string or 'none')[none]:
Enter Unit (string or 'none')[none]:
Enter E-mail (string or 'none')[none]:
Enter FQDN (a string or 'none')[none]: www.example.com
Enter User FQDN (string or 'none')[none]:
-----BEGIN CERTIFICATE REQUEST----MIICpjCCAY4CAQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMTD3d3dy5leGFtcGxl
LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKWIxUWcq3vk3bBt
ivmAaNXtDLT+DMASIfnIIs4b/e8nS8k2HvrlqCqgDcm98iet2vOZ7G3bzLOWPL+a
K6hJSUaqW+cz9LVMyoIM7lsWLgt+46X/EKvSGpTLNuyvupJPa76iNjgzJLxcYgEO
C3vQGIZUlG6aiJ9ABiGAPC4GpUICnJFeo9JrkDGAcKh3hFN0VZyuPgDeLssj0luo
5HL9WO/oC0E+rdYGzgU7/+B04X2mQ4LiKCV92deGvnN2Fc0DP1EHFy5hS5nVlzG1
Y6yvIYVKL2IWfdNH5U6MDd1zJLAmhRUaphLUx87yluOLl5uVPXwm/EXlE6ql2MP+
fCg10+UCAwEAAaA6MDgGCSqGSIb3DQEJDjErMCkwCwYDVR0PBAQDAgXgMBoGA1Ud
EQQTMBGCD3d3dy5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQQFAAOCAQEAGXPnvwZ3
cLLSjMOtNmizrKST+YdF1EzOOkXMBh+FZigXny5tCfQccmU5ir18KE/aKbMyQeii
sSeHhI4utZvOrjLL8lcbJlEU2xnC9BGXhmbGUmWynHFziTYom7Lpv8gq+p6+B1Ox
KDxJ+cMv1Ips+g3C8zZnQsN+dLgnWCb3X3NaJos5LHu4PK48+Zl3sic94Ixw0ZQF
HHhlJe7rfg8HMEYHXMiGowSpn9vnRMVh1K0o2Cdv9aIzjm+TH+WiTV9yYX5Dqys7
c8vOS1+G6R6o5s6tHDGPNYyVfCD1W+vxdCXVGR5zLsoB5eTL7bDR1NFKu/77FvKu
dLTq8hPpOt7gvQ==
-----END CERTIFICATE REQUEST-----
NGFW{running-certificates}certificate
Add device certificate.
Syntax
certificate CERTNAME
Example
NGFW{running-certificates}certificate mycertname
Please enter the PEM encoded certificate contents (including BEGIN CERTIFICATE and
END CERTIFICATE lines):
-----BEGIN CERTIFICATE----SoIDQTCCAqoCCQDiEcSvKsrhKTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJB
VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
cyBQdHkgTHeRkMB4XDTA5MDQxNjE3MDUxNloDTA5MDUxNjE3MDUxNlowbDEQMA4G
A1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93
bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UEoxMHVW5wer93bjEQMA4GA1UEAxMH
VW5rbm93bjCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn
9hG3UjzvRADDHj+AplEmaUVdQCJR+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3
a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1
864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXW
mz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hM
KBYTt88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6o
UZCJqIPf4VrlnwaSi2ZegHtVJWQBTDv+z0kqA4GEAAKBgDNS53gXgLN9qXzf5AIs
npdKIhCaP6LOMaueQM2X9p51TWee8n95Ti9pUEoZSAgXKbV235WfqaQaIXhkXM7d
D/huz80xy3Pf5EzAEYhZLanL2GF6UL7g9z0ZtHI7E1yk2ylQrB8GI/fboIp213ug
118
Edit Running Configuration Commands
NQ9TR7THyOy9dwftwoKSXEmSMA0GCSqGSIb3DQEBBAUAA4GBAIzxQr3OK9Jzq+wh
ZfKLLd0S7PbNZH7BfO7voEGtuC5fSPqbziwmOt9FYAg+U0rvIrHQI2DxSPHoxOA9
PISrOJgU6A2+VTbkZTJB32/Zng/hTDUQUkyyjllskdmafS1b9SSs0Z7SPuLu6VDB
zR6PBzoFwaWk3nX2lYsk/gFpf07z
-----END CERTIFICATE-----
NGFW{running-certificates}crl
Certificate revocation list.
Syntax
crl
Example
NGFW{running-certificates}crl
NGFW{running-certificates}delete
Delete file or configuration item.
Syntax
delete ca-certificate (all|CANAME)
delete cert-request (all|CERTREQUEST)
delete certificate (all|CERTNAME)
Example
NGFW{running-certificates}delete ca-certificate myCAname
NGFW{running-certificates}delete cert-request myrequest
NGFW{running-certificates}delete certificate mycertname
NGFW{running-certificates}display
Display file or configuration item.
Syntax
display
display
display
display
ca-certificate CANAME [pem|text]
cert-request CERTNAME
certificate CERTNAME [pem|text]
private-key CERTNAME
Example
NGFW{running-certificates}display
# CERTIFICATE AUTHORITIES
ca-certificate myCAname
-----BEGIN CERTIFICATE----SoIDQTCCAqoCCQDiEcSvKsrhKTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJB
...
PISrOJgU6A2+VTbkZTJB32/Zng/hTDUQUkyyjllskdmafS1b9SSs0Z7SPuLu6VDB
zR6PBzoFwaWk3nX2lYsk/gFpf07z
-----END CERTIFICATE----# CERTIFICATES
certificate mycertname
-----BEGIN CERTIFICATE----SoIDQTCCAqoCCQDiEcSvKsrhKTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJB
...
PISrOJgU6A2+VTbkZTJB32/Zng/hTDUQUkyyjllskdmafS1b9SSs0Z7SPuLu6VDB
NGFW Command Line Interface Reference
119
zR6PBzoFwaWk3nX2lYsk/gFpf07z
-----END CERTIFICATE----# CERTIFICATE REQUESTS
cert-request myrequest key-size 2048
-----BEGIN CERTIFICATE REQUEST----MIICpjCCAY4CAQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMTD3d3dy5leGFtcGxl
...
c8vOS1+G6R6o5s6tHDGPNYyVfCD1W+vxdCXVGR5zLsoB5eTL7bDR1NFKu/77FvKu
dLTq8hPpOt7gvQ==
-----END CERTIFICATE REQUEST----# Subject Identity #
CN= www.example.com
C = US
ST= none
L = none
O = none
OU= none
Email= none
FQDN = www.example.com
User = none
# CRL
NGFW{running-certificates}private-key
Add device certificate private-key.
Syntax
private-key CERTNAME
Example
NGFW{running-certificates}private-key mycertname
Please enter the PEM encoded private key contents (including BEGIN PRIVATE KEY and
END PRIVATE KEY lines):
-----BEGIN DSA PRIVATE KEY----S0IBvAIBAAKBgQDjfcGLU+2NKUidI0mQ7EfiEWCc2/QLDYwfyl6t3YMMVRePWYUz
Pjom3A98G8VEhE8i+Ry3VMjmrmeRTljORWh7drvA+R48QIUC0sKbHY0TjshpNKjC
EpzX3s25mn2jeH9OLajjfT4AUKk629ajnA/tyE/Dg4a3J9PMrR/BOaJXjwIVAPq+
xXo8i7Jrjuo9pdu2A+12183HAoGBAMWQMBgsyvPRfXCDh+kaokahCJRZb7olAeN4
uSPrTmEdxn9jO+bfPCOx6Paljsjflw6uevWEBja9j0AmafxYPrKY8AhngKRFohoH
0Vwp9QKT+yVsCWghrBWQYj3myvrOGg0ydw6buDNIRYY71lYoVzQKw6NddseP3Gp9
4Pch6BKyAoGAGxqWTZsPe2lp/lz3LmmbpJoLRbE9OWBa5rVCuRM21qSRDDzQ0R4X
/cWW1kIC5n6NpVEMu+b70q3NyAK8AuFN+Ezfw+LgpvCI+Ae27bjj7AJxMD8161UG
e45Qiv20THFFqw/zP7DHG6tFdT06ss6xjw+ausphZGRhU8xBBR+NF3sCFQCiAvaI
xWsrP2Z1777kgMC45lKhqg==
-----END DSA PRIVATE KEY-----
running-certificates-crl Context Commands
NGFW{running-certificates}crl
NGFW{running-certificates-crl}add
Add a CRL URI or file for a specified CA.
Syntax
add CANAME (local-import|(uri CRLURI))
120
Edit Running Configuration Commands
Example
NGFW{running-certificates-crl}help add
Valid commands are:
# Enter context
addressgroups
# Other commands
add CANAME local-import|(uri CRLURI)
NGFW{running-certificates-crl}cache
Enable or disable CRL cache fetched via HTTP.
Syntax
cache (enable|disable)
Example
NGFW{running-certificates-crl}cache enable
NGFW{running-certificates-crl}delete
Delete a CRL URI or file for a specified Certificate Authority.
Syntax
delete crl (all|CANAME)
Valid entries:
all
Delete all CRL URIs and local files
CANAME
Delete CRL URI and local files for this Certificate Authority.
Example
NGFW{running-certificates-crl}delete crl all
NGFW{running-certificates-crl}mode
Set certificate revocation mode.
Syntax
mode (required|optional)
Valid entries:
required
Fail authentication by certificate if CRL cannot be verified
optional
Allow authentication by certificate if CRL cannot be verified
Example
NGFW{running-certificates-crl}mode required
running-cluster Context Commands
NGFW{running}cluster
NGFW{running-cluster}check
Perform consistency check.
Syntax
check CHECK_TYPE (enable|disable)
NGFW Command Line Interface Reference
121
Example
NGFW{running-cluster}check config enable
NGFW{running-cluster}cluster-name
Apply cluster name.
Syntax
cluster-name NAME
Example
NGFW{running-cluster}cluster-name ?
Valid entry at this position is:
NAME
Cluster name (1-30 characters)
NGFW{running-cluster}delete
Delete file or configuration item.
Syntax
delete standby
Example
NGFW{running-cluster}delete ?
Valid entry at this position is:
standby
Remove the device from standby
NGFW{running-cluster}disable
Disable clustering.
Syntax
disable
Example
NGFW{running-cluster}disable
NGFW{running-cluster}enable
Enable clustering.
Syntax
enable
Example
NGFW{running-cluster}enable
NGFW{running-cluster}member-id
Cluster Member ID.
Syntax
member-id ID
122
Edit Running Configuration Commands
Example
NGFW{running-cluster}member-id ?
Valid entry at this position is:
ID
Member ID
NGFW{running-cluster}member-name
Cluster member name.
Syntax
member-name NAME
Example
NGFW{running-cluster}member-name ?
Valid entry at this position is:
NAME
Member name (1-30 characters)
NGFW{running-cluster}standby
Sets the device on standby.
Syntax
standby
Example
NGFW{running-cluster}standby
NGFW{running-cluster}tct
Enter cluster traffic context.
Syntax
tct
Example
NGFW{running-cluster}tct
NGFW{running-cluster-tct}
running-cluster-tct Context Commands
NGFW{running-cluster}tct
NGFW{running-cluster-tct}delete
Delete file or configuration item.
Syntax
delete ipaddress
delete multicast
Example
NGFW{running-cluster-tct}delete ?
Valid entries at this position are:
ipaddress
IPv4 address
multicast
Apply multicast IPv4 address
NGFW Command Line Interface Reference
123
NGFW{running-cluster-tct}encryption
Apply encryption hash.
Syntax
encryption (enable|disable)
encryption hash (none|MD5|SHA1|SHA256|SHA384|SHA512)
encryption cipher (none|AES256)
encryption passphrase PASSPHRASE
hash
Apply encryption hash
Possible values for HASH are:
MD5
MD5 hash algorithm
SHA1
SHA1 hash algorithm
SHA256
SHA256 hash algorithm
SHA384
SHA384 hash algorithm
SHA512
SHA512 hash algorithm
none
No hash algorithm
cipher
Apply encryption cipher
Possible values for CIPHER are:
none
No cipher algorithm
AES256
AES256 cipher algorithm
passphrase
Apply encryption passphrase
PASSPHRASE
Apply encryption passphrase
enable
Enable encryption
disable
Disable encryption
Example
NGFW{running-cluster-tct}encryption
NGFW{running-cluster-tct}encryption
NGFW{running-cluster-tct}encryption
NGFW{running-cluster-tct}encryption
NGFW{running-cluster-tct}encryption
enable
disable
hash SHA512
cipher AES256
passphrase mypassphrase
NGFW{running-cluster-tct}ipaddress
IPv4 address.
Syntax
ipaddress A.B.C.D/M
Example
NGFW{running-cluster-tct}help ipaddress
Apply IPv4 address
Syntax: ipaddress A.B.C.D/M
ipaddress
IPv4 address
A.B.C.D/M
IPv4 address with netmask
NGFW{running-cluster-tct}mgmt-port-failover
Failover to management port if HA ports unavailable.
Syntax
mgmt-port-failover (enable|disable)
Example
NGFW{running-cluster-tct}mgmt-port-failover enable
124
Edit Running Configuration Commands
NGFW{running-cluster-tct}mtu
Apply MTU.
Syntax
mtu (68-9216)
Example
NGFW{running-cluster-tct}mtu 1500
NGFW{running-cluster-tct}multicast
Apply multicast IPv4 address.
Syntax
multicast A.B.C.D
Example
NGFW{running-cluster-tct}multicast 192.168.0.32
NGFW{running-cluster-tct}physical-media
Apply physical-media settings. Auto-negotiation is the default.
Syntax
physical-media (auto-neg)|(SPEED-MODE)
auto-neg
Enable auto-negotiation (default is on)
SPEED-MODE
Set the port speed
Possible values for SPEED-MODE are:
10half
Supported port speed and mode
10full
Supported port speed and mode
100half
Supported port speed and mode
100full
Supported port speed and mode
1000full
Supported port speed and mode
Example
NGFW{running-cluster-tct}physical-media 10full
NGFW{running-cluster-tct}port
Apply multicast UDP port number.
Syntax
port N
N
Apply multicast UDP port number(1-65534)
Example
NGFW{running-cluster-tct}port 9
NGFW{running-cluster-tct}retry
Apply retry interval.
Syntax
retry N
N
Apply retry interval value(1-10)
NGFW Command Line Interface Reference
125
Example
NGFW{running-cluster-tct}retry 3
NGFW{running-cluster-tct}timeout
Apply timeout.
Syntax
timeout N
N
Apply timeout value(100-10000)
Example
NGFW{running-cluster-tct}timeout 160
NGFW{running-cluster-tct}ttl
Apply TTL.
Syntax
ttl N
N
Apply TTL value(1-255)
Example
NGFW{running-cluster-tct}ttl 2
running-dhcp-relay Context Commands
NGFW{running}dhcp relay
NGFW{running-dhcp-relay}client
Configure client interface.
Syntax
client interface (all|IFNAME)
Example
NGFW{running-dhcp-relay}help client
Configure client interface
Syntax: client interface all|IFNAME
all
Configure listening to all interfaces?
IFNAME
Configure interface
NGFW{running-dhcp-relay}delete
Delete configuration item.
Syntax
delete client interface (all|IFNAME)
delete server (all|(interface IFNAME)|(address A.B.C.D))
Example
NGFW{running-dhcp-relay}delete client interface all
NGFW{running-dhcp-relay}disable
Disable service.
126
Edit Running Configuration Commands
Syntax
disable
Example
NGFW{running-dhcp-relay}help disable
Disable DHCP relay
Syntax: disable
disable
Disable service
NGFW{running-dhcp-relay}enable
Enable service.
Syntax
enable
Example
NGFW{running-dhcp-relay}help enable
Enable DHCP relay
Syntax: enable
enable
Enable service
NGFW{running-dhcp-relay}server
Configure server interface.
Syntax
server (interface IFNAME)|(address A.B.C.D)
Example
NGFW{running-dhcp-relay}help server address
Configure server address
Syntax: server (address A.B.C.D)
A.B.C.D
Configure IPv4 address
NGFW{running-dhcp-relay}help server interface
Configure server interface
Syntax: server (interface IFNAME)
A.B.C.D
Configure IPv4 address
running-dhcp-server Context Commands
NGFW{running}dhcp server
NGFW{running-dhcp-server}delete
Delete configuration item.
Syntax
delete scope (all|NAME)
Example
NGFW{running-dhcp-server}help delete
Delete scope
Syntax: delete scope all|NAME
all
Delete all scopes
NAME
Delete scope
NGFW Command Line Interface Reference
127
NGFW{running-dhcp-server}disable
Disable server.
Syntax
disable
Example
NGFW{running-dhcp-server}disable
NGFW{running-dhcp-server}display
Display configuration item.
Syntax
display scope NAME
Example
NGFW{running-dhcp-server}help display
Valid commands are:
# Manage context
display [xml]
# Other commands
display scope NAME [xml]
NGFW{running-dhcp-server}enable
Enable server.
Syntax
enable
Example
NGFW{running-dhcp-server}enable
NGFW{running-dhcp-server}scope
Configure scope.
Syntax
scope NAME
Example
NGFW{running-dhcp-server}scope myscope
running-dhcp-server-X Context Commands
NGFW{running-dhcp-server}scope myscope
NGFW{running-dhcp-server-myscope}address-range
Configure IP address range.
Syntax
address-range A.B.C.D A.B.C.D
128
Edit Running Configuration Commands
Example
NGFW{running-dhcp-server-myscope}help address-range
Configure IP address range
Syntax: address-range A.B.C.D A.B.C.D
A.B.C.D First address
A.B.C.D Last address
NGFW{running-dhcp-server-myscope}default-gateway
Configure default gateway.
Syntax
default-gateway (myself|A.B.C.D)
Example
NGFW{running-dhcp-server-myscope}help default-gateway
Configure default gateway
Syntax: default-gateway myself|A.B.C.D
myself
Use subnets IP address as default gateway
A.B.C.D
IPv4 address
NGFW{running-dhcp-server-myscope}delete
Delete configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
address-range (all|(A.B.C.D A.B.C.D))
default-gateway NAME
dns-server (all|A.B.C.D)
domain-name NAME
exclude (all|A.B.C.D)
host (all|NAME)
lease
option (all|NAME|NUMBER)
subnet A.B.C.D/M
Example
NGFW{running-dhcp-server-myscope}delete ?
Valid entries at this position are:
address-range
Delete IP address range
default-gateway
Delete default gateway
dns-server
Delete DNS server
domain-name
Delete domain name
exclude
Delete excluded IP address
host
Delete host
lease
Delete lease
option
Delete option
subnet
Delete subnet
NGFW{running-dhcp-server-myscope}dns-server
Configure DNS server.
Syntax
dns-server A.B.C.D (primary|secondary|tertiary)
NGFW Command Line Interface Reference
129
Example
NGFW{running-dhcp-server-myscope}help dns-server
Configure DNS server
Syntax: dns-server A.B.C.D primary|secondary|tertiary
A.B.C.D
IPv4 address
primary
Configure primary server
secondary
Configure secondary server
tertiary
Configure tertiary server
NGFW{running-dhcp-server-myscope}domain-name
Configure Domain Name.
Syntax
domain-name NAME
Example
NGFW{running-dhcp-server-myscope}domain-name americas
NGFW{running-dhcp-server-myscope}exclude
Configure excluded IP address.
Syntax
exclude A.B.C.D
Example
NGFW{running-dhcp-server-myscope}help exclude
Configure excluded IP address
Syntax: exclude A.B.C.D
A.B.C.D
IPv4 address
NGFW{running-dhcp-server-myscope}host
Configure host name.
Syntax
host NAME X:X:X:X:X:X A.B.C.D
Example
NGFW{running-dhcp-server-myscope}help host
Configure static IP address for client with mac address.
Syntax: host NAME X:X:X:X:X:X A.B.C.D
NAME
Configure name
X:X:X:X:X:X Ethernet MAC address (e.g 00:02:b3:39:ba:d2)
Syntax: byte(:byte){5} byte MAC address byte
A.B.C.D
IPv4 address
NGFW{running-dhcp-server-myscope}lease
Configure DHCPv4 lease in seconds.
Syntax
lease (0-1073741824)
Example
NGFW{running-dhcp-server-myscope}help lease
130
Edit Running Configuration Commands
Configure DHCPv4 lease
Syntax: lease <0-1073741824>
<0-1073741824>
Lease value in seconds (0-1073741824)
NGFW{running-dhcp-server-myscope}option
Configure options.
Syntax
option (NAME|NUMBER) text Value 1
option (NAME|NUMBER) boolean Value 1 [Value 2] [Value 3]
option (NAME|NUMBER) integer8 Value 1 [Value 2] [Value 3]
option (NAME|NUMBER) hex8 Value 1 [Value 2] [Value 3]
option (NAME|NUMBER) integer32 Value 1 [Value 2] [Value 3]
option (NAME|NUMBER) hex32 Value 1 [Value 2] [Value 3]
option (NAME|NUMBER) ipaddress (Value 1) [Value 2] [Value 3]
Refer to https://tools.ietf.org/html/rfc2132#section-3 or
https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#DHCP_options for
known option names and numbers.
Example
NGFW{running-dhcp-server-myscope}help option
option
Configure options
Syntax: option (NAME) Values
Values as specified in documents referenced above
Syntax: option (NUMBER) text Value 1
Value 1 can include up to 256 characters of any type including spaces and tabs
Syntax: option (NUMBER) boolean Value 1 [Value 2] [Value 3]
Value 1,2,3 must be string true or false
Syntax: option (NUMBER) integer8 Value 1 [Value 2] [Value 3]
Value 1,2,3 must be in integer between 0 and 255
Syntax: option (NUMBER) hex8 Value 1 [Value 2] [Value 3]
Value 1,2,3 must be in hex integer between 0 and ff and entered as (0x0-0xff)
Syntax: option (NUMBER) integer32 Value 1 [Value 2] [Value 3]
Value 1,2,3 must be in integer between 0 and 16777215
Syntax: option (NUMBER) hex32 Value 1 [Value 2] [Value 3]
Value 1,2,3 must be in hex integer between 0 and ffffff and entered as
(0x0-0xffffff)
Syntax: option (NUMBER) ipaddress (Value 1) [Value 2] [Value 3]
Value 1,2,3 can be a domain name of up to 255 characters or an IP address
NGFW{running-dhcp-server-myscope}subnet
Configure subnet.
Syntax
subnet A.B.C.D/M
Example
NGFW{running-dhcp-server-myscope}subnet ?
Valid entry at this position is:
A.B.C.D/M
IPv4 address and mask length
running-dnat Context Commands
NGFW{running}dst-nat
NGFW{running-dnat}delete
Delete destination NAT rule(s).
NGFW Command Line Interface Reference
131
Syntax
delete rule (all|DSTNATRULEID)
Example
NGFW{running-dnat}delete rule 123
NGFW{running-dnat}rename
Rename destination NAT rule.
Syntax
rename dnat DSTNATRULEID NEWDSTNATRULEID
Example
NGFW{running-dnat}rename rule 123 dnat1
NGFW{running-dnat}rule
Create or enter a rule context.
Syntax
rule (auto|DSTNATRULEID) [POSITION_VALUE]
Example
NGFW{running-dnat}rule auto
NGFW{running-dnat}rule 123
running-dnat-rule-X Context Commands
NGFW{running-dnat}rule 1
NGFW{running-dnat-rule-dnat1}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
port
dst-zone (include|exclude) ZONENAME
src-address (include|exclude) group ADDRESSGROUP
dst-address (include|exclude) group ADDRESSGROUP
src-address (include|exclude) ipaddress A.B.C.D
dst-address (include|exclude) ipaddress A.B.C.D
src-address (include|exclude) ipaddress A.B.C.D/M
dst-address (include|exclude) ipaddress A.B.C.D/M
src-address (include|exclude) range A.B.C.D A.B.C.D
dst-address (include|exclude) range A.B.C.D A.B.C.D
translate-to ipaddress (A.B.C.D|A.B.C.D/M)
translate-to range A.B.C.D A.B.C.D
Example
NGFW{running-dnat-rule-dnat1}delete
NGFW{running-dnat-rule-dnat1}delete
NGFW{running-dnat-rule-dnat1}delete
NGFW{running-dnat-rule-dnat1}delete
132
Edit Running Configuration Commands
translate-to range 192.168.1.100 192.168.1.200
src-zone include all
dst-address include ipaddress 192.168.1.0/24
src-address exclude ipaddress 192.168.1.1
NGFW{running-dnat-rule-dnat1}description
Apply rule description.
Syntax
description TEXT
Example
NGFW{running-dnat-rule-dnat1}description "destination nat rule"
NGFW{running-dnat-rule-dnat1}dst-address
Apply destination address.
Syntax
dst-address (include|exclude) ipaddress (A.B.C.D|A.B.C.D/M)
dst-address (include|exclude) range A.B.C.D A.B.C.D
dst-address (include|exclude) group ADDRESSGROUP
Example
NGFW{running-dnat-rule-dnat1}dst-address include ipaddress 192.168.1.0/24
NGFW{running-dnat-rule-dnat1}dst-address exclude ipaddress 192.168.1.1
NGFW{running-dnat-rule-dnat1}dst-address include range 192.168.1.100 192.168.1.200
NGFW{running-dnat-rule-dnat1}move
Move rule position.
Syntax
move after DSTNATRULEID
move before DSTNATRULEID
move to position VALUE
Example
NGFW{running-dnat-rule-dnat1}move after dnat1
NGFW{running-dnat-rule-dnat1}move before dnat1
NGFW{running-dnat-rule-dnat1}move to position 1
NGFW{running-dnat-rule-dnat1}src-address
Apply source address.
Syntax
src-address (include|exclude) ipaddress (A.B.C.D|A.B.C.D/M)
src-address (include|exclude) range A.B.C.D A.B.C.D
src-address (include|exclude) group ADDRESSGROUP
Example
NGFW{running-dnat-rule-dnat1}src-address include ipaddress 192.168.1.0/24
NGFW{running-dnat-rule-dnat1}src-address exclude ipaddress 192.168.1.1
NGFW{running-dnat-rule-dnat1}src-address include range 192.168.1.100 192.168.1.200
NGFW{running-dnat-rule-dnat1}src-zone
Apply source security zone.
NGFW Command Line Interface Reference
133
Syntax
src-zone (include|exclude) ZONENAME
Example
NGFW{running-dnat-rule-dnat1}src-zone include myzone1
NGFW{running-dnat-rule-dnat1}src-zone exclude myzone1
NGFW{running-dnat-rule-dnat1}tcp
Create tcp protocol translation.
Syntax
tcp dst-port PORT [to PORT] translate-to TRANS-PORT [to TRANS-PORT]
Example
NGFW{running-dnat-rule-dnat1}tcp dst-port 80 to 81 translate-to 8080 to 8081
NGFW{running-dnat-rule-dnat1}translate-to
Apply translation.
Syntax
translate-to ipaddress (A.B.C.D|A.B.C.D/M)
translate-to range A.B.C.D A.B.C.D
Example
NGFW{running-dnat-rule-dnat1}translate-to ipaddress 192.168.1.1
NGFW{running-dnat-rule-dnat1}translate-to ipaddress 192.168.1.0/24
NGFW{running-dnat-rule-dnat1}translate-to range 192.168.1.100 192.168.1.200
NGFW{running-dnat-rule-dnat1}udp
Create udp protocol translation.
Syntax
udp dst-port PORT [to PORT] translate-to TRANS-PORT [to TRANS-PORT]
Example
NGFW{running-dnat-rule-dnat1}udp dst-port 53 translate-to 3853
running-dns Context Commands
NGFW{running}dns
NGFW{running-dns}delete
Delete file or configuration item. A secondary domain-search can only be deleted if no tertiary exists. A
primary domain-search can only be deleted if no secondary exists.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
134
domain-name
domain-search (primary|secondary|tertiary|all)
name-server (all|A.B.C.D|X:X::X:X)
proxy cache cleaning interval
proxy cache forwarder (all|A.B.C.D|X:X::X:X)
proxy cache maximum negative ttl
proxy cache maximum ttl
proxy cache size
Edit Running Configuration Commands
Example
NGFW{running-dns}delete proxy cache ?
Valid entries at this position are:
cleaning
Delete cleaning
forwarder
Delete forwarder
maximum
Delete maximum
size
Delete size
NGFW{running-dns}delete domain-search tertiary
NGFW{running-dns}delete domain-search secondary
NGFW{running-dns}delete domain-search primary
NGFW{running-dns}domain-name
Configure domain name.
Syntax
domain-name NAME
Example
NGFW{running-dns}help domain-name
Configure router domain name
Syntax: domain-name NAME
domain-name
Configure domain name
NAME
Domain name (e.g. hp.com)<1-256>
NGFW{running-dns}domain-search
Configure domain search. A secondary domain-search can only be entered after a primary is entered and
a tertiary can only be entered after a secondary is entered.
Syntax
domain-search (primary|secondary|tertiary) NAME
Example
NGFW{running-dns}domain-search primary example.com
NGFW{running-dns}domain-search secondary example.org
NGFW{running-dns}domain-search tertiary example.edu
NGFW{running-dns}name-server
Configure DNS server.
Syntax
name-server (A.B.C.D|X:X::X:X)
Example
NGFW{running-dns}help name-server
Configure DNS server
Syntax: name-server A.B.C.D|X:X::X:X
A.B.C.D
IPv4 address
X:X::X:X
IPv6 address
NGFW{running-dns}proxy
Configure proxy.
NGFW Command Line Interface Reference
135
Syntax
proxy
proxy
proxy
proxy
proxy
proxy
(enable|disable)
cache cleaning interval cache cleaning interval in minutes
cache forwarder A.B.C.D|X:X::X:X
cache maximum negative ttl cache maximum negative ttl in minutes
cache maximum ttl cache maximum ttl in minutes
cache size cache size in megabytes
Example
NGFW{running-dns}proxy enable
running-ethernetX Context Commands
NGFW{running}interface ethernet1
NGFW{running-ethernet1}arp/ndp
Enable or disable ARP and NDP on interface.
Syntax
arp/ndp (enable|disable)
Example
NGFW{running-ethernet1}arp/ndp enable
NGFW{running-ethernet1}autoconfv6
Enable or disable IPv6 autoconfiguration on interface.
Syntax
autoconfv6 (enable|disable)
Example
NGFW{running-ethernet1}autoconfv6 disable
NGFW{running-ethernet1}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
136
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
igmp
igmp version
ospf area
ospf authentication mode md5 (1-255) KEY
ospf authentication mode text KEY
ospf cost (1-65535)
ospf dead-interval (1-65535)
ospf hello-interval (1-65535)
ospf priority (0-255)
ospf retransmit-interval (3-65535)
ospf transmit-delay (1-65535)
pim-sm
rip
rip authentication mode md5
rip authentication mode text
rip receive version (v1-only|v2-only|v1-or-v2)
rip send version (v1-only|v2-only|v1-or-v2)
rip split-horizon
Edit Running Configuration Commands
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
ipaddress (all|A.B.C.D/M|X:X::X:X/M)
ipaddress dhcpv4
ipaddress dhcpv6
ipv6 mld
ipv6 mld version
ipv6 ospfv3 area
ipv6 ospfv3 cost
ipv6 ospfv3 dead-interval
ipv6 ospfv3 hello-interval
ipv6 ospfv3 priority
ipv6 ospfv3 retransmit-interval
ipv6 ospfv3 transmit-delay
ipv6 pim-sm
ipv6 ripng
ipv6 ripng split-horizon
prefix (all|X:X::X:X/M)
shutdown (shutdown logical interface state)
Example
NGFW{running-ethernet1}delete ip igmp version
NGFW{running-ethernet1}delete ip ospf area
NGFW{running-ethernet1}delete ip ospf authentication mode md5 1 mysecret
NGFW{running-ethernet1}delete ip ospf authentication mode text mysecret
NGFW{running-ethernet1}delete ip ospf cost 1
NGFW{running-ethernet1}delete ip ospf dead-interval 1
NGFW{running-ethernet1}delete ip ospf hello-interval 1
NGFW{running-ethernet1}delete ip ospf priority 1
NGFW{running-ethernet1}delete ip ospf retransmit-interval
NGFW{running-ethernet1}delete ip ospf transmit-delay 1
NGFW{running-ethernet1}delete ip pim-sm
NGFW{running-ethernet1}delete ip rip authentication mode md5
NGFW{running-ethernet1}delete ip rip authentication mode text
NGFW{running-ethernet1}delete ip rip receive version v2-only
NGFW{running-ethernet1}delete ip rip send version v2-only
NGFW{running-ethernet1}delete ip rip split-horizon
NGFW{running-ethernet1}delete prefix all
NGFW{running-ethernet1}delete shutdown
NGFW{running-ethernet1}delete ipaddress dhcpv6
WARNING: This command will remove the dhcpv6 context. Do you want to continue (y/n)?
[n]: y
NGFW{running-ethernet1}delete ipaddress dhcpv4
WARNING: This command will remove the dhcpv4 context. Do you want to continue (y/n)?
[n]: y
NGFW{running-ethernet1}delete ipaddress 192.168.1.1/24
NGFW{running-ethernet1}delete ipaddress 100:0:0:0:0:0:0:1/64
NGFW{running-ethernet1}description
Enter description for the interface.
Syntax
description TEXT
Example
NGFW{running-ethernet1}description "Ethernet port 1"
NGFW Command Line Interface Reference
137
NGFW{running-ethernet1}ip
Configure IP settings.
Syntax
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
igmp
igmp version (1|2|3)
ospf area (A.B.C.D|(0-4294967295))
ospf authentication mode md5 (1-255) KEY
ospf authentication mode text KEY
ospf cost (1-65535)
ospf dead-interval (1-65535)
ospf hello-interval (1-65535) [A.B.C.D]
ospf priority (0-255)
ospf retransmit-interval (3-65535)
ospf transmit-delay (1-65535)
pim-sm
rip
rip authentication mode md5 (0-2147483647) KEY
rip authentication mode text
rip receive version VERSION (v1-only|v2-only|v1-or-v2)
rip send version VERSION
rip split-horizon [poison-reverse]
Example
NGFW{running-ethernet1}ip igmp version 3
NGFW{running-ethernet1}ip ospf area 1
NGFW{running-ethernet1}ip ospf authentication mode md5 1 mysecret
NGFW{running-ethernet1}ip ospf authentication mode text mysecret
NGFW{running-ethernet1}ip ospf cost 1
NGFW{running-ethernet1}ip ospf dead-interval 1
NGFW{running-ethernet1}ip ospf hello-interval 1
NGFW{running-ethernet1}ip ospf priority 1
NGFW{running-ethernet1}ip ospf retransmit-interval 3
NGFW{running-ethernet1}ip ospf transmit-delay 1
NGFW{running-ethernet1}ip rip authentication mode md5 1 mysecret
NGFW{running-ethernet1}ip rip authentication mode text
Enter key: up to 16 characters:******
NGFW{running-ethernet1}ip rip receive version v2-only
NGFW{running-ethernet1}ip rip send version v2-only
NGFW{running-ethernet1}ip rip split-horizon poison-reverse
NGFW{running-ethernet1}ip ?
NGFW{running-ethernet1}ipaddress
Configure IP address.
Syntax
ipaddress (A.B.C.D/M|X:X::X:X/M) [primary]
ipaddress dhcpv4
Example
NGFW{running-ethernet1}ipaddress 100:0:0:0:0:0:0:1/64 primary
NGFW{running-ethernet1}ipaddress 192.168.1.1/24
NGFW{running-ethernet1}ipaddress dhcpv4
NGFW{running-ethernet1-dhcpv4}?
Valid entries at this position are:
client
Configure client parameters
defaultroute-request
Ask for IPv4 default route or not
138
Edit Running Configuration Commands
delete
dhcp
dhcp
display
dns-request
help
ntp-request
option
Delete file or configuration item
Configure DHCPv4 client
Enable or disable DHCPv4 client service
Display DHCPv4 client context
Ask for DNS server IPv4 address or not
Display help information
Ask for NTP server IPv4 address or not
Configure DHCPv4 client option name
NGFW{running-ethernet1-dhcpv4}help
Valid commands are:
client identifier none|(hexa HEXA-ID)|(ascii ASCII-ID)
client name none|NAME
defaultroute-request enable|disable
delete option (NAME CODE)|all
dhcp enable|disable
dhcp server auto|A.B.C.D
display [xml]
dns-request enable|disable
help [full|COMMAND]
ntp-request enable|disable
option NAME CODE (boolean BOOLEAN)|(int8 INTEGER)|(uint8 INTEGER)|(int16
INTEGER)|(uint16 INTEGER)|(int32 INTEGER)|(uint32 INTEGER)|(ip-address
(A.B.C.D|DOMAIN))|(text TEXT)|(string (STRING|TEXT))|(array-of-boolean BOOLEAN,
BOOLEAN)|(array-of-int8 INTEGER, INTEGER)|(array-of-uint8 INTEGER,
INTEGER)|(array-of-int16 INTEGER, INTEGER)|(array-of-uint16 INTEGER,
INTEGER)|(array-of-int32 INTEGER, INTEGER)|(array-of-uint32 INTEGER,
INTEGER)|(array-of-ip-address (A.B.C.D, A.B.C.D|DOMAIN, DOMAIN))
NGFW{running-ethernet1}ipv6
Configure IPv6 settings.
Syntax
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
mld
mld version (1|2)
ospfv3 area (A.B.C.D|(0-4294967295))
ospfv3 cost (1-65535)
ospfv3 dead-interval (1-65535)
ospfv3 hello-interval (1-65535)
ospfv3 priority (0-255)
ospfv3 retransmit-interval (3-65535)
ospfv3 transmit-delay (1-65535)
pim-sm
ripng
ripng split-horizon [poison-reverse]
Example
NGFW{running-ethernet1}ipv6 mld version 2
NGFW{running-ethernet1}ipv6 ospfv3 area 1
NGFW{running-ethernet1}ipv6 ospfv3 cost 1
NGFW{running-ethernet1}ipv6 ospfv3 dead-interval 1
NGFW{running-ethernet1}ipv6 ospfv3 hello-interval 1
NGFW{running-ethernet1}ipv6 ospfv3 priority 1
NGFW{running-ethernet1}ipv6 ospfv3 retransmit-interval 3
NGFW{running-ethernet1}ipv6 ospfv3 transmit-delay 1
NGFW{running-ethernet1}ipv6 ripng split-horizon poison-reverse
NGFW{running-ethernet1}help ipv6 ripng split-horizon
Enable split-horizon / poison-reverse on this interface
Syntax: ipv6 ripng split-horizon [poison-reverse]
NGFW Command Line Interface Reference
139
ipv6
ripng
split-horizon
poison-reverse
Configure IPv6 settings
Configure RIPng over the interface
Enable split-horizon
Enable poison-reverse
NGFW{running-ethernet1}mtu
Configure interface MTU.
Syntax
mtu (default|(68-9216))
Example
NGFW{running-ethernet1}mtu 1500
NGFW{running-ethernet1}physical-media
Apply physical-media settings. Auto-negotiation is the default or specify a supported port speed and
mode.
Syntax
physical-media (auto-neg|10half|10full|100half|100full|1000full)
Example
NGFW{running-ethernet1}physical-media 1000full
NGFW{running-ethernet1}physical-media auto-neg
NGFW{running-ethernet1}prefix
Configure IPv6 prefix.
Syntax
prefix X:X::X:X/M [valid-lifetime SECONDS] [preferred-lifetime SECONDS]
X:X::X:X/M
valid-lifetime
(1-4294967295)
preferred-lifetime
(1-4294967295)
IPv6 prefix
Configure valid lifetime
Valid lifetime in seconds (default is 2592000)
Configure preferred lifetime
Preferred lifetime in seconds
(default is 604800 - cannot exceed valid lifetime)
Example
NGFW{running-ethernet1}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000
preferred-lifetime 604800
NGFW{running-ethernet1}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level (DHCP).
Syntax
ra-autoconf-level AUTOCONF
Possible values for AUTOCONF are:
none
No parameter is autoconfigured
address
Address is autoconfigured
other
Some other parameters are autoconfigured
full
Most parameters are autoconfigured
140
Edit Running Configuration Commands
Example
NGFW{running-ethernet1}ra-autoconf-level full
NGFW{running-ethernet1}ra-interval
Modify IPv6 Router Advertisement interval value.
Syntax
ra-interval MILLISECONDS
ra-interval (90-1800000)
Example
NGFW{running-ethernet1}ra-interval 600
NGFW{running-ethernet1}ra-interval-transmit
Modify IPv6 Router Advertisement interval transmit.
Syntax
ra-interval-transmit (enable|disable)
Example
NGFW{running-ethernet1}ra-interval-transmit enable
NGFW{running-ethernet1}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
Syntax
ra-lifetime SECONDS
ra-lifetime (0-9000000)
Example
NGFW{running-ethernet1}ra-lifetime 1800
NGFW{running-ethernet1}ra-mtu
Modify IPv6 Router Advertisement MTU value.
Syntax
ra-mtu (none|(68-9216))
MTU value advertised (0 if none)
Example
NGFW{running-ethernet1}ra-mtu 1500
NGFW{running-ethernet1}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
Syntax
ra-transmit-mode MODE
Possible values for MODE are:
always
Router Advert message is always sent
never
Router Advert message is never sent
NGFW Command Line Interface Reference
141
smart
Router Advert message is sent if a prefix is defined
Example
NGFW{running-ethernet1}ra-transmit-mode smart
NGFW{running-ethernet1}restart
Restart Ethernet port.
Syntax
restart
Example
NGFW{running-ethernet1}restart
NGFW{running-ethernet1}shutdown
Shutdown logical interface state.
Syntax
shutdown
Example
NGFW{running-ethernet1}shutdown
NGFW{running-ethernet1}tcp4mss
Configure interface TCP MSS for IPv4.
Syntax
tcp4mss (disable|automatic|(4-65535))
Valid entries:
disable
Disable service
automatic
Automatically select TCP MSS based on interface MTU
VALUE
TCP MSS value for IPv4
Example
NGFW{running-ethernet1}tcp4mss automatic
NGFW{running-ethernet1}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|(4-65535))
Valid entries:
disable
Disable service
automatic
Automatically select TCP MSS based on interface MTU
TCP MSS value for IPv6
Example
NGFW{running-ethernet1}tcp6mss automatic
142
Edit Running Configuration Commands
running-firewall Context Commands
NGFW{running}firewall
NGFW{running-firewall}default-block-rule
Apply action set for default block rule.
Syntax
default-block-rule DEFACTIONSET
Example
NGFW{running-firewall}default-block-rule "Block + Notify + Trace"
NGFW{running-firewall}delete
Delete firewall rule.
Syntax
delete rule (all|XRULEID)
Example
NGFW{running-firewall}delete rule myrule1
NGFW{running-firewall}delete rule myrule1
NGFW{running-firewall}rename
Rename a firewall rule.
Syntax
rename rule XRULEID NEWRULEID
Example
NGFW{running-firewall}rename rule myrule1 myrule2
NGFW{running-firewall}rule
Create or enter a rule context.
Syntax
rule (auto|RULEID) [POSITION_VALUE]
Example
NGFW{running-firewall}rule auto
NGFW{running-firewall}rule myrule1
running-firewall-rule-X Context Commands
NGFW{running-firewall}rule myrule1
NGFW{running-firewall-rule-myrule1}action
Apply action set.
Syntax
action ACTIONSETNAME
NGFW Command Line Interface Reference
143
Example
NGFW{running-firewall-rule-myrule1}action "Permit + Notify + Trace"
NGFW{running-firewall-rule-myrule1}application-group
Apply application group.
Syntax
application-group APPGROUPNAME
application-group ANONYMOUS CRITERIASTRING
Example
NGFW{running-firewall-rule-myrule1}application-group facebook
NGFW{running-firewall-rule-myrule1}application-group ANONYMOUS
NGFW{running-firewall-rule-myrule1}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
144
application-group
comment
profile
schedule (include all|SCHEDULENAME)
schedule (exclude all|SCHEDULENAME)
services include (service all|SERVICENAME)
services include (protocol all|PROTONUM)
services include port all
services include tcp (all|PORT) [to PORT]
services include udp (all|PORT) [to PORT]
services include (icmp all|(CODENAME)|(TYPE [CODE]))
services include (icmpv6 all|(CODENAME6)|(TYPE6 [CODE6]))
services exclude (service all|SERVICENAME)
services exclude (protocol all|PROTONUM)
services exclude port all
services exclude tcp (all|PORT) [to PORT]
services exclude udp (all|PORT) [to PORT]
services exclude (icmp all|(CODENAME)|(TYPE [CODE]))
services exclude (icmpv6 all|(CODENAME6)|(TYPE6 [CODE6]))
src-address include group (all|SADDRESSGROUP)
src-address include (ipaddress all|A.B.C.D/M|X:X::X:X/M)
src-address include range (all|A.B.C.D|X:X::X:X)
src-address include ((any4)|(any6))
src-address exclude group (all|SADDRESSGROUP)
src-address exclude (ipaddress all|A.B.C.D/M|X:X::X:X/M)
src-address exclude range (all|A.B.C.D|X:X::X:X)
src-address exclude ((any4)|(any6))
dst-address include group (all|DADDRESSGROUP)
dst-address include (ipaddress all|A.B.C.D/M|X:X::X:X/M)
dst-address include range (all|A.B.C.D|X:X::X:X)
dst-address include ((any4)|(any6))
dst-address exclude group (all|DADDRESSGROUP)
dst-address exclude (ipaddress all|A.B.C.D/M|X:X::X:X/M)
dst-address exclude range (all|A.B.C.D|X:X::X:X)
dst-address exclude ((any4)|(any6))
src-zone (include all|ZONENAME)
src-zone (exclude all|ZONENAME)
dst-zone (include all|ZONENAME)
Edit Running Configuration Commands
delete
delete
delete
delete
delete
dst-zone (exclude all|ZONENAME)
user (include all|USERNAME)
user (exclude all|USERNAME)
user-group (include all|IN_GRP_NAME|IN_DN_GRP_NAME)
user-group (exclude all|EX_GRP_NAME|EX_DN_GRP_NAME)
Example
NGFW{running-firewall-rule-myrule1}delete
NGFW{running-firewall-rule-myrule1}delete
NGFW{running-firewall-rule-myrule1}delete
NGFW{running-firewall-rule-myrule1}delete
NGFW{running-firewall-rule-myrule1}delete
NGFW{running-firewall-rule-myrule1}delete
NGFW{running-firewall-rule-myrule1}delete
NGFW{running-firewall-rule-myrule1}delete
NGFW{running-firewall-rule-myrule1}delete
192.168.1.0/24
NGFW{running-firewall-rule-myrule1}delete
192.168.1.0/24
NGFW{running-firewall-rule-myrule1}delete
NGFW{running-firewall-rule-myrule1}delete
NGFW{running-firewall-rule-myrule1}delete
NGFW{running-firewall-rule-myrule1}delete
application-group
schedule exclude myhours1
schedule include all
services include port all
services include service http
services exclude icmp any
dst-zone include myzone1
src-zone include myzone1
src-address include ipaddress
dst-address include ipaddress
services include port tcp 443
user include all
user exclude myuser1
user-group include mygroup
NGFW{running-firewall-rule-myrule1}description
Apply rule description.
Syntax
description TEXT
Example
NGFW{running-firewall-rule-myrule1}description "My Firewall Policy"
NGFW{running-firewall-rule-myrule1}disable
Disable rule.
Syntax
disable
Example
NGFW{running-firewall-rule-myrule1}disable
NGFW{running-firewall-rule-myrule1}dst-address
Apply destination addresses.
Syntax
dst-address
dst-address
dst-address
dst-address
dst-address
(include|exclude)
(include|exclude)
(include|exclude)
(include|exclude)
(include|exclude)
(any4|any6)
group ADDRESSGROUP
ipaddress (A.B.C.D|X:X::X:X)
ipaddress (A.B.C.D/M|X:X::X:X/M)
range ((A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X))
Example
NGFW{running-firewall-rule-myrule1}dst-address exclude ipaddress 192.168.1.1
NGFW{running-firewall-rule-myrule1}dst-address include ipaddress 192.168.1.0/24
NGFW Command Line Interface Reference
145
NGFW{running-firewall-rule-myrule1}dst-address include range 192.168.1.100
192.168.1.200
NGFW{running-firewall-rule-myrule1}dst-address include group mygroup1
NGFW{running-firewall-rule-myrule1}dst-zone
Apply destination security zone.
Syntax
dst-zone (include|exclude) ZONENAME
Example
NGFW{running-firewall-rule-myrule1}dst-zone include myzone1
NGFW{running-firewall-rule-myrule1}dst-zone exclude myzone1
NGFW{running-firewall-rule-myrule1}enable
Enable rule.
Syntax
enable
Example
NGFW{running-firewall-rule-myrule1}enable
NGFW{running-firewall-rule-myrule1}move
Move firewall rule position in the rule table.
Syntax
move after XRULEID
move before XRULEID
move to position VALUE
Example
NGFW{running-firewall-rule-myrule1}move after myrule2
NGFW{running-firewall-rule-myrule1}move before myrule2
NGFW{running-firewall-rule-myrule1}move to position 1
NGFW{running-firewall-rule-myrule1}profile
Apply profile.
Syntax
profile (reputation REPPROFILE [ips IPSPROFILE])|(ips IPSPROFILE [reputation
REPPROFILE])
Example
NGFW{running-firewall-rule-myrule1}profile ips "Default IPS Profile" reputation
"Default Reputation Profile"
NGFW{running-firewall-rule-myrule1}profile ips "Default IPS Profile"
NGFW{running-firewall-rule-myrule1}profile reputation "Default Reputation Profile"
NGFW{running-firewall-rule-myrule1}schedule
Apply schedule.
146
Edit Running Configuration Commands
Syntax
schedule (include|exclude) SCHEDULENAME
Example
NGFW{running-firewall-rule-myrule1}schedule include myhours1
NGFW{running-firewall-rule-myrule1}schedule exclude myhours1
NGFW{running-firewall-rule-myrule1}services
Apply IP Services.
Syntax
services
services
services
services
services
services
(include|exclude)
(include|exclude)
(include|exclude)
(include|exclude)
(include|exclude)
(include|exclude)
(service SERVICENAME)
(protocol PROTONUM)
(port tcp PORT [to PORT])
(port udp PORT [to PORT])
(icmp ICMP-CODENAMES|(TYPE [CODE]))
(icmpv6 ICMP6-CODENAMES|(TYPE [CODE]))
Example
NGFW{running-firewall-rule-myrule1}services
NGFW{running-firewall-rule-myrule1}services
NGFW{running-firewall-rule-myrule1}services
NGFW{running-firewall-rule-myrule1}services
include
include
include
exclude
protocol 6
port tcp 443
service http
icmpv6 any
NGFW{running-firewall-rule-myrule1}src-address
Apply source addresses.
Syntax
src-address
src-address
src-address
src-address
src-address
src-address
src-address
src-address
src-address
src-address
include
include
include
include
include
exclude
exclude
exclude
exclude
exclude
(any4|any6)
group ADDRESSGROUP
ipaddress (A.B.C.D|X:X::X:X)
ipaddress (A.B.C.D/M|X:X::X:X/M)
range ((A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X))
(any4|any6)
group ADDRESSGROUP
ipaddress (A.B.C.D|X:X::X:X)
ipaddress (A.B.C.D/M|X:X::X:X/M)
range ((A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X))
Example
NGFW{running-firewall-rule-myrule1}src-address
NGFW{running-firewall-rule-myrule1}src-address
NGFW{running-firewall-rule-myrule1}src-address
192.168.1.200
NGFW{running-firewall-rule-myrule1}src-address
exclude ipaddress 192.168.1.1
include ipaddress 192.168.1.0/24
include range 192.168.1.100
include group mygroup1
NGFW{running-firewall-rule-myrule1}src-zone
Apply source security zone.
Syntax
src-zone (include|exclude) ZONENAME
Example
NGFW{running-firewall-rule-myrule1}src-zone include myzone1
NGFW{running-firewall-rule-myrule1}src-zone exclude myzone1
NGFW Command Line Interface Reference
147
NGFW{running-firewall-rule-myrule1}user
Apply user name.
Syntax
user (include|exclude) USER_NAME
Example
NGFW{running-firewall-rule-myrule1}user include myuser1
NGFW{running-firewall-rule-myrule1}user-group
Apply user group name or LDAP-group DN.
Syntax
user-group (include|exclude) (USER_GRP_NAME|LDAP_GROUP_DN)
Example
NGFW{running-firewall-rule-myrule1}user-group include group1
running-gen Context Commands
NGFW{running}gen
NGFW{running-gen}arp
Configure static ARP entry.
Syntax
arp A.B.C.D INTERFACE MAC
A.B.C.D
INTERFACE
MAC
IPv4 address
Interface name
Ethernet MAC address (e.g 00:02:b3:39:ba:d2)
Example
NGFW{running-gen}arp 192.168.1.1 ethernet5 a1:b2:c3:d4:e5:f6
NGFW{running-gen}auto-restart
Enable or disable automatic restart on detection of a critical problem.
Syntax
auto-restart (enable|disable)
Example
NGFW{running-gen}auto-restart enable
NGFW{running-gen}delete
Delete file or configuration item.
Syntax
delete arp (all|(ENTRY INTERFACE))
delete host (NAME|all)
delete ndp (all|(ENTRY INTERFACE))
Example
NGFW{running-gen}delete arp 192.168.1.1 ethernet5
148
Edit Running Configuration Commands
NGFW{running-gen}delete host myhost
NGFW{running-gen}delete ndp 100::1 ethernet5
NGFW{running-gen}delete arp all
NGFW{running-gen}help delete arp
Delete configured static ARP entry
Syntax: delete arp all|(ENTRY INTERFACE)
delete
Delete file or configuration item
arp
Delete configured static ARP entry
all
All settings
ENTRY
IPv4 address of ARP entry
INTERFACE
Interface of NDP entry
NGFW{running-gen}ephemeral-port-range
Set the range of the ephemeral port (default is 32768-61000).
Syntax
ephemeral-port-range (default|(LOWRANGE HIGHRANGE))
default
Default port range value 32768-61000 is applied
LOWRANGE
Value of the first port
HIGHRANGE
Value of the last port
Example
NGFW{running-gen}ephemeral-port-range default
NGFW{running-gen}ephemeral-port-range 32768 61000
NGFW{running-gen}forwarding
Enable or disable IPv4/IPv6 forwarding.
Syntax
forwarding (ipv4|ipv6) (enable|disable)
Example
NGFW{running-gen}forwarding ipv4 enable
NGFW{running-gen}forwarding ipv6 enable
NGFW{running-gen}host
Configure static address to host name association.
Syntax
host NAME (A.B.C.D|X:X::X:X)
Example
NGFW{running-gen}host myhost 192.168.1.1
NGFW{running-gen}host myhost 100:0:0:0:0:0:0:1
NGFW{running-gen}https
Enable or disable WEB server configuration.
Syntax
https (enable|disable)
NGFW Command Line Interface Reference
149
Example
NGFW{running-gen}https enable
NGFW{running-gen}inband-management
Inband Management.
Syntax
inband-management (enable|disable)
Example
NGFW{running-gen}inband-management enable
NGFW{running-gen}management-service
Management of a service to use the management port or the network port.
Syntax
management-service
management-service
management-service
management-service
management-service
management-service
management-service
management-service
all (management|network)
dns (management|network)
email (management|network)
ldap (management|network)
ntp (management|network)
radius (management|network)
remote-syslog (management|network)
snmp (management|network)
Example
NGFW{running-gen}management-service
NGFW{running-gen}management-service
NGFW{running-gen}management-service
NGFW{running-gen}management-service
NGFW{running-gen}management-service
all management
all network
ldap network
email network
snmp management
Example
NGFW{running-gen}help management-service
Set a management service to either use management port or network port
all
Set all management services to use management port or network port
dns
Set the DNS service to use the management port or the network port
email
Set the email service to use management port or network port
ldap
Set the LDAP service to use the management port or the network port
ntp
Set the NTP service to use the management port or the network port
radius
Set the RADIUS service to use management port or the network port
remote-syslog
Set remote syslog service to use management port or network port
snmp
Set the SNMP service to use the management port or the network port
management
Set service to use management port
network
Set service to use network port
NGFW{running-gen}ndp
Configure static NDP entry.
Syntax
ndp X:X::X:X INTERFACE MAC
X:X::X:X
IPv6 address
INTERFACE
Interface name
MAC
Ethernet MAC address (e.g 00:02:b3:39:ba:d2)
150
Edit Running Configuration Commands
Example
NGFW{running-gen}ndp 100:0:0:0:0:0:0:1 ethernet5 a1:b2:c3:d4:e5:f6
NGFW{running-gen}ssh
Enable or disable ssh service.
Syntax
ssh (enable|disable)
Example
NGFW{running-gen}ssh enable
NGFW{running-gen}timezone
Display or configure time zone.
Syntax
timezone GMT
timezone REGION CITY
REGION
(Africa|America|Antarctica|Arctic|Asia|Atlantic|Australia|Europe|Indian|Pacific)
Example
NGFW{running-gen}timezone America Chicago
NGFW{running-gen}timezone GMT
running-global-inspection Context Commands
NGFW{running}global-inspection
NGFW{running-global-inspection}default-inspection
Apply default inspection profile.
Syntax
default-inspection ips-profile (IPSPROFILE|none)
default-inspection reputation-profile (REPPROFILE|none)
Example
NGFW{running-global-inspection}default-inspection reputation-profile ?
Valid entries at this position are:
REPPROFILE
Existing reputation profile
none
Disable security profile
NGFW{running-global-inspection}unknown-app
Apply inspection profile during application detection phase.
Syntax
unknown-app (ips-profile IPSPROFILE|none)|(reputation-profile REPPROFILE|none)
Example
NGFW{running-global-inspection}unknown-app ?
Valid entries at this position are:
ips-profile
Apply IPS profile
reputation-profile
Apply reputation profile
NGFW Command Line Interface Reference
151
running-greX Context Commands
NGFW{running}interface gre0
NGFW{running-gre0}autoconfv6
Enable or disable IPv6 autoconfiguration on interface.
Syntax
autoconfv6 (enable|disable)
Example
NGFW{running-gre0}autoconfv6 enable
NGFW{running-gre0}bind
Configure the GRE tunnel encapsulation.
Syntax
bind (local global ip) (remote global ip)
bind A.B.C.D A.B.C.D
bind X:X::X:X X:X::X:X
Example
NGFW{running-gre0}bind 192.168.1.1 192.168.2.1
NGFW{running-gre0}bind 2001:2:0:0:0:0:0:1 2001:db8:0:0:0:0:0:1
NGFW{running-gre0}checksum
Enable or disable GRE Checksum.
Syntax
checksum (enable|disable)
Example
NGFW{running-gre0}checksum enable
NGFW{running-gre0}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
152
bind
ip igmp
ip igmp version
ip ospf area
ip ospf authentication mode md5 KEY_ID KEY
ip ospf authentication mode text KEY
ip ospf cost COST
ip ospf dead-interval VALUE
ip ospf hello-interval VALUE
ip ospf priority VALUE
ip ospf retransmit-interval VALUE
ip ospf transmit-delay VALUE
ip rip
ip rip authentication mode md5
ip rip authentication mode text
ip rip receive version VERSION
Edit Running Configuration Commands
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
ip rip send version VERSION
ip rip split-horizon
ipaddress A.B.C.D
ipaddress X:X::X:X
ipaddress all
ipv6 mld
ipv6 mld version
ipv6 ospfv3 area
ipv6 ospfv3 cost
ipv6 ospfv3 dead-interval
ipv6 ospfv3 hello-interval
ipv6 ospfv3 priority
ipv6 ospfv3 retransmit-interval
ipv6 ospfv3 transmit-delay
ipv6 ripng
ipv6 ripng split-horizon
prefix all|X:X::X:X/M
shutdown
Example
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
NGFW{running-gre0}delete
bind
ip igmp version
ip igmp
ip ospf authentication mode md5 1 secret
ip ospf authentication mode text secret
ip ospf cost 1
ip ospf dead-interval 1
ip ospf hello-interval 1
ip ospf priority 1
ip ospf retransmit-interval 3
ip ospf transmit-delay 1
ip rip authentication mode md5
ip rip authentication mode text
ip rip receive version v2-only
ip rip send version v2-only
ip rip split-horizon poison-reverse
ip rip split-horizon
ipaddress 10.10.10.1 10.11.11.1
ipaddress 100:10:10:0:0:0:0:1 100:11:11:0:0:0:0:1
ipv6 mld version
ipv6 ospfv3 area
ipv6 ospfv3 cost
ipv6 ospfv3 dead-interval
ipv6 ospfv3 hello-interval
ipv6 ospfv3 priority
ipv6 ospfv3 retransmit-interval
ipv6 ospfv3 transmit-delay
ipv6 ripng split-horizon poison-reverse
ipv6 ripng split-horizon
NGFW{running-gre0}description
Enter description for the interface.
Syntax
description TEXT
NGFW Command Line Interface Reference
153
Example
NGFW{running-gre0}description "GRE tunnel 0"
NGFW{running-gre0}ip
Configure IP settings.
Syntax
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
igmp
igmp version (1|2|3)
ospf area (A.B.C.D|(0-4294967295))
ospf authentication mode md5 (1-255) KEY
ospf authentication mode text KEY
ospf cost (1-65535)
ospf dead-interval (1-65535)
ospf hello-interval (1-65535) [A.B.C.D]
ospf priority (0-255)
ospf retransmit-interval (3-65535)
ospf transmit-delay (1-65535)
rip
rip authentication mode md5 (0-2147483647) KEY
rip authentication mode text
rip receive version (v1-only|v2-only|v1-or-v2)
rip send version (v1-only|v2-only|v1-or-v2)
rip split-horizon [poison-reverse]
Example
NGFW{running-gre0}ip igmp version 3
NGFW{running-gre0}ip ospf area 1
NGFW{running-gre0}ip ospf authentication mode md5 1 mysecret
NGFW{running-gre0}ip ospf authentication mode text mysecret
NGFW{running-gre0}ip ospf cost 1
NGFW{running-gre0}ip ospf dead-interval 1
NGFW{running-gre0}ip ospf hello-interval 1
NGFW{running-gre0}ip ospf priority 1
NGFW{running-gre0}ip ospf retransmit-interval 3
NGFW{running-gre0}ip ospf transmit-delay 1
NGFW{running-gre0}ip rip authentication mode md5 1 mysecret
NGFW{running-gre0}ip rip authentication mode text
Enter key: up to 16 characters:******
NGFW{running-gre0}ip rip receive version v2-only
NGFW{running-gre0}ip rip send version v2-only
NGFW{running-gre0}ip rip split-horizon poison-reverse
NGFW{running-gre0}ipaddress
Configure endpoints IP address.
Syntax
ipaddress (local gre endpoint ipaddress) (remote gre endpoint ipaddress)
ipaddress A.B.C.D A.B.C.D
ipaddress X:X::X:X X:X::X:X
Example
NGFW{running-gre0}ipaddress 10.10.10.1 10.11.11.1
NGFW{running-gre0}ipaddress 100:10:10:0:0:0:0:1 100:11:11:0:0:0:0:1
154
Edit Running Configuration Commands
NGFW{running-gre0}ipv6
Configure IPv6 settings.
Syntax
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
mld
mld version (1|2)
ospfv3 area (A.B.C.D|(0-4294967295))
ospfv3 cost COST
ospfv3 dead-interval VALUE
ospfv3 hello-interval VALUE
ospfv3 priority VALUE
ospfv3 retransmit-interval VALUE
ospfv3 transmit-delay VALUE
ripng
ripng split-horizon [poison-reverse]
Example
NGFW{running-gre0}ipv6
NGFW{running-gre0}ipv6
NGFW{running-gre0}ipv6
NGFW{running-gre0}ipv6
NGFW{running-gre0}ipv6
NGFW{running-gre0}ipv6
NGFW{running-gre0}ipv6
NGFW{running-gre0}ipv6
NGFW{running-gre0}ipv6
mld version 2
ospfv3 area 1
ospfv3 cost 1
ospfv3 dead-interval 1
ospfv3 hello-interval 1
ospfv3 priority 1
ospfv3 retransmit-interval 3
ospfv3 transmit-delay 1
ripng split-horizon poison-reverse
NGFW{running-gre0}key
Configure GRE key.
Syntax
key (enable|disable)
key (0-4294967295)
Enable GRE key - use a default key
Disable GRE key
Set GRE key value
Example
NGFW{running-gre0}key enable
NGFW{running-gre0}mtu
Configure interface MTU.
Syntax
mtu (default|(68-9216))
Example
NGFW{running-gre0}mtu 1500
NGFW{running-gre0}shutdown
Shutdown logical interface state.
NGFW Command Line Interface Reference
155
Syntax
shutdown
Example
NGFW{running-gre0}shutdown
NGFW{running-gre0}tcp4mss
Configure interface TCP MSS for IPv4.
Syntax
tcp4mss (disable|automatic|4-65535)
disable
automatic
VALUE
Disable service
Automatically select TCP MSS based on interface MTU
TCP MSS value for IPv4
Example
NGFW{running-gre0}tcp4mss automatic
NGFW{running-gre0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|4-65535)
disable
automatic
VALUE
Disable service
Automatically select TCP MSS based on interface MTU
TCP MSS value for IPv6
Example
NGFW{running-gre0}tcp6mss automatic
running-high-availability Context Commands
NGFW{running}high-availability
NGFW{running-high-availability}delete
Delete file or configuration item.
Syntax
delete failover-group base-mac
delete failover-group name
base-mac
name
Base MAC address
Failover group name
Example
NGFW{running-high-availability}delete failover-group name
NGFW{running-high-availability}disable
Disable high-availability.
Syntax
disable
156
Edit Running Configuration Commands
Example
NGFW{running-high-availability}disable
NGFW{running-high-availability}enable
Enable high-availability.
Syntax
enable
Example
NGFW{running-high-availability}enable
NGFW{running-high-availability}failover-group
Allows you to define name and MAC address for a Failover Group.
Syntax
failover-group base-mac X:X:X:X:X:X
failover-group name NAME
Example
NGFW{running-high-availability}failover-group name mygroupname
NGFW{running-high-availability}state-sync
Allows you to define state synchronization.
Syntax
state-sync global [enable|disable]
state-sync firewall [enable|disable]
state-sync firewall [log-level
(alert|critical|debug|emergency|error|info|notice|warning|none)]
state-sync ips [enable|disable]
state-sync ips [log-level
(alert|critical|debug|emergency|error|info|notice|warning|none)]
state-sync routing [enable|disable]
state-sync routing [log-level
(alert|critical|debug|emergency|error|info|notice|warning|none)]
Example
NGFW{running-high-availability}state-sync firewall enable
running-ips Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running}ips
NGFW{running-ips}afc-mode
Configures AFC mode.
Syntax
afc-mode AFCMODE
Example
NGFW{running-ips}afc-mode ?
Valid entries at this position are:
NGFW Command Line Interface Reference
157
automatic
manual
Automatic AFC mode
Manual AFC mode
NGFW{running-ips}afc-severity
Configures AFC severity level.
Syntax
afc-severity SEVERITY
Example
NGFW{running-ips}afc-severity ?
Valid entries for SEVERITY:
critical
Critical severity
error
Error severity
info
Info severity
warning
Warning severity
NGFW{running-ips}connection-table
Configures connection table timeout.
Syntax
connection-table TIMEOUTTYPE SECONDS
TIMEOUTTYPE
Connection table timeout type
Possible values for TIMEOUTTYPE are:
non-tcp-timeout
Connection table non-tcp timeout
timeout
Connection table timeout
trust-timeout
Connection table trust timeout
SECONDS
Connection table timeout seconds
Example
NGFW{running-ips}connection-table trust-timeout 60
NGFW{running-ips}delete
Allows you to delete a profile.
Syntax
delete profile XPROFILENAME
Example
NGFW{running-ips}delete profile myprofile
NGFW{running-ips}deployment-choices
Gets deployment choices.
Syntax
deployment-choices
Example
NGFW{running-ips}deployment-choices ?
Name
Description:
-----------------------------------------------------------Default
"Recommended for general deployment."
158
Edit Running Configuration Commands
Aggressive
Core
Edge
Perimeter
"Offers a more aggressive security posture that may require tuning
based upon specific application protocol usage."
"Recommended for deployment in the network core."
"Recommended for deployment in a Server Farm/DMZ."
"Recommended for deployment at an Internet entry point."
NGFW{running-ips}display-categoryrules
Display category rules for all profiles.
Syntax
display-categoryrules
Example
NGFW{running-ips}display-categoryrules ?
category "Streaming Media" enabled actionset "Recommended"
category "Identity Theft" enabled actionset "Recommended"
category "Virus" enabled actionset "Recommended"
category "Spyware" enabled actionset "Recommended"
category "IM" enabled actionset "Recommended"
category "Network Equipment" enabled actionset "Recommended"
category "Traffic Normalization" enabled actionset "Recommended"
category "P2P" enabled actionset "Recommended"
category "Vulnerabilities" enabled actionset "Recommended"
category "Exploits" enabled actionset "Recommended"
category "Reconnaissance" enabled actionset "Recommended"
category "Security Policy" enabled actionset "Recommended"
NGFW{running-ips}gzip-decompression
Sets GZIP decompression mode.
Syntax
gzip-decompression (enable|disable)
Example
NGFW{running-ips}gzip-decompression enable
NGFW{running-ips}profile
Allows you to create or enter an IPS profile.
Syntax
profile PROFILENAME
Example
NGFW{running-ips}profile myprofile
NGFW{running-ips}quarantine-duration
Sets quarantine duration.
Syntax
quarantine-duration DURATION
DURATION
value between 1 to 1440 minutes
NGFW Command Line Interface Reference
159
Example
NGFW{running-ips}quarantine-duration 60
NGFW{running-ips}rename
Renames a profile.
Syntax
rename profile PROFILENAME NEWPROFILENAME
Example
NGFW{running-ips}rename profile myprofile yourprofile
running-ips-X Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running-ips}profile 1
NGFW{running-ips-1}categoryrule
Enters categoryrule context.
Syntax
categoryrule
Example
NGFW{running-ips-1}categoryrule
NGFW{running-ips-1-categoryrule}
NGFW{running-ips-1-categoryrule} ?
Valid entries at this position are:
category
Custom category keyword
display
Display category rules for profile
help
Display help information
NGFW{running-ips-1-categoryrule}display
categoryrule
category "Network Equipment" enabled actionset "Recommended"
category "IM" enabled actionset "Recommended"
category "Spyware" enabled actionset "Recommended"
category "Virus" enabled actionset "Recommended"
category "Identity Theft" enabled actionset "Recommended"
category "Streaming Media" enabled actionset "Recommended"
category "Security Policy" enabled actionset "Recommended"
category "Reconnaissance" enabled actionset "Recommended"
category "Exploits" enabled actionset "Recommended"
category "Vulnerabilities" enabled actionset "Recommended"
category "P2P" enabled actionset "Recommended"
category "Traffic Normalization" enabled actionset "Recommended"
exit
NGFW{running-ips-1}delete
Delete file or configuration item.
Syntax
delete filter FILTERNUMBER
FILTERNUMBER
160
Existing filter number
Edit Running Configuration Commands
Example
NGFW{running-ips-1}delete filter 9
NGFW{running-ips-1}deployment
Change deployment.
Syntax
deployment (Aggressive|Core|Default|Edge|Perimeter)
Example
NGFW{running-ips-1}deployment Default
NGFW{running-ips-1}description
Edit description for a profile.
Syntax
description DESCRIPTION
Example
NGFW{running-ips-1}description "my description"
NGFW{running-ips-1}filter
Creates or enters a filter context.
Syntax
filter FILTERNUMBER
Example
NGFW{running-ips-1}filter 200
running-ipsec Context Commands
NGFW{running}vpn ipsec
NGFW{running-ipsec}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
log vpn CONTACT-NAME
phase1 proposal (all|NAME)
phase2 proposal (all|NAME)
policy (all|NAME)
pre-shared-keys (all|A.B.C.D|X:X::X:X|HOSTNAME) [vrf-id ID|any]
retransmit-timeout
retransmit-tries
trust (all|CANAME)
user
vpn (all|NAME)
Valid entries:
log
phase1
phase2
policy
Delete
Delete
Delete
Delete
a Notification Contact from a log service
Phase1 proposal
Phase2 Proposal
IPsec Policy
NGFW Command Line Interface Reference
161
pre-shared-keys
retransmit-timeout
retransmit-tries
trust
user
vpn
Delete
Delete
Delete
Delete
delete
Delete
pre-shared-keys
Dead Peer Detection retransmit-timeout
Dead Peer Detection retransmit-tries
certification authority trust
user context
IPsec Virtual Private Networks
Example
NGFW{running-ipsec}delete phase1 proposal all
NGFW{running-ipsec}ipsec
Enables or disables IPsec.
Syntax
ipsec (enable|disable)
Example
NGFW{running-ipsec}ipsec enable
NGFW{running-ipsec}log
Add log to a log session.
Syntax
log vpn CONTACT-NAME [SEVERITY]
Valid entries:
vpn
CONTACT-NAME
Configure log for VPN (IPSec) services
Notification Contact name
Example
NGFW{running-ipsec}log vpn fred warning
NGFW{running-ipsec}manual
Enters manual Security Association context.
Syntax
manual
Example
NGFW{running-ipsec}manual
NGFW{running-manual-sa}
NGFW{running-ipsec}phase1
Enters phase1 proposal context.
Syntax
phase1 VERSION proposal NAME
Valid entries:
VERSION
1 (IKE
2 (IKE
proposal
Phase1
NAME
Phase1
162
Version 1)
Version 2)
proposal
proposal name : alphanumeric, underscore, dash excluding 'all'
Edit Running Configuration Commands
Example
NGFW{running-ipsec}phase1 1 proposal propname
NGFW{running-phase1-proposal-propname}help
NGFW{running-phase1-proposal-propname}?
NGFW{running-ipsec}phase2
Enters phase2 proposal context.
Syntax
phase2 VERSION proposal NAME
Valid entries:
VERSION
1 (IKE
2 (IKE
proposal
Phase1
NAME
Phase1
Version 1)
Version 2)
proposal
proposal name : alphanumeric, underscore, dash excluding 'all'
Example
NGFW{running-ipsec}phase2 1 proposal propname
NGFW{running-phase2-proposal-propname}
NGFW{running-ipsec}policy
Enters IPSec Policy sub-context.
Syntax
policy NAME [PRIORITY]
Valid entries:
NAME
IPsec Policy Name : alphanumeric, underscore, and dash excluding 'all'
PRIORITY
Priority for NEW policy (1-5989)
Example
NGFW{running-ipsec}policy mypolicy 1
NGFW{running-ipsec-policy-mypolicy}
NGFW{running-ipsec}pre-shared-key
Configures pre-shared key (start with 0x for hexadecimal key).
Syntax
pre-shared-key local (A.B.C.D|X:X::X:X|LFQDN) remote (A.B.C.D|X:X::X:X|RFQDN|any)
Valid entries:
local
A.B.C.D
X:X::X:X
LFQDN
remote
A.B.C.D
X:X::X:X
RFQDN
any
Configure local host
Local Peer IPv4 address
Local Peer IPv6 address
Hostname or user fqdn
Configure remote host
Remote Peer IPv4 address
Remote Peer IPv6 address
Hostname or user fqdn
any remote IP Address
Example
NGFW{running-ipsec}pre-shared-key local 100:0:0:0:0:0:0:1 remote
2001:db8:0:0:0:0:0:1
NGFW Command Line Interface Reference
163
Enter pre-shared key:**************
NGFW{running-ipsec}retransmit-timeout
Configures IKEv2 Dead Peer Detection retransmission timeout in seconds.
Syntax
retransmit-timeout TIMEOUT
TIMEOUT
Configure IKEv2 Dead Peer Detection retransmission timeout in seconds
Example
NGFW{running-ipsec}retransmit-timeout 60
NGFW{running-ipsec}retransmit-tries
Configures IKEv2 Dead Peer Detection maximum retransmission tries.
Syntax
retransmit-tries COUNT
COUNT
Configure IKEv2 Dead Peer Detection maximum retransmission tries
Example
NGFW{running-ipsec}retransmit-tries 4
NGFW{running-ipsec}trust
Configures certification authority trust.
Syntax
trust CANAME
CANAME
Certification authority name
Example
NGFW{running-ipsec}trust mycertname
NGFW{running-ipsec}user
Enter vpn user context.
Syntax
user
Example
NGFW{running-ipsec}user
NGFW{running-ipsec-user}help
NGFW{running-ipsec}vpn
Enter VPN context.
Syntax
vpn NAME
Example
NGFW{running-ipsec}vpn myvpn
NGFW{running-ipsec-vpn-myvpn}help
164
Edit Running Configuration Commands
NGFW{running-ipsec-vpn-myvpn}?
running-ipsec-policy-X Context Commands and their Usage
NGFW{running}vpn ipsec
NGFW{running-ipsec}policy myipsecpolicy
NGFW{running-ipsec-policy-myipsecpolicy}mode
Configure encapsulation mode.
Syntax
mode MODE
Example
NGFW{running-ipsec-policy-myipsecpolicy}mode tunnel
NGFW{running-ipsec-policy-myipsecpolicy}policy
Enable or Disable IPsec Policy.
Syntax
policy enable|disable
Example
NGFW{running-ipsec-policy-myipsecpolicy}policy enable
NGFW{running-ipsec-policy-myipsecpolicy}rule
Configure IPsec traffic selector.
Syntax
rule SOURCE_ADDR REMOTE_ADDR PROTOCOL
Example
NGFW{running-ipsec-policy-myipsecpolicy}rule 172.16.1.1 172.16.2.2 any
NGFW{running-ipsec-policy-myipsecpolicy}vpn-name
Configure the VPN to use for this policy.
Syntax
vpn-name VPNNAME
Example
NGFW{running-ipsec-policy-myipsecpolicy}vpn-name mytunnel
NGFW Command Line Interface Reference
165
running-ipsec-vpn-X Context Commands and their Usage
NGFW{running}vpn ipsec
NGFW{running-ipsec}vpn myvpn
NGFW{running-ipsec-vpn-myvpn}certificate
Configure certificate name.
Syntax
certificate CERTNAME
Example
NGFW{running-ipsec-vpn-myvpn}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
certificate
exchange-mode
identity
ip-pool
peers
proposal
user-group
Example
NGFW{running-ipsec-vpn-myvpn}dpddelay
Configure Dead Peer Detection delay in seconds.
Syntax
dpddelay (SECONDS|disable)
dpddelay ((1-99999999999999999)|disable)
Example
NGFW{running-ipsec-vpn-myvpn}dpddelay 10
NGFW{running-ipsec-vpn-myvpn}dpddelay disable
NGFW{running-ipsec-vpn-myvpn}dpdtimeout
Configure IKEv1 Dead Peer Detection timeout interval in seconds.
Syntax
dpdtimeout SECONDS
dpdtimeout (1-99999999999999999)
Example
NGFW{running-ipsec-vpn-myvpn}dpdtimeout 90
NGFW{running-ipsec-vpn-myvpn}exchange-mode
Configure Phase1 Exchange Mode.
166
Edit Running Configuration Commands
Syntax
exchange-mode (main|aggressive)
Example
NGFW{running-ipsec-vpn-myvpn}exchange-mode aggressive
NGFW{running-ipsec-vpn-myvpn}identity
Configure local and remote IKE Identities.
Syntax
identity local ((ip-address A.B.C.D|X:X::X:X|anyLADDR)|(fqdn
HOSTNAME|anyLHOSTNAME)|(user-fqdn EMAILADDRESS|anyLEMAIL)|(asn1dn
asn1dn|anyLASNDNAME)) [remote (ip-address A.B.C.D|X:X::X:X|anyRADDR)|(fqdn
HOSTNAME|anyRHOSTNAME)|(user-fqdn EMAILADDRESS|anyREMAIL)|(asn1dn
asn1dn|anyRASNDNAME)]
Example
NGFW{running-ipsec-vpn-myvpn}identity local nearside.example.com remote
farside.example.com
NGFW{running-ipsec-vpn-myvpn}ip-compression
Enable or disable IP Compression.
Syntax
ip-compression (enable|disable)
Example
NGFW{running-ipsec-vpn-myvpn}ip-compression enable
NGFW{running-ipsec-vpn-myvpn}ip-pool
Configure IP Pool for remote VPN clients.
Syntax
ip-pool (A.B.C.D/M|X:X::X:X/M)
Example
NGFW{running-ipsec-vpn-myvpn}ip-pool 192.168.1.0/24
NGFW{running-ipsec-vpn-myvpn}key
Configure Key exchange type.
Syntax
key (ike|manual)
Example
NGFW{running-ipsec-vpn-myvpn}key ike
NGFW{running-ipsec-vpn-myvpn}nat-traversal
Enable or disable NAT Traversal mode.
Syntax
nat-traversal (enable|disable)
NGFW Command Line Interface Reference
167
Example
NGFW{running-ipsec-vpn-myvpn}nat-traversal enable
NGFW{running-ipsec-vpn-myvpn}peer
Configure local and remote VPN Peers.
Syntax
peer local (A.B.C.D|X:X::X:X) remote (A.B.C.D|X:X::X:X)
Example
NGFW{running-ipsec-vpn-myvpn}peer local 192.168.1.1 remote 192.168.2.2
NGFW{running-ipsec-vpn-myvpn}proposal
Configure Phase1 and Phase2 IKE proposals.
Syntax
proposal PHASE1 PHASE2
Example
NGFW{running-ipsec-vpn-myvpn}proposal myphase1 myphase2
NGFW{running-ipsec-vpn-myvpn}rekey
Enable or disable rekey.
Syntax
rekey (enable|disable)
Example
NGFW{running-ipsec-vpn-myvpn}rekey enable
NGFW{running-ipsec-vpn-myvpn}type
Configure VPN type.
Syntax
type (site-to-site|client-to-site)
Example
NGFW{running-ipsec-vpn-myvpn}type site-to-site
NGFW{running-ipsec-vpn-myvpn}user-group
Configure VPN user group.
Syntax
user-group GROUP
Example
NGFW{running-ipsec-vpn-myvpn}user-group myvpngroup
168
Edit Running Configuration Commands
running-l2tp-serverX Context Commands
NGFW{running}l2tp-server0
NGFW{running-l2tp-server0}auth
Authenticated configuration.
Syntax
auth (enable|disable)
auth shared-secret (A.B.C.D|any) secret-key
Example
NGFW{running-l2tp-server0}auth enable
NGFW{running-l2tp-server0}bind
Configures bind service of L2TP server.
Syntax
bind (none|any|(A.B.C.D [port]))
Valid entries:
none
Remove bind configuration
any
Configure any bind
A.B.C.D
IPv4 address to bind
port
Port range (1024-65535)
Example
NGFW{running-l2tp-server0}bind 198.152.100.0
NGFW{running-l2tp-server0}delete
Deletes file or configuration item.
Syntax
delete auth shared-secret (A.B.C.D|all)
Valid entries:
auth
shared-secret
A.B.C.D
all
Delete authenticated configuration
Shared secret for an IPv4 address
IPv4 address
All settings
Example
NGFW{running-l2tp-server0}delete auth shared-secret all
NGFW{running-l2tp-server0}hiding
Enables or disables hiding configuration.
Syntax
hiding (enable|disable)
Example
NGFW{running-l2tp-server0}hiding enable
NGFW Command Line Interface Reference
169
NGFW{running-l2tp-server0}sequencing
Enables or disables sequence configuration.
Syntax
sequencing (enable|disable)
Example
NGFW{running-l2tp-server0}sequencing enable
running-l2tpX Context Commands
NGFW{running}interface l2tp0
NGFW{running-l2tp0}auth
Authenticated configuration.
Syntax
auth
auth
auth
auth
l2tp (enable|disable)
l2tp shared-secret SECRET
ppp reply ALGORITHM
ppp user-id NAME PASSWORD
Valid entries:
l2tp
Configure L2TP authenticated options
ppp
Configure PPP authenticated options
Valid entries for ALGORITHM:
pap
Pap authentication
chap
Chap authentication
chap-md5
Chap md5 authentication
ms-chapv2
Ms chapv2 authentication
ms-chap
Ms chap authentication
Example
NGFW{running-l2tp0}auth
NGFW{running-l2tp0}auth
NGFW{running-l2tp0}auth
NGFW{running-l2tp0}auth
l2tp enable
l2tp shared-secret secret
ppp reply chap-md5
ppp user-id myuser mypassword
NGFW{running-l2tp0}autoconfv6
Enable or disable IPv6 autoconfiguration on interface.
Syntax
autoconfv6 (enable|disable)
Example
NGFW{running-l2tp0}autoconfv6 enable
NGFW{running-l2tp0}autoconfv6 disable
NGFW{running-l2tp0}bind
Configure binding addresses of the L2TP tunnel.
Syntax
bind (none|(A.B.C.D A.B.C.D))
170
Edit Running Configuration Commands
Example
NGFW{running-l2tp0}bind 192.168.2.1 192.168.200.1
NGFW{running-l2tp0}bind none
NGFW{running-l2tp0}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
auth l2tp shared-secret
auth ppp reply (all|AUTH-ALGO)
auth ppp user-id
ip igmp
ip igmp version
ipv6 mld
ipv6 mld version
log-option ppp all
log-option ppp DEL-PPP-LOG-OPTION {1,10}
prefix all|X:X::X:X/M
shutdown
Example
NGFW{running-l2tp0}delete
NGFW{running-l2tp0}delete
NGFW{running-l2tp0}delete
NGFW{running-l2tp0}
NGFW{running-l2tp0}delete
NGFW{running-l2tp0}delete
NGFW{running-l2tp0}delete
NGFW{running-l2tp0}delete
NGFW{running-l2tp0}delete
NGFW{running-l2tp0}delete
auth l2tp shared-secret
auth ppp reply chap-md5
auth ppp user-id
ip igmp version
ip igmp
ipv6 mld
log-option ppp all
prefix 100::/64
shutdown
NGFW{running-l2tp0}description
Enter description for the interface.
Syntax
description TEXT
Example
NGFW{running-l2tp0}description "l2tp interface 0"
NGFW{running-l2tp0}dns-request
Configure IP DNS server address request.
Syntax
dns-request (enable|disable)
Example
NGFW{running-l2tp0}dns-request enable
NGFW{running-l2tp0}dns-request disable
NGFW Command Line Interface Reference
171
NGFW{running-l2tp0}ip
Configure IP settings.
Syntax
ip igmp
ip igmp version (1|2|3)
Example
NGFW{running-l2tp0}ip igmp
NGFW{running-l2tp0}ip igmp version 3
NGFW{running-l2tp0}ipcp
Enable or disable IPCP for IPv4.
Syntax
ipcp (enable|disable)
Example
NGFW{running-l2tp0}ipcp enable
NGFW{running-l2tp0}ipcp disable
NGFW{running-l2tp0}ipv6
Configure IPv6 settings.
Syntax
ipv6 mld
ipv6 mld version (1|2)
Example
NGFW{running-l2tp0}ipv6 mld
NGFW{running-l2tp0}ipv6cp
Enable or disable IPCP for IPv6.
Syntax
ipv6cp (enable|disable)
Example
NGFW{running-l2tp0}ipv6cp enable
NGFW{running-l2tp0}ipv6cp disable
NGFW{running-l2tp0}keep-alive
LCP keep alive period in seconds.
Syntax
keep-alive ppp disable
keep-alive ppp (default|(0-600)) [retry (0-600)]
Example
NGFW{running-l2tp0}keep-alive ppp default retry 1
NGFW{running-l2tp0}keep-alive ppp disable
172
Edit Running Configuration Commands
NGFW{running-l2tp0}log-option
Add service log option.
Syntax
log-option ppp all
log-option ppp (PPP-LOG-OPTION)
PPP-LOG-OPTION valid entries:
auth
Link authentication events
ipcp
IPCP events and negotiation
ipv6cp
IPV6CP events and negotiation
l2tp
L2TP high level events
l2tp2
L2TP more detailed events
l2tp3
L2TP packet dumps
pptp
PPTP high level events
pptp2
PPTP more detailed events
pptp3
PPTP packet dumps
lcp
LCP events and negotiation
phys
Physical layer events
radius
Radius authentication events
echo
Keep-alive events
bund
Bundle events
iface
IP interface and route management events
link
Link events
frame
Dump all incoming and outgoing frames
fsm
All state machine events (except echo and reset)
Example
NGFW{running-l2tp0}log-option ppp all
NGFW{running-l2tp0}mru
Configure interface MRU.
Syntax
mru (default|(64-65535))
Example
NGFW{running-l2tp0}mru 1500
NGFW{running-l2tp0}mru default
NGFW{running-l2tp0}mtu
Configure interface MTU.
Syntax
mtu (default|(68-9216))
Example
NGFW{running-l2tp0}mtu 1500
NGFW{running-l2tp0}prefix
Configure IPv6 prefix in seconds.
NGFW Command Line Interface Reference
173
Syntax
prefix X:X::X:X/M [valid-lifetime (1-4294967295)] [preferred-lifetime
(1-4294967295)]
Example
NGFW{running-l2tp0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000
preferred-lifetime 604800
NGFW{running-l2tp0}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level.
Syntax
ra-autoconf-level AUTOCONF
Possible values for AUTOCONF are:
none
No parameter is autoconfigured
address
Address is autoconfigured
other
Some other parameters are autoconfigured
full
Most parameters are autoconfigured
Example
NGFW{running-l2tp0}ra-autoconf-level full
NGFW{running-l2tp0}ra-interval
Modify IPv6 Router Advertisement interval value in milliseconds.
Syntax
ra-interval (90-1800000)
Example
NGFW{running-l2tp0}ra-interval 600
NGFW{running-l2tp0}ra-interval-transmit
Modify IPv6 Router Advertisement interval transmit.
Syntax
ra-interval-transmit (enable|disable)
Example
NGFW{running-l2tp0}ra-interval-transmit enable
NGFW{running-l2tp0}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
Syntax
ra-lifetime (0-9000000)
(0 if none)
Example
NGFW{running-l2tp0}ra-lifetime 1800
174
Edit Running Configuration Commands
NGFW{running-l2tp0}ra-mtu
Modify IPv6 Router Advertisement MTU value.
Syntax
ra-mtu (none|(68-9216))
none
Not configured
(0 if none)
Example
NGFW{running-l2tp0}ra-mtu 1500
NGFW{running-l2tp0}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
Syntax
ra-transmit-mode MODE
Possible values for MODE are:
always
Router Advert message is always sent
never
Router Advert message is never sent
smart
Router Advert message is sent if a prefix is defined
Example
NGFW{running-l2tp0}ra-transmit-mode smart
NGFW{running-l2tp0}sequencing
Enable the use of sequence numbers on data messages.
Syntax
sequencing (enable|disable)
Valid entries:
disable
Disable sequencing parameters
enable
Enable sequencing parameters
Example
NGFW{running-l2tp0}sequencing enable
NGFW{running-l2tp0}shutdown
Shutdown logical interface state.
Syntax
shutdown
Example
NGFW{running-l2tp0}shutdown
NGFW{running-l2tp0}tcp4mss
Configure interface TCP MSS for IPv4.
Syntax
tcp4mss (disable|automatic|VALUE)
NGFW Command Line Interface Reference
175
Valid entries:
disable
Disable service
automatic
Automatically select TCP MSS based on interface MTU
VALUE
TCP MSS value for IPv4 (4-65535)
Example
NGFW{running-l2tp0}tcp4mss automatic
NGFW{running-l2tp0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|VALUE)
Valid entries:
disable
Disable service
automatic
Automatically select TCP MSS based on interface MTU
VALUE
TCP MSS value for IPv6 (4-65535)
Example
NGFW{running-l2tp0}tcp6mss automatic
running-log Context Commands
NGFW{running}log
NGFW{running-log}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
log audit CONTACT-NAME
log ipsec CONTACT-NAME
log quarantine CONTACT-NAME
log system CONTACT-NAME
log-option fib (events|kernel|memory|packet) [recv|send]
log-option ppp (all|DEL-PPP-LOG-OPTION){1,10}
log-option xmsd (all|LOG_OPTION)
Example
NGFW{running-log}delete log-option ?
Valid entries at this position are:
fib
Delete fib log-option
ppp
Delete PPP log options
xmsd
Delete xmsd log-options
NGFW{running-log}delete log-option fib ?
Valid entries at this position are:
events
Delete log-option fib events
kernel
Delete log-option fib kernel
memory
Delete log-option fib memory
packet
Delete log-option fib packet (include recv and send)
NGFW{running-log}delete log-option fib events ?
Valid entries at this position are:
<Enter>
Execute command
recv
Delete log-option fib packet-recv
send
Delete log-option fib packet-send
176
Edit Running Configuration Commands
NGFW{running-log}delete
NGFW{running-log}delete
NGFW{running-log}delete
NGFW{running-log}delete
NGFW{running-log}delete
log-option fib events recv
log audit mycontactname ALL
log vpn mycontactname error
log quarantine mycontactname none
log system mycontactname info
NGFW{running-log}log
Add log to a log session.
Syntax
log
log
log
log
audit CONTACT-NAME [ALL|none]
quarantine CONTACT-NAME [ALL|none]
system CONTACT-NAME [SEVERITY]
vpn CONTACT-NAME [SEVERITY]
Valid entries:
audit
Configure log for audit services
quarantine Configure log for quarantine services
system
Configure log for all services
vpn
Configure log for VPN (IPSec) services
SEVERITY
alert|critical|debug|emergency|error|info|notice|warning|none
Example
NGFW{running-log}log
NGFW{running-log}log
NGFW{running-log}log
NGFW{running-log}log
audit mycontactname ALL
vpn mycontactname error
quarantine mycontactname none
system mycontactname info
NGFW{running-log}log-option
Add service log option.
Syntax
log-option fib (events|kernel|memory|packet) [recv|send]
log-option ppp (all|PPP-LOG-OPTION)
log-option xmsd (all|LOG_OPTION)
Valid entries:
fib
Configure FIB log options
Possible values for fib
events
Enable logging fib events
kernel
Enable logging fib kernel
memory
Enable logging fib memory
packet
Enable logging fib packet (include recv and send)
ppp
Configure PPP log options
xmsd
Configure xmsd log options
Possible
all
auth
ipcp
ipv6cp
l2tp
l2tp2
l2tp3
pptp
pptp2
values for ppp PPP-LOG-OPTION:
Enable all optional log items
Link authentication events
IPCP events and negotiation
IPV6CP events and negotiation
L2TP high level events
L2TP more detailed events
L2TP packet dumps
PPTP high level events
PPTP more detailed events
NGFW Command Line Interface Reference
177
pptp3
lcp
phys
radius
echo
bund
iface
link
frame
fsm
PPTP packet dumps
LCP events and negotiation
Physical layer events
Radius authentication events
Keep-alive events
Bundle events
IP interface and route management events
Link events
Dump all incoming and outgoing frames
All state machine events (except echo and reset)
Possible values for xmsd LOG_OPTION:
ethgrp
Enable logging ethgrp
addressgroups Enable logging addressgroups
security-zones Enable logging security zones
bnet
Enable logging bnet
bridge
Enable logging bridgeport
captive-portal Enable logging captive portal
vlan
Enable logging vlan
segments
Enable logging segments
mgmt
Enable logging mgmt
interface
Enable logging interface
xms_configure Enable logging xms configure
xms_process
Enable logging xms process
xms_stream
Enable logging xms stream
aaa
Enable logging aaa
accesspoint
Enable logging accesspoint
bfd
Enable logging bfd
cron
Enable logging cron
dhcp4client
Enable logging dhcp4 client
dhcp4sever
Enable logging dhcp4 server
dhcp6client
Enable logging dhcp6 client
dhcp6server
Enable logging dhcp6 server
dhcprelay
Enable logging dhcprelay
dns
Enable logging dns
dyndns
Enable logging dyndns
eapauth
Enable logging eapauth
ethernet
Enable logging ethernet
filter
Enable logging filter
firewall
Enable logging firewall
fmipv6
Enable logging fmipv6
fw_nat
Enable logging firewall policy nat
gre
Enable logging gre
ipsec
Enable logging ipsec
l2tpserver
Enable logging l2tpserver
linkmonitor
Enable logging linkmonitor
log
Enable logging log
loopback
Enable logging loopback
lsn
Enable logging nat lsn
dstm
Enable logging dstm
mig6to4
Enable logging migration 6to4
migisatap
Enable logging migration isatap
migXin4
Enable logging migration Xin4
migXin6
Enable logging migration Xin6
mobility
Enable logging mobility
multicastreg
Enable logging multicastreg
nat
Enable logging nat
ntp
Enable logging ntp
openvpn
Enable logging openvpn
178
Edit Running Configuration Commands
osi
pdh
pim4sm
pim6sm
ports
ppp
pppoeserver
pppserver
routing
schedules
serialport
services
snmp
snoop
svti
system
qos
xmsupdate
vrf
vrrp
wifi
xipc
Enable
Enable
Enable
Enable
Enable
Enable
Enable
Enable
Enable
Enable
Enable
Enable
Enable
Enable
Enable
Enable
Enable
Enable
Enable
Enable
Enable
Enable
logging
logging
logging
logging
logging
logging
logging
logging
logging
logging
logging
logging
logging
logging
logging
logging
logging
logging
logging
logging
logging
logging
osi
pdh
pim4sm
pim6sm
ports
ppp
pppoeserver
pppserver
routing
schedules
serialport
services
snmp
snoop
svti
system
qos
xmsupdate
vrf
vrrp
wifi
xipc requests
Example
NGFW{running-log}log-option fib packet send
NGFW{running-log}log-option xmsd firewall
NGFW{running-log}log-option ppp auth
NGFW{running-log}sub-system
Sets sub-system log level.
Syntax
sub-system (COROSYNC|GATED|HTTPD|INIT|LOGIN|PACEMAKER|TOS|XMS|CRMADMIN)
[alert|critical|debug|emergency|error|info|notice|warning|none]
Possible values for SEVERITY are:
emergency
Panic condition messages (TOS critical)
alert
Immediate problem condition messages
critical
Critical condition messages
error
Error messages
warning
Warning messages
notice
Special condition messages
info
Informational messages
debug
Debug messages
debug0
TOS Debug0 messages
debug1
TOS Debug1 messages
debug2
TOS Debug2 messages
debug3
TOS Debug3 messages
none
Turn off messages
Example
NGFW{running-log}sub-system LOGIN alert
NGFW Command Line Interface Reference
179
running-loopbackX Context Commands
NGFW{running}interface loopback0
NGFW{running-loopback0}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
ip ospf area
ip ospf authentication mode md5 (1-255) KEY
ip ospf authentication mode text KEY
ip ospf cost (1-65535)
ip ospf dead-interval (1-65535)
ip ospf hello-interval (1-65535)
ip ospf priority (0-255)
ip ospf retransmit-interval (3-65535)
ip ospf transmit-delay (1-65535)
ip rip
ip rip authentication mode md5
ip rip authentication mode text
ip rip receive version (v1-only|v2-only|v1-or-v2)
ip rip send version (v1-only|v2-only|v1-or-v2)
ip rip split-horizon
ipaddress (all|A.B.C.D/M|X:X::X:X/M)
ipaddress dhcpv4
ipaddress dhcpv6
ipv6 ospfv3 area
ipv6 ospfv3 cost
ipv6 ospfv3 dead-interval
ipv6 ospfv3 hello-interval
ipv6 ospfv3 priority
ipv6 ospfv3 retransmit-interval
ipv6 ospfv3 transmit-delay
ipv6 ripng
ipv6 ripng split-horizon
Example
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
180
Edit Running Configuration Commands
ip rip split-horizon poison-reverse
ip rip split-horizon
ipaddress 192.168.1.1/24
ipaddress 100:0:0:0:0:0:0:1/64
ipv6 rip split-horizon poison-reverse
ipv6 rip split-horizon
ip ospf authentication mode md5 1 secret
ip ospf authentication mode text secret
ip ospf cost 1
ip ospf dead-interval 1
ip ospf hello-interval 1
ip ospf priority 1
ip ospf retransmit-interval 3
ip ospf transmit-delay 1
ip rip authentication mode md5
ip rip authentication mode text
ip rip receive version v2-only
ip rip send version v2-only
ipaddress 192.168.1.1/24
ipaddress 100:0:0:0:0:0:0:1/64
ipv6 ospfv3 area
ipv6 ospfv3 cost
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
NGFW{running-loopback0}delete
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ospfv3 dead-interval
ospfv3 hello-interval
ospfv3 priority
ospfv3 retransmit-interval
ospfv3 transmit-delay
ripng split-horizon poison-reverse
ripng split-horizon
NGFW{running-loopback0}description
Enter description for the interface.
Syntax
description TEXT
Example
NGFW{running-loopback0}description "loopback interface 0"
NGFW{running-loopback0}ip
Configure IP settings.
Syntax
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ospf area (A.B.C.D|(0-4294967295))
ospf authentication mode md5 (1-255) KEY
ospf authentication mode text KEY
ospf cost (1-65535)
ospf dead-interval (1-65535)
ospf hello-interval (1-65535) [A.B.C.D]
ospf priority (0-255)
ospf retransmit-interval (3-65535)
ospf transmit-delay (1-65535)
rip
rip authentication mode md5 (0-2147483647) KEY
rip authentication mode text
rip receive version (v1-only|v2-only|v1-or-v2)
rip send version (v1-only|v2-only|v1-or-v2)
rip split-horizon [poison-reverse]
Example
NGFW{running-loopback0}ip ospf area 1
NGFW{running-loopback0}ip ospf authentication mode md5 1 mysecret
NGFW{running-loopback0}ip ospf authentication mode text mysecret
NGFW{running-loopback0}ip ospf cost 1
NGFW{running-loopback0}ip ospf dead-interval 1
NGFW{running-loopback0}ip ospf hello-interval 1
NGFW{running-loopback0}ip ospf priority 1
NGFW{running-loopback0}ip ospf retransmit-interval 3
NGFW{running-loopback0}ip ospf transmit-delay 1
NGFW{running-loopback0}ip rip authentication mode md5 1 mysecret
NGFW{running-loopback0}ip rip authentication mode text
Enter key: up to 16 characters:******
NGFW{running-loopback0}ip rip receive version v2-only
NGFW{running-loopback0}ip rip send version v2-only
NGFW{running-loopback0}ip rip split-horizon poison-reverse
NGFW Command Line Interface Reference
181
NGFW{running-loopback0}ipaddress
Configure IP address.
Syntax
ipaddress (A.B.C.D/M|X:X::X:X/M) [primary]
ipaddress dhcpv4
Example
NGFW{running-loopback0}ipaddress 192.168.1.1/24
NGFW{running-loopback0}ipaddress 100:0:0:0:0:0:0:1/64 primary
NGFW{running-loopback0}ipv6
Configure IPv6 settings.
Syntax
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ospfv3 area (A.B.C.D|(0-4294967295))
ospfv3 cost COST
ospfv3 dead-interval VALUE
ospfv3 hello-interval VALUE
ospfv3 priority VALUE
ospfv3 retransmit-interval VALUE
ospfv3 transmit-delay VALUE
ripng
ripng split-horizon [poison-reverse]
Example
NGFW{running-loopback0}ipv6
NGFW{running-loopback0}ipv6
NGFW{running-loopback0}ipv6
NGFW{running-loopback0}ipv6
NGFW{running-loopback0}ipv6
NGFW{running-loopback0}ipv6
NGFW{running-loopback0}ipv6
NGFW{running-loopback0}ipv6
ospfv3 area 1
ospfv3 cost 1
ospfv3 dead-interval 1
ospfv3 hello-interval 1
ospfv3 priority 1
ospfv3 retransmit-interval 3
ospfv3 transmit-delay 1
ripng split-horizon poison-reverse
NGFW{running-loopback0}mtu
Configure interface MTU.
Syntax
mtu (default|(68-9216))
Example
NGFW{running-loopback0}mtu 1500
running-manual-sa Context Commands
NGFW{running}vpn ipsec
NGFW{running-ipsec}manual
NGFW{running-manual-sa}delete
Delete file or configuration item.
Syntax
delete sa esp all
182
Edit Running Configuration Commands
delete sa esp ((A.B.C.D|X:X::X:X) SPI)
Valid entries:
sa
esp
all
(A.B.C.D|X:X::X:X)
SPI
Configure Security Association
Delete ESP Security Associations
Delete all ESP Security Associations
Security Association remote address
Security Parameter Index
Example
NGFW{running-manual-sa}delete sa esp 192.168.2.2 1
NGFW{running-manual-sa}sa
Configure Security Association.
Syntax
sa esp (A.B.C.D A.B.C.D) SPI MODE ((CRYPTALGO CRYPTKEY)|null) AUTHALGO AUTHKEY
sa esp (X:X::X:X X:X::X:X) SPI MODE ((CRYPTALGO CRYPTKEY)|null) AUTHALGO AUTHKEY
sa esp (A.B.C.D A.B.C.D) (1-4294967295) (tunnel|transport) ((3des-cbc
CRYPTKEY)|(aes-cbc CRYPTKEY)|null) (hmac-md5 AUTHKEY|hmac-sha1 AUTHKEY)
sa esp (X:X::X:X X:X::X:X) (1-4294967295) (tunnel|transport) ((3des-cbc
CRYPTKEY)|(aes-cbc CRYPTKEY)|null) (hmac-md5 AUTHKEY|hmac-sha1 AUTHKEY)
Valid entries:
esp
ESP security association
A.B.C.D
Security Association source IPv4 address
A.B.C.D
Security Association destination IPv4 address
X:X::X:X
Security Association source IPv6 address
X:X::X:X
Security Association destination IPv6 address
SPI
Security Parameter Index from 1 to 2^32-1 (e.g. 0x1 or 1 to 0xffffffff or
4294967295)
MODE
IPsec processing mode
Possible values for MODE are:
tunnel
Tunnel mode
transport
Transport mode
CRYPTALGO
IPsec encryption algorithm
Possible values for CRYPTALGO are:
3des-cbc
Triple DES
aes-cbc
AES
CRYPTKEY
Encryption key
format: ASCII string ("abcdefgh1234#=+...")
hexadecimal value (0x123456789abcdef0)
192 bits (24 bytes) for 3des-cbc
128/192/256 bits (16/24/32 bytes) for aes-cbc
null
ESP_NULL encryption (RFC2410)
AUTHALGO
IPsec authentication algorithm
Possible values for AUTHALGO are:
hmac-md5
HMAC-MD5
hmac-sha1
HMAC-SHA1
AUTHKEY
Authentication/integrity key
format: ASCII string ("abcdefgh1234#=+...")
hexadecimal value (0x123456789abcdef0)
length: 128 bits (16 bytes) for hmac-md5
160 bits (20 bytes) for hmac-sha1
Example
NGFW{running-manual-sa}sa esp 192.168.1.1 192.168.2.2 1 tunnel aes-cbc
0x4d7acaf0c08349ebbcbd86a2093eadf69786537755fc3ea23835c2d71450fdf5 hmac-sha1
0x6a4a71232e102e404979f8edef925a51b1ac098d
NGFW Command Line Interface Reference
183
running-mgmt Context Commands
NGFW{running}interface mgmt
NGFW{running-mgmt}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
host (location|contact)
ip-filter ACTION SERVICE4 [ip ADDRESS4]
ip-filter ACTION SERVICE6 [ip ADDRESS6]
ip-filter ACTION ip (ADDRESS4|ADDRESS6)
ipaddress all|A.B.C.D/M|X:X::X:X/M
route A.B.C.D/M [A.B.C.D]
route X:X::X:X/M [X:X::X:X]
route all
Example
NGFW{running-mgmt}delete
NGFW{running-mgmt}delete
NGFW{running-mgmt}delete
NGFW{running-mgmt}delete
NGFW{running-mgmt}delete
NGFW{running-mgmt}delete
NGFW{running-mgmt}delete
host contact
host location
ip-filter deny https ip 2001:2::1/128
ip-filter deny ip 192.168.1.1/32
route 192.168.0.0/24 192.168.0.2
route 2001:2::/48 100::2
route all
NGFW{running-mgmt}description
Enter description for the management interface.
Syntax
description TEXT
Example
NGFW{running-mgmt}description "management interface"
NGFW{running-mgmt}host
Configure the firewall host settings.
Syntax
host (name|location|contact) VALUE
Example
NGFW{running-mgmt}host contact "mycontact"
NGFW{running-mgmt}host location "mylocation"
NGFW{running-mgmt}host name "myfirewallname"
NGFW{running-mgmt}ip-filter
Create management IP filter rules.
Syntax
ip-filter (allow|deny) default
ip-filter (allow|deny) (https|icmp|snmp|ssh|ip) [ip
A.B.C.D/M|X:X::X:X/M|A.B.C.D|X:X::X:X]
184
Edit Running Configuration Commands
ip-filter (allow|deny) ip (A.B.C.D/M|X:X::X:X/M|A.B.C.D|X:X::X:X)
Valid entries:
allow
Allow IPv4/IPv6 rule
deny
Deny IPv4/IPv6 rule
default
Default rule
Possible values for service are:
https
allow/deny HTTPS. This will affect SMS which uses HTTPS
ssh
allow/deny SSH
icmp
allow/deny ICMP/ICMPv6
snmp
allow/deny SNMP
ip
IP address
A.B.C.D/M
X:X::X:X/M
A.B.C.D
X:X::X:X
IPv4
IPv6
IPv4
IPv6
address with netmask
address with prefix length
address
address
Example
NGFW{running-mgmt}ip-filter
NGFW{running-mgmt}ip-filter
NGFW{running-mgmt}ip-filter
NGFW{running-mgmt}ip-filter
allow default
allow https ip 192.168.1.0/24
deny ip 192.168.1.1
deny https ip 2001:2:0:0:0:0:0:1
NGFW{running-mgmt}ipaddress
Configure IP address.
Syntax
ipaddress (A.B.C.D/M|X:X::X:X/M)
Example
NGFW{running-mgmt}ipaddress 192.168.1.1/24
NGFW{running-mgmt}ipaddress 100:0:0:0:0:0:0:1/64
NGFW{running-mgmt}physical-media
Configure physical-media settings.
Syntax
physical-media (auto-neg)|(10half|10full|100half|100full|1000full)
Valid entries:
auto-neg
Enable auto-negotiation (default is on)
SPEED-MODE
Set the port speed
Possible values for SPEED-MODE are:
10half
Supported port speed and mode
10full
Supported port speed and mode
100half
Supported port speed and mode
100full
Supported port speed and mode
1000full
Supported port speed and mode
Example
NGFW{running-mgmt}physical-media auto-neg
NGFW{running-mgmt}physical-media 1000full
NGFW Command Line Interface Reference
185
NGFW{running-mgmt}route
Add IPv4/IPv6 static route.
Syntax
route A.B.C.D/M A.B.C.D [DISTANCE]
route X:X::X:X/M X:X::X:X [DISTANCE]
A.B.C.D/M
X:X::X:X/M
Unicast IPv4 prefix address
Unicast IPv6 prefix address
Example
NGFW{running-mgmt}route 192.168.0.0/24 192.168.0.2 1
NGFW{running-mgmt}route 2001:2:0:0:0:0:0:0/48 100:0:0:0:0:0:0:2
running-multicast-registration Context Commands
NGFW{running}multicast-registration
NGFW{running-multicast-registration}igmp-version
Configure system IGMP version.
Syntax
igmp-version default
igmp-version mode (force|default) (igmpv1|igmpv2|igmpv3)
Valid entries:
default
Restore default IGMP version (igmpv3)
mode
Define IGMP version mode (force or default)
IGMPvX
Define IGMP version
Example
NGFW{running-multicast-registration}igmp-version mode default igmpv3
NGFW{running-multicast-registration}mld-version
Configure system MLD version.
Syntax
mld-version default
mld-version mode (force|default) (mldv1|mldv2)
Valid entries:
default
Restore default MLD version (mldv2)
mode
Define MLD version mode
MODE
Define MLD mode (force or default)
MLDvX
Define MLD version
Example
NGFW{running-multicast-registration}mld-version mode default mldv2
running-notifycontacts (email) Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running}notifycontacts
NGFW{running-notifycontacts}contact
Create or edit a notify contact.
186
Edit Running Configuration Commands
Syntax
contact CONTACTNAME
contact NEWNAME email
contact NEWNAME snmp COMMUNITY IP [PORT]
Example
NGFW{running-notifycontacts}contact mycontact1 email
NGFW{running-notifycontacts}contact mycontact1 snmp mysecret 192.168.1.1
NGFW{running-notifycontacts}delete
Delete a contact.
Syntax
delete contact XCONTACTNAME
Example
NGFW{running-notifycontacts}delete contact mycontact1
WARNING: Are you sure you want to delete this contact (y/n)? [n]: y
NGFW{running-notifycontacts}email-from-address
From email address.
Syntax
email-from-address EMAIL
Example
NGFW{running-notifycontacts}email-from-address mycontact@example.com
NGFW{running-notifycontacts}email-from-domain
From domain name.
Syntax
email-from-domain DOMAIN
Example
NGFW{running-notifycontacts}email-from-domain example.com
NGFW{running-notifycontacts}email-server
Set mail server IP.
Syntax
email-server IP
Example
NGFW{running-notifycontacts}email-server 192.168.1.1
NGFW{running-notifycontacts}email-threshold
Set email threshold in minutes.
NGFW Command Line Interface Reference
187
Syntax
email-threshold THRESHOLD
Example
NGFW{running-notifycontacts}email-threshold 1
NGFW{running-notifycontacts}email-to-default-address
Default to email address.
Syntax
email-to-default-address EMAIL
Example
NGFW{running-notifycontacts}email-to-default-address mycontact@example.com
NGFW{running-notifycontacts}rename
Rename contact with new name.
Syntax
rename contact XCONTACTNAME NEWNAME
Example
NGFW{running-notifycontacts}rename contact mycontact1 mycontact2
running-notifycontacts-X (SNMP) Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running-notifycontacts}contact mycontact1
NGFW{running-notifycontacts-mycontact1}community
Sets SNMPv2 community name.
Syntax
community COMMUNITY
COMMUNITY
SNMPv2 community name (1-32 characters)
Example
NGFW{running-notifycontacts-mycontact1}community mysecret
NGFW{running-notifycontacts-mycontact1}host
Sets SNMP host IP.
Syntax
host IP
Example
NGFW{running-notifycontacts-mycontact1}host 192.168.1.1
NGFW{running-notifycontacts-mycontact1}period
Set contact aggregation period in minutes.
188
Edit Running Configuration Commands
Syntax
period PERIOD
Example
NGFW{running-notifycontacts-mycontact1}period 1
NGFW{running-notifycontacts-mycontact1}port
Set SNMP host port.
Syntax
port PORT
Example
NGFW{running-notifycontacts-mycontact1}port 162
running-ntp Context Commands
NGFW{running}ntp
NGFW{running-ntp}delete
Delete file or configuration item.
Syntax
delete key (all|ID)
delete server (all|HOST)
Valid entries:
key
Delete key from configuration
all
Delete all keys
ID
Key identifier
server
all
HOST
Delete remote NTP server
Delete all servers
Remote server address or name
Example
NGFW{running-ntp}delete
NGFW{running-ntp}delete
NGFW{running-ntp}delete
NGFW{running-ntp}delete
key 1
key all
server all
server 192.168.1.1
NGFW{running-ntp}key
Configure NTP authentication key.
Syntax
key (1-65535) VALUE
Valid entries:
(1-65535)
Key ID, required for authentication
VALUE
Key value (1-32 characters)
Example
NGFW{running-ntp}key 1 myauthkey
NGFW Command Line Interface Reference
189
NGFW{running-ntp}ntp
Enable or disable NTP service.
Syntax
ntp (enable|disable)
Example
NGFW{running-ntp}ntp enable
NGFW{running-ntp}polling-interval
Configure NTP server minimum polling interval.
Syntax
polling-interval SECONDS
SECONDS
Interval in seconds
Possible values for SECONDS are:
2
2 seconds
4
4 seconds
8
8 seconds
16
16 seconds
32
32 seconds
64
64 seconds
Example
NGFW{running-ntp}polling-interval 16
NGFW{running-ntp}server
Configure remote NTP server.
Syntax
server (dhcp|A.B.C.D|X:X::X:X|FQDN) [key ID] [prefer]
dhcp
NAME
key
ID
prefer
Get server address from dhcp
NTP remote server
Key to be used
Key identifier
Mark server as preferred
Example
NGFW{running-ntp}server 192.168.1.1 key 1 prefer
running-phase1-proposal-X Context Commands and their Usage
NGFW{running}vpn ipsec
NGFW{running-ipsec}phase1 2 proposal myphase1
NGFW{running-phase1-proposal-myphase1}auth
ISAKMP authentication mechanism.
Syntax
auth local (pre-shared-key|rsasig) remote
(eap-mschapv2|pre-shared-key|rsasig|eap-radius) [xauth (local|radius)]
190
Edit Running Configuration Commands
Example
NGFW{running-phase1-proposal-myphase1}auth local pre-shared-key remote
pre-shared-key
NGFW{running-phase1-proposal-myphase1}dh-group
ISAKMP Diffie-Hellman group.
Syntax
dh-group (1|2|5|14)
Example
NGFW{running-phase1-proposal-myphase1}dh-group 5
NGFW{running-phase1-proposal-myphase1}encryption
ISAKMP encryption algorithm.
Syntax
encryption (3des|aes128|aes192|aes256)
Example
NGFW{running-phase1-proposal-myphase1}encryption aes256
NGFW{running-phase1-proposal-myphase1}hash
ISAKMP hash algorithm.
Syntax
hash (md5|sha1)
Example
NGFW{running-phase1-proposal-myphase1}hash sha1
NGFW{running-phase1-proposal-myphase1}lifetime
ISAKMP security association lifetime. 86400 seconds commonly used in phase 1 is 24 hours.
Syntax
lifetime LIFE-DURATION LIFE-UNIT
lifetime (1-65535) (min|sec|hour)
Example
NGFW{running-phase1-proposal-myphase1}lifetime 24 hour
running-phase1-proposal-X Context Commands and their Usage
NGFW{running}vpn ipsec
NGFW{running-ipsec}phase2 2 proposal myphase2
NGFW{running-phase2-proposal-myphase2}auth2
IPsec authentication algorithm.
NGFW Command Line Interface Reference
191
Syntax
auth2 (hmac-md5|hmac-sha1) [hmac-sha1|hmac-md5]
Example
NGFW{running-phase2-proposal-myphase2}auth2 hmac-sha1
NGFW{running-phase2-proposal-myphase2}auth2 hmac-md5 hmac-sha1
NGFW{running-phase2-proposal-myphase2}auth2 hmac-sha1 hmac-md5
NGFW{running-phase2-proposal-myphase2}dh-group
Perfect Forward Secrecy Diffie-Hellman group.
Syntax
dh-group (1|2|5|14|none)
Example
NGFW{running-phase2-proposal-myphase2}dh-group 5
NGFW{running-phase2-proposal-myphase2}encryption2
IPsec encryption algorithm.
Syntax
encryption2 (3des|aes128|aes192|aes256|null) [3des|aes128|aes192|aes256|null]{0,4}
Example
NGFW{running-phase2-proposal-myphase2}encryption2 aes256 aes192 aes128 3des
NGFW{running-phase2-proposal-myphase2}encryption2 aes256
NGFW{running-phase2-proposal-myphase2}lifetime
IP security association lifetime.
Syntax
lifetime LIFE-DURATION LIFE-UNIT
lifetime (1-4,294,967,295) (hour|min|sec|byte)
Example
NGFW{running-phase2-proposal-myphase2}lifetime 4,718,592,000 byte
NGFW{running-phase2-proposal-myphase2}lifetime 3600 sec
running-ospf Context Commands
NGFW{running}router ospf
NGFW{running-ospf}area
Configure an OSPF area, area range, or virtual link.
Syntax
area
area
area
area
area
area
area
area
192
(A.B.C.D|(0-4294967295))
(A.B.C.D|(0-4294967295))
(A.B.C.D|(0-4294967295))
(A.B.C.D|(0-4294967295))
(A.B.C.D|(0-4294967295))
(A.B.C.D|(0-4294967295))
(A.B.C.D|(0-4294967295))
(A.B.C.D|(0-4294967295))
Edit Running Configuration Commands
range A.B.C.D/M [not-advertised]
(stub|nssa|tsa)
default-cost (0-16777215)
virtual-link A.B.C.D
virtual-link A.B.C.D dead-interval VALUE
virtual-link A.B.C.D hello-interval VALUE
virtual-link A.B.C.D retransmit-interval VALUE
virtual-link A.B.C.D transmit-delay VALUE
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D authentication simple
SIMPLE-PASSWORD
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D authentication md5 KEY-ID
MD5-KEY-STRING
(0-4294967295)
A.B.C.D
OSPF area ID as a decimal value
OSPF area ID in IP address format
Example
NGFW{running-ospf}area 1 ?
Valid entries at this position are:
default-cost
Set the summary-default cost of a NSSA or stub area
nssa
Configure a not-so-stubby area (NSSA)
range
Summarize routes matching address/mask prefix
stub
Configure a stubby area
tsa
Configure a totally stubby area (TSA)
virtual-link
Configure a virtual link
NGFW{running-ospf}default-metric
Set default metric of routes redistributed into OSPF.
Syntax
default-metric (1-16777214)
Example
NGFW{running-ospf}default-metric 1
NGFW{running-ospf}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
area AREA-ID range A.B.C.D/M
area AREA-ID (stub|nssa|tsa)
area AREA-ID default-cost
area AREA-ID virtual-link A.B.C.D
area AREA-ID virtual-link A.B.C.D dead-interval
area AREA-ID virtual-link A.B.C.D hello-interval
area AREA-ID virtual-link A.B.C.D retransmit-interval
area AREA-ID virtual-link A.B.C.D transmit-delay
area AREA-ID virtual-link A.B.C.D authentication simple
area AREA-ID virtual-link A.B.C.D authentication md5 KEY-ID
default-metric
distance VALUE
distance (external|inter-area|intra-area) <1-255>
passive-interface INTERFACE
redistribute PROTOCOL
rfc1583-compatible
router-id
Example
NGFW{running-ospf}delete distance ?
Valid entries at this position are:
VALUE
OSPF Administrative distance
external
The distance for external routes
inter-area
The distance for inter-area routes
intra-area
The distance for intra-area routes
NGFW Command Line Interface Reference
193
NGFW{running-ospf}disable
Disable Open Shortest Path First (OSPF).
Syntax
disable
Example
NGFW{running-ospf}disable
NGFW{running-ospf}distance
Set OSPF administrative distance.
Syntax
distance (1-255)
distance (external|inter-area|intra-area) (1-255)
(1-255) OSPF
external
inter-area
intra-area
Administrative distance
Configure the distance for external routes
Configure the distance for inter-area routes
Configure the distance for intra-area routes
Example
NGFW{running-ospf}distance external 1
NGFW{running-ospf}enable
Enable Open Shortest Path First (OSPF).
Syntax
enable
Example
NGFW{running-ospf}enable
NGFW{running-ospf}passive-interface
Suppress routing updates on an interface.
Syntax
passive-interface INTERFACE
Example
NGFW{running-ospf}passive-interface name
NGFW{running-ospf}redistribute
Redistribute routes from another routing protocol.
Syntax
redistribute PROTOCOL [metric-type (1-2)] [metric (0-16777214)] [route-map
ROUTE-MAP]
Possible values for PROTOCOL are:
connected
Connected
static
Static routes
194
Edit Running Configuration Commands
rip
bgp
Routing Information Protocol (RIP)
Border Gateway Protocol (BGP)
metric-type
(1-2)
metric
(0-16777214)
route-map
ROUTE-MAP
OSPF exterior metric type for redistributed routes
Set OSPF exterior type metric
Metric
Set metric for redistributed routes
Route map reference
Route map name
Example
NGFW{running-ospf}redistribute rip metric-type ?
Valid entry at this position is:
<1-2>
Set OSPF exterior type metric
NGFW{running-ospf}redistribute rip metric-type 1 route-map name
NGFW{running-ospf}rfc1583-compatible
Enable RFC-1583 compatibility (Disabled by default).
Syntax
rfc1583-compatible
Example
NGFW{running-ospf}rfc1583-compatible
NGFW{running-ospf}router-id
OSPF router-id.
Syntax
router-id A.B.C.D
A.B.C.D
OSPF router ID in IP address format
Example
NGFW{running-ospf}router-id 198.51.100.150
running-ospfv3 Context Commands
NGFW{running}router ospfv3
NGFW{running-ospfv3}area
Configure an OSPFv3 area, area range, or virtual link.
Syntax
area (A.B.C.D|(0-4294967295)) range X:X::X:X/M
area (A.B.C.D|(0-4294967295)) (stub|nssa|tsa)
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D
[retransmit-interval VALUE]
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D
[retransmit-interval VALUE] [transmit-delay VALUE]
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D
[retransmit-interval VALUE] [transmit-delay VALUE]
[hello-interval VALUE]
[hello-interval VALUE]
[hello-interval VALUE]
[hello-interval VALUE]
[dead-interval VALUE]
Example
NGFW{running-ospfv3}area 2 ?
NGFW Command Line Interface Reference
195
Valid entries at
nssa
range
stub
tsa
virtual-link
this position are:
Configure a not-so-stubby area (NSSA)
Summarize routes matching address/mask (border routers only)
Configure a stubby area
Configure a totally stubby area (TSA)
Configure a virtual link over a transit area
NGFW{running-ospfv3}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
area AREA-ID AREA-TYPE
area AREA-ID range X:X::X:X/M
area AREA-ID virtual-link A.B.C.D
area AREA-ID virtual-link A.B.C.D
area AREA-ID virtual-link A.B.C.D
area AREA-ID virtual-link A.B.C.D
area AREA-ID virtual-link A.B.C.D
passive-interface INTERFACE
redistribute PROTOCOL
router-id
Valid entries:
area
passive-interface
redistribute
router-id
dead-interval
hello-interval
retransmit-interval
transmit-delay
Delete OSPFv3 area
Reactivate an interface
Delete route redistribution from another protocol
Delete OSPFv3 router ID
Example
NGFW{running-ospfv3}delete area 1 range 100:0:0:0:0:0:0:0/64
NGFW{running-ospfv3}delete redistribute ?
Valid entries at this position are:
connected
Connected
static
Static routes
ripng
Routing Information Protocol next generation (RIPng)
NGFW{running-ospfv3}disable
Disable Open Shortest Path First (OSPFv3).
Syntax
disable
Example
NGFW{running-ospfv3}disable
NGFW{running-ospfv3}enable
Enable Open Shortest Path First (OSPFv3).
Syntax
enable
Example
NGFW{running-ospfv3}enable
196
Edit Running Configuration Commands
NGFW{running-ospfv3}nsf
OSPFv3 non-stop forwarding.
Syntax
nsf (enable|disable)
enable
Enable Graceful Restarts with Grace time of 120
disable
Disable Graceful Restarts
Example
NGFW{running-ospfv3}nsf enable
NGFW{running-ospfv3}passive-interface
Suppress routing updates on an interface.
Syntax
passive-interface INTERFACE
Example
NGFW{running-ospfv3}passive-interface name
NGFW{running-ospfv3}redistribute
Redistribute routes from another routing protocol.
Syntax
redistribute PROTOCOL [metric-type (1-2)] [metric (0-16777214)] [route-map
ROUTE-MAP]
PROTOCOL
OSPFv3 protocol list
Possible values for PROTOCOL are:
connected
Connected
static
Static routes
ripng
Routing Information Protocol next generation (RIPng)
metric-type
(1-2)
(0-16777214)
route-map
ROUTE-MAP
OSPFv3 exterior metric type for redistributed routes
Set OSPFv3 exterior metric type
Set metric for redistribute routes
Route map reference
Route map name
Example
NGFW{running-ospfv3}redistribute static metric 2
NGFW{running-ospfv3}router-id
OSPFv3 router-id.
Syntax
router-id ROUTER-ID
router-id
ROUTER-ID
OSPFv3 router ID
OSPFv3 router ID in IPv4 address format
Example
NGFW{running-ospfv3}router-id 198.51.100.1
NGFW Command Line Interface Reference
197
running-pim-smv4 Context Commands
NGFW{running}router pim-smv4
NGFW{running-pim-smv4}bsr-candidate
Toggle bootstrap router (BSR) candidate.
Syntax
bsr-candidate interface INTERFACE
bsr-candidate priority (0-255)
interface
priority
Interface that has global address for Bootstrap messages
Priority of the BSR candidate
Example
NGFW{running-pim-smv4}bsr-candidate priority 2
NGFW{running-pim-smv4}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
bsr-candidate
dr-priority
rp-address (all|(A.B.C.D A.B.C.D/M))
rp-candidate
rp-candidate group (all|A.B.C.D/M)
threshold
Valid entries:
bsr-candidate
dr-priority
rp-address
rp-candidate
rp-candidate
threshold
Toggle bootstrap router (BSR) candidate
Delete the DR priority set for the device
Static group-to-RP mapping
Delete the RP-candidate configuration
Toggle RP candidate
Shortest path tree switch threshold
Example
NGFW{running-pim-smv4}delete bsr-candidate
NGFW{running-pim-smv4}disable
Disable PIM-SM IPv4 on the device.
Syntax
disable
Example
NGFW{running-pim-smv4}disable
NGFW{running-pim-smv4}dr-priority
Configure the DR priority for the device.
Syntax
dr-priority (0-4294967295)
(0-4294967295) The priority used to elect the DR
198
Edit Running Configuration Commands
Example
NGFW{running-pim-smv4}dr-priority 2
NGFW{running-pim-smv4}enable
Enable PIM-SM IPv4 on the device.
Syntax
enable
Example
NGFW{running-pim-smv4}enable
NGFW{running-pim-smv4}rp-address
Static mapping of multicast groups to RP.
Syntax
rp-address A.B.C.D A.B.C.D/M
A.B.C.D
A.B.C.D/M
IPv4 address for static RP
IPv4 multicast group for static RP
Example
NGFW{running-pim-smv4}rp-address 198.51.0.100
NGFW{running-pim-smv4}rp-candidate
Toggle RP candidate.
Syntax
rp-candidate group A.B.C.D/M
rp-candidate interface INTERFACE
rp-candidate priority (0-255)
group
interface
priority
Specifies multicast group range for RP candidate
Interface that has global address for Candidate RP advertising
Priority of the RP candidate
Example
NGFW{running-pim-smv4}rp-candidate priority 1
NGFW{running-pim-smv4}threshold
Data rate that triggers shortest path tree switch.
Syntax
threshold RATE
threshold
RATE
Shortest path tree switch threshold
The rate for shortest path tree switching (1-4294967295 bytes/s).
Default: 1000 bytes/s.
Example
NGFW{running-pim-smv4}threshold 1000
NGFW Command Line Interface Reference
199
running-pim-smv6 Context Commands
NGFW{running}router pim-smv6
NGFW{running-pim-smv6}bsr-candidate
Toggle bootstrap router (BSR) candidate.
Syntax
bsr-candidate interface INTERFACE
bsr-candidate priority (0-255)
Interface
priority
Interface that has global address for Bootstrap messages
Priority of the BSR
Example
NGFW{running-pim-smv6}bsr-candidate priority 1
NGFW{running-pim-smv6}delete
Delete file or configuration item.
Syntax
delete bsr-candidate
delete dr-priority
delete rp-address (all|(X:X::X:X X:X::X:X/M))
delete rp-candidate
delete rp-candidate group (all|X:X::X:X/M)
delete threshold
Valid entries:
bsr-candidate
Toggle bootstrap router (BSR) candidate
dr-priority
Delete the DR priority set for the device
rp-address
Delete group-to-RP mapping
rp-candidate
Delete the RP-candidate configuration
rp-candidate
Toggle RP candidate
threshold
Shortest path tree switch threshold
Example
NGFW{running-pim-smv6}delete rp-address ?
Valid entries at this position are:
X:X::X:X
Specified static RP IPv6 address
all
Delete ALL group-to-RP mapping
NGFW{running-pim-smv6}disable
Disable PIM-SM IPv6 on the device.
Syntax
disable
Example
NGFW{running-pim-smv6}disable
NGFW{running-pim-smv6}dr-priority
Configure the DR priority for the device.
200
Edit Running Configuration Commands
Syntax
dr-priority (0-4294967295)
(0-4294967295) The priority used to elect the DR.
Example
NGFW{running-pim-smv6}dr-priority 2
NGFW{running-pim-smv6}enable
Enable PIM-SM IPv6 on the device.
Syntax
enable
Example
NGFW{running-pim-smv6}enable
NGFW{running-pim-smv6}rp-address
Static mapping of multicast groups to RP.
Syntax
rp-address X:X::X:X X:X::X:X/M
rp-address
X:X::X:X
X:X::X:X/M
Static group-to-RP mapping
IPv6 address for staic RP
IPv6 multicast group prefix for static RP
Example
NGFW{running-pim-smv6}rp-address ?
Valid entry at this position is:
X:X::X:X
IPv6 address for staic RP
NGFW{running-pim-smv6}rp-candidate
Toggle RP candidate.
Syntax
rp-candidate group X:X::X:X/M
rp-candidate interface INTERFACE
rp-candidate priority <0-255>
group
interface
priority
Specifies multicast group range for RP candidate
Interface that have global address for Candidate RP advertising
Priority of the RP
Example
NGFW{running-pim-smv6}rp-candidate priority 2
NGFW{running-pim-smv6}threshold
Data rate at which to perform shortest path tree switch.
Syntax
threshold RATE
threshold
Shortest path tree switch threshold
NGFW Command Line Interface Reference
201
RATE
The rate for shortest path tree switching (1-4294967295 bytes/s).
Default: 1000 bytes/s
Example
NGFW{running-pim-smv6}threshold 1000
running-pppoeX Context Commands
NGFW{running}interface pppoe0
NGFW{running-pppoe0}auth
Authenticated configuration.
Syntax
auth ppp reply (chap|chap-md5|ms-chapv2|pap|ms-chap)
auth ppp user-id USER PASSWORD
ppp
Configure PPP authenticated options
Example
NGFW{running-pppoe0}auth ppp reply chap-md5
NGFW{running-pppoe0}auth ppp user-id myuser mypassword
NGFW{running-pppoe0}autoconfv6
Enable or disable IPv6 autoconfiguration on interface.
Syntax
autoconfv6 (enable|disable)
Example
NGFW{running-pppoe0}autoconfv6 enable
NGFW{running-pppoe0}bind
Bind PPPoE interface to specific ethernet port.
Syntax
bind (none|ethernetX)
ethX
none
Ethernet port name
Do not bind this PPPoE interface
Example
NGFW{running-pppoe0}bind ethernet5
NGFW{running-pppoe0}bind none
NGFW{running-pppoe0}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
202
auth ppp reply all
auth ppp reply (chap|chap-md5|ms-chapv2|pap|ms-chap)
auth ppp user-id
ip igmp
ip igmp version
ipv6 mld
Edit Running Configuration Commands
delete
delete
delete
delete
delete
ipv6 mld version
log-option ppp all
log-option ppp PPP-LOG-OPTION
prefix (all|X:X::X:X/M)
shutdown
Valid entries:
auth
Authenticated configuration
ip
Delete IP settings
ipv6
Delete IPv6
log-option
Delete service log option
prefix
Delete IPv6 prefix
shutdown
Shutdown logical interface state
Example
NGFW{running-pppoe0}delete
NGFW{running-pppoe0}delete
NGFW{running-pppoe0}delete
NGFW{running-pppoe0}delete
NGFW{running-pppoe0}delete
NGFW{running-pppoe0}delete
NGFW{running-pppoe0}delete
NGFW{running-pppoe0}delete
auth ppp reply chap-md5
auth ppp user-id
ip igmp version
ip igmp
ipv6 mld
log-option ppp auth
prefix 100::/64
shutdown
NGFW{running-pppoe0}description
Enter description for the interface.
Syntax
description TEXT
Example
NGFW{running-pppoe0}description "pppoe interface 0"
NGFW{running-pppoe0}dns-request
Configure IP DNS server address request.
Syntax
dns-request (enable|disable)
Example
NGFW{running-pppoe0}dns-request enable
NGFW{running-pppoe0}ip
Configure IP settings.
Syntax
ip igmp
ip igmp version (1|2|3)
Example
NGFW{running-pppoe0}ip igmp version 3
NGFW Command Line Interface Reference
203
NGFW{running-pppoe0}ipcp
Enable or disable IPCP for IPv4.
Syntax
ipcp (enable|disable)
Example
NGFW{running-pppoe0}ipcp enable
NGFW{running-pppoe0}ipcp disable
NGFW{running-pppoe0}ipv6
Configure IPv6 settings.
Syntax
ipv6 mld
ipv6 mld version (1|2)
Example
NGFW{running-pppoe0}ipv6 mld version 2
NGFW{running-pppoe0}ipv6cp
Enable or disable IPCP for IPv6.
Syntax
ipv6cp (enable|disable)
Example
NGFW{running-pppoe0}ipv6cp enable
NGFW{running-pppoe0}keep-alive
LCP keep alive period in seconds.
Syntax
keep-alive ppp disable
keep-alive ppp (default|(0-600)) [retry (0-600)]
Example
NGFW{running-pppoe0}keep-alive ppp default retry 1
NGFW{running-pppoe0}keep-alive ppp disable
NGFW{running-pppoe0}log-option
Add service log option.
Syntax
log-option ppp all
log-option ppp (PPP-LOG-OPTION)
PPP-LOG-OPTION valid entries:
all
Enable all optional log items
auth
Link authentication events
ipcp
IPCP events and negotiation
ipv6cp
IPV6CP events and negotiation
204
Edit Running Configuration Commands
l2tp
l2tp2
l2tp3
pptp
pptp2
pptp3
lcp
phys
radius
echo
bund
iface
link
frame
fsm
L2TP high level events
L2TP more detailed events
L2TP packet dumps
PPTP high level events
PPTP more detailed events
PPTP packet dumps
LCP events and negotiation
Physical layer events
Radius authentication events
Keep-alive events
Bundle events
IP interface and route management events
Link events
Dump all incoming and outgoing frames
All state machine events (except echo and reset)
Example
NGFW{running-pppoe0}log-option ppp auth
NGFW{running-pppoe0}mru
Configure interface MRU.
Syntax
mru (default|(64-65535))
Example
NGFW{running-pppoe0}mru 1500
NGFW{running-pppoe0}mru default
NGFW{running-pppoe0}mtu
Configure interface MTU.
Syntax
mtu (default|(68-9216))
Example
NGFW{running-pppoe0}mtu default
NGFW{running-pppoe0}mtu 1500
NGFW{running-pppoe0}prefix
Configure IPv6 prefix.
Syntax
prefix X:X::X:X/M [valid-lifetime (1-4294967295)] [preferred-lifetime
(1-4294967295)]
X:X::X:X/M
valid-lifetime
<1-4294967295>
preferred-lifetime
<1-4294967295>
(default is 604800 -
IPv6 prefix
Configure valid lifetime
Valid lifetime in seconds (default is 2592000)
Configure preferred lifetime
Preferred lifetime in seconds
cannot exceed valid lifetime)
NGFW Command Line Interface Reference
205
Example
NGFW{running-pppoe0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000
preferred-lifetime 604800
NGFW{running-pppoe0}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level.
Syntax
ra-autoconf-level AUTOCONF
Possible values for AUTOCONF are:
none
No parameter is autoconfigured
address
Address is autoconfigured
other
Some other parameters are autoconfigured
full
Most parameters are autoconfigured
Example
NGFW{running-pppoe0}ra-autoconf-level full
NGFW{running-pppoe0}ra-interval
Modify IPv6 Router Advertisement interval value.
Syntax
ra-interval (90-1800000)
INTERVAL
Router Advert emission period (in milliseconds)
Example
NGFW{running-pppoe0}ra-interval 600
NGFW{running-pppoe0}ra-interval-transmit
Modify IPv6 Router Advertisement interval transmit.
Syntax
ra-interval-transmit (enable|disable)
Example
NGFW{running-pppoe0}ra-interval-transmit enable
NGFW{running-pppoe0}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
Syntax
ra-lifetime (0-9000000)
Example
NGFW{running-pppoe0}ra-lifetime 1800
NGFW{running-pppoe0}ra-mtu
Modify IPv6 Router Advertisement MTU value.
206
Edit Running Configuration Commands
Syntax
ra-mtu (none|(68-9216))
none
Not configured
MTU
MTU value advertised (0 if none)
Example
NGFW{running-pppoe0}ra-mtu 1500
NGFW{running-pppoe0}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
Syntax
ra-transmit-mode MODE
Possible values for MODE are:
always
Router Advert message is always sent
never
Router Advert message is never sent
smart
Router Advert message is sent if a prefix is defined
Example
NGFW{running-pppoe0}ra-transmit-mode smart
NGFW{running-pppoe0}service
Configure PPPoE service name.
Syntax
service (none|NAME)
Example
NGFW{running-pppoe0}service myPPPoEservice
NGFW{running-pppoe0}service none
NGFW{running-pppoe0}shutdown
Shutdown logical interface state.
Syntax
shutdown
Example
NGFW{running-pppoe0}shutdown
NGFW{running-pppoe0}tcp4mss
Configure interface TCP MSS for IPv4.
Syntax
tcp4mss (disable|automatic|(4-65535))
Valid entries:
disable
Disable service
automatic
Automatically select TCP MSS based on interface MTU
VALUE
TCP MSS value for IPv4
NGFW Command Line Interface Reference
207
Example
NGFW{running-pppoe0}tcp4mss automatic
NGFW{running-pppoe0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|(4-65535))
Valid entries:
disable
Disable service
automatic
Automatically select TCP MSS based on interface MTU
VALUE
TCP MSS value for IPv6
Example
NGFW{running-pppoe0}tcp6mss automatic
running-pptpX Context Commands
NGFW{running}interface pptp0
NGFW{running-pptp0}always-ack
Enable or disable always-ack option.
Syntax
always-ack (enable|disable)
Example
NGFW{running-pptp0}always-ack enable
NGFW{running-pptp0}always-ack disable
NGFW{running-pptp0}auth
Authenticated configuration.
Syntax
auth ppp reply ALGORITHM
auth ppp user-id USER PASSWORD
Example
NGFW{running-pptp0}auth ppp reply chap-md5
NGFW{running-pptp0}auth ppp user-id myuser mypassword
NGFW{running-pptp0}autoconfv6
Enable or disable IPv6 autoconfiguration on interface.
Syntax
autoconfv6 (enable|disable)
Example
NGFW{running-pptp0}autoconfv6 enable
208
Edit Running Configuration Commands
NGFW{running-pptp0}bind
Configure binding addresses of the pptp tunnel.
Syntax
bind (none|(A.B.C.D A.B.C.D))
Example
NGFW{running-pptp0}bind 192.168.1.1 192.168.100.1
NGFW{running-pptp0}delayed-ack
Enable or disable delayed-ack option.
Syntax
delayed-ack (enable|disable)
Example
NGFW{running-pptp0}delayed-ack enable
NGFW{running-pptp0}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
auth ppp reply all
auth ppp reply (chap|chap-md5|ms-chapv2|pap|ms-chap)
auth ppp user-id
ip igmp
ip igmp version
ipv6 mld
ipv6 mld version
log-option ppp all
log-option ppp PPP-LOG-OPTION
prefix (all|X:X::X:X/M)
shutdown
Example
NGFW{running-pptp0}delete
NGFW{running-pptp0}delete
NGFW{running-pptp0}delete
NGFW{running-pptp0}delete
NGFW{running-pptp0}delete
NGFW{running-pptp0}delete
NGFW{running-pptp0}delete
NGFW{running-pptp0}delete
auth ppp reply chap-md5
auth ppp user-id
ip igmp version
ip igmp
ipv6 mld
log-option ppp all
prefix 100::/64
shutdown
NGFW{running-pptp0}description
Enter description for the interface.
Syntax
description TEXT
Example
NGFW{running-pptp0}description "pptp interface 0"
NGFW Command Line Interface Reference
209
NGFW{running-pptp0}dns-request
Configure IP DNS server address request.
Syntax
dns-request (enable|disable)
Example
NGFW{running-pptp0}dns-request enable
NGFW{running-pptp0}dns-request disable
NGFW{running-pptp0}ip
Configure IP settings.
Syntax
ip igmp
ip igmp version (1|2|3)
Example
NGFW{running-pptp0}ip igmp version 3
NGFW{running-pptp0}ipcp
Enable or disable IPCP for IPv4.
Syntax
ipcp (enable|disable)
Example
NGFW{running-pptp0}ipcp enable
NGFW{running-pptp0}ipcp disable
NGFW{running-pptp0}ipv6
Configure IPv6 settings.
Syntax
ipv6 mld
ipv6 mld version (1|2)
Example
NGFW{running-pptp0}ipv6 mld version 2
NGFW{running-pptp0}ipv6cp
Enable or disable IPCP for IPv6.
Syntax
ipv6cp (enable|disable)
Example
NGFW{running-pptp0}ipv6cp enable
210
Edit Running Configuration Commands
NGFW{running-pptp0}keep-alive
LCP keep alive period in seconds.
Syntax
keep-alive ppp disable
keep-alive ppp (default|(0-600)) [retry (0-600)]
Example
NGFW{running-pptp0}keep-alive ppp default retry 1
NGFW{running-pptp0}keep-alive ppp disable
NGFW{running-pptp0}log-option
Add service log option.
Syntax
log-option ppp all
log-option ppp (PPP-LOG-OPTION)
PPP-LOG-OPTION valid entries:
all
Enable all optional log items
auth
Link authentication events
ipcp
IPCP events and negotiation
ipv6cp
IPV6CP events and negotiation
l2tp
L2TP high level events
l2tp2
L2TP more detailed events
l2tp3
L2TP packet dumps
pptp
PPTP high level events
pptp2
PPTP more detailed events
pptp3
PPTP packet dumps
lcp
LCP events and negotiation
phys
Physical layer events
radius
Radius authentication events
echo
Keep-alive events
bund
Bundle events
iface
IP interface and route management events
link
Link events
frame
Dump all incoming and outgoing frames
fsm
All state machine events (except echo and reset)
Example
NGFW{running-pptp0}log-option ppp all
NGFW{running-pptp0}mru
Configure interface MRU.
Syntax
mru (default|(64-65535))
Example
NGFW{running-pptp0}mru 1500
NGFW{running-pptp0}mru default
NGFW{running-pptp0}mtu
Configure interface MTU.
NGFW Command Line Interface Reference
211
Syntax
mtu (default|(68-9216))
Example
NGFW{running-pptp0}mtu 1500
NGFW{running-pptp0}prefix
Configure IPv6 prefix.
Syntax
prefix X:X::X:X/M [valid-lifetime (1-4294967295)] [preferred-lifetime
(1-4294967295)]
Example
NGFW{running-pptp0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000
preferred-lifetime 604800
NGFW{running-pptp0}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level.
Syntax
ra-autoconf-level (none|address|other|full)
Valid entries:
none
No parameter is autoconfigured
address
Address is autoconfigured
other
Some other parameters are autoconfigured
full
Most parameters are autoconfigured
Example
NGFW{running-pptp0}ra-autoconf-level full
NGFW{running-pptp0}ra-autoconf-level ?
NGFW{running-pptp0}ra-interval
Modify IPv6 Router Advertisement interval value in milliseconds.
Syntax
ra-interval (90-1800000)
Example
NGFW{running-pptp0}ra-interval 600
NGFW{running-pptp0}ra-interval-transmit
Modify IPv6 Router Advertisement interval transmit.
Syntax
ra-interval-transmit (enable|disable)
Example
NGFW{running-pptp0}ra-interval-transmit enable
212
Edit Running Configuration Commands
NGFW{running-pptp0}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
Syntax
ra-lifetime (0-9000000)
Example
NGFW{running-pptp0}ra-lifetime 1800
NGFW{running-pptp0}ra-mtu
Modify IPv6 Router Advertisement MTU value.
Syntax
ra-mtu (none|(68-9216))
Example
NGFW{running-pptp0}ra-mtu 1500
NGFW{running-pptp0}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
Syntax
ra-transmit-mode (always|never|smart)
Valid entries:
always
Router Advert message is always sent
never
Router Advert message is never sent
smart
Router Advert message is sent if a prefix is defined
Example
NGFW{running-pptp0}ra-transmit-mode smart
NGFW{running-pptp0}shutdown
Shutdown logical interface state.
Syntax
shutdown
Example
NGFW{running-pptp0}shutdown
NGFW{running-pptp0}tcp4mss
Configure interface TCP MSS for IPv4.
Syntax
tcp4mss (disable|automatic|(4-65535)
Example
NGFW{running-pptp0}tcp4mss automatic
NGFW Command Line Interface Reference
213
NGFW{running-pptp0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|(4-65535)
Example
NGFW{running-pptp0}tcp6mss automatic
NGFW{running-pptp0}windowing
Enable or disable windowing option.
Syntax
windowing (enable|disable)
Example
NGFW{running-pptp0}windowing enable
NGFW{running-pptp0}windowing disable
running-rep Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running}rep
NGFW{running-rep}delete
Delete file or configuration item.
Syntax
delete group REPGROUP
delete profile REPPROFILE
Valid entries:
group
Reputation group
profile
Delete reputation profile
Example
NGFW{running-rep}delete group myrepgroup
WARNING: Are you sure you want to delete reputation group (y/n)? [n]: y
NGFW{running-rep}delete profile myrepprofile
WARNING: Are you sure you want to delete profile (y/n)? [n]: y
NGFW{running-rep}group
Create or enter reputation group context.
Syntax
group REPGROUP
Valid entries:
REPGROUP
Reputation usergroup name
Example
NGFW{running-rep}group myrepgroup
NGFW{running-rep-myrepgroup}
NGFW{running-rep-myrepgroup}help
Valid commands are:
214
Edit Running Configuration Commands
delete domain DOMAINNAME
delete ip SOURCEIP
description DESCRIPTION
display
domain NEWDOMAINNAME
help [full|COMMAND]
ip SOURCEIP
NGFW{running-rep}profile
Create or enter reputation profile context.
Syntax
profile REPPROFILE
Example
NGFW{running-rep}profile myprofile
NGFW{running-rep-myprofile}help
Valid commands are:
CHECK-ADDRESS ACTION
action-when-pending ACTION
delete dns-except DOMAINNAME
delete filter ALLGROUPNAME
delete ip-except SOURCEIP DESTINATIONIP
display
dns-except NEWDOMAINNAME
filter ALLGROUPNAME( enable [threshold [XACTIONSETNAME]])|( disable)
help [full|COMMAND]
ip-except SOURCEIP DESTINATIONIP
NGFW{running-rep}rename
Rename a reputation profile or group.
Syntax
rename group REPGROUP NEWREPGROUP
rename profile REPPROFILE NEWREPPROFILE
Valid entries:
group
Reputation group
profile
Reputation profile
Example
NGFW{running-rep}rename profile oldname newname
running-rep-X (group X) Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running-rep}group 1
NGFW{running-rep-1}delete
Delete file or configuration item.
Syntax
delete domain DOMAINNAME
delete ip (A.B.C.D|A.B.C.D/M|X:X::X:X|X:X::X:X/M)
NGFW Command Line Interface Reference
215
Valid entries:
domain
Domain name
ip
IP address IPv4/IPv6/CIDR
Example
NGFW{running-rep-1}delete domain example.com
NGFW{running-rep-1}delete ip 192.168.1.1
NGFW{running-rep-1}delete ip 100:0:0:0:0:0:0:0/64
NGFW{running-rep-1}description
Add a description to the reputation group.
Syntax
description DESCRIPTION
Example
NGFW{running-rep-1}description "Rep Group 1"
NGFW{running-rep-1}domain
New domain name.
Syntax
domain NEWDOMAIN
Example
NGFW{running-rep-1}domain example.com
NGFW{running-rep-1}ip
IP address IPv4/IPv6.
Syntax
ip (A.B.C.D|A.B.C.D/M|X:X::X:X|X:X::X:X/M)
Example
NGFW{running-rep-1}ip
NGFW{running-rep-1}ip
NGFW{running-rep-1}ip
NGFW{running-rep-1}ip
192.168.1.1
192.168.1.0/24
100:0:0:0:0:0:0:1
100:0:0:0:0:0:0:0/64
running-rep-X (profile X) Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running-rep}profile abc
NGFW{running-rep-abc}action-when-pending
Set pending action to permit or drop.
Syntax
action-when-pending (permit|drop)
Example
NGFW{running-rep-abc}action-when-pending permit
216
Edit Running Configuration Commands
NGFW{running-rep-abc}check-source-address
Enables or disables check source address.
Syntax
check-source-address (enable|disable)
Valid entries:
enable
Enable check source address
disable
Disable check source address
Example
NGFW{running-rep-abc}check-source-address enable
NGFW{running-rep-abc}check-destination-address
Enables or disables check destination address.
Syntax
check-destination-address (enable|disable)
Example
NGFW{running-rep-abc}check-destination-address enable
NGFW{running-rep-abc}delete
Delete file or configuration item.
Syntax
delete dns-except DOMAINNAME
delete filter REPGROUP
delete ip-except (A.B.C.D|A.B.C.D/M|X:X::X:X|X:X::X:X/M)
(A.B.C.D|A.B.C.D/M|X:X::X:X|X:X::X:X/M)
Example
NGFW{running-rep-abc}delete
NGFW{running-rep-abc}delete
NGFW{running-rep-abc}delete
NGFW{running-rep-abc}delete
dns-except example.com
filter "myrepgroup"
ip-except 192.168.1.1 192.168.2.2
ip-except 2001:2:0:0:0:0:0:0/48 2001:db8:0:0:0:0:0:0/32
NGFW{running-rep-abc}dns-except
DNS domain exception.
Syntax
dns-except DOMAINNAME
Example
NGFW{running-rep-abc}dns-except example.com
NGFW{running-rep-abc}filter
Add a reputation filter rule.
Syntax
filter REPGROUP disable
filter REPGROUP enable [THRESHOLD [ACTIONSET]]
NGFW Command Line Interface Reference
217
Valid entries:
enable
Enable filter rule
THRESHOLD
Set threshold (0-100)
ACTIONSET
Apply action set name
disable
Disable filter rule
Example
NGFW{running-rep-abc}filter "myrepgroup" enable
NGFW{running-rep-abc}filter "myrepgroup" enable 0 "Block + Notify"
NGFW{running-rep-abc}ip-except
Add IP address exception.
Syntax
ip-except SOURCEIP DESTINATIONIP
SOURCEIP
DESTINATIONIP
A.B.C.D or A.B.C.D/M or X:X::X:X or X:X::X:X/M
A.B.C.D or A.B.C.D/M or X:X::X:X or X:X::X:X/M
Example
NGFW{running-rep-abc}ip-except 192.168.1.1 192.168.2.2
NGFW{running-rep-abc}ip-except 2001:2:0:0:0:0:0:0/48 2001:db8:0:0:0:0:0:0/32
running-rip Context Commands
NGFW{running}router rip
NGFW{running-rip}default-metric
Set default metric for imported routes.
Syntax
default-metric (1-16)
Example
NGFW{running-rip}default-metric 2
NGFW{running-rip}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
default-metric (1-16)
distance (1-255)
equal-cost (2-255)
passive-interface INTERFACE
redistribute (connected|ospf|static|bgp)
timers basic
triggered-updates
version (1|2)
Valid entries:
default-metric
distance
equal-cost
passive-interface
redistribute
timers
218
Reset default metric for imported routes
Reset administrative distance for routes learned via RIP to
default
Reset equal-cost to default
Enable RIP routing updates on an interface
Delete redistribute routes from another routing protocol
Reset basic RIP timers to default
Edit Running Configuration Commands
triggered-updates
version
Disable triggered-updates
Reset RIP version to default
Example
NGFW{running-rip}delete
NGFW{running-rip}delete
NGFW{running-rip}delete
NGFW{running-rip}delete
NGFW{running-rip}delete
NGFW{running-rip}delete
NGFW{running-rip}delete
NGFW{running-rip}delete
default-metric 1
distance 120
equal-cost 2
passive-interface ethernet1
redistribute static
timers basic
triggered-updates
version 2
NGFW{running-rip}disable
Disable Routing Information Protocol (RIP).
Syntax
disable
Example
NGFW{running-rip}disable
NGFW{running-rip}distance
Set administrative distance for routes learned via RIP.
Syntax
distance (1-255)
Example
NGFW{running-rip}distance 120
NGFW{running-rip}distribute-list
Filter networks for RIP routing updates.
Syntax
distribute-list ACCESS-LIST (in|out) INTERFACE
Example
NGFW{running-rip}distribute-list myaccesslist in ethernet5
NGFW{running-rip}enable
Enable Routing Information Protocol (RIP).
Syntax
enable
Example
NGFW{running-rip}enable
NGFW{running-rip}equal-cost
Set the equal cost for ECMP.
NGFW Command Line Interface Reference
219
Syntax
equal-cost (2-255)
Example
NGFW{running-rip}equal-cost 2
NGFW{running-rip}passive-interface
Suppress RIP routing updates on an interface.
Syntax
passive-interface (default|INTERFACE)
Valid entries:
default
INTERFACE
"default" for all interfaces
Interface name
Example
NGFW{running-rip}passive-interface ethernet1
NGFW{running-rip}redistribute
Redistribute routes from another routing protocol.
Syntax
redistribute (connected|ospf|static|bgp) [metric (0-15)] [route-map ROUTE-MAP]
Valid entries:
connected
Connected
static
Static routes
ospf
Open Shortest Path First (OSPF)
bgp
Border Gateway Protocol (BGP)
metric
(0-15)
route-map
ROUTE-MAP
Metric
Metric for redistributed routes
Route map reference
Pointer to route-map entries
Example
NGFW{running-rip}redistribute static metric 1 route-map myroutemap1
NGFW{running-rip}timers
Set basic RIP timers.
Syntax
timers basic ROUTING-TABLE-UPDATE ROUTING-INFORMATION-TIMEOUT GARBAGE-COLLECTION
Valid entries:
basic
ROUTING-TABLE-UPDATE
ROUTING-INFORMATION-TIMEOUT
GARBAGE-COLLECTION
Set basic RIP timers
Routing table update timer value (0-65535)
Routing information timeout timer value (0-65535)
Garbage collection timer value (0-65535)
Example
NGFW{running-rip}timers basic 30 180 120
220
Edit Running Configuration Commands
NGFW{running-rip}triggered-updates
Enable RIP triggered-updates.
Syntax
triggered-updates
Example
NGFW{running-rip}triggered-updates
NGFW{running-rip}version
Set RIP version.
Syntax
version (1-2)
Example
NGFW{running-rip}version 2
running-ripng Context Commands
NGFW{running}router ripng
NGFW{running-ripng}default-metric
Set default metric for imported routes.
Syntax
default-metric DEFAULT-METRIC
DEFAULT-METRIC (1-16)
Example
NGFW{running-ripng}default-metric 1
NGFW{running-ripng}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
default-metric DEFAULT-METRIC
distance DISTANCE
distribute-list ACCESS-LIST (in|out) INTERFACE
equal-cost COST
passive-interface INTERFACE
redistribute PROTOCOL
timers basic
triggered-updates
Valid entries:
default-metric
distance
distribute-list
equal-cost
passive-interface
redistribute
timers
triggered-updates
Reset default metric for imported routes
Reset administrative distance for routes learned via RIPng to
default
Delete RIPng distribute list entry
Reset equal-cost to default
Enable RIPng routing updates on an interface
Delete redistribute routes from another routing protocol
Reset basic RIPng timers to default
Disable triggered-updates
NGFW Command Line Interface Reference
221
Example
NGFW{running-ripng}delete triggered-updates
NGFW{running-ripng}disable
Disable Routing Information Protocol next generation (RIPng).
Syntax
disable
Example
NGFW{running-ripng}disable
NGFW{running-ripng}distance
Set administrative distance for routes learned by way of RIPng.
Syntax
distance DISTANCE
DISTANCE
Distance (1-255)
Example
NGFW{running-ripng}distance 2
NGFW{running-ripng}distribute-list
Filter networks in RIPng routing updates.
Syntax
distribute-list ACCESS-LIST (in|out) INTERFACE
Valid entries:
distribute-list
ACCESS-LIST
in
out
INTERFACE
Filter networks in RIPng routing updates
Access list name
Incoming
Outbound
Interface name
Example
NGFW{running-ripng}distribute-list mylist in ?
Valid entry at this position is:
INTERFACE
Interface name
NGFW{running-ripng}enable
Enable Routing Information Protocol next generation (RIPng).
Syntax
enable
Example
NGFW{running-ripng}enable
NGFW{running-ripng}equal-cost
Set the equal cost for ECMP.
222
Edit Running Configuration Commands
Syntax
equal-cost EQUAL-COST
EQUAL-COST (2-255)
Example
NGFW{running-ripng}equal-cost 2
NGFW{running-ripng}passive-interface
Suppress RIPng routing updates on an interface.
Syntax
passive-interface (default|INTERFACE)
default
INTERFACE
"default" for all interfaces
Interface name
Example
NGFW{running-ripng}passive-interface default
NGFW{running-ripng}redistribute
Redistribute routes from another routing protocol.
Syntax
redistribute PROTOCOL [metric (0-16)] [route-map ROUTE-MAP]
Possible values for PROTOCOL are:
connected
Connected
static
Static routes
ospfv3
Open Shortest Path First (OSPFv3)
metric
(0-16)
route-map
ROUTE-MAP
Metric
Metric for redistributed routes
Route map reference
Pointer to route-map entries
Example
NGFW{running-ripng}redistribute connected
NGFW{running-ripng}timers
Set basic RIPng timers.
Syntax
timers basic ROUTING-TABLE-UPDATE ROUTING-INFORMATION-TIMEOUT GARBAGE-COLLECTION
Valid entries:
basic
ROUTING-TABLE-UPDATE
ROUTING-INFORMATION-TIMEOUT
GARBAGE-COLLECTION
Set basic RIPng timers
Routing table update timer value (0-65535)
Routing information timeout timer value (0-65535)
Garbage collection timer value (0-65535)
Example
NGFW{running-ripng}timers basic 60 90 120
NGFW Command Line Interface Reference
223
NGFW{running-ripng}triggered-updates
Enable RIPng triggered-updates.
Syntax
triggered-updates
Example
NGFW{running-ripng}triggered-updates
running-route-map Context Commands
NGFW{running}route-map mymap permit 10
NGFW{running-route-map}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
match as-path
match community-list
match ip address ACCESS-LIST-NAME
match ip next-hop A.B.C.D
match metric
set as-path prepend
set comm-list
set community
set ip next-hop A.B.C.D
set local-preference
set metric
Example
NGFW{running-route-map}delete
NGFW{running-route-map}delete
NGFW{running-route-map}delete
NGFW{running-route-map}delete
NGFW{running-route-map}delete
match as-path
match community-list
match ip next-hop 198.162.0.24
match metric
set as-path prepend
NGFW{running-route-map}match
Specifies the matching condition.
Syntax
match
match
match
match
match
as-path ASPATH-LIST-NAME
community-list COMMUNITY-LIST-NAME
ip address ACCESS-LIST-NAME
ip next-hop A.B.C.D
metric (1-65535)
Example
NGFW{running-route-map}match metric 2
NGFW{running-route-map}set
Sets the route attributes.
Syntax
set as-path prepend( ASNUMBER){1,24}
set comm-list COMMUNITY-LIST-NAME delete
224
Edit Running Configuration Commands
set
set
set
set
community ((AA:NN)|internet|local-as|no-advertise|no-export)
ip next-hop A.B.C.D
local-preference (0-65535)
metric (1-65535)
Example
NGFW{running-route-map}set as-path prepend 64497
NGFW{running-route-map}set as-path prepend 64496 64511 65536 65551
running-schedules Context Commands
NGFW{running}schedules
NGFW{running-schedules}delete
Deletes a schedule.
Syntax
delete schedule (all|SCHEDULENAME)
Example
NGFW{running-schedules}delete schedule myhours1
NGFW{running-schedules}delete schedule all
NGFW{running-schedules}rename
Rename a schedule.
Syntax
rename schedule SCHEDULENAME NEWSCHEDULENAME
Example
NGFW{running-schedules}rename schedule myhours1 myhours2
NGFW{running-schedules}schedule
Create or enter a schedule context.
Syntax
schedule SCHEDULENAME
Example
NGFW{running-schedules}schedule myhours1
running-schedules-X Context Commands
NGFW{running-schedules}schedule myhours1
NGFW{running-schedule-myhours1}delete
Delete a schedule-entry.
Syntax
delete schedule-entry (all|SCHEDULENAME)
Example
NGFW{running-schedule-myhours1}delete schedule-entry -mtwtf- from 09:00 to 10:00
NGFW Command Line Interface Reference
225
NGFW{running-schedule-myhours1}description
Enter description for the segment.
Syntax
description TEXT
Example
NGFW{running-schedule-myhours1}description "After Normal Business Hours"
NGFW{running-schedule-myhours1}schedule-entry
Add a schedule entry.
Syntax
schedule-entry DAYS START-TIME
Example
NGFW{running-schedule-myhours1}schedule-entry
NGFW{running-schedule-myhours1}schedule-entry
NGFW{running-schedule-myhours1}schedule-entry
NGFW{running-schedule-myhours1}schedule-entry
s-----s
-mtwtf-mtwtf-mtwtf-
from
from
from
from
00:00
18:00
00:00
09:00
to
to
to
to
23:59
23:59
07:00
10:00
running-segmentX Context Commands
NGFW{running}segment0
NGFW{running-segment0}bind
Bind ethernet port pairs to segment.
Syntax
bind (ethernet1+ethernet2 | ethernet3+ethernet4 | ethernet5+ethernet6 |
ethernet7+ethernet8)
Example
NGFW{running-segment0}bind ethernet1+ethernet2
NGFW{running-segment0}delete
Delete binding.
Syntax
delete (bind|high-availability|link-down)
Valid entries:
bind
high-availability
link-down
Unbind ethernet port pairs
Intrinsic HA Layer 2 Fallback action
Link down synchronization mode
Example
NGFW{running-segment0}delete bind
NGFW{running-segment0}delete high-availability
NGFW{running-segment0}delete link-down
NGFW{running-segment0}description
Enter description for the segment.
226
Edit Running Configuration Commands
Syntax
description TEXT
Example
NGFW{running-segment0}description “My Segment”
NGFW{running-segment0}high-availability
Intrinsic HA Layer 2 Fallback action block or permit.
Syntax
high-availability (block|permit)
block
permit
Enable block all
Enable permit all
Example
NGFW{running-segment0}high-availability permit
NGFW{running-segment0}link-down
Link down synchronization mode.
Syntax
link-down breaker [wait-time WAIT-TIME]
link-down hub
link-down wire [wait-time WAIT-TIME]
Valid entries:
breaker
Enable breaker action
hub
Enable hub action
wire
Enable wire action
WAIT-TIME
Time to wait before synchronizing in seconds
Example
NGFW{running-segment0}link-down wire wait-time 30
NGFW{running-segment0}restart
Restart both ethernet ports of segment.
Syntax
restart
Example
NGFW{running-segment0}restart
running-services Context Commands
NGFW{running}services
NGFW{running-services}delete
Delete service(s).
Syntax
delete service (all|SERVICENAME)
NGFW Command Line Interface Reference
227
Example
NGFW{running-services}delete service myservice2
NGFW{running-services}delete service all
NGFW{running-services}rename
Rename service.
Syntax
rename service SERVICENAME NEWSERVICENAME
Example
NGFW{running-services}rename service myservice1 myservice2
NGFW{running-services}service
Create or enter a service context.
Syntax
service SERVICENAME
Example
NGFW{running-services}service myservice1
running-services-X Context Commands
NGFW{running-services}service myservice1
NGFW{running-services-myservice1}delete
Delete service parameters.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
icmp (all|NAME|NUMBER)
icmpv6 (all|NAME|NUMBER)
port tcp PORT [to LASTPORT]
port udp PORT [to LASTPORT]
port tcp all
port udp all
protocol (all|PROTONUM)
service (all|SERVICENAME)
Valid entries:
icmp
Delete
icmpv6
Delete
port
Delete
protocol
Delete
service
Delete
ICMPv4
ICMPv6
port(s)
packet protocol number(s)
member service
Example
NGFW{running-services-myservice1}delete
NGFW{running-services-myservice1}delete
NGFW{running-services-myservice1}delete
NGFW{running-services-myservice1}delete
NGFW{running-services-myservice1}delete
NGFW{running-services-myservice1}delete
NGFW{running-services-myservice1}delete
228
Edit Running Configuration Commands
icmp any
icmpv6 any
port udp 53
port tcp all
protocol 6
service http
service dns
NGFW{running-services-myservice1}description
Apply service description.
Syntax
description TEXT
Example
NGFW{running-services-myservice1}description "my service 1"
NGFW{running-services-myservice1}icmp
Apply ICMPv4.
Syntax
icmp (NAME|NUMBER)
ICMP-CODENAMES
NUMBER
Apply ICMPv4 code name
Apply ICMP type number (0-255)
Example
NGFW{running-services-myservice1}icmp any
NGFW{running-services-myservice1}icmp 0
NGFW{running-services-myservice1}icmp echo-reply
NGFW{running-services-myservice1}icmpv6
Apply ICMPv6.
Syntax
icmpv6 (NAME|NUMBER)
ICMP6-CODENAMES
NUMBER
Apply ICMPv6 code name
Apply ICMPv6 type number (0-255)
Example
NGFW{running-services-myservice1}icmpv6 any
NGFW{running-services-myservice1}icmpv6 129
NGFW{running-services-myservice1}icmpv6 echo-reply
NGFW{running-services-myservice1}port
Apply TCP or UDP port number.
Syntax
port tcp PORT [to LASTPORT]
port udp PORT [to LASTPORT]
Valid entries:
tcp
Apply TCP
PORT
Apply port number
to
Set port range to
LAST-PORT
Apply last port of range
udp
Apply UDP
Example
NGFW{running-services-myservice1}port tcp 80 to 88
NGFW{running-services-myservice1}port udp 53
NGFW Command Line Interface Reference
229
NGFW{running-services-myservice1}protocol
Apply protocol number.
Syntax
protocol IPPROTOCOL
IPPROTOCOL
Apply packet protocol number
Example
NGFW{running-services-myservice1}protocol 6
NGFW{running-services-myservice1}service
Apply member service.
Syntax
service SERVICENAME
SERVICENAME
Existing service name
Example
NGFW{running-services-myservice1}service http
NGFW{running-services-myservice1}service dns
running-smr Context Commands
NGFW{running}router smr
NGFW{running-smr}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
dscp xmit
monitor A.B.C.D/M A.B.C.D [INTERFACE]
timer
ttl xmit
Valid entries:
dscp
Delete the DSCP value in the outbound ICMP packets
monitor
Monitored route
timer
Base timer
ttl
Delete the TTL setting for ICMP packets
Example
NGFW{running-smr}delete dscp xmit
NGFW{running-smr}delete timer
NGFW{running-smr}delete monitor 198.162.0.100/24 ?
Valid entry at this position is:
A.B.C.D
The Gateway of the route
NGFW{running-smr}dscp
Define the global DSCP value.
Syntax
dscp xmit 0xXX
xmit
0xXX
230
Define the DSCP in the outbound ICMP packets
6-bit Hexadecimal value (0x0 - 0x3f)
Edit Running Configuration Commands
Example
NGFW{running-smr}dscp xmit 0x0
NGFW{running-smr}monitor
Define monitoring parameters for a route.
Syntax
monitor A.B.C.D/M A.B.C.D MULT MAXFAILURE [A.B.C.D]
monitor A.B.C.D/M A.B.C.D MULT MAXFAILURE distance DISTANCE [A.B.C.D]
monitor
A.B.C.D/M
A.B.C.D
MULT
MAXFAILURE
A.B.C.D
distance
DISTANCE
Monitor a static route
The monitored route
The Gateway of the route
Timer multiplier for the polling (range: 1-255)
Failure limit for the polling (range: 1-16)
Probe target different from the route gateway
Administrative distance of the route
Administrative distance value (default: 10, range: 1-255)
Example
NGFW{running-smr}monitor 192.168.0.100/24 192.168.0.102 2 3
NGFW{running-smr}timer
Define time base for polling.
Syntax
timer MSEC
MSEC
base timer in milliseconds (50-300000). Default: 200
Example
NGFW{running-smr}timer 200
NGFW{running-smr}ttl
Define TTL of ICMP packets.
Syntax
ttl recv (1-255)
ttl xmit (1-255)
Valid entries:
recv
Define expected TTL of received ICMP packets
xmit
Define TTL of transmitted ICMP echo packets
Example
NGFW{running-smr}ttl recv 10
running-snat Context Commands
NGFW{running}src-nat
NGFW{running-snat}delete
Delete source NAT rule(s).
NGFW Command Line Interface Reference
231
Syntax
delete rule (all|SRCNATRULEID)
Example
NGFW{running-snat}delete rule 123
NGFW{running-snat}rename
Rename source NAT rule.
Syntax
rename rule SRCNATRULEID NEWSRCNATRULEID
Example
NGFW{running-snat}rename rule 123 snat1
NGFW{running-snat}rule
Create or enter a rule context.
Syntax
rule (auto|SRCNATRULEID) [POSITION_VALUE]
Example
NGFW{running-snat}rule 123
running-snat-rule-X Context Commands
NGFW{running-snat}rule snat1
NGFW{running-snat-rule-snat1}delete
Delete file or configuration item.
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
dst-zone (include|exclude) (all|ZONENAME)
src-address (include|exclude) group ADDRESSGROUP
dst-address (include|exclude) group ADDRESSGROUP
src-address (include|exclude) ipaddress A.B.C.D
dst-address (include|exclude) ipaddress A.B.C.D
src-address (include|exclude) ipaddress A.B.C.D/M
dst-address (include|exclude) ipaddress A.B.C.D/M
src-address (include|exclude) range A.B.C.D A.B.C.D
dst-address (include|exclude) range A.B.C.D A.B.C.D
translate-to interface
translate-to ipaddress (A.B.C.D|A.B.C.D/M)
translate-to range A.B.C.D A.B.C.D
Valid entries:
dst-address
dst-zone
src-address
translate-to
Delete destination addresses
Delete destination security zone
Delete source addresses
Apply translation
Example
NGFW{running-snat-rule-snat1}delete translate-to range 192.168.1.100 192.168.1.200
NGFW{running-snat-rule-snat1}delete dst-zone include all
NGFW{running-snat-rule-snat1}delete dst-address include ipaddress 192.168.1.0/24
232
Edit Running Configuration Commands
NGFW{running-snat-rule-snat1}delete src-address exclude ipaddress 192.168.1.1
NGFW{running-snat-rule-snat1}description
Apply rule description.
Syntax
description TEXT
Example
NGFW{running-snat-rule-snat1}description "source nat rule 1"
NGFW{running-snat-rule-snat1}dst-address
Apply destination address.
Syntax
dst-address
dst-address
dst-address
dst-address
(include|exclude)
(include|exclude)
(include|exclude)
(include|exclude)
group ADDRESSGROUP
ipaddress A.B.C.D
ipaddress A.B.C.D/M
range A.B.C.D A.B.C.D
Example
NGFW{running-snat-rule-snat1}dst-address include ipaddress 192.168.1.0/24
NGFW{running-snat-rule-snat1}dst-address exclude ipaddress 192.168.1.1
NGFW{running-snat-rule-snat1}dst-address include range 192.168.1.100 192.168.1.200
NGFW{running-snat-rule-snat1}dst-zone
Apply destination security zone.
Syntax
dst-zone (include|exclude) ZONENAME
Example
NGFW{running-snat-rule-snat1}dst-zone include myzone1
NGFW{running-snat-rule-snat1}dst-zone exclude myzone1
NGFW{running-snat-rule-snat1}move
Move rule position in the rule table.
Syntax
move after SRCNATRULEID
move before SRCNATRULEID
move to position VALUE
Valid entries:
after
SRCNATRULEID
before
to
position
VALUE
Move rule position after the rule identifier
Apply source NAT rule identifier
Move rule position before the rule identifier
Move to rule position
Apply rule position
Apply rule position number
Example
NGFW{running-snat-rule-snat1}move after snat1
NGFW Command Line Interface Reference
233
NGFW{running-snat-rule-snat1}move before snat1
NGFW{running-snat-rule-snat1}move to position 1
NGFW{running-snat-rule-snat1}src-address
Apply source address.
Syntax
src-address
src-address
src-address
src-address
(include|exclude)
(include|exclude)
(include|exclude)
(include|exclude)
group ADDRESSGROUP
ipaddress A.B.C.D
ipaddress A.B.C.D/M
range A.B.C.D A.B.C.D
Example
NGFW{running-snat-rule-snat1}src-address include ipaddress 192.168.1.0/24
NGFW{running-snat-rule-snat1}src-address exclude ipaddress 192.168.1.1
NGFW{running-snat-rule-snat1}src-address include range 192.168.1.100 192.168.1.200
NGFW{running-snat-rule-snat1}translate-to
Apply translation.
Syntax
translate-to interface
translate-to ipaddress (A.B.C.D|A.B.C.D/M)
translate-to range A.B.C.D A.B.C.D
Valid entries:
interface
Apply translate interface
ipaddress
Apply IP address
range
Apply IP address range
Example
NGFW{running-snat-rule-snat1}translate-to
NGFW{running-snat-rule-snat1}translate-to
NGFW{running-snat-rule-snat1}translate-to
NGFW{running-snat-rule-snat1}translate-to
running-snmp Context Commands
NGFW{running}snmp
NGFW{running-snmp}authtrap
Enable or disable SNMP authentication failure trap.
Syntax
authtrap (enable|disable)
Example
NGFW{running-snmp}authtrap enable
NGFW{running-snmp}community
Configure SNMP read-only community.
Syntax
community COMMUNITY [SOURCE]
234
Edit Running Configuration Commands
interface
ipaddress 192.168.1.1
ipaddress 192.168.1.0/24
range 192.168.1.100 192.168.1.200
COMMUNITY
SOURCE
default
Text to identify SNMP system community
IP (A.B.C.D|X:X::X:X), subnet (A.B.C.D/M|X:X::X:X/M), or "default"
allow any IPv4/6 source
Example
NGFW{running-snmp}community mycommunity default
NGFW{running-snmp}delete
Delete file or configuration item.
Syntax
delete community (COMMUNITY|all)
delete trapsession ((A.B.C.D|X:X::X:X|FQDN) ver VERSION)|all)
delete username (USERNAME|all)
Valid entries:
community
Delete SNMP read-only community
trapsession
Delete a configured trap session
username
Delete a configured user
Example
NGFW{running-snmp}delete
NGFW{running-snmp}delete
NGFW{running-snmp}delete
NGFW{running-snmp}delete
community mycommunity
community all
trapsession 192.168.1.1 ver 3
trapsession all
NGFW{running-snmp}engineID
Configure SNMPv3 engine ID.
Syntax
engineID ENGINE-ID
ENGINE-ID
SNMPv3 Engine ID (1-32 hex octets, ex: 0x800012ef0302a11aab33f4)
Example
NGFW{running-snmp}engineID 0x800012ef0302a11aab33f4
NGFW{running-snmp}snmp
Enable or disable SNMP.
Syntax
snmp (enable|disable)
Example
NGFW{running-snmp}snmp enable
NGFW{running-snmp}trapsession
Configure SNMP v2c or v3 trap destinations.
Syntax
trapsession (A.B.C.D|X:X::X:X|FQDN) [port PORT] ver 2c COMMUNITY [inform]
trapsession (A.B.C.D|X:X::X:X|FQDN) [port PORT] ver 3 USERNAME level noAuthNoPriv
[inform]
NGFW Command Line Interface Reference
235
trapsession (A.B.C.D|X:X::X:X|FQDN) [port PORT] ver 3 USERNAME level authNoPriv
authtype (MD5|SHA) AUTHPASS [inform]
trapsession (A.B.C.D|X:X::X:X|FQDN) [port PORT] ver 3 USERNAME level authPriv
authtype (MD5|SHA) AUTHPASS privproto PRIVPROTO [PRIVPASS] [inform]
Valid entries:
HOST
IP address or DNS host name
port
Configure SNMP port
PORT
SNMP port (default 162)
ver
Configure SNMP version (2c, or 3)
2c
SNMPv2c
COMMUNITY
Text to identify SNMP system community
inform
Send information message instead of a trap
3
SNMPv3
USERNAME
Text to identify USM user name (for authentication/privacy)
level
Configure security level (noAuthNoPriv|authNoPriv/|authPriv)
noAuthNoPriv
No authentication, no privacy
authNoPriv
Authentication, no privacy
authtype
Configure authentication type (MD5|SHA)
AUTHTYPE
Authentication type
Possible values for AUTHTYPE are:
MD5
Message Digest 5
SHA
Secure Hash Algorithm
AUTHPASS
Authentication passphrase - must be at least 8 characters
authPriv
Authentication and privacy
privproto
Configure privacy protocol (DES|AES)
PRIVPROTO
Privacy protocol
Possible values for PRIVPROTO are:
DES
Data Encryption Security
AES
Advanced Encryption Security
PRIVPASS
Optional privacy passphrase - must be at least 8 characters
Example
NGFW{running-snmp}trapsession snmpserver.example.com ver 2c mycommunity inform
NGFW{running-snmp}trapsession 192.168.1.1 port 162 ver 2c mycommunity
NGFW{running-snmp}trapsession 192.168.1.1 port 162 ver 3 mysnmpusername level
authNoPriv authtype SHA mysnmppassword inform
NGFW{running-snmp}trapsession 100:0:0:0:0:0:0:1 ver 3 mysnmpusername level
authNoPriv authtype SHA mysnmppassword inform
NGFW{running-snmp}username
Configure SNMPv3 USM read-only user.
Syntax
username USERNAME level noAuthNoPriv
username USERNAME level authNoPriv authtype AUTHTYPE AUTHPASS
username USERNAME level authPriv authtype AUTHTYPE AUTHPASS privproto PRIVPROTO
[PRIVPASS]
Valid entries:
USERNAME
Text to identify USM user name (for authentication/privacy)
level
Configure security level (noAuthNoPriv|authNoPriv/|authPriv)
noAuthNoPriv
No authentication, no privacy
authNoPriv
Authentication, no privacy
authtype
Configure authentication type (MD5|SHA)
AUTHTYPE
Authentication type
Possible values for AUTHTYPE are:
MD5
Message Digest 5
SHA
Secure Hash Algorithm
236
Edit Running Configuration Commands
AUTHPASS
Authentication passphrase - must be at least 8 characters
authPriv
Authentication and privacy
privproto
Configure privacy protocol (DES|AES)
PRIVPROTO
Privacy protocol
Possible values for PRIVPROTO are:
DES
Data Encryption Security
AES
Advanced Encryption Security
PRIVPASS
Optional privacy passphrase - must be at least 8 characters
Example
NGFW{running-snmp}username mysnmpusername level noAuthNoPriv
NGFW{running-snmp}username mysnmpusername level authNoPriv authtype SHA
mysnmppassword
NGFW{running-snmp}username mysnmpusername level authPriv authtype SHA mysnmppassword
privproto AES mysnmpprivpassword
running-vlanX Context Commands
NGFW{running}interface vlan0
NGFW{running-vlan0}arp/ndp
Enable or disable ARP and NDP on interface.
Syntax
arp/ndp (enable|disable)
Example
NGFW{running-vlan0}arp/ndp enable
NGFW{running-vlan0}autoconfv6
Enable or disable IPv6 autoconfiguration on interface.
Syntax
autoconfv6 (enable|disable)
Example
NGFW{running-vlan0}autoconfv6 enable
NGFW{running-vlan0}bind
Bind an interface to vlan.
Syntax
bind PORT id vlanid
PORT
id
vlanid
Bind interface over ethernet, aggregated link or VLAN port
VLAN ID
VLAN ID
Example
NGFW{running-vlan0}bind ethernet2 ?
Valid entry at this position is:
id
VLAN ID
NGFW{running-vlan0}delete
Delete file or configuration item.
NGFW Command Line Interface Reference
237
Syntax
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
delete
bind
ip igmp
ip igmp version
ip ospf area
ip ospf authentication mode md5 (1-255) KEY
ip ospf authentication mode text KEY
ip ospf cost (1-65535)
ip ospf dead-interval (1-65535)
ip ospf hello-interval (1-65535)
ip ospf priority (0-255)
ip ospf retransmit-interval (3-65535)
ip ospf transmit-delay (1-65535)
ip pim-sm
ip rip
ip rip authentication mode md5
ip rip authentication mode text
ip rip receive version (v1-only|v2-only|v1-or-v2)
ip rip send version (v1-only|v2-only|v1-or-v2)
ip rip split-horizon
ipaddress (all|A.B.C.D/M|X:X::X:X/M)
ipaddress dhcpv4
ipaddress dhcpv6
ipv6 mld
ipv6 mld version
ipv6 ospfv3 area
ipv6 ospfv3 cost
ipv6 ospfv3 dead-interval
ipv6 ospfv3 hello-interval
ipv6 ospfv3 priority
ipv6 ospfv3 retransmit-interval
ipv6 ospfv3 transmit-delay
ipv6 pim-sm
ipv6 ripng
ipv6 ripng split-horizon
prefix (all|X:X::X:X/M)
shutdown
Valid entries:
bind
Bind an interface to vlan
ip
Configure IP settings
ip
Delete IP settings
ipaddress
Delete DHCPv4 client context
ipaddress
Delete DHCPv6 client context
ipaddress
Delete IP address
ipv6
Configure IPv6 settings
ipv6
Delete IPv6
prefix
Delete IPv6 prefix
shutdown
Shutdown logical interface state
Example
NGFW{running-vlan0}delete bind
NGFW{running-vlan0}delete ip igmp
NGFW{running-vlan0}delete ip rip authentication mode md5
NGFW{running-vlan0}description
Enter description for the interface.
238
Edit Running Configuration Commands
Syntax
description TEXT
Example
NGFW{running-vlan0}description "My interface description"
NGFW{running-vlan0}ip
Configure IP settings.
Syntax
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
igmp
igmp version (1|2|3)
ospf area (A.B.C.D|(0-4294967295))
ospf authentication mode md5 (1-255) KEY
ospf authentication mode text KEY
ospf cost (1-65535)
ospf dead-interval (1-65535)
ospf hello-interval (1-65535) [A.B.C.D]
ospf priority (0-255)
ospf retransmit-interval (3-65535)
ospf transmit-delay (1-65535)
pim-sm
rip
rip authentication mode md5 (0-2147483647) KEY
rip authentication mode text
rip receive version (v1-only|v2-only|v1-or-v2)
rip send version (v1-only|v2-only|v1-or-v2)
rip split-horizon [poison-reverse]
Example
NGFW{running-vlan0}ip igmp
NGFW{running-vlan0}ip ospf area 192.168.0.24
NGFW{running-vlan0}ipaddress
Configure IP address.
Syntax
ipaddress (A.B.C.D/M|X:X::X:X/M) [primary]
ipaddress (dhcpv4|dhcpv6)
Valid entries:
A.B.C.D/M
IPv4 address with netmask length
X:X::X:X/M
IPv6 address with prefix length
dhcpv4
Configure DHCPv4 client
dhcpv6
Enter DHCPv6 client context
Example
NGFW{running-vlan0}ipaddress dhcpv4
NGFW{running-vlan0}ipv6
Configure IPv6 settings.
Syntax
ipv6 mld
NGFW Command Line Interface Reference
239
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
mld version (1|2)
ospfv3 area (A.B.C.D|<0-4294967295>)
ospfv3 cost COST
ospfv3 dead-interval VALUE
ospfv3 hello-interval VALUE
ospfv3 priority VALUE
ospfv3 retransmit-interval VALUE
ospfv3 transmit-delay VALUE
pim-sm
ripng
ripng split-horizon (simple|poison-reverse|inactive)
Valid entries:
mld
ospfv3
pim-sm
ripng
area
<0-4294967295>
A.B.C.D
cost
COST
dead-interval
VALUE
hello-interval
VALUE
priority
VALUE
retransmit-interval
VALUE
transmit-delay
VALUE
Configure MLD settings
Configure OSPFv3 over the interface
Configure PIM-SM over the interface
Configure RIPng over the interface
Enable the interface in an OSPFv3 area
OSPFv3 area ID as a decimal value
OSPFv3 area ID in IP address format
OSPFv3 interface cost
Cost value (1-65535)
Interval after which a neighbor is declared dead
Dead interval value (1-65535)
Interval between HELLO packets
Hello interval value (1-65535)
OSPFv3 interface priority
Priority value (0-255)
Interval between retransmitting lost link state advertisements
Retransmit interval value (3-65535)
Link state transmit delay
Transmit delay value (1-65535)
Example
NGFW{running-vlan0}ipv6 mld
NGFW{running-vlan0}ipv6 ripng split-horizon simple
NGFW{running-vlan0}mtu
Configure interface MTU.
Syntax
mtu (default|VALUE)
default
VALUE
Default value is applied
Interface MTU value (68-9216)
Example
NGFW{running-vlan0}mtu default
NGFW{running-vlan0}prefix
Configure IPv6 prefix.
Syntax
prefix X:X::X:X/M [valid-lifetime (1-4294967295)] [preferred-lifetime
(1-4294967295)]
Valid entries:
X:X::X:X/M
IPv6 prefix
240
Edit Running Configuration Commands
valid-lifetime
(1-4294967295)
preferred-lifetime
(1-4294967295)
Configure valid lifetime
Valid lifetime in seconds (default is 2592000)
Configure preferred lifetime
Preferred lifetime in seconds
(default is 604800 - cannot exceed valid lifetime)
Example
NGFW{running-vlan0}prefix 2001:db8::/32
NGFW{running-vlan0}prefix 2001:db8::/32 valid-lifetime 2592000
NGFW{running-vlan0}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level.
Syntax
ra-autoconf-level AUTOCONF
Valid entries:
AUTOCONF
Router Advert Autoconfiguration level (DHCP)
Possible values for AUTOCONF are:
none
No parameter is autoconfigured
address
Address is autoconfigured
other
Some other parameters are autoconfigured
full
Most parameters are autoconfigured
Example
NGFW{running-vlan0}ra-autoconf-level full
NGFW{running-vlan0}ra-interval
Modify IPv6 Router Advertisement interval value.
Syntax
ra-interval INTERVAL
Valid entries:
INTERVAL
Router Advert emission period (in milliseconds)
Example
NGFW{running-vlan0}ra-interval 240
NGFW{running-vlan0}ra-interval-transmit
Modify IPv6 Router Advertisement interval transmit.
Syntax
ra-interval-transmit (enable|disable)
Valid entries:
enable
Enable router advertisement
disable
Disable router advertisement
Example
NGFW{running-vlan0}ra-interval-transmit enable
NGFW Command Line Interface Reference
241
NGFW{running-vlan0}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
Syntax
ra-lifetime (0-9000000)
Example
NGFW{running-vlan0}ra-lifetime 9000000
NGFW{running-vlan0}ra-mtu
Modify IPv6 Router Advertisement MTU value.
Syntax
ra-mtu (none|MTU)
none
MTU
Not configured
MTU value advertised (68-9216)(0 if none)
Example
NGFW{running-vlan0}ra-mtu 9216
NGFW{running-vlan0}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
Syntax
ra-transmit-mode MODE
MODE
Router
Possible values for
always
Router
never
Router
smart
Router
Advertisement transmit mode
MODE are:
Advert message is always sent
Advert message is never sent
Advert message is sent if a prefix is defined
Example
NGFW{running-vlan0}ra-transmit-mode always
NGFW{running-vlan0}shutdown
Shutdown logical interface state.
Syntax
shutdown
Example
NGFW{running-vlan0}shutdown
NGFW{running-vlan0}tcp4mss
Configure interface TCP MSS for IPv4.
Syntax
tcp4mss (disable|automatic|VALUE)
Valid entries:
disable
Disable service
242
Edit Running Configuration Commands
automatic
VALUE
Automatically select TCP MSS based on interface MTU
TCP MSS value for IPv4 (4-65535)
Example
NGFW{running-vlan0}tcp4mss 4
NGFW{running-vlan0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|VALUE)
Valid entries:
disable
Disable service
automatic
Automatically select TCP MSS based on interface MTU
VALUE
TCP MSS value for IPv6 (4-65535)
Example
NGFW{running-vlan0}tcp6mss automatic
running-zones Context Commands
NGFW{running}zones
NGFW{running-zones}delete
Delete security zone(s).
Syntax
delete zone (all|ZONENAME)
Valid entries:
zone
Delete security zone(s)
all
All settings
ZONENAME
Existing security zone name
Example
NGFW{running-zones}delete zone all
NGFW{running-zones}delete zone myzone1
NGFW{running-zones}rename
Rename a specified zone.
Syntax
rename zone ZONENAME NEWZONENAME
Valid entries:
zone
Enter security zone context
ZONENAME
Existing security zone name
NEWZONENAME
New security zone name
Example
NGFW{running-zones}rename zone myzone1 myzone2
NGFW{running-zones}zone
Enter security zone context.
NGFW Command Line Interface Reference
243
Syntax
zone ZONENAME
Example
NGFW{running-zones}zone myzone1
running-zones-X Context Commands
NGFW{running-zones}zone myzone1
NGFW{running-zones-myzone1}application-visibility
Enable or Disable application visibility.
Syntax
application-visibility (enable|disable)
Example
NGFW{running-zones-myzone1}application-visibility enable
NGFW{running-zones-myzone1}bind
Bind interfaces to zones.
Syntax
bind INTERFACE
Example
NGFW{running-zones-myzone1}bind ethernet5
NGFW{running-zones-myzone1}delete
Delete file or configuration item.
Syntax
delete bind (INTERFACE|all)
Valid entries:
bind
Bind interfaces to zones
INTERFACE Delete interface from zone
all
Delete all interfaces bound to the zone
Example
NGFW{running-zones-myzone1}delete bind ethernet5
NGFW{running-zones-myzone1}description
Enter description for the zone.
Syntax
description TEXT
Example
NGFW{running-zones-myzone1}description "my zone 1"
244
Edit Running Configuration Commands
Download PDF

advertising