HP TippingPoint Next Generation Firewall Series Command Reference Guide



HP TippingPoint

Next Generation Firewall Command Line

Interface Reference Guide

Version 1.0.1

Abstract

This reference manual describes the Next Generation Firewall Command Line Interface (CLI) and the commands you can use to configure and manage a NGFW appliance.


Part number: 5998-4803

Edition: August 2013, First

Legal and notice information

© Copyright 2013 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard. The information is provided “as is” without warranty of any kind and is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

TippingPoint®, the TippingPoint logo, and Digital Vaccine® are registered trademarks of Hewlett-Packard. All other company and product names may be trademarks of their respective holders. All rights reserved. This document contains confidential information, trade secrets or both, which are the property of Hewlett-Packard. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from Hewlett-Packard or one of its subsidiaries.

Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.

Intel and Itanium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation.

Oracle® is a registered U.S. trademark of Oracle Corporation, Redwood City, California.

UNIX® is a registered trademark of The Open Group.

Printed in US or Puerto Rico

Next Generation Firewall Command Line Interface Reference Guide

Publication Part Number: 5998-4803

Table of Contents

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Target Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Typefaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Document Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1 Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Command Line Interface Syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Shortcut Navigation Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Hierarchical Menu and Prompt display. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Root Command Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Edit Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Configuration File Versions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2 Global Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

commit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

more . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

3 Root Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

flush . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

log-configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

master-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

ping6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

save-config. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

service-access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

show aaa. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

show agglink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

show arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

show ndp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

CLI Reference Guide i


show autoconf dhcpv4 client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

show autoconf dhcpv6 client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

show autoconf ra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

show cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

show date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

show dhcp relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

show dhcp server lease . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

show dhcpv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

show dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

show firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

show high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

show interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

show ip bgp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

show ip igmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

show ip mroute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

show ip ospf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

show ip pim-sm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

show ip rip. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

show ip route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

show ip smr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

show ipv6 mld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

show ipv6 mroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

show ipv6 ospfv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

show ipv6 pim-sm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

show ipv6 ripng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

show ipv6 route ospfv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

show ipv6 route ripng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

show (ip|ipv6) route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

show key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

show l2tp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

show license. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

show log-file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

show log-file FILE_NAME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

show log-file FILE_NAME stat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

show log-file summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

show log-file boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

show mfg-info. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

show np engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

show np general statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

show np protocol-mix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

show np reassembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

show np rule-stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

show np softlinx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

show np tier-stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

show quarantine-list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

show reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

show service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

show sms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

show snmp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

show system buffers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

show system connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

show system processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

show system statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

show system usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

show system virtual-memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

show system xms memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

show terminal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

show traffic-file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

show tse connection-table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

show tse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

show user-disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

show users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

show version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

sms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

snapshot create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

snapshot list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

snapshot remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

snapshot restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

tcpdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

traceroute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

traceroute6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

user-disk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

4 Log Configure Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

email. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

log-file-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

log-storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

log-test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

rotate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

5 Edit Running Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Configuration Contexts by Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Monitor/System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Edit Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

aaa. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

actionsets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

addressgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

application-filter-mgmt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

application-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

application-visibility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

autodv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

blockedStreams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

captive-portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

dst-nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

gen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

global-inspection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

ips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

l2tp-serverX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

multicast-registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

notifycontacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75


ntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

reputation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

route-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

schedules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

segmentX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

src-nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Contexts and Related Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

running-aaa Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

running-aaa-ldap-group-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

running-aaa-radius-group-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

running-actionsets Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

running-actionsets-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

running-addressgroups Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

running-addressgroups-X Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

running-agglinkX Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

running-app-filter-mgmt Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

running-app-groups Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

running-app-groups-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

running-autodv Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

running-autodv-calendar Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

running-autodv-periodic Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

running-bgp-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

running-blockedStreams Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

running-bridgeX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

running-captive-portal Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

running-captive-portal-rule-X Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

running-certificates Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

running-certificates-crl Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

running-cluster Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

running-cluster-tct Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

running-dhcp-relay Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

running-dhcp-server Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

running-dhcp-server-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

running-dnat Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

running-dnat-rule-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

running-dns Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

running-ethernetX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

running-firewall Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 running-firewall-rule-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

running-gen Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

running-global-inspection Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

running-greX Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

running-high-availability Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

running-ips Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

running-ips-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

running-ipsec Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

running-ipsec-policy-X Context Commands and their Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

running-ipsec-vpn-X Context Commands and their Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

running-l2tp-serverX Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

running-l2tpX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

running-log Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

running-loopbackX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

running-manual-sa Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

running-mgmt Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

running-multicast-registration Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 running-notifycontacts (email) Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

running-notifycontacts-X (SNMP) Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

running-ntp Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

running-phase1-proposal-X Context Commands and their Usage . . . . . . . . . . . . . . . . . . . . . . . . . 190

running-phase1-proposal-X Context Commands and their Usage . . . . . . . . . . . . . . . . . . . . . . . . . 191

running-ospf Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

running-ospfv3 Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

running-pim-smv4 Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

running-pim-smv6 Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

running-pppoeX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

running-pptpX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

running-rep Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

running-rep-X (group X) Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

running-rep-X (profile X) Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

running-rip Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

running-ripng Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

running-route-map Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

running-schedules Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225 running-schedules-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

running-segmentX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

running-services Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

running-services-X Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

running-smr Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

running-snat Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

running-snat-rule-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

running-snmp Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

running-vlanX Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

running-zones Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

running-zones-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

CLI Reference Guide v


About This Guide

The Next Generation Firewall command line interface enables you to configure and manage the NGFW appliance from a command line. The NGFW commands can be used in custom scripts to automate tasks.

This section covers the following topics:

• Target Audience, page 1
• Related Documentation, page 1
• Document Conventions, page 2
• Customer Support, page 3

Target Audience

This guide is intended for security and network administrators and specialists who are responsible for monitoring, managing, and improving system security. The audience for this material is expected to be familiar with the HP TippingPoint Next Generation Firewall.

Related Documentation

Access the documentation at http://www.hp.com/support/manuals. For the most recent updates for your products, check the HP Networking Support web site at http://www.hp.com/networking/support.


Document Conventions

This guide uses the following document conventions.

• Typefaces, page 2
• Document Messages, page 2

Typefaces

HP TippingPoint publications use the following typographic conventions for structuring information:

Table 1-1 Document Typographic conventions

Convention                                   Element
Medium blue text: Figure 1                   Cross-reference links and e-mail addresses
Blue, underlined text (http://www.hp.com)    Web site addresses
Bold font                                    • Key names
                                             • Text typed into a GUI element, such as into a box
                                             • GUI elements that are clicked or selected, such as menu and list items, buttons, and check boxes. Example: Click OK to accept.
Italics font                                 Text emphasis, important terms, variables, and publication titles.
Monospace font                               • File and directory names
                                             • System output
                                             • Code
                                             • Text typed at the command line
Monospace, italic font                       • Code variables
                                             • Command-line variables
Monospace, bold font                         Emphasis of file and directory names, system output, code, and text typed at the command line

Document Messages

Document messages are special text that is emphasized by font, format, and icons. This reference guide contains the following types of messages: Warning, Caution, Note, Important, and Tip.

WARNING! Warning notes alert you to potential danger of bodily harm or other potential harmful consequences.

CAUTION: Caution notes provide information to help minimize risk, for example, when a failure to follow directions could result in damage to equipment or loss of data.

NOTE: Notes provide additional information to explain a concept or complete a task. Notes of specific importance in clarifying information or instructions are denoted as such.

IMPORTANT: Another type of note that provides clarifying information or specific instructions.

TIP: Tips provide helpful hints and shortcuts, such as suggestions about how you can perform a task more easily or more efficiently.

Customer Support

HP is committed to providing quality customer support to all of its customers. Each customer is provided with a customized support agreement that provides detailed customer and support contact information.

When you need technical support, use the following information to contact Customer Support.

Contact Information

For additional information or assistance, contact the HP Networking Support: http://www.hp.com/networking/support

Before contacting HP, collect the following information:

• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions

HP Contact Information

For the name of the nearest HP authorized reseller, see the contact HP worldwide web site: http://www.hp.com/country/us/en/wwcontact.html


1 Command Line Interface

In addition to the Local System Manager (LSM) and the Centralized Management Capability of the Security Management System (SMS), a Command-line Interface (CLI) can be used to configure and manage the NGFW appliance. The CLI is accessed directly through the console or remotely through SSH. Non-secure connections, such as Telnet, are not permitted. During the initial setup, the "superuser" account is set for the appliance. Once that is set, you can log in from the console and set the management port IP address. SSH and HTTPS are then accessible at the management port IP address.

NOTE:

To access the most recent updates to the NGFW product documentation, go to http://www.hp.com/support/manuals.

This chapter covers the following topics:

• "Overview" on page 5
• "Command Modes" on page 7
• "Configuration File Versions" on page 9

Overview

This chapter covers the hierarchical structure of the CLI, the command line syntax, and an overview of how to edit, save and manage configuration files. Also provided is a list of Unix-like utilities for monitoring and troubleshooting the system. The show command provides easy-to-read sections from log files. The display command displays sections of the running configuration file, or can be used to preview your configuration file edits before committing them.

Access to the NGFW is initially through the console, where you configure management access. The management port is enabled by default for SSH and LSM management access. All access is determined by group membership and the management of roles. To configure granular levels of access, the aaa (Authentication, Authorization and Auditing) context has the necessary utilities to modify users, groups, roles, and their capabilities.

Command Line Interface Syntax

The following syntax is used in the CLI.

Table 1-1 Command Line Syntax

Syntax Convention    Explanation
UPPERCASE            Uppercase text is replaced by a value that you supply.
(x)                  Parentheses indicate a mandatory argument.
[x]                  Brackets indicate an optional argument.
|                    A vertical bar indicates a logical OR, such as alternatives within parentheses or brackets.

Example:

NGFW{}traceroute ?
(displays help information)
NGFW{}traceroute (A.B.C.D|HOSTNAME) [from A.B.C.D] [mgmt]

In the above example, the mandatory argument to the traceroute command must be either an IP address or a hostname. An optional argument can be either "from" followed by a source IP address or the keyword "mgmt".

NGFW{}traceroute 198.162.0.1 from 198.162.0.2
NGFW{}traceroute 198.162.0.1 mgmt
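When NGFW commands are generated by scripts, it helps to reject a malformed command line before it is sent to the appliance. The following added example (not part of the HP TippingPoint documentation or product) parses a syntax line written in the notation of Table 1-1 and checks a concrete command against it, with backtracking over optional and alternative parts. The value checks for the A.B.C.D, X:X::X:X and INT placeholders and for (low-high) ranges are our assumptions about what those placeholders mean; any other UPPERCASE placeholder accepts one non-empty word.

```python
"""Check NGFW command lines against the syntax notation used in this guide.

Added example, not HP TippingPoint code. Notation (Table 1-1): UPPERCASE is a
value you supply, (x) is mandatory, [x] is optional, | separates alternatives.
Placeholder value checks below are our assumptions, not the appliance's rules.
"""
import ipaddress
import re

_TOKEN = re.compile(r"\(|\)|\[|\]|\||[^\s()\[\]|]+")
_RANGE = re.compile(r"^(\d+)-(\d+)$")


def _classify(tok):
    """A bare syntax word is a numeric range, an UPPERCASE placeholder or a literal keyword."""
    m = _RANGE.match(tok)
    if m:
        return ("range", (int(m.group(1)), int(m.group(2))))
    if any(c.isupper() for c in tok) and not any(c.islower() for c in tok):
        return ("var", tok)
    return ("lit", tok)


def parse_syntax(syntax):
    """Parse a syntax line into ('alt', [branch, ...]); each branch is a list of
    leaves ('lit'|'var'|'range', spec), nested ('alt', ...) groups or ('opt', group)."""
    tokens = _TOKEN.findall(syntax)
    pos = 0

    def group(closer):
        nonlocal pos
        branches = [[]]
        while pos < len(tokens) and tokens[pos] != closer:
            tok = tokens[pos]
            pos += 1
            if tok == "|":
                branches.append([])
            elif tok == "(":
                branches[-1].append(group(")"))
            elif tok == "[":
                branches[-1].append(("opt", group("]")))
            elif tok in ")]":
                raise ValueError("unexpected %r in %r" % (tok, syntax))
            else:
                branches[-1].append(_classify(tok))
        if closer is not None:
            if pos == len(tokens):
                raise ValueError("missing %r in %r" % (closer, syntax))
            pos += 1  # consume the closing bracket
        return ("alt", branches)

    return group(None)


def _accepts(leaf, arg):
    """Does a single argument satisfy a single leaf?"""
    kind, spec = leaf
    if kind == "lit":
        return arg == spec
    if kind == "range":
        return arg.isdigit() and spec[0] <= int(arg) <= spec[1]
    if spec in ("A.B.C.D", "X:X::X:X"):
        cls = ipaddress.IPv4Address if spec == "A.B.C.D" else ipaddress.IPv6Address
        try:
            cls(arg)
            return True
        except ValueError:
            return False
    if spec == "INT":
        return arg.isdigit()
    return bool(arg)  # NAME, HOSTNAME, WORD, ...: any single word


def _ends(node, args, i):
    """Yield every index where `node` may stop consuming args[i:] (enables backtracking)."""
    if node[0] == "alt":
        for branch in node[1]:
            yield from _ends_seq(branch, args, i)
    elif node[0] == "opt":
        yield i  # the optional part is absent
        yield from _ends(node[1], args, i)
    elif i < len(args) and _accepts(node, args[i]):
        yield i + 1


def _ends_seq(nodes, args, i):
    if not nodes:
        yield i
        return
    for j in _ends(nodes[0], args, i):
        yield from _ends_seq(nodes[1:], args, j)


def validate(syntax, command):
    """True when `command` is a complete instance of `syntax`, with no trailing words."""
    args = command.split()
    return any(end == len(args) for end in _ends(parse_syntax(syntax), args, 0))


if __name__ == "__main__":
    spec = "traceroute (A.B.C.D|HOSTNAME) [from A.B.C.D] [mgmt]"
    for line in ("traceroute 198.162.0.1 from 198.162.0.2", "traceroute 198.162.0.1 from"):
        print("%-42s %s" % (line, "ok" if validate(spec, line) else "REJECT"))
```

The parser treats a parenthesised numeric range such as (1-900000) in the ping syntax as a single value slot, so the same function handles both forms of syntax line used in this guide.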


Shortcut Navigation Keys

The CLI stores typed commands in a circular history buffer. Typed commands can be recalled with the UP and DOWN arrow keys.

The TAB key may be used to complete partial commands. If the partial command is ambiguous, pressing the TAB key twice gives a list of possible commands.

Following is a list of shortcuts.

Table 1-2 Shortcut Keys

ENTER        Run the command.
!            An exclamation mark before a command allows you to execute the command from any feature context or sub-level. For example: NGFW{running-gen}!ping 203.0.113.0
?            A question mark at the root prompt, or after a command (separated by a space), lists the next valid sub-commands or command arguments. A question mark can also be used after sub-commands for more information. A question mark immediately following one or more characters (no space) lists the commands beginning with those characters.
UP ARROW     Show the previous command.
DOWN ARROW   Show the next command.
Ctrl + P     Show the previous command.
Ctrl + N     Show the next command.
Ctrl + L     Clear the screen; does not clear the history.
Ctrl + A     Return to the start of the command you are typing.
Ctrl + E     Go to the end of the command you are typing.
Ctrl + U     Cut the whole line to a special clipboard.
Ctrl + K     Cut everything after the cursor to a special clipboard.
Ctrl + Y     Paste from the special clipboard used by Ctrl + U and Ctrl + K.

Hierarchical Menu and Prompt Display

Prompts are displayed based on the context level, as shown in the following table.

Table 1-3 Root, Edit and Log configuration modes

Command Line prompt          Description
NGFW{}                       Top-level root command mode.
NGFW{}edit                   From the root command line mode, enter the edit command to access configuration mode.
NGFW{running}                Configuration mode, indicated by the prompt change.
NGFW{running}firewall        Enters the firewall configuration context.
NGFW{running}display         View the current configuration and your changes.
NGFW{running}commit          Commits changes to the running configuration.
NGFW{running}exit            Leaves the current context mode.
NGFW{}log-configure          From the root command line mode, enter the log-configure command to access the log configuration mode.
NGFW{log-configure}          Log configuration mode.
NGFW{log-configure}help      Displays the list of valid commands and their syntax usage.
NGFW{log-configure}exit      Leaves the log configuration mode.

Help

The help command provides a list of commands within the current context and their command line usage. The help command can be executed with or without an argument.

• Enter help or ? to see a list of all commands. (A question mark at any context level generates a list of the commands available within the context, along with a brief description.)
• Enter help commandname to see the syntax for a command.
• Enter commandname ? to list the options for a command. For example, ping ?.
• Enter string? to show the commands or keywords that match the string. For example, s?.

Command Modes

The NGFW uses a hierarchical menu structure. Within this structure, commands are grouped by functional area within one of three command modes: Root Command mode, Edit Configuration mode (edit), and Log Configuration mode (log-configure). At the top of the hierarchy is the Root command mode.

NGFW{}                 Root command line mode
NGFW{running}          Edit configuration mode
NGFW{log-configure}    Log configuration mode

A context is an environment in which a set of parameters can be configured for a feature or named object. A context can be the name of an instance of an object set by the administrator, or can be the feature itself. The current context is indicated in the command prompt, and its visibility is determined by the user's role.

Administrative access allows you to modify the configuration of the NGFW appliance. Not all contexts may be visible.

The help and display commands are useful in becoming familiar with the context options. The question mark (?) lists the next valid entry and help for that entry.

If the appliance is controlled by SMS, only read-only access to the system resources is available from the CLI. To determine whether the SMS controls the unit, or to change the control, see the sms command usage.

Root Command Mode

When you initially enter the NGFW appliance, either through the console or SSH, you are placed at the top-level root command line mode with the NGFW{} prompt. The commands at this level are used for managing and monitoring system operations for the various subsystems. From the root command mode, you can access the configuration mode and the operational commands that apply to the unit as a whole. To view the commands available at this level, type help [full|COMMAND] at the command prompt.

NGFW{}help

The default NGFW{} command prompt can be changed using the host name command in the interface mgmt context of the edit mode. For example:

NGFW{}edit
NGFW{running}interface mgmt
NGFW{running-mgmt}help host
(displays valid entries for configuring management port host settings)
NGFW{running-mgmt}host ?
(displays valid entries for the host command)
NGFW{running-mgmt}host name yourhostname

For a list of root commands and their usage, see the Root Commands section.

NOTE:

Your membership role determines which commands the command line interface makes available to you.

Edit Configuration Mode

The configuration mode enables administrators with the appropriate credentials to write configuration changes to the active (running) configuration. The logon account used to configure the device must be associated with either the Superuser role or the Administrator role to edit the configuration context. The configuration mode has different context levels that provide access to a specific set of configuration commands. To enter the configuration mode, use the edit command. Once you have executed the edit command, the CLI prompt indicates that you are in edit mode and can make configuration changes. Configuration options and sub-contexts are available for use until you exit. To exit the edit configuration mode, type exit.

When exiting the configuration mode, the following warning appears:

"WARNING: Modifications will be lost. Are you sure to exit (y/n)? [n]"

Answering y discards any uncommitted changes you made to the configuration file; answering n keeps you in the edit context.

The display command is a helpful utility to view the current running configuration and to review your configuration changes before you save them.

NGFW{running}display

A commit command must be used to save your changes to the running configuration.

The command hierarchy has two types of statements: container statements, which contain objects, and object statements, which are actual commands with options.

For example:

• Container statement in edit mode:

NGFW{running}log
NGFW{running-log}?
(help will list all the available entries)

• Object statement:

NGFW{running}application-visibility enable|disable
(help will display the command options)

A brief overview of what you can do within the edit configuration mode:

• Issue a command that configures a setting in the candidate configuration. The candidate configuration allows you to make configuration changes without altering the active configuration until you have reviewed your changes and issued the commit command.
• Enter a container context to access additional configuration settings.
• Run the display command to see your candidate configuration settings for a context. Any modifications you make can be viewed using the display command.
• Run the commit command to save the changes from your candidate configuration to the running configuration.
• Exit from a context.

NOTE:

As you move through the context menu hierarchies, the command prompt changes accordingly. The help or display command can be entered at any level.

Configuration File Versions

When troubleshooting or rolling back a configuration, the current configuration setup can be viewed. Reviewing network configuration files is a necessary step to becoming knowledgeable about your current system setup. When the device is initially configured, make sure the settings are saved to the persistent configuration with the save-config command:

NGFW{}save-config

It is also advisable to create a snapshot using the following command:

NGFW{}snapshot create orig_conf

Snapshots capture the configuration of a device, which can then be delivered to technical support for troubleshooting. Users can also use snapshots to save and re-apply configurations. Snapshots include the currently installed OS version, and cannot be restored on a device that is not running the same version of the OS. To restore a snapshot, use the following command:

NGFW{}snapshot restore orig_conf

A warning message is displayed, followed by an automatic reboot when the snapshot restore is completed.

The NGFW appliance CLI uses a deferred-commit model. The architecture maintains a set of configuration files to ensure that a working configuration is persistently maintained. This set includes the following configuration files.

Running configuration: the version currently executing on the system. Any changes that administrators make from the edit mode (except for IPS features, action sets and notification contacts) take effect once they have been committed by issuing the commit command. If changes are not committed, all modifications are discarded on exit from the running context. If multiple administrators are on the system, the version that was last committed is used as the current running configuration and is visible to other administrators once they have exited the edit mode. A warning prompt is displayed if the committed changes would overwrite configuration made by another administrator since the configuration was edited.

Saved (persistent) configuration: the running configuration that was last committed prior to executing the save-config command. NGFW copies the saved configuration to the start configuration when the system reboots.

Start configuration: a backup copy of the configuration file saved at the time of system startup, and loaded at the next system bootup. The rollback-config command can be used to roll the persistent and running configuration back to the last known good configuration.

NOTE:

Future versions of the product will support multiple named saved configuration sets.

Utilities

The display and show commands are helpful for troubleshooting and monitoring the operational status of the system. Command line usage can be found in Root Commands.

Display

Enter display to see your candidate configuration settings for a context. Any modifications you make can be viewed using the display command. The output of the display command depends on where the command is executed. If executed at the configuration level, it displays the entire configuration of the unit. Executing the display command with a configuration name parameter, or from within a context, displays the contents of that particular configuration.

Show

The show command is the most efficient way to obtain critical information, such as traffic usage, router platform type, operating system revision, amount of memory, and the number of interfaces. The show command can also be used to evaluate logging, to troubleshoot, and to track resources, sessions, and security settings. To view all the available show utilities, enter the help show command at the root command level. All the available commands along with the correct command line usage are displayed.


2 Global Commands

Global commands can be used in any context.

commit

Applies all pending configuration changes made in edit mode to the running configuration.

NOTE:

This command does not write the modifications to the startup configuration file. However, the save-config command can be run from the edit configuration context by prefixing it with the exclamation mark.

Syntax commit

Example

NGFW{running}commit
NGFW{running}!save-config
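The deferred-commit model described in Configuration File Versions and the commit example above define a sequence that automation must follow exactly: enter edit mode, stage changes, review them with display, commit, and then save-config, because a commit alone does not survive a reboot and an exit without a commit discards everything. The following added example (not HP TippingPoint code) scripts that sequence through any send(line) -> str callable, so the same driver can be pointed at an SSH channel to a real appliance (for example via paramiko, returning the text printed before the next prompt). FakeNgfw is an in-memory stand-in for testing: its prompts and the exit warning are quoted from this guide, while the way it stores settings (one "keyword value" pair per line) and its reboot() method are our simplifications, not the appliance's configuration model.

```python
"""Script the NGFW edit -> display -> commit -> !save-config -> exit sequence.

Added example, not HP TippingPoint code. `apply_config` works with any
`send(line) -> str` transport. `FakeNgfw` only simulates the three
configuration copies described in this guide (running, saved, candidate);
its "keyword value" storage is an assumption made for testing.
"""

EXIT_WARNING = "WARNING: Modifications will be lost. Are you sure to exit (y/n)? [n]"


class FakeNgfw:
    """In-memory stand-in for the appliance's deferred-commit behaviour."""

    def __init__(self):
        self.running = {}        # executing now; changed only by `commit`
        self.saved = {}          # persistent copy written by `save-config`
        self.candidate = None    # your private copy, created by `edit`
        self._confirm_exit = False

    def prompt(self):
        return "NGFW{running}" if self.candidate is not None else "NGFW{}"

    def reboot(self):
        """Simulated power cycle: the saved configuration is what comes back up."""
        self.running, self.candidate = dict(self.saved), None

    def send(self, line):
        line = line.strip()
        if self._confirm_exit:                      # reply to the exit warning
            self._confirm_exit = False
            if line.lower() == "y":
                self.candidate = None               # uncommitted edits are dropped
            return ""
        if line.startswith("!"):                    # run a root command from any context
            return self._root(line[1:])
        if self.candidate is None:
            return self._root(line)
        if line == "display":
            return "\n".join("%s %s" % kv for kv in sorted(self.candidate.items()))
        if line == "commit":
            self.running = dict(self.candidate)
            return ""
        if line == "exit":
            self._confirm_exit = True
            return EXIT_WARNING
        key, _, value = line.partition(" ")         # simplification: one setting per line
        self.candidate[key] = value
        return ""

    def _root(self, line):
        if line == "edit":
            self.candidate = dict(self.running)     # edit takes an instance of the running config
            return ""
        if line == "save-config":
            self.saved = dict(self.running)
            return "Success"
        raise ValueError("root command not modelled by this simulator: " + line)


def apply_config(send, commands, persist=True):
    """Stage `commands` in edit mode, commit them, optionally save-config, then exit.

    Returns the `display` output captured before the commit, for review or audit logs.
    """
    send("edit")
    for cmd in commands:
        send(cmd)
    preview = send("display")
    send("commit")
    if persist:
        send("!save-config")      # as in the guide's example: save without leaving edit mode
    if "Are you sure to exit" in send("exit"):
        send("y")                 # safe here: everything was committed above
    return preview


def discard_changes(send, commands):
    """Stage `commands` and then leave edit mode without committing (they are lost)."""
    send("edit")
    for cmd in commands:
        send(cmd)
    if "Are you sure to exit" in send("exit"):
        send("y")


if __name__ == "__main__":
    box = FakeNgfw()
    apply_config(box.send, ["application-visibility enable"], persist=False)
    box.reboot()
    print("commit only, after reboot:", box.running)        # {}
    apply_config(box.send, ["application-visibility enable"])
    box.reboot()
    print("commit + save-config, after reboot:", box.running)
```

Against a real appliance, the transport should also check that the prompt returned after commit is still NGFW{running} and that the prompt after the final y is NGFW{}; the simulator's prompt() shows where those checks belong.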

exit

Exits the current context.

Syntax exit

Example

NGFW{running-aaa}exit

NGFW{running}

help

Displays help information.

Syntax help [full|COMMAND]

Example

NGFW{running}help log
Enter log context
Syntax: log
log          Enter log context

Example

NGFW{running-firewall}help
Valid commands are:
default-block-rule DEFACTIONSET
delete rule all|XRULEID
help [full|COMMAND]
rename rule XRULEID NEWRULEID
rule (auto|RULEID) [POSITION_VALUE]


more

Set session to display output page by page.

Syntax more (enable|disable)

Example

NGFW{running}more enable

display

Displays the current configuration, or the candidate configuration before a commit is issued. Display options vary by context; enter the help display command in a context to view the available options.

Syntax display
       display [xml]

Example

NGFW{running-aaa-user-myuser1}display
# USER ID user myuser1


3 Root Commands

The top-level root command line mode displays the NGFW{} prompt. Commands at this level are used for managing and monitoring system operations for the various subsystems. From the root command mode, you can access the configuration mode and the available commands that apply to the appliance as a whole. Enter help full or help COMMANDNAME at the command prompt to display a list of available commands or help on a specific command.

NGFW{}help

The default NGFW{} command prompt can be changed using the host name command in the interface mgmt context of the edit mode. For example:

NGFW{}edit
NGFW{running}interface mgmt
NGFW{running-mgmt}help host
(displays valid entries for configuring management port host settings)
NGFW{running-mgmt}host ?
(displays valid entries for the host command)
NGFW{running-mgmt}host name yourhostname

boot

Manages software packages.

Syntax boot (list-image|rollback)

Example

NGFW{}boot list-image
Index  Version
------------------------------------------------------
0      1.0.0.3935
1      1.0.0.2923
2      1.0.0.3932
3      1.0.0.3917
Oldest Index is 2
Factory Reset Index is 3

clear

Clears system information. Clearing a log file such as audit discards its contents on the appliance, so export any log you still need for an investigation before clearing it.

Syntax clear connection-table (blocks|trusts)
       clear high-availability state-sync (all|firewall|ips|routing)
       clear ip bgp (A.B.C.D|ASNUMBER|all|external) [soft] [in|out]
       clear ip bgp peer-group NAME [soft] [in|out]
       clear log-file (audit|fwAlert|fwBlock|ipsAlert|ipsBlock|quarantine|reputationAlert|reputationBlock|system|visibility|vpn)
       clear np engine filter
       clear np engine packet
       clear np engine parse
       clear np engine reputation dns
       clear np engine reputation ip
       clear np engine rule
       clear np reassembly ip
       clear np reassembly tcp
       clear np rule-stats
       clear np softlinx
       clear np tier-stats
       clear counter policy
       clear rate-limit streams
       clear users all [locked|ip-locked]
       clear users (NAME|A.B.C.D|X:X::X:X) [locked]

Example

NGFW{}clear log-file vpn

Example

NGFW{}clear ip bgp 10.10.10.10 soft in

Not cleared BGP is not active

Example

NGFW{}clear ip bgp external soft

Example

NGFW{}clear users fred

date

Used alone to display the current date, or with arguments to set the date and time in 24-hour format. The date command shows the current time in the time zone configured on the device; the gmt argument shows the time in GMT (UTC).

Syntax date [MMDDhhmm[[CC]YY][.ss]]
       date gmt

Example

NGFW{}date 071718202013.59
(sets the date to July 17 2013, 18:20:59)
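The argument format MMDDhhmm[[CC]YY][.ss] has optional century, year and seconds, so a script that sets the appliance clock (for example where NTP is unavailable) should always emit the full 12-digit form and must disambiguate the shorter forms when reading them back. The following added example (not HP TippingPoint code) does both; the notation is the guide's, while filling a missing year from the clock of the machine running the script, and completing a two-digit YY with that clock's century, are our assumptions.

```python
"""Format and parse the argument of the NGFW `date` command: MMDDhhmm[[CC]YY][.ss].

Added example, not HP TippingPoint code. Assumption: a missing year (or century)
is taken from `now`, which defaults to the local clock of this script.
"""
import re
from datetime import datetime

_DATE_ARG = re.compile(r"(\d{2})(\d{2})(\d{2})(\d{2})(\d{4}|\d{2})?(?:\.(\d{2}))?")


def to_ngfw_date(when):
    """Render a datetime in the unambiguous full form MMDDhhmmCCYY.ss."""
    return when.strftime("%m%d%H%M%Y.%S")


def is_ngfw_date(arg):
    """True if `arg` is syntactically one of the accepted forms."""
    return _DATE_ARG.fullmatch(arg) is not None


def from_ngfw_date(arg, now=None):
    """Parse any accepted form back into a datetime.

    `now` supplies the year (and the century for a two-digit YY) when the
    argument omits them.
    """
    m = _DATE_ARG.fullmatch(arg)
    if not m:
        raise ValueError("not in MMDDhhmm[[CC]YY][.ss] form: %r" % arg)
    mm, dd, hh, mi, year, ss = m.groups()
    now = now or datetime.now()
    if year is None:
        y = now.year
    elif len(year) == 2:
        y = now.year - now.year % 100 + int(year)   # assumption: same century as `now`
    else:
        y = int(year)
    return datetime(y, int(mm), int(dd), int(hh), int(mi), int(ss or 0))


if __name__ == "__main__":
    print(from_ngfw_date("071718202013.59"))                 # 2013-07-17 18:20:59
    print(to_ngfw_date(datetime(2013, 7, 17, 18, 20, 59)))   # 071718202013.59
```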

edit

The edit context modifies the configuration that defines the security policy and interfaces you can configure for your firewall.

Edit takes an instance of the running configuration file. This instance is your candidate version. After making modifications to the candidate configuration, you have the option of saving it to the running configuration or discarding any changes you made. To discard, simply exit. To save your candidate configuration, enter the commit command before exiting the edit context. To see the commands available under the edit context, see edit configuration.

NGFW{}
NGFW{}edit
NGFW{running}
NGFW{running}commit
NGFW{running}exit
NGFW{}

flush

Flushes the following configuration items.

Syntax flush (arp|ndp)
       flush ipsec sa policy NAME [id ID]
       flush ike sa [policy NAME [id ID]]
       flush bgp [ip] A.B.C.D [(in prefix-filter)|in|out|(soft [in|out])|rsclient]
       flush bgp ip A.B.C.D [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft [in|out])]
       flush bgp ip A.B.C.D [vpnv4 unicast in|out|(soft [in|out])]
       flush bgp ipv6 X:X::X:X [(in prefix-filter)|in|out|(soft [in|out])|rsclient]
       flush bgp [ip] dampening [A.B.C.D/M|(A.B.C.D [A.B.C.D])]
       flush bgp [ip] external [(in prefix-filter)|in|out|(soft [in|out])]
       flush bgp ip external [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft [in|out])]
       flush bgp ipv6 external [(in prefix-filter)|(soft [in|out])]
       flush bgp ipv6 external [peer WORD (in|out)]
       flush bgp [ip] view WORD [soft [in|out]]
       flush bgp [ip|ipv6] view WORD (A.B.C.D|X:X::X:X|all) rsclient
       flush bgp ip view WORD [ipv4 (unicast|multicast)] (in prefix-filter)|(soft [in|out])
       flush bgp [ip|ipv6] PEERAS [(in prefix-filter)|in|out|(soft [in|out])]
       flush bgp ip PEERAS [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft [in|out])]
       flush bgp ip PEERAS [vpnv4 unicast in|out|(soft [in|out])]
       flush bgp [ip|ipv6] all [(in prefix-filter)|in|out|(soft [in|out])|rsclient]
       flush bgp ip all [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft [in|out])]
       flush bgp ip all [vpnv4 unicast in|out|(soft [in|out])]
       flush bgp [ip|ipv6] peer-group [(in prefix-filter)|in|out|(soft [in|out])]
       flush firewall-session (all|ID) [family (ipv4|ipv6)]

Example

NGFW{}flush firewall-session 134217756
Success
NGFW{}flush ipsec sa policy mytunnel

help

Displays help information at any context level.

high-availability

Manage high-availability devices.

Syntax high-availability force (active|passive) high-availability segment force (normal|fallback)

Example

NGFW{}high-availability segment force normal

Status: OK

list

Displays traffic capture file list.

Syntax list traffic-file

Example

NGFW{}list traffic-file

log-configure

Enter log configuration context.


Syntax log-configure

Example

NGFW{}log-configure

NGFW{log-configure}help

NGFW{log-configure}show log-file summary

Related Commands

Log Configure Commands

logout

Logs you out of the system.

Syntax logout

Example

NGFW{}logout

master-key

The system master-key is used to encrypt the removable user-disk (the external CFast), and the system keystore. The user-disk holds traffic logs, packet capture data, and system snapshots. The keystore retains data such as device certificates and private keys.

The master-key has the following complexity requirements:

• Must be between 9 and 32 characters in length.

• Combination of upper and lower case alpha and numbers.

• Must contain at least one special character (for example, !@#$%).

The master-key command sets or clears the master key for keystore and external CFast user-disk encryption.

Syntax master-key (clear|get|set)

Example

Set the master key for keystore and user-disk encryption

NGFW{}master-key set

WARNING: Master key will be used to encrypt the keystore and external user disk.

Do you want to continue (y/n)? [n]: y

Enter Master Key : ****************

Re-enter Master Key: ****************

Success: Master key has been set.

Example

NGFW{}master-key get

Success: My.1.MasterKey!!

Example

NGFW{}master-key clear

WARNING: Clearing master key will remove encryption from the keystore and external user disk.

Do you want to continue (y/n)? [n]: y

Success: Master key has been cleared.
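As an added example (not code from the HP reference), the complexity rules above expressed as a local check that can be run on a candidate key before it is typed at the master-key set prompt; it assumes that "special" characters are ASCII punctuation and that the combination rule means at least one upper-case letter, one lower-case letter and one digit.

```python
import getpass
import string

# Added example, not code from the HP NGFW reference. It checks a candidate
# master-key against the complexity rules the reference states for
# "master-key set". The "master-key get" example shows the appliance echoing
# the stored key in clear text, so validating locally keeps the key out of
# session transcripts.
MIN_LEN = 9
MAX_LEN = 32
# Assumption: "special" characters are ASCII punctuation such as !@#$%.
SPECIAL_CHARS = set(string.punctuation)


def master_key_violations(key):
    """Return the rules the candidate key breaks; an empty list means it is acceptable."""
    problems = []
    if not (MIN_LEN <= len(key) <= MAX_LEN):
        problems.append("length must be between %d and %d characters" % (MIN_LEN, MAX_LEN))
    # "Combination of upper and lower case alpha and numbers" is read here
    # (assumption) as at least one character from each of the three classes.
    if not any(c.isupper() for c in key):
        problems.append("needs at least one upper-case letter")
    if not any(c.islower() for c in key):
        problems.append("needs at least one lower-case letter")
    if not any(c.isdigit() for c in key):
        problems.append("needs at least one digit")
    if not any(c in SPECIAL_CHARS for c in key):
        problems.append("needs at least one special character (e.g. !@#$%)")
    return problems


def is_acceptable_master_key(key):
    return not master_key_violations(key)


def prompt_for_master_key():
    """Prompt twice without echo, mirroring the Enter/Re-enter exchange of master-key set."""
    first = getpass.getpass("Enter Master Key : ")
    second = getpass.getpass("Re-enter Master Key: ")
    if first != second:
        return None, ["the two entries do not match"]
    return first, master_key_violations(first)


if __name__ == "__main__":
    key, problems = prompt_for_master_key()
    if problems:
        for p in problems:
            print("rejected:", p)
    else:
        print("candidate meets the stated complexity rules")
```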

16 Root Commands

ping

Test connectivity with ICMP traffic. The mgmt option uses the management interface.

Syntax ping (A.B.C.D|HOSTNAME) [count INT] [maxhop INT] [from A.B.C.D] [mgmt] [datasize INT]

ping (A.B.C.D|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [from A.B.C.D] [mgmt] [datasize (64-65468)]

ping6 (X:X::X:X|HOSTNAME) [count INT] [maxhop INT] [interface INTERFACE] [from X:X::X:X] [datasize INT]

ping6 (X:X::X:X|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [interface INTERFACE] [from X:X::X:X] [datasize (64-65468)]

Example

Ping using the mgmt port:

NGFW{}ping 192.168.1.1 mgmt

PING 192.168.1.1 (192.168.1.1): 56 data bytes

64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 vrfid=500 time=0.4 ms

64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 vrfid=500 time=0.1 ms

64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 vrfid=500 time=0.1 ms

64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 vrfid=500 time=0.1 ms

--- 192.168.1.1 ping statistics ---

4 packets transmitted, 4 packets received, 0% packet loss

round-trip min/avg/max = 0.1/0.1/0.4 ms

ping6

Test connectivity with ICMPv6 traffic.

Syntax ping6 (X:X::X:X|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [interface INTERFACE] [from X:X::X:X] [datasize (64-65468)]

Example

Ping using the data ports:

NGFW{}ping6 100:0:0:0:0:0:0:1

PING 100:0:0:0:0:0:0:1 (100:0:0:0:0:0:0:1): 56 data bytes

64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=1 ttl=64 vrfid=0 time=0.3 ms

64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=2 ttl=64 vrfid=0 time=0.1 ms

64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=3 ttl=64 vrfid=0 time=0.1 ms

64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=4 ttl=64 vrfid=0 time=0.1 ms

--- 100:0:0:0:0:0:0:1 ping statistics ---

4 packets transmitted, 4 packets received, 0% packet loss

round-trip min/avg/max = 0.1/0.1/0.3 ms

reboot

Reboots the system.

Syntax reboot

Example

NGFW{}reboot

WARNING: Are you sure you want to reboot the system (y/n) [n]:


reports

Configure data collection for on-box reports.

Syntax reports (reset|enable|disable) [all|cpu|disk|fan|memory|network|rate-limiter|temperature|traffic-profile|vpn]

Valid entries:

reset            Delete report data
enable           Start data collection for reports
disable          Stop data collection for reports
all              All reports (default)
cpu              CPU utilization report
disk             Disk utilization report
fan              Fan speed report
memory           Memory utilization report
network          Network bandwidth report
rate-limiter     Rate Limiter report
temperature      Temperature report
traffic-profile  Traffic Profile report
vpn              VPN report

Example

NGFW{}reports enable cpu

NGFW{}reports reset cpu

WARNING: Are you sure you want to reset cpu reports (y/n)? [n]:

Related Commands

show reports

save-config

Saves the running configuration to a persistent configuration.

Syntax save-config

Example

NGFW{}save-config

WARNING: Saving will apply this configuration at the next system start. Continue (y/n)? [n]:

service-access

Enable or disable service access.

Syntax service-access (enable|disable)

Example

NGFW{}service-access enable

Serial: X-NGF-S1020F-GENERIC-001

Salt: Zk0lenyg

NGFW{}service-access disable


set

Syntax set cli filtering rule (auto-comment|no-auto-comment|(last-auto-comment-value INT))

Example

NGFW{}set cli filtering rule auto-comment

NGFW{}set cli filtering rule no-auto-comment

show

The show command enables you to view current system configuration, status, and statistics.

Table 3-1 Show commands

Command                        Description
show aaa                       Show AAA information
show agglink                   Show agglink status
show arp                       Show Address Resolution Protocol entries
show autoconf dhcpv4 client    IPv4 Dynamic Host Configuration Protocol
show autoconf dhcpv6 client    IPv6 Dynamic Host Configuration Protocol
show autoconf ra               Show autoconfig Router Advertisement information
show cluster                   Show cluster status
show date                      Show the current router date and time
show dhcp relay                Show DHCPv4 Relay information
show dhcp server lease         Display DHCP server leases history
show dhcpv6                    Show DHCPv6 client lease
show dns                       Show Domain Name Service
show firewall                  Display firewall rules and sessions
show high-availability         Show high-availability status
show interface                 Show network interface
show ip bgp                    Show the Border Gateway Protocol information
show ip igmp                   Show Internet Group Management Protocol
show ip mroute                 Show Multicast Static IP route
show ip ospf                   Show Open Shortest Path First (OSPF) information
show ip pim-sm                 Show PIM-SM routing information
show ip rip                    Show the RIP routes
show ip route                  Show the unicast routes
show ip smr                    Show SMR routing information
show ipv6 mld                  Show IPv6 routing information for MLD group or interface
show ipv6 mroute               Show IPv6 routing information for multicast routes
show ipv6 ospfv3               Show the OSPFv3 unicast routes
show ipv6 pim-sm               Show IPv6 Protocol Independent Multicast - Sparse Mode (PIM-SM) routing information
show ipv6 ripng                Show RIPng routing information
show ipv6 route ripng          Show RIPng route information
show (ip|ipv6) route           Show the unicast routes
show key                       Show local server SSH key information
show l2tp                      Show Layer 2 Tunneling Protocol information
show license                   Show the license number and status
show log-file                  Show the log files
show log-file boot             Show the boot file
show mfg-info                  Show manufacturing information
show ndp                       Show Neighbor Discovery Protocol
show np engine                 Show net processor statistics
show np general statistics     Show general network processor information
show np protocol-mix           Show network processor protocol-level statistics
show np reassembly             Show network processor reassembly statistics
show np rule-stats             Show network processor rules, number of flows, successful matches
show np softlinx               Show network processor softlinx statistics
show np tier-stats             Show network processor throughput and utilization for each tier
show quarantine-list           Show quarantine list information
show reports                   Show status of data collection for reports
show service                   Show network service information
show sms                       Show status of SMS control
show snmp                      Show SNMP information
show system buffers            Show Forwarding buffer state
show system connections        Show active socket information
show system processes          Show system processes
show system statistics         Show system-wide protocol-related statistics
show system usage              Show system usage
show system virtual-memory     Show system virtual memory
show system xms memory         Show xms memory usage
show terminal                  Show terminal settings
show traffic-file              Show network traffic from file
show tse connection-table      Show TSE connection-table information
show users                     Show users information
show version                   Show device version information

show aaa

Syntax show aaa capabilities USER

Example

NGFW{}show aaa capabilities fred

ID NAME STATE

---------------------------------------------

1 NGFW full

2 SECURITY full

3 FIREWALLRULES full

4 SECURITYZONES full

5 APPLICATIONGROUPS full

6 ADDRESSGROUPS full

7 SERVICES full

8 SCHEDULES full

9 INSPECTIONPROFILES full

10 IPS full

11 IPREPUTATION full

12 PROFILEGROUPS full

13 CAPTIVEPORTALRULES full

14 NATRULES full

15 ACTIONSETS full

16 SYSTEM full

17 SMSMANAGED full

18 MANAGEMENT full

19 DNS full

20 IPFILTERS full

21 UPGRADE full

22 NOTIFICATION full

23 LOGGING full

24 HIGHAVAILABILITY full

25 HACONFIGURATION full

26 HASTATE full

27 SNMP full

28 TIME full

29 FIPS full

30 UPDATE full

31 PACKAGES full

32 AUTODV full

33 SNAPSHOT full

34 USERAUTH full

35 LOCALUSER full

36 USERGROUP full

37 ROLES full

38 RADIUS full

39 LDAP full


40 CAPTIVEPORTAL full

41 GENERAL full

42 X509CERT full

43 VPN full

44 IKE full

45 IKECONFIGURATION full

46 IKESTATUS full

47 IPSEC full

48 IPSECCONFIGURATION full

49 IPSECSTATUS full

50 L2TP full

51 L2TPCONFIGURATION full

52 L2TPSTATUS full

53 REPORTING full

54 LOG full

55 FIREWALLLOG full

56 IPSLOG full

57 REPUTATIONLOG full

58 VPNLOG full

59 SYSTEMLOG full

60 AUDITLOG full

61 SECURITYREPORTS full

62 NETWORKREPORTS full

63 DEBUGTOOLS full

64 REBOOT full

65 SHUTDOWN full

66 SERVICEACCESS full

67 NETWORK full

68 INTERFACES full

69 SEGMENTS full

70 DHCPSERVER full

71 DHCPRELAY full

72 ARPNDP full

73 STATICROUTES full

74 STATICMONITOREDROUTES full

75 DYNAMICROUTING full

76 ACCESSLISTS full

77 ROUTEMAPS full

78 OSPF full

79 RIP full

80 BGP full

81 MULTICAST full

82 ROUTINGTABLE full

83 COMPACTFLASH full

84 CUSTOMCATEGORIES full

85 APPLICATIONVISIBILITY full

86 GLOBALINSPECTIONPROFILE full

87 DEBUGNP full

show agglink

Displays information about whether or not the member ports are up in the aggregated link.

Syntax show (agglink|INTERFACE)


Example

NGFW{}show agglink

#AGGLINK TABLES

Service ETHGRP is inactive

show arp

Syntax show arp

Example

NGFW{}show arp

IP Address Mac-Address Interface State

15.226.140.254 3c:e5:a6:13:7f:2a mgmt delay

show ndp

Syntax show ndp

Example

NGFW{}show ndp

IP Address Mac-Address Interface State

fe80::3ee5:a6ff:fe13:7f2a 3c:e5:a6:13:7f:2a mgmt stale

show autoconf dhcpv4 client

Syntax show autoconf dhcpv4 client (current|history)

Example

NGFW{}show autoconf dhcpv4 client

Example

NGFW{}show autoconf dhcpv4 client history

# DHCPCLIENT LEASES HISTORY

Service DHCP is inactive

show autoconf dhcpv6 client

Syntax show autoconf dhcpv6 client

Example

NGFW{}show autoconf dhcpv6 client

Service DHCPv6 client is inactive

show autoconf ra

Syntax show autoconf ra (INTERFACE|all)

Example

NGFW{}show autoconf all


no data

show cluster

Syntax show cluster

Example

cluster.3-device23{}show cluster

Cluster Status

--------------

Name: cluster

Identifier: 3

State: Enabled

Segment HA: Normal

Master: cluster.3-device23

Members

-------

Name: cluster.3-device23

HA State: Active

show date

This command shows the GMT time or the local time and timezone for the appliance.

Syntax show date [gmt]

Example

NGFW{}show date

Sun Sept 15 04:29:59 2013 GMT

NGFW{}show date gmt

Wed Aug 21 21:51:13 2013 GMT

NGFW{}show date

Wed Aug 21 14:51:16 2013 America/Los_Angeles

show dhcp relay

Shows DHCPv4 Relay information.

Syntax show dhcp relay

Example

NGFW{}show dhcp relay

DHCP Relay is not running

show dhcp server lease

Syntax show dhcp server lease (current | history)

Example

NGFW{}show dhcp server lease current

Status: Inactive


IP Address Mac Address Start date & time End date & time

show dhcpv6

Syntax show dhcpv6

Example

NGFW{}show dhcpv6

Service DHCPv6 client is inactive

show dns

Syntax show dns

Example

NGFW{}show dns

# DNS PROXY

Proxy Disabled

# STATIC DNS

# DYNAMIC V4 DNS

# DYNAMIC V6 DNS

show firewall

Displays firewall rules and sessions.

Syntax show firewall rules [count MAX-RULES] [rule all|ID] [action-set ACTIONSET] [src-zones SRC-ZONE] [dst-zones DST-ZONE] [services SERVICES] [schedules SCHEDULE] [application APPS] [more]

show firewall sessions [count MAX-SESSIONS] [family FAMILY] [protocol PROTOCOL] [direction DIRECTION] [more]

Example

NGFW{}show firewall sessions

ID   Protocol State     Direction Source(IP:PORT) Destination(IP:PORT) Bytes Expires

------------------------------------------------------------------------------------

3469 IGMP(2)  unreplied original  192.168.1.1     224.0.0.2            32    75

                       reply     224.0.0.2       192.168.1.1          0

NGFW{}show firewall rules

1. Rule: 20000

Action set: Permit + Notify

2. Rule: 20010

Action set: Permit + Notify

show high-availability

Syntax show high-availability (state-sync (all|FEATURE))

Example

NGFW{}show high-availability state-sync firewall

HA Synchronization State


------------------------

Name: firewall

State: enabled

Synchronization State: Not initialized

Reason: Unable to determine synchronization state

Total Entries: 353

Added Entries: 324

Deleted Entries: 0

Related Commands

high-availability force (active|passive)

high-availability segment force (normal|fallback)

show interface

Syntax show interface [INTERFACE [statistics [update INT]]]

show interface [INTERFACE] multicast-registration

Examples

NGFW{}show interface ha

Interface ha

MAC Address 00:10:f3:2c:81:df

Enabled Yes

Link Down

Speed 10Mbps

Auto Negotiate Enabled

Duplex Half

MTU 9216

NGFW{}show interface mgmt

Interface mgmt

IP Address A.B.C.D/24

IPv6 Address fe80::210:f3ff:fe2c:81de/64 (Link Local)

MAC Address 00:10:f3:2c:81:de

Enabled Yes

Link Up

Speed 1000Mbps

Auto Negotiate Enabled

Duplex Full

MTU 1500

NGFW{}show interface bridge1

Interface bridge1

IPv6 Address fe80::210:f3ff:fe2c:81e2/64 (Link Local)

MAC Address 00:10:f3:2c:81:e2

Enabled Yes

Link Up

MTU 1500

NGFW{}show interface multicast-registration

default:

IGMP: igmpv3

MLD : mldv2

force:

IGMP: igmpv3

MLD : mldv2


show ip bgp

Syntax show ip bgp

show ip bgp debug

show ip bgp A.B.C.D/M

show ip bgp summary

show ip bgp neighbors

show ip bgp neighbors A.B.C.D

show ip bgp neighbors A.B.C.D (advertised-routes|routes)

show ip bgp filter-list FILTER-LIST-NAME

show ip bgp prefix-list PREFIX-LIST-NAME

show ip bgp route-map ROUTE-MAP-NAME

show ip bgp community-list COMMUNITY-LIST-NAME

show ip bgp community AA:NN|internet|local-as|no-export|no-advertise

Example

NGFW{}show ip bgp

BGP Router Default Instance (ASN 230)

BGP table version is 0, local router ID is 172.16.30.230

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale, R Removed

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

*> 99.1.0.0/24 172.16.30.99 11 32768 ?

*> 99.2.0.98/32 172.16.30.99 11 32768 ?

*> 172.16.40.0/24 172.16.20.98 0 0 98 i

Total number of prefixes 3

show ip igmp

Shows IGMP interface information or group information.

Syntax show ip igmp (interface|groups)

Example

NGFW{}show ip igmp interface

ethernet2 is up

Interface address: 172.16.30.230/24

IGMP on this interface: enabled

Multicast routing on this interface: enabled

Multicast TTL threshold: 1

Current IGMP router version: 3

IGMP query interval: 125 seconds

IGMP max query response time: 100 deciseconds

Last member query response interval: 10 deciseconds

IGMP Querier: 172.16.30.230

Robustness: 2

Require Router Alert: enabled

Startup Query Interval: 312 deciseconds

Startup Query Count: 2

General Query Timer Expiry: 00:00:07

Startup Query Timer Expiry: 00:00:07

Multicast groups joined:


show ip mroute

Shows the multicast routes.

Syntax show ip mroute

Example

NGFW{}show ip mroute

Source Group In-interface Out-interface(s)

152.168.1.2 239.255.255.2 pimreg ethernet1

show ip ospf

Displays general information about Open Shortest Path First (OSPF) routing processes.

Syntax show ip ospf ?

show ip ospf (database|interface[IFACE]|neighbor [debug]|redistribute|route[debug])

Example

NGFW{}show ip ospf

OSPF Router with ID (15.255.125.122)

OSPF Routing Process 0 [VRF 0], Router ID: 15.255.125.122

Supports only single TOS (TOS0) routes

This implementation conforms to RFC2328

RFC1583Compatibility flag is disabled

OpaqueCapability flag is enabled

SPF schedule delay 200 secs, Hold time between two SPFs 1000 secs

Refresh timer 10 secs

Kernel delay 50 ms

This router is an ASBR (injecting external routing information)

Redistribute Configuration

Maximum-Prefix is not configured

Number of external LSA 0. Checksum Sum 0x00000000

Number of opaque AS LSA 0. Checksum Sum 0x00000000

Number of areas attached to this router: 1

Area ID: 0.0.0.0 (Backbone)

Number of interfaces in this area: Total: 1, Active: 1

Number of fully adjacent neighbors in this area: 1

Area has no authentication

SPF algorithm executed 8 times (in 0 ms)

Number of LSA 3

Number of router LSA 2. Checksum Sum 0x00015328

Number of network LSA 1. Checksum Sum 0x00000b59

Number of summary LSA 0. Checksum Sum 0x00000000

Number of ASBR summary LSA 0. Checksum Sum 0x00000000

Number of NSSA LSA 0. Checksum Sum 0x00000000

Number of opaque link LSA 0. Checksum Sum 0x00000000

Number of opaque area LSA 0. Checksum Sum 0x00000000

show ip pim-sm

Syntax show ip pim-sm (interface|neighbor|rp|bsr-router)


Example

NGFW{}show ip pim-sm interface

Address      Interface Mode   Neighbor Count Hello Intvl DR Pri DR Address

182.168.1.10 ethernet5 sparse 1              30          1      182.168.1.20

Example

ngfw{}show ip pim-sm neighbor

Interface Address

ethernet5 182.168.1.20

ngfw{}show ip pim-sm bsr-router

PIMv2 Bootstrap information

This system is the Bootstrap Router (BSR)

BSR address: 182.168.1.10

Uptime: 00:00:26, BSR Priority: 10, Hash mask length: 30

Next bootstrap message in 00:00:34

ngfw{}show ip pim-sm rp

The PIM RP Set

Group: 239.255.255.2/32

RP: 182.168.1.10

Uptime: 00:00:51, Expires: 00:01:39, Priority: 10

show ip rip

Shows the RIP routes.

Syntax show ip rip

Example

NGFW{}show ip rip

RIP Router Default Instance

Routing Protocol is "rip"

Sending updates every 30 seconds with +/-50%, next due in 29 seconds

Timeout after 180 seconds, garbage collect after 120 seconds

Mesage load balancing using 1 time slots

Default redistribution metric is 1

Redistributing:

Default version control: send version 2, receive any version

Interface Send Recv Pri RIPv1BorderGW RIPv1IngrSumy Key-chain

ethernet1 2 1 2 7 Enable Enable

Split horizon

No authentication

Routing for Networks:

ethernet1

Routing Information Sources:

Gateway BadPackets BadRoutes Distance Last Update

Distance: (default is 120)

show ip route

Syntax show ip route (bgp|connected|debug|mgmt|ospf|rip|smr|static)


Example

NGFW{}show ip route debug

Codes: K - kernel route, C- connected, S - static, R - RIP, O - OSPF,

B - BGP, > - selected route, * - FIB route

K * 127.0.0.0/8 is directly connected, unknown(0) inactive, rej

C>* 127.0.0.0/8 is directly connected, lo

C>* 192.168.1.0/24 is directly connected, ethernet13

C>* 192.168.100.0/24 is directly connected, ethernet14

K>* 224.0.0.2/32 is directly connected, lo501

S>* 0.0.0.0/0 [1/0] [vrf 500] via 15.220.140.254, mgmt

C>* 15.220.140.0/24 [vrf 500] is directly connected, mgmt

C>* 127.0.0.0/8 [vrf 500] is directly connected, lo500

C>* 127.0.0.0/8 [vrf 501] is directly connected, lo501

C>* 169.254.0.0/24 [vrf 501] is directly connected, ha

show ip smr

Show SMR routing information.

Syntax show ip smr [status]

Example

NGFW{}show ip smr

Type Prefix NextHop Distance Probe Target

* 1.1.1.0/24 172.16.20.220 10

* 2.2.2.0/24 172.16.20.220 10

* 3.3.3.0/24 172.16.20.220 10

4.4.4.0/24 172.16.20.30 10

NGFW{} show ip smr status

3 route(s) active

1 route(s) inactive

Global round-trip avg/max 0.5/29.2 msec

10 packets/640 bytes sent last second

show ipv6 mld

Shows IPv6 routing information for MLD group or interface.

Syntax show ipv6 mld (interface|groups)

Example

NGFW{}show ipv6 mld interface

ethernet1 is up

Interface address: fe80::210:f3ff:fe24:5b7e%ethernet1/64

MLD on this interface: enabled

Multicast routing on this interface: disabled

Current MLD router version: 2

MLD query interval: 125 seconds

MLD max query response time: 10 seconds

Last member query response interval: 10 deciseconds

MLD Querier: fe80::210:f3ff:fe24:5b7e%ethernet1

Robustness: 2

Require Router Alert: enabled

Startup Query Interval: 312 deciseconds


Startup Query Count: 2

General Query Timer Expiry: 00:01:19

Multicast groups joined:

NGFW{}show ipv6 mld groups

MLD Connected Group Membership

Group Address Interface Uptime   Expires  Last Reporter

ff1e:11::1    ethernet1 00:00:04 00:04:16 fe80::215:17ff:fe3c:edea%ethernet1

show ipv6 mroute

Shows IPv6 routing information for multicast routes.

Syntax show ipv6 mroute

Example

NGFW{}show ipv6 mroute

Source Group In-interface Out-interface(s)

2001:300::2 ff1e:11::1 pimreg ethernet1

show ipv6 ospfv3

Shows the OSPFv3 unicast routes.

Syntax show ipv6 ospfv3 (database|interface[IFACE]|neighbor[debug]|route)

Example

NGFW{}show ipv6 ospfv3

OSPFv3 Router with ID (172.16.30.230)

OSPFv3 Routing Process 0 [VRF 0] with Router-ID 172.16.30.230

Running 00:00:07

Graceful Restart: Enabled with interval 120

Status: restarting (left time 113s)

Graceful Restart Helper: Enabled

Redistribute Configuration

Maximum-Prefix is not configured

Number of AS scoped LSAs is 0

Number of AS scoped LSAs is 0

Number of areas in this router is 2

Area 0.0.0.0

Number of Area scoped LSAs is 0

Interface attached to this area: ethernet1

Area 0.0.0.9

Number of Area scoped LSAs is 0

Interface attached to this area:

show ipv6 pim-sm

Protocol Independent Multicast - Sparse Mode (PIM-SM) provides efficient communication between members of sparsely distributed multicast groups. PIM-SM is designed to limit multicast traffic so that only switches interested in receiving traffic for a particular group receive it.

Syntax show ipv6 pim-sm (interface|neighbor|rp|bsr-router)


Example

NGFW{}show ipv6 pim-sm interface

Interface Mode   Neighbor Count Hello Interval DR Priority

ethernet5 sparse 1              30             1

Address: fe80::210:f3ff:fe24:5b82

DR Address: this system

NGFW{}show ipv6 pim-sm neighbor

Interface Address

ethernet5 fe80::210:f3ff:fe24:5b5b

NGFW{}show ipv6 pim-sm bsr-router

PIM6v2 Bootstrap information

This system is the Bootstrap Router (BSR)

BSR address: 2001:200::10

Uptime: 00:20:00, BSR Priority: 10, Hash mask length: 126

Next bootstrap message in 00:00:00

NGFW{}show ipv6 pim-sm rp

The PIM6 RP Set

Group: ff1e:11::1/128

RP: 2001:200::10

Uptime: 00:20:22, Expires: 00:01:59, Priority: 0

show ipv6 ripng

Shows the RIPng routes.

Syntax show ipv6 ripng

Example

NGFW{}show ipv6 ripng

RIPng Router Default Instance

Routing Protocol is "RIPng"

Sending updates every 30 seconds with +/-50%, next due in 37 seconds

Timeout after 180 seconds, garbage collect after 120 seconds

Default redistribution metric is 1

Redistributing:

Default version control: send version 1, receive version 1

Interface Send Recv

ethernet1 1 1

Split horizon

Routing for Networks:

ethernet1

Routing Information Sources:

Gateway ReceivedPackets BadPackets BadRoutes Distance Last Update

Distance: (default is 120)

show ipv6 route ospfv3

Shows the OSPFv3 unicast routes.

Syntax show ipv6 route ospfv3

Example

NGFW{}show ipv6 route ospfv3


Codes: O - ospfv3, > - selected route, * - FIB route

O>* 1:1::/64 [110/2] via fe80::20c:29ff:fee0:c919, ethernet2, 00:00:28

O>* 2:2::2:2/128 [110/1] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28

O>* 2100::/64 [110/2] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28

O>* 2100::2/128 [110/1] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28

show ipv6 route ripng

Shows the RIPng routes.

Syntax show ipv6 route ripng

Example

NGFW{}show ipv6 route ripng

Codes: K - kernel route, C - connected, S - static, R - RIPng, O - OSPFv3,

I - ISIS, B - BGP, N - NAT-PT, D - Delegated Prefix, > - selected route,

* - FIB route, b - Backup route, < - delayed route, Q - Untyped route

R>* 4100::/64 [120/2] via fe80::210:f3ff:fe26:f375, ethernet2, 00:00:07

show (ip|ipv6) route

Syntax show (ip|ipv6) route (debug|mgmt|static|connected)

Example

NGFW{}show ipv6 route static

Codes: S - static, > - selected route, * - FIB route

show key

Shows local server SSH key.

Syntax show key

Example

NGFW{}show key

show l2tp

Shows layer 2 tunneling protocol information.

Syntax show l2tp

Example

NGFW{}show l2tp

=============

Current sessions for L2TP:

L2TP server is not running.


show license

Syntax show license

Example

NGFW{}show license

License: 1.0.0.11 (Transitional)

Feature      Status Permit Expiration Details

------------ ------ ------ ---------- -------

License      OK     Allow  10/3/2013  Using the transitional license.

Update TOS   OK     Allow  10/3/2013

Update DV    OK     Allow  10/3/2013

Auxiliary DV Info   Deny   Never      Not licensed to use feature.

ReputationDV Info   Deny   Never      Not licensed to use feature.

show log-file

The following log files are available:

• system

• audit

• fwAlert

• fwBlock

• vpn

• ipsAlert

• ipsBlock

• reputationAlert

• reputationBlock

• quarantine

show log-file FILE_NAME

Syntax show log-file FILE_NAME [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more]

show log-file FILE_NAME [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file FILE_NAME [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]

show log-file FILE_NAME [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]

show log-file FILE_NAME stat

show log-file summary [verbose]

show log-file boot [tail COUNT] [more]

show log-file boot [search [(options)]{0,2} PATTERN] [count COUNT] [more]

In the forms above, FILE_NAME is one of audit, fwAlert, fwBlock, ipsAlert, ipsBlock, quarantine, reputationAlert, reputationBlock, summary, system, vpn, or boot.

Example

NGFW{}show log ipsAlert


Example

NGFW{}show log quarantine

show log-file FILE_NAME stat

Shows the beginning sequence number, ending sequence number, and number of messages for the given log file.

Syntax show log-file FILE_NAME stat

Example

NGFW{}show log ipsBlock stat

Display limited to 500 lines...

1 241097 241097

show log-file summary

Syntax show log-file summary [verbose]

Example

NGFW{}show log-file summary

File            Total Entries  First Entry  Last Entry  Allocated  Used  Location
--------------- -------------- ------------ ----------- ---------- ----- --------
system          2902           1            2902        174.32 MB  0%    internal
audit           411            1            411         174.32 MB  0%    internal
fwAlert         2135781        42054583     44190363    700.23 MB  66%   ramdisk
fwBlock         0              0            0           700.23 MB  0%    ramdisk
ipsAlert        0              0            0           350.11 MB  0%    ramdisk
ipsBlock        0              0            0           350.11 MB  0%    ramdisk
reputationAlert 0              0            0           175.06 MB  0%    ramdisk
reputationBlock 0              0            0           175.06 MB  0%    ramdisk
visibility      0              0            0           700.23 MB  0%    ramdisk
quarantine      0              0            0           175.06 MB  0%    ramdisk
vpn             0              0            0           175.06 MB  0%    ramdisk
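As an added example (not code from the manual or the appliance), the following Python parser reads the summary table above and flags what an operator reviewing it would care about: traffic logs that are being held on the ramdisk rather than the external user disk, files close to their allocation, and entry counts that disagree with the sequence-number range. The sample text, the 60% threshold, and the reason strings are assumptions.

```python
import re

# Constructed sample: the table from the manual's `show log-file summary` example.
SAMPLE_SUMMARY = """\
File            Total Entries  First Entry  Last Entry  Allocated  Used  Location
--------------- -------------- ------------ ----------- ---------- ----- --------
system          2902           1            2902        174.32 MB  0%    internal
audit           411            1            411         174.32 MB  0%    internal
fwAlert         2135781        42054583     44190363    700.23 MB  66%   ramdisk
fwBlock         0              0            0           700.23 MB  0%    ramdisk
ipsAlert        0              0            0           350.11 MB  0%    ramdisk
ipsBlock        0              0            0           350.11 MB  0%    ramdisk
reputationAlert 0              0            0           175.06 MB  0%    ramdisk
reputationBlock 0              0            0           175.06 MB  0%    ramdisk
visibility      0              0            0           700.23 MB  0%    ramdisk
quarantine      0              0            0           175.06 MB  0%    ramdisk
vpn             0              0            0           175.06 MB  0%    ramdisk
"""

# One data row: name, three integers, "<size> <unit>", "<used>%", location.
# The header and the dashed separator do not match because the second field
# must be an integer.
ROW = re.compile(
    r"^(?P<file>\S+)\s+(?P<total>\d+)\s+(?P<first>\d+)\s+(?P<last>\d+)\s+"
    r"(?P<alloc>\d+(?:\.\d+)?)\s+(?P<unit>[KMG]B)\s+(?P<used>\d+)%\s+(?P<loc>\S+)\s*$"
)
_TO_MB = {"KB": 1 / 1024, "MB": 1.0, "GB": 1024.0}


def parse_summary(text):
    """Return one dict per log file in the order the appliance printed them."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        rows.append({
            "file": m["file"],
            "total": int(m["total"]),
            "first": int(m["first"]),
            "last": int(m["last"]),
            "allocated_mb": float(m["alloc"]) * _TO_MB[m["unit"]],
            "used_pct": int(m["used"]),
            "location": m["loc"],
        })
    return rows


def find_risks(rows, used_threshold=60):
    """Return (file, reason) pairs worth a ticket.

    - entries on the ramdisk live in memory only (the manual's user-disk
      warnings say traffic logs go to memory when no user disk is mounted);
    - a file at or above `used_threshold` percent is close to rotation;
    - last - first + 1 should equal the entry count for a contiguous log.
    """
    risks = []
    for r in rows:
        if r["location"] == "ramdisk" and r["total"] > 0:
            risks.append((r["file"], "held in memory only (ramdisk), not on the user disk"))
        if r["used_pct"] >= used_threshold:
            risks.append((r["file"], f"{r['used_pct']}% of allocation used"))
        if r["total"] and r["last"] - r["first"] + 1 != r["total"]:
            risks.append((r["file"], "entry count does not match sequence range"))
    return risks


if __name__ == "__main__":
    for name, why in find_risks(parse_summary(SAMPLE_SUMMARY)):
        print(f"{name}: {why}")
```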

show log-file boot

Syntax show log-file boot [tail [COUNT]] [more]
       show log-file boot [search [<options>]{0,2} PATTERN] [count COUNT] [more]

If you use the more option, a colon (:) is displayed in the output to indicate that more information is available. Press the Enter key to continue scrolling, or enter ‘q’ to exit and return to the NGFW{} prompt.

Example

NGFW{} show log-file audit more

2013-07-05 ...(log info is displayed)

2013-07-05 ...

...

:q

NGFW{}show log-file boot search nocase ethernet7 count 7

NGFW{}show log-file boot search invert ethernet7 count 3

NGFW{}show log-file boot search ethernet7 count 2
ADDRCONF(NETDEV_UP): ethernet7: link is not ready
device ethernet7 entered promiscuous mode

Example

To tail the last 5 lines of the boot log file:

NGFW{}show log-file boot tail 5
bridge1: port 8(ethernet7) entering disabled state
bridge1: port 8(ethernet7) entering disabled state
ADDRCONF(NETDEV_UP): ethernet7: link is not ready
device ethernet8 left promiscuous mode
device ethernet7 left promiscuous mode

show mfg-info

Shows manufacturing information.

Syntax show mfg-info

Example

NGFW{}show mfg-info

ECO Version : 40AA

Manufacturer S/N : TBBC10021827

PCBA Assembly Date : 01/11/2012

Chassis Version : 00

Mfg System Revision : A905

HP Base Unit P/N : 5066-2732

HP Base Unit Revision : A1

Number of MACs : 12

MAC Address : 00:10:F3:2C:81:DE

Mgmt Port MAC Address : 00:10:F3:2C:81:DE

Ethernet1 MAC Address : 00:10:F3:2C:81:E2

HP Base Unit S/N : PR2AFQY003

Internal Disk Model : 4GB SATA Flash Drive

Internal Disk S/N : 11001420994500582125

External Disk Model : 4GB SATA Flash Drive

External Disk S/N : 00224192122400702578

BIOS Version : Z513-021

IPM Version : 1.d (working)

show np engine

Shows network processor information.

Syntax show np engine (filter|packet|parse|reputation (ip|dns)|rule)
  filter      Show filter-level statistics
  packet      Show packet-layer statistics
  parse       Show packet parsing statistics
  reputation  Show reputation statistics on either IP or DNS
  rule        Show rule statistics

Example

NGFW{}show np engine packet

Packet Statistics:

Rx packets OK = 275263890

Rx packets dropped = 0


Rx packets dropped no pcb = 0

Tx packets OK = 275262516

Tx packets dropped = 1374

Tx packets dropped no pcb = 0

Rx bytes OK = 14864242660

Tx bytes OK = 16515754024

show np general statistics

Shows general network processor information.

Syntax show np general statistics

Example

NGFW{}show np general statistics

General Statistics:

Incoming = 0

Outgoing = 0

Dropped = 0

Interface discards = 0

Second Tier = 0

Matched = 0

Blocked = 1376

Trusted = 0

Permitted = 0

Invalid = 0

Rate Limited = 0

show np protocol-mix

Syntax show np protocol-mix

Example

NGFW{}show np protocol-mix

Network Traffic Protocol Statistics:

Packets Bytes

================= =================

EthType:

ARP 289096 17363292

IP 75851320 16817451395

IPv6 110966 91605367

Other 47087 31256790

IpVersion:

IPv4 75851320 16817451395

IPv6 110966 91605367

Other 9010 5444502

IpProtocol:

TCP 24779397 4847827560

UDP 49956647 11260655728

ICMP 112057 42551652

IPv4 in IPv4 0 0

IPv6 In IPv4 4536 597024

GRE 276372 45779027

AH 414 63180


Other 132843 65240426

Ipv6Protocol:

TCP 378 265014

UDP 1350 1135803

ICMPv6 3908 1406824

ICMP 0 0

IPv6 in IPv6 89760 77281416

IPv4 in IPv6 2442 1938618

GRE 1398 1106502

AH 0 0

Other 53034 44444961

show np reassembly

Syntax show np reassembly (ip|tcp)

Example

NGFW{}show np reassembly ip

Summary:

Frags incoming = 0

Frags kept = 0

Frags outgoing = 0

Frags passed thru = 0

Frags dropped (duplicate) = 0

Frags recently reassembled = 0

Frags dropped (other) = 0

Dgrams completed = 0

show np rule-stats

Syntax show np rule-stats

Example

NGFW{}show np rule-stats

Filter Flows Success % Total % Success

6281 9 0 21 0.00

6310 9 0 21 0.00

633 8 3 19 37.50

5337 8 0 19 0.00

2768 7 0 16 0.00

5881 1 0 2 0.00

Total number of flows: 42

show np softlinx

Syntax show np softlinx

Example

NGFW{}show np softlinx

SoftLinx Statistics:

Matched both softlinx and a rule = 0

Matched softlinx, but not a rule = 0

Matched a rule, but not softlinx = 0


Sleuth inspected packets = 0

Sleuth matched packets = 0

Matched HW (Sleuth) but not softLinx = 0

Sleuth gave up = 0

Sleuth bypassed = 0

Sleuth bypassed zero payload length = 0

Sleuth overflow = 0

Matched nothing = 281567607

Linx rules created = 0

Linx rules deleted = 0

Discarded by the softlinx = 0

Total packets sent to softlinx = 80

Embedded Trigger matches = 0

Engine Trigger matches = 0

Trigger matches = 0

False pkt matches = 80

Good pkt matches = 0

SoftLinx trigger match roll over = 0

Highest flow based trigger match = 0

show np tier-stats

Syntax show np tier-stats

Example

NGFW{}show np tier-stats

----------------------------------------------------------

Tier 1:

----------------------------------------------------------

Rx Mbps = 0.0 (0.0)

Tx Mbps = 0.0 (0.0)

Rx Packets/Sec = 0.0 (0.0)

Tx Packets/Sec = 0.0 (0.0)

Utilization = 0.0% (0.0%)

Ratio to next tier = 0.0% (100.0%)

----------------------------------------------------------

Tier 2:

----------------------------------------------------------

Rx Mbps = 0.0 (0.0)

Rx Packets/Sec = 0.0 (0.0)

Tx trust packets/sec = 0.0 (0.0)

Utilization = 0.0% (0.0%)

Ratio to best effort = 0.0% (0.0%)

Ratio to next tier = 0.0% (0.0%)

----------------------------------------------------------

Tier 3:

----------------------------------------------------------

Rx Mbps = 0.0 (0.0)

Rx Packets/Sec = 0.0 (0.0)

Rx Trigger match = 0.0 (0.0)

Rx Reroute = 0.0 (0.0)

Rx TCP sequence = 0.0 (0.0)

Tx trust packets/sec = 0.0 (0.0)

Utilization = 0.0% (0.0%)

Ratio to best effort = 0.0% (0.0%)

Ratio to next tier = 0.0% (0.0%)


show quarantine-list

Syntax show quarantine-list

Example

NGFW{}show quarantine-list

IP Reason

show reports

Show the status of the data collection for reports.

Syntax show reports

Example

NGFW{}show reports

CPU Utilization: enabled

Disk Utilization: enabled

Fan Speed: enabled

Memory Utilization: enabled

Network Bandwidth: enabled

Rate Limiter: enabled

Temperature: enabled

Traffic Profile: enabled

VPN: enabled

show service

Shows the state of all the services.

Syntax show service

Example

NGFW{}show service

Service SSH is active

Service TELNET is inactive

Service HTTP is active

Service IP Forwarding is active

Service IPv6 Forwarding is active

Service SNMP is inactive

Service DNS-PROXY is inactive

Service RIP is inactive

Service RIPng is inactive

Service OSPFv2 is inactive

Service OSPFv3 is inactive

Service BGP is inactive

Service SMR is inactive

Service PIM4SM is inactive

Service PIM6SM is inactive

Service VRRP is inactive

Service Multicast-proxy is inactive

Service DHCPSERVER is inactive

Service DHCP is inactive

Service DHCP RELAY is inactive

Service DHCPv6-CLIENT is inactive


Service NTP is inactive

Service PPP-CtrlPlane is inactive

Service ETHGRP-LACP is inactive

show sms

Syntax show sms

Example

NGFW{}show sms

Device is not under SMS control

show snmp

Syntax show snmp

Example

NGFW{}show snmp

#SNMP Status

Enabled : Yes

Version : 2c, 3

Engine ID : 0x800029ee030010f327fe2e

Auth. Traps : Yes

System Name : S8020F

System Object ID : .1.3.6.1.4.1.10734.1.9.7

System ID : NGFW

System Contact : Administrator

System Location : Data Center

#SNMP Trap Sessions

Host            : A.B.C.D
Version         : 3
Port            : 162
Security Name   : trap
Level           : authPriv
Authentication  : SHA
Privacy         : AES
Inform          : Yes

show system buffers

Shows forwarding buffer state information, if you have administrator privileges.

Syntax show system buffers

Example

NGFW{}show system buffers

show system connections

Syntax show system connections [ipv4|ipv6|sctp|unix]


Example

NGFW{}show system connections ipv4

Active Internet connections (servers and established)
vrfid Proto Recv-Q Send-Q Local Address    Foreign Address  State

0 tcp 0 0 127.0.0.1:60000 0.0.0.0:* LISTEN

0 tcp 0 0 127.0.0.1:616 0.0.0.0:* LISTEN

Example

NGFW{}show system connections unix

Active UNIX domain sockets (servers and established)

Proto RefCnt Flags    Type    State      I-Node Path
unix  2      [ ACC ]  STREAM  LISTENING  40709  /var/tmp/apache2/logs/fcgidsock/7095.0
unix  2      [ ACC ]  STREAM  LISTENING  3871   /var/tmp/segmentdsock
unix  2      [ ACC ]  STREAM  LISTENING  2080   /var/run/nscd/socket
unix  2      [ ACC ]  STREAM  LISTENING  379    @/com/ubuntu/upstart
unix  2      [ ACC ]  STREAM  LISTENING  16968  /var/run/.xms.default
unix  2      [ ]      DGRAM              16970  /tmp/.server.sockname
unix  2      [ ]      DGRAM              17575  @/tmp/.has_xmsd
unix  2      [ ACC ]  STREAM  LISTENING  1436   /usr/local/var/syslog-ng.ctl

Example

NGFW{}show system connections sctp

ASSOC SOCK STY SST ST HBKT ASSOC-ID TX_QUEUE RX_QUEUE UID INODE LPORT RPORT

LADDRS <-> RADDRS HBINT INS OUTS MAXRT T1X T2X RTXC VRF

show system processes

Syntax show system processes [LEVEL]
  brief      Brief process information
  detail     Detailed process information
  extensive  Extensive process information
  summary    Active process information

Example

NGFW{}show system processes brief
top - 02:23:22 up 5:08, 2 users, load average: 16.20, 16.23, 16.16

Tasks: 349 total, 6 running, 343 sleeping, 0 stopped, 0 zombie

Cpu(s): 37.8% us, 2.4% sy, 0.0% ni, 52.8% id, 0.0% wa, 0.0% hi, 6.9% si

Mem: 28681276k total, 10367048k used, 18314228k free, 100416k buffers

Swap: 0k total, 0k used, 0k free, 1638220k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND

3656 root 20 0 11.1g 4.6g 3.7g R 1200 16.7 3691:24 n0

3731 root 20 0 0 0 0 R 100 0.0 307:25.33 dpvi-task3

3730 root 20 0 0 0 0 R 98 0.0 303:42.33 dpvi-task2

3729 root 20 0 0 0 0 R 96 0.0 300:14.52 dpvi-task1

2941 root 20 0 84516 3976 2852 R 2 0.0 4:18.44 syslog-ng

4436 root 20 0 0 0 0 D 2 0.0 1:44.56 fpm-nfct-hf-tas

4216 root 20 0 21496 1112 772 D 0 0.0 0:21.46 sensormond

17380 root 20 0 13084 1292 800 R 0 0.0 0:00.01 top


show system statistics

Syntax show system statistics [PROTO] [non-zero]

Example

NGFW{}show system statistics

show system usage

Displays the overall system usage. You can run it once, or display an updated version every INT seconds. Ctrl-C exits a recurring update.

Syntax show system usage [update INT]

Example

NGFW{} show system usage update 12

show system virtual-memory

Shows the system’s kernel memory usage in a table with the following column headings.

• name

• active_objs

• num_objs

• objsize

• objperslab

• pagesperslab

• tunables

• limit

• batchcount

• sharedfactor

• slabdata

• active_slabs

• num_slabs

• sharedavail

Syntax show system virtual-memory

Example

NGFW{}show system virtual-memory

show system xms memory

Shows xms memory statistics.

Syntax show system xms memory (all|SERVICE)

Example

NGFW{}show system xms memory captive-portals
xmsd memory usage:


+ Service: captive-portals

+ captive-portal-config: 48 Bytes

Maximum amounts: 175 Bytes

Calls to alloc : 1 times

+ Service: misc

+ miscellaneous: 1383 Bytes

Maximum amounts: 1585 Bytes

Calls to alloc : 10 times

+ xmlMem: 4341373 Bytes

Maximum amounts: 85010535 Bytes

Calls to alloc : 53906 times

show terminal

Shows terminal type information.

Syntax show terminal

Example

NGFW{}show terminal

=============

Terminal configuration: type 6wind columns 164 lines 46

show traffic-file

Syntax show traffic-file FILENAME [verbose INT] [proto PROTO] [without PROTO] [pcap FILTER] [pager]

Options traffic-file Show network traffic from file

FILENAME Capture file name

verbose Configure verbosity level

INT Verbosity level (0: minimum verbosity)

proto Configure captured packets protocol

PROTO Protocol name (default: all)

without Configure excluded packets protocol

PROTO Protocol name (default: all)

pcap Configure pcap-syntax filter

FILTER Pcap filter string (e.g. "src port 22")

pager Show all messages

Example

NGFW{}show traffic-file myfilename

show tse connection-table

Syntax show tse connection-table TYPE

Example:

This example displays the basic IPS state synchronization by viewing the connection table on the active and passive device.


NGFW{}show tse connection-table blocks

Second device:

NGFW{}show tse connection-table blocks

The ‘TRHA’ indicates this is a connection created by state synchronization.

show tse

Shows threat suppression engine information.

Syntax show tse (connection-table(blocks|trusts)|rate-limit)

Example

NGFW{}show tse connection-table blocks

Blocked connections: None found.

NGFW{}show tse rate-limit

show user-disk

Syntax show user-disk

Example

NGFW{}show user-disk

External User Disk

Status: Mounted

Encryption: None

Capacity: 3952263168 bytes

Used: 784158720 bytes

Free: 2907357184 bytes

show users

Syntax show users [locked|ip-locked]

Example

NGFW{}show users

USER myadminuser

IDLE INTERFACE LOGIN IP ADDRESS TYPE

00:00 SSH 2013-07-19 23:42:56 198.51.100.139 LOCAL

show version

Syntax show version

Example

NGFW{}show version

Serial: X-NGF-S8020F-GENERIC-0001

Software: 1.0.0.3911 Build Date: "Apr 12 2013 02:13:12" Production

Digital Vaccine: 3.2.0.15172

Model: S8020F

HW Serial: PR2AFQ300P

HW Revision: A603


Failsafe: 1.0.0.1801

System Boot Time: Sun Sept 15 21:14:57 2013

Uptime: 05:17:01

shutdown

Allows you to shut down the system.

Syntax shutdown

Example

NGFW{}shutdown

You are about to shutdown the device.

Please use the front panel buttons to restart the device manually.

Make sure you have Committed all your changes, and clicked the Save

Configuration button if you wish these changes to be applied when the device is restarted.

WARNING: Are you sure you want to shutdown the system (y/n) [n]:

sms

Allows you to configure SMS settings and release SMS.

Syntax sms must-be-ip (A.B.C.D|A.B.C.D/M)
       sms unmanage

Example

NGFW{}sms unmanage

NGFW{}sms must-be-ip 192.168.1.1

Related commands

show sms

snapshot create

Allows you to manage system snapshots.

Syntax snapshot create NAME [(reputation|manual|network)]

By default, none of the following is included:
  manual      Include manually defined reputation entries in snapshot
  network     Include Management port configuration in snapshot
  reputation  Include reputation package in snapshot
  nonet       Does not restore management port configuration if present in snapshot

Example

NGFW{}snapshot create s_041713

snapshot list

Syntax snapshot list


Example

NGFW{}snapshot list

Name             Date                       OS Version  DV Version   Model   Restore
---------------- -------------------------- ----------- ------------ ------- -------
s_041713         Wednesday, April 17 2013   1.0.0.3913  3.2.0.15172  S1020F  Yes

snapshot remove

Syntax snapshot remove NAME

Example

NGFW{}snapshot remove s_041713

Success

snapshot restore

Restore system from saved snapshot.

Syntax snapshot restore NAME

Example

NGFW{}snapshot restore s_041713

Success

tcpdump

Allows you to capture network traffic to the terminal or a file. You can specify a maximum packet count or a maximum capture file size. If you record the capture to a file you must specify a maximum packet count or maximum capture file size. Maxsize is the maximum size of the capture file in millions of bytes, which is limited by the currently available disk allocation.

Syntax tcpdump INTERFACE [record FILENAME [maxsizebytes 1-10000000]] [packetcount 1-10000000] [verbose 0-990000] [proto (icmp|igmp|tcp|udp|esp|ah|pim|snp|vrrp|stp|isis|sctp)] [without (icmp|igmp|tcp|udp|esp|ah|pim|snp|vrrp|stp|isis|sctp)] [pcap FILTER] [cponly] [pager] [background]
       tcpdump stop

Example

NGFW{}tcpdump mgmt count 2

NGFW{}tcpdump bridge0 record mycapturefile count 100 proto tcp without udp pcap "dst port 443" background

NGFW{}tcpdump6: listening on bridge0, link-type EN10MB (Ethernet), capture size 65535 bytes

100 packets captured

100 packets received by filter

0 packets dropped by kernel

NGFW{}tcpdump stop

All tcpdump processes stopped.


traceroute

Traceroute shows you the path a packet takes from your computer to its destination. It lists every router the packet passes through until it reaches the destination, or fails, and reports how long each router-to-router hop takes.

Syntax traceroute (A.B.C.D|HOSTNAME) [from A.B.C.D] [mgmt]

(traceroute|traceroute6) X:X::X:X [from X:X::X:X] [mgmt]

Example

NGFW{}traceroute 192.168.140.254

traceroute: Warning: ip checksums disabled
traceroute to 192.168.140.254 (192.168.140.254), 30 hops max, 46 byte packets

1 192.168.140.254 (192.168.140.254) 0.256 ms 0.249 ms 0.233 ms

traceroute6

Trace IPv6 network routes.

Example

NGFW{}traceroute6 192.168.140.1

user-disk

The external user-disk is available to mount, unmount, and format. Only a user-disk that the user manually formats and mounts will be “auto-mounted” by the device at boot. The one exception to this is after an initial install, the external cfast present in the box at the time of install will be “auto-mounted”.

The user-disk can be encrypted, but only if the system master-key has been set. Changing the encryption status on the user-disk causes a ‘format’ to occur and erases any existing data.

User-disk encryption can also be enabled and disabled from the LSM at System->Settings->Log Configuration.

Modify settings for the external user-disk.

Syntax user-disk (encryption (enable|disable) | format | mount | unmount)

Example

NGFW{}user-disk unmount

WARNING: Unmounting the external user disk will disable snapshot and packet capture, and traffic related logs will be stored in memory only.

Do you want to continue (y/n)? [n]: y

Success: User disk unmounted.

Example

NGFW{}user-disk mount

Note: The external user disk will be used for snapshots, packet captures and traffic related logs. The external user disk will be automatically mounted on rebooted.

Do you want to continue (y/n)? [n]: y

Success: User disk mounted.

Example

NGFW{}user-disk format

WARNING: This action will erase all existing data on the external user disk!

Do you want to continue (y/n)? [n]: y

Success: User disk format completed.


Example

NGFW{}user-disk encryption enable

WARNING: Changing the encryption status of the user disk will erase all traffic log, snapshot, and packet capture data on the disk.

Do you want to continue (y/n)? [n]: y

Success: User disk encryption enabled.

Related commands

show user-disk

master-key


4 Log Configure Commands

Enter the log-configure command to access the log configuration context. Enter a question mark (?) at the NGFW{log-configure} prompt to display a list of valid command entries. Then enter help commandname to display help for a specific command.

display

Displays log configuration settings.

Syntax display [log-sessions] [xml|verbose]

Example

NGFW{log-configure}display

# LOG EMAIL SETTINGS
email set sleepSeconds 300
email set maxRequeue 2016

# LOG ROTATE SETTINGS
rotate set sleepSeconds 600
rotate set defaultFiles 5
rotate set defaultCheckRecords 500
rotate set maxFileSize 100 MB

# LOG FILE DISK ALLOCATION
log-storage external 90%
log-storage ramdisk 25%

# LOG FILE ALLOCATION SETTINGS

# INTERNAL DISK
log-file-size system 50%
log-file-size audit 50%
# ----
# Total 100%

# EXTERNAL DISK (USER-DISK)
log-file-size fwAlert 20%
log-file-size fwBlock 20%
log-file-size ipsAlert 10%
log-file-size ipsBlock 10%
log-file-size reputationAlert 5%
log-file-size reputationBlock 5%
log-file-size visibility 20%
log-file-size quarantine 5%
log-file-size vpn 5%
# ----
# Total 100%

email

Allows you to set logging email daemon parameters.

Syntax email set sleepSeconds SLEEPSEC
       email set maxRequeue MAXREQUEUE
       email set queueFile QUEUEFILE
       email set deadletter DEADLETTER
       email delete (sleepSeconds|maxRequeue|queueFile|deadletter)

Example

NGFW{log-configure}email set sleepSeconds 600

NGFW{log-configure}email delete sleepSeconds

NGFW{log-configure}email set maxRequeue 1

NGFW{log-configure}email delete maxRequeue

NGFW{log-configure}email set queueFile myqueuefile

NGFW{log-configure}email delete queueFile

NGFW{log-configure}email set deadletter mydeadletterfile

NGFW{log-configure}email delete deadletter

log-file-size

Set log file allocation as a percentage of the total 100 percent allowed for all log files.

# LOG FILE ALLOCATION SETTINGS

# INTERNAL DISK
log-file-size system 50%
log-file-size audit 50%
# ----
# Total 100%

Syntax log-file-size FILE_NAME USAGE[%]
       log-file-size (audit|fwAlert|fwBlock|ipsAlert|ipsBlock|quarantine|reputationAlert|reputationBlock|system|visibility|vpn) USAGE[%]

The system and audit log files are kept on the internal disk. The fwAlert, fwBlock, ipsAlert, ipsBlock, quarantine, reputationAlert, reputationBlock, visibility, and vpn log files are kept on the external or ramdisk drive.

Example

NGFW{log-configure}log-file-size system 50

NGFW{log-configure}log-file-size fwAlert 20

NGFW{log-configure}log-file-size audit 60

ERROR: This would over allocate (110%) the Internal log disk!
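An added example (not the appliance's own code) that models the allocation rule the error above enforces: the log files on each disk share 100 percent, a change that would push a disk past 100 percent is rejected, and the other changes in the sequence still apply. The per-disk membership follows the Syntax note; the starting values are taken from the display example; function and message names are assumptions.

```python
# Log files per disk, in the order the `display` output lists them
# (membership as stated in the log-file-size Syntax note).
INTERNAL_DISK = ["system", "audit"]
EXTERNAL_DISK = ["fwAlert", "fwBlock", "ipsAlert", "ipsBlock", "reputationAlert",
                 "reputationBlock", "visibility", "quarantine", "vpn"]

# Constructed starting point: the allocations shown by the manual's `display` example.
DEFAULT_ALLOCATION = {
    "system": 50, "audit": 50,
    "fwAlert": 20, "fwBlock": 20, "ipsAlert": 10, "ipsBlock": 10,
    "reputationAlert": 5, "reputationBlock": 5, "visibility": 20,
    "quarantine": 5, "vpn": 5,
}


class AllocationError(ValueError):
    """Raised when a change is invalid or would exceed 100% on one disk."""


def disk_of(name):
    """Map a log file name to (disk label, the files sharing that disk)."""
    if name in INTERNAL_DISK:
        return "Internal", INTERNAL_DISK
    if name in EXTERNAL_DISK:
        return "External", EXTERNAL_DISK
    raise AllocationError(f"unknown log file: {name}")


def set_log_file_size(allocation, name, usage):
    """Return a new allocation with `name` set to `usage` percent.

    A trailing '%' is accepted, as in the CLI syntax. The other files on the
    same disk keep their values, so the disk total is re-checked against 100%.
    """
    usage = int(str(usage).rstrip("%"))
    if not 0 <= usage <= 100:
        raise AllocationError(f"usage must be between 0 and 100, got {usage}")
    disk, members = disk_of(name)
    new = dict(allocation)
    new[name] = usage
    total = sum(new.get(f, 0) for f in members)
    if total > 100:
        raise AllocationError(f"This would over allocate ({total}%) the {disk} log disk!")
    return new


def apply_commands(allocation, commands):
    """Run (FILE_NAME, USAGE) changes in order, as an operator would type them.

    A rejected change leaves the allocation untouched and is reported in the
    returned message list; later changes are still attempted.
    """
    messages = []
    for name, usage in commands:
        try:
            allocation = set_log_file_size(allocation, name, usage)
            messages.append(f"log-file-size {name} {usage}: OK")
        except AllocationError as exc:
            messages.append(f"log-file-size {name} {usage}: ERROR: {exc}")
    return allocation, messages


def render(allocation):
    """Format the allocation in the layout `display` uses, one disk per block."""
    lines = []
    for title, members in (("INTERNAL DISK", INTERNAL_DISK),
                           ("EXTERNAL DISK (USER-DISK)", EXTERNAL_DISK)):
        lines.append(f"# {title}")
        lines += [f"log-file-size {f} {allocation.get(f, 0)}%" for f in members]
        lines.append("# ----")
        lines.append(f"# Total {sum(allocation.get(f, 0) for f in members)}%")
    return "\n".join(lines)


if __name__ == "__main__":
    # The three commands from the example above: the third one is rejected.
    final, log = apply_commands(DEFAULT_ALLOCATION,
                                [("system", 50), ("fwAlert", 20), ("audit", 60)])
    print("\n".join(log))
    print(render(final))
```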

log-storage

Set local log file allocation of external CFast disk space. Usage value can range from 50 to 99 percent.

Syntax log-storage external USAGE[%] log-storage ramdisk USAGE[%]

Example

NGFW{log-configure}log-storage external 90

log-test

Sends a test message to the logging system(s).

Syntax log-test (all|audit|vpn|quarantine|logID LOGID) [emergency [MESSAGE]]
       log-test (all|audit|vpn|quarantine|logID LOGID) [alert [MESSAGE]]
       log-test (all|audit|vpn|quarantine|logID LOGID) [critical [MESSAGE]]
       log-test (all|audit|vpn|quarantine|logID LOGID) [error [MESSAGE]]
       log-test (all|audit|vpn|quarantine|logID LOGID) [warning [MESSAGE]]
       log-test (all|audit|vpn|quarantine|logID LOGID) [notice [MESSAGE]]
       log-test (all|audit|vpn|quarantine|logID LOGID) [info [MESSAGE]]
       log-test (all|audit|vpn|quarantine|logID LOGID) [debug [MESSAGE]]
       log-test (all|audit|vpn|quarantine|logID LOGID) [msg MESSAGE]

Valid entries:
  all         All log systems
  audit       Audit system
  vpn         VPN (IPsec) system
  quarantine  Quarantine system
  logID       LogID system
  LOGID       Log-session ID to test
  SEVERITY    Set Severity level for log message (default: INFO)

Possible values for SEVERITY are:
  emergency   EMERG level
  alert       ALERT level
  critical    CRIT level
  error       ERR level
  warning     WARNING level
  notice      NOTICE level
  info        INFO level (default)
  debug       DEBUG level
  msg         Override default message
  MESSAGE     Message to send to logging system

Example

NGFW{log-configure}log-test logID 1 msg "my test message for logging"

NGFW{log-configure}log-test all

rotate

Sets log rotation parameters.

Syntax rotate (set|delete) defaultCheckRecords (100-65535)
       rotate (set|delete) defaultFiles (2-20)
       rotate (set|delete) maxFileSize (10-500MB)
       rotate (set|delete) sleepSeconds (1-65535)
       rotate (set|delete) audit [Files (2-20)] [Records (100-65535)]
       rotate (set|delete) fwAlert [Files (2-20)] [Records (100-65535)]
       rotate (set|delete) fwBlock [Files (2-20)] [Records (100-65535)]
       rotate (set|delete) ipsAlert [Files (2-20)] [Records (100-65535)]
       rotate (set|delete) ipsBlock [Files (2-20)] [Records (100-65535)]
       rotate (set|delete) quarantine [Files (2-20)] [Records (100-65535)]
       rotate (set|delete) reputationAlert [Files (2-20)] [Records (100-65535)]
       rotate (set|delete) reputationBlock [Files (2-20)] [Records (100-65535)]
       rotate (set|delete) system [Files (2-20)] [Records (100-65535)]
       rotate (set|delete) visibility [Files (2-20)] [Records (100-65535)]
       rotate (set|delete) vpn [Files (2-20)] [Records (100-65535)]

  sleepSeconds         Logrotation sleep time between checks
  SLEEPSEC             Number of seconds logrotation waits between checks
  defaultFiles         Default number of logrotation files
  NUMFILES             Number of logrotation files (2 - 20)
  defaultCheckRecords  Default number of records between log daemon size checks
  NUMRECORDS           Number of records between log daemon size checks (100 - 65535)
  maxFileSize          Max size of a 'rotated' log file
  MAXFILESIZE          Max log rotation file size in MB (10 - 500)
  MB                   Megabytes
  FILE_NAME            Local log file name
  Files                Number of logrotation files
  Records              Number of records between log daemon size checks
  delete               Delete the logrotation parameter

Example

NGFW{log-configure}rotate set sleepSeconds 10

NGFW{log-configure}rotate set visibility Files 5 Records 500

NGFW{log-configure}rotate set vpn Files 5 Records 500

NGFW{log-configure}rotate delete vpn Records

NGFW{log-configure}rotate delete vpn Files

NGFW{log-configure}rotate delete visibility

NGFW{log-configure}rotate set defaultCheckRecords 500

NGFW{log-configure}rotate set defaultFiles 5


5 Edit Running Configuration Commands

Enter the edit command to access the configuration mode. In edit mode, you can perform numerous configurations, such as firewall rules and policies, and authentication. Once you have executed the edit command the CLI prompt will appear as NGFW{running}. Configuration options and sub-contexts are available until you exit. To exit the edit configuration mode, enter exit.

The configuration mode enables administrators with the appropriate credentials to write configuration changes to the active (running) configuration. The logon account used to configure the device must either be associated with the Superuser role or the Administrator role to edit the configuration context. The configuration mode has different context levels that provide access to a specific set of configuration commands.

Configuration Contexts by Function

Each table lists a configuration context and the command that enters it.

Monitor/System

Table 5-1 Monitor and System Commands

Context                                     Command
running-blockedStreams Context Commands     NGFW{running}blockedStreams
running-cluster Context Commands            NGFW{running}cluster
running-cluster-tct Context Commands        NGFW{running-cluster}tct
running-dns Context Commands                NGFW{running}dns
running-gen Context Commands                NGFW{running}gen
running-high-availability Context Commands  NGFW{running}high-availability
running-log Context Commands                NGFW{running}log
running-mgmt Context Commands               NGFW{running}interface mgmt
running-ntp Context Commands                NGFW{running}ntp
running-snmp Context Commands               NGFW{running}snmp

Network

Table 5-2 Network Commands

Context                                     Command
running-agglinkX Context Commands           NGFW{running}interface agglink0
running-bridgeX Context Commands            NGFW{running}interface bridge0
running-greX Context Commands               NGFW{running}interface gre0
running-l2tp-serverX Context Commands       NGFW{running}l2tp-server0
running-l2tpX Context Commands              NGFW{running}interface l2tp0
running-loopbackX Context Commands          NGFW{running}interface loopback0
running-pppoeX Context Commands             NGFW{running}interface pppoe0
running-pptpX Context Commands              NGFW{running}interface pptp0
running-vlanX Context Commands              NGFW{running}interface vlan0
running-ethernetX Context Commands          NGFW{running}interface ethernet1
running-segmentX Context Commands           NGFW{running}segment0
running-dhcp-relay Context Commands         NGFW{running}dhcp relay
running-dhcp-server Context Commands        NGFW{running}dhcp server
running-dhcp-server-X Context Commands      NGFW{running-dhcp-server}scope myscope

Policy

Table 5-3 Policy Commands

Context                                                                  Command
running-actionsets Context Commands (immediate commit context)           NGFW{running}actionsets
running-actionsets-X Context Commands                                    NGFW{running-actionsets}actionset myactionset1
running-addressgroups Context Commands                                   NGFW{running}addressgroups
running-addressgroups-X Context Commands                                 NGFW{running-addressgroups}addressgroup myaddressgroups
running-app-filter-mgmt Context Commands (immediate commit context)      NGFW{running}application-filter-mgmt
running-app-groups Context Commands (immediate commit context)           NGFW{running}application-groups
running-app-groups-X Context Commands                                    NGFW{running-app-groups}application-group FaceBook
running-autodv Context Commands (immediate commit context)               NGFW{running}autodv
running-autodv-calendar Context Commands                                 NGFW{running-autodv}calendar
running-autodv-periodic Context Commands                                 NGFW{running-autodv}periodic
running-captive-portal Context Commands                                  NGFW{running}captive-portal
running-captive-portal-rule-X Context Commands                           NGFW{running-captive-portal}rule 20000
running-dnat Context Commands                                            NGFW{running}dst-nat
running-dnat-rule-X Context Commands                                     NGFW{running-dnat}rule 1
running-firewall Context Commands                                        NGFW{running}firewall
running-firewall-rule-X Context Commands                                 NGFW{running-firewall}rule myrule1
running-global-inspection Context Commands                               NGFW{running}global-inspection
running-ips Context Commands (immediate commit context)                  NGFW{running}ips
running-ips-X Context Commands                                           NGFW{running-ips}profile 1
running-notifycontacts (email) Context Commands (immediate commit context)  NGFW{running-notifycontacts}contact mycontact1 email
running-notifycontacts-X (SNMP) Context Commands                         NGFW{running-notifycontacts}contact mycontact1 snmp secret 192.168.1.1
running-rep Context Commands (immediate commit context)                  NGFW{running}rep
running-rep-X (group X) Context Commands                                 NGFW{running-rep}group 1
running-rep-X (profile X) Context Commands                               NGFW{running-rep}profile abc
running-schedules Context Commands                                       NGFW{running}schedules
running-schedules-X Context Commands                                     NGFW{running-schedules}schedule myhours1
running-services Context Commands                                        NGFW{running}services
running-services-X Context Commands                                      NGFW{running-services}service myservice1
running-snat Context Commands                                            NGFW{running}src-nat
running-snat-rule-X Context Commands                                     NGFW{running-snat}rule snat1
running-zones Context Commands                                           NGFW{running}zones
running-zones-X Context Commands                                         NGFW{running-zones}zone myzone1

Authentication

Table 5-4 Authentication Commands

Context                                     Command
running-aaa Context Commands                NGFW{running-aaa}
running-aaa-ldap-group-X Context Commands   NGFW{running-aaa}ldap-group mygroup
running-aaa-radius-group-X Context Commands NGFW{running-aaa}radius-group mygroup
running-certificates Context Commands       NGFW{running}certificates
running-certificates-crl Context Commands   NGFW{running-certificates}crl

Routing

Table 5-5 Routing Commands

Context                                     Command
running-bgp-X Context Commands              NGFW{running}router bgp 1
running-multicast-registration Context Commands  NGFW{running}multicast-registration
running-ospf Context Commands               NGFW{running}router ospf
running-ospfv3 Context Commands             NGFW{running}router ospfv3
running-pim-smv4 Context Commands           NGFW{running}router pim-smv4
running-pim-smv6 Context Commands           NGFW{running}router pim-smv6
running-rip Context Commands                NGFW{running}router rip
running-ripng Context Commands              NGFW{running}router ripng
running-route-map Context Commands          NGFW{running}route-map mymap permit 10
running-smr Context Commands                NGFW{running}router smr

VPN

Table 5-6 VPN Commands

Context                                     Command
running-ipsec Context Commands              NGFW{running}vpn ipsec
running-manual-sa Context Commands          NGFW{running}vpn ipsec
                                            NGFW{running-ipsec}manual

Edit Context Commands

aaa

Enters the Authentication, Authorization, and Auditing (AAA) context mode.

Syntax aaa

NGFW Command Line Interface Reference 59

Example

NGFW{}edit

NGFW{running}aaa

NGFW{running-aaa}help

NGFW{running-aaa}display user fred xml

<?xml version="1.0"?>
<record>
  <index>
    <user>fred</user>
  </index>
  <parameters>
    <password>$password$</password>
    <epoch>1373049840</epoch>
  </parameters>
</record>

NGFW{running-aaa}exit

Related commands

running-aaa Context Commands

actionsets

Enters action sets context mode. Changes are committed and take effect immediately.

Syntax actionsets

Example

NGFW{}edit

NGFW{running}actionsets

NGFW{running-actionsets}help

Example

NGFW{running-actionsets}actionset myactionset

NGFW{running-actionsets-myactionset}help

NGFW{running-actionsets-myactionset}?

Valid entries at this position are:

action Set action type, available value: permit, rate-limit, block, trust

allow-access Allow quarantined host to access defined IP

bytes-to-capture Set bytes to capture for packet trace

contact Add a notify contact

delete Delete file or configuration item

display Display file or configuration item

help Display help information

http-block Set quarantine option to block HTTP traffic

http-custom Set or clear HTTP custom text display option

http-redirect Set redirect URL for HTTP redirect option

http-showdesc Set or clear HTTP show desc display option

http-showname Set or clear HTTP show name display option

limit-quarantine Add IP for limit quarantine

limit-rate Set the rate value for rate-limit action

no-quarantine Add IP for no quarantine

nonhttp-block Set quarantine option to block non-HTTP traffic

packet-trace Enable/disable packet trace option

priority Set packet trace priority

quarantine Set quarantine option, available value: no, immediate, threshold

tcp-reset Set tcp reset option for block action, can be disable, source, dest or both

threshold Set quarantine threshold value

verbosity Set packet trace verbosity

Related commands

running-actionsets Context Commands

addressgroups

Enters address group context.

Syntax addressgroups

Example

NGFW{running}addressgroups

NGFW{running-addressgroups}help

NGFW{running-addressgroups}?

Valid entries at this position are:

addressgroup Create or enter an address group context

delete Delete address group parameters

help Display help information

rename Rename address group

Related commands

running-addressgroups Context Commands

application-filter-mgmt

Enters application filter management context.

Syntax application-filter-mgmt

Example

NGFW{}edit

NGFW{running}application-filter-mgmt

Entering Immediate Commit Feature. Changes take effect immediately.

NGFW{running-app-filter-mgmt}help

Valid commands are:

display

filter FILTERNUMBER SYS_ENABLE_OR_DISABLE

filter FILTERNUMBER afcstate AFC_ENABLE_OR_DISABLE

filter FILTERNUMBER SYS_ENABLE_OR_DISABLE afcstate AFC_ENABLE_OR_DISABLE

help [full|COMMAND]

Related commands

running-app-filter-mgmt Context Commands

application-groups

Enters the application-group context mode. Application groups can be associated with firewall rules, but they can be defined only in the LSM, not in the CLI. The CLI commands are similar in syntax to those for security categories, but the criteria parameter is deliberately obfuscated. Also, like security categories, application group queries are not editable from the CLI.


NOTE:

Attempting to create an application group from the CLI will result in an error while parsing the CRITERIASTRING parameter.

The CRITERIASTRING format is deliberately obfuscated and not supported to prevent users from creating or editing application group criteria from the CLI. Support for setting and getting criteria through the obfuscated format is included so that users can still copy output of CLI display commands and paste them back in.

Syntax application-groups

Example

NGFW{running}application-groups

Entering Immediate Commit Feature. Changes take effect immediately.

NGFW{running-app-groups}help

Valid commands are:

application-group NEWAPPNAME CRITERIASTRING

application-group APPNAME

delete application-group APPNAME

display

help [full|COMMAND]

rename application-group APPNAME NEWAPPNAME

Related commands

running-app-groups Context Commands

application-visibility

Enables or disables application visibility.

Syntax application-visibility (enable|disable)

Example

NGFW{running}application-visibility ?

Valid entries at this position are:

disable Disable application visibility

enable Enable application visibility

autodv

Enters auto digital vaccine context mode.

Syntax autodv

Example

NGFW{running}autodv

Entering Immediate Commit Feature. Changes take effect immediately.

NGFW{running-autodv}help

Valid commands are:

calendar

delete proxy

delete proxy-password

delete proxy-username

disable


display

enable

help [full|COMMAND]

list

periodic

proxy ADDR port PORT

proxy-password PASSWD

proxy-username USER

update

NGFW{running-autodv}?

Valid entries at this position are:

calendar Enter Calender Style

delete Delete file or configuration item

disable Disable service

display Display file or configuration item

enable Enable service

help Display help information

list List Installed DVs

periodic Enter Periodic Style

proxy Configure proxy

proxy-password Proxy password

proxy-username Proxy username

update Update AutoDV

Related commands

running-autodv Context Commands

blockedStreams

Enters blockedStreams context mode.

Syntax blockedStreams

Example

NGFW{running}blockedStreams

NGFW{running-blockedStreams}help

Valid commands are:

flushallstreams

flushstreams

help [full|COMMAND]

list

Related commands

running-blockedStreams Context Commands

captive-portal

Enters captive portal context mode.

Syntax captive-portal

Example

NGFW{running}captive-portal

NGFW{running-captive-portal}help

Valid commands are:


delete rule all|RULEID

help [full|COMMAND]

rename rule RULEID NEWRULEID

rule (auto|RULEID) [POSITION_VALUE]

set max-session-time MINUTES

set inactive-timeout MINUTES

set port PORT

set certificate CERTNAME

set login-page|status-page foreground-color|background-color HEX|COLOR

set login-page header-HTML|footer-HTML|failed-HTML

set status-page foreground-color|background-color HEX|COLOR

set status-page main-HTML

reset max-session-time|inactive-timeout|port|certificate

reset login-page|status-page foreground-color|background-color

reset login-page header-HTML|footer-HTML|failed-HTML

reset status-page main-HTML

Related commands

running-captive-portal Context Commands

certificates

Enters certificates context mode.

Syntax certificates

Example

NGFW{running}certificates

NGFW{running-certificates}help

Valid commands are:

# Enter context

crl

# Other commands

ca-certificate CANAME

cert-request CERTREQUEST [key-size SIZE]

certificate CERTNAME

delete ca-certificate (all|CANAME)

delete cert-request (all|CERTREQUEST)

delete certificate (all|CERTNAME)

display ca-certificate CANAME [pem|text]

display cert-request CERTNAME

display certificate CERTNAME [pem|text]

display private-key CERTNAME

help [full|COMMAND]

private-key CERTNAME

Related commands

running-certificates Context Commands

cluster

Enters cluster context mode.

Syntax cluster


Example

NGFW{running}cluster

NGFW{running-cluster}help

Valid commands are:

check CHECK_TYPE enable|disable

cluster-name NAME

delete standby

enable|disable

help [full|COMMAND]

member-id ID

member-name NAME

standby

tct

NGFW{running-cluster}?

Valid entries at this position are:

check Perform consistency check

cluster-name Apply Cluster Name

delete Delete file or configuration item

disable Disable clustering

enable Enable clustering

help Display help information

member-id Cluster Member ID

member-name Cluster member name

standby Set the device on standby

tct Enter cluster traffic context

Related commands

running-cluster Context Commands

delete

Deletes file or configuration item.

Syntax

delete SEGNAME

delete interface agglinkX

delete interface bridgeX

delete interface greX

delete interface l2tpX

delete interface loopbackX

delete interface pppoeX

delete interface pptpX

delete interface vlanX

delete interface vrrpvXgY

delete ip access-list NAME (permit|deny) A.B.C.D/M

delete ip prefix-list NAME (permit|deny) A.B.C.D/M [ge GE-VALUE] [le LE-VALUE]

delete ipv6 access-list NAME (permit|deny) X.X.X.X/M

delete l2tp-serverX

delete route-map ROUTE-MAP-NAME

delete route-map ROUTE-MAP-NAME permit|deny ENTRY-POSITION

delete router bgp

delete router ospf

delete router ospfv3

delete router pim-smv6

delete router rip

delete router ripng

delete router smr


Example

NGFW{running}delete segment78

NGFW{running}delete interface agglink0

NGFW{running}delete interface bridge0

NGFW{running}delete interface gre0

NGFW{running}delete interface l2tp0

NGFW{running}delete interface loopback0

NGFW{running}delete interface pppoe0

NGFW{running}delete interface pptp0

NGFW{running}delete interface vlan0

NGFW{running}delete ip access-list myaccesslist permit 0.0.0.0/0

NGFW{running}delete ip prefix-list myprefixlist permit 192.168.0.0/16 ge 24 le 24

NGFW{running}delete ipv6 access-list myipv6accesslist permit 100:0:0:0:0:0:0:0/64

NGFW{running}delete l2tp-server0

NGFW{running}delete route-map myroutemap

NGFW{running}delete route-map myroutemap permit 1

NGFW{running}delete router bgp

NGFW{running}delete router ospf

NGFW{running}delete router ospfv3

NGFW{running}delete router pim-smv6

NGFW{running}delete router rip

NGFW{running}delete router ripng

NGFW{running}delete router smr

dhcp

Enters DHCP context mode.

Syntax

dhcp relay

dhcp server

Example

NGFW{running}dhcp

Valid entries at this position are:

relay Enter DHCP relay context

server Server

Related commands

running-dhcp-relay Context Commands

running-dhcp-server Context Commands

dns

Enters DNS context mode.

Syntax dns

Example

NGFW{running}dns

NGFW{running-dns}help

Valid commands are:

delete domain-name

delete name-server all|A.B.C.D|X:X::X:X

delete proxy cache cleaning interval

delete proxy cache forwarder all|A.B.C.D|X:X::X:X


delete proxy cache maximum negative ttl

delete proxy cache maximum ttl

delete proxy cache size

domain-name NAME

domain-search primary NAME

help [full|COMMAND]

name-server A.B.C.D|X:X::X:X

proxy cache cleaning interval cache cleaning interval in minutes

proxy cache forwarder A.B.C.D|X:X::X:X

proxy cache maximum negative ttl cache maximum negative TTL in minutes

proxy cache maximum ttl cache maximum TTL in minutes

proxy cache size cache size in megabytes

proxy enable|disable

NGFW{running-dns}?

Valid entries at this position are:

delete Delete file or configuration item

domain-name Configure domain name

domain-search Configure domain search

help Display help information

name-server Configure DNS server

proxy Configure proxy

proxy Enable or disable proxy

Related commands

running-dns Context Commands

dst-nat

Enters destination NAT context mode.

Syntax dst-nat

Example

NGFW{running}dst-nat

NGFW{running-dnat}help

Valid commands are:

delete rule all|DSTNATRULEID

help [full|COMMAND]

rule (auto|DSTNATRULEID) [POSITION_VALUE]

NGFW{running-dnat}?

Valid entries at this position are:

delete Delete destination NAT rule(s)

help Display help information

rename Rename destination NAT rule

rule Create or enter a rule context

Related commands

running-dnat Context Commands

firewall

Enters firewall context mode.

Syntax firewall


Example

NGFW{running}firewall

NGFW{running-firewall}help

Valid commands are:

default-block-rule DEFACTIONSET

delete rule all|XRULEID

help [full|COMMAND]

rename rule XRULEID NEWRULEID

rule (auto|RULEID) [POSITION_VALUE]

NGFW{running-firewall}?

Valid entries at this position are:

default-block-rule Apply action set for default block rule

delete Delete firewall rule

help Display help information

rename Rename a firewall rule

rule Create or enter a rule context

Related commands

running-firewall Context Commands

gen


Enters general context mode.

Syntax gen

Example

NGFW{running}gen

NGFW{running-gen}help

Valid commands are:

# System commands

timezone (GMT|(REGION CITY))

# Manage context

display [xml]

# Other commands

arp A.B.C.D INTERFACE MAC

auto-restart enable|disable

delete arp all|(ENTRY INTERFACE)

delete host NAME|all

delete ndp all|(ENTRY INTERFACE)

ephemeral-port-range default|(LOWRANGE HIGHRANGE)

forwarding ipv4|ipv6 enable|disable

help [full|COMMAND]

host NAME A.B.C.D|X:X::X:X

https enable|disable

inband-management enable|disable

management-service all|dns|email|ldap|ntp|radius|remote-syslog|snmp management|network

ndp X:X::X:X INTERFACE MAC

ssh enable|disable

xmsd remote (port PORT [address A.B.C.D])|disable

NGFW{running-gen}?

Valid entries at this position are:

arp Configure static ARP entry

auto-restart Enable/disable automatic restart on detection of critical problem

delete Delete file or configuration item

display Display general context

ephemeral-port-range Set the range of the ephemeral port (default is 32768-61000)

forwarding Enable or disable IPv4/IPv6 forwarding

help Display help information

host Configure static address to host name association

https Enable or disable WEB server configuration

inband-management Inband Management

management-service Management of a service to use management port or network port

ndp Configure static NDP entry

ssh Enable or disable ssh service

timezone Display or configure time zone

Related commands

running-gen Context Commands

global-inspection

Enters global-inspection context mode.

Syntax global-inspection

Example

NGFW{running}global-inspection

NGFW{running-global-inspection}help

Valid commands are:

default-inspection (ips-profile IPSPROFILE|none)|(reputation-profile REPPROFILE|none)

unknown-app (ips-profile IPSPROFILE|none)|(reputation-profile REPPROFILE|none)

display [xml]

help [full|COMMAND]

NGFW{running-global-inspection}?

Valid entries at this position are:

default-inspection Apply default inspection profile

display Display global inspection profile configuration

help Display help information

unknown-app Apply inspection profile during application detection phase

Related commands

running-global-inspection Context Commands

high-availability

Enters high-availability context mode.

Syntax high-availability

Examples

NGFW{running}high-availability

NGFW{running-high-availability}help

Valid commands are:

delete failover-group base-mac

delete failover-group name

enable|disable

failover-group base-mac X:X:X:X:X:X

failover-group name NAME

help [full|COMMAND]

state-sync (global [enable|disable])|(FEATURE [enable|disable|(log-level SEVERITY)])

NGFW{running-high-availability}?

Valid entries at this position are:

delete Delete file or configuration item

disable Disable high-availability

enable Enable high-availability

failover-group Failover Group

help Display help information

state-sync State synchronization

NGFW{running-high-availability}help state-sync

Enable or disable high-availability (enable|disable)

Syntax: state-sync (global [enable|disable])|(FEATURE [enable|disable|(log-level SEVERITY)])

state-sync State synchronization

global Turn state synchronization on or off

enable Enable state synchronization

disable Disable state synchronization

FEATURE Specify a state synchronization table

Possible values for FEATURE are:

firewall Firewall state synchronization table

ips IPS state synchronization table

routing Routing state synchronization table

log-level Specify logging level

SEVERITY Log service severity

Possible values for SEVERITY are:

emergency Panic condition messages

alert Immediate problem condition messages

critical Critical condition messages

error Error messages

warning Warning messages

notice Special condition messages

info Informational messages

debug Debug messages

none Turn off messages

NGFW{running-high-availability}state-sync ?

Valid entries at this position are:

firewall Firewall state synchronization table

ips IPS state synchronization table

routing Routing state synchronization table

global Turn state synchronization on or off

Related commands

running-high-availability Context Commands

interface

Enters interface context mode. The X represents a number to be entered, such as bridge2.

Syntax

# Enter context

interface agglinkX

interface bridgeX

interface ethernetX

interface greX

interface l2tpX

interface loopbackX

interface mgmt

interface pppoeX

interface pptpX

interface vlanX

Example

NGFW{running}interface bridge2

NGFW{running-bridge2}?

Valid entries at this position are:

arp/ndp Enable or disable ARP and NDP on interface

autoconfv6 Enable or disable IPv6 autoconfiguration on interface

bind Bind bridged network interface over ethernet/VLAN/agglink

delete Delete file or configuration item

description Enter description for the interface

help Display help information

ip Configure IP settings

ipaddress Configure IP address

ipv6 Configure IPv6 settings

mtu Configure interface MTU

prefix Configure IPv6 prefix

ra-autoconf-level Modify IPv6 Router Advertisement autoconfiguration level

ra-interval Modify IPv6 Router Advertisement interval value

ra-interval-transmit Modify IPv6 Router Advertisement interval transmit

ra-lifetime Modify IPv6 Router Advertisement prefix lifetime

ra-mtu Modify IPv6 Router Advertisement MTU value

ra-transmit-mode Modify IPv6 Router Advertisement transmit mode

router-advert Configure IPv6 Router Advertisement parameters

shutdown Shutdown logical interface state

tcp4mss Configure interface TCP MSS for IPv4

tcp6mss Configure interface TCP MSS for IPv6

NGFW{running-bridge2}help

Related commands

running-agglinkX Context Commands

running-bridgeX Context Commands

running-ethernetX Context Commands

running-greX Context Commands

running-l2tpX Context Commands

running-loopbackX Context Commands

running-mgmt Context Commands

running-pppoeX Context Commands

running-pptpX Context Commands

running-vlanX Context Commands

ip

IP configuration mode.


Syntax

ip access-list NAME (permit|deny) A.B.C.D/M

ip as-path access-list NAME (permit|deny) ASN_FILTER

delete ip as-path access-list NAME (permit|deny) ASN_FILTER

ip community-list NAME (permit|deny) ((AA:NN)|internet|local-as|no-advertise|no-export)

delete ip community-list NAME (permit|deny) ((AA:NN)|internet|local-as|no-advertise|no-export)

ip prefix-list NAME (permit|deny) A.B.C.D/M [ge GE-VALUE] [le LE-VALUE]

ip route A.B.C.D/M A.B.C.D|INTERFACE [DISTANCE]

ipv6 route X:X::X:X/M (X:X::X:X[%INTERFACE])|INTERFACE [DISTANCE]

display ip route

Valid entries:

access-list Access list

as-path AS Path access list

community-list Community list

prefix-list Prefix list

route Add an IPv4 static route

Example

NGFW{running}ip access-list myaccesslist permit 0.0.0.0/0

NGFW{running}ip as-path access-list myasnaccesslist permit ^64496$

NGFW{running}delete ip as-path access-list myasnaccesslist permit ^64496$

NGFW{running}ip community-list mycommunitylist permit 64496:100

NGFW{running}ip community-list mycommunitylist permit internet

NGFW{running}delete ip community-list mycommunitylist permit 64496:100

NGFW{running}ip prefix-list myprefixlist permit 192.168.0.0/16 ge 24 le 24

NGFW{running}ip route 192.168.1.0/24 192.0.2.1 1

NGFW{running}ip route 192.168.1.0/24 ethernet5 1

NGFW{running}display ip route

# IPV4 ROUTES

ip route 192.168.1.0/24 192.0.2.1 1

ip route 192.168.1.0/24 ethernet5

ips


Enters IPS profile context mode.

Syntax ips

Example

NGFW{running}ips

Entering Immediate Commit Feature. Changes take effect immediately.

NGFW{running-ips}help

Valid commands are:

# Enter context

display-categoryrules

# Other commands

afc-mode AFCMODE

afc-severity SEVERITY

connection-table TIMEOUTTYPE SECONDS

delete profile XPROFILENAME

deployment-choices

display

gzip-decompression enable|disable

help [full|COMMAND]

profile PROFILENAME

quarantine-duration DURATION

rename profile XPROFILENAME NEWPROFILENAME

NGFW{running-ips}?

Valid entries at this position are:

afc-mode AFC mode

afc-severity AFC severity

connection-table Connection table timeout

delete Delete a profile

deployment-choices Get deployment choices

display Display all ips configuration and profiles

display-categoryrules Display category rules for all profiles

gzip-decompression GZIP decompression mode

help Display help information

profile Create/enter a IPS profile

quarantine-duration Quarantine duration

rename Rename a profile

Related commands

running-ips Context Commands

ipv6

IPv6 configuration

Syntax

ipv6 access-list NAME (permit|deny) X:X::X:X/M

ipv6 route X:X::X:X/M (X:X::X:X[%INTERFACE])|INTERFACE [DISTANCE]

display ipv6 route

Valid entries:

ipv6 IPv6 configuration

route Add static route

X:X::X:X/M Unicast IPv6 prefix address

X:X::X:X IPv6 address

INTERFACE Interface name

DISTANCE The distance value (1-255)

Example

NGFW{running}ipv6 access-list myipv6accesslist permit 100:0:0:0:0:0:0:0/64

NGFW{running}ipv6 route 2001:2:0:0:0:0:0:0/48 ethernet5 1

NGFW{running}ipv6 route 2001:2:0:0:0:0:0:0/48 100:0:0:0:0:0:0:1 1

NGFW{running}display ipv6 route

# IPV6 ROUTES

ipv6 route 2001:2::/48 ethernet5

ipv6 route 2001:2::/48 100::1

l2tp-serverX

Enters L2TP server context mode. The X represents a number, for example l2tp-server0.

Syntax l2tp-serverX

Example

NGFW{running}l2tp-server0

NGFW{running-l2tp-server0}help


Valid commands are:

auth enable|disable

auth shared-secret A.B.C.D|any secret-key

bind none|any|(A.B.C.D [port])

delete auth shared-secret A.B.C.D|all

help [full|COMMAND]

hiding enable|disable

sequencing enable|disable

NGFW{running-l2tp-server0}?

Valid entries at this position are:

auth Authenticated configuration

bind Configure bind service of L2TP server

delete Delete file or configuration item

help Display help information

hiding Enable or disable hiding configuration

sequencing Enable or disable sequence configuration

Related commands

running-l2tp-serverX Context Commands

log

Enters log context mode. Note that the 'Management Console' notification contact for the Audit log cannot be modified.

Syntax log

Example

NGFW{running}log

NGFW{running-log}help

Valid commands are:

delete log audit CONTACT-NAME

delete log quarantine CONTACT-NAME

delete log system CONTACT-NAME

delete log vpn CONTACT-NAME

delete log-option fib events|kernel|memory|packet [recv|send]

delete log-option ppp( all)|( DEL-PPP-LOG-OPTION){1,10}

delete log-option xmsd( all)|( LOG_OPTION)

help [full|COMMAND]

log audit CONTACT-NAME [ALL|none]

log quarantine CONTACT-NAME [ALL|none]

log system CONTACT-NAME [SEVERITY]

log vpn CONTACT-NAME [SEVERITY]

log-option fib events|kernel|memory|packet [recv|send]

log-option ppp( all)|( PPP-LOG-OPTION){1,255}

log-option xmsd( all)|( LOG_OPTION)

sub-system SUBSYSTEM [SEVERITY]

NGFW{running-log}?

Valid entries at this position are:

delete Delete file or configuration item

help Display help information

log Add a Notification Contact to a log service

log-option Add service log option

sub-system set sub-system log level


NGFW{running-log}display

# LOG SERVICES

log system "Management Console" notice

#log audit "Management Console" ALL

log vpn "Management Console" info

log quarantine "Management Console" ALL

# SUB-SERVICES

sub-system INIT info

sub-system XMS notice

sub-system TOS info

sub-system HTTPD notice

sub-system GATED none

sub-system LOGIN notice

sub-system PACEMAKER error

sub-system COROSYNC notice

sub-system CRMADMIN none

Related commands

running-log Context Commands

multicast-registration

Enters multicast registration context mode.

Syntax multicast-registration

Example

NGFW{running}multicast-registration

NGFW{running-multicast-registration}help

Valid commands are:

help [full|COMMAND]

igmp-version default|(mode MODE IGMPvX)

mld-version default|(mode MODE MLDvX)

NGFW{running-multicast-registration}?

Valid entries at this position are:

help Display help information

igmp-version Configure system IGMP version

mld-version Configure system MLD version

NGFW{running-multicast-registration}igmp-version mode ?

Valid entry at this position is:

MODE Define IGMP mode (force or default)

Related commands

running-multicast-registration Context Commands

notifycontacts

Enters notify contacts context mode.

Syntax notifycontacts

Example

NGFW{running}notifycontacts


Entering Immediate Commit Feature. Changes take effect immediately.

NGFW{running-notifycontacts}help

Valid commands are:

contact CONTACTNAME

contact NEWNAME email

contact NEWNAME snmp COMMUNITY IP [PORT]

delete contact XCONTACTNAME

display

email-from-address EMAIL

email-from-domain DOMAIN

email-server IP

email-threshold THRESHOLD

email-to-default-address EMAIL

help [full|COMMAND]

rename contact XCONTACTNAME NEWNAME

NGFW{running-notifycontacts}?

Valid entries at this position are:

contact Create or edit a notify contact

delete Delete file or configuration item

display Display all available contacts

email-from-address From email address

email-from-domain From domain name

email-server Set mail server IP

email-threshold Set email threshold

email-to-default-address Default to email address

help Display help information

rename Rename contact with new name

Related commands

running-notifycontacts (email) Context Commands

ntp


Enters NTP context mode.

Syntax ntp

Example

NGFW{running}ntp

NGFW{running-ntp}help

Valid commands are:

delete key all|ID

delete server all|HOST

help [full|COMMAND]

key (1-65535) VALUE

ntp enable|disable

polling-interval SECONDS

server dhcp|NAME [key ID] [prefer]

NGFW{running-ntp}?

Valid entries at this position are:

delete Delete file or configuration item

help Display help information

key Configure NTP authentication key

ntp Enable or disable NTP

polling-interval Configure minimum polling interval

server Configure remote NTP server

Related commands

running-ntp Context Commands

reputation

Enters Reputation context mode.

Syntax reputation

Example

NGFW{running}reputation

Entering Immediate Commit Feature. Changes take effect immediately.

NGFW{running-rep}help

Valid commands are:

delete group USERGROUP

delete profile XPROFILENAME

display

group USERGROUP

help [full|COMMAND]

profile PROFILENAME

rename group USERGROUP NEWUSERGROUP

rename profile XPROFILENAME NEWPROFILENAME

NGFW{running-rep}?

Valid entries at this position are:

delete Delete file or configuration item

display Display all reputation profiles and groups

group Create/enter reputation group context

help Display help information

profile Create/enter reputation profile context

rename Rename a reputation profile or group

Related commands

running-rep Context Commands

route-map

Allows you to configure the route-map.

Syntax route-map ROUTE-MAP-NAME (permit|deny) ENTRY-POSITION

Example

NGFW{running}help route-map

Enter the route-map context

Syntax: route-map ROUTE-MAP-NAME permit|deny ENTRY-POSITION

route-map Enter the route-map context

ROUTE-MAP-NAME Route-map name

permit Permit the network prefix

deny Deny the network prefix

ENTRY-POSITION Position of the route-map entry (1-65535)

Related commands

running-route-map Context Commands


router

Enters the specified router protocol context.

Syntax

router bgp ASNUMBER

router ospf

router ospfv3

router pim-smv4

router pim-smv6

router rip

router ripng

router smr

Valid entries:

bgp Enter the BGP context

ASNUMBER The autonomous system number (1-2147483647)

ospf Enter the OSPF context

ospfv3 Enter the OSPFv3 context

pim-smv4 Enter the PIM-SM IPv4 context

pim-smv6 Enter the PIM-SM IPv6 context

rip Enter the RIP context

ripng Enter the RIPng context

smr Enter the SMR context

Example

NGFW{running}router ospf

NGFW{running}router ospfv3

NGFW{running}router pim-smv4

NGFW{running}router pim-smv6

NGFW{running}router rip

NGFW{running}router ripng

NGFW{running}router smr

NGFW{running}router bgp

Related commands

running-ospf Context Commands

running-ospfv3 Context Commands

running-bgp-X Context Commands

running-rip Context Commands

running-ripng Context Commands

running-pim-smv4 Context Commands

running-pim-smv6 Context Commands

running-smr Context Commands

schedules

Enters schedules context mode.

Syntax schedules

Example

NGFW{running}schedules

NGFW{running-schedules}help

Valid commands are:


delete schedule all|SCHEDULENAME

help [full|COMMAND]

rename schedule SCHEDULENAME NEWSCHEDULENAME

schedule SCHEDULENAME

NGFW{running-schedules}?

Valid entries at this position are:

delete Delete a schedule

help Display help information

rename Rename a schedule

schedule Create or enter a schedule context

Related commands

running-schedules Context Commands

segmentX

Enters Segment context mode. The X represents a segment number, for example segment0.

Syntax segmentX

Example

NGFW{running}segment0

NGFW{running-segment0}help

Valid commands are:

# Enter context

bind bind

delete bind|high-availability|link-down

high-availability mode

link-down breaker [wait-time WAIT-TIME]

link-down hub

link-down wire [wait-time WAIT-TIME]

restart

# Other commands

description TEXT

help [full|COMMAND]

NGFW{running-segment0}?

Valid entries at this position are:

bind Bind ethernet port pairs to segment

delete Delete file or configuration item

description Enter description for the segment

help Display help information

high-availability Intrinsic HA Layer 2 Fallback action

link-down Link down synchronization mode

restart Restart both Ethernet ports of segment

NGFW{running-segment0}help bind

Bind ethernet port pairs to segment

Syntax: bind bind

bind Bind ethernet port pairs to segment

bind ethernet port pairs

Related commands

running-segmentX Context Commands


services

Enters services context mode.

Syntax services

Example

NGFW{running}services

NGFW{running-services}help

Valid commands are:

delete service all|USERSERVICENAME

help [full|COMMAND]

rename service USERSERVICENAME NEWSERVICENAME

restore-default

service SERVICENAME

NGFW{running-services}?

Valid entries at this position are:

delete Delete service(s)

help Display help information

rename Rename service

restore-default Restore default services

service Create or enter a service context

Related commands

running-services Context Commands

snmp

Enters SNMP context mode.

Syntax snmp

Example

NGFW{running}snmp

NGFW{running-snmp}help

Valid commands are:

authtrap enable|disable

community COMMUNITY SOURCE

delete community COMMUNITY|all

delete trapsession (HOST ver VERSION)|all

delete username (USERNAME|all)

engineID ENGINE-ID

help [full|COMMAND]

snmp enable|disable

trapsession HOST [port PORT] ver 2c COMMUNITY [inform]

trapsession HOST [port PORT] ver 3 USERNAME level noAuthNoPriv [inform]

trapsession HOST [port PORT] ver 3 USERNAME level authNoPriv authtype AUTHTYPE AUTHPASS [inform]

trapsession HOST [port PORT] ver 3 USERNAME level authPriv authtype AUTHTYPE AUTHPASS privproto PRIVPROTO [PRIVPASS] [inform]

username USERNAME level noAuthNoPriv

username USERNAME level authNoPriv authtype AUTHTYPE AUTHPASS

username USERNAME level authPriv authtype AUTHTYPE AUTHPASS privproto PRIVPROTO [PRIVPASS]

NGFW{running-snmp}?

Valid entries at this position are:

authtrap Configure SNMP authentication failure trap

community Configure SNMP read-only community

delete Delete file or configuration item

engineID Configure SNMPv3 engine ID

help Display help information

snmp Enable or disable SNMP

trapsession Configure a trap/inform

username Configure SNMPv3 USM read-only user

Related commands

running-snmp Context Commands

80 Edit Running Configuration Commands

src-nat

Enters source NAT context mode.

Syntax src-nat

Example

NGFW{running}src-nat

NGFW{running-snat}help

Valid commands are:

delete rule all|SRCNATRULEID

help [full|COMMAND]

rule (auto|SRCNATRULEID) [POSITION_VALUE]

NGFW{running-snat}?

Valid entries at this position are:

delete Delete source NAT rule(s)

help Display help information

rename Rename source NAT rule

rule Create or enter a rule context

Related commands

running-snat Context Commands

vpn

Enters VPN context mode.

Syntax vpn ipsec

Example

NGFW{running}vpn ipsec

NGFW{running-ipsec}help

Valid commands are:

delete log vpn CONTACT-NAME

delete phase1 proposal (all|NAME)

delete phase2 proposal (all|NAME)

delete policy (all|NAME)

delete pre-shared-keys (all|A.B.C.D|X:X::X:X|HOSTNAME) [vrf-id ID|any]

delete retransmit-timeout

delete retransmit-tries

delete trust (all|CANAME)

delete user


delete vpn (all|NAME)

help [full|COMMAND]

ipsec enable|disable

log vpn CONTACT-NAME [SEVERITY]

manual

phase1 VERSION proposal NAME

phase2 VERSION proposal NAME

policy NAME [PRIORITY]

pre-shared-key local A.B.C.D|X:X::X:X|LFQDN remote A.B.C.D|X:X::X:X|RFQDN|any

retransmit-timeout TIMEOUT

retransmit-tries COUNT

trust CANAME

user

vpn NAME

NGFW{running-ipsec}?

Valid entries at this position are:

delete Delete file or configuration item

help Display help information

ipsec Enable or disable IPsec

log Add a Notification Contact to a log service

manual Enter manual Security Association context

phase1 Enter Phase1 proposal context

phase2 Enter Phase2 proposal context

policy Enter IPSec Policy context

pre-shared-key Configure pre-shared key (start with 0x for hexadecimal key)

retransmit-timeout Configure IKEv2 Dead Peer Detection retransmission timeout in seconds

retransmit-tries Configure IKEv2 Dead Peer Detection maximum retransmission tries

trust Configure certification authority trust

user Enter VPN user context

vpn Enter VPN context

Related commands

running-ipsec Context Commands

zones

Enters security zone context mode.

Syntax zones

Example

NGFW{running}zones

NGFW{running-zones}help

Valid commands are:

delete zone all|ZONENAME

help [full|COMMAND]

rename zone ZONENAME NEWZONENAME

zone ZONENAME


NGFW{running-zones}?

Valid entries at this position are:

delete Delete security zone(s)

help Display help information

rename Rename a specified zone

zone Enter security zone context

Related commands

running-zones Context Commands

Contexts and Related Commands

running-aaa Context Commands

NGFW{running-aaa}delete

Delete file or configuration item.

Syntax delete ldap-group (LDAPNAME|all)
delete radius-group (RADIUSNAME|all)
delete role (ROLE|all)
delete user (USER|all)
delete user-group (USERGROUP|all)

Example

NGFW{running}aaa

NGFW{running-aaa}delete ldap-group group1

NGFW{running-aaa}delete radius-group group1

NGFW{running-aaa}delete role myrole1

NGFW{running-aaa}delete user myuser1

NGFW{running-aaa}delete user-group group1

NGFW{running-aaa}display

Display configuration.

Syntax display ldap-group LDAPGROUP [xml]
display ldap-schema (active-directory|novell-edirectory|fedora-ds|rfc2798|rfc2307nis|samba|custom) [xml]
display login-settings [xml]
display password-settings [xml]
display radius-group RADIUSGROUP [xml]
display remote-login-group [xml]
display role ROLE [xml]
display user USER [xml]
display usergroup USERGROUP [xml]

Example

NGFW{running-aaa}display ldap-group group1

NGFW{running-aaa}display ldap-schema active-directory

NGFW{running-aaa}display login-settings

NGFW{running-aaa}display password-settings

NGFW{running-aaa}display radius-group group1

NGFW{running-aaa}display remote-login-group

NGFW{running-aaa}display role superuserRole

NGFW{running-aaa}display user myuser1

NGFW{running-aaa}display usergroup group1

NGFW{running-aaa}ldap-group

Configure LDAP group. Maximum number of groups is two.


Syntax ldap-group LDAPNAME

Example

NGFW{running-aaa}ldap-group mygroup

NGFW{running-aaa}ldap-schema

Configure LDAP schema.

Syntax ldap-schema SCHEMA

SCHEMA

(active-directory|novell-edirectory|fedora-ds|rfc2798|rfc2307nis|samba|custom)

Example

NGFW{running-aaa}ldap-schema custom

NGFW{running-aaa-ldap-schema-custom}

NGFW{running-aaa}login

Configure login settings.

Syntax login maximum-attempts (0-10)
login failure-action (lockout|lockout-disable|audit)
login lockout-period MINUTES

MINUTES Value range is 0 - 1440

Example

NGFW{running-aaa}login failure-action lockout

NGFW{running-aaa}password

Configure password settings.

Syntax password quality (basic|maximum|none)
password expiry-time (10d|20d|30d|45d|60d|90d|6m|1y)
password expiry-action (force-change|notify-user|disable-account)

Example

NGFW{running-aaa}password quality maximum

NGFW{running-aaa}password expiry-time 30d

NGFW{running-aaa}password expiry-action force-change

NGFW{running-aaa}radius-group

Configure RADIUS group. Maximum number of RADIUS groups is two.

Syntax radius-group RADIUSNAME

Example

NGFW{running-aaa}radius-group group1


NGFW{running-aaa}remote-login-group

Configure LDAP or RADIUS group to use for either network or administrative login.

Syntax remote-login-group (network|administrator) (GROUP|none)

Example

NGFW{running-aaa}remote-login-group administrator group1

NGFW{running-aaa}role

Configure an access role.

Syntax role ROLE [OLDROLE]

Example

NGFW{running-aaa}role myrole1

NGFW{running-aaa}user

Configure a user identified by name.

Syntax user NAME

Example

NGFW{running-aaa}user myuser1

NGFW{running-aaa}user-group

Configure a user group identified by name.

Syntax user-group GROUPNAME

Example

NGFW{running-aaa}user-group group1

running-aaa-ldap-group-X Context Commands

NGFW{running-aaa-ldap-group-mygroup1}base-dn

Configure base distinguished name (DN).

Syntax base-dn DN

Example

NGFW{running-aaa}ldap-group mygroup1

NGFW{running-aaa-ldap-group-mygroup1}base-dn DC=example,DC=com

NGFW{running-aaa-ldap-group-mygroup1}bind-dn

Configure bind distinguished name (DN).


Syntax bind-dn DN

Example

NGFW{running-aaa-ldap-group-mygroup1}bind-dn CN=admin,OU=People,DC=example,DC=com

NGFW{running-aaa-ldap-group-mygroup1}bind-password

Configure LDAP bind password.

Syntax bind-password PASSWORD

Example

NGFW{running-aaa-ldap-group-mygroup1}bind-password mysecret

NGFW{running-aaa-ldap-group-mygroup1}delete

Delete file or configuration item.

Syntax delete server (ADDRESS|all)

Example

NGFW{running-aaa-ldap-group-mygroup1}delete server 192.168.1.1

NGFW{running-aaa-ldap-group-mygroup1}port

Configure LDAP port.

Syntax port <0-65535>

Example

NGFW{running-aaa-ldap-group-mygroup1}port 389

NGFW{running-aaa-ldap-group-mygroup1}retries

Configure server(s) retries.

Syntax retries RETRY

Example

NGFW{running-aaa-ldap-group-mygroup1}retries 3

NGFW{running-aaa-ldap-group-mygroup1}schema

Configure Schema.

Syntax schema (active-directory|fedora-ds|novell-edirectory|rfc2307nis|rfc2798|samba|custom)

Example

NGFW{running-aaa-ldap-group-mygroup1}schema active-directory


NGFW{running-aaa-ldap-group-mygroup1}server

Configure LDAP server address.

Syntax server (A.B.C.D|X:X::X:X) priority (1-6)

Example

NGFW{running-aaa-ldap-group-mygroup1}server 192.168.1.1 priority 1

NGFW{running-aaa-ldap-group-mygroup1}server 192.168.1.2 priority 2

NGFW{running-aaa-ldap-group-mygroup1}timeout

Configure timeout.

Syntax timeout SECONDS

Example

NGFW{running-aaa-ldap-group-mygroup1}timeout 10

NGFW{running-aaa-ldap-group-mygroup1}tls

Configure TLS for connections to the LDAP servers in this group. Without require-valid-server-cert the session is encrypted but the server is not authenticated, so an on-path host presenting any certificate can capture the bind password and user credentials; enable it wherever the directory's CA can be trusted by the appliance.

Syntax tls (enable|disable)
tls start-tls (enable|disable)
tls require-valid-server-cert (enable|disable)

Example

NGFW{running-aaa-ldap-group-mygroup1}tls enable

NGFW{running-aaa-ldap-group-mygroup1}tls require-valid-server-cert enable

NGFW{running-aaa-ldap-group-mygroup1}tls start-tls enable

NGFW{running-aaa-ldap-group-mygroup1}version

Configure LDAP version.

Syntax version (2|3)

Example

NGFW{running-aaa-ldap-group-mygroup1}version 3

running-aaa-radius-group-X Context Commands

NGFW{running-aaa-radius-group-2}default-usergroup

Configure the default user group for this RADIUS group.

Syntax default-usergroup GROUP|none

Example

NGFW{running-aaa}radius-group 2

NGFW{running-aaa-radius-group-2}default-usergroup administrator


NGFW{running-aaa-radius-group-2}delete

Delete file or configuration item.

Syntax delete server (A.B.C.D|X:X::X:X|all)

Example

NGFW{running-aaa-radius-group-2}delete server 192.168.1.1

NGFW{running-aaa-radius-group-2}retries

Configure server retries.

Syntax retries (0-5)

Example

NGFW{running-aaa-radius-group-2}retries 3

NGFW{running-aaa-radius-group-2}server

Configure server.

Syntax server (A.B.C.D|X:X::X:X) [PORT] password PASSWORD priority (1-6) timeout (0-300) [nas-id NASID]

Example

NGFW{running-aaa-radius-group-2}server 192.168.1.1 1812 password mysecret priority 1 timeout 10 nas-id 1

NGFW{running-aaa-radius-group-2}server 192.168.1.7 1812 password mysecret priority 2 timeout 10 nas-id 1
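The SNMP context above and the aaa login, password, ldap-group tls and radius-group server commands each offer a weaker and a stronger form. The following Python audit, an added example rather than anything from the reference or the appliance, walks a constructed list of (context, command) pairs written in this reference's syntax and flags the weak forms: v2c communities and trapsessions, SNMPv3 users below authPriv, failure-action audit, password quality below maximum, LDAPv2, TLS without server-certificate validation, an ldap-group with no tls enable, and short RADIUS secrets. The minimum secret length, the sample addresses and secrets, and the assumption that the appliance's display output can be turned into such pairs are all the example's own.

```python
"""Audit NGFW management-plane settings for weak choices.

Added example, not code from the HP TippingPoint reference or the appliance.
Input: (context, command) pairs in the syntax this reference documents; the
sample below is constructed, and the real `display` output may not be in
this shape. The rules encode common hardening expectations, not statements
made by the manual.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    context: str
    line: str
    issue: str


# Constructed sample configuration: (context name, line typed in that context).
SAMPLE_CONFIG = [
    ("running-snmp", "snmp enable"),
    ("running-snmp", "community public 192.168.1.0/24"),
    ("running-snmp", "username monitor level noAuthNoPriv"),
    ("running-snmp", "username nms level authPriv authtype SHA Longer-Auth-Pass-1 privproto AES"),
    ("running-snmp", "trapsession 192.168.1.50 ver 2c public inform"),
    ("running-aaa", "login maximum-attempts 5"),
    ("running-aaa", "login failure-action audit"),
    ("running-aaa", "password quality basic"),
    ("running-aaa-ldap-group-mygroup1", "server 192.168.1.1 priority 1"),
    ("running-aaa-ldap-group-mygroup1", "version 2"),
    ("running-aaa-ldap-group-mygroup1", "tls enable"),
    ("running-aaa-ldap-group-mygroup1", "tls require-valid-server-cert disable"),
    ("running-aaa-radius-group-2",
     "server 192.168.1.1 1812 password mysecret priority 1 timeout 10 nas-id 1"),
]

WEAK_SNMP_LEVELS = {"noAuthNoPriv", "authNoPriv"}
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_RADIUS_SECRET = 16  # assumed local policy; the manual sets no minimum


def _snmp_version(words):
    """Return the token after 'ver' in a trapsession line, or None."""
    return words[words.index("ver") + 1] if "ver" in words[:-1] else None


def audit(config):
    """Return a Finding for every weak setting in the (context, line) pairs."""
    findings = []
    ldap_groups, ldap_with_tls = set(), set()
    for ctx, line in config:
        words = line.split()
        if not words:
            continue
        cmd = words[0]
        if ctx == "running-snmp":
            if cmd == "community" and len(words) > 1:
                issue = ("SNMPv2c community: the string is the only credential; "
                         "prefer an SNMPv3 username at level authPriv")
                if words[1].lower() in DEFAULT_COMMUNITIES:
                    issue = "default community name '%s'; %s" % (words[1], issue)
                findings.append(Finding(ctx, line, issue))
            elif cmd == "username" and WEAK_SNMP_LEVELS & set(words):
                findings.append(Finding(ctx, line,
                    "SNMPv3 user below authPriv: not both authenticated and encrypted"))
            elif cmd == "trapsession" and _snmp_version(words) == "2c":
                findings.append(Finding(ctx, line,
                    "trap/inform uses a v2c community sent in cleartext"))
        elif ctx == "running-aaa":
            if line.startswith("login failure-action") and words[-1] == "audit":
                findings.append(Finding(ctx, line,
                    "failed logins are only audited; no lockout slows password guessing"))
            elif line.startswith("password quality") and words[-1] != "maximum":
                findings.append(Finding(ctx, line, "password quality below maximum"))
        elif ctx.startswith("running-aaa-ldap-group-"):
            ldap_groups.add(ctx)
            if line == "tls enable":
                ldap_with_tls.add(ctx)
            elif line == "version 2":
                findings.append(Finding(ctx, line, "LDAPv2; use version 3"))
            elif line == "tls require-valid-server-cert disable":
                findings.append(Finding(ctx, line,
                    "server certificate not validated: bind password exposed to an on-path host"))
        elif ctx.startswith("running-aaa-radius-group-"):
            m = re.search(r"\bpassword (\S+)", line)
            if m and len(m.group(1)) < MIN_RADIUS_SECRET:
                findings.append(Finding(ctx, line,
                    "RADIUS shared secret shorter than %d characters" % MIN_RADIUS_SECRET))
    # An ldap-group with no 'tls enable' sends the bind DN and password in cleartext.
    for ctx in sorted(ldap_groups - ldap_with_tls):
        findings.append(Finding(ctx, "(no 'tls enable')",
                                "LDAP bind and lookups travel unencrypted"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("%s: %s\n    %s" % (f.context, f.line, f.issue))
```

Run against the constructed sample the audit reports eight findings; feed it the appliance's own settings, transcribed into the same (context, line) shape, to get a list you can work through with the commands in this chapter.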

running-actionsets Context Commands

Immediate Commit Feature. Changes take effect immediately.

NGFW{running-actionsets}actionset

Enter an action set context with defined name.

Syntax actionset ACTIONSETNAME

Example

NGFW{running}actionsets

NGFW{running-actionsets}actionset myactionset1

NGFW{running-actionsets}delete

Delete file or configuration item.

Syntax delete actionset ACTIONSETNAME

Example

NGFW{running-actionsets}delete actionset myactionset1


NGFW{running-actionsets}rename

Rename an action set.

Syntax rename actionset ACTIONSETNAME NEWACTIONSETNAME

Example

NGFW{running-actionsets}rename actionset myactionset1 myactionset2

running-actionsets-X Context Commands

NGFW{running-actionsets-myactionset1}action

Set action type. Available values: permit, rate-limit, block, trust.

Immediate Commit Feature. Changes take effect immediately.

Syntax action (permit|rate-limit|block|trust)

Example

NGFW{running-actionsets}actionset myactionset1

NGFW{running-actionsets-myactionset1}action rate-limit

NGFW{running-actionsets-myactionset1}allow-access

Allow quarantined host to access defined IP.

Syntax allow-access DESTIP

Example

NGFW{running-actionsets-myactionset1}allow-access 192.168.1.1

NGFW{running-actionsets-myactionset1}bytes-to-capture

Set bytes to capture for packet trace.

Syntax bytes-to-capture BYTES

Example

NGFW{running-actionsets-myactionset1}bytes-to-capture 6144

NGFW{running-actionsets-myactionset1}contact

Add a notify contact.

Syntax contact XCONTACTNAME

Example

NGFW{running-actionsets-myactionset1}contact mycontact1

NGFW{running-actionsets-myactionset1}contact "Management Console"


NGFW{running-actionsets-myactionset1}delete

Delete file or configuration item.

Syntax delete allow-access DESTIP
delete contact XCONTACTNAME
delete limit-quarantine SOURCEIP
delete no-quarantine SOURCEIP

Example

NGFW{running-actionsets-myactionset1}delete allow-access 192.168.1.1

NGFW{running-actionsets-myactionset1}delete contact mycontact1

NGFW{running-actionsets-myactionset1}delete limit-quarantine 192.168.1.1

NGFW{running-actionsets-myactionset1}delete no-quarantine 192.168.1.1

NGFW{running-actionsets-myactionset1}http-block

Set quarantine option to block HTTP traffic.

Syntax http-block

Example

NGFW{running-actionsets-myactionset1}http-block

NGFW{running-actionsets-myactionset1}http-custom

Set or clear HTTP custom text display option.

Syntax http-custom TEXT

Example

NGFW{running-actionsets-myactionset1}http-custom "my custom message"

NGFW{running-actionsets-myactionset1}http-redirect

Set redirect URL for HTTP redirect option.

Syntax http-redirect URL

Example

NGFW{running-actionsets-myactionset1}http-redirect https://www.example.com

NGFW{running-actionsets-myactionset1}http-showdesc

Set or clear HTTP show description display option.

Syntax http-showdesc (enable|disable)

Example

NGFW{running-actionsets-myactionset1}http-showdesc enable


NGFW{running-actionsets-myactionset1}http-showname

Set or clear HTTP show name display option.

Syntax http-showname (enable|disable)

Example

NGFW{running-actionsets-myactionset1}http-showname enable

NGFW{running-actionsets-myactionset1}limit-quarantine

Add IP for limit quarantine.

Syntax limit-quarantine SOURCEIP

Example

NGFW{running-actionsets-myactionset1}limit-quarantine 192.168.1.1

NGFW{running-actionsets-myactionset1}limit-rate

Set the rate value for rate-limit action.

Syntax limit-rate RATE

Example

NGFW{running-actionsets-myactionset1}limit-rate 1500

NGFW{running-actionsets-myactionset1}no-quarantine

Add IP for no quarantine.

Syntax no-quarantine SOURCEIP

Example

NGFW{running-actionsets-myactionset1}no-quarantine 192.168.1.1

NGFW{running-actionsets-myactionset1}nonhttp-block

Set quarantine option to block non-HTTP traffic.

Syntax nonhttp-block (enable|disable)

Example

NGFW{running-actionsets-myactionset1}nonhttp-block enable

NGFW{running-actionsets-myactionset1}packet-trace

Enable/disable packet trace option.

Syntax packet-trace (enable|disable)


Example

NGFW{running-actionsets-myactionset1}packet-trace enable

NGFW{running-actionsets-myactionset1}priority

Set packet trace priority.

Syntax priority PRIORITY

Example

NGFW{running-actionsets-myactionset1}priority medium

NGFW{running-actionsets-myactionset1}quarantine

Set quarantine option. Available options: no, immediate, threshold.

Syntax quarantine QUARANTINETYPE

Example

NGFW{running-actionsets-myactionset1}quarantine immediate

NGFW{running-actionsets-myactionset1}tcp-reset

Set tcp reset option for block action. Available options: none (disable), source, dest, or both.

Syntax tcp-reset (none|source|dest|both)

Example

NGFW{running-actionsets-myactionset1}tcp-reset both

NGFW{running-actionsets-myactionset1}threshold

Set quarantine threshold value.

Syntax threshold (2-10000) (1-60)

Example

NGFW{running-actionsets-myactionset1}threshold 200 5

NGFW{running-actionsets-myactionset1}verbosity

Set packet trace verbosity.

Syntax verbosity (partial|full)

Example

NGFW{running-actionsets-myactionset1}verbosity full
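The quarantine options in this context (quarantine, threshold, no-quarantine, limit-quarantine, allow-access, http-block and nonhttp-block) are documented one command at a time, but they act together on each source. The following Python model, an added example that is not the appliance's code and is not derived from its implementation, shows one consistent reading of how they combine. Because the page does not state them, the sliding-window reading of threshold and its second value being minutes, the meaning of limit-quarantine as restricting quarantine to the listed sources, and all sample IP addresses and hit times are assumptions.

```python
"""Model of how an action set's quarantine options interact.

Added example; this is not the appliance's code, and the manual does not
describe its internal algorithm. Assumptions, because the page does not state
them: `threshold HITS MINUTES` quarantines a source once it causes HITS filter
hits inside any MINUTES-long sliding window; `no-quarantine` sources are never
quarantined; a non-empty `limit-quarantine` list restricts quarantine to the
listed sources; `allow-access` lists destinations a quarantined host may still
reach; `http-block` / `nonhttp-block` decide what else it may reach.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ActionSet:
    quarantine: str = "no"            # no | immediate | threshold
    threshold_hits: int = 2           # CLI range 2-10000
    threshold_minutes: int = 1        # CLI range 1-60 (unit assumed to be minutes)
    no_quarantine: set = field(default_factory=set)
    limit_quarantine: set = field(default_factory=set)
    allow_access: set = field(default_factory=set)
    http_block: bool = False
    nonhttp_block: bool = False


def threshold_in_range(hits, minutes):
    """Mirror the value ranges the `threshold` command accepts."""
    return 2 <= hits <= 10000 and 1 <= minutes <= 60


class QuarantineModel:
    def __init__(self, aset):
        if aset.quarantine == "threshold" and not threshold_in_range(
                aset.threshold_hits, aset.threshold_minutes):
            raise ValueError("threshold values outside the CLI's accepted range")
        self.aset = aset
        self.hits = defaultdict(deque)   # source IP -> hit timestamps (seconds)
        self.quarantined = set()

    def hit(self, src, ts):
        """Record a filter hit from src at time ts; return True if src is quarantined."""
        aset = self.aset
        if src in self.quarantined:
            return True
        if aset.quarantine == "no" or src in aset.no_quarantine:
            return False
        if aset.limit_quarantine and src not in aset.limit_quarantine:
            return False
        if aset.quarantine == "immediate":
            self.quarantined.add(src)
            return True
        window = aset.threshold_minutes * 60
        recent = self.hits[src]
        recent.append(ts)
        while recent and ts - recent[0] >= window:   # age out hits beyond the window
            recent.popleft()
        if len(recent) >= aset.threshold_hits:
            self.quarantined.add(src)
            return True
        return False

    def permits(self, src, dst, is_http):
        """Would traffic src -> dst still be forwarded under the quarantine settings?"""
        if src not in self.quarantined or dst in self.aset.allow_access:
            return True
        return not (self.aset.http_block if is_http else self.aset.nonhttp_block)


if __name__ == "__main__":
    # Constructed scenario: threshold 3 hits in 1 minute, remediation server allowed.
    aset = ActionSet(quarantine="threshold", threshold_hits=3, threshold_minutes=1,
                     allow_access={"192.168.1.1"}, http_block=True, nonhttp_block=True)
    model = QuarantineModel(aset)
    for t in (0, 30, 59):   # hit times in seconds
        print("t=%d quarantined=%s" % (t, model.hit("10.0.0.7", t)))
    print(model.permits("10.0.0.7", "192.168.1.1", is_http=False))  # allow-access host
    print(model.permits("10.0.0.7", "8.8.8.8", is_http=True))       # blocked by http-block
```

The model makes one practical point visible: with both http-block and nonhttp-block set, a quarantined host can reach only the allow-access destinations, so the remediation or notification server must be listed there before the action set is used for quarantine.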


running-addressgroups Context Commands

NGFW{running-addressgroups}addressgroup

Create or enter an address group context.

Syntax addressgroup GROUPNAME

Example

NGFW{running}addressgroups

NGFW{running-addressgroups}addressgroup mygroup1

NGFW{running-addressgroups-mygroup1}

NGFW{running-addressgroups}delete

Delete address group parameters.

Syntax delete addressgroup (all|GROUPNAME)

Example

NGFW{running-addressgroups}delete addressgroup mygroup1

NGFW{running-addressgroups}delete addressgroup all

running-addressgroups-X Context Commands

NGFW{running-addressgroups-mygroup1}delete

Delete address group parameters.

Syntax delete group (all|GROUPNAME)
delete ipaddress (all|A.B.C.D/M|X:X::X:X/M)
delete range (all|A.B.C.D A.B.C.D|X:X::X:X X:X::X:X)

Example

NGFW{running-addressgroups}addressgroup mygroup1

NGFW{running-addressgroups-mygroup1}delete range 192.168.1.100 192.168.1.200

NGFW{running-addressgroups-mygroup1}description

Apply address group description.

Syntax description TEXT

Example

NGFW{running-addressgroups-mygroup1}description "my address group 1"

NGFW{running-addressgroups-mygroup1}group

Add a group to this group.

Syntax group GROUPNAME


Example

NGFW{running-addressgroups-mygroup1}group mygroup2

NGFW{running-addressgroups-mygroup1}ipaddress

Apply IPv4 or IPv6 address.

Syntax ipaddress (A.B.C.D|A.B.C.D/M|X:X::X:X|X:X::X:X/M)

Example

NGFW{running-addressgroups-mygroup1}ipaddress 192.168.1.1

NGFW{running-addressgroups-mygroup1}ipaddress 192.168.1.0/24

NGFW{running-addressgroups-mygroup1}range

Apply IPv4 or IPv6 address range.

Syntax range (A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X)

Example

NGFW{running-addressgroups-mygroup1}range 192.168.1.100 192.168.1.200

running-agglinkX Context Commands

NGFW{running}interface agglink0

NGFW{running-agglink0}arp/ndp

Enable or disable ARP and NDP on interface.

Syntax arp/ndp (enable|disable)

Example

NGFW{running-agglink0}arp/ndp enable

NGFW{running-agglink0}autoconfv6

Enable or disable IPv6 auto-configuration on interface.

Syntax autoconfv6 (enable|disable)

Example

NGFW{running-agglink0}autoconfv6 enable

NGFW{running-agglink0}bind

Bind agglink network interface over specific ethernet or bridge port.

Syntax bind PORT mode (passive|static|active) [priority PRIORITY]

Port priority: (0-65535) default 32768, lowest value has highest priority


Example

NGFW{running-agglink0}bind ethernet5 mode active priority 1

NGFW{running-agglink0}bind ethernet6 mode active priority 1

NGFW{running-agglink0}bind ethernet7 mode active priority 1

NGFW{running-agglink0}bind ethernet8 mode active priority 1

NGFW{running-agglink0}delete

Delete file or configuration item.

Syntax delete bind (all|PORT)
delete ip igmp
delete ip igmp version
delete ip ospf area
delete ip ospf authentication mode md5 (1-255) KEY
delete ip ospf authentication mode text KEY
delete ip ospf cost (1-65535)
delete ip ospf dead-interval (1-65535)
delete ip ospf hello-interval (1-65535)
delete ip ospf priority (0-255)
delete ip ospf retransmit-interval (3-65535)
delete ip ospf transmit-delay (1-65535)
delete ip rip
delete ip rip authentication mode md5
delete ip rip authentication mode text
delete ip rip receive version (v1-only|v2-only|v1-or-v2)
delete ip rip send version (v1-only|v2-only|v1-or-v2)
delete ip rip split-horizon
delete ipaddress (all|A.B.C.D/M|X:X::X:X/M)
delete ipaddress dhcpv4
delete ipaddress dhcpv6
delete ipv6 mld
delete ipv6 mld version
delete ipv6 ospfv3 area
delete ipv6 ospfv3 cost
delete ipv6 ospfv3 dead-interval
delete ipv6 ospfv3 hello-interval
delete ipv6 ospfv3 priority
delete ipv6 ospfv3 retransmit-interval
delete ipv6 ospfv3 transmit-delay
delete ipv6 ripng
delete ipv6 ripng split-horizon
delete prefix (all|X:X::X:X/M)
delete shutdown

Example

NGFW{running-agglink0}delete bind ethernet7

NGFW{running-agglink0}delete ip igmp version

NGFW{running-agglink0}delete ip ospf area

NGFW{running-agglink0}delete ip ospf authentication mode md5 1 mysecret

NGFW{running-agglink0}delete ip ospf authentication mode text mysecret

NGFW{running-agglink0}delete ip ospf cost

NGFW{running-agglink0}delete ip ospf dead-interval 1

NGFW{running-agglink0}delete ip ospf hello-interval 1

NGFW{running-agglink0}delete ip ospf priority 1

NGFW{running-agglink0}delete ip ospf retransmit-interval

NGFW{running-agglink0}delete ip ospf transmit-delay 1


NGFW{running-agglink0}delete ip rip authentication mode md5

NGFW{running-agglink0}delete ip rip authentication mode text

NGFW{running-agglink0}delete ip rip receive version v2-only

NGFW{running-agglink0}delete ip rip send version v2-only

NGFW{running-agglink0}delete ip rip split-horizon

NGFW{running-agglink0}delete shutdown

NGFW{running-agglink0}delete ipaddress 192.168.1.1/24

NGFW{running-agglink0}delete ipaddress 100:0:0:0:0:0:0:1/64

NGFW{running-agglink0}description

Enter description for the interface.

Syntax description TEXT

Example

NGFW{running-agglink0}description "Ethernet aggregated interface"


NGFW{running-agglink0}ip

Configure IP settings. For OSPF and RIP, authentication mode text places the key in cleartext in every routing packet and only guards against accidental misconfiguration; use authentication mode md5 on any link where a neighbor could be spoofed.

Syntax ip igmp
ip igmp version (1|2|3)
ip ospf area A.B.C.D|(0-4294967295)
ip ospf authentication mode md5 (1-255) KEY
ip ospf authentication mode text KEY
ip ospf cost (1-65535)
ip ospf dead-interval (1-65535)
ip ospf hello-interval (1-65535) [A.B.C.D]
ip ospf priority (0-255)
ip ospf retransmit-interval (3-65535)
ip ospf transmit-delay (1-65535)
ip rip
ip rip authentication mode md5 (0-2147483647) KEY
ip rip authentication mode text
ip rip receive version VERSION
ip rip send version VERSION
ip rip split-horizon [poison-reverse]

Example

NGFW{running-agglink0}ip igmp version 3

NGFW{running-agglink0}ip ospf area 1

NGFW{running-agglink0}ip ospf authentication mode md5 1 mysecret

NGFW{running-agglink0}ip ospf authentication mode text mysecret

NGFW{running-agglink0}ip ospf cost 1

NGFW{running-agglink0}ip ospf dead-interval 1

NGFW{running-agglink0}ip ospf hello-interval 1

NGFW{running-agglink0}ip ospf priority 1

NGFW{running-agglink0}ip ospf retransmit-interval 3

NGFW{running-agglink0}ip ospf transmit-delay 1

NGFW{running-agglink0}ip rip authentication mode md5 1 mysecret

NGFW{running-agglink0}ip rip authentication mode text

Enter key: up to 16 characters:******

NGFW{running-agglink0}ip rip receive version v2-only

NGFW{running-agglink0}ip rip send version v2-only


NGFW{running-agglink0}ip rip split-horizon poison-reverse

NGFW{running-agglink0}ipaddress

Configure IP address.

Syntax ipaddress (A.B.C.D/M|X:X::X:X/M) [primary] ipaddress dhcpv4

Example

NGFW{running-agglink0}ipaddress 192.168.1.1/24

NGFW{running-agglink0}ipaddress 100:0:0:0:0:0:0:1/64 primary

NGFW{running-agglink0}ipv6

Configure IPv6 settings.

Syntax ipv6 mld
ipv6 mld version (1|2)
ipv6 ospfv3 area (A.B.C.D|(0-4294967295))
ipv6 ospfv3 cost (1-65535)
ipv6 ospfv3 dead-interval (1-65535)
ipv6 ospfv3 hello-interval (1-65535)
ipv6 ospfv3 priority (0-255)
ipv6 ospfv3 retransmit-interval (3-65535)
ipv6 ospfv3 transmit-delay (1-65535)
ipv6 ripng
ipv6 ripng split-horizon [poison-reverse]

Example

NGFW{running-agglink0}ipv6 mld version 2

NGFW{running-agglink0}ipv6 ospfv3 area 1

NGFW{running-agglink0}ipv6 ospfv3 cost 1

NGFW{running-agglink0}ipv6 ospfv3 dead-interval 1

NGFW{running-agglink0}ipv6 ospfv3 hello-interval 1

NGFW{running-agglink0}ipv6 ospfv3 priority 1

NGFW{running-agglink0}ipv6 ospfv3 retransmit-interval 3

NGFW{running-agglink0}ipv6 ospfv3 transmit-delay 1

NGFW{running-agglink0}ipv6 ripng split-horizon poison-reverse

NGFW{running-agglink0}load-balance

Configure the distribution mechanism.

Syntax load-balance (round-robin|xor-ip|xor-ip-port|xor-mac|backup)

Example

NGFW{running-agglink0}load-balance xor-ip

NGFW{running-agglink0}mac-address

Configure Ethernet MAC address.


Syntax mac-address (automatic|X:X:X:X:X:X)

Example

NGFW{running-agglink0}mac-address a1:b2:c3:d4:e5:f6

NGFW{running-agglink0}mac-address automatic

NGFW{running-agglink0}mtu

Configure interface MTU in bytes.

Syntax mtu (default|VALUE)

VALUE (68-9216)

Example

NGFW{running-agglink0}mtu 1500

NGFW{running-agglink0}prefix

Configure IPv6 prefix.

Syntax prefix X:X::X:X/M [valid-lifetime SECONDS] [preferred-lifetime SECONDS]

SECONDS Value range is 1 - 4294967295

Example

NGFW{running-agglink0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000 preferred-lifetime 604800

NGFW{running-agglink0}ra-autoconf-level

Modify IPv6 Router Advertisement autoconfiguration level.

Syntax ra-autoconf-level (none|address|other|full)

Example

NGFW{running-agglink0}ra-autoconf-level full

NGFW{running-agglink0}ra-interval

Modify IPv6 Router Advertisement interval value in milliseconds.

Syntax ra-interval (90-1800000)

Example

NGFW{running-agglink0}ra-interval 600

NGFW{running-agglink0}ra-interval-transmit

Modify IPv6 Router Advertisement interval transmit.


Syntax ra-interval-transmit (enable|disable)

Example

NGFW{running-agglink0}ra-interval-transmit enable

NGFW{running-agglink0}ra-lifetime

Modify IPv6 Router Advertisement prefix lifetime in seconds.

Syntax ra-lifetime (0-9000000)

Example

NGFW{running-agglink0}ra-lifetime 1800

NGFW{running-agglink0}ra-mtu

Modify IPv6 Router Advertisement MTU value in bytes.

Syntax ra-mtu (none|MTU)

MTU (68-9216)

Example

NGFW{running-agglink0}ra-mtu 1500

NGFW{running-agglink0}ra-transmit-mode

Modify IPv6 Router Advertisement transmit mode.

Syntax ra-transmit-mode (always|never|smart)

Example

NGFW{running-agglink0}ra-transmit-mode smart

NGFW{running-agglink0}shutdown

Administratively shut down the logical interface.

Syntax shutdown

Example

NGFW{running-agglink0}shutdown

NGFW{running-agglink0}tcp4mss

Configure interface TCP MSS for IPv4.

Syntax tcp4mss (disable|automatic|VALUE)

VALUE 4-65535


Example

NGFW{running-agglink0}tcp4mss automatic

NGFW{running-agglink0}tcp6mss

Configure interface TCP MSS for IPv6.

Syntax tcp6mss (disable|automatic|VALUE)

VALUE 4-65535

Example

NGFW{running-agglink0}tcp6mss automatic

running-app-filter-mgmt Context Commands

Immediate Commit Feature. Changes take effect immediately.

NGFW{running}application-filter-mgmt

NGFW{running-app-filter-mgmt}filter

Change management settings for an application filter.

Syntax filter FILTERNUMBER (enable|disable)
filter FILTERNUMBER afcstate (enable|disable)
filter FILTERNUMBER (enable|disable) afcstate (enable|disable)

Valid entries:

display Display file or configuration item

filter Change management settings for an application filter

help Display help information

Example

NGFW{running-app-filter-mgmt}filter 642 afcstate enable

NGFW{running-app-filter-mgmt}filter 642 enable afcstate enable

WARNING: Are you sure you want to enable filter 642 system-wide (y/n)? [n]: y

NGFW{running-app-filter-mgmt}filter 642 disable

WARNING: Are you sure you want to disable filter 642 system-wide (y/n)? [n]: y

running-app-groups Context Commands

Immediate Commit Feature. Changes take effect immediately.

NGFW{running}application-groups

NGFW{running-app-groups}application-group

Create or enter application-group context.

Syntax application-group NEWAPPNAME CRITERIASTRING
application-group APPNAME

Example

NGFW{running-app-groups}application-group FaceBook


NGFW{running-app-groups}delete

Delete application-group.

Syntax delete application-group APPNAME

Example

NGFW{running-app-groups}delete application-group FaceBook

NGFW{running-app-groups}rename

Rename application-group.

Syntax rename application-group APPNAME NEWAPPNAME

Example

NGFW{running-app-groups}rename application-group FaceBook facebook1

running-app-groups-X Context Commands

Immediate Commit Feature. Changes take effect immediately.

NGFW{running-app-groups}application-group FaceBook

NGFW{running-app-groups-FaceBook}criteria

Update application-group criteria.

Syntax criteria CRITERIASTRING

Example

NGFW{running-app-groups-FaceBook}criteria "string"

NGFW{running-app-groups-FaceBook}description

Update application-group description.

Syntax description DESCSTRING

Example

NGFW{running-app-groups-FaceBook}description "facebook application group"

running-autodv Context Commands

Immediate Commit Feature. Changes take effect immediately.

NGFW{running}autodv

NGFW{running-autodv}calendar

Enter the calendar-style update schedule context.

Syntax calendar


Example

NGFW{running-autodv}calendar

NGFW{running-autodv}delete

Delete file or configuration item.

Syntax delete proxy
delete proxy-password
delete proxy-username

Example

NGFW{running-autodv}delete proxy-password

NGFW{running-autodv}delete proxy-username

NGFW{running-autodv}delete proxy

NGFW{running-autodv}disable

Disable service.

Syntax disable

Example

NGFW{running-autodv}disable

NGFW{running-autodv}enable

Enable service.

Syntax enable

Example

NGFW{running-autodv}enable

NGFW{running-autodv}list

List Installed DVs.

Syntax list

Example

NGFW{running-autodv}list

version 3.2.0.8458

NGFW{running-autodv}periodic

Enter the periodic-style update schedule context.

Syntax periodic


Example

NGFW{running-autodv}periodic

NGFW{running-autodv}proxy

Configure proxy.

Syntax proxy ADDR port PORT
proxy-password PASSWD
proxy-username USER

Example

NGFW{running-autodv}proxy 192.168.1.1 port 443

NGFW{running-autodv}proxy-password mypassword

NGFW{running-autodv}proxy-username myusername

NGFW{running-autodv}update

Update AutoDV.

Syntax update

Example

NGFW{running-autodv}update

running-autodv-calendar Context Commands

Immediate Commit Feature. Changes take effect immediately.

NGFW{running-autodv}calendar

NGFW{running-autodv-calendar}day

Day of the week to update.

Syntax day DAYNAME

Example

NGFW{running-autodv-calendar}day ?

Valid entries at this position are:

Sunday Sunday

Monday Monday

Tuesday Tuesday

Wednesday Wednesday

Thursday Thursday

Friday Friday

Saturday Saturday

NGFW{running-autodv-calendar}time

Time of day to check for updates.

Syntax time HOURS:MINUTES


Example

NGFW{running-autodv-calendar}time ?

Valid entry at this position is:

HOURS Value range is 0 - 23

NGFW{running-autodv-calendar}time 17:00

running-autodv-periodic Context Commands

Immediate Commit Feature. Changes take effect immediately.

NGFW{running-autodv}periodic

NGFW{running-autodv-periodic}day

Day of the week to update.

Syntax day (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday)

Example

NGFW{running-autodv-periodic}day Sunday

NGFW{running-autodv-periodic}period

Set number of days between update checks.

Syntax period PERIOD

PERIOD Value range is 0 - 99, unit is days

Example

NGFW{running-autodv-periodic}period 1

NGFW{running-autodv-periodic}time

Time of day to check for updates.

Syntax time HOURS:MINUTES

HOURS Value range is 0 - 23

MINUTES Value range is 0 - 59

Example

NGFW{running-autodv-periodic}time 21:00

running-bgp-X Context Commands

NGFW{running}router bgp 1

NGFW{running-bgp-1}aggregate-address

Configure BGP aggregate entries.

Syntax aggregate-address A.B.C.D/M [as-set] [summary-only]


Example

NGFW{running-bgp-1}help aggregate-address

Configure BGP aggregate entries

Syntax: aggregate-address A.B.C.D/M [as-set] [summary-only]

aggregate-address Configure BGP aggregate entries

A.B.C.D/M Aggregate prefix

as-set Generate AS set path information

summary-only Filter more specific routes from updates

NGFW{running-bgp-1}always-compare-med

Always compare MEDs from neighbors in different AS.

Syntax always-compare-med

NGFW{running-bgp-1}delete

Delete file or configuration item.

Syntax delete aggregate-address A.B.C.D/M
delete always-compare-med
delete deterministic-med
delete distance
delete graceful-restart
delete local-preference
delete neighbor A.B.C.D peer-group NAME
delete neighbor (A.B.C.D|NAME)
delete neighbor (A.B.C.D|NAME) description
delete neighbor (A.B.C.D|NAME) ebgp-multihop
delete neighbor (A.B.C.D|NAME) password
delete neighbor (A.B.C.D|NAME) soft-reconfiguration inbound
delete neighbor (A.B.C.D|NAME) route-reflector-client
delete neighbor (A.B.C.D|NAME) distribute-list ACCESS-LIST-NAME (in|out)
delete neighbor (A.B.C.D|NAME) prefix-list PREFIX-LIST-NAME (in|out)
delete neighbor (A.B.C.D|NAME) filter-list FILTER-LIST-NAME (in|out)
delete neighbor (A.B.C.D|NAME) route-map ROUTE-MAP-NAME (in|out)
delete neighbor (A.B.C.D|NAME) send-community
delete neighbor (A.B.C.D|NAME) shutdown
delete neighbor (A.B.C.D|NAME) passive
delete neighbor (A.B.C.D|NAME) next-hop-self
delete neighbor (A.B.C.D|NAME) maximum-prefix
delete neighbor (A.B.C.D|NAME) weight
delete neighbor (A.B.C.D|NAME) update-source A.B.C.D
delete neighbor (A.B.C.D|NAME) remove-private-as
delete neighbor NAME peer-group
delete network A.B.C.D/M
delete redistribute (connected|ospf|rip|static)
delete router-id
delete timers

Example

NGFW{running-bgp-1}delete ?

Valid entries at this position are:

aggregate-address Delete BGP aggregate entries

always-compare-med Delete always compare MEDs from neighbors in different AS

deterministic-med Delete pick the best-MED route from the neighboring AS


distance Delete administrative distances

graceful-restart Delete BGP graceful restart

local-preference Delete the default local preference configured

neighbor Delete BGP neighbor

network Delete a network to announce via BGP

redistribute Delete route redistribution from another routing protocol

router-id Delete the BGP router identifier

timers Delete BGP timers

NGFW{running-bgp-1}deterministic-med

Pick the best-MED route from the neighboring AS.

Syntax deterministic-med

NGFW{running-bgp-1}disable

Disable BGP.

Syntax disable

Example

NGFW{running-bgp-1}help disable

Disable Border Gateway Protocol (BGP)

Syntax: disable

disable Disable BGP

NGFW{running-bgp-1}distance

Define administrative distances.

Syntax distance EXTERNAL INTERNAL LOCAL

Each of EXTERNAL, INTERNAL and LOCAL is a value in the range 1-255.

Example

NGFW{running-bgp-1}help distance

Configure BGP administrative distances

Syntax: distance EXTERNAL INTERNAL LOCAL

distance Define administrative distances

EXTERNAL Distance for routes external to the AS (1-255)

INTERNAL Distance for routes internal to the AS (1-255)

LOCAL Distance for local routes (1-255)


NGFW{running-bgp-1}enable

Enable BGP.

Syntax enable

Example

NGFW{running-bgp-1}help enable

Enable Border Gateway Protocol (BGP)


Syntax: enable

enable Enable BGP

NGFW{running-bgp-1}graceful-restart

Set the BGP graceful restart.

Syntax graceful-restart

Example

NGFW{running-bgp-1}help graceful-restart

Configure the BGP graceful restart

Syntax: graceful-restart
        graceful-restart restart-time RESTART-TIME
        graceful-restart stalepath-time STALEPATH-TIME

graceful-restart Set the BGP graceful restart

restart-time Set the restart-time for BGP graceful restart

RESTART-TIME BGP graceful restart time in seconds (1-3600)

stalepath-time Set the stalepath time for BGP graceful restart

STALEPATH-TIME BGP stalepath time in seconds (1-3600)

NGFW{running-bgp-1}local-preference

Set local preference (higher numbers take preference).

Syntax local-preference LOCAL-PREFERENCE

LOCAL-PREFERENCE Default local preference (0-4294967295)

Example

NGFW{running-bgp-1}local-preference 10

NGFW{running-bgp-1}neighbor

Configure BGP neighbor or peer-group.

Syntax neighbor A.B.C.D peer-group NAME
       neighbor (A.B.C.D|NAME) distribute-list ACCESS-LIST-NAME (in|out)
       neighbor (A.B.C.D|NAME) prefix-list PREFIX-LIST-NAME (in|out)
       neighbor (A.B.C.D|NAME) filter-list FILTER-LIST-NAME (in|out)
       neighbor (A.B.C.D|NAME) route-map NAME (in|out)
       neighbor (A.B.C.D|NAME) send-community
       neighbor (A.B.C.D|NAME) ebgp-multihop (1-255)
       neighbor (A.B.C.D|NAME) description DESCRIPTION
       neighbor (A.B.C.D|NAME) remote-as ASNUMBER
       neighbor (A.B.C.D|NAME) password
       neighbor (A.B.C.D|NAME) soft-reconfiguration inbound
       neighbor (A.B.C.D|NAME) route-reflector-client
       neighbor (A.B.C.D|NAME) shutdown
       neighbor (A.B.C.D|NAME) passive
       neighbor (A.B.C.D|NAME) next-hop-self
       neighbor (A.B.C.D|NAME) maximum-prefix (1-4294967295)
       neighbor (A.B.C.D|NAME) weight (0-65535)
       neighbor (A.B.C.D|NAME) update-source A.B.C.D
       neighbor (A.B.C.D|NAME) remove-private-as
       neighbor NAME peer-group

NGFW{running-bgp-1}network

Specify a network to announce through the BGP.

Syntax network A.B.C.D/M

Example

NGFW{running-bgp-1}network 192.168.0.0/24

NGFW{running-bgp-1}redistribute

Redistribute routes from another routing protocol.

Syntax redistribute (connected|ospf|rip|static) [metric VALUE] [route-map NAME]

Valid entries:

connected Connected routes

ospf Open Shortest Path First (OSPF)

rip Routing Information Protocol (RIP)

static Static routes

metric Metric for redistributed routes

VALUE Default metric (1-4294967295)

route-map Route map reference

NAME Pointer to route-map entries

Example

NGFW{running-bgp-1}redistribute connected

NGFW{running-bgp-1}router-id

Set the BGP router identifier.

Syntax router-id A.B.C.D

Example

NGFW{running-bgp-1}help router-id

Syntax: router-id A.B.C.D

router-id Set the BGP router identifier

A.B.C.D BGP router-id in IP address format


NGFW{running-bgp-1}timers

Adjust BGP timers. The keepalive interval should be no more than one-third of holdtime.

Syntax timers KEEPALIVE HOLDTIME

KEEPALIVE Keepalive interval (0-65535)

HOLDTIME Holdtime (0-65535)

Example

NGFW{running-bgp-1}timers 60 180
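The neighbor and timers commands above are easy to leave half-finished: a peer with a remote-as but no password, no maximum-prefix and no inbound filter will happily accept whatever the far end announces. The following script is an added example by the editor, not code from this reference or from the NGFW software. It parses a block of running-bgp-X commands (the sample is constructed, with the local AS assumed to be 65000) and reports sessions without a password, eBGP peers without maximum-prefix or an inbound prefix-list/filter-list/route-map/distribute-list, and a keepalive larger than one-third of the holdtime. Only the last rule comes from the reference; the others are the editor's hardening checks. Peer-group inheritance is not modelled.

```python
"""Audit neighbor and timers commands entered in a running-bgp-X context.

Added example by the editor; not code from the HP reference or the NGFW.
"""
import re

# Constructed sample of commands as typed in NGFW{running-bgp-1}; it is not
# captured from a device.  The local AS is assumed to be 65000.
SAMPLE_BGP = """\
router-id 10.0.0.1
timers 60 120
neighbor 192.0.2.1 remote-as 64500
neighbor 192.0.2.1 description transit-a
neighbor 192.0.2.1 password
neighbor 192.0.2.1 prefix-list PEER-IN in
neighbor 192.0.2.1 prefix-list PEER-OUT out
neighbor 192.0.2.1 maximum-prefix 1000
neighbor 198.51.100.7 remote-as 64501
neighbor 198.51.100.7 description transit-b
neighbor 10.1.1.2 remote-as 65000
neighbor 10.1.1.2 next-hop-self
"""

TIMERS_RE = re.compile(r"^timers\s+(\d+)\s+(\d+)$")
NEIGHBOR_RE = re.compile(r"^neighbor\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
INBOUND_FILTERS = ("prefix-list", "filter-list", "route-map", "distribute-list")


def parse_bgp_context(text):
    """Return (timers, neighbors).

    timers is (keepalive, holdtime) or None; neighbors maps each peer
    address or peer-group name to {attribute: [argument strings]}.
    """
    timers = None
    neighbors = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = TIMERS_RE.match(line)
        if m:
            timers = (int(m.group(1)), int(m.group(2)))
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            peer, attr, arg = m.group(1), m.group(2), (m.group(3) or "").strip()
            neighbors.setdefault(peer, {}).setdefault(attr, []).append(arg)
    return timers, neighbors


def audit_bgp(text, local_as):
    """Return a list of (peer, finding) tuples; peer '*' marks global findings."""
    findings = []
    timers, neighbors = parse_bgp_context(text)
    if timers is not None:
        keepalive, holdtime = timers
        # The reference: keepalive should be no more than one-third of holdtime.
        if holdtime and keepalive * 3 > holdtime:
            findings.append(("*", f"keepalive {keepalive} exceeds one-third of holdtime {holdtime}"))
    for peer, attrs in sorted(neighbors.items()):
        if "remote-as" not in attrs:
            continue  # peer-group template or incomplete neighbor; nothing to judge
        is_ebgp = int(attrs["remote-as"][0]) != local_as
        if "password" not in attrs:
            findings.append((peer, "session is not authenticated (no password)"))
        if is_ebgp and "maximum-prefix" not in attrs:
            findings.append((peer, "eBGP peer without maximum-prefix"))
        # Any of the four filter types applied with direction 'in' counts.
        has_inbound = any(arg.endswith(" in")
                          for f in INBOUND_FILTERS for arg in attrs.get(f, []))
        if is_ebgp and not has_inbound:
            findings.append((peer, "eBGP peer with no inbound filter"))
    return findings


if __name__ == "__main__":
    for peer, finding in audit_bgp(SAMPLE_BGP, local_as=65000):
        print(f"{peer:16} {finding}")
```

Run against the sample, the script flags the timers line (60 is more than 120/3), the unauthenticated iBGP peer 10.1.1.2, and all three gaps on 198.51.100.7; 192.0.2.1 passes.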


running-blockedStreams Context Commands

NGFW{running}blockedStreams

NGFW{running-blockedStreams}flushallstreams

Flush all reports.

Syntax flushallstreams

Example

NGFW{running-blockedStreams}flushallstreams

NGFW{running-blockedStreams}flushstreams

Flush reports.

Syntax flushstreams

Example

NGFW{running-blockedStreams}flushstreams

NGFW{running-blockedStreams}list

List reports.

Syntax list

running-bridgeX Context Commands

NGFW{running}interface bridge0

NGFW{running-bridge0}arp/ndp

Enable or disable ARP and NDP on interface.

Syntax arp/ndp (enable|disable)

Example

NGFW{running-bridge0}arp/ndp enable

NGFW{running-bridge0}autoconfv6

Enable or disable IPv6 autoconfiguration on interface.

Syntax autoconfv6 (enable|disable)

Example

NGFW{running-bridge0}autoconfv6 enable

NGFW{running-bridge0}bind

Bind bridged network interface over ethernet/VLAN/agglink.


Syntax bind PORT

Example

NGFW{running-bridge0}bind ethernet5

NGFW{running-bridge0}bind ethernet6

NGFW{running-bridge0}bind ethernet7

NGFW{running-bridge0}bind ethernet8

NGFW{running-bridge0}delete

Delete file or configuration item.

Syntax delete bind (all|PORT)
       delete ip igmp
       delete ip igmp version
       delete ipaddress (all|A.B.C.D/M|X:X::X:X/M)
       delete ipaddress dhcpv4
       delete ipaddress dhcpv6
       delete ipv6 mld
       delete ipv6 mld version
       delete prefix (all|X:X::X:X/M)
       delete shutdown

Example

NGFW{running-bridge0}delete bind ethernet8

NGFW{running-bridge0}delete bind all

NGFW{running-bridge0}delete ip igmp

NGFW{running-bridge0}delete ipaddress 192.168.1.1/24

NGFW{running-bridge0}delete ipaddress 100:0:0:0:0:0:0:1/64

NGFW{running-bridge0}delete ipv6 mld

NGFW{running-bridge0}delete prefix all

NGFW{running-bridge0}delete shutdown

NGFW{running-bridge0}description

Enter description for the interface.

Syntax description TEXT

Example

NGFW{running-bridge0}description "Ethernet bridged interface"


NGFW{running-bridge0}ip

Configure IP settings.

Syntax ip igmp
       ip igmp version (1|2|3)
       ip ospf area (A.B.C.D|(0-4294967295))
       ip ospf authentication mode md5 KEY_ID KEY
       ip ospf authentication mode text KEY
       ip ospf cost COST
       ip ospf dead-interval VALUE
       ip ospf hello-interval VALUE [A.B.C.D]
       ip ospf priority VALUE
       ip ospf retransmit-interval VALUE
       ip ospf transmit-delay VALUE
       ip rip
       ip rip authentication mode md5 (0-2147483647) KEY
       ip rip authentication mode text
       ip rip receive version VERSION
       ip rip send version VERSION
       ip rip split-horizon [poison-reverse]
       ipaddress (A.B.C.D/M|X:X::X:X/M) [primary]
       ipv6 mld

Prefer md5 over text authentication for OSPF and RIP: with text, the key is carried in the clear in every routing packet on the segment.

Example

NGFW{running-bridge0}ip igmp version 3

NGFW{running-bridge0}ip igmp

NGFW{running-bridge0}ipaddress

Configure IP address.

Syntax ipaddress (A.B.C.D/M|X:X::X:X/M) [primary]
       ipaddress dhcpv4

Example

NGFW{running-bridge0}ipaddress 192.168.1.1/24

NGFW{running-bridge0}ipaddress 100:0:0:0:0:0:0:1/64

NGFW{running-bridge0}ipv6

Configure IPv6 settings.

Syntax ipv6 mld
       ipv6 mld version (1|2)
       ipv6 ospfv3 area (A.B.C.D|(0-4294967295))
       ipv6 ospfv3 cost COST
       ipv6 ospfv3 dead-interval VALUE
       ipv6 ospfv3 hello-interval VALUE
       ipv6 ospfv3 priority VALUE
       ipv6 ospfv3 retransmit-interval VALUE
       ipv6 ospfv3 transmit-delay VALUE
       ipv6 ripng
       ipv6 ripng split-horizon [poison-reverse]

Example

NGFW{running-bridge0}ipv6 mld version 2

NGFW{running-bridge0}ipv6 ripng split-horizon poison-reverse

NGFW{running-bridge0}mtu

Configure interface MTU.

Syntax mtu (default|VALUE)

VALUE (68-9216)


Example

NGFW{running-bridge0}mtu 1280

NGFW{running-bridge0}prefix

Configure IPv6 prefix.

Syntax prefix X:X::X:X/M [valid-lifetime SECONDS] [preferred-lifetime SECONDS]

SECONDS (1-4294967295)

Example

NGFW{running-bridge0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000 preferred-lifetime 604800

NGFW{running-bridge0}ra-autoconf-level

Modify IPv6 Router Advertisement autoconfiguration level.

Syntax ra-autoconf-level AUTOCONF

AUTOCONF Router Advertisement autoconfiguration level, that is, which DHCPv6-related flags the advertisement sets

Possible values for AUTOCONF are:

none No parameter is autoconfigured (neither flag set)

address Address is autoconfigured (managed-address flag)

other Some other parameters are autoconfigured (other-configuration flag)

full Most parameters are autoconfigured (both flags)

Example

NGFW{running-bridge0}ra-autoconf-level full

NGFW{running-bridge0}ra-interval

Modify IPv6 Router Advertisement interval value in milliseconds.

Syntax ra-interval (90-1800000)

Example

NGFW{running-bridge0}ra-interval 600

NGFW{running-bridge0}ra-interval-transmit

Modify IPv6 Router Advertisement interval transmit.

Syntax ra-interval-transmit (enable|disable)

Example

NGFW{running-bridge0}ra-interval-transmit enable


NGFW{running-bridge0}ra-lifetime

Modify IPv6 Router Advertisement prefix lifetime in seconds.

Syntax ra-lifetime (0-9000000)

Example

NGFW{running-bridge0}ra-lifetime 1800

NGFW{running-bridge0}ra-mtu

Modify IPv6 Router Advertisement MTU value.

Syntax ra-mtu (none|MTU)

MTU Value advertised (68-9216); 0 if none

Example

NGFW{running-bridge0}ra-mtu none

NGFW{running-bridge0}ra-mtu 1500

NGFW{running-bridge0}ra-transmit-mode

Modify IPv6 Router Advertisement transmit mode.

Syntax ra-transmit-mode MODE

MODE Router Advertisement transmit mode

Possible values for MODE are:

always Router Advert message is always sent

never Router Advert message is never sent

smart Router Advert message is sent only if a prefix is defined

Example

NGFW{running-bridge0}ra-transmit-mode smart

NGFW{running-bridge0}shutdown

Shutdown logical interface state.

Syntax shutdown

Example

NGFW{running-bridge0}shutdown

NGFW{running-bridge0}tcp4mss

Configure interface TCP MSS for IPv4.

Syntax tcp4mss (disable|automatic|4-65535)

disable Disable service

automatic Automatically select TCP MSS based on interface MTU

(4-65535) TCP MSS value for IPv4

Example

NGFW{running-bridge0}tcp4mss automatic


NGFW{running-bridge0}tcp6mss

Configure interface TCP MSS for IPv6.

Syntax tcp6mss (disable|automatic|4-65535)

disable Disable service

automatic Automatically select TCP MSS based on interface MTU

(4-65535) TCP MSS value for IPv6

Example

NGFW{running-bridge0}tcp6mss automatic

running-captive-portal Context Commands

NGFW{running}captive-portal

NGFW{running-captive-portal}delete

Delete captive portal rule(s).

Syntax delete rule (all|RULEID)

Example

NGFW{running-captive-portal}delete rule 20010

NGFW{running-captive-portal}delete rule all

NGFW{running-captive-portal}rename

Rename a captive-portal rule.

Syntax rename rule RULEID NEWRULEID

Example

NGFW{running-captive-portal}rename rule watershed 20010

NGFW{running-captive-portal}reset

Set a Captive Portal parameter to its DEFAULT value.

Syntax reset (max-session-time|inactive-timeout|port|certificate)
       reset login-page (foreground-color|background-color)
       reset login-page (header-HTML|footer-HTML|failed-HTML)
       reset status-page (foreground-color|background-color)
       reset status-page main-HTML

Example

NGFW{running-captive-portal}reset certificate

NGFW{running-captive-portal}reset login-page foreground-color

NGFW{running-captive-portal}reset status-page main-HTML

NGFW{running-captive-portal}rule

Create or enter a rule context.


Syntax rule (auto|RULEID) [POSITION_VALUE]

Example

NGFW{running-captive-portal}rule auto

NGFW{running-captive-portal}rule 20010 1

NGFW{running-captive-portal}rule watershed

NGFW{running-captive-portal}set

Set a Captive Portal parameter.

Syntax set max-session-time MINUTES
       set inactive-timeout MINUTES
       set port PORT
       set certificate CERTNAME
       set (login-page|status-page) (foreground-color|background-color) (HEX|COLOR)
       set login-page (header-HTML|footer-HTML|failed-HTML)
       set status-page main-HTML

Example

NGFW{running-captive-portal}set inactive-timeout 60

NGFW{running-captive-portal}set port 8443

NGFW{running-captive-portal}set status-page background-color #CD88B1

NGFW{running-captive-portal}set status-page foreground-color #FFEFD5

NGFW{running-captive-portal}set status-page foreground-color DodgerBlue

running-captive-portal-rule-X Context Commands

NGFW{running-captive-portal}rule 20000

NGFW{running-captive-portal-rule-20000}delete

Delete file or configuration item.

Syntax delete src-address include group (all|ADDRESSGROUP)
       delete src-address include ipaddress (all|A.B.C.D/M|X:X::X:X/M)
       delete src-address include range (all|A.B.C.D|X:X::X:X)
       delete src-address exclude group (all|ADDRESSGROUP)
       delete src-address exclude ipaddress (all|A.B.C.D/M|X:X::X:X/M)
       delete src-address exclude range (all|A.B.C.D|X:X::X:X)
       delete dst-address include group (all|ADDRESSGROUP)
       delete dst-address include ipaddress (all|A.B.C.D/M|X:X::X:X/M)
       delete dst-address include range (all|A.B.C.D|X:X::X:X)
       delete dst-address exclude group (all|ADDRESSGROUP)
       delete dst-address exclude ipaddress (all|A.B.C.D/M|X:X::X:X/M)
       delete dst-address exclude range (all|A.B.C.D|X:X::X:X)
       delete src-zone include (all|ZONENAME)
       delete src-zone exclude (all|ZONENAME)

Example

NGFW{running-captive-portal-rule-20000}delete dst-address include group mygroup1

NGFW{running-captive-portal-rule-20000}delete src-address exclude ipaddress all

NGFW{running-captive-portal-rule-20000}delete dst-address include ipaddress 192.168.1.1/32


NGFW{running-captive-portal-rule-20000}description

Apply rule description.

Syntax description TEXT

Example

NGFW{running-captive-portal-rule-20000}description "captive portal rule"

NGFW{running-captive-portal-rule-20000}dst-address

Apply destination address.

Syntax dst-address (include|exclude) group ADDRESSGROUP
       dst-address (include|exclude) ipaddress (A.B.C.D|X:X::X:X)
       dst-address (include|exclude) ipaddress (A.B.C.D/M|X:X::X:X/M)
       dst-address (include|exclude) range ((A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X))

Example

NGFW{running-captive-portal-rule-20000}dst-address include group mygroup1

NGFW{running-captive-portal-rule-20000}dst-address include ipaddress 192.168.1.0/24

NGFW{running-captive-portal-rule-20000}dst-address exclude ipaddress 192.168.1.1

NGFW{running-captive-portal-rule-20000}dst-address include range 192.168.1.100 192.168.1.200

NGFW{running-captive-portal-rule-20000}move

Move rule position.

Syntax move (after RULEID)|(before RULEID)|(to position VALUE)

Example

NGFW{running-captive-portal-rule-20000}move to position 1

NGFW{running-captive-portal-rule-20000}move before 20050

NGFW{running-captive-portal-rule-20000}move after 20040

NGFW{running-captive-portal-rule-20000}src-address

Apply source address.

Syntax src-address (include|exclude) group ADDRESSGROUP
       src-address (include|exclude) ipaddress (A.B.C.D|X:X::X:X)
       src-address (include|exclude) ipaddress (A.B.C.D/M|X:X::X:X/M)
       src-address (include|exclude) range ((A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X))

Example

NGFW{running-captive-portal-rule-20000}src-address include group mygroup1

NGFW{running-captive-portal-rule-20000}src-address include ipaddress 192.168.1.0/24

NGFW{running-captive-portal-rule-20000}src-address exclude ipaddress 192.168.1.1

NGFW{running-captive-portal-rule-20000}src-address include range 192.168.1.100 192.168.1.200


NGFW{running-captive-portal-rule-20000}src-zone

Apply source security zone.

Syntax src-zone (include|exclude) ZONENAME

Example

NGFW{running-captive-portal-rule-20000}src-zone include myzone1

NGFW{running-captive-portal-rule-20000}src-zone exclude myzone1
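A captive-portal rule is only as good as the address clauses above: an exclude that is too wide lets clients bypass the portal, an include that is too narrow leaves them stranded. The script below is an added example by the editor, not code from this reference or from the NGFW software. It parses the src-address, dst-address and src-zone commands of one rule (the rule text and the address-group table are constructed) and answers whether a given client would be subject to the rule. The matching semantics are an assumption, not something this reference states: an address matches a clause when it falls inside at least one include entry and inside no exclude entry, a clause with no include entries matches everything, and group names resolve through the ADDRESS_GROUPS table.

```python
"""Evaluate one captive-portal rule's address and zone clauses.

Added example by the editor; not code from the HP reference or the NGFW.
Match semantics (include-any, exclude-none, empty include = any) are assumed.
"""
import ipaddress

# Constructed: members of the address groups the rule refers to by name.
ADDRESS_GROUPS = {"mygroup1": ["192.168.1.0/24", "2001:db8:1::/48"]}

# Constructed: the commands entered in NGFW{running-captive-portal-rule-20000}.
RULE_20000 = """\
src-address include group mygroup1
src-address exclude ipaddress 192.168.1.1
dst-address include range 192.168.1.100 192.168.1.200
src-zone include myzone1
"""


class AddressClause:
    """Include/exclude entries of one src-address or dst-address clause."""

    def __init__(self):
        self.include = []   # ip_network objects or (low, high) address tuples
        self.exclude = []

    def add(self, mode, kind, *args):
        if kind == "group":
            items = [ipaddress.ip_network(n) for n in ADDRESS_GROUPS[args[0]]]
        elif kind == "ipaddress":              # host form or prefix form
            items = [ipaddress.ip_network(args[0], strict=False)]
        elif kind == "range":
            items = [(ipaddress.ip_address(args[0]), ipaddress.ip_address(args[1]))]
        else:
            raise ValueError(f"unknown address kind {kind!r}")
        (self.include if mode == "include" else self.exclude).extend(items)

    @staticmethod
    def _hit(items, addr):
        for item in items:
            if isinstance(item, tuple):
                low, high = item
                if low.version == addr.version and low <= addr <= high:
                    return True
            elif item.version == addr.version and addr in item:
                return True
        return False

    def matches(self, addr):
        if self._hit(self.exclude, addr):
            return False
        return not self.include or self._hit(self.include, addr)


def parse_rule(text):
    """Parse rule-context commands into clause objects."""
    rule = {"src-address": AddressClause(), "dst-address": AddressClause(),
            "src-zone": {"include": set(), "exclude": set()}}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] in ("src-address", "dst-address"):
            rule[parts[0]].add(parts[1], parts[2], *parts[3:])
        elif parts[0] == "src-zone":
            rule["src-zone"][parts[1]].add(parts[2])
    return rule


def rule_applies(rule, src, dst, src_zone):
    """True if a client at src in src_zone talking to dst is subject to the rule."""
    zones = rule["src-zone"]
    if src_zone in zones["exclude"]:
        return False
    if zones["include"] and src_zone not in zones["include"]:
        return False
    return (rule["src-address"].matches(ipaddress.ip_address(src))
            and rule["dst-address"].matches(ipaddress.ip_address(dst)))


if __name__ == "__main__":
    rule = parse_rule(RULE_20000)
    for src, dst, zone in [("192.168.1.50", "192.168.1.150", "myzone1"),
                           ("192.168.1.1", "192.168.1.150", "myzone1"),
                           ("2001:db8:1::5", "192.168.1.150", "myzone1"),
                           ("192.168.1.50", "192.168.1.201", "myzone1"),
                           ("192.168.1.50", "192.168.1.150", "guest")]:
        print(src, dst, zone, rule_applies(rule, src, dst, zone))
```

The IPv6 member of mygroup1 shows why the version guard in _hit matters: the IPv4 exclude must not be compared against an IPv6 client, and the standard library raises on mixed-version comparisons.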

running-certificates Context Commands

NGFW{running}certificates

NGFW{running-certificates}ca-certificate

Add CA certificate.

Syntax ca-certificate CANAME

Example

NGFW{running-certificates}ca-certificate myCAname

Please enter the PEM encoded CA certificate contents (including BEGIN CERTIFICATE and END CERTIFICATE lines):

-----BEGIN CERTIFICATE-----

SoIDQTCCAqoCCQDiEcSvKsrhKTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJB

VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0 cyBQdHkgTHeRkMB4XDTA5MDQxNjE3MDUxNloDTA5MDUxNjE3MDUxNlowbDEQMA4G

A1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93 bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UEoxMHVW5wer93bjEQMA4GA1UEAxMH

VW5rbm93bjCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn

9hG3UjzvRADDHj+AplEmaUVdQCJR+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3 a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1

864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXW mz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hM

KBYTt88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6o

UZCJqIPf4VrlnwaSi2ZegHtVJWQBTDv+z0kqA4GEAAKBgDNS53gXgLN9qXzf5AIs npdKIhCaP6LOMaueQM2X9p51TWee8n95Ti9pUEoZSAgXKbV235WfqaQaIXhkXM7d

D/huz80xy3Pf5EzAEYhZLanL2GF6UL7g9z0ZtHI7E1yk2ylQrB8GI/fboIp213ug

NQ9TR7THyOy9dwftwoKSXEmSMA0GCSqGSIb3DQEBBAUAA4GBAIzxQr3OK9Jzq+wh

ZfKLLd0S7PbNZH7BfO7voEGtuC5fSPqbziwmOt9FYAg+U0rvIrHQI2DxSPHoxOA9

PISrOJgU6A2+VTbkZTJB32/Zng/hTDUQUkyyjllskdmafS1b9SSs0Z7SPuLu6VDB zR6PBzoFwaWk3nX2lYsk/gFpf07z

-----END CERTIFICATE-----

NGFW{running-certificates}cert-request

Creates a certificate request for this device.

Syntax cert-request CERTREQUEST [key-size SIZE]

CERTREQUEST Certificate Request identifier

key-size Specify private key size

SIZE Private key size in bits. Use 2048 (the default) or 4096; 1024-bit keys are no longer considered adequate for new certificates.

Possible values for SIZE are:

1024 1024-bit key size

1536 1536-bit key size


2048 2048-bit key size (default)

4096 4096-bit key size

Example

NGFW{running-certificates}cert-request myrequest

(Enter 'exit' to abort the command)

Enter Common Name (string, required): www.example.com

Enter Country (two letter code or 'none')[none]: US

Enter State (string or 'none')[none]:

Enter Locality (string or 'none')[none]:

Enter Organization (string or 'none')[none]:

Enter Unit (string or 'none')[none]:

Enter E-mail (string or 'none')[none]:

Enter FQDN (a string or 'none')[none]: www.example.com

Enter User FQDN (string or 'none')[none]:

-----BEGIN CERTIFICATE REQUEST-----

MIICpjCCAY4CAQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMTD3d3dy5leGFtcGxl

LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKWIxUWcq3vk3bBt ivmAaNXtDLT+DMASIfnIIs4b/e8nS8k2HvrlqCqgDcm98iet2vOZ7G3bzLOWPL+a

K6hJSUaqW+cz9LVMyoIM7lsWLgt+46X/EKvSGpTLNuyvupJPa76iNjgzJLxcYgEO

C3vQGIZUlG6aiJ9ABiGAPC4GpUICnJFeo9JrkDGAcKh3hFN0VZyuPgDeLssj0luo

5HL9WO/oC0E+rdYGzgU7/+B04X2mQ4LiKCV92deGvnN2Fc0DP1EHFy5hS5nVlzG1

Y6yvIYVKL2IWfdNH5U6MDd1zJLAmhRUaphLUx87yluOLl5uVPXwm/EXlE6ql2MP+ fCg10+UCAwEAAaA6MDgGCSqGSIb3DQEJDjErMCkwCwYDVR0PBAQDAgXgMBoGA1Ud

EQQTMBGCD3d3dy5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQQFAAOCAQEAGXPnvwZ3 cLLSjMOtNmizrKST+YdF1EzOOkXMBh+FZigXny5tCfQccmU5ir18KE/aKbMyQeii sSeHhI4utZvOrjLL8lcbJlEU2xnC9BGXhmbGUmWynHFziTYom7Lpv8gq+p6+B1Ox

KDxJ+cMv1Ips+g3C8zZnQsN+dLgnWCb3X3NaJos5LHu4PK48+Zl3sic94Ixw0ZQF

HHhlJe7rfg8HMEYHXMiGowSpn9vnRMVh1K0o2Cdv9aIzjm+TH+WiTV9yYX5Dqys7 c8vOS1+G6R6o5s6tHDGPNYyVfCD1W+vxdCXVGR5zLsoB5eTL7bDR1NFKu/77FvKu dLTq8hPpOt7gvQ==

-----END CERTIFICATE REQUEST-----


NGFW{running-certificates}certificate

Add device certificate.

Syntax certificate CERTNAME

Example

NGFW{running-certificates}certificate mycertname

Please enter the PEM encoded certificate contents (including BEGIN CERTIFICATE and END CERTIFICATE lines):

-----BEGIN CERTIFICATE-----

SoIDQTCCAqoCCQDiEcSvKsrhKTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJB

VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0 cyBQdHkgTHeRkMB4XDTA5MDQxNjE3MDUxNloDTA5MDUxNjE3MDUxNlowbDEQMA4G

A1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93 bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UEoxMHVW5wer93bjEQMA4GA1UEAxMH

VW5rbm93bjCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn

9hG3UjzvRADDHj+AplEmaUVdQCJR+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3 a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1

864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXW mz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hM

KBYTt88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6o

UZCJqIPf4VrlnwaSi2ZegHtVJWQBTDv+z0kqA4GEAAKBgDNS53gXgLN9qXzf5AIs npdKIhCaP6LOMaueQM2X9p51TWee8n95Ti9pUEoZSAgXKbV235WfqaQaIXhkXM7d

D/huz80xy3Pf5EzAEYhZLanL2GF6UL7g9z0ZtHI7E1yk2ylQrB8GI/fboIp213ug


NQ9TR7THyOy9dwftwoKSXEmSMA0GCSqGSIb3DQEBBAUAA4GBAIzxQr3OK9Jzq+wh

ZfKLLd0S7PbNZH7BfO7voEGtuC5fSPqbziwmOt9FYAg+U0rvIrHQI2DxSPHoxOA9

PISrOJgU6A2+VTbkZTJB32/Zng/hTDUQUkyyjllskdmafS1b9SSs0Z7SPuLu6VDB zR6PBzoFwaWk3nX2lYsk/gFpf07z

-----END CERTIFICATE-----

NGFW{running-certificates}crl

Certificate revocation list.

Syntax crl

Example

NGFW{running-certificates}crl

NGFW{running-certificates}delete

Delete file or configuration item.

Syntax delete ca-certificate (all|CANAME) delete cert-request (all|CERTREQUEST) delete certificate (all|CERTNAME)

Example

NGFW{running-certificates}delete ca-certificate myCAname

NGFW{running-certificates}delete cert-request myrequest

NGFW{running-certificates}delete certificate mycertname

NGFW{running-certificates}display

Display file or configuration item.

Syntax display ca-certificate CANAME [pem|text]
       display cert-request CERTREQUEST
       display certificate CERTNAME [pem|text]
       display private-key CERTNAME

display private-key writes the key material to the terminal in the clear; anyone who can enter this context, or read a transcript of the session, can copy the device's private key.

Example

NGFW{running-certificates}display

# CERTIFICATE AUTHORITIES

ca-certificate myCAname

-----BEGIN CERTIFICATE-----

SoIDQTCCAqoCCQDiEcSvKsrhKTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJB

...

PISrOJgU6A2+VTbkZTJB32/Zng/hTDUQUkyyjllskdmafS1b9SSs0Z7SPuLu6VDB zR6PBzoFwaWk3nX2lYsk/gFpf07z

-----END CERTIFICATE-----

# CERTIFICATES

certificate mycertname

-----BEGIN CERTIFICATE-----

SoIDQTCCAqoCCQDiEcSvKsrhKTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJB

...

PISrOJgU6A2+VTbkZTJB32/Zng/hTDUQUkyyjllskdmafS1b9SSs0Z7SPuLu6VDB


zR6PBzoFwaWk3nX2lYsk/gFpf07z

-----END CERTIFICATE-----

# CERTIFICATE REQUESTS

cert-request myrequest key-size 2048

-----BEGIN CERTIFICATE REQUEST-----

MIICpjCCAY4CAQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMTD3d3dy5leGFtcGxl

...

c8vOS1+G6R6o5s6tHDGPNYyVfCD1W+vxdCXVGR5zLsoB5eTL7bDR1NFKu/77FvKu dLTq8hPpOt7gvQ==

-----END CERTIFICATE REQUEST-----

# Subject Identity #

CN= www.example.com

C = US

ST= none

L = none

O = none

OU= none

Email= none

FQDN = www.example.com

User = none

# CRL

NGFW{running-certificates}private-key

Add device certificate private-key.

Syntax private-key CERTNAME

Example

NGFW{running-certificates}private-key mycertname

Please enter the PEM encoded private key contents (including BEGIN PRIVATE KEY and END PRIVATE KEY lines):

-----BEGIN DSA PRIVATE KEY-----

S0IBvAIBAAKBgQDjfcGLU+2NKUidI0mQ7EfiEWCc2/QLDYwfyl6t3YMMVRePWYUz

Pjom3A98G8VEhE8i+Ry3VMjmrmeRTljORWh7drvA+R48QIUC0sKbHY0TjshpNKjC

EpzX3s25mn2jeH9OLajjfT4AUKk629ajnA/tyE/Dg4a3J9PMrR/BOaJXjwIVAPq+ xXo8i7Jrjuo9pdu2A+12183HAoGBAMWQMBgsyvPRfXCDh+kaokahCJRZb7olAeN4 uSPrTmEdxn9jO+bfPCOx6Paljsjflw6uevWEBja9j0AmafxYPrKY8AhngKRFohoH

0Vwp9QKT+yVsCWghrBWQYj3myvrOGg0ydw6buDNIRYY71lYoVzQKw6NddseP3Gp9

4Pch6BKyAoGAGxqWTZsPe2lp/lz3LmmbpJoLRbE9OWBa5rVCuRM21qSRDDzQ0R4X

/cWW1kIC5n6NpVEMu+b70q3NyAK8AuFN+Ezfw+LgpvCI+Ae27bjj7AJxMD8161UG e45Qiv20THFFqw/zP7DHG6tFdT06ss6xjw+ausphZGRhU8xBBR+NF3sCFQCiAvaI xWsrP2Z1777kgMC45lKhqg==

-----END DSA PRIVATE KEY-----
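The ca-certificate, certificate and private-key commands all take a PEM blob pasted line by line at a prompt, and a terminal that drops or wraps a line produces a blob the device may reject with little explanation. The script below is an added example by the editor, not code from this reference or from the NGFW software. It checks, offline and without a crypto library, what can go wrong in the paste: BEGIN and END labels that do not match each other, a label that is not the one the prompt asked for (the private-key prompt asks for PRIVATE KEY lines while the example above pastes a DSA PRIVATE KEY block), base64 that does not decode cleanly, and an outer DER length that disagrees with the number of bytes decoded, which is what a lost 64-character line looks like. The sample blob is a constructed DER SEQUENCE, not a real certificate; it does not validate signatures or key sizes.

```python
"""Check a PEM blob before pasting it at the ca-certificate, certificate or
private-key prompt.

Added example by the editor; not code from the HP reference or the NGFW.
"""
import base64
import binascii
import re
import textwrap

ARMOR_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)


def der_outer_length(der):
    """Total length (header + content) claimed by an outer DER SEQUENCE, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(text, expected_label):
    """Return {'ok': bool, 'problems': [...], 'der_bytes': int}."""
    problems = []
    m = ARMOR_RE.search(text)
    if not m:
        return {"ok": False, "problems": ["no BEGIN/END armor found"], "der_bytes": 0}
    begin, body, end = m.group(1), m.group(2), m.group(3)
    if begin != end:
        problems.append(f"BEGIN label '{begin}' does not match END label '{end}'")
    if begin != expected_label:
        problems.append(f"label '{begin}' is not the expected '{expected_label}'")
    try:
        der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    except binascii.Error as exc:
        problems.append(f"base64 error: {exc}")
        return {"ok": False, "problems": problems, "der_bytes": 0}
    claimed = der_outer_length(der)
    if claimed is None:
        problems.append("payload does not start with a DER SEQUENCE")
    elif claimed != len(der):
        problems.append(f"DER header claims {claimed} bytes but {len(der)} decoded "
                        "(truncated or over-long paste?)")
    return {"ok": not problems, "problems": problems, "der_bytes": len(der)}


def wrap_pem(label, der):
    """Build PEM armor around DER bytes with 64-character lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed stand-in for a certificate: a DER SEQUENCE of two INTEGERs.
# Real certificates, requests and keys are also an outer SEQUENCE, so the
# same length check applies to them.
FAKE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07])
GOOD_PEM = wrap_pem("CERTIFICATE", FAKE_DER)
TRUNCATED_PEM = wrap_pem("CERTIFICATE", FAKE_DER[:-1])   # last byte lost in paste

if __name__ == "__main__":
    print(check_pem(GOOD_PEM, "CERTIFICATE"))
    print(check_pem(TRUNCATED_PEM, "CERTIFICATE"))
```

A dropped line of base64 usually still decodes (each 64-character line is a whole number of bytes), so the armor and base64 checks alone pass; only the DER length comparison catches it.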

running-certificates-crl Context Commands

NGFW{running-certificates}crl

NGFW{running-certificates-crl}add

Add a CRL URI or file for a specified CA.

Syntax add CANAME (local-import|(uri CRLURI))


Example

NGFW{running-certificates-crl}help add

Valid commands are:

# Enter context

addressgroups

# Other commands

add CANAME local-import|(uri CRLURI)

NGFW{running-certificates-crl}cache

Enable or disable CRL cache fetched via HTTP.

Syntax cache (enable|disable)

Example

NGFW{running-certificates-crl}cache enable

NGFW{running-certificates-crl}delete

Delete a CRL URI or file for a specified Certificate Authority.

Syntax delete crl (all|CANAME)

Valid entries:

all Delete all CRL URIs and local files

CANAME Delete the CRL URI and local files for this Certificate Authority

Example

NGFW{running-certificates-crl}delete crl all

NGFW{running-certificates-crl}mode

Set certificate revocation mode.

Syntax mode (required|optional)

Valid entries:

required Fail authentication by certificate if the CRL cannot be verified

optional Allow authentication by certificate if the CRL cannot be verified

optional is fail-open: while the CRL cannot be fetched or verified, a revoked certificate is still accepted. Use required unless reachability of the CRL source matters more than revocation checking.

Example

NGFW{running-certificates-crl}mode required

running-cluster Context Commands

NGFW{running}cluster

NGFW{running-cluster}check

Perform consistency check.

Syntax check CHECK_TYPE (enable|disable)


Example

NGFW{running-cluster}check config enable

NGFW{running-cluster}cluster-name

Apply cluster name.

Syntax cluster-name NAME

Example

NGFW{running-cluster}cluster-name ?

Valid entry at this position is:

NAME Cluster name (1-30 characters)

NGFW{running-cluster}delete

Delete file or configuration item.

Syntax delete standby

Example

NGFW{running-cluster}delete ?

Valid entry at this position is:

standby Remove the device from standby

NGFW{running-cluster}disable

Disable clustering.

Syntax disable

Example

NGFW{running-cluster}disable

NGFW{running-cluster}enable

Enable clustering.

Syntax enable

Example

NGFW{running-cluster}enable

NGFW{running-cluster}member-id

Cluster Member ID.

Syntax member-id ID


Example

NGFW{running-cluster}member-id ?

Valid entry at this position is:

ID Member ID

NGFW{running-cluster}member-name

Cluster member name.

Syntax member-name NAME

Example

NGFW{running-cluster}member-name ?

Valid entry at this position is:

NAME Member name (1-30 characters)

NGFW{running-cluster}standby

Sets the device on standby.

Syntax standby

Example

NGFW{running-cluster}standby

NGFW{running-cluster}tct

Enter cluster traffic context.

Syntax tct

Example

NGFW{running-cluster}tct

NGFW{running-cluster-tct}

running-cluster-tct Context Commands

NGFW{running-cluster}tct

NGFW{running-cluster-tct}delete

Delete file or configuration item.

Syntax delete ipaddress delete multicast

Example

NGFW{running-cluster-tct}delete ?

Valid entries at this position are:

ipaddress IPv4 address

multicast Apply multicast IPv4 address


NGFW{running-cluster-tct}encryption

Apply encryption hash.

Syntax encryption (enable|disable)
       encryption hash (none|MD5|SHA1|SHA256|SHA384|SHA512)
       encryption cipher (none|AES256)
       encryption passphrase PASSPHRASE

enable Enable encryption

disable Disable encryption

hash Apply encryption hash

Possible values for HASH are:

MD5 MD5 hash algorithm

SHA1 SHA1 hash algorithm

SHA256 SHA256 hash algorithm

SHA384 SHA384 hash algorithm

SHA512 SHA512 hash algorithm

none No hash algorithm

cipher Apply encryption cipher

Possible values for CIPHER are:

none No cipher algorithm

AES256 AES256 cipher algorithm

passphrase Apply encryption passphrase

PASSPHRASE Apply encryption passphrase

Use cipher AES256 with hash SHA256 or stronger. hash none or cipher none leaves cluster traffic on the TCT link unauthenticated or unencrypted, and MD5 and SHA1 are weaker choices than the SHA-2 options.

Example

NGFW{running-cluster-tct}encryption enable

NGFW{running-cluster-tct}encryption disable

NGFW{running-cluster-tct}encryption hash SHA512

NGFW{running-cluster-tct}encryption cipher AES256

NGFW{running-cluster-tct}encryption passphrase mypassphrase

NGFW{running-cluster-tct}ipaddress

IPv4 address.

Syntax ipaddress A.B.C.D/M

Example

NGFW{running-cluster-tct}help ipaddress

Apply IPv4 address

Syntax: ipaddress A.B.C.D/M

ipaddress IPv4 address

A.B.C.D/M IPv4 address with netmask

NGFW{running-cluster-tct}mgmt-port-failover

Failover to management port if HA ports unavailable.

Syntax mgmt-port-failover (enable|disable)

Example

NGFW{running-cluster-tct}mgmt-port-failover enable


NGFW{running-cluster-tct}mtu

Apply MTU.

Syntax mtu (68-9216)

Example

NGFW{running-cluster-tct}mtu 1500

NGFW{running-cluster-tct}multicast

Apply multicast IPv4 address.

Syntax multicast A.B.C.D

Example

NGFW{running-cluster-tct}multicast 239.192.0.32

NGFW{running-cluster-tct}physical-media

Apply physical-media settings. Auto-negotiation is the default.

Syntax physical-media (auto-neg|SPEED-MODE)

auto-neg Enable auto-negotiation (default is on)

SPEED-MODE Set the port speed

Possible values for SPEED-MODE are:

10half Supported port speed and mode

10full Supported port speed and mode

100half Supported port speed and mode

100full Supported port speed and mode

1000full Supported port speed and mode

Example

NGFW{running-cluster-tct}physical-media 10full

NGFW{running-cluster-tct}port

Apply multicast UDP port number.

Syntax port N

N Multicast UDP port number (1-65534)

Example

NGFW{running-cluster-tct}port 9

NGFW{running-cluster-tct}retry

Apply retry interval.

Syntax retry N

N Retry interval value (1-10)


Example

NGFW{running-cluster-tct}retry 3

NGFW{running-cluster-tct}timeout

Apply timeout.

Syntax timeout N

N Timeout value (100-10000)

Example

NGFW{running-cluster-tct}timeout 160

NGFW{running-cluster-tct}ttl

Apply TTL.

Syntax ttl N

N TTL value (1-255)

Example

NGFW{running-cluster-tct}ttl 2

running-dhcp-relay Context Commands

NGFW{running}dhcp relay

NGFW{running-dhcp-relay}client

Configure client interface.

Syntax client interface (all|IFNAME)

Example

NGFW{running-dhcp-relay}help client

Configure client interface

Syntax: client interface all|IFNAME

all Listen on all interfaces

IFNAME Configure interface

NGFW{running-dhcp-relay}delete

Delete configuration item.

Syntax delete client interface (all|IFNAME)
       delete server (all|(interface IFNAME)|(address A.B.C.D))

Example

NGFW{running-dhcp-relay}delete client interface all

NGFW{running-dhcp-relay}disable

Disable service.


Syntax disable

Example

NGFW{running-dhcp-relay}help disable

Disable DHCP relay

Syntax: disable

disable Disable service

NGFW{running-dhcp-relay}enable

Enable service.

Syntax enable

Example

NGFW{running-dhcp-relay}help enable

Enable DHCP relay

Syntax: enable

enable Enable service

NGFW{running-dhcp-relay}server

Configure server interface.

Syntax server (interface IFNAME)|(address A.B.C.D)

Example

NGFW{running-dhcp-relay}help server address

Configure server address

Syntax: server (address A.B.C.D)

A.B.C.D Configure IPv4 address

NGFW{running-dhcp-relay}help server interface

Configure server interface

Syntax: server (interface IFNAME)

IFNAME Configure interface

running-dhcp-server Context Commands

NGFW{running}dhcp server

NGFW{running-dhcp-server}delete

Delete configuration item.

Syntax delete scope (all|NAME)

Example

NGFW{running-dhcp-server}help delete

Delete scope

Syntax: delete scope all|NAME

all Delete all scopes

NAME Delete the named scope


NGFW{running-dhcp-server}disable

Disable server.

Syntax disable

Example

NGFW{running-dhcp-server}disable

NGFW{running-dhcp-server}display

Display configuration item.

Syntax display scope NAME

Example

NGFW{running-dhcp-server}help display

Valid commands are:

# Manage context

display [xml]

# Other commands

display scope NAME [xml]

NGFW{running-dhcp-server}enable

Enable server.

Syntax enable

Example

NGFW{running-dhcp-server}enable

NGFW{running-dhcp-server}scope

Configure scope.

Syntax scope NAME

Example

NGFW{running-dhcp-server}scope myscope

running-dhcp-server-X Context Commands

NGFW{running-dhcp-server}scope myscope

NGFW{running-dhcp-server-myscope}address-range

Configure IP address range.

Syntax address-range A.B.C.D A.B.C.D

Example

NGFW{running-dhcp-server-myscope}help address-range

Configure IP address range

Syntax: address-range A.B.C.D A.B.C.D

A.B.C.D

First address

A.B.C.D

Last address

NGFW{running-dhcp-server-myscope}default-gateway

Configure default gateway.

Syntax default-gateway (myself|A.B.C.D)

Example

NGFW{running-dhcp-server-myscope}help default-gateway

Configure default gateway

Syntax: default-gateway myself|A.B.C.D

myself Use subnets IP address as default gateway

A.B.C.D

IPv4 address

NGFW{running-dhcp-server-myscope}delete

Delete configuration item.

Syntax delete address-range (all|(A.B.C.D A.B.C.D))

delete default-gateway NAME

delete dns-server (all|A.B.C.D)

delete domain-name NAME

delete exclude (all|A.B.C.D)

delete host (all|NAME)

delete lease

delete option (all|NAME|NUMBER)

delete subnet A.B.C.D/M

Example

NGFW{running-dhcp-server-myscope}delete ?

Valid entries at this position are:

address-range Delete IP address range

default-gateway Delete default gateway

dns-server Delete DNS server

domain-name Delete domain name

exclude Delete excluded IP address

host Delete host

lease Delete lease

option Delete option

subnet Delete subnet

NGFW{running-dhcp-server-myscope}dns-server

Configure DNS server.

Syntax dns-server A.B.C.D (primary|secondary|tertiary)

Example

NGFW{running-dhcp-server-myscope}help dns-server

Configure DNS server

Syntax: dns-server A.B.C.D primary|secondary|tertiary

A.B.C.D IPv4 address

primary Configure primary server

secondary Configure secondary server

tertiary Configure tertiary server

NGFW{running-dhcp-server-myscope}domain-name

Configure Domain Name.

Syntax domain-name NAME

Example

NGFW{running-dhcp-server-myscope}domain-name americas

NGFW{running-dhcp-server-myscope}exclude

Configure excluded IP address.

Syntax exclude A.B.C.D

Example

NGFW{running-dhcp-server-myscope}help exclude

Configure excluded IP address

Syntax: exclude A.B.C.D

A.B.C.D

IPv4 address

NGFW{running-dhcp-server-myscope}host

Configure host name.

Syntax host NAME X:X:X:X:X:X A.B.C.D

Example

NGFW{running-dhcp-server-myscope}help host

Configure static IP address for client with mac address.

Syntax: host NAME X:X:X:X:X:X A.B.C.D

NAME Configure name

X:X:X:X:X:X Ethernet MAC address (e.g 00:02:b3:39:ba:d2)

Syntax: byte(:byte){5}

byte MAC address byte

A.B.C.D IPv4 address

NGFW{running-dhcp-server-myscope}lease

Configure DHCPv4 lease in seconds.

Syntax lease (0-1073741824)

Example

NGFW{running-dhcp-server-myscope}help lease

Configure DHCPv4 lease

Syntax: lease <0-1073741824>

<0-1073741824> Lease value in seconds (0-1073741824)

NGFW{running-dhcp-server-myscope}option

Configure options.

Syntax option (NAME|NUMBER) text Value 1

option (NAME|NUMBER) boolean Value 1 [Value 2] [Value 3]

option (NAME|NUMBER) integer8 Value 1 [Value 2] [Value 3]

option (NAME|NUMBER) hex8 Value 1 [Value 2] [Value 3]

option (NAME|NUMBER) integer32 Value 1 [Value 2] [Value 3]

option (NAME|NUMBER) hex32 Value 1 [Value 2] [Value 3]

option (NAME|NUMBER) ipaddress (Value 1) [Value 2] [Value 3]

Refer to https://tools.ietf.org/html/rfc2132#section-3 or https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#DHCP_options for known option names and numbers.

Example

NGFW{running-dhcp-server-myscope}help option

option Configure options

Syntax: option (NAME) Values

Values as specified in documents referenced above

Syntax: option (NUMBER) text Value 1

Value 1 can include up to 256 characters of any type including spaces and tabs

Syntax: option (NUMBER) boolean Value 1 [Value 2] [Value 3]

Value 1,2,3 must be string true or false

Syntax: option (NUMBER) integer8 Value 1 [Value 2] [Value 3]

Value 1,2,3 must be in integer between 0 and 255

Syntax: option (NUMBER) hex8 Value 1 [Value 2] [Value 3]

Value 1,2,3 must be in hex integer between 0 and ff and entered as (0x0-0xff)

Syntax: option (NUMBER) integer32 Value 1 [Value 2] [Value 3]

Value 1,2,3 must be in integer between 0 and 16777215

Syntax: option (NUMBER) hex32 Value 1 [Value 2] [Value 3]

Value 1,2,3 must be in hex integer between 0 and ffffff and entered as (0x0-0xffffff)

Syntax: option (NUMBER) ipaddress (Value 1) [Value 2] [Value 3]

Value 1,2,3 can be a domain name of up to 255 characters or an IP address
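The per-type value constraints listed in the help text above can be checked before a line is typed into the scope context. The following Python validator is an added example, not part of this reference or the appliance's software; it applies those rules (text up to 256 characters, boolean true/false, integer8 0-255, hex8 0x0-0xff, integer32 0-16777215, hex32 0x0-0xffffff, ipaddress as IPv4 or a domain name of up to 255 characters). The hostname label shape and the 1-254 range for numeric option codes are assumptions.

```python
import ipaddress
import re

# Added validator for the DHCP server "option" value types listed in the
# help text above (text, boolean, integer8, hex8, integer32, hex32,
# ipaddress). Illustration only; it is not the appliance's own code.

# Hostname label check used for the "domain name of up to 255 characters"
# case of the ipaddress type (assumption: RFC 1035-style labels).
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def _is_domain_name(value: str) -> bool:
    if not value or len(value) > 255:
        return False
    return all(_LABEL.fullmatch(label) for label in value.rstrip(".").split("."))


def _is_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def _int_in_range(value: str, upper: int) -> bool:
    return value.isdigit() and int(value) <= upper


def _hex_in_range(value: str, upper: int) -> bool:
    # The help text requires the 0x-prefixed form, e.g. (0x0-0xff).
    if not re.fullmatch(r"0[xX][0-9a-fA-F]+", value):
        return False
    return int(value, 16) <= upper


# Per type: maximum number of values and the predicate each value must pass.
_RULES = {
    "text": (1, lambda v: len(v) <= 256),
    "boolean": (3, lambda v: v in ("true", "false")),
    "integer8": (3, lambda v: _int_in_range(v, 255)),
    "hex8": (3, lambda v: _hex_in_range(v, 0xFF)),
    "integer32": (3, lambda v: _int_in_range(v, 16777215)),
    "hex32": (3, lambda v: _hex_in_range(v, 0xFFFFFF)),
    "ipaddress": (3, lambda v: _is_ipv4(v) or _is_domain_name(v)),
}


def validate_option(option_type: str, values: list) -> tuple:
    """Check the value list of one option against the rules for its type.

    Returns (ok, reason); reason is "ok" when the values are acceptable.
    """
    if option_type not in _RULES:
        return False, "unknown option type %r" % option_type
    max_values, accept = _RULES[option_type]
    if not 1 <= len(values) <= max_values:
        return False, "%s takes 1 to %d value(s), got %d" % (
            option_type, max_values, len(values))
    for i, v in enumerate(values, 1):
        if not accept(v):
            return False, "Value %d %r is not a valid %s" % (i, v, option_type)
    return True, "ok"


def validate_option_line(line: str) -> tuple:
    """Validate a whole CLI line: option (NAME|NUMBER) TYPE Value 1 [Value 2] [Value 3].

    A text option takes the rest of the line as its single value, because the
    help text allows spaces and tabs in it; every other type is space-separated.
    """
    parts = line.strip().split(None, 3)
    if len(parts) < 4 or parts[0] != "option":
        return False, "expected: option (NAME|NUMBER) TYPE Value 1 [Value 2] [Value 3]"
    _, name_or_number, option_type, rest = parts
    # Assumption: numeric option codes 0 (pad) and 255 (end) are reserved by
    # RFC 2132 and cannot be configured; names are passed through unchecked.
    if name_or_number.isdigit() and not 1 <= int(name_or_number) <= 254:
        return False, "option number %s is outside 1-254" % name_or_number
    values = [rest] if option_type == "text" else rest.split()
    return validate_option(option_type, values)
```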

NGFW{running-dhcp-server-myscope}subnet

Configure subnet.

Syntax subnet A.B.C.D/M

Example

NGFW{running-dhcp-server-myscope}subnet ?

Valid entry at this position is:

A.B.C.D/M IPv4 address and mask length

running-dnat Context Commands

NGFW{running}dst-nat

NGFW{running-dnat}delete

Delete destination NAT rule(s).

Syntax delete rule (all|DSTNATRULEID)

Example

NGFW{running-dnat}delete rule 123

NGFW{running-dnat}rename

Rename destination NAT rule.

Syntax rename dnat DSTNATRULEID NEWDSTNATRULEID

Example

NGFW{running-dnat}rename rule 123 dnat1

NGFW{running-dnat}rule

Create or enter a rule context.

Syntax rule (auto|DSTNATRULEID) [POSITION_VALUE]

Example

NGFW{running-dnat}rule auto

NGFW{running-dnat}rule 123

running-dnat-rule-X Context Commands

NGFW{running-dnat}rule 1

NGFW{running-dnat-rule-dnat1}delete

Delete file or configuration item.

Syntax delete port

delete dst-zone (include|exclude) ZONENAME

delete src-address (include|exclude) group ADDRESSGROUP

delete dst-address (include|exclude) group ADDRESSGROUP

delete src-address (include|exclude) ipaddress A.B.C.D

delete dst-address (include|exclude) ipaddress A.B.C.D

delete src-address (include|exclude) ipaddress A.B.C.D/M

delete dst-address (include|exclude) ipaddress A.B.C.D/M

delete src-address (include|exclude) range A.B.C.D A.B.C.D

delete dst-address (include|exclude) range A.B.C.D A.B.C.D

delete translate-to ipaddress (A.B.C.D|A.B.C.D/M)

delete translate-to range A.B.C.D A.B.C.D

Example

NGFW{running-dnat-rule-dnat1}delete translate-to range 192.168.1.100 192.168.1.200

NGFW{running-dnat-rule-dnat1}delete src-zone include all

NGFW{running-dnat-rule-dnat1}delete dst-address include ipaddress 192.168.1.0/24

NGFW{running-dnat-rule-dnat1}delete src-address exclude ipaddress 192.168.1.1

NGFW{running-dnat-rule-dnat1}description

Apply rule description.

Syntax description TEXT

Example

NGFW{running-dnat-rule-dnat1}description "destination nat rule"

NGFW{running-dnat-rule-dnat1}dst-address

Apply destination address.

Syntax dst-address (include|exclude) ipaddress (A.B.C.D|A.B.C.D/M)

dst-address (include|exclude) range A.B.C.D A.B.C.D

dst-address (include|exclude) group ADDRESSGROUP

Example

NGFW{running-dnat-rule-dnat1}dst-address include ipaddress 192.168.1.0/24

NGFW{running-dnat-rule-dnat1}dst-address exclude ipaddress 192.168.1.1

NGFW{running-dnat-rule-dnat1}dst-address include range 192.168.1.100 192.168.1.200

NGFW{running-dnat-rule-dnat1}move

Move rule position.

Syntax move after DSTNATRULEID

move before DSTNATRULEID

move to position VALUE

Example

NGFW{running-dnat-rule-dnat1}move after dnat1

NGFW{running-dnat-rule-dnat1}move before dnat1

NGFW{running-dnat-rule-dnat1}move to position 1

NGFW{running-dnat-rule-dnat1}src-address

Apply source address.

Syntax src-address (include|exclude) ipaddress (A.B.C.D|A.B.C.D/M)

src-address (include|exclude) range A.B.C.D A.B.C.D

src-address (include|exclude) group ADDRESSGROUP

Example

NGFW{running-dnat-rule-dnat1}src-address include ipaddress 192.168.1.0/24

NGFW{running-dnat-rule-dnat1}src-address exclude ipaddress 192.168.1.1

NGFW{running-dnat-rule-dnat1}src-address include range 192.168.1.100 192.168.1.200

NGFW{running-dnat-rule-dnat1}src-zone

Apply source security zone.

Syntax src-zone (include|exclude) ZONENAME

Example

NGFW{running-dnat-rule-dnat1}src-zone include myzone1

NGFW{running-dnat-rule-dnat1}src-zone exclude myzone1

NGFW{running-dnat-rule-dnat1}tcp

Create a TCP port translation (destination port or port range to translated port or range).

Syntax tcp dst-port PORT [to PORT] translate-to TRANS-PORT [to TRANS-PORT]

Example

NGFW{running-dnat-rule-dnat1}tcp dst-port 80 to 81 translate-to 8080 to 8081

NGFW{running-dnat-rule-dnat1}translate-to

Apply translation.

Syntax translate-to ipaddress (A.B.C.D|A.B.C.D/M)

translate-to range A.B.C.D A.B.C.D

Example

NGFW{running-dnat-rule-dnat1}translate-to ipaddress 192.168.1.1

NGFW{running-dnat-rule-dnat1}translate-to ipaddress 192.168.1.0/24

NGFW{running-dnat-rule-dnat1}translate-to range 192.168.1.100 192.168.1.200

NGFW{running-dnat-rule-dnat1}udp

Create a UDP port translation (destination port or port range to translated port or range).

Syntax udp dst-port PORT [to PORT] translate-to TRANS-PORT [to TRANS-PORT]

Example

NGFW{running-dnat-rule-dnat1}udp dst-port 53 translate-to 3853

running-dns Context Commands

NGFW{running}dns

NGFW{running-dns}delete

Delete file or configuration item. A secondary domain-search can only be deleted if no tertiary exists. A primary domain-search can only be deleted if no secondary exists.

Syntax delete domain-name

delete domain-search (primary|secondary|tertiary|all)

delete name-server (all|A.B.C.D|X:X::X:X)

delete proxy cache cleaning interval

delete proxy cache forwarder (all|A.B.C.D|X:X::X:X)

delete proxy cache maximum negative ttl

delete proxy cache maximum ttl

delete proxy cache size

Example

NGFW{running-dns}delete proxy cache ?

Valid entries at this position are:

cleaning Delete cleaning

forwarder Delete forwarder

maximum Delete maximum

size Delete size

NGFW{running-dns}delete domain-search tertiary

NGFW{running-dns}delete domain-search secondary

NGFW{running-dns}delete domain-search primary

NGFW{running-dns}domain-name

Configure domain name.

Syntax domain-name NAME

Example

NGFW{running-dns}help domain-name

Configure router domain name

Syntax: domain-name NAME

domain-name Configure domain name

NAME Domain name (e.g. hp.com)<1-256>

NGFW{running-dns}domain-search

Configure domain search. A secondary domain-search can only be entered after a primary is entered and a tertiary can only be entered after a secondary is entered.

Syntax domain-search (primary|secondary|tertiary) NAME

Example

NGFW{running-dns}domain-search primary example.com

NGFW{running-dns}domain-search secondary example.org

NGFW{running-dns}domain-search tertiary example.edu

NGFW{running-dns}name-server

Configure DNS server.

Syntax name-server (A.B.C.D|X:X::X:X)

Example

NGFW{running-dns}help name-server

Configure DNS server

Syntax: name-server A.B.C.D|X:X::X:X

A.B.C.D IPv4 address

X:X::X:X IPv6 address

NGFW{running-dns}proxy

Configure proxy.

Syntax proxy (enable|disable)

proxy cache cleaning interval (cache cleaning interval in minutes)

proxy cache forwarder A.B.C.D|X:X::X:X

proxy cache maximum negative ttl (cache maximum negative ttl in minutes)

proxy cache maximum ttl (cache maximum ttl in minutes)

proxy cache size (cache size in megabytes)

Example

NGFW{running-dns}proxy enable

running-ethernetX Context Commands

NGFW{running}interface ethernet1

NGFW{running-ethernet1}arp/ndp

Enable or disable ARP and NDP on the interface.

Syntax arp/ndp (enable|disable)

Example

NGFW{running-ethernet1}arp/ndp enable

NGFW{running-ethernet1}autoconfv6

Enable or disable IPv6 autoconfiguration on the interface.

Syntax autoconfv6 (enable|disable)

Example

NGFW{running-ethernet1}autoconfv6 disable

NGFW{running-ethernet1}delete

Delete file or configuration item.

Syntax delete ip igmp

delete ip igmp version

delete ip ospf area

delete ip ospf authentication mode md5 (1-255) KEY

delete ip ospf authentication mode text KEY

delete ip ospf cost (1-65535)

delete ip ospf dead-interval (1-65535)

delete ip ospf hello-interval (1-65535)

delete ip ospf priority (0-255)

delete ip ospf retransmit-interval (3-65535)

delete ip ospf transmit-delay (1-65535)

delete ip pim-sm

delete ip rip

delete ip rip authentication mode md5

delete ip rip authentication mode text

delete ip rip receive version (v1-only|v2-only|v1-or-v2)

delete ip rip send version (v1-only|v2-only|v1-or-v2)

delete ip rip split-horizon

delete ipaddress (all|A.B.C.D/M|X:X::X:X/M)

delete ipaddress dhcpv4

delete ipaddress dhcpv6

delete ipv6 mld

delete ipv6 mld version

delete ipv6 ospfv3 area

delete ipv6 ospfv3 cost

delete ipv6 ospfv3 dead-interval

delete ipv6 ospfv3 hello-interval

delete ipv6 ospfv3 priority

delete ipv6 ospfv3 retransmit-interval

delete ipv6 ospfv3 transmit-delay

delete ipv6 pim-sm

delete ipv6 ripng

delete ipv6 ripng split-horizon

delete prefix (all|X:X::X:X/M)

delete shutdown (shutdown logical interface state)

Example

NGFW{running-ethernet1}delete ip igmp version

NGFW{running-ethernet1}delete ip ospf area

NGFW{running-ethernet1}delete ip ospf authentication mode md5 1 mysecret

NGFW{running-ethernet1}delete ip ospf authentication mode text mysecret

NGFW{running-ethernet1}delete ip ospf cost 1

NGFW{running-ethernet1}delete ip ospf dead-interval 1

NGFW{running-ethernet1}delete ip ospf hello-interval 1

NGFW{running-ethernet1}delete ip ospf priority 1

NGFW{running-ethernet1}delete ip ospf retransmit-interval

NGFW{running-ethernet1}delete ip ospf transmit-delay 1

NGFW{running-ethernet1}delete ip pim-sm

NGFW{running-ethernet1}delete ip rip authentication mode md5

NGFW{running-ethernet1}delete ip rip authentication mode text

NGFW{running-ethernet1}delete ip rip receive version v2-only

NGFW{running-ethernet1}delete ip rip send version v2-only

NGFW{running-ethernet1}delete ip rip split-horizon

NGFW{running-ethernet1}delete prefix all

NGFW{running-ethernet1}delete shutdown

NGFW{running-ethernet1}delete ipaddress dhcpv6

WARNING: This command will remove the dhcpv6 context. Do you want to continue (y/n)?

[n]: y

NGFW{running-ethernet1}delete ipaddress dhcpv4

WARNING: This command will remove the dhcpv4 context. Do you want to continue (y/n)?

[n]: y

NGFW{running-ethernet1}delete ipaddress 192.168.1.1/24

NGFW{running-ethernet1}delete ipaddress 100:0:0:0:0:0:0:1/64

NGFW{running-ethernet1}description

Enter a description for the interface.

Syntax description TEXT

Example

NGFW{running-ethernet1}description "Ethernet port 1"

NGFW{running-ethernet1}ip

Configure IP settings.

Syntax ip igmp

ip igmp version (1|2|3)

ip ospf area (A.B.C.D|(0-4294967295))

ip ospf authentication mode md5 (1-255) KEY

ip ospf authentication mode text KEY

ip ospf cost (1-65535)

ip ospf dead-interval (1-65535)

ip ospf hello-interval (1-65535) [A.B.C.D]

ip ospf priority (0-255)

ip ospf retransmit-interval (3-65535)

ip ospf transmit-delay (1-65535)

ip pim-sm

ip rip

ip rip authentication mode md5 (0-2147483647) KEY

ip rip authentication mode text

ip rip receive version VERSION (v1-only|v2-only|v1-or-v2)

ip rip send version VERSION

ip rip split-horizon [poison-reverse]

Example

NGFW{running-ethernet1}ip igmp version 3

NGFW{running-ethernet1}ip ospf area 1

NGFW{running-ethernet1}ip ospf authentication mode md5 1 mysecret

NGFW{running-ethernet1}ip ospf authentication mode text mysecret

NGFW{running-ethernet1}ip ospf cost 1

NGFW{running-ethernet1}ip ospf dead-interval 1

NGFW{running-ethernet1}ip ospf hello-interval 1

NGFW{running-ethernet1}ip ospf priority 1

NGFW{running-ethernet1}ip ospf retransmit-interval 3

NGFW{running-ethernet1}ip ospf transmit-delay 1

NGFW{running-ethernet1}ip rip authentication mode md5 1 mysecret

NGFW{running-ethernet1}ip rip authentication mode text

Enter key: up to 16 characters:******

NGFW{running-ethernet1}ip rip receive version v2-only

NGFW{running-ethernet1}ip rip send version v2-only

NGFW{running-ethernet1}ip rip split-horizon poison-reverse

NGFW{running-ethernet1}ip ?

NGFW{running-ethernet1}ipaddress

Configure IP address.

Syntax ipaddress (A.B.C.D/M|X:X::X:X/M) [primary] ipaddress dhcpv4

Example

NGFW{running-ethernet1}ipaddress 100:0:0:0:0:0:0:1/64 primary

NGFW{running-ethernet1}ipaddress 192.168.1.1/24

NGFW{running-ethernet1}ipaddress dhcpv4

NGFW{running-ethernet1-dhcpv4}?

Valid entries at this position are:

client Configure client parameters

defaultroute-request Ask for IPv4 default route or not

delete Delete file or configuration item

dhcp Configure DHCPv4 client

dhcp Enable or disable DHCPv4 client service

display Display DHCPv4 client context

dns-request Ask for DNS server IPv4 address or not

help Display help information

ntp-request Ask for NTP server IPv4 address or not

option Configure DHCPv4 client option name

NGFW{running-ethernet1-dhcpv4}help

Valid commands are:

client identifier none|(hexa HEXA-ID)|(ascii ASCII-ID)

client name none|NAME

defaultroute-request enable|disable

delete option (NAME CODE)|all

dhcp enable|disable

dhcp server auto|A.B.C.D

display [xml]

dns-request enable|disable

help [full|COMMAND]

ntp-request enable|disable

option NAME CODE (boolean BOOLEAN)|(int8 INTEGER)|(uint8 INTEGER)|(int16 INTEGER)|(uint16 INTEGER)|(int32 INTEGER)|(uint32 INTEGER)|(ip-address (A.B.C.D|DOMAIN))|(text TEXT)|(string (STRING|TEXT))|(array-of-boolean BOOLEAN, BOOLEAN)|(array-of-int8 INTEGER, INTEGER)|(array-of-uint8 INTEGER, INTEGER)|(array-of-int16 INTEGER, INTEGER)|(array-of-uint16 INTEGER, INTEGER)|(array-of-int32 INTEGER, INTEGER)|(array-of-uint32 INTEGER, INTEGER)|(array-of-ip-address (A.B.C.D, A.B.C.D|DOMAIN, DOMAIN))

NGFW{running-ethernet1}ipv6

Configure IPv6 settings.

Syntax ipv6 mld

ipv6 mld version (1|2)

ipv6 ospfv3 area (A.B.C.D|(0-4294967295))

ipv6 ospfv3 cost (1-65535)

ipv6 ospfv3 dead-interval (1-65535)

ipv6 ospfv3 hello-interval (1-65535)

ipv6 ospfv3 priority (0-255)

ipv6 ospfv3 retransmit-interval (3-65535)

ipv6 ospfv3 transmit-delay (1-65535)

ipv6 pim-sm

ipv6 ripng

ipv6 ripng split-horizon [poison-reverse]

Example

NGFW{running-ethernet1}ipv6 mld version 2

NGFW{running-ethernet1}ipv6 ospfv3 area 1

NGFW{running-ethernet1}ipv6 ospfv3 cost 1

NGFW{running-ethernet1}ipv6 ospfv3 dead-interval 1

NGFW{running-ethernet1}ipv6 ospfv3 hello-interval 1

NGFW{running-ethernet1}ipv6 ospfv3 priority 1

NGFW{running-ethernet1}ipv6 ospfv3 retransmit-interval 3

NGFW{running-ethernet1}ipv6 ospfv3 transmit-delay 1

NGFW{running-ethernet1}ipv6 ripng split-horizon poison-reverse

NGFW{running-ethernet1}help ipv6 ripng split-horizon

Enable split-horizon / poison-reverse on this interface

Syntax: ipv6 ripng split-horizon [poison-reverse]

ipv6 Configure IPv6 settings

ripng Configure RIPng over the interface

split-horizon Enable split-horizon

poison-reverse Enable poison-reverse

NGFW{running-ethernet1}mtu

Configure interface MTU.

Syntax

mtu (default|(68-9216))

Example

NGFW{running-ethernet1}mtu 1500

NGFW{running-ethernet1}physical-media

Apply physical-media settings. Auto-negotiation is the default; alternatively, specify a supported port speed and duplex mode.

Syntax physical-media (auto-neg|10half|10full|100half|100full|1000full)

Example

NGFW{running-ethernet1}physical-media 1000full

NGFW{running-ethernet1}physical-media auto-neg

NGFW{running-ethernet1}prefix

Configure IPv6 prefix.

Syntax prefix X:X::X:X/M [valid-lifetime SECONDS] [preferred-lifetime SECONDS]

X:X::X:X/M IPv6 prefix

valid-lifetime Configure valid lifetime

(1-4294967295) Valid lifetime in seconds (default is 2592000)

preferred-lifetime Configure preferred lifetime

(1-4294967295) Preferred lifetime in seconds (default is 604800; cannot exceed valid lifetime)

Example

NGFW{running-ethernet1}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000 preferred-lifetime 604800

NGFW{running-ethernet1}ra-autoconf-level

Modify IPv6 Router Advertisement autoconfiguration level (DHCP).

Syntax ra-autoconf-level AUTOCONF

Possible values for AUTOCONF are:

none No parameter is autoconfigured

address Address is autoconfigured

other Some other parameters are autoconfigured

full Most parameters are autoconfigured

Example

NGFW{running-ethernet1}ra-autoconf-level full

NGFW{running-ethernet1}ra-interval

Modify IPv6 Router Advertisement interval value.

Syntax ra-interval MILLISECONDS (90-1800000)

Example

NGFW{running-ethernet1}ra-interval 600

NGFW{running-ethernet1}ra-interval-transmit

Enable or disable IPv6 Router Advertisement interval transmission.

Syntax ra-interval-transmit (enable|disable)

Example

NGFW{running-ethernet1}ra-interval-transmit enable

NGFW{running-ethernet1}ra-lifetime

Modify IPv6 Router Advertisement prefix lifetime in seconds.

Syntax ra-lifetime SECONDS (0-9000000)

Example

NGFW{running-ethernet1}ra-lifetime 1800

NGFW{running-ethernet1}ra-mtu

Modify IPv6 Router Advertisement MTU value.

Syntax ra-mtu (none|(68-9216))

MTU value advertised (0 if none)

Example

NGFW{running-ethernet1}ra-mtu 1500

NGFW{running-ethernet1}ra-transmit-mode

Modify IPv6 Router Advertisement transmit mode.

Syntax ra-transmit-mode MODE

Possible values for MODE are:

always Router Advert message is always sent

never Router Advert message is never sent

smart Router Advert message is sent if a prefix is defined

Example

NGFW{running-ethernet1}ra-transmit-mode smart

NGFW{running-ethernet1}restart

Restart Ethernet port.

Syntax restart

Example

NGFW{running-ethernet1}restart

NGFW{running-ethernet1}shutdown

Shut down the logical interface (set the logical interface state to down).

Syntax shutdown

Example

NGFW{running-ethernet1}shutdown

NGFW{running-ethernet1}tcp4mss

Configure interface TCP MSS for IPv4.

Syntax tcp4mss (disable|automatic|(4-65535))

Valid entries:

disable Disable service

automatic Automatically select TCP MSS based on interface MTU

(4-65535) TCP MSS value for IPv4

Example

NGFW{running-ethernet1}tcp4mss automatic

NGFW{running-ethernet1}tcp6mss

Configure interface TCP MSS for IPv6.

Syntax tcp6mss (disable|automatic|(4-65535))

Valid entries:

disable Disable service

automatic Automatically select TCP MSS based on interface MTU

(4-65535) TCP MSS value for IPv6

Example

NGFW{running-ethernet1}tcp6mss automatic

running-firewall Context Commands

NGFW{running}firewall

NGFW{running-firewall}default-block-rule

Apply action set for default block rule.

Syntax default-block-rule DEFACTIONSET

Example

NGFW{running-firewall}default-block-rule "Block + Notify + Trace"

NGFW{running-firewall}delete

Delete firewall rule.

Syntax delete rule (all|XRULEID)

Example

NGFW{running-firewall}delete rule myrule1

NGFW{running-firewall}rename

Rename a firewall rule.

Syntax rename rule XRULEID NEWRULEID

Example

NGFW{running-firewall}rename rule myrule1 myrule2

NGFW{running-firewall}rule

Create or enter a rule context.

Syntax rule (auto|RULEID) [POSITION_VALUE]

Example

NGFW{running-firewall}rule auto

NGFW{running-firewall}rule myrule1

running-firewall-rule-X Context Commands

NGFW{running-firewall}rule myrule1

NGFW{running-firewall-rule-myrule1}action

Apply action set.

Syntax action ACTIONSETNAME

Example

NGFW{running-firewall-rule-myrule1}action "Permit + Notify + Trace"

NGFW{running-firewall-rule-myrule1}application-group

Apply application group.

Syntax application-group APPGROUPNAME

application-group ANONYMOUS CRITERIASTRING

Example

NGFW{running-firewall-rule-myrule1}application-group facebook

NGFW{running-firewall-rule-myrule1}application-group ANONYMOUS

NGFW{running-firewall-rule-myrule1}delete

Delete file or configuration item.

Syntax delete application-group

delete comment

delete profile

delete schedule (include all|SCHEDULENAME)

delete schedule (exclude all|SCHEDULENAME)

delete services include (service all|SERVICENAME)

delete services include (protocol all|PROTONUM)

delete services include port all

delete services include tcp (all|PORT) [to PORT]

delete services include udp (all|PORT) [to PORT]

delete services include (icmp all|(CODENAME)|(TYPE [CODE]))

delete services include (icmpv6 all|(CODENAME6)|(TYPE6 [CODE6]))

delete services exclude (service all|SERVICENAME)

delete services exclude (protocol all|PROTONUM)

delete services exclude port all

delete services exclude tcp (all|PORT) [to PORT]

delete services exclude udp (all|PORT) [to PORT]

delete services exclude (icmp all|(CODENAME)|(TYPE [CODE]))

delete services exclude (icmpv6 all|(CODENAME6)|(TYPE6 [CODE6]))

delete src-address include group (all|SADDRESSGROUP)

delete src-address include (ipaddress all|A.B.C.D/M|X:X::X:X/M)

delete src-address include range (all|A.B.C.D|X:X::X:X)

delete src-address include ((any4)|(any6))

delete src-address exclude group (all|SADDRESSGROUP)

delete src-address exclude (ipaddress all|A.B.C.D/M|X:X::X:X/M)

delete src-address exclude range (all|A.B.C.D|X:X::X:X)

delete src-address exclude ((any4)|(any6))

delete dst-address include group (all|DADDRESSGROUP)

delete dst-address include (ipaddress all|A.B.C.D/M|X:X::X:X/M)

delete dst-address include range (all|A.B.C.D|X:X::X:X)

delete dst-address include ((any4)|(any6))

delete dst-address exclude group (all|DADDRESSGROUP)

delete dst-address exclude (ipaddress all|A.B.C.D/M|X:X::X:X/M)

delete dst-address exclude range (all|A.B.C.D|X:X::X:X)

delete dst-address exclude ((any4)|(any6))

delete src-zone (include all|ZONENAME)

delete src-zone (exclude all|ZONENAME)

delete dst-zone (include all|ZONENAME)

delete dst-zone (exclude all|ZONENAME)

delete user (include all|USERNAME)

delete user (exclude all|USERNAME)

delete user-group (include all|IN_GRP_NAME|IN_DN_GRP_NAME)

delete user-group (exclude all|EX_GRP_NAME|EX_DN_GRP_NAME)

Example

NGFW{running-firewall-rule-myrule1}delete application-group

NGFW{running-firewall-rule-myrule1}delete schedule exclude myhours1

NGFW{running-firewall-rule-myrule1}delete schedule include all

NGFW{running-firewall-rule-myrule1}delete services include port all

NGFW{running-firewall-rule-myrule1}delete services include service http

NGFW{running-firewall-rule-myrule1}delete services exclude icmp any

NGFW{running-firewall-rule-myrule1}delete dst-zone include myzone1

NGFW{running-firewall-rule-myrule1}delete src-zone include myzone1

NGFW{running-firewall-rule-myrule1}delete src-address include ipaddress 192.168.1.0/24

NGFW{running-firewall-rule-myrule1}delete dst-address include ipaddress 192.168.1.0/24

NGFW{running-firewall-rule-myrule1}delete services include port tcp 443

NGFW{running-firewall-rule-myrule1}delete user include all

NGFW{running-firewall-rule-myrule1}delete user exclude myuser1

NGFW{running-firewall-rule-myrule1}delete user-group include mygroup

NGFW{running-firewall-rule-myrule1}description

Apply rule description.

Syntax description TEXT

Example

NGFW{running-firewall-rule-myrule1}description "My Firewall Policy"

NGFW{running-firewall-rule-myrule1}disable

Disable rule.

Syntax disable

Example

NGFW{running-firewall-rule-myrule1}disable

NGFW{running-firewall-rule-myrule1}dst-address

Apply destination addresses.

Syntax dst-address (include|exclude) (any4|any6)

dst-address (include|exclude) group ADDRESSGROUP

dst-address (include|exclude) ipaddress (A.B.C.D|X:X::X:X)

dst-address (include|exclude) ipaddress (A.B.C.D/M|X:X::X:X/M)

dst-address (include|exclude) range ((A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X))

Example

NGFW{running-firewall-rule-myrule1}dst-address exclude ipaddress 192.168.1.1

NGFW{running-firewall-rule-myrule1}dst-address include ipaddress 192.168.1.0/24

NGFW{running-firewall-rule-myrule1}dst-address include range 192.168.1.100 192.168.1.200

NGFW{running-firewall-rule-myrule1}dst-address include group mygroup1

NGFW{running-firewall-rule-myrule1}dst-zone

Apply destination security zone.

Syntax dst-zone (include|exclude) ZONENAME

Example

NGFW{running-firewall-rule-myrule1}dst-zone include myzone1

NGFW{running-firewall-rule-myrule1}dst-zone exclude myzone1

NGFW{running-firewall-rule-myrule1}enable

Enable rule.

Syntax enable

Example

NGFW{running-firewall-rule-myrule1}enable

NGFW{running-firewall-rule-myrule1}move

Move firewall rule position in the rule table.

Syntax move after XRULEID

move before XRULEID

move to position VALUE

Example

NGFW{running-firewall-rule-myrule1}move after myrule2

NGFW{running-firewall-rule-myrule1}move before myrule2

NGFW{running-firewall-rule-myrule1}move to position 1

NGFW{running-firewall-rule-myrule1}profile

Apply profile.

Syntax profile (reputation REPPROFILE [ips IPSPROFILE])|(ips IPSPROFILE [reputation REPPROFILE])

Example

NGFW{running-firewall-rule-myrule1}profile ips "Default IPS Profile" reputation "Default Reputation Profile"

NGFW{running-firewall-rule-myrule1}profile ips "Default IPS Profile"

NGFW{running-firewall-rule-myrule1}profile reputation "Default Reputation Profile"

NGFW{running-firewall-rule-myrule1}schedule

Apply schedule.

Syntax schedule (include|exclude) SCHEDULENAME

Example

NGFW{running-firewall-rule-myrule1}schedule include myhours1

NGFW{running-firewall-rule-myrule1}schedule exclude myhours1

NGFW{running-firewall-rule-myrule1}services

Apply IP Services.

Syntax services (include|exclude) (service SERVICENAME)

services (include|exclude) (protocol PROTONUM)

services (include|exclude) (port tcp PORT [to PORT])

services (include|exclude) (port udp PORT [to PORT])

services (include|exclude) (icmp ICMP-CODENAMES|(TYPE [CODE]))

services (include|exclude) (icmpv6 ICMP6-CODENAMES|(TYPE [CODE]))

Example

NGFW{running-firewall-rule-myrule1}services include protocol 6

NGFW{running-firewall-rule-myrule1}services include port tcp 443

NGFW{running-firewall-rule-myrule1}services include service http

NGFW{running-firewall-rule-myrule1}services exclude icmpv6 any

NGFW{running-firewall-rule-myrule1}src-address

Apply source addresses.

Syntax src-address include (any4|any6)

src-address include group ADDRESSGROUP

src-address include ipaddress (A.B.C.D|X:X::X:X)

src-address include ipaddress (A.B.C.D/M|X:X::X:X/M)

src-address include range ((A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X))

src-address exclude (any4|any6)

src-address exclude group ADDRESSGROUP

src-address exclude ipaddress (A.B.C.D|X:X::X:X)

src-address exclude ipaddress (A.B.C.D/M|X:X::X:X/M)

src-address exclude range ((A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X))

Example

NGFW{running-firewall-rule-myrule1}src-address exclude ipaddress 192.168.1.1

NGFW{running-firewall-rule-myrule1}src-address include ipaddress 192.168.1.0/24

NGFW{running-firewall-rule-myrule1}src-address include range 192.168.1.100 192.168.1.200

NGFW{running-firewall-rule-myrule1}src-address include group mygroup1

NGFW{running-firewall-rule-myrule1}src-zone

Apply source security zone.

Syntax src-zone (include|exclude) ZONENAME

Example

NGFW{running-firewall-rule-myrule1}src-zone include myzone1

NGFW{running-firewall-rule-myrule1}src-zone exclude myzone1

NGFW{running-firewall-rule-myrule1}user

Apply user name.

Syntax user (include|exclude) USER_NAME

Example

NGFW{running-firewall-rule-myrule1}user include myuser1

NGFW{running-firewall-rule-myrule1}user-group

Apply user group name or LDAP-group DN.

Syntax user-group (include|exclude) (USER_GRP_NAME|LDAP_GROUP_DN)

Example

NGFW{running-firewall-rule-myrule1}user-group include group1

running-gen Context Commands

NGFW{running}gen

NGFW{running-gen}arp

Configure static ARP entry.

Syntax arp A.B.C.D INTERFACE MAC

A.B.C.D IPv4 address

INTERFACE Interface name

MAC Ethernet MAC address (e.g 00:02:b3:39:ba:d2)

Example

NGFW{running-gen}arp 192.168.1.1 ethernet5 a1:b2:c3:d4:e5:f6

NGFW{running-gen}auto-restart

Enable or disable automatic restart on detection of a critical problem.

Syntax auto-restart (enable|disable)

Example

NGFW{running-gen}auto-restart enable


NGFW{running-gen}delete

Delete file or configuration item.

Syntax delete arp (all|(ENTRY INTERFACE))

delete host (NAME|all)

delete ndp (all|(ENTRY INTERFACE))

Example

NGFW{running-gen}delete arp 192.168.1.1 ethernet5


NGFW{running-gen}delete host myhost

NGFW{running-gen}delete ndp 100::1 ethernet5

NGFW{running-gen}delete arp all

NGFW{running-gen}help delete arp

Delete configured static ARP entry

Syntax: delete arp all|(ENTRY INTERFACE)

delete Delete file or configuration item

arp Delete configured static ARP entry

all All settings

ENTRY IPv4 address of ARP entry

INTERFACE Interface of ARP entry

NGFW{running-gen}ephemeral-port-range

Set the range of the ephemeral port (default is 32768-61000).

Syntax ephemeral-port-range (default|(LOWRANGE HIGHRANGE))

default Default port range 32768-61000 is applied

LOWRANGE Value of the first port

HIGHRANGE Value of the last port

Example

NGFW{running-gen}ephemeral-port-range default

NGFW{running-gen}ephemeral-port-range 32768 61000

NGFW{running-gen}forwarding

Enable or disable IPv4/IPv6 forwarding.

Syntax forwarding (ipv4|ipv6) (enable|disable)

Example

NGFW{running-gen}forwarding ipv4 enable

NGFW{running-gen}forwarding ipv6 enable

NGFW{running-gen}host

Configure static address to host name association.

Syntax host NAME (A.B.C.D|X:X::X:X)

Example

NGFW{running-gen}host myhost 192.168.1.1

NGFW{running-gen}host myhost 100:0:0:0:0:0:0:1

NGFW{running-gen}https

Enable or disable the HTTPS web management server.

Syntax https (enable|disable)


Example

NGFW{running-gen}https enable

NGFW{running-gen}inband-management

Enable or disable in-band management, that is, management access through the network (data) ports rather than the dedicated management port.

Syntax inband-management (enable|disable)

Example

NGFW{running-gen}inband-management enable

NGFW{running-gen}management-service

Choose whether a management service uses the dedicated management port or the network (data) ports.

Syntax management-service all (management|network)

management-service dns (management|network)

management-service email (management|network)

management-service ldap (management|network)

management-service ntp (management|network)

management-service radius (management|network)

management-service remote-syslog (management|network)

management-service snmp (management|network)

Example

NGFW{running-gen}management-service all management

NGFW{running-gen}management-service all network

NGFW{running-gen}management-service ldap network

NGFW{running-gen}management-service email network

NGFW{running-gen}management-service snmp management

Example

NGFW{running-gen}help management-service

Set a management service to either use management port or network port

all Set all management services to use management port or network port

dns Set the DNS service to use the management port or the network port

email Set the email service to use management port or network port

ldap Set the LDAP service to use the management port or the network port

ntp Set the NTP service to use the management port or the network port

radius Set the RADIUS service to use management port or the network port

remote-syslog Set remote syslog service to use management port or network port

snmp Set the SNMP service to use the management port or the network port

management Set service to use management port

network Set service to use network port


NGFW{running-gen}ndp

Configure static NDP entry.

Syntax ndp X:X::X:X INTERFACE MAC

X:X::X:X IPv6 address

INTERFACE Interface name

MAC Ethernet MAC address (e.g 00:02:b3:39:ba:d2)


Example

NGFW{running-gen}ndp 100:0:0:0:0:0:0:1 ethernet5 a1:b2:c3:d4:e5:f6

NGFW{running-gen}ssh

Enable or disable ssh service.

Syntax ssh (enable|disable)

Example

NGFW{running-gen}ssh enable

NGFW{running-gen}timezone

Display or configure time zone.

Syntax timezone GMT

timezone REGION CITY

REGION (Africa|America|Antarctica|Arctic|Asia|Atlantic|Australia|Europe|Indian|Pacific)

Example

NGFW{running-gen}timezone America Chicago

NGFW{running-gen}timezone GMT
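The running-gen entries above are the management-plane switches a hardening review checks first. The sequence below is an added example, not a transcript from the manual: it pins every management service to the dedicated management port, allows only NTP out through the network ports, turns off in-band management, and adds a static ARP entry for the upstream gateway so that a spoofed ARP reply cannot redirect the appliance's own traffic. The interface name, gateway address and MAC are assumed values reused from the entries above; lines beginning with # are annotations, not commands. Disable in-band management only after confirming that you can reach the management port, otherwise this sequence locks you out of the appliance.

```text
NGFW{running}gen
# authentication, logging and monitoring traffic stays off the data path
NGFW{running-gen}management-service all management
# per-service override: only time sync may leave through the network ports
NGFW{running-gen}management-service ntp network
# no management sessions through the data-plane interfaces (see caveat above)
NGFW{running-gen}inband-management disable
# management access over encrypted channels only
NGFW{running-gen}https enable
NGFW{running-gen}ssh enable
# static ARP entry for the default gateway (assumed address and MAC)
NGFW{running-gen}arp 192.168.1.1 ethernet5 a1:b2:c3:d4:e5:f6
# recover automatically from a fatal fault, keep the default source-port range
NGFW{running-gen}auto-restart enable
NGFW{running-gen}ephemeral-port-range default
# UTC timestamps keep this appliance's logs comparable with other devices
NGFW{running-gen}timezone GMT
```

The static ARP entry has to be updated whenever the gateway's hardware changes; delete arp 192.168.1.1 ethernet5 removes it. Verify the service placement afterwards with help management-service and the display commands for this context before relying on it.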

running-global-inspection Context Commands

NGFW{running}global-inspection

NGFW{running-global-inspection}default-inspection

Apply default inspection profile.

Syntax default-inspection ips-profile (IPSPROFILE|none)

default-inspection reputation-profile (REPPROFILE|none)

Example

NGFW{running-global-inspection}default-inspection reputation-profile ?

Valid entries at this position are:

REPPROFILE Existing reputation profile

none Disable security profile

NGFW{running-global-inspection}unknown-app

Apply inspection profile during application detection phase.

Syntax unknown-app ips-profile (IPSPROFILE|none)

unknown-app reputation-profile (REPPROFILE|none)

Example

NGFW{running-global-inspection}unknown-app ?

Valid entries at this position are:

ips-profile Apply IPS profile

reputation-profile Apply reputation profile


running-greX Context Commands

NGFW{running}interface gre0

NGFW{running-gre0}autoconfv6

Enable or disable IPv6 autoconfiguration on interface.

Syntax autoconfv6 (enable|disable)

Example

NGFW{running-gre0}autoconfv6 enable

NGFW{running-gre0}bind

Configure the GRE tunnel encapsulation.

Syntax bind A.B.C.D A.B.C.D

bind X:X::X:X X:X::X:X

The first address is the local tunnel endpoint (global address) and the second is the remote tunnel endpoint.

Example

NGFW{running-gre0}bind 192.168.1.1 192.168.2.1

NGFW{running-gre0}bind 2001:2:0:0:0:0:0:1 2001:db8:0:0:0:0:0:1

NGFW{running-gre0}checksum

Enable or disable GRE Checksum.

Syntax checksum (enable|disable)

Example

NGFW{running-gre0}checksum enable


NGFW{running-gre0}delete

Delete file or configuration item.

Syntax delete bind

delete ip igmp

delete ip igmp version

delete ip ospf area

delete ip ospf authentication mode md5 KEY_ID KEY

delete ip ospf authentication mode text KEY

delete ip ospf cost COST

delete ip ospf dead-interval VALUE

delete ip ospf hello-interval VALUE

delete ip ospf priority VALUE

delete ip ospf retransmit-interval VALUE

delete ip ospf transmit-delay VALUE

delete ip rip

delete ip rip authentication mode md5

delete ip rip authentication mode text

delete ip rip receive version VERSION

delete ip rip send version VERSION

delete ip rip split-horizon

delete ipaddress A.B.C.D

delete ipaddress X:X::X:X

delete ipaddress all

delete ipv6 mld

delete ipv6 mld version

delete ipv6 ospfv3 area

delete ipv6 ospfv3 cost

delete ipv6 ospfv3 dead-interval

delete ipv6 ospfv3 hello-interval

delete ipv6 ospfv3 priority

delete ipv6 ospfv3 retransmit-interval

delete ipv6 ospfv3 transmit-delay

delete ipv6 ripng

delete ipv6 ripng split-horizon

delete prefix (all|X:X::X:X/M)

delete shutdown

Example

NGFW{running-gre0}delete bind

NGFW{running-gre0}delete ip igmp version

NGFW{running-gre0}delete ip igmp

NGFW{running-gre0}delete ip ospf authentication mode md5 1 secret

NGFW{running-gre0}delete ip ospf authentication mode text secret

NGFW{running-gre0}delete ip ospf cost 1

NGFW{running-gre0}delete ip ospf dead-interval 1

NGFW{running-gre0}delete ip ospf hello-interval 1

NGFW{running-gre0}delete ip ospf priority 1

NGFW{running-gre0}delete ip ospf retransmit-interval 3

NGFW{running-gre0}delete ip ospf transmit-delay 1

NGFW{running-gre0}delete ip rip authentication mode md5

NGFW{running-gre0}delete ip rip authentication mode text

NGFW{running-gre0}delete ip rip receive version v2-only

NGFW{running-gre0}delete ip rip send version v2-only

NGFW{running-gre0}delete ip rip split-horizon poison-reverse

NGFW{running-gre0}delete ip rip split-horizon

NGFW{running-gre0}delete ipaddress 10.10.10.1 10.11.11.1

NGFW{running-gre0}delete ipaddress 100:10:10:0:0:0:0:1 100:11:11:0:0:0:0:1

NGFW{running-gre0}delete ipv6 mld version

NGFW{running-gre0}delete ipv6 ospfv3 area

NGFW{running-gre0}delete ipv6 ospfv3 cost

NGFW{running-gre0}delete ipv6 ospfv3 dead-interval

NGFW{running-gre0}delete ipv6 ospfv3 hello-interval

NGFW{running-gre0}delete ipv6 ospfv3 priority

NGFW{running-gre0}delete ipv6 ospfv3 retransmit-interval

NGFW{running-gre0}delete ipv6 ospfv3 transmit-delay

NGFW{running-gre0}delete ipv6 ripng split-horizon poison-reverse

NGFW{running-gre0}delete ipv6 ripng split-horizon

NGFW{running-gre0}description

Enter description for the interface.

Syntax description TEXT


Example

NGFW{running-gre0}description "GRE tunnel 0"

NGFW{running-gre0}ip

Configure IP settings.

Syntax ip igmp

ip igmp version (1|2|3)

ip ospf area (A.B.C.D|(0-4294967295))

ip ospf authentication mode md5 (1-255) KEY

ip ospf authentication mode text KEY

ip ospf cost (1-65535)

ip ospf dead-interval (1-65535)

ip ospf hello-interval (1-65535) [A.B.C.D]

ip ospf priority (0-255)

ip ospf retransmit-interval (3-65535)

ip ospf transmit-delay (1-65535)

ip rip

ip rip authentication mode md5 (0-2147483647) KEY

ip rip authentication mode text

ip rip receive version (v1-only|v2-only|v1-or-v2)

ip rip send version (v1-only|v2-only|v1-or-v2)

ip rip split-horizon [poison-reverse]

Example

NGFW{running-gre0}ip igmp version 3

NGFW{running-gre0}ip ospf area 1

NGFW{running-gre0}ip ospf authentication mode md5 1 mysecret

NGFW{running-gre0}ip ospf authentication mode text mysecret

NGFW{running-gre0}ip ospf cost 1

NGFW{running-gre0}ip ospf dead-interval 1

NGFW{running-gre0}ip ospf hello-interval 1

NGFW{running-gre0}ip ospf priority 1

NGFW{running-gre0}ip ospf retransmit-interval 3

NGFW{running-gre0}ip ospf transmit-delay 1

NGFW{running-gre0}ip rip authentication mode md5 1 mysecret

NGFW{running-gre0}ip rip authentication mode text

Enter key: up to 16 characters:******

NGFW{running-gre0}ip rip receive version v2-only

NGFW{running-gre0}ip rip send version v2-only

NGFW{running-gre0}ip rip split-horizon poison-reverse

NGFW{running-gre0}ipaddress

Configure endpoints IP address.

Syntax ipaddress A.B.C.D A.B.C.D

ipaddress X:X::X:X X:X::X:X

The first address is the local GRE endpoint address and the second is the remote GRE endpoint address.

Example

NGFW{running-gre0}ipaddress 10.10.10.1 10.11.11.1

NGFW{running-gre0}ipaddress 100:10:10:0:0:0:0:1 100:11:11:0:0:0:0:1


NGFW{running-gre0}ipv6

Configure IPv6 settings.

Syntax ipv6 mld

ipv6 mld version (1|2)

ipv6 ospfv3 area (A.B.C.D|(0-4294967295))

ipv6 ospfv3 cost COST

ipv6 ospfv3 dead-interval VALUE

ipv6 ospfv3 hello-interval VALUE

ipv6 ospfv3 priority VALUE

ipv6 ospfv3 retransmit-interval VALUE

ipv6 ospfv3 transmit-delay VALUE

ipv6 ripng

ipv6 ripng split-horizon [poison-reverse]

Example

NGFW{running-gre0}ipv6 mld version 2

NGFW{running-gre0}ipv6 ospfv3 area 1

NGFW{running-gre0}ipv6 ospfv3 cost 1

NGFW{running-gre0}ipv6 ospfv3 dead-interval 1

NGFW{running-gre0}ipv6 ospfv3 hello-interval 1

NGFW{running-gre0}ipv6 ospfv3 priority 1

NGFW{running-gre0}ipv6 ospfv3 retransmit-interval 3

NGFW{running-gre0}ipv6 ospfv3 transmit-delay 1

NGFW{running-gre0}ipv6 ripng split-horizon poison-reverse

NGFW{running-gre0}key

Configure GRE key.

Syntax key (enable|disable)

key (0-4294967295)

enable Enable the GRE key, using the default key value

disable Disable the GRE key

(0-4294967295) Set the GRE key value

Example

NGFW{running-gre0}key enable

NGFW{running-gre0}mtu

Configure interface MTU.

Syntax mtu (default|(68-9216))

Example

NGFW{running-gre0}mtu 1500

NGFW{running-gre0}shutdown

Shutdown logical interface state.


Syntax shutdown

Example

NGFW{running-gre0}shutdown

NGFW{running-gre0}tcp4mss

Configure interface TCP MSS for IPv4.

Syntax tcp4mss (disable|automatic|(4-65535))

disable Disable TCP MSS adjustment on this interface

automatic Automatically select the TCP MSS from the interface MTU

(4-65535) TCP MSS value for IPv4

Example

NGFW{running-gre0}tcp4mss automatic

NGFW{running-gre0}tcp6mss

Configure interface TCP MSS for IPv6.

Syntax tcp6mss (disable|automatic|(4-65535))

disable Disable TCP MSS adjustment on this interface

automatic Automatically select the TCP MSS from the interface MTU

(4-65535) TCP MSS value for IPv6

Example

NGFW{running-gre0}tcp6mss automatic
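A complete GRE tunnel definition using the gre0 commands documented above, added here as an example and not copied from the manual. The endpoint addresses, the key value and the OSPF key are assumed; lines beginning with # are annotations, not commands, and the closing delete shutdown assumes the interface was left administratively down. Two caveats a reviewer should keep in mind: the GRE key and checksum are a demultiplexing tag and a corruption check, not authentication or encryption, so anything confidential carried over the tunnel needs an IPsec policy around it; and OSPF text-mode authentication puts the key in clear text in every hello, so md5 is the only mode worth using on a link that crosses networks you do not control.

```text
NGFW{running}interface gre0
NGFW{running-gre0}description "GRE tunnel 0"
# outer (transport) endpoints: local first, then remote (assumed addresses)
NGFW{running-gre0}bind 192.168.1.1 192.168.2.1
# inner endpoint addresses that routing uses across the tunnel
NGFW{running-gre0}ipaddress 10.10.10.1 10.11.11.1
# key and checksum: a demultiplexing tag and a corruption check, not security
NGFW{running-gre0}key 1001
NGFW{running-gre0}checksum enable
# conservative MTU for the outer IP + GRE + key + checksum overhead; MSS follows it
NGFW{running-gre0}mtu 1400
NGFW{running-gre0}tcp4mss automatic
NGFW{running-gre0}tcp6mss automatic
# OSPF across the tunnel, MD5-authenticated (text mode would send the key in clear)
NGFW{running-gre0}ip ospf area 1
NGFW{running-gre0}ip ospf authentication mode md5 1 mysecret
NGFW{running-gre0}ip ospf hello-interval 10
NGFW{running-gre0}ip ospf dead-interval 40
# clear an administrative shutdown, if one was set, to bring the tunnel up
NGFW{running-gre0}delete shutdown
```

The OSPF key is typed on the command line and therefore lands in the running configuration and command history; treat the saved configuration as sensitive. The same key ID and key must be configured on the far end, and delete ip ospf authentication mode md5 1 mysecret is the documented way to retire it.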

running-high-availability Context Commands

NGFW{running}high-availability

NGFW{running-high-availability}delete

Delete file or configuration item.

Syntax delete failover-group base-mac

delete failover-group name

base-mac Base MAC address

name Failover group name

Example

NGFW{running-high-availability}delete failover-group name

NGFW{running-high-availability}disable

Disable high-availability.

Syntax disable


Example

NGFW{running-high-availability}disable

NGFW{running-high-availability}enable

Enable high-availability.

Syntax enable

Example

NGFW{running-high-availability}enable

NGFW{running-high-availability}failover-group

Allows you to define name and MAC address for a Failover Group.

Syntax failover-group base-mac X:X:X:X:X:X failover-group name NAME

Example

NGFW{running-high-availability}failover-group name mygroupname

NGFW{running-high-availability}state-sync

Allows you to define state synchronization.

Syntax state-sync global (enable|disable)

state-sync firewall (enable|disable)

state-sync firewall log-level (alert|critical|debug|emergency|error|info|notice|warning|none)

state-sync ips (enable|disable)

state-sync ips log-level (alert|critical|debug|emergency|error|info|notice|warning|none)

state-sync routing (enable|disable)

state-sync routing log-level (alert|critical|debug|emergency|error|info|notice|warning|none)

Example

NGFW{running-high-availability}state-sync firewall enable

running-ips Context Commands

Immediate Commit Feature. Changes take effect immediately.

NGFW{running}ips

NGFW{running-ips}afc-mode

Configures AFC mode.

Syntax afc-mode AFCMODE

Example

NGFW{running-ips}afc-mode ?

Valid entries at this position are:


automatic Automatic AFC mode

manual Manual AFC mode

NGFW{running-ips}afc-severity

Configures AFC severity level.

Syntax afc-severity SEVERITY

Example

NGFW{running-ips}afc-severity ?

Valid entries for SEVERITY:

critical Critical severity

error Error severity

info Info severity

warning Warning severity

NGFW{running-ips}connection-table

Configures connection table timeout.

Syntax connection-table TIMEOUTTYPE SECONDS

TIMEOUTTYPE Connection table timeout type

Possible values for TIMEOUTTYPE are:

non-tcp-timeout Connection table non-tcp timeout

timeout Connection table timeout

trust-timeout Connection table trust timeout

SECONDS Connection table timeout seconds

Example

NGFW{running-ips}connection-table trust-timeout 60

NGFW{running-ips}delete

Allows you to delete a profile.

Syntax delete profile XPROFILENAME

Example

NGFW{running-ips}delete profile myprofile

NGFW{running-ips}deployment-choices

Lists the available deployment choices.

Syntax deployment-choices

Example

NGFW{running-ips}deployment-choices ?

Name Description:

------------------------------------------------------------

Default "Recommended for general deployment."


Aggressive "Offers a more aggressive security posture that may require tuning based upon specific application protocol usage."

Core "Recommended for deployment in the network core."

Edge "Recommended for deployment in a Server Farm/DMZ."

Perimeter "Recommended for deployment at an Internet entry point."

NGFW{running-ips}display-categoryrules

Display category rules for all profiles.

Syntax display-categoryrules

Example

NGFW{running-ips}display-categoryrules ?

category "Streaming Media" enabled actionset "Recommended"

category "Identity Theft" enabled actionset "Recommended"

category "Virus" enabled actionset "Recommended"

category "Spyware" enabled actionset "Recommended"

category "IM" enabled actionset "Recommended"

category "Network Equipment" enabled actionset "Recommended"

category "Traffic Normalization" enabled actionset "Recommended"

category "P2P" enabled actionset "Recommended"

category "Vulnerabilities" enabled actionset "Recommended"

category "Exploits" enabled actionset "Recommended"

category "Reconnaissance" enabled actionset "Recommended"

category "Security Policy" enabled actionset "Recommended"

NGFW{running-ips}gzip-decompression

Sets GZIP decompression mode.

Syntax gzip-decompression (enable|disable)

Example

NGFW{running-ips}gzip-decompression enable

NGFW{running-ips}profile

Allows you to create or enter an IPS profile.

Syntax profile PROFILENAME

Example

NGFW{running-ips}profile myprofile

NGFW{running-ips}quarantine-duration

Sets quarantine duration.

Syntax quarantine-duration DURATION

DURATION value between 1 to 1440 minutes


Example

NGFW{running-ips}quarantine-duration 60

NGFW{running-ips}rename

Renames a profile.

Syntax rename profile PROFILENAME NEWPROFILENAME

Example

NGFW{running-ips}rename profile myprofile yourprofile

running-ips-X Context Commands

Immediate Commit Feature. Changes take effect immediately.

NGFW{running-ips}profile 1

NGFW{running-ips-1}categoryrule

Enters categoryrule context.

Syntax categoryrule

Example

NGFW{running-ips-1}categoryrule

NGFW{running-ips-1-categoryrule}

NGFW{running-ips-1-categoryrule} ?

Valid entries at this position are:

category Custom category keyword

display Display category rules for profile

help Display help information

NGFW{running-ips-1-categoryrule}display

categoryrule

category "Network Equipment" enabled actionset "Recommended"

category "IM" enabled actionset "Recommended"

category "Spyware" enabled actionset "Recommended"

category "Virus" enabled actionset "Recommended"

category "Identity Theft" enabled actionset "Recommended"

category "Streaming Media" enabled actionset "Recommended"

category "Security Policy" enabled actionset "Recommended"

category "Reconnaissance" enabled actionset "Recommended"

category "Exploits" enabled actionset "Recommended"

category "Vulnerabilities" enabled actionset "Recommended"

category "P2P" enabled actionset "Recommended"

category "Traffic Normalization" enabled actionset "Recommended"

exit

NGFW{running-ips-1}delete

Delete file or configuration item.

Syntax delete filter FILTERNUMBER

FILTERNUMBER Existing filter number


Example

NGFW{running-ips-1}delete filter 9

NGFW{running-ips-1}deployment

Change deployment.

Syntax deployment (Aggressive|Core|Default|Edge|Perimeter)

Example

NGFW{running-ips-1}deployment Default

NGFW{running-ips-1}description

Edit description for a profile.

Syntax description DESCRIPTION

Example

NGFW{running-ips-1}description "my description"

NGFW{running-ips-1}filter

Creates or enters a filter context.

Syntax filter FILTERNUMBER

Example

NGFW{running-ips-1}filter 200

running-ipsec Context Commands

NGFW{running}vpn ipsec

NGFW{running-ipsec}delete

Delete file or configuration item.

Syntax delete log vpn CONTACT-NAME

delete phase1 proposal (all|NAME)

delete phase2 proposal (all|NAME)

delete policy (all|NAME)

delete pre-shared-keys (all|A.B.C.D|X:X::X:X|HOSTNAME) [vrf-id (ID|any)]

delete retransmit-timeout

delete retransmit-tries

delete trust (all|CANAME)

delete user

delete vpn (all|NAME)

Valid entries:

log Delete a Notification Contact from a log service

phase1 Delete Phase1 proposal

phase2 Delete Phase2 proposal

policy Delete IPsec policy

pre-shared-keys Delete pre-shared keys

retransmit-timeout Delete Dead Peer Detection retransmit-timeout

retransmit-tries Delete Dead Peer Detection retransmit-tries

trust Delete certification authority trust

user Delete user context

vpn Delete IPsec Virtual Private Networks

Example

NGFW{running-ipsec}delete phase1 proposal all

NGFW{running-ipsec}ipsec

Enables or disables IPsec.

Syntax ipsec (enable|disable)

Example

NGFW{running-ipsec}ipsec enable

NGFW{running-ipsec}log

Add log to a log session.

Syntax log vpn CONTACT-NAME [SEVERITY]

Valid entries:

vpn Configure log for VPN (IPsec) services

CONTACT-NAME Notification Contact name

Example

NGFW{running-ipsec}log vpn fred warning

NGFW{running-ipsec}manual

Enters manual Security Association context.

Syntax manual

Example

NGFW{running-ipsec}manual

NGFW{running-manual-sa}


NGFW{running-ipsec}phase1

Enters phase1 proposal context.

Syntax phase1 VERSION proposal NAME

Valid entries:

VERSION 1 (IKE Version 1) or 2 (IKE Version 2)

proposal Phase1 proposal

NAME Phase1 proposal name: alphanumeric, underscore, dash, excluding 'all'


Example

NGFW{running-ipsec}phase1 1 proposal propname

NGFW{running-phase1-proposal-propname}help

NGFW{running-phase1-proposal-propname}?

NGFW{running-ipsec}phase2

Enters phase2 proposal context.

Syntax phase2 VERSION proposal NAME

Valid entries:

VERSION 1 (IKE Version 1) or 2 (IKE Version 2)

proposal Phase2 proposal

NAME Phase2 proposal name: alphanumeric, underscore, dash, excluding 'all'

Example

NGFW{running-ipsec}phase2 1 proposal propname

NGFW{running-phase2-proposal-propname}

NGFW{running-ipsec}policy

Enters IPSec Policy sub-context.

Syntax policy NAME [PRIORITY]

Valid entries:

NAME IPsec Policy Name : alphanumeric, underscore, and dash excluding 'all'

PRIORITY Priority for NEW policy (1-5989)

Example

NGFW{running-ipsec}policy mypolicy 1

NGFW{running-ipsec-policy-mypolicy}

NGFW{running-ipsec}pre-shared-key

Configures pre-shared key (start with 0x for hexadecimal key).

Syntax pre-shared-key local (A.B.C.D|X:X::X:X|LFQDN) remote (A.B.C.D|X:X::X:X|RFQDN|any)

Valid entries:

local Configure local host

A.B.C.D Local peer IPv4 address

X:X::X:X Local peer IPv6 address

LFQDN Hostname or user FQDN

remote Configure remote host

A.B.C.D Remote peer IPv4 address

X:X::X:X Remote peer IPv6 address

RFQDN Hostname or user FQDN

any Any remote IP address

Example

NGFW{running-ipsec}pre-shared-key local 100:0:0:0:0:0:0:1 remote 2001:db8:0:0:0:0:0:1

Enter pre-shared key:**************

NGFW{running-ipsec}retransmit-timeout

Configures IKEv2 Dead Peer Detection retransmission timeout in seconds.

Syntax retransmit-timeout TIMEOUT

TIMEOUT Configure IKEv2 Dead Peer Detection retransmission timeout in seconds

Example

NGFW{running-ipsec}retransmit-timeout 60

NGFW{running-ipsec}retransmit-tries

Configures IKEv2 Dead Peer Detection maximum retransmission tries.

Syntax retransmit-tries COUNT

COUNT Configure IKEv2 Dead Peer Detection maximum retransmission tries

Example

NGFW{running-ipsec}retransmit-tries 4

NGFW{running-ipsec}trust

Configures certification authority trust.

Syntax trust CANAME

CANAME Certification authority name

Example

NGFW{running-ipsec}trust mycertname

NGFW{running-ipsec}user

Enter vpn user context.

Syntax user

Example

NGFW{running-ipsec}user

NGFW{running-ipsec-user}help


NGFW{running-ipsec}vpn

Enter VPN context.

Syntax vpn NAME

Example

NGFW{running-ipsec}vpn myvpn

NGFW{running-ipsec-vpn-myvpn}help


NGFW{running-ipsec-vpn-myvpn}?

running-ipsec-policy-X Context Commands and their Usage

NGFW{running}vpn ipsec

NGFW{running-ipsec}policy myipsecpolicy

NGFW{running-ipsec-policy-myipsecpolicy}mode

Configure encapsulation mode.

Syntax mode MODE

Example

NGFW{running-ipsec-policy-myipsecpolicy}mode tunnel

NGFW{running-ipsec-policy-myipsecpolicy}policy

Enable or Disable IPsec Policy.

Syntax policy enable|disable

Example

NGFW{running-ipsec-policy-myipsecpolicy}policy enable

NGFW{running-ipsec-policy-myipsecpolicy}rule

Configure IPsec traffic selector.

Syntax rule SOURCE_ADDR REMOTE_ADDR PROTOCOL

Example

NGFW{running-ipsec-policy-myipsecpolicy}rule 172.16.1.1 172.16.2.2 any

NGFW{running-ipsec-policy-myipsecpolicy}vpn-name

Configure the VPN to use for this policy.

Syntax vpn-name VPNNAME

Example

NGFW{running-ipsec-policy-myipsecpolicy}vpn-name mytunnel


running-ipsec-vpn-X Context Commands and their Usage

NGFW{running}vpn ipsec

NGFW{running-ipsec}vpn myvpn

NGFW{running-ipsec-vpn-myvpn}certificate

Configure certificate name.

Syntax certificate CERTNAME

Example

NGFW{running-ipsec-vpn-myvpn}delete

Delete file or configuration item.

Syntax

delete certificate

delete exchange-mode

delete identity

delete ip-pool

delete peers

delete proposal

delete user-group

Example

NGFW{running-ipsec-vpn-myvpn}dpddelay

Configure Dead Peer Detection delay in seconds.

Syntax dpddelay ((1-99999999999999999)|disable)

Example

NGFW{running-ipsec-vpn-myvpn}dpddelay 10

NGFW{running-ipsec-vpn-myvpn}dpddelay disable

NGFW{running-ipsec-vpn-myvpn}dpdtimeout

Configure IKEv1 Dead Peer Detection timeout interval in seconds.

Syntax dpdtimeout (1-99999999999999999)

Example

NGFW{running-ipsec-vpn-myvpn}dpdtimeout 90

NGFW{running-ipsec-vpn-myvpn}exchange-mode

Configure the Phase1 (IKEv1) exchange mode. Main mode protects the peers' identities and, with pre-shared keys, does not hand an offline-crackable hash to anyone who can observe or solicit the exchange; use aggressive mode only where the remote peer requires it.


Syntax exchange-mode (main|aggressive)

Example

NGFW{running-ipsec-vpn-myvpn}exchange-mode aggressive

NGFW{running-ipsec-vpn-myvpn}identity

Configure local and remote IKE Identities.

Syntax identity local ((ip-address (A.B.C.D|X:X::X:X|anyLADDR))|(fqdn (HOSTNAME|anyLHOSTNAME))|(user-fqdn (EMAILADDRESS|anyLEMAIL))|(asn1dn (asn1dn|anyLASNDNAME)))

[remote ((ip-address (A.B.C.D|X:X::X:X|anyRADDR))|(fqdn (HOSTNAME|anyRHOSTNAME))|(user-fqdn (EMAILADDRESS|anyREMAIL))|(asn1dn (asn1dn|anyRASNDNAME)))]

Example

NGFW{running-ipsec-vpn-myvpn}identity local nearside.example.com remote farside.example.com

NGFW{running-ipsec-vpn-myvpn}ip-compression

Enable or disable IP Compression.

Syntax ip-compression (enable|disable)

Example

NGFW{running-ipsec-vpn-myvpn}ip-compression enable

NGFW{running-ipsec-vpn-myvpn}ip-pool

Configure IP Pool for remote VPN clients.

Syntax ip-pool (A.B.C.D/M|X:X::X:X/M)

Example

NGFW{running-ipsec-vpn-myvpn}ip-pool 192.168.1.0/24

NGFW{running-ipsec-vpn-myvpn}key

Configure Key exchange type.

Syntax key (ike|manual)

Example

NGFW{running-ipsec-vpn-myvpn}key ike

NGFW{running-ipsec-vpn-myvpn}nat-traversal

Enable or disable NAT Traversal mode.

Syntax nat-traversal (enable|disable)


Example

NGFW{running-ipsec-vpn-myvpn}nat-traversal enable

NGFW{running-ipsec-vpn-myvpn}peer

Configure local and remote VPN Peers.

Syntax peer local (A.B.C.D|X:X::X:X) remote (A.B.C.D|X:X::X:X)

Example

NGFW{running-ipsec-vpn-myvpn}peer local 192.168.1.1 remote 192.168.2.2

NGFW{running-ipsec-vpn-myvpn}proposal

Configure Phase1 and Phase2 IKE proposals.

Syntax proposal PHASE1 PHASE2

Example

NGFW{running-ipsec-vpn-myvpn}proposal myphase1 myphase2

NGFW{running-ipsec-vpn-myvpn}rekey

Enable or disable rekey.

Syntax rekey (enable|disable)

Example

NGFW{running-ipsec-vpn-myvpn}rekey enable

NGFW{running-ipsec-vpn-myvpn}type

Configure VPN type.

Syntax type (site-to-site|client-to-site)

Example

NGFW{running-ipsec-vpn-myvpn}type site-to-site

NGFW{running-ipsec-vpn-myvpn}user-group

Configure VPN user group.

Syntax user-group GROUP

Example

NGFW{running-ipsec-vpn-myvpn}user-group myvpngroup
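The running-ipsec, running-ipsec-vpn-X and running-ipsec-policy-X entries above fit together into one site-to-site tunnel. The sequence below is an added example, not from the manual. The peer addresses, the proposal, VPN and policy names and the notification contact fred are assumed; the algorithm settings inside each proposal context are not documented in this chapter, so the example enters and leaves those contexts with exit (as the categoryrule example above does) and assumes the proposals are completed there. Lines beginning with # are annotations, not commands. Points of security interest: the pre-shared key is bound to one local/remote pair rather than remote any, because a key accepted from any peer cannot tell you who is on the other end; main mode is chosen over aggressive; rekeying and dead peer detection are on. Where the remote peer supports IKEv2, prefer phase1 2 and phase2 2 proposals, in which case the IKEv1-only exchange-mode, dpddelay and dpdtimeout do not apply and the running-ipsec retransmit-timeout and retransmit-tries govern dead peer detection instead.

```text
NGFW{running}vpn ipsec
NGFW{running-ipsec}ipsec enable
# IKEv1 proposals; algorithms are set inside each proposal context (not shown here)
NGFW{running-ipsec}phase1 1 proposal myphase1
NGFW{running-phase1-proposal-myphase1}exit
NGFW{running-ipsec}phase2 1 proposal myphase2
NGFW{running-phase2-proposal-myphase2}exit
# key bound to this exact peer pair, never to "remote any"
NGFW{running-ipsec}pre-shared-key local 192.168.1.1 remote 192.168.2.2
Enter pre-shared key:**************
# IKEv2 dead peer detection knobs, harmless to set even for an IKEv1 tunnel
NGFW{running-ipsec}retransmit-timeout 60
NGFW{running-ipsec}retransmit-tries 4
# the tunnel definition
NGFW{running-ipsec}vpn myvpn
NGFW{running-ipsec-vpn-myvpn}type site-to-site
NGFW{running-ipsec-vpn-myvpn}key ike
NGFW{running-ipsec-vpn-myvpn}peer local 192.168.1.1 remote 192.168.2.2
NGFW{running-ipsec-vpn-myvpn}identity local ip-address 192.168.1.1 remote ip-address 192.168.2.2
NGFW{running-ipsec-vpn-myvpn}proposal myphase1 myphase2
# main mode: identities stay protected and no PSK-derived hash is exposed
NGFW{running-ipsec-vpn-myvpn}exchange-mode main
NGFW{running-ipsec-vpn-myvpn}dpddelay 10
NGFW{running-ipsec-vpn-myvpn}dpdtimeout 90
NGFW{running-ipsec-vpn-myvpn}nat-traversal enable
NGFW{running-ipsec-vpn-myvpn}rekey enable
NGFW{running-ipsec-vpn-myvpn}ip-compression disable
NGFW{running-ipsec-vpn-myvpn}exit
# the policy: traffic selector, tunnel mode, bound to the VPN, then enabled
NGFW{running-ipsec}policy mypolicy 1
NGFW{running-ipsec-policy-mypolicy}vpn-name myvpn
NGFW{running-ipsec-policy-mypolicy}mode tunnel
NGFW{running-ipsec-policy-mypolicy}rule 172.16.1.1 172.16.2.2 any
NGFW{running-ipsec-policy-mypolicy}policy enable
NGFW{running-ipsec-policy-mypolicy}exit
# send VPN events at warning and above to an existing notification contact
NGFW{running-ipsec}log vpn fred warning
```

The traffic selector follows the form of the manual's own rule example (host to host, any protocol); the far end needs the mirror image of the peer, identity, pre-shared-key and rule settings. Retire a key with delete pre-shared-keys 192.168.2.2 rather than leaving stale entries behind, since delete pre-shared-keys all also removes keys for every other peer.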


running-l2tp-serverX Context Commands

NGFW{running}l2tp-server0

NGFW{running-l2tp-server0}auth

Authenticated configuration.

Syntax auth (enable|disable)

auth shared-secret (A.B.C.D|any) secret-key

Example

NGFW{running-l2tp-server0}auth enable

NGFW{running-l2tp-server0}bind

Configures bind service of L2TP server.

Syntax bind (none|any|(A.B.C.D [port]))

Valid entries:

none Remove bind configuration

any Bind to any address

A.B.C.D IPv4 address to bind

port Port (1024-65535)

Example

NGFW{running-l2tp-server0}bind 198.152.100.0

NGFW{running-l2tp-server0}delete

Deletes file or configuration item.

Syntax delete auth shared-secret (A.B.C.D|all)

Valid entries:

auth Delete authentication configuration

shared-secret Shared secret for an IPv4 address

A.B.C.D IPv4 address

all All settings

Example

NGFW{running-l2tp-server0}delete auth shared-secret all

NGFW{running-l2tp-server0}hiding

Enables or disables L2TP AVP hiding (obscuring of attribute-value pairs in control messages using the tunnel shared secret).

Syntax hiding (enable|disable)

Example

NGFW{running-l2tp-server0}hiding enable


NGFW{running-l2tp-server0}sequencing

Enables or disables sequence numbers on L2TP data messages.

Syntax sequencing (enable|disable)

Example

NGFW{running-l2tp-server0}sequencing enable

running-l2tpX Context Commands

NGFW{running}interface l2tp0

NGFW{running-l2tp0}auth

Authenticated configuration.

Syntax auth l2tp (enable|disable)

auth l2tp shared-secret SECRET

auth ppp reply ALGORITHM

auth ppp user-id NAME PASSWORD

Valid entries:

l2tp Configure L2TP authentication options

ppp Configure PPP authentication options

Valid entries for ALGORITHM:

pap PAP authentication

chap CHAP authentication

chap-md5 CHAP-MD5 authentication

ms-chapv2 MS-CHAPv2 authentication

ms-chap MS-CHAP authentication

Example

NGFW{running-l2tp0}auth l2tp enable

NGFW{running-l2tp0}auth l2tp shared-secret secret

NGFW{running-l2tp0}auth ppp reply chap-md5

NGFW{running-l2tp0}auth ppp user-id myuser mypassword
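The L2TP server and tunnel-interface authentication entries combine into the sequence below, added as an example and not taken from the manual. The addresses, shared secret and user credentials are assumed placeholder values; lines beginning with # are annotations, not commands; and the delete auth ppp reply all step assumes it succeeds on an empty reply list. The choices worth noticing: tunnel authentication and AVP hiding are on at both ends; the PPP reply list is cleared and only ms-chapv2 is re-added, because pap sends the password in clear and the other listed methods are older challenge-response schemes. MS-CHAPv2 itself is no stronger than a single DES key against an attacker who captures the exchange, and L2TP encrypts nothing, so a tunnel carrying anything sensitive belongs inside an IPsec policy (L2TP/IPsec) configured in the running-ipsec context above. Secrets typed on the command line also end up in the running configuration and command history.

```text
# L2TP server side: require tunnel authentication, hide AVPs, enable sequencing
NGFW{running}l2tp-server0
NGFW{running-l2tp-server0}auth enable
# secret bound to one peer address rather than any (assumed peer and secret)
NGFW{running-l2tp-server0}auth shared-secret 192.168.200.1 mysecret
NGFW{running-l2tp-server0}hiding enable
NGFW{running-l2tp-server0}sequencing enable
# listen only on the intended local address (assumed)
NGFW{running-l2tp-server0}bind 192.168.2.1

# L2TP tunnel interface: local and remote tunnel addresses, then authentication
NGFW{running}interface l2tp0
NGFW{running-l2tp0}description "l2tp interface 0"
NGFW{running-l2tp0}bind 192.168.2.1 192.168.200.1
NGFW{running-l2tp0}auth l2tp enable
NGFW{running-l2tp0}auth l2tp shared-secret mysecret
# start from an empty reply list so that pap/chap can never be negotiated
NGFW{running-l2tp0}delete auth ppp reply all
NGFW{running-l2tp0}auth ppp reply ms-chapv2
# PPP user credential (assumed placeholder values)
NGFW{running-l2tp0}auth ppp user-id myuser mypassword
# detect dead peers and log authentication events only
NGFW{running-l2tp0}keep-alive ppp default retry 3
NGFW{running-l2tp0}log-option ppp auth
```

Keep log-option ppp at auth (or the other event classes you need) rather than all on a production tunnel: frame and l2tp3 dump packet contents, including whatever PPP carries before IPsec has a chance to protect it.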

NGFW{running-l2tp0}autoconfv6

Enable or disable IPv6 autoconfiguration on interface.

Syntax autoconfv6 (enable|disable)

Example

NGFW{running-l2tp0}autoconfv6 enable

NGFW{running-l2tp0}autoconfv6 disable

NGFW{running-l2tp0}bind

Configure binding addresses of the L2TP tunnel.

Syntax bind (none|(A.B.C.D A.B.C.D))


Example

NGFW{running-l2tp0}bind 192.168.2.1 192.168.200.1

NGFW{running-l2tp0}bind none

NGFW{running-l2tp0}delete

Delete file or configuration item.

Syntax delete auth l2tp shared-secret

delete auth ppp reply (all|AUTH-ALGO)

delete auth ppp user-id

delete ip igmp

delete ip igmp version

delete ipv6 mld

delete ipv6 mld version

delete log-option ppp all

delete log-option ppp DEL-PPP-LOG-OPTION {1,10}

delete prefix (all|X:X::X:X/M)

delete shutdown

Example

NGFW{running-l2tp0}delete auth l2tp shared-secret

NGFW{running-l2tp0}delete auth ppp reply chap-md5

NGFW{running-l2tp0}delete auth ppp user-id


NGFW{running-l2tp0}delete ip igmp version

NGFW{running-l2tp0}delete ip igmp

NGFW{running-l2tp0}delete ipv6 mld

NGFW{running-l2tp0}delete log-option ppp all

NGFW{running-l2tp0}delete prefix 100::/64

NGFW{running-l2tp0}delete shutdown

NGFW{running-l2tp0}description

Enter description for the interface.

Syntax description TEXT

Example

NGFW{running-l2tp0}description "l2tp interface 0"

NGFW{running-l2tp0}dns-request

Configure IP DNS server address request.

Syntax dns-request (enable|disable)

Example

NGFW{running-l2tp0}dns-request enable

NGFW{running-l2tp0}dns-request disable


NGFW{running-l2tp0}ip

Configure IP settings.

Syntax ip igmp ip igmp version (1|2|3)

Example

NGFW{running-l2tp0}ip igmp

NGFW{running-l2tp0}ip igmp version 3

NGFW{running-l2tp0}ipcp

Enable or disable IPCP for IPv4.

Syntax ipcp (enable|disable)

Example

NGFW{running-l2tp0}ipcp enable

NGFW{running-l2tp0}ipcp disable

NGFW{running-l2tp0}ipv6

Configure IPv6 settings.

Syntax ipv6 mld ipv6 mld version (1|2)

Example

NGFW{running-l2tp0}ipv6 mld

NGFW{running-l2tp0}ipv6cp

Enable or disable IPV6CP for IPv6.

Syntax ipv6cp (enable|disable)

Example

NGFW{running-l2tp0}ipv6cp enable

NGFW{running-l2tp0}ipv6cp disable

NGFW{running-l2tp0}keep-alive

LCP keep alive period in seconds.

Syntax keep-alive ppp disable

keep-alive ppp (default|(0-600)) [retry (0-600)]

Example

NGFW{running-l2tp0}keep-alive ppp default retry 1

NGFW{running-l2tp0}keep-alive ppp disable


NGFW{running-l2tp0}log-option

Add service log option.

Syntax
log-option ppp all
log-option ppp PPP-LOG-OPTION

PPP-LOG-OPTION valid entries:
auth Link authentication events
ipcp IPCP events and negotiation
ipv6cp IPV6CP events and negotiation
l2tp L2TP high level events
l2tp2 L2TP more detailed events
l2tp3 L2TP packet dumps
pptp PPTP high level events
pptp2 PPTP more detailed events
pptp3 PPTP packet dumps
lcp LCP events and negotiation
phys Physical layer events
radius Radius authentication events
echo Keep-alive events
bund Bundle events
iface IP interface and route management events
link Link events
frame Dump all incoming and outgoing frames
fsm All state machine events (except echo and reset)

Example

NGFW{running-l2tp0}log-option ppp all

NGFW{running-l2tp0}mru

Configure interface MRU.

Syntax mru (default|(64-65535))

Example

NGFW{running-l2tp0}mru 1500

NGFW{running-l2tp0}mru default

NGFW{running-l2tp0}mtu

Configure interface MTU.

Syntax mtu (default|(68-9216))

Example

NGFW{running-l2tp0}mtu 1500

NGFW{running-l2tp0}prefix

Configure an IPv6 prefix advertised on the interface. The optional lifetimes are in seconds.


Syntax prefix X:X::X:X/M [valid-lifetime (1-4294967295)] [preferred-lifetime (1-4294967295)]

Example

NGFW{running-l2tp0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000 preferred-lifetime 604800

NGFW{running-l2tp0}ra-autoconf-level

Modify IPv6 Router Advertisement autoconfiguration level.

Syntax ra-autoconf-level AUTOCONF

Possible values for AUTOCONF are:
none No parameter is autoconfigured
address Address is autoconfigured
other Some other parameters are autoconfigured
full Most parameters are autoconfigured

Example

NGFW{running-l2tp0}ra-autoconf-level full

NGFW{running-l2tp0}ra-interval

Modify IPv6 Router Advertisement interval value in milliseconds.

Syntax ra-interval (90-1800000)

Example

NGFW{running-l2tp0}ra-interval 600

NGFW{running-l2tp0}ra-interval-transmit

Modify IPv6 Router Advertisement interval transmit.

Syntax ra-interval-transmit (enable|disable)

Example

NGFW{running-l2tp0}ra-interval-transmit enable

NGFW{running-l2tp0}ra-lifetime

Modify IPv6 Router Advertisement prefix lifetime in seconds.

Syntax ra-lifetime (0-9000000)

(0-9000000) Lifetime in seconds (0 if none)

Example

NGFW{running-l2tp0}ra-lifetime 1800


NGFW{running-l2tp0}ra-mtu

Modify IPv6 Router Advertisement MTU value.

Syntax ra-mtu (none|(68-9216))

none Not configured (0 if none)

Example

NGFW{running-l2tp0}ra-mtu 1500

NGFW{running-l2tp0}ra-transmit-mode

Modify IPv6 Router Advertisement transmit mode.

Syntax ra-transmit-mode MODE

Possible values for MODE are:
always Router Advert message is always sent
never Router Advert message is never sent
smart Router Advert message is sent if a prefix is defined

Example

NGFW{running-l2tp0}ra-transmit-mode smart

NGFW{running-l2tp0}sequencing

Enable the use of sequence numbers on data messages.

Syntax sequencing (enable|disable)

Valid entries:
disable Disable sequencing parameters
enable Enable sequencing parameters

Example

NGFW{running-l2tp0}sequencing enable

NGFW{running-l2tp0}shutdown

Shutdown logical interface state.

Syntax shutdown

Example

NGFW{running-l2tp0}shutdown

NGFW{running-l2tp0}tcp4mss

Configure interface TCP MSS for IPv4.

Syntax tcp4mss (disable|automatic|VALUE)

Valid entries:
disable Disable service
automatic Automatically select TCP MSS based on interface MTU
VALUE TCP MSS value for IPv4 (4-65535)

Example

NGFW{running-l2tp0}tcp4mss automatic

NGFW{running-l2tp0}tcp6mss

Configure interface TCP MSS for IPv6.

Syntax tcp6mss (disable|automatic|VALUE)

Valid entries:
disable Disable service
automatic Automatically select TCP MSS based on interface MTU
VALUE TCP MSS value for IPv6 (4-65535)

Example

NGFW{running-l2tp0}tcp6mss automatic

running-log Context Commands

NGFW{running}log

NGFW{running-log}delete

Delete file or configuration item.

Syntax
delete log audit CONTACT-NAME
delete log ipsec CONTACT-NAME
delete log quarantine CONTACT-NAME
delete log system CONTACT-NAME
delete log-option fib (events|kernel|memory|packet) [recv|send]
delete log-option ppp (all|DEL-PPP-LOG-OPTION){1,10}
delete log-option xmsd (all|LOG_OPTION)

Example

NGFW{running-log}delete log-option ?

Valid entries at this position are:

fib Delete fib log-option

ppp Delete PPP log options

xmsd Delete xmsd log-options

NGFW{running-log}delete log-option fib ?

Valid entries at this position are:

events Delete log-option fib events

kernel Delete log-option fib kernel

memory Delete log-option fib memory

packet Delete log-option fib packet (include recv and send)

NGFW{running-log}delete log-option fib events ?

Valid entries at this position are:

<Enter> Execute command

recv Delete log-option fib packet-recv

send Delete log-option fib packet-send


NGFW{running-log}delete log-option fib events recv

NGFW{running-log}delete log audit mycontactname ALL

NGFW{running-log}delete log vpn mycontactname error

NGFW{running-log}delete log quarantine mycontactname none

NGFW{running-log}delete log system mycontactname info

NGFW{running-log}log

Add log to a log session.

Syntax
log audit CONTACT-NAME [ALL|none]
log quarantine CONTACT-NAME [ALL|none]
log system CONTACT-NAME [SEVERITY]
log vpn CONTACT-NAME [SEVERITY]

Valid entries:
audit Configure log for audit services
quarantine Configure log for quarantine services
system Configure log for all services
vpn Configure log for VPN (IPSec) services
SEVERITY alert|critical|debug|emergency|error|info|notice|warning|none

Example

NGFW{running-log}log audit mycontactname ALL

NGFW{running-log}log vpn mycontactname error

NGFW{running-log}log quarantine mycontactname none

NGFW{running-log}log system mycontactname info

NGFW{running-log}log-option

Add service log option.

Syntax
log-option fib (events|kernel|memory|packet) [recv|send]
log-option ppp (all|PPP-LOG-OPTION)
log-option xmsd (all|LOG_OPTION)

Valid entries:
fib Configure FIB log options
ppp Configure PPP log options
xmsd Configure xmsd log options

Possible values for fib:
events Enable logging fib events
kernel Enable logging fib kernel
memory Enable logging fib memory
packet Enable logging fib packet (include recv and send)

Possible values for ppp PPP-LOG-OPTION:
all Enable all optional log items
auth Link authentication events
ipcp IPCP events and negotiation
ipv6cp IPV6CP events and negotiation
l2tp L2TP high level events
l2tp2 L2TP more detailed events
l2tp3 L2TP packet dumps
pptp PPTP high level events
pptp2 PPTP more detailed events
pptp3 PPTP packet dumps
lcp LCP events and negotiation
phys Physical layer events
radius Radius authentication events
echo Keep-alive events
bund Bundle events
iface IP interface and route management events
link Link events
frame Dump all incoming and outgoing frames
fsm All state machine events (except echo and reset)

Possible values for xmsd LOG_OPTION:
ethgrp Enable logging ethgrp
addressgroups Enable logging addressgroups
security-zones Enable logging security zones
bnet Enable logging bnet
bridge Enable logging bridgeport
captive-portal Enable logging captive portal
vlan Enable logging vlan
segments Enable logging segments
mgmt Enable logging mgmt
interface Enable logging interface
xms_configure Enable logging xms configure
xms_process Enable logging xms process
xms_stream Enable logging xms stream
aaa Enable logging aaa
accesspoint Enable logging accesspoint
bfd Enable logging bfd
cron Enable logging cron
dhcp4client Enable logging dhcp4 client
dhcp4sever Enable logging dhcp4 server
dhcp6client Enable logging dhcp6 client
dhcp6server Enable logging dhcp6 server
dhcprelay Enable logging dhcprelay
dns Enable logging dns
dyndns Enable logging dyndns
eapauth Enable logging eapauth
ethernet Enable logging ethernet
filter Enable logging filter
firewall Enable logging firewall
fmipv6 Enable logging fmipv6
fw_nat Enable logging firewall policy nat
gre Enable logging gre
ipsec Enable logging ipsec
l2tpserver Enable logging l2tpserver
linkmonitor Enable logging linkmonitor
log Enable logging log
loopback Enable logging loopback
lsn Enable logging nat lsn
dstm Enable logging dstm
mig6to4 Enable logging migration 6to4
migisatap Enable logging migration isatap
migXin4 Enable logging migration Xin4
migXin6 Enable logging migration Xin6
mobility Enable logging mobility
multicastreg Enable logging multicastreg
nat Enable logging nat
ntp Enable logging ntp
openvpn Enable logging openvpn
osi Enable logging osi
pdh Enable logging pdh
pim4sm Enable logging pim4sm
pim6sm Enable logging pim6sm
ports Enable logging ports
ppp Enable logging ppp
pppoeserver Enable logging pppoeserver
pppserver Enable logging pppserver
routing Enable logging routing
schedules Enable logging schedules
serialport Enable logging serialport
services Enable logging services
snmp Enable logging snmp
snoop Enable logging snoop
svti Enable logging svti
system Enable logging system
qos Enable logging qos
xmsupdate Enable logging xmsupdate
vrf Enable logging vrf
vrrp Enable logging vrrp
wifi Enable logging wifi
xipc Enable logging xipc requests

Example

NGFW{running-log}log-option fib packet send

NGFW{running-log}log-option xmsd firewall

NGFW{running-log}log-option ppp auth

NGFW{running-log}sub-system

Sets sub-system log level.

Syntax sub-system (COROSYNC|GATED|HTTPD|INIT|LOGIN|PACEMAKER|TOS|XMS|CRMADMIN) [SEVERITY]

Possible values for SEVERITY are:
emergency Panic condition messages (TOS critical)
alert Immediate problem condition messages
critical Critical condition messages
error Error messages
warning Warning messages
notice Special condition messages
info Informational messages
debug Debug messages
debug0 TOS Debug0 messages
debug1 TOS Debug1 messages
debug2 TOS Debug2 messages
debug3 TOS Debug3 messages
none Turn off messages

Example

NGFW{running-log}sub-system LOGIN alert


running-loopbackX Context Commands

NGFW{running}interface loopback0

NGFW{running-loopback0}delete

Delete file or configuration item.

Syntax
delete ip ospf area
delete ip ospf authentication mode md5 (1-255) KEY
delete ip ospf authentication mode text KEY
delete ip ospf cost (1-65535)
delete ip ospf dead-interval (1-65535)
delete ip ospf hello-interval (1-65535)
delete ip ospf priority (0-255)
delete ip ospf retransmit-interval (3-65535)
delete ip ospf transmit-delay (1-65535)
delete ip rip
delete ip rip authentication mode md5
delete ip rip authentication mode text
delete ip rip receive version (v1-only|v2-only|v1-or-v2)
delete ip rip send version (v1-only|v2-only|v1-or-v2)
delete ip rip split-horizon
delete ipaddress (all|A.B.C.D/M|X:X::X:X/M)
delete ipaddress dhcpv4
delete ipaddress dhcpv6
delete ipv6 ospfv3 area
delete ipv6 ospfv3 cost
delete ipv6 ospfv3 dead-interval
delete ipv6 ospfv3 hello-interval
delete ipv6 ospfv3 priority
delete ipv6 ospfv3 retransmit-interval
delete ipv6 ospfv3 transmit-delay
delete ipv6 ripng
delete ipv6 ripng split-horizon

Example

NGFW{running-loopback0}delete ip rip split-horizon poison-reverse

NGFW{running-loopback0}delete ip rip split-horizon

NGFW{running-loopback0}delete ipaddress 192.168.1.1/24

NGFW{running-loopback0}delete ipaddress 100:0:0:0:0:0:0:1/64


NGFW{running-loopback0}delete ip ospf authentication mode md5 1 secret

NGFW{running-loopback0}delete ip ospf authentication mode text secret

NGFW{running-loopback0}delete ip ospf cost 1

NGFW{running-loopback0}delete ip ospf dead-interval 1

NGFW{running-loopback0}delete ip ospf hello-interval 1

NGFW{running-loopback0}delete ip ospf priority 1

NGFW{running-loopback0}delete ip ospf retransmit-interval 3

NGFW{running-loopback0}delete ip ospf transmit-delay 1

NGFW{running-loopback0}delete ip rip authentication mode md5

NGFW{running-loopback0}delete ip rip authentication mode text

NGFW{running-loopback0}delete ip rip receive version v2-only

NGFW{running-loopback0}delete ip rip send version v2-only


NGFW{running-loopback0}delete ipv6 ospfv3 area

NGFW{running-loopback0}delete ipv6 ospfv3 cost


NGFW{running-loopback0}delete ipv6 ospfv3 dead-interval

NGFW{running-loopback0}delete ipv6 ospfv3 hello-interval

NGFW{running-loopback0}delete ipv6 ospfv3 priority

NGFW{running-loopback0}delete ipv6 ospfv3 retransmit-interval

NGFW{running-loopback0}delete ipv6 ospfv3 transmit-delay

NGFW{running-loopback0}delete ipv6 ripng split-horizon poison-reverse

NGFW{running-loopback0}delete ipv6 ripng split-horizon

NGFW{running-loopback0}description

Enter description for the interface.

Syntax description TEXT

Example

NGFW{running-loopback0}description "loopback interface 0"

NGFW{running-loopback0}ip

Configure IP settings.

Syntax
ip ospf area (A.B.C.D|(0-4294967295))
ip ospf authentication mode md5 (1-255) KEY
ip ospf authentication mode text KEY
ip ospf cost (1-65535)
ip ospf dead-interval (1-65535)
ip ospf hello-interval (1-65535) [A.B.C.D]
ip ospf priority (0-255)
ip ospf retransmit-interval (3-65535)
ip ospf transmit-delay (1-65535)
ip rip
ip rip authentication mode md5 (0-2147483647) KEY
ip rip authentication mode text
ip rip receive version (v1-only|v2-only|v1-or-v2)
ip rip send version (v1-only|v2-only|v1-or-v2)
ip rip split-horizon [poison-reverse]

With authentication mode text the key is carried in cleartext in every OSPF or RIP packet; use mode md5 on any interface that untrusted hosts can reach.

Example

NGFW{running-loopback0}ip ospf area 1

NGFW{running-loopback0}ip ospf authentication mode md5 1 mysecret

NGFW{running-loopback0}ip ospf authentication mode text mysecret

NGFW{running-loopback0}ip ospf cost 1

NGFW{running-loopback0}ip ospf dead-interval 1

NGFW{running-loopback0}ip ospf hello-interval 1

NGFW{running-loopback0}ip ospf priority 1

NGFW{running-loopback0}ip ospf retransmit-interval 3

NGFW{running-loopback0}ip ospf transmit-delay 1

NGFW{running-loopback0}ip rip authentication mode md5 1 mysecret

NGFW{running-loopback0}ip rip authentication mode text

Enter key: up to 16 characters:******

NGFW{running-loopback0}ip rip receive version v2-only

NGFW{running-loopback0}ip rip send version v2-only

NGFW{running-loopback0}ip rip split-horizon poison-reverse


NGFW{running-loopback0}ipaddress

Configure IP address.

Syntax
ipaddress (A.B.C.D/M|X:X::X:X/M) [primary]
ipaddress dhcpv4

Example

NGFW{running-loopback0}ipaddress 192.168.1.1/24

NGFW{running-loopback0}ipaddress 100:0:0:0:0:0:0:1/64 primary

NGFW{running-loopback0}ipv6

Configure IPv6 settings.

Syntax
ipv6 ospfv3 area (A.B.C.D|(0-4294967295))
ipv6 ospfv3 cost COST
ipv6 ospfv3 dead-interval VALUE
ipv6 ospfv3 hello-interval VALUE
ipv6 ospfv3 priority VALUE
ipv6 ospfv3 retransmit-interval VALUE
ipv6 ospfv3 transmit-delay VALUE
ipv6 ripng
ipv6 ripng split-horizon [poison-reverse]

Example

NGFW{running-loopback0}ipv6 ospfv3 area 1

NGFW{running-loopback0}ipv6 ospfv3 cost 1

NGFW{running-loopback0}ipv6 ospfv3 dead-interval 1

NGFW{running-loopback0}ipv6 ospfv3 hello-interval 1

NGFW{running-loopback0}ipv6 ospfv3 priority 1

NGFW{running-loopback0}ipv6 ospfv3 retransmit-interval 3

NGFW{running-loopback0}ipv6 ospfv3 transmit-delay 1

NGFW{running-loopback0}ipv6 ripng split-horizon poison-reverse

NGFW{running-loopback0}mtu

Configure interface MTU.

Syntax mtu (default|(68-9216))

Example

NGFW{running-loopback0}mtu 1500

running-manual-sa Context Commands

NGFW{running}vpn ipsec

NGFW{running-ipsec}manual

NGFW{running-manual-sa}delete

Delete file or configuration item.

Syntax
delete sa esp all
delete sa esp (A.B.C.D|X:X::X:X) SPI

Valid entries:
sa Configure Security Association
esp Delete ESP Security Associations
all Delete all ESP Security Associations
(A.B.C.D|X:X::X:X) Security Association remote address
SPI Security Parameter Index

Example

NGFW{running-manual-sa}delete sa esp 192.168.2.2 1

NGFW{running-manual-sa}sa

Configure Security Association.

Syntax
sa esp (A.B.C.D A.B.C.D) SPI MODE ((CRYPTALGO CRYPTKEY)|null) AUTHALGO AUTHKEY
sa esp (X:X::X:X X:X::X:X) SPI MODE ((CRYPTALGO CRYPTKEY)|null) AUTHALGO AUTHKEY

Expanded:
sa esp (A.B.C.D A.B.C.D) (1-4294967295) (tunnel|transport) ((3des-cbc CRYPTKEY)|(aes-cbc CRYPTKEY)|null) (hmac-md5 AUTHKEY|hmac-sha1 AUTHKEY)
sa esp (X:X::X:X X:X::X:X) (1-4294967295) (tunnel|transport) ((3des-cbc CRYPTKEY)|(aes-cbc CRYPTKEY)|null) (hmac-md5 AUTHKEY|hmac-sha1 AUTHKEY)

Valid entries:
esp ESP security association
A.B.C.D Security Association source IPv4 address
A.B.C.D Security Association destination IPv4 address
X:X::X:X Security Association source IPv6 address
X:X::X:X Security Association destination IPv6 address
SPI Security Parameter Index from 1 to 2^32-1 (e.g. 0x1 or 1 to 0xffffffff or 4294967295)
MODE IPsec processing mode

Possible values for MODE are:
tunnel Tunnel mode
transport Transport mode

CRYPTALGO IPsec encryption algorithm

Possible values for CRYPTALGO are:
3des-cbc Triple DES
aes-cbc AES

CRYPTKEY Encryption key, given as an ASCII string ("abcdefgh1234#=+...") or a hexadecimal value (0x123456789abcdef0)
192 bits (24 bytes) for 3des-cbc
128/192/256 bits (16/24/32 bytes) for aes-cbc
null ESP_NULL encryption (RFC2410)

AUTHALGO IPsec authentication algorithm

Possible values for AUTHALGO are:
hmac-md5 HMAC-MD5
hmac-sha1 HMAC-SHA1

AUTHKEY Authentication/integrity key, given as an ASCII string ("abcdefgh1234#=+...") or a hexadecimal value (0x123456789abcdef0)
128 bits (16 bytes) for hmac-md5
160 bits (20 bytes) for hmac-sha1

A manual SA uses the same keys until it is deleted; nothing rekeys it. null gives integrity but no confidentiality, and 3des-cbc and hmac-md5 are retained for interoperability with older peers. Where the peer supports IKE, prefer negotiated SAs (phase1 and phase2 proposals) with aes-cbc and hmac-sha1, and generate manual keys from a random source in the hexadecimal form rather than typing a memorable ASCII string.

Example

NGFW{running-manual-sa}sa esp 192.168.1.1 192.168.2.2 1 tunnel aes-cbc 0x4d7acaf0c08349ebbcbd86a2093eadf69786537755fc3ea23835c2d71450fdf5 hmac-sha1 0x6a4a71232e102e404979f8edef925a51b1ac098d
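The key lengths above are easy to get wrong when a key is typed as ASCII, and a short memorable string is the usual way a manual SA ends up weak. The following helper is an added example, not code from the HP guide or the appliance: it decodes a key token exactly as the guide describes (0x-prefixed hexadecimal, otherwise ASCII), checks that its length fits the chosen algorithm, generates fresh random keys of the right size in the hexadecimal form, and assembles a complete sa esp line. The algorithm names and byte lengths are the ones listed in this section; the addresses used in the stand-alone run are placeholders.

```python
"""Key-material helpers for the manual `sa esp` command.

Added example; this is not code from the HP guide. It follows the key formats
and lengths the guide states for the manual-sa context (ASCII or 0x-hex keys,
24 bytes for 3des-cbc, 16/24/32 for aes-cbc, 16 for hmac-md5, 20 for hmac-sha1)
and builds a complete `sa esp` line only when every key fits its algorithm.
"""
import os
import re
from typing import Dict, Optional, Set

# Acceptable key lengths in bytes, as listed in the command reference.
KEY_LENGTHS: Dict[str, Set[int]] = {
    "3des-cbc": {24},
    "aes-cbc": {16, 24, 32},
    "hmac-md5": {16},
    "hmac-sha1": {20},
}

_HEX_TOKEN = re.compile(r"^0x([0-9a-fA-F]+)$")


def parse_key_token(token: str) -> bytes:
    """Decode a CLI key token: 0x... is hexadecimal, anything else is ASCII."""
    match = _HEX_TOKEN.match(token)
    if match:
        digits = match.group(1)
        if len(digits) % 2:
            raise ValueError("hex key must contain an even number of digits")
        return bytes.fromhex(digits)
    return token.encode("ascii")


def check_key(algo: str, token: str) -> int:
    """Return the key length in bytes, or raise if it is wrong for `algo`."""
    if algo not in KEY_LENGTHS:
        raise ValueError(f"unknown algorithm {algo!r}")
    length = len(parse_key_token(token))
    if length not in KEY_LENGTHS[algo]:
        allowed = "/".join(str(n) for n in sorted(KEY_LENGTHS[algo]))
        raise ValueError(f"{algo} needs {allowed} bytes, got {length}")
    return length


def generate_key_token(algo: str, length: Optional[int] = None) -> str:
    """Return a fresh random key in 0x-hex form; defaults to the longest size."""
    allowed = sorted(KEY_LENGTHS[algo])
    size = allowed[-1] if length is None else length
    if size not in allowed:
        raise ValueError(f"{algo} does not take a {size}-byte key")
    return "0x" + os.urandom(size).hex()


def build_sa_command(src: str, dst: str, spi: int, mode: str,
                     crypt_algo: str, crypt_key: Optional[str],
                     auth_algo: str, auth_key: str) -> str:
    """Assemble the `sa esp` command after validating SPI, mode and key sizes."""
    if not 1 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must be between 1 and 4294967295")
    if mode not in ("tunnel", "transport"):
        raise ValueError("mode must be tunnel or transport")
    if crypt_algo == "null":
        crypt_part = "null"  # ESP_NULL: integrity only, no confidentiality
    else:
        if crypt_key is None:
            raise ValueError(f"{crypt_algo} requires a key")
        check_key(crypt_algo, crypt_key)
        crypt_part = f"{crypt_algo} {crypt_key}"
    check_key(auth_algo, auth_key)
    return f"sa esp {src} {dst} {spi} {mode} {crypt_part} {auth_algo} {auth_key}"


if __name__ == "__main__":
    # Generate a new AES-256 / HMAC-SHA1 key pair for a tunnel-mode SA
    # (placeholder addresses) and print the command to paste into the CLI.
    print(build_sa_command("192.168.1.1", "192.168.2.2", 1, "tunnel",
                           "aes-cbc", generate_key_token("aes-cbc"),
                           "hmac-sha1", generate_key_token("hmac-sha1")))
```

Run it once per SA and configure the same output on both peers; the example in the guide (a 64-digit hexadecimal AES key and a 40-digit HMAC-SHA1 key) passes check_key with 32 and 20 bytes respectively.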


running-mgmt Context Commands

NGFW{running}interface mgmt

NGFW{running-mgmt}delete

Delete file or configuration item.

Syntax
delete host (location|contact)
delete ip-filter ACTION SERVICE4 [ip ADDRESS4]
delete ip-filter ACTION SERVICE6 [ip ADDRESS6]
delete ip-filter ACTION ip (ADDRESS4|ADDRESS6)
delete ipaddress (all|A.B.C.D/M|X:X::X:X/M)
delete route A.B.C.D/M [A.B.C.D]
delete route X:X::X:X/M [X:X::X:X]
delete route all

Example

NGFW{running-mgmt}delete host contact

NGFW{running-mgmt}delete host location

NGFW{running-mgmt}delete ip-filter deny https ip 2001:2::1/128

NGFW{running-mgmt}delete ip-filter deny ip 192.168.1.1/32

NGFW{running-mgmt}delete route 192.168.0.0/24 192.168.0.2

NGFW{running-mgmt}delete route 2001:2::/48 100::2

NGFW{running-mgmt}delete route all

NGFW{running-mgmt}description

Enter description for the management interface.

Syntax description TEXT

Example

NGFW{running-mgmt}description "management interface"

NGFW{running-mgmt}host

Configure the firewall host settings.

Syntax host (name|location|contact) VALUE

Example

NGFW{running-mgmt}host contact "mycontact"

NGFW{running-mgmt}host location "mylocation"

NGFW{running-mgmt}host name "myfirewallname"

NGFW{running-mgmt}ip-filter

Create management IP filter rules.

Syntax
ip-filter (allow|deny) default
ip-filter (allow|deny) (https|icmp|snmp|ssh|ip) [ip (A.B.C.D/M|X:X::X:X/M|A.B.C.D|X:X::X:X)]
ip-filter (allow|deny) ip (A.B.C.D/M|X:X::X:X/M|A.B.C.D|X:X::X:X)

Valid entries:
allow Allow IPv4/IPv6 rule
deny Deny IPv4/IPv6 rule
default Default rule, applied to traffic that matches no other rule

Possible values for service are:
https allow/deny HTTPS. This will affect SMS, which uses HTTPS
ssh allow/deny SSH
icmp allow/deny ICMP/ICMPv6
snmp allow/deny SNMP
ip IP address

A.B.C.D/M IPv4 address with netmask
X:X::X:X/M IPv6 address with prefix length
A.B.C.D IPv4 address
X:X::X:X IPv6 address

The usual hardening is ip-filter deny default together with explicit allow rules for the management networks (and for the SMS address, since SMS uses HTTPS); an allow default leaves every management service reachable from any source that is not explicitly denied.

Example

NGFW{running-mgmt}ip-filter allow default

NGFW{running-mgmt}ip-filter allow https ip 192.168.1.0/24

NGFW{running-mgmt}ip-filter deny ip 192.168.1.1

NGFW{running-mgmt}ip-filter deny https ip 2001:2:0:0:0:0:0:1

NGFW{running-mgmt}ipaddress

Configure IP address.

Syntax ipaddress (A.B.C.D/M|X:X::X:X/M)

Example

NGFW{running-mgmt}ipaddress 192.168.1.1/24

NGFW{running-mgmt}ipaddress 100:0:0:0:0:0:0:1/64

NGFW{running-mgmt}physical-media

Configure physical-media settings.

Syntax physical-media (auto-neg|SPEED-MODE)

Valid entries:
auto-neg Enable auto-negotiation (default is on)
SPEED-MODE Set the port speed

Possible values for SPEED-MODE are:
10half Supported port speed and mode
10full Supported port speed and mode
100half Supported port speed and mode
100full Supported port speed and mode
1000full Supported port speed and mode

Example

NGFW{running-mgmt}physical-media auto-neg

NGFW{running-mgmt}physical-media 1000full


NGFW{running-mgmt}route

Add IPv4/IPv6 static route.

Syntax
route A.B.C.D/M A.B.C.D [DISTANCE]
route X:X::X:X/M X:X::X:X [DISTANCE]

A.B.C.D/M Unicast IPv4 prefix address

X:X::X:X/M Unicast IPv6 prefix address

Example

NGFW{running-mgmt}route 192.168.0.0/24 192.168.0.2 1

NGFW{running-mgmt}route 2001:2:0:0:0:0:0:0/48 100:0:0:0:0:0:0:2

running-multicast-registration Context Commands

NGFW{running}multicast-registration

NGFW{running-multicast-registration}igmp-version

Configure system IGMP version.

Syntax
igmp-version default
igmp-version mode (force|default) (igmpv1|igmpv2|igmpv3)

Valid entries:
default Restore default IGMP version (igmpv3)
mode Define IGMP version mode (force or default)
IGMPvX Define IGMP version

Example

NGFW{running-multicast-registration}igmp-version mode default igmpv3

NGFW{running-multicast-registration}mld-version

Configure system MLD version.

Syntax
mld-version default
mld-version mode (force|default) (mldv1|mldv2)

Valid entries:
default Restore default MLD version (mldv2)
mode Define MLD version mode
MODE Define MLD mode (force or default)
MLDvX Define MLD version

Example

NGFW{running-multicast-registration}mld-version mode default mldv2

running-notifycontacts (email) Context Commands

Immediate Commit Feature. Changes take effect immediately.

NGFW{running}notifycontacts

NGFW{running-notifycontacts}contact

Create or edit a notify contact.


Syntax
contact CONTACTNAME
contact NEWNAME email
contact NEWNAME snmp COMMUNITY IP [PORT]

Example

NGFW{running-notifycontacts}contact mycontact1 email

NGFW{running-notifycontacts}contact mycontact1 snmp mysecret 192.168.1.1

NGFW{running-notifycontacts}delete

Delete a contact.

Syntax delete contact XCONTACTNAME

Example

NGFW{running-notifycontacts}delete contact mycontact1

WARNING: Are you sure you want to delete this contact (y/n)? [n]: y

NGFW{running-notifycontacts}email-from-address

From email address.

Syntax email-from-address EMAIL

Example

NGFW{running-notifycontacts}email-from-address [email protected]

NGFW{running-notifycontacts}email-from-domain

From domain name.

Syntax email-from-domain DOMAIN

Example

NGFW{running-notifycontacts}email-from-domain example.com

NGFW{running-notifycontacts}email-server

Set mail server IP.

Syntax email-server IP

Example

NGFW{running-notifycontacts}email-server 192.168.1.1

NGFW{running-notifycontacts}email-threshold

Set email threshold in minutes.


Syntax email-threshold THRESHOLD

Example

NGFW{running-notifycontacts}email-threshold 1

NGFW{running-notifycontacts}email-to-default-address

Default to email address.

Syntax email-to-default-address EMAIL

Example

NGFW{running-notifycontacts}email-to-default-address [email protected]

NGFW{running-notifycontacts}rename

Rename contact with new name.

Syntax rename contact XCONTACTNAME NEWNAME

Example

NGFW{running-notifycontacts}rename contact mycontact1 mycontact2

running-notifycontacts-X (SNMP) Context Commands

Immediate Commit Feature. Changes take effect immediately.

NGFW{running-notifycontacts}contact mycontact1

NGFW{running-notifycontacts-mycontact1}community

Sets the SNMPv2 community name. The community string is sent in cleartext with every trap, so treat it as a shared secret and do not reuse a well-known value such as public.

Syntax community COMMUNITY

COMMUNITY SNMPv2 community name (1-32 characters)

Example

NGFW{running-notifycontacts-mycontact1}community mysecret

NGFW{running-notifycontacts-mycontact1}host

Sets SNMP host IP.

Syntax host IP

Example

NGFW{running-notifycontacts-mycontact1}host 192.168.1.1

NGFW{running-notifycontacts-mycontact1}period

Set contact aggregation period in minutes.


Syntax period PERIOD

Example

NGFW{running-notifycontacts-mycontact1}period 1

NGFW{running-notifycontacts-mycontact1}port

Set SNMP host port.

Syntax port PORT

Example

NGFW{running-notifycontacts-mycontact1}port 162

running-ntp Context Commands

NGFW{running}ntp

NGFW{running-ntp}delete

Delete file or configuration item.

Syntax
delete key (all|ID)
delete server (all|HOST)

Valid entries:
key Delete key from configuration
all Delete all keys
ID Key identifier
server Delete remote NTP server
all Delete all servers
HOST Remote server address or name

Example

NGFW{running-ntp}delete key 1

NGFW{running-ntp}delete key all

NGFW{running-ntp}delete server all

NGFW{running-ntp}delete server 192.168.1.1

NGFW{running-ntp}key

Configure NTP authentication key.

Syntax key (1-65535) VALUE

Valid entries:

(1-65535) Key ID, required for authentication

VALUE Key value (1-32 characters)

Example

NGFW{running-ntp}key 1 myauthkey


NGFW{running-ntp}ntp

Enable or disable NTP service.

Syntax ntp (enable|disable)

Example

NGFW{running-ntp}ntp enable

NGFW{running-ntp}polling-interval

Configure NTP server minimum polling interval.

Syntax polling-interval SECONDS

SECONDS Interval in seconds

Possible values for SECONDS are:
2 2 seconds
4 4 seconds
8 8 seconds
16 16 seconds
32 32 seconds
64 64 seconds

Example

NGFW{running-ntp}polling-interval 16

NGFW{running-ntp}server

Configure remote NTP server.

Syntax server (dhcp|A.B.C.D|X:X::X:X|FQDN) [key ID] [prefer]

dhcp Get server address from dhcp
(A.B.C.D|X:X::X:X|FQDN) NTP remote server address or name
key Key to be used; without it the server's time is accepted unauthenticated
ID Key identifier (see key)
prefer Mark server as preferred

Example

NGFW{running-ntp}server 192.168.1.1 key 1 prefer

running-phase1-proposal-X Context Commands and their Usage

NGFW{running}vpn ipsec

NGFW{running-ipsec}phase1 2 proposal myphase1


NGFW{running-phase1-proposal-myphase1}auth

ISAKMP authentication mechanism.

Syntax auth local (pre-shared-key|rsasig) remote (eap-mschapv2|pre-shared-key|rsasig|eap-radius) [xauth (local|radius)]

Example

NGFW{running-phase1-proposal-myphase1}auth local pre-shared-key remote pre-shared-key

NGFW{running-phase1-proposal-myphase1}dh-group

ISAKMP Diffie-Hellman group. Groups 1 and 2 are 768- and 1024-bit MODP and are too small for new deployments; use group 14 (2048-bit) where the peer supports it.

Syntax dh-group (1|2|5|14)

Example

NGFW{running-phase1-proposal-myphase1}dh-group 5

NGFW{running-phase1-proposal-myphase1}encryption

ISAKMP encryption algorithm.

Syntax encryption (3des|aes128|aes192|aes256)

Example

NGFW{running-phase1-proposal-myphase1}encryption aes256

NGFW{running-phase1-proposal-myphase1}hash

ISAKMP hash algorithm. md5 is kept for interoperability with older peers; prefer sha1.

Syntax hash (md5|sha1)

Example

NGFW{running-phase1-proposal-myphase1}hash sha1

NGFW{running-phase1-proposal-myphase1}lifetime

ISAKMP security association lifetime. A phase 1 lifetime of 24 hours (86400 seconds) is commonly used.

Syntax lifetime LIFE-DURATION LIFE-UNIT
lifetime (1-65535) (min|sec|hour)

Example

NGFW{running-phase1-proposal-myphase1}lifetime 24 hour

running-phase2-proposal-X Context Commands and their Usage

NGFW{running}vpn ipsec

NGFW{running-ipsec}phase2 2 proposal myphase2

NGFW{running-phase2-proposal-myphase2}auth2

IPsec authentication algorithm.


Syntax auth2 (hmac-md5|hmac-sha1) [hmac-sha1|hmac-md5]

Example

NGFW{running-phase2-proposal-myphase2}auth2 hmac-sha1

NGFW{running-phase2-proposal-myphase2}auth2 hmac-md5 hmac-sha1

NGFW{running-phase2-proposal-myphase2}auth2 hmac-sha1 hmac-md5

NGFW{running-phase2-proposal-myphase2}dh-group

Perfect Forward Secrecy Diffie-Hellman group. With none, the IPsec keys are derived from the phase 1 keying material alone, so compromise of the ISAKMP SA exposes every IPsec SA negotiated under it.

Syntax dh-group (1|2|5|14|none)

Example

NGFW{running-phase2-proposal-myphase2}dh-group 5

NGFW{running-phase2-proposal-myphase2}encryption2

IPsec encryption algorithm.

Syntax encryption2 (3des|aes128|aes192|aes256|null) [3des|aes128|aes192|aes256|null]{0,4}

Example

NGFW{running-phase2-proposal-myphase2}encryption2 aes256 aes192 aes128 3des

NGFW{running-phase2-proposal-myphase2}encryption2 aes256

NGFW{running-phase2-proposal-myphase2}lifetime

IP security association lifetime.

Syntax lifetime LIFE-DURATION LIFE-UNIT
lifetime (1-4294967295) (hour|min|sec|byte)

Example

NGFW{running-phase2-proposal-myphase2}lifetime 4194304000 byte

NGFW{running-phase2-proposal-myphase2}lifetime 3600 sec
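Several of the contexts in this section accept a weak or cleartext setting next to a stronger one: text authentication on loopback OSPF and RIP, ip-filter allow default on the management interface, an SNMPv2 community on a notify contact, an NTP server without a key, a manual SA built on 3des-cbc, null or hmac-md5, and phase 1 or phase 2 proposals using DH group 1 or 2, 3des, md5, null or no PFS group. The script below is an added example, not code from the HP guide or the appliance: it audits a configuration listing for those settings. It assumes the configuration can be exported as plain text in which each context header (interface mgmt, ntp, phase1 2 proposal myphase1, and so on) is followed by its commands indented one space per nesting level and spelled as in this reference; the guide does not show such an export, so the SAMPLE_CONFIG is constructed for the example and its addresses and keys are placeholders.

```python
"""Audit an NGFW configuration listing for weak or cleartext settings.

Added example, not code from the HP guide. It assumes the configuration is
available as a plain-text listing in which each context header (for example
`interface mgmt` or `phase1 2 proposal myphase1`) is followed by its commands,
indented one space per nesting level, spelled as in this reference. The
SAMPLE_CONFIG below is constructed for the example; its addresses and keys are
placeholders.
"""
import re
from typing import List, Tuple

Finding = Tuple[int, str]  # (line number, message)

SAMPLE_CONFIG = """\
interface loopback0
 ip ospf area 1
 ip ospf authentication mode text mysecret
 ip rip authentication mode text
interface mgmt
 ip-filter allow default
 ip-filter allow https ip 192.168.1.0/24
notifycontacts
 contact mycontact1 snmp public 192.168.1.1
ntp
 server 192.168.1.1
 server 192.168.1.2 key 1 prefer
vpn ipsec
 manual
  sa esp 192.168.1.1 192.168.2.2 1 tunnel 3des-cbc 0x000102030405060708090a0b0c0d0e0f1011121314151617 hmac-md5 0x000102030405060708090a0b0c0d0e0f
 phase1 2 proposal myphase1
  auth local pre-shared-key remote pre-shared-key
  dh-group 2
  encryption 3des
  hash md5
  lifetime 24 hour
 phase2 2 proposal myphase2
  dh-group none
  encryption2 aes256 null
  auth2 hmac-md5 hmac-sha1
"""

# (context pattern, command pattern, message). The context is the chain of
# enclosing headers joined with "/", e.g. "vpn ipsec/phase1 2 proposal myphase1".
RULES = [
    (r"^interface", r"^ip ospf authentication mode text\b",
     "OSPF simple-password authentication sends the key in cleartext; use mode md5"),
    (r"^interface", r"^ip rip authentication mode text\b",
     "RIP cleartext authentication; use mode md5"),
    (r"^interface mgmt$", r"^ip-filter allow default$",
     "management interface allows every source by default; use ip-filter deny default plus explicit allows"),
    (r"^notifycontacts$", r"^contact \S+ snmp (public|private)\b",
     "SNMP trap contact uses a well-known community string"),
    (r"^notifycontacts$", r"^contact \S+ snmp ",
     "SNMPv2c community travels in cleartext with every trap; restrict the path to the receiver"),
    (r"^ntp$", r"^server (?!dhcp\b)(?!.*\bkey \d+)",
     "NTP server configured without key: time source is unauthenticated"),
    (r"manual$", r"^sa esp .* (3des-cbc|null) ",
     "manual ESP SA uses 3DES or NULL encryption"),
    (r"manual$", r"^sa esp .* hmac-md5 ",
     "manual ESP SA is authenticated with HMAC-MD5"),
    (r"manual$", r"^sa esp ",
     "manual SA keys never rekey; prefer IKE-negotiated SAs (phase1/phase2 proposals)"),
    (r"phase1 \d+ proposal", r"^dh-group [12]$",
     "IKE Diffie-Hellman group 1/2 (768/1024-bit MODP) is too small; use group 14"),
    (r"phase1 \d+ proposal", r"^encryption 3des$",
     "IKE encryption 3DES; use aes128 or stronger"),
    (r"phase1 \d+ proposal", r"^hash md5$",
     "IKE hash MD5; use sha1"),
    (r"phase2 \d+ proposal", r"^dh-group none$",
     "no Perfect Forward Secrecy for IPsec SAs; set a phase 2 dh-group"),
    (r"phase2 \d+ proposal", r"^encryption2 .*\bnull\b",
     "phase 2 proposal offers NULL encryption"),
    (r"phase2 \d+ proposal", r"^auth2 .*\bhmac-md5\b",
     "phase 2 proposal offers HMAC-MD5"),
]


def audit_config(text: str) -> List[Finding]:
    """Walk the listing, track the context chain by indentation, apply RULES."""
    findings: List[Finding] = []
    stack: List[str] = []  # enclosing lines, innermost last
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        del stack[depth:]  # close every context deeper than this line
        context = "/".join(stack)
        for ctx_re, cmd_re, message in RULES:
            if re.search(ctx_re, context) and re.match(cmd_re, line):
                findings.append((lineno, message))
        stack.append(line)  # this line may be the header for what follows
    return findings


if __name__ == "__main__":
    for lineno, message in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {message}")
```

Each finding names the line and the stronger alternative from this reference; the server line that carries key 1 and the hmac-sha1 alternative in auth2 produce no findings, so the output is the list of settings to change rather than an inventory of the file.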

running-ospf Context Commands

NGFW{running}router ospf

NGFW{running-ospf}area

Configure an OSPF area, area range, or virtual link.

Syntax
area (A.B.C.D|(0-4294967295)) range A.B.C.D/M [not-advertised]
area (A.B.C.D|(0-4294967295)) (stub|nssa|tsa)
area (A.B.C.D|(0-4294967295)) default-cost (0-16777215)
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D dead-interval VALUE
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D hello-interval VALUE
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D retransmit-interval VALUE
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D transmit-delay VALUE
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D authentication simple SIMPLE-PASSWORD
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D authentication md5 KEY-ID MD5-KEY-STRING

(0-4294967295) OSPF area ID as a decimal value
A.B.C.D OSPF area ID in IP address format

Example

NGFW{running-ospf}area 1 ?

Valid entries at this position are:

default-cost Set the summary-default cost of a NSSA or stub area

nssa Configure a not-so-stubby area (NSSA)

range Summarize routes matching address/mask prefix

stub Configure a stubby area

tsa Configure a totally stubby area (TSA)

virtual-link Configure a virtual link

NGFW{running-ospf}default-metric

Set default metric of routes redistributed into OSPF.

Syntax default-metric (1-16777214)

Example

NGFW{running-ospf}default-metric 1

NGFW{running-ospf}delete

Delete file or configuration item.

Syntax
delete area AREA-ID range A.B.C.D/M
delete area AREA-ID (stub|nssa|tsa)
delete area AREA-ID default-cost
delete area AREA-ID virtual-link A.B.C.D
delete area AREA-ID virtual-link A.B.C.D dead-interval
delete area AREA-ID virtual-link A.B.C.D hello-interval
delete area AREA-ID virtual-link A.B.C.D retransmit-interval
delete area AREA-ID virtual-link A.B.C.D transmit-delay
delete area AREA-ID virtual-link A.B.C.D authentication simple
delete area AREA-ID virtual-link A.B.C.D authentication md5 KEY-ID
delete default-metric
delete distance VALUE
delete distance (external|inter-area|intra-area) (1-255)
delete passive-interface INTERFACE
delete redistribute PROTOCOL
delete rfc1583-compatible
delete router-id

Example

NGFW{running-ospf}delete distance ?

Valid entries at this position are:

VALUE OSPF Administrative distance

external The distance for external routes

inter-area The distance for inter-area routes

intra-area The distance for intra-area routes


NGFW{running-ospf}disable

Disable Open Shortest Path First (OSPF).

Syntax disable

Example

NGFW{running-ospf}disable

NGFW{running-ospf}distance

Set OSPF administrative distance.

Syntax
distance (1-255)
distance (external|inter-area|intra-area) (1-255)

(1-255) OSPF Administrative distance
external Configure the distance for external routes
inter-area Configure the distance for inter-area routes
intra-area Configure the distance for intra-area routes

Example

NGFW{running-ospf}distance external 1

NGFW{running-ospf}enable

Enable Open Shortest Path First (OSPF).

Syntax enable

Example

NGFW{running-ospf}enable

NGFW{running-ospf}passive-interface

Suppress routing updates on an interface.

Syntax passive-interface INTERFACE

Example

NGFW{running-ospf}passive-interface name

NGFW{running-ospf}redistribute

Redistribute routes from another routing protocol.

Syntax redistribute PROTOCOL [metric-type (1-2)] [metric (0-16777214)] [route-map ROUTE-MAP]

Possible values for PROTOCOL are:

connected Connected

static Static routes

rip Routing Information Protocol (RIP)

bgp Border Gateway Protocol (BGP)

metric-type (1-2) OSPF exterior metric type for redistributed routes

metric (0-16777214) Metric for redistributed routes

route-map ROUTE-MAP Route map reference (route map name)

Example

NGFW{running-ospf}redistribute rip metric-type ?

Valid entry at this position is:

<1-2> Set OSPF exterior type metric

NGFW{running-ospf}redistribute rip metric-type 1 route-map name

NGFW{running-ospf}rfc1583-compatible

Enable RFC-1583 compatibility (Disabled by default).

Syntax rfc1583-compatible

Example

NGFW{running-ospf}rfc1583-compatible

NGFW{running-ospf}router-id

Set the OSPF router ID.

Syntax router-id A.B.C.D

A.B.C.D OSPF router ID in IP address format

Example

NGFW{running-ospf}router-id 198.51.100.150

running-ospfv3 Context Commands

NGFW{running}router ospfv3

NGFW{running-ospfv3}area

Configure an OSPFv3 area, area range, or virtual link.

Syntax area (A.B.C.D|(0-4294967295)) range X:X::X:X/M

area (A.B.C.D|(0-4294967295)) (stub|nssa|tsa)

area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D

area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D [hello-interval VALUE]

area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D [hello-interval VALUE] [retransmit-interval VALUE]

area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D [hello-interval VALUE] [retransmit-interval VALUE] [transmit-delay VALUE]

area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D [hello-interval VALUE] [retransmit-interval VALUE] [transmit-delay VALUE] [dead-interval VALUE]

Example

NGFW{running-ospfv3}area 2 ?

Valid entries at this position are:

nssa Configure a not-so-stubby area (NSSA)

range Summarize routes matching address/mask (border routers only)

stub Configure a stubby area

tsa Configure a totally stubby area (TSA)

virtual-link Configure a virtual link over a transit area

NGFW{running-ospfv3}delete

Delete file or configuration item.

Syntax delete area AREA-ID AREA-TYPE

delete area AREA-ID range X:X::X:X/M

delete area AREA-ID virtual-link A.B.C.D

delete area AREA-ID virtual-link A.B.C.D dead-interval

delete area AREA-ID virtual-link A.B.C.D hello-interval

delete area AREA-ID virtual-link A.B.C.D retransmit-interval

delete area AREA-ID virtual-link A.B.C.D transmit-delay

delete passive-interface INTERFACE

delete redistribute PROTOCOL

delete router-id

Valid entries:

area Delete OSPFv3 area

passive-interface Reactivate an interface

redistribute Delete route redistribution from another protocol

router-id Delete OSPFv3 router ID

Example

NGFW{running-ospfv3}delete area 1 range 100:0:0:0:0:0:0:0/64

NGFW{running-ospfv3}delete redistribute ?

Valid entries at this position are:

connected Connected

static Static routes

ripng Routing Information Protocol next generation (RIPng)

NGFW{running-ospfv3}disable

Disable Open Shortest Path First (OSPFv3).

Syntax disable

Example

NGFW{running-ospfv3}disable

NGFW{running-ospfv3}enable

Enable Open Shortest Path First (OSPFv3).

Syntax enable

Example

NGFW{running-ospfv3}enable

NGFW{running-ospfv3}nsf

Enable or disable OSPFv3 non-stop forwarding (graceful restart).

Syntax nsf (enable|disable)

enable Enable graceful restart with a grace time of 120

disable Disable graceful restart

Example

NGFW{running-ospfv3}nsf enable

NGFW{running-ospfv3}passive-interface

Suppress routing updates on an interface.

Syntax passive-interface INTERFACE

Example

NGFW{running-ospfv3}passive-interface name

NGFW{running-ospfv3}redistribute

Redistribute routes from another routing protocol.

Syntax redistribute PROTOCOL [metric-type (1-2)] [metric (0-16777214)] [route-map ROUTE-MAP]

PROTOCOL OSPFv3 protocol list. Possible values for PROTOCOL are:

connected Connected

static Static routes

ripng Routing Information Protocol next generation (RIPng)

metric-type (1-2) OSPFv3 exterior metric type for redistributed routes

metric (0-16777214) Metric for redistributed routes

route-map ROUTE-MAP Route map reference (route map name)

Example

NGFW{running-ospfv3}redistribute static metric 2

NGFW{running-ospfv3}router-id

Set the OSPFv3 router ID.

Syntax router-id ROUTER-ID

ROUTER-ID OSPFv3 router ID in IPv4 address format

Example

NGFW{running-ospfv3}router-id 198.51.100.1

running-pim-smv4 Context Commands

NGFW{running}router pim-smv4

NGFW{running-pim-smv4}bsr-candidate

Toggle bootstrap router (BSR) candidate.

Syntax bsr-candidate interface INTERFACE

bsr-candidate priority (0-255)

interface Interface that has a global address for Bootstrap messages

priority Priority of the BSR candidate

Example

NGFW{running-pim-smv4}bsr-candidate priority 2

NGFW{running-pim-smv4}delete

Delete file or configuration item.

Syntax delete bsr-candidate

delete dr-priority

delete rp-address (all|(A.B.C.D A.B.C.D/M))

delete rp-candidate

delete rp-candidate group (all|A.B.C.D/M)

delete threshold

Valid entries:

bsr-candidate Toggle bootstrap router (BSR) candidate

dr-priority Delete the DR priority set for the device

rp-address Delete static group-to-RP mapping

rp-candidate Delete the RP-candidate configuration

rp-candidate group Toggle RP candidate group range

threshold Shortest path tree switch threshold

Example

NGFW{running-pim-smv4}delete bsr-candidate

NGFW{running-pim-smv4}disable

Disable PIM-SM IPv4 on the device.

Syntax disable

Example

NGFW{running-pim-smv4}disable

NGFW{running-pim-smv4}dr-priority

Configure the DR priority for the device.

Syntax dr-priority (0-4294967295)

(0-4294967295) The priority used to elect the DR

Example

NGFW{running-pim-smv4}dr-priority 2

NGFW{running-pim-smv4}enable

Enable PIM-SM IPv4 on the device.

Syntax enable

Example

NGFW{running-pim-smv4}enable

NGFW{running-pim-smv4}rp-address

Static mapping of multicast groups to RP.

Syntax rp-address A.B.C.D A.B.C.D/M

A.B.C.D IPv4 address for static RP

A.B.C.D/M IPv4 multicast group for static RP

Example

NGFW{running-pim-smv4}rp-address 198.51.0.100

NGFW{running-pim-smv4}rp-candidate

Toggle RP candidate.

Syntax rp-candidate group A.B.C.D/M

rp-candidate interface INTERFACE

rp-candidate priority (0-255)

group Specifies the multicast group range for the RP candidate

interface Interface that has a global address for Candidate RP advertising

priority Priority of the RP candidate

Example

NGFW{running-pim-smv4}rp-candidate priority 1

NGFW{running-pim-smv4}threshold

Data rate that triggers shortest path tree switch.

Syntax threshold RATE

threshold Shortest path tree switch threshold

RATE The rate for shortest path tree switching (1-4294967295 bytes/s). Default: 1000 bytes/s.

Example

NGFW{running-pim-smv4}threshold 1000

running-pim-smv6 Context Commands

NGFW{running}router pim-smv6

NGFW{running-pim-smv6}bsr-candidate

Toggle bootstrap router (BSR) candidate.

Syntax bsr-candidate interface INTERFACE

bsr-candidate priority (0-255)

interface Interface that has a global address for Bootstrap messages

priority Priority of the BSR

Example

NGFW{running-pim-smv6}bsr-candidate priority 1

NGFW{running-pim-smv6}delete

Delete file or configuration item.

Syntax delete bsr-candidate

delete dr-priority

delete rp-address (all|(X:X::X:X X:X::X:X/M))

delete rp-candidate

delete rp-candidate group (all|X:X::X:X/M)

delete threshold

Valid entries:

bsr-candidate Toggle bootstrap router (BSR) candidate

dr-priority Delete the DR priority set for the device

rp-address Delete group-to-RP mapping

rp-candidate Delete the RP-candidate configuration

rp-candidate Toggle RP candidate

threshold Shortest path tree switch threshold

Example

NGFW{running-pim-smv6}delete rp-address ?

Valid entries at this position are:

X:X::X:X Specified static RP IPv6 address

all Delete ALL group-to-RP mapping

NGFW{running-pim-smv6}disable

Disable PIM-SM IPv6 on the device.

Syntax disable

Example

NGFW{running-pim-smv6}disable

NGFW{running-pim-smv6}dr-priority

Configure the DR priority for the device.

Syntax dr-priority (0-4294967295)

(0-4294967295) The priority used to elect the DR.

Example

NGFW{running-pim-smv6}dr-priority 2

NGFW{running-pim-smv6}enable

Enable PIM-SM IPv6 on the device.

Syntax enable

Example

NGFW{running-pim-smv6}enable

NGFW{running-pim-smv6}rp-address

Static mapping of multicast groups to RP.

Syntax rp-address X:X::X:X X:X::X:X/M

rp-address Static group-to-RP mapping

X:X::X:X IPv6 address for static RP

X:X::X:X/M IPv6 multicast group prefix for static RP

Example

NGFW{running-pim-smv6}rp-address ?

Valid entry at this position is:

X:X::X:X IPv6 address for static RP

NGFW{running-pim-smv6}rp-candidate

Toggle RP candidate.

Syntax rp-candidate group X:X::X:X/M

rp-candidate interface INTERFACE

rp-candidate priority (0-255)

group Specifies the multicast group range for the RP candidate

interface Interface that has a global address for Candidate RP advertising

priority Priority of the RP

Example

NGFW{running-pim-smv6}rp-candidate priority 2

NGFW{running-pim-smv6}threshold

Data rate at which to perform shortest path tree switch.

Syntax threshold RATE

threshold Shortest path tree switch threshold

RATE The rate for shortest path tree switching (1-4294967295 bytes/s). Default: 1000 bytes/s.

Example

NGFW{running-pim-smv6}threshold 1000

running-pppoeX Context Commands

NGFW{running}interface pppoe0

NGFW{running-pppoe0}auth

Configure PPP authentication.

Syntax auth ppp reply (chap|chap-md5|ms-chapv2|pap|ms-chap)

auth ppp user-id USER PASSWORD

ppp Configure PPP authentication options

Example

NGFW{running-pppoe0}auth ppp reply chap-md5

NGFW{running-pppoe0}auth ppp user-id myuser mypassword

NGFW{running-pppoe0}autoconfv6

Enable or disable IPv6 autoconfiguration on interface.

Syntax autoconfv6 (enable|disable)

Example

NGFW{running-pppoe0}autoconfv6 enable

NGFW{running-pppoe0}bind

Bind PPPoE interface to specific ethernet port.

Syntax bind (none|ethernetX)

ethernetX Ethernet port name

none Do not bind this PPPoE interface

Example

NGFW{running-pppoe0}bind ethernet5

NGFW{running-pppoe0}bind none

NGFW{running-pppoe0}delete

Delete file or configuration item.

Syntax delete auth ppp reply all

delete auth ppp reply (chap|chap-md5|ms-chapv2|pap|ms-chap)

delete auth ppp user-id

delete ip igmp

delete ip igmp version

delete ipv6 mld

delete ipv6 mld version

delete log-option ppp all

delete log-option ppp PPP-LOG-OPTION

delete prefix (all|X:X::X:X/M)

delete shutdown

Valid entries:

auth Delete PPP authentication configuration

ip Delete IP settings

ipv6 Delete IPv6 settings

log-option Delete service log option

prefix Delete IPv6 prefix

shutdown Shutdown logical interface state

Example

NGFW{running-pppoe0}delete auth ppp reply chap-md5

NGFW{running-pppoe0}delete auth ppp user-id

NGFW{running-pppoe0}delete ip igmp version

NGFW{running-pppoe0}delete ip igmp

NGFW{running-pppoe0}delete ipv6 mld

NGFW{running-pppoe0}delete log-option ppp auth

NGFW{running-pppoe0}delete prefix 100::/64

NGFW{running-pppoe0}delete shutdown

NGFW{running-pppoe0}description

Enter description for the interface.

Syntax description TEXT

Example

NGFW{running-pppoe0}description "pppoe interface 0"

NGFW{running-pppoe0}dns-request

Configure IP DNS server address request.

Syntax dns-request (enable|disable)

Example

NGFW{running-pppoe0}dns-request enable

NGFW{running-pppoe0}ip

Configure IP settings.

Syntax ip igmp

ip igmp version (1|2|3)

Example

NGFW{running-pppoe0}ip igmp version 3

NGFW{running-pppoe0}ipcp

Enable or disable IPCP for IPv4.

Syntax ipcp (enable|disable)

Example

NGFW{running-pppoe0}ipcp enable

NGFW{running-pppoe0}ipcp disable

NGFW{running-pppoe0}ipv6

Configure IPv6 settings.

Syntax ipv6 mld

ipv6 mld version (1|2)

Example

NGFW{running-pppoe0}ipv6 mld version 2

NGFW{running-pppoe0}ipv6cp

Enable or disable IPV6CP (IPCP for IPv6).

Syntax ipv6cp (enable|disable)

Example

NGFW{running-pppoe0}ipv6cp enable

NGFW{running-pppoe0}keep-alive

LCP keep alive period in seconds.

Syntax keep-alive ppp disable

keep-alive ppp (default|(0-600)) [retry (0-600)]

Example

NGFW{running-pppoe0}keep-alive ppp default retry 1

NGFW{running-pppoe0}keep-alive ppp disable

NGFW{running-pppoe0}log-option

Add service log option.

Syntax log-option ppp all

log-option ppp PPP-LOG-OPTION

PPP-LOG-OPTION valid entries:

all Enable all optional log items

auth Link authentication events

ipcp IPCP events and negotiation

ipv6cp IPV6CP events and negotiation

l2tp L2TP high level events

l2tp2 L2TP more detailed events

l2tp3 L2TP packet dumps

pptp PPTP high level events

pptp2 PPTP more detailed events

pptp3 PPTP packet dumps

lcp LCP events and negotiation

phys Physical layer events

radius RADIUS authentication events

echo Keep-alive events

bund Bundle events

iface IP interface and route management events

link Link events

frame Dump all incoming and outgoing frames

fsm All state machine events (except echo and reset)

Example

NGFW{running-pppoe0}log-option ppp auth

NGFW{running-pppoe0}mru

Configure interface MRU.

Syntax mru (default|(64-65535))

Example

NGFW{running-pppoe0}mru 1500

NGFW{running-pppoe0}mru default

NGFW{running-pppoe0}mtu

Configure interface MTU.

Syntax mtu (default|(68-9216))

Example

NGFW{running-pppoe0}mtu default

NGFW{running-pppoe0}mtu 1500

NGFW{running-pppoe0}prefix

Configure IPv6 prefix.

Syntax prefix X:X::X:X/M [valid-lifetime (1-4294967295)] [preferred-lifetime (1-4294967295)]

X:X::X:X/M IPv6 prefix

valid-lifetime (1-4294967295) Valid lifetime in seconds (default is 2592000)

preferred-lifetime (1-4294967295) Preferred lifetime in seconds (default is 604800; cannot exceed the valid lifetime)

Example

NGFW{running-pppoe0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000 preferred-lifetime 604800

NGFW{running-pppoe0}ra-autoconf-level

Modify IPv6 Router Advertisement autoconfiguration level.

Syntax ra-autoconf-level AUTOCONF

Possible values for AUTOCONF are:

none No parameter is autoconfigured

address Address is autoconfigured

other Some other parameters are autoconfigured

full Most parameters are autoconfigured

Example

NGFW{running-pppoe0}ra-autoconf-level full

NGFW{running-pppoe0}ra-interval

Modify IPv6 Router Advertisement interval value.

Syntax ra-interval (90-1800000)

(90-1800000) Router Advertisement emission period (in milliseconds)

Example

NGFW{running-pppoe0}ra-interval 600

NGFW{running-pppoe0}ra-interval-transmit

Modify IPv6 Router Advertisement interval transmit.

Syntax ra-interval-transmit (enable|disable)

Example

NGFW{running-pppoe0}ra-interval-transmit enable

NGFW{running-pppoe0}ra-lifetime

Modify IPv6 Router Advertisement prefix lifetime in seconds.

Syntax ra-lifetime (0-9000000)

Example

NGFW{running-pppoe0}ra-lifetime 1800

NGFW{running-pppoe0}ra-mtu

Modify IPv6 Router Advertisement MTU value.

Syntax ra-mtu (none|(68-9216))

none Not configured

(68-9216) MTU value advertised (0 if none)

Example

NGFW{running-pppoe0}ra-mtu 1500

NGFW{running-pppoe0}ra-transmit-mode

Modify IPv6 Router Advertisement transmit mode.

Syntax ra-transmit-mode MODE

Possible values for MODE are:

always Router Advertisement message is always sent

never Router Advertisement message is never sent

smart Router Advertisement message is sent if a prefix is defined

Example

NGFW{running-pppoe0}ra-transmit-mode smart

NGFW{running-pppoe0}service

Configure PPPoE service name.

Syntax service (none|NAME)

Example

NGFW{running-pppoe0}service myPPPoEservice

NGFW{running-pppoe0}service none

NGFW{running-pppoe0}shutdown

Shutdown logical interface state.

Syntax shutdown

Example

NGFW{running-pppoe0}shutdown

NGFW{running-pppoe0}tcp4mss

Configure interface TCP MSS for IPv4.

Syntax tcp4mss (disable|automatic|(4-65535))

Valid entries:

disable Disable service

automatic Automatically select TCP MSS based on interface MTU

(4-65535) TCP MSS value for IPv4

Example

NGFW{running-pppoe0}tcp4mss automatic

NGFW{running-pppoe0}tcp6mss

Configure interface TCP MSS for IPv6.

Syntax tcp6mss (disable|automatic|(4-65535))

Valid entries:

disable Disable service

automatic Automatically select TCP MSS based on interface MTU

(4-65535) TCP MSS value for IPv6

Example

NGFW{running-pppoe0}tcp6mss automatic

running-pptpX Context Commands

NGFW{running}interface pptp0

NGFW{running-pptp0}always-ack

Enable or disable always-ack option.

Syntax always-ack (enable|disable)

Example

NGFW{running-pptp0}always-ack enable

NGFW{running-pptp0}always-ack disable

NGFW{running-pptp0}auth

Configure PPP authentication.

Syntax auth ppp reply ALGORITHM

auth ppp user-id USER PASSWORD

ALGORITHM (chap|chap-md5|ms-chapv2|pap|ms-chap)

Example

NGFW{running-pptp0}auth ppp reply chap-md5

NGFW{running-pptp0}auth ppp user-id myuser mypassword
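The PPP `auth ppp reply` choices in the pppoeX and pptpX contexts, and the OSPF virtual-link `authentication simple|md5` options listed under the running-ospf delete command, are the settings a reviewer checks first in an exported configuration. The Python audit below is an added example, not HP's code: it reads constructed transcript lines in the `NGFW{context}command` form used on this page and flags cleartext or weak choices. The severity ratings are the example's own, and the set form `area AREA-ID virtual-link A.B.C.D authentication simple` is assumed from the delete syntax.

```python
"""Audit NGFW CLI transcript lines for weak PPP and OSPF authentication.

Added example, not from the HP reference. Input lines are constructed to
follow the ``NGFW{context}command`` form used throughout this manual.
"""
import re
from dataclasses import dataclass

PROMPT_RE = re.compile(r"^NGFW\{(?P<ctx>[^}]*)\}(?P<cmd>.*)$")

# Ratings for the documented reply algorithms (chap|chap-md5|ms-chapv2|pap|ms-chap).
# The ratings are this example's own judgement, not the manual's.
PPP_REPLY_RATING = {
    "pap": ("HIGH", "PAP sends the user-id and password in cleartext"),
    "ms-chap": ("MEDIUM", "MS-CHAPv1 has known cryptographic weaknesses"),
    "chap": ("LOW", "challenge/response, no cleartext password on the wire"),
    "chap-md5": ("LOW", "challenge/response, no cleartext password on the wire"),
    "ms-chapv2": ("LOW", "strongest option in the documented set"),
}


@dataclass(frozen=True)
class Finding:
    context: str   # e.g. running-pppoe0
    severity: str  # HIGH / MEDIUM / INFO
    command: str   # the offending command, secrets redacted
    detail: str


def parse_line(line):
    """Split 'NGFW{ctx}cmd' into (ctx, cmd); a bare command gets ctx ''."""
    m = PROMPT_RE.match(line.strip())
    if m:
        return m.group("ctx"), m.group("cmd").strip()
    return "", line.strip()


def audit(lines):
    """Return findings for every set command that weakens authentication."""
    findings = []
    for raw in lines:
        ctx, cmd = parse_line(raw)
        # blank lines, '?' help requests and delete commands configure nothing
        if not cmd or cmd.endswith("?") or cmd.startswith("delete "):
            continue
        tokens = cmd.split()
        if tokens[:3] == ["auth", "ppp", "reply"] and len(tokens) == 4:
            sev, why = PPP_REPLY_RATING.get(tokens[3], ("INFO", "undocumented algorithm"))
            if sev != "LOW":
                findings.append(Finding(ctx, sev, cmd, why))
        elif tokens[:3] == ["auth", "ppp", "user-id"] and len(tokens) == 5:
            # the PASSWORD argument lands in the running configuration as typed
            redacted = " ".join(tokens[:4] + ["<redacted>"])
            findings.append(Finding(ctx, "INFO", redacted,
                                    "PPP password stored in the running configuration; "
                                    "handle configuration exports as secrets"))
        elif tokens[:1] == ["area"] and "virtual-link" in tokens and "authentication" in tokens:
            i = tokens.index("authentication")
            mode = tokens[i + 1] if i + 1 < len(tokens) else ""
            if mode == "simple":
                findings.append(Finding(ctx, "HIGH", cmd,
                                        "OSPF simple authentication carries the password in cleartext"))
    return findings


# Constructed transcript in the manual's prompt format; not real device output.
SAMPLE_TRANSCRIPT = """
NGFW{running-pppoe0}auth ppp reply pap
NGFW{running-pppoe0}auth ppp user-id myuser mypassword
NGFW{running-pptp0}auth ppp reply ms-chapv2
NGFW{running-pptp0}delete auth ppp reply pap
NGFW{running-ospf}area 1 virtual-link 198.51.100.2 authentication simple
NGFW{running-ospf}area 1 virtual-link 198.51.100.3 authentication md5 1
""".strip().splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_TRANSCRIPT):
        print(f"[{f.severity}] {f.context}: {f.command}  -- {f.detail}")
```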

NGFW{running-pptp0}autoconfv6

Enable or disable IPv6 autoconfiguration on interface.

Syntax autoconfv6 (enable|disable)

Example

NGFW{running-pptp0}autoconfv6 enable

NGFW{running-pptp0}bind

Configure binding addresses of the pptp tunnel.

Syntax bind (none|(A.B.C.D A.B.C.D))

Example

NGFW{running-pptp0}bind 192.168.1.1 192.168.100.1

NGFW{running-pptp0}delayed-ack

Enable or disable delayed-ack option.

Syntax delayed-ack (enable|disable)

Example

NGFW{running-pptp0}delayed-ack enable

NGFW{running-pptp0}delete

Delete file or configuration item.

Syntax delete auth ppp reply all

delete auth ppp reply (chap|chap-md5|ms-chapv2|pap|ms-chap)

delete auth ppp user-id

delete ip igmp

delete ip igmp version

delete ipv6 mld

delete ipv6 mld version

delete log-option ppp all

delete log-option ppp PPP-LOG-OPTION

delete prefix (all|X:X::X:X/M)

delete shutdown

Example

NGFW{running-pptp0}delete auth ppp reply chap-md5

NGFW{running-pptp0}delete auth ppp user-id

NGFW{running-pptp0}delete ip igmp version

NGFW{running-pptp0}delete ip igmp

NGFW{running-pptp0}delete ipv6 mld

NGFW{running-pptp0}delete log-option ppp all

NGFW{running-pptp0}delete prefix 100::/64

NGFW{running-pptp0}delete shutdown

NGFW{running-pptp0}description

Enter description for the interface.

Syntax description TEXT

Example

NGFW{running-pptp0}description "pptp interface 0"

NGFW{running-pptp0}dns-request

Configure IP DNS server address request.

Syntax dns-request (enable|disable)

Example

NGFW{running-pptp0}dns-request enable

NGFW{running-pptp0}dns-request disable

NGFW{running-pptp0}ip

Configure IP settings.

Syntax ip igmp

ip igmp version (1|2|3)

Example

NGFW{running-pptp0}ip igmp version 3

NGFW{running-pptp0}ipcp

Enable or disable IPCP for IPv4.

Syntax ipcp (enable|disable)

Example

NGFW{running-pptp0}ipcp enable

NGFW{running-pptp0}ipcp disable

NGFW{running-pptp0}ipv6

Configure IPv6 settings.

Syntax ipv6 mld

ipv6 mld version (1|2)

Example

NGFW{running-pptp0}ipv6 mld version 2

NGFW{running-pptp0}ipv6cp

Enable or disable IPV6CP (IPCP for IPv6).

Syntax ipv6cp (enable|disable)

Example

NGFW{running-pptp0}ipv6cp enable

NGFW{running-pptp0}keep-alive

LCP keep alive period in seconds.

Syntax keep-alive ppp disable

keep-alive ppp (default|(0-600)) [retry (0-600)]

Example

NGFW{running-pptp0}keep-alive ppp default retry 1

NGFW{running-pptp0}keep-alive ppp disable

NGFW{running-pptp0}log-option

Add service log option.

Syntax log-option ppp all

log-option ppp PPP-LOG-OPTION

PPP-LOG-OPTION valid entries:

all Enable all optional log items

auth Link authentication events

ipcp IPCP events and negotiation

ipv6cp IPV6CP events and negotiation

l2tp L2TP high level events

l2tp2 L2TP more detailed events

l2tp3 L2TP packet dumps

pptp PPTP high level events

pptp2 PPTP more detailed events

pptp3 PPTP packet dumps

lcp LCP events and negotiation

phys Physical layer events

radius RADIUS authentication events

echo Keep-alive events

bund Bundle events

iface IP interface and route management events

link Link events

frame Dump all incoming and outgoing frames

fsm All state machine events (except echo and reset)

Example

NGFW{running-pptp0}log-option ppp all

NGFW{running-pptp0}mru

Configure interface MRU.

Syntax mru (default|(64-65535))

Example

NGFW{running-pptp0}mru 1500

NGFW{running-pptp0}mru default

NGFW{running-pptp0}mtu

Configure interface MTU.

Syntax mtu (default|(68-9216))

Example

NGFW{running-pptp0}mtu 1500

NGFW{running-pptp0}prefix

Configure IPv6 prefix.

Syntax prefix X:X::X:X/M [valid-lifetime (1-4294967295)] [preferred-lifetime (1-4294967295)]

Example

NGFW{running-pptp0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000 preferred-lifetime 604800

NGFW{running-pptp0}ra-autoconf-level

Modify IPv6 Router Advertisement autoconfiguration level.

Syntax ra-autoconf-level (none|address|other|full)

Valid entries:

none No parameter is autoconfigured

address Address is autoconfigured

other Some other parameters are autoconfigured

full Most parameters are autoconfigured

Example

NGFW{running-pptp0}ra-autoconf-level full

NGFW{running-pptp0}ra-autoconf-level ?

NGFW{running-pptp0}ra-interval

Modify IPv6 Router Advertisement interval value in milliseconds.

Syntax ra-interval (90-1800000)

Example

NGFW{running-pptp0}ra-interval 600

NGFW{running-pptp0}ra-interval-transmit

Modify IPv6 Router Advertisement interval transmit.

Syntax ra-interval-transmit (enable|disable)

Example

NGFW{running-pptp0}ra-interval-transmit enable

NGFW{running-pptp0}ra-lifetime

Modify IPv6 Router Advertisement prefix lifetime in seconds.

Syntax ra-lifetime (0-9000000)

Example

NGFW{running-pptp0}ra-lifetime 1800

NGFW{running-pptp0}ra-mtu

Modify IPv6 Router Advertisement MTU value.

Syntax ra-mtu (none|(68-9216))

Example

NGFW{running-pptp0}ra-mtu 1500

NGFW{running-pptp0}ra-transmit-mode

Modify IPv6 Router Advertisement transmit mode.

Syntax ra-transmit-mode (always|never|smart)

Valid entries:

always Router Advertisement message is always sent

never Router Advertisement message is never sent

smart Router Advertisement message is sent if a prefix is defined

Example

NGFW{running-pptp0}ra-transmit-mode smart

NGFW{running-pptp0}shutdown

Shutdown logical interface state.

Syntax shutdown

Example

NGFW{running-pptp0}shutdown

NGFW{running-pptp0}tcp4mss

Configure interface TCP MSS for IPv4.

Syntax tcp4mss (disable|automatic|(4-65535))

Example

NGFW{running-pptp0}tcp4mss automatic

NGFW{running-pptp0}tcp6mss

Configure interface TCP MSS for IPv6.

Syntax tcp6mss (disable|automatic|(4-65535))

Example

NGFW{running-pptp0}tcp6mss automatic

NGFW{running-pptp0}windowing

Enable or disable windowing option.

Syntax windowing (enable|disable)

Example

NGFW{running-pptp0}windowing enable

NGFW{running-pptp0}windowing disable

running-rep Context Commands

Immediate Commit Feature. Changes take effect immediately.

NGFW{running}rep

NGFW{running-rep}delete

Delete file or configuration item.

Syntax delete group REPGROUP

delete profile REPPROFILE

Valid entries:

group Delete reputation group

profile Delete reputation profile

Example

NGFW{running-rep}delete group myrepgroup

WARNING: Are you sure you want to delete reputation group (y/n)? [n]: y

NGFW{running-rep}delete profile myrepprofile

WARNING: Are you sure you want to delete profile (y/n)? [n]: y

NGFW{running-rep}group

Create or enter reputation group context.

Syntax group REPGROUP

Valid entries:

REPGROUP Reputation usergroup name

Example

NGFW{running-rep}group myrepgroup

NGFW{running-rep-myrepgroup}

NGFW{running-rep-myrepgroup}help

Valid commands are:

delete domain DOMAINNAME

delete ip SOURCEIP

description DESCRIPTION

display

domain NEWDOMAINNAME

help [full|COMMAND]

ip SOURCEIP

NGFW{running-rep}profile

Create or enter reputation profile context.

Syntax profile REPPROFILE

Example

NGFW{running-rep}profile myprofile

NGFW{running-rep-myprofile}help

Valid commands are:

CHECK-ADDRESS ACTION

action-when-pending ACTION

delete dns-except DOMAINNAME

delete filter ALLGROUPNAME

delete ip-except SOURCEIP DESTINATIONIP

display

dns-except NEWDOMAINNAME

filter ALLGROUPNAME( enable [threshold [XACTIONSETNAME]])|( disable)

help [full|COMMAND]

ip-except SOURCEIP DESTINATIONIP

NGFW{running-rep}rename

Rename a reputation profile or group.

Syntax rename group REPGROUP NEWREPGROUP

rename profile REPPROFILE NEWREPPROFILE

Valid entries:

group Reputation group

profile Reputation profile

Example

NGFW{running-rep}rename profile oldname newname

running-rep-X (group X) Context Commands

Immediate Commit Feature. Changes take effect immediately.

NGFW{running-rep}group 1

NGFW{running-rep-1}delete

Delete file or configuration item.

Syntax delete domain DOMAINNAME

delete ip (A.B.C.D|A.B.C.D/M|X:X::X:X|X:X::X:X/M)

Valid entries:

domain Domain name

ip IP address (IPv4/IPv6, host or CIDR prefix)

Example

NGFW{running-rep-1}delete domain example.com

NGFW{running-rep-1}delete ip 192.168.1.1

NGFW{running-rep-1}delete ip 100:0:0:0:0:0:0:0/64

NGFW{running-rep-1}description

Add a description to the reputation group.

Syntax description DESCRIPTION

Example

NGFW{running-rep-1}description "Rep Group 1"

NGFW{running-rep-1}domain

Add a domain name to the reputation group.

Syntax domain NEWDOMAIN

Example

NGFW{running-rep-1}domain example.com

NGFW{running-rep-1}ip

Add an IP address (IPv4/IPv6, host or CIDR prefix) to the reputation group.

Syntax ip (A.B.C.D|A.B.C.D/M|X:X::X:X|X:X::X:X/M)

Example

NGFW{running-rep-1}ip 192.168.1.1

NGFW{running-rep-1}ip 192.168.1.0/24

NGFW{running-rep-1}ip 100:0:0:0:0:0:0:1

NGFW{running-rep-1}ip 100:0:0:0:0:0:0:0/64
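A reputation group is only as good as the list fed into it. The Python helper below is an added example, not HP's code: it turns a constructed block list into the `ip` and `domain` commands accepted in this group context, rejecting malformed entries and collapsing overlapping or adjacent prefixes so the group stays small. The group name "blocklist" and its description are assumptions.

```python
"""Generate running-rep-X group commands from a raw indicator list.

Added example, not from the HP reference. Output lines are the ``ip`` and
``domain`` commands documented for the reputation group context.
"""
import ipaddress
import re

# One DNS label: letters, digits and hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_indicator(raw):
    """Return ('ip', network) or ('domain', name); raise ValueError otherwise."""
    item = raw.strip().lower()
    if not item or item.startswith("#"):
        raise ValueError("empty line or comment")
    try:
        # strict=False masks host bits: 192.0.2.7/24 becomes 192.0.2.0/24
        return "ip", ipaddress.ip_network(item, strict=False)
    except ValueError:
        pass
    labels = item.rstrip(".").split(".")
    if (len(labels) >= 2 and not labels[-1].isdigit()
            and all(LABEL_RE.match(label) for label in labels)):
        return "domain", ".".join(labels)
    raise ValueError(f"not an IP address, prefix or domain name: {raw!r}")


def ip_command(net):
    """Hosts use the A.B.C.D / X:X::X:X form, prefixes the /M form."""
    if net.num_addresses == 1:
        return f"ip {net.network_address}"
    return f"ip {net.with_prefixlen}"


def build_group_commands(group, description, indicators):
    """Return (commands, rejected) for one reputation group.

    commands: CLI lines to enter in the running-rep context, group first.
    rejected: (raw_entry, reason) pairs that were not turned into commands.
    """
    v4, v6, domains, rejected = [], [], set(), []
    for raw in indicators:
        try:
            kind, value = parse_indicator(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if kind == "domain":
            domains.add(value)
        elif value.version == 4:
            v4.append(value)
        else:
            v6.append(value)
    commands = [f"group {group}", f'description "{description}"']
    # collapse_addresses merges adjacent and overlapping prefixes and drops
    # duplicates, e.g. 192.0.2.0/25 + 192.0.2.128/25 -> 192.0.2.0/24
    for net in ipaddress.collapse_addresses(v4):
        commands.append(ip_command(net))
    for net in ipaddress.collapse_addresses(v6):
        commands.append(ip_command(net))
    commands.extend(f"domain {name}" for name in sorted(domains))
    return commands, rejected


# Constructed block list, deliberately messy: adjacent halves of a /24, a host
# already covered by them, mixed-case IPv6, a trailing-dot domain and two
# entries that must be rejected.
SAMPLE_INDICATORS = [
    "192.0.2.0/25", "192.0.2.128/25", "192.0.2.7",
    "198.51.100.23", "2001:db8::1", "2001:DB8::/32",
    "malware.example.com", "Example.COM.", "not a domain", "1.2.3",
]

if __name__ == "__main__":
    cmds, bad = build_group_commands("blocklist", "constructed block list", SAMPLE_INDICATORS)
    print("\n".join(cmds))
    for raw, reason in bad:
        print(f"# rejected {raw!r}: {reason}")
```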

running-rep-X (profile X) Context Commands

Immediate Commit Feature. Changes take effect immediately.

NGFW{running-rep}profile abc

NGFW{running-rep-abc}action-when-pending

Set pending action to permit or drop.

Syntax action-when-pending (permit|drop)

Example

NGFW{running-rep-abc}action-when-pending permit

NGFW{running-rep-abc}check-source-address

Enables or disables check source address.

Syntax check-source-address (enable|disable)

Valid entries: enable Enable check source address disable Disable check source address

Example

NGFW{running-rep-abc}check-source-address enable

NGFW{running-rep-abc}check-destination-address

Enables or disables check destination address.

Syntax check-destination-address (enable|disable)

Example

NGFW{running-rep-abc}check-destination-address enable

NGFW{running-rep-abc}delete

Delete file or configuration item.

Syntax delete dns-except DOMAINNAME

delete filter REPGROUP

delete ip-except (A.B.C.D|A.B.C.D/M|X:X::X:X|X:X::X:X/M) (A.B.C.D|A.B.C.D/M|X:X::X:X|X:X::X:X/M)

Example

NGFW{running-rep-abc}delete dns-except example.com

NGFW{running-rep-abc}delete filter "myrepgroup"

NGFW{running-rep-abc}delete ip-except 192.168.1.1 192.168.2.2

NGFW{running-rep-abc}delete ip-except 2001:2:0:0:0:0:0:0/48 2001:db8:0:0:0:0:0:0/32

NGFW{running-rep-abc}dns-except

DNS domain exception.

Syntax dns-except DOMAINNAME

Example

NGFW{running-rep-abc}dns-except example.com

NGFW{running-rep-abc}filter

Add a reputation filter rule.

Syntax filter REPGROUP disable

filter REPGROUP enable [THRESHOLD [ACTIONSET]]

Valid entries:

enable Enable filter rule

THRESHOLD Set threshold (0-100)

ACTIONSET Apply action set name

disable Disable filter rule

Example

NGFW{running-rep-abc}filter "myrepgroup" enable

NGFW{running-rep-abc}filter "myrepgroup" enable 0 "Block + Notify"

NGFW{running-rep-abc}ip-except

Add IP address exception.

Syntax ip-except SOURCEIP DESTINATIONIP

SOURCEIP A.B.C.D or A.B.C.D/M or X:X::X:X or X:X::X:X/M

DESTINATIONIP A.B.C.D or A.B.C.D/M or X:X::X:X or X:X::X:X/M

Example

NGFW{running-rep-abc}ip-except 192.168.1.1 192.168.2.2

NGFW{running-rep-abc}ip-except 2001:2:0:0:0:0:0:0/48 2001:db8:0:0:0:0:0:0/32

running-rip Context Commands

NGFW{running}router rip

NGFW{running-rip}default-metric

Set default metric for imported routes.

Syntax default-metric (1-16)

Example

NGFW{running-rip}default-metric 2

NGFW{running-rip}delete

Delete file or configuration item.

Syntax delete default-metric (1-16)

delete distance (1-255)

delete equal-cost (2-255)

delete passive-interface INTERFACE

delete redistribute (connected|ospf|static|bgp)

delete timers basic

delete triggered-updates

delete version (1|2)

Valid entries:

default-metric Reset default metric for imported routes

distance Reset administrative distance for routes learned via RIP to default

equal-cost Reset equal-cost to default

passive-interface Enable RIP routing updates on an interface

redistribute Delete redistribution of routes from another routing protocol

timers Reset basic RIP timers to default

triggered-updates Disable triggered-updates

version Reset RIP version to default

Example

NGFW{running-rip}delete default-metric 1

NGFW{running-rip}delete distance 120

NGFW{running-rip}delete equal-cost 2

NGFW{running-rip}delete passive-interface ethernet1

NGFW{running-rip}delete redistribute static

NGFW{running-rip}delete timers basic

NGFW{running-rip}delete triggered-updates

NGFW{running-rip}delete version 2

NGFW{running-rip}disable

Disable Routing Information Protocol (RIP).

Syntax disable

Example

NGFW{running-rip}disable

NGFW{running-rip}distance

Set administrative distance for routes learned via RIP.

Syntax distance (1-255)

Example

NGFW{running-rip}distance 120

NGFW{running-rip}distribute-list

Filter networks for RIP routing updates.

Syntax distribute-list ACCESS-LIST (in|out) INTERFACE

Example

NGFW{running-rip}distribute-list myaccesslist in ethernet5

NGFW{running-rip}enable

Enable Routing Information Protocol (RIP).

Syntax enable

Example

NGFW{running-rip}enable

NGFW{running-rip}equal-cost

Set the equal cost for ECMP.

Syntax equal-cost (2-255)

Example

NGFW{running-rip}equal-cost 2

NGFW{running-rip}passive-interface

Suppress RIP routing updates on an interface.

Syntax passive-interface (default|INTERFACE)

Valid entries: default "default" for all interfaces

INTERFACE Interface name

Example

NGFW{running-rip}passive-interface ethernet1

NGFW{running-rip}redistribute

Redistribute routes from another routing protocol.

Syntax redistribute (connected|ospf|static|bgp) [metric (0-15)] [route-map ROUTE-MAP]

Valid entries:

connected Connected

static Static routes

ospf Open Shortest Path First (OSPF)

bgp Border Gateway Protocol (BGP)

metric (0-15) Metric for redistributed routes

route-map ROUTE-MAP Route map reference (pointer to route-map entries)

Example

NGFW{running-rip}redistribute static metric 1 route-map myroutemap1

NGFW{running-rip}timers

Set basic RIP timers.

Syntax timers basic ROUTING-TABLE-UPDATE ROUTING-INFORMATION-TIMEOUT GARBAGE-COLLECTION

Valid entries: basic Set basic RIP timers

ROUTING-TABLE-UPDATE Routing table update timer value (0-65535)

ROUTING-INFORMATION-TIMEOUT Routing information timeout timer value (0-65535)

GARBAGE-COLLECTION Garbage collection timer value (0-65535)

Example

NGFW{running-rip}timers basic 30 180 120


NGFW{running-rip}triggered-updates

Enable RIP triggered-updates.

Syntax triggered-updates

Example

NGFW{running-rip}triggered-updates

NGFW{running-rip}version

Set RIP version.

Syntax version (1-2)

Example

NGFW{running-rip}version 2

running-ripng Context Commands

NGFW{running}router ripng

NGFW{running-ripng}default-metric

Set default metric for imported routes.

Syntax default-metric DEFAULT-METRIC

DEFAULT-METRIC (1-16)

Example

NGFW{running-ripng}default-metric 1

NGFW{running-ripng}delete

Delete file or configuration item.

Syntax delete default-metric DEFAULT-METRIC
delete distance DISTANCE
delete distribute-list ACCESS-LIST (in|out) INTERFACE
delete equal-cost COST
delete passive-interface INTERFACE
delete redistribute PROTOCOL
delete timers basic
delete triggered-updates

Valid entries:

default-metric Reset default metric for imported routes

distance Reset administrative distance for routes learned via RIPng to default

distribute-list Delete RIPng distribute list entry

equal-cost Reset equal-cost to default

passive-interface Enable RIPng routing updates on an interface

redistribute Delete redistribute routes from another routing protocol

timers Reset basic RIPng timers to default

triggered-updates Disable triggered-updates


Example

NGFW{running-ripng}delete triggered-updates

NGFW{running-ripng}disable

Disable Routing Information Protocol next generation (RIPng).

Syntax disable

Example

NGFW{running-ripng}disable

NGFW{running-ripng}distance

Set administrative distance for routes learned by way of RIPng.

Syntax distance DISTANCE

DISTANCE Distance (1-255)

Example

NGFW{running-ripng}distance 2

NGFW{running-ripng}distribute-list

Filter networks in RIPng routing updates.

Syntax distribute-list ACCESS-LIST (in|out) INTERFACE

Valid entries: distribute-list Filter networks in RIPng routing updates

ACCESS-LIST Access list name

in Incoming

out Outbound

INTERFACE Interface name

Example

NGFW{running-ripng}distribute-list mylist in ?

Valid entry at this position is:

INTERFACE Interface name

NGFW{running-ripng}enable

Enable Routing Information Protocol next generation (RIPng).

Syntax enable

Example

NGFW{running-ripng}enable


NGFW{running-ripng}equal-cost

Set the equal cost for ECMP.


Syntax equal-cost EQUAL-COST

EQUAL-COST (2-255)

Example

NGFW{running-ripng}equal-cost 2

NGFW{running-ripng}passive-interface

Suppress RIPng routing updates on an interface.

Syntax passive-interface (default|INTERFACE)

Valid entries: default "default" for all interfaces

INTERFACE Interface name

Example

NGFW{running-ripng}passive-interface default

NGFW{running-ripng}redistribute

Redistribute routes from another routing protocol.

Syntax redistribute PROTOCOL [metric (0-16)] [route-map ROUTE-MAP]

Possible values for PROTOCOL are:

connected Connected

static Static routes

ospfv3 Open Shortest Path First (OSPFv3)

Valid entries:

metric Metric

(0-16) Metric for redistributed routes

route-map Route map reference

ROUTE-MAP Pointer to route-map entries

Example

NGFW{running-ripng}redistribute connected

NGFW{running-ripng}timers

Set basic RIPng timers.

Syntax timers basic ROUTING-TABLE-UPDATE ROUTING-INFORMATION-TIMEOUT GARBAGE-COLLECTION

Valid entries: basic Set basic RIPng timers

ROUTING-TABLE-UPDATE Routing table update timer value (0-65535)

ROUTING-INFORMATION-TIMEOUT Routing information timeout timer value (0-65535)

GARBAGE-COLLECTION Garbage collection timer value (0-65535)

Example

NGFW{running-ripng}timers basic 60 90 120


NGFW{running-ripng}triggered-updates

Enable RIPng triggered-updates.

Syntax triggered-updates

Example

NGFW{running-ripng}triggered-updates

running-route-map Context Commands

NGFW{running}route-map mymap permit 10

NGFW{running-route-map}delete

Delete file or configuration item.

Syntax delete match as-path
delete match community-list
delete match ip address ACCESS-LIST-NAME
delete match ip next-hop A.B.C.D
delete match metric
delete set as-path prepend
delete set comm-list
delete set community
delete set ip next-hop A.B.C.D
delete set local-preference
delete set metric

Example

NGFW{running-route-map}delete match as-path

NGFW{running-route-map}delete match community-list

NGFW{running-route-map}delete match ip next-hop 198.162.0.24

NGFW{running-route-map}delete match metric

NGFW{running-route-map}delete set as-path prepend

NGFW{running-route-map}match

Specifies the matching condition.

Syntax match as-path ASPATH-LIST-NAME
match community-list COMMUNITY-LIST-NAME
match ip address ACCESS-LIST-NAME
match ip next-hop A.B.C.D
match metric (1-65535)

Example

NGFW{running-route-map}match metric 2


NGFW{running-route-map}set

Sets the route attributes.

Syntax set as-path prepend (ASNUMBER){1,24}
set comm-list COMMUNITY-LIST-NAME delete
set community ((AA:NN)|internet|local-as|no-advertise|no-export)
set ip next-hop A.B.C.D
set local-preference (0-65535)
set metric (1-65535)

Example

NGFW{running-route-map}set as-path prepend 64497

NGFW{running-route-map}set as-path prepend 64496 64511 65536 65551

running-schedules Context Commands

NGFW{running}schedules

NGFW{running-schedules}delete

Deletes a schedule.

Syntax delete schedule (all|SCHEDULENAME)

Example

NGFW{running-schedules}delete schedule myhours1

NGFW{running-schedules}delete schedule all

NGFW{running-schedules}rename

Rename a schedule.

Syntax rename schedule SCHEDULENAME NEWSCHEDULENAME

Example

NGFW{running-schedules}rename schedule myhours1 myhours2

NGFW{running-schedules}schedule

Create or enter a schedule context.

Syntax schedule SCHEDULENAME

Example

NGFW{running-schedules}schedule myhours1

running-schedules-X Context Commands

NGFW{running-schedules}schedule myhours1

NGFW{running-schedule-myhours1}delete

Delete a schedule-entry.

Syntax delete schedule-entry (all|SCHEDULENAME)

Example

NGFW{running-schedule-myhours1}delete schedule-entry -mtwtf- from 09:00 to 10:00


NGFW{running-schedule-myhours1}description

Enter description for the segment.

Syntax description TEXT

Example

NGFW{running-schedule-myhours1}description "After Normal Business Hours"

NGFW{running-schedule-myhours1}schedule-entry

Add a schedule entry.

Syntax schedule-entry DAYS START-TIME

Example

NGFW{running-schedule-myhours1}schedule-entry s-----s from 00:00 to 23:59

NGFW{running-schedule-myhours1}schedule-entry -mtwtf- from 18:00 to 23:59

NGFW{running-schedule-myhours1}schedule-entry -mtwtf- from 00:00 to 07:00

NGFW{running-schedule-myhours1}schedule-entry -mtwtf- from 09:00 to 10:00
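The schedule-entry lines above define when a policy that references the schedule is active, so an auditor usually wants to know whether a given moment is covered and where the gaps are. The following parser and evaluator is an added example, not code from the HP manual or the product. It assumes, from the manual's `s-----s` and `-mtwtf-` examples, that the DAYS mask is seven characters ordered Sunday through Saturday, that a day letter marks the day active and `-` marks it inactive, and that the time window is inclusive at minute granularity. The `MYHOURS1_LINES` table is constructed from the four example lines for `myhours1`.

```python
"""Parse NGFW schedule-entry lines and test whether a timestamp falls inside
the schedule.  Added example; not code from the HP manual.  Assumed, from the
manual's 's-----s' and '-mtwtf-' examples: the DAYS mask is seven characters
ordered Sunday..Saturday, a day letter marks the day active and '-' marks it
inactive; the time window is inclusive at minute granularity."""
import re
from datetime import datetime

DAY_LETTERS = "smtwtfs"          # assumed order: Sun Mon Tue Wed Thu Fri Sat
_ENTRY_RE = re.compile(
    r"^(?P<days>[smtwf-]{7})\s+from\s+(?P<start>\d{2}:\d{2})\s+to\s+(?P<end>\d{2}:\d{2})$",
    re.IGNORECASE,
)

# Constructed from the manual's four example lines for schedule myhours1.
MYHOURS1_LINES = [
    "s-----s from 00:00 to 23:59",
    "-mtwtf- from 18:00 to 23:59",
    "-mtwtf- from 00:00 to 07:00",
    "-mtwtf- from 09:00 to 10:00",
]


def _minutes(hhmm):
    """'HH:MM' -> minutes since midnight, rejecting out-of-range values."""
    h, m = (int(x) for x in hhmm.split(":"))
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"invalid time {hhmm!r}")
    return h * 60 + m


def parse_schedule_entry(text):
    """Return {'days': set of 0..6 (0=Sunday), 'start': minutes, 'end': minutes}."""
    m = _ENTRY_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed schedule entry: {text!r}")
    days = set()
    for i, ch in enumerate(m.group("days").lower()):
        if ch == "-":
            continue
        if ch != DAY_LETTERS[i]:          # e.g. an 'f' written in the Monday slot
            raise ValueError(f"day letter {ch!r} in slot {i} should be {DAY_LETTERS[i]!r}")
        days.add(i)
    start, end = _minutes(m.group("start")), _minutes(m.group("end"))
    if end < start:
        raise ValueError(f"end before start in {text!r}")
    return {"days": days, "start": start, "end": end}


def is_valid_entry(text):
    """True when the line parses under the assumed grammar."""
    try:
        parse_schedule_entry(text)
        return True
    except ValueError:
        return False


def is_covered(entries, when):
    """True if ISO-8601 timestamp `when` falls inside any parsed entry."""
    dt = datetime.fromisoformat(when)
    day = (dt.weekday() + 1) % 7         # Python: Monday=0..Sunday=6 -> Sunday=0
    minute = dt.hour * 60 + dt.minute    # seconds dropped: 23:59:30 lies in 23:59
    return any(day in e["days"] and e["start"] <= minute <= e["end"] for e in entries)


MYHOURS1 = [parse_schedule_entry(line) for line in MYHOURS1_LINES]

if __name__ == "__main__":
    for ts in ("2013-08-10T12:00", "2013-08-12T08:00", "2013-08-12T09:30"):
        print(ts, "covered" if is_covered(MYHOURS1, ts) else "not covered")
```

Because the comparison is done on whole minutes, an entry ending at `23:59` covers the last minute of the day here; whether the appliance compares at the same granularity, and whether two adjacent entries leave a one-minute hole, is worth confirming on the device before relying on a schedule to gate a permissive rule.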

running-segmentX Context Commands

NGFW{running}segment0

NGFW{running-segment0}bind

Bind ethernet port pairs to segment.

Syntax bind (ethernet1+ethernet2 | ethernet3+ethernet4 | ethernet5+ethernet6 | ethernet7+ethernet8)

Example

NGFW{running-segment0}bind ethernet1+ethernet2

NGFW{running-segment0}delete

Delete binding.

Syntax delete (bind|high-availability|link-down)

Valid entries: bind Unbind ethernet port pairs

high-availability Intrinsic HA Layer 2 Fallback action

link-down Link down synchronization mode

Example

NGFW{running-segment0}delete bind

NGFW{running-segment0}delete high-availability

NGFW{running-segment0}delete link-down

NGFW{running-segment0}description

Enter description for the segment.


Syntax description TEXT

Example

NGFW{running-segment0}description "My Segment"

NGFW{running-segment0}high-availability

Intrinsic HA Layer 2 Fallback action block or permit.

Syntax high-availability (block|permit)

Valid entries: block Enable block all

permit Enable permit all

Example

NGFW{running-segment0}high-availability permit

NGFW{running-segment0}link-down

Link down synchronization mode.

Syntax link-down breaker [wait-time WAIT-TIME]
link-down hub
link-down wire [wait-time WAIT-TIME]

Valid entries: breaker Enable breaker action

hub Enable hub action

wire Enable wire action

WAIT-TIME Time to wait before synchronizing in seconds

Example

NGFW{running-segment0}link-down wire wait-time 30

NGFW{running-segment0}restart

Restart both ethernet ports of segment.

Syntax restart

Example

NGFW{running-segment0}restart

running-services Context Commands

NGFW{running}services

NGFW{running-services}delete

Delete service(s).

Syntax delete service (all|SERVICENAME)


Example

NGFW{running-services}delete service myservice2

NGFW{running-services}delete service all

NGFW{running-services}rename

Rename service.

Syntax rename service SERVICENAME NEWSERVICENAME

Example

NGFW{running-services}rename service myservice1 myservice2

NGFW{running-services}service

Create or enter a service context.

Syntax service SERVICENAME

Example

NGFW{running-services}service myservice1

running-services-X Context Commands

NGFW{running-services}service myservice1

NGFW{running-services-myservice1}delete

Delete service parameters.

Syntax delete icmp (all|NAME|NUMBER)
delete icmpv6 (all|NAME|NUMBER)
delete port tcp PORT [to LASTPORT]
delete port udp PORT [to LASTPORT]
delete port tcp all
delete port udp all
delete protocol (all|PROTONUM)
delete service (all|SERVICENAME)

Valid entries: icmp Delete ICMPv4

icmpv6 Delete ICMPv6

port Delete port(s)

protocol Delete packet protocol number(s)

service Delete member service

Example

NGFW{running-services-myservice1}delete icmp any

NGFW{running-services-myservice1}delete icmpv6 any

NGFW{running-services-myservice1}delete port udp 53

NGFW{running-services-myservice1}delete port tcp all

NGFW{running-services-myservice1}delete protocol 6

NGFW{running-services-myservice1}delete service http

NGFW{running-services-myservice1}delete service dns


NGFW{running-services-myservice1}description

Apply service description.

Syntax description TEXT

Example

NGFW{running-services-myservice1}description "my service 1"

NGFW{running-services-myservice1}icmp

Apply ICMPv4.

Syntax icmp (NAME|NUMBER)

ICMP-CODENAMES Apply ICMPv4 code name

NUMBER Apply ICMP type number (0-255)

Example

NGFW{running-services-myservice1}icmp any

NGFW{running-services-myservice1}icmp 0

NGFW{running-services-myservice1}icmp echo-reply

NGFW{running-services-myservice1}icmpv6

Apply ICMPv6.

Syntax icmpv6 (NAME|NUMBER)

ICMP6-CODENAMES Apply ICMPv6 code name

NUMBER Apply ICMPv6 type number (0-255)

Example

NGFW{running-services-myservice1}icmpv6 any

NGFW{running-services-myservice1}icmpv6 129

NGFW{running-services-myservice1}icmpv6 echo-reply

NGFW{running-services-myservice1}port

Apply TCP or UDP port number.

Syntax port tcp PORT [to LASTPORT] port udp PORT [to LASTPORT]

Valid entries: tcp Apply TCP

udp Apply UDP

PORT Apply port number

to Set port range to

LAST-PORT Apply last port of range

Example

NGFW{running-services-myservice1}port tcp 80 to 88

NGFW{running-services-myservice1}port udp 53


NGFW{running-services-myservice1}protocol

Apply protocol number.

Syntax protocol IPPROTOCOL

IPPROTOCOL Apply packet protocol number

Example

NGFW{running-services-myservice1}protocol 6

NGFW{running-services-myservice1}service

Apply member service.

Syntax service SERVICENAME

SERVICENAME Existing service name

Example

NGFW{running-services-myservice1}service http

NGFW{running-services-myservice1}service dns
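A service in this context is the union of its own port, protocol and ICMP entries and of every member service it names, so the effective match set of a rule that references `myservice1` is only visible after the members are flattened. The resolver below is an added example, not code from the HP manual or the product. It assumes that a packet matches a service when it matches any entry of the service or, recursively, of a member service, and it refuses member cycles. The `SERVICES` table is constructed here: `http` and `dns` are given plausible contents because the manual only refers to them by name, and `protocol 47` (GRE) replaces the manual's `protocol 6` so that the whole-protocol entry does not swallow the TCP port entries.

```python
"""Flatten an NGFW service definition (port, protocol, icmp, icmpv6 and
member 'service' lines) into matchable entries.  Added example, not the
product's code.  Assumes a packet matches a service when it matches any
entry of the service or, recursively, of a member service; 'http' and 'dns'
are constructed here because the manual only refers to them by name."""
import shlex

TCP, UDP, ICMP, ICMPV6 = 6, 17, 1, 58           # IP protocol numbers
ICMP_NAMES = {"echo-reply": 0, "echo-request": 8}       # ICMPv4 types
ICMP6_NAMES = {"echo-request": 128, "echo-reply": 129}  # ICMPv6 types

# Constructed service table: SERVICENAME -> lines typed in its context.
SERVICES = {
    "http": ["port tcp 80"],
    "dns": ["port udp 53", "port tcp 53"],
    "myservice1": [
        'description "my service 1"',
        "icmp echo-reply",
        "icmpv6 129",
        "port tcp 80 to 88",
        "port udp 53",
        "protocol 47",            # GRE, constructed: a whole-protocol entry
        "service http",
        "service dns",
    ],
}


def _port_range(toks):
    """'port tcp PORT [to LASTPORT]' -> (protocol number, first, last)."""
    proto = {"tcp": TCP, "udp": UDP}[toks[1]]
    first = int(toks[2])
    last = int(toks[4]) if len(toks) > 4 and toks[3] == "to" else first
    if not (0 <= first <= last <= 65535):
        raise ValueError(f"bad port range in {' '.join(toks)!r}")
    return proto, first, last


def resolve_service(name, table, _seen=None):
    """Return the flat entry list for NAME, following member services."""
    seen = set() if _seen is None else _seen
    if name in seen:
        raise ValueError(f"member service cycle through {name!r}")
    if name not in table:
        raise KeyError(f"unknown member service {name!r}")
    seen.add(name)
    entries = []
    for line in table[name]:
        toks = shlex.split(line)
        cmd = toks[0] if toks else ""
        if cmd == "port":
            entries.append(("port",) + _port_range(toks))
        elif cmd == "protocol":
            entries.append(("proto", int(toks[1])))
        elif cmd in ("icmp", "icmpv6"):
            names = ICMP_NAMES if cmd == "icmp" else ICMP6_NAMES
            arg = toks[1]
            typ = None if arg == "any" else (int(arg) if arg.isdigit() else names[arg])
            entries.append((cmd, typ))
        elif cmd == "service":
            entries.extend(resolve_service(toks[1], table, seen))
        # 'description' and anything else carries no match data
    seen.discard(name)        # diamond-shaped references are fine; only cycles fail
    return entries


def has_cycle(name, table):
    """True when resolving NAME runs into a member-service cycle."""
    try:
        resolve_service(name, table)
        return False
    except ValueError:
        return True


def service_matches(entries, pkt):
    """pkt: {'protonum': int, 'port': int for tcp/udp, 'type': int for icmp*}."""
    pn = pkt["protonum"]
    for e in entries:
        if e[0] == "port" and pn == e[1] and e[2] <= pkt.get("port", -1) <= e[3]:
            return True
        if e[0] == "proto" and pn == e[1]:
            return True
        if e[0] == "icmp" and pn == ICMP and (e[1] is None or pkt.get("type") == e[1]):
            return True
        if e[0] == "icmpv6" and pn == ICMPV6 and (e[1] is None or pkt.get("type") == e[1]):
            return True
    return False


MYSERVICE1 = resolve_service("myservice1", SERVICES)

if __name__ == "__main__":
    for entry in MYSERVICE1:
        print(entry)
    print(service_matches(MYSERVICE1, {"protonum": TCP, "port": 53}))
```

Flattening makes the point that member services widen a service silently: `myservice1` accepts TCP/53 only because `dns` is a member, and a `protocol` entry accepts every port of that protocol regardless of the port lines beside it.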

running-smr Context Commands

NGFW{running}router smr

NGFW{running-smr}delete

Delete file or configuration item.

Syntax delete dscp xmit
delete monitor A.B.C.D/M A.B.C.D [INTERFACE]
delete timer
delete ttl xmit

Valid entries: dscp Delete the DSCP value in the outbound ICMP packets

monitor Monitored route

timer Base timer

ttl Delete the TTL setting for ICMP packets

Example

NGFW{running-smr}delete dscp xmit

NGFW{running-smr}delete timer

NGFW{running-smr}delete monitor 198.162.0.100/24 ?

Valid entry at this position is:

A.B.C.D The Gateway of the route

NGFW{running-smr}dscp

Define the global DSCP value.

Syntax dscp xmit 0xXX

Valid entries: xmit Define the DSCP in the outbound ICMP packets

0xXX 6-bit Hexadecimal value (0x0 - 0x3f)


Example

NGFW{running-smr}dscp xmit 0x0

NGFW{running-smr}monitor

Define monitoring parameters for a route.

Syntax monitor A.B.C.D/M A.B.C.D MULT MAXFAILURE [A.B.C.D]
monitor A.B.C.D/M A.B.C.D MULT MAXFAILURE distance DISTANCE [A.B.C.D]

Valid entries: monitor Monitor a static route

A.B.C.D/M The monitored route

A.B.C.D The Gateway of the route

MULT Timer multiplier for the polling (range: 1-255)

MAXFAILURE Failure limit for the polling (range: 1-16)

A.B.C.D Probe target different from the route gateway

distance Administrative distance of the route

DISTANCE Administrative distance value (default: 10, range: 1-255)

Example

NGFW{running-smr}monitor 192.168.0.100/24 192.168.0.102 2 3

NGFW{running-smr}timer

Define time base for polling.

Syntax timer MSEC

MSEC base timer in milliseconds (50-300000). Default: 200

Example

NGFW{running-smr}timer 200

NGFW{running-smr}ttl

Define TTL of ICMP packets.

Syntax ttl recv (1-255) ttl xmit (1-255)

Valid entries: recv Define expected TTL of received ICMP packets xmit Define TTL of transmitted ICMP echo packets

Example

NGFW{running-smr}ttl recv 10

running-snat Context Commands

NGFW{running}src-nat

NGFW{running-snat}delete

Delete source NAT rule(s).


Syntax delete rule (all|SRCNATRULEID)

Example

NGFW{running-snat}delete rule 123

NGFW{running-snat}rename

Rename source NAT rule.

Syntax rename rule SRCNATRULEID NEWSRCNATRULEID

Example

NGFW{running-snat}rename rule 123 snat1

NGFW{running-snat}rule

Create or enter a rule context.

Syntax rule (auto|SRCNATRULEID) [POSITION_VALUE]

Example

NGFW{running-snat}rule 123

running-snat-rule-X Context Commands

NGFW{running-snat}rule snat1

NGFW{running-snat-rule-snat1}delete

Delete file or configuration item.

Syntax delete dst-zone (include|exclude) (all|ZONENAME)
delete src-address (include|exclude) group ADDRESSGROUP
delete dst-address (include|exclude) group ADDRESSGROUP
delete src-address (include|exclude) ipaddress A.B.C.D
delete dst-address (include|exclude) ipaddress A.B.C.D
delete src-address (include|exclude) ipaddress A.B.C.D/M
delete dst-address (include|exclude) ipaddress A.B.C.D/M
delete src-address (include|exclude) range A.B.C.D A.B.C.D
delete dst-address (include|exclude) range A.B.C.D A.B.C.D
delete translate-to interface
delete translate-to ipaddress (A.B.C.D|A.B.C.D/M)
delete translate-to range A.B.C.D A.B.C.D

Valid entries: dst-address Delete destination addresses

dst-zone Delete destination security zone

src-address Delete source addresses

translate-to Apply translation

Example

NGFW{running-snat-rule-snat1}delete translate-to range 192.168.1.100 192.168.1.200

NGFW{running-snat-rule-snat1}delete dst-zone include all

NGFW{running-snat-rule-snat1}delete dst-address include ipaddress 192.168.1.0/24


NGFW{running-snat-rule-snat1}delete src-address exclude ipaddress 192.168.1.1

NGFW{running-snat-rule-snat1}description

Apply rule description.

Syntax description TEXT

Example

NGFW{running-snat-rule-snat1}description "source nat rule 1"

NGFW{running-snat-rule-snat1}dst-address

Apply destination address.

Syntax dst-address (include|exclude) group ADDRESSGROUP
dst-address (include|exclude) ipaddress A.B.C.D
dst-address (include|exclude) ipaddress A.B.C.D/M
dst-address (include|exclude) range A.B.C.D A.B.C.D

Example

NGFW{running-snat-rule-snat1}dst-address include ipaddress 192.168.1.0/24

NGFW{running-snat-rule-snat1}dst-address exclude ipaddress 192.168.1.1

NGFW{running-snat-rule-snat1}dst-address include range 192.168.1.100 192.168.1.200

NGFW{running-snat-rule-snat1}dst-zone

Apply destination security zone.

Syntax dst-zone (include|exclude) ZONENAME

Example

NGFW{running-snat-rule-snat1}dst-zone include myzone1

NGFW{running-snat-rule-snat1}dst-zone exclude myzone1

NGFW{running-snat-rule-snat1}move

Move rule position in the rule table.

Syntax move after SRCNATRULEID
move before SRCNATRULEID
move to position VALUE

Valid entries: after Move rule position after the rule identifier

SRCNATRULEID Apply source NAT rule identifier

before Move rule position before the rule identifier

to Move to rule position

position Apply rule position

VALUE Apply rule position number

Example

NGFW{running-snat-rule-snat1}move after snat1


NGFW{running-snat-rule-snat1}move before snat1

NGFW{running-snat-rule-snat1}move to position 1

NGFW{running-snat-rule-snat1}src-address

Apply source address.

Syntax src-address (include|exclude) group ADDRESSGROUP
src-address (include|exclude) ipaddress A.B.C.D
src-address (include|exclude) ipaddress A.B.C.D/M
src-address (include|exclude) range A.B.C.D A.B.C.D

Example

NGFW{running-snat-rule-snat1}src-address include ipaddress 192.168.1.0/24

NGFW{running-snat-rule-snat1}src-address exclude ipaddress 192.168.1.1

NGFW{running-snat-rule-snat1}src-address include range 192.168.1.100 192.168.1.200

NGFW{running-snat-rule-snat1}translate-to

Apply translation.

Syntax translate-to interface
translate-to ipaddress (A.B.C.D|A.B.C.D/M)
translate-to range A.B.C.D A.B.C.D

Valid entries: interface Apply translate interface

ipaddress Apply IP address

range Apply IP address range

Example

NGFW{running-snat-rule-snat1}translate-to interface

NGFW{running-snat-rule-snat1}translate-to ipaddress 192.168.1.1

NGFW{running-snat-rule-snat1}translate-to ipaddress 192.168.1.0/24

NGFW{running-snat-rule-snat1}translate-to range 192.168.1.100 192.168.1.200
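A source NAT rule in this context is matched on three criteria (src-address, dst-address, dst-zone), each built from include and exclude entries, before the translate-to action applies. The evaluator below is an added example, not code from the HP manual or the product; the `group ADDRESSGROUP` form is left out because address groups are defined in another context. It assumes, as the manual's paired `include 192.168.1.0/24` / `exclude 192.168.1.1` examples suggest, that an address matches a criterion when it falls inside at least one include entry and inside no exclude entry, and that a criterion with no entries matches everything. The `SNAT1_LINES` text is constructed from the example lines of the `snat1` context.

```python
"""Evaluate the match criteria of an NGFW source-NAT rule context.  Added
example, not the product's code.  Assumption: an address matches when it is
inside at least one 'include' entry and inside no 'exclude' entry; a
criterion with no entries matches everything.  'group' entries are omitted."""
import ipaddress
import shlex

# Constructed from the manual's example lines for the snat1 rule context.
SNAT1_LINES = """
description "source nat rule 1"
src-address include ipaddress 192.168.1.0/24
src-address exclude ipaddress 192.168.1.1
dst-zone include myzone1
dst-address include range 192.168.1.100 192.168.1.200
translate-to interface
"""


def _parse_entry(toks):
    """'ipaddress A.B.C.D[/M]' or 'range A.B.C.D A.B.C.D' -> (lo, hi) as ints."""
    if toks[0] == "ipaddress":
        net = ipaddress.ip_network(toks[1], strict=False)   # host address -> /32
        return int(net.network_address), int(net.broadcast_address)
    if toks[0] == "range":
        lo, hi = ipaddress.ip_address(toks[1]), ipaddress.ip_address(toks[2])
        if hi < lo:
            raise ValueError("range end precedes range start")
        return int(lo), int(hi)
    raise ValueError(f"unsupported address entry: {' '.join(toks)!r}")


class AddressCriterion:
    """Include/exclude sets for one of src-address or dst-address."""

    def __init__(self):
        self.include, self.exclude = [], []

    def add(self, mode, toks):
        if mode not in ("include", "exclude"):
            raise ValueError(f"expected include|exclude, got {mode!r}")
        getattr(self, mode).append(_parse_entry(toks))

    def matches(self, addr):
        a = int(ipaddress.ip_address(addr))
        if any(lo <= a <= hi for lo, hi in self.exclude):   # exclude always wins
            return False
        return not self.include or any(lo <= a <= hi for lo, hi in self.include)


class SnatRule:
    """Match criteria and action of one running-snat-rule-X context."""

    def __init__(self, name):
        self.name = name
        self.src, self.dst = AddressCriterion(), AddressCriterion()
        self.zone_include, self.zone_exclude = set(), set()
        self.translate_to = None

    def apply(self, line):
        """Feed one CLI line from the rule context; description is ignored."""
        toks = shlex.split(line)
        if not toks:
            return
        cmd = toks[0]
        if cmd in ("src-address", "dst-address"):
            (self.src if cmd == "src-address" else self.dst).add(toks[1], toks[2:])
        elif cmd == "dst-zone":
            (self.zone_include if toks[1] == "include" else self.zone_exclude).add(toks[2])
        elif cmd == "translate-to":
            self.translate_to = toks[1:]

    def matches(self, src_ip, dst_ip, dst_zone):
        if dst_zone in self.zone_exclude:
            return False
        if self.zone_include and dst_zone not in self.zone_include:
            return False
        return self.src.matches(src_ip) and self.dst.matches(dst_ip)


def build_snat1():
    rule = SnatRule("snat1")
    for line in SNAT1_LINES.splitlines():
        rule.apply(line)
    return rule


if __name__ == "__main__":
    r = build_snat1()
    print(r.matches("192.168.1.50", "192.168.1.150", "myzone1"), r.translate_to)
```

Under these semantics the exclude of the single host `192.168.1.1` carves a hole out of the `/24` include, which is the usual way to keep a gateway or management host out of a translation; if the appliance resolves overlapping include and exclude entries differently, the order-independent rule used here will disagree with it, so test the overlap case on the device.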

running-snmp Context Commands

NGFW{running}snmp

NGFW{running-snmp}authtrap

Enable or disable SNMP authentication failure trap.

Syntax authtrap (enable|disable)

Example

NGFW{running-snmp}authtrap enable

NGFW{running-snmp}community

Configure SNMP read-only community.

Syntax community COMMUNITY [SOURCE]


COMMUNITY Text to identify SNMP system community

SOURCE IP (A.B.C.D|X:X::X:X), subnet (A.B.C.D/M|X:X::X:X/M), or "default"

default Allow any IPv4/6 source

Example

NGFW{running-snmp}community mycommunity default

NGFW{running-snmp}delete

Delete file or configuration item.

Syntax delete community (COMMUNITY|all)
delete trapsession (((A.B.C.D|X:X::X:X|FQDN) ver VERSION)|all)
delete username (USERNAME|all)

Valid entries: community Delete SNMP read-only community

trapsession Delete a configured trap session

username Delete a configured user

Example

NGFW{running-snmp}delete community mycommunity

NGFW{running-snmp}delete community all

NGFW{running-snmp}delete trapsession 192.168.1.1 ver 3

NGFW{running-snmp}delete trapsession all

NGFW{running-snmp}engineID

Configure SNMPv3 engine ID.

Syntax engineID ENGINE-ID

ENGINE-ID SNMPv3 Engine ID (1-32 hex octets, ex: 0x800012ef0302a11aab33f4)

Example

NGFW{running-snmp}engineID 0x800012ef0302a11aab33f4

NGFW{running-snmp}snmp

Enable or disable SNMP.

Syntax snmp (enable|disable)

Example

NGFW{running-snmp}snmp enable

NGFW{running-snmp}trapsession

Configure SNMP v2c or v3 trap destinations.

Syntax trapsession (A.B.C.D|X:X::X:X|FQDN) [port PORT] ver 2c COMMUNITY [inform]
trapsession (A.B.C.D|X:X::X:X|FQDN) [port PORT] ver 3 USERNAME level noAuthNoPriv [inform]
trapsession (A.B.C.D|X:X::X:X|FQDN) [port PORT] ver 3 USERNAME level authNoPriv authtype (MD5|SHA) AUTHPASS [inform]
trapsession (A.B.C.D|X:X::X:X|FQDN) [port PORT] ver 3 USERNAME level authPriv authtype (MD5|SHA) AUTHPASS privproto PRIVPROTO [PRIVPASS] [inform]

Valid entries:

HOST IP address or DNS host name

port Configure SNMP port

PORT SNMP port (default 162)

ver Configure SNMP version (2c, or 3)

2c SNMPv2c

COMMUNITY Text to identify SNMP system community

inform Send information message instead of a trap

3 SNMPv3

USERNAME Text to identify USM user name (for authentication/privacy)

level Configure security level (noAuthNoPriv|authNoPriv|authPriv)

noAuthNoPriv No authentication, no privacy

authNoPriv Authentication, no privacy

authtype Configure authentication type (MD5|SHA)

AUTHTYPE Authentication type

Possible values for AUTHTYPE are:

MD5 Message Digest 5

SHA Secure Hash Algorithm

AUTHPASS Authentication passphrase - must be at least 8 characters

authPriv Authentication and privacy

privproto Configure privacy protocol (DES|AES)

PRIVPROTO Privacy protocol

Possible values for PRIVPROTO are:

DES Data Encryption Security

AES Advanced Encryption Security

PRIVPASS Optional privacy passphrase - must be at least 8 characters

Example

NGFW{running-snmp}trapsession snmpserver.example.com ver 2c mycommunity inform

NGFW{running-snmp}trapsession 192.168.1.1 port 162 ver 2c mycommunity

NGFW{running-snmp}trapsession 192.168.1.1 port 162 ver 3 mysnmpusername level authNoPriv authtype SHA mysnmppassword inform

NGFW{running-snmp}trapsession 100:0:0:0:0:0:0:1 ver 3 mysnmpusername level authNoPriv authtype SHA mysnmppassword inform

NGFW{running-snmp}username

Configure SNMPv3 USM read-only user.

Syntax username USERNAME level noAuthNoPriv
username USERNAME level authNoPriv authtype AUTHTYPE AUTHPASS
username USERNAME level authPriv authtype AUTHTYPE AUTHPASS privproto PRIVPROTO [PRIVPASS]

Valid entries:

USERNAME Text to identify USM user name (for authentication/privacy)

level Configure security level (noAuthNoPriv|authNoPriv|authPriv)

noAuthNoPriv No authentication, no privacy

authNoPriv Authentication, no privacy

authtype Configure authentication type (MD5|SHA)

AUTHTYPE Authentication type

Possible values for AUTHTYPE are:

MD5 Message Digest 5

SHA Secure Hash Algorithm

AUTHPASS Authentication passphrase - must be at least 8 characters

authPriv Authentication and privacy

privproto Configure privacy protocol (DES|AES)

PRIVPROTO Privacy protocol

Possible values for PRIVPROTO are:

DES Data Encryption Security

AES Advanced Encryption Security

PRIVPASS Optional privacy passphrase - must be at least 8 characters

Example

NGFW{running-snmp}username mysnmpusername level noAuthNoPriv

NGFW{running-snmp}username mysnmpusername level authNoPriv authtype SHA mysnmppassword

NGFW{running-snmp}username mysnmpusername level authPriv authtype SHA mysnmppassword privproto AES mysnmpprivpassword
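The community, trapsession and username commands above span the whole range of SNMP security postures, from a v2c community string readable by any source to an SNMPv3 authPriv user with AES. The audit script below is an added example, not code from the HP manual or the product. It parses lines in the grammar the Syntax entries give, encodes the constraints the manual states (passphrases of at least 8 characters, PRIVPASS optional, the three security levels) together with the standard facts that v1/v2c community strings travel in cleartext and that MD5 and DES are the weaker choices, and reports findings per line. `SAMPLE_SNMP_CONFIG` is constructed: it contains the manual's own example lines plus one deliberately weak user (`nmsro`). The remark that an omitted PRIVPASS falls back to AUTHPASS is an assumption about the device, based on how USM implementations commonly behave.

```python
"""Audit lines from the NGFW running-snmp context for weak settings.
Added example, not part of the HP manual.  Grammar follows the Syntax
entries for community, trapsession and username; the sample config is
constructed here and includes the manual's own examples."""
import shlex

MIN_PASSPHRASE = 8   # manual: passphrases "must be at least 8 characters"

# Constructed sample: the manual's examples plus one deliberately weak user.
SAMPLE_SNMP_CONFIG = """
community mycommunity default
trapsession snmpserver.example.com ver 2c mycommunity inform
trapsession 192.168.1.1 port 162 ver 3 mysnmpusername level authNoPriv authtype SHA mysnmppassword inform
username mysnmpusername level noAuthNoPriv
username mysnmpusername level authPriv authtype SHA mysnmppassword privproto AES mysnmpprivpassword
username nmsro level authPriv authtype MD5 short privproto DES
"""


def _audit_usm(rest, label):
    """Check 'level LEVEL [authtype T PASS [privproto P [PASS]]]' (the USM part)."""
    if rest and rest[-1] == "inform":          # trailing trapsession flag
        rest = rest[:-1]
    if len(rest) < 2 or rest[0] != "level":
        return [f"{label}: malformed, expected 'level LEVEL'"]
    level = rest[1]
    if level == "noAuthNoPriv":
        return [f"{label}: noAuthNoPriv gives no authentication and no encryption"]
    if level not in ("authNoPriv", "authPriv"):
        return [f"{label}: unknown security level {level!r}"]
    if len(rest) < 5 or rest[2] != "authtype":
        return [f"{label}: malformed, expected 'authtype (MD5|SHA) AUTHPASS'"]
    findings = []
    authtype, authpass = rest[3], rest[4]
    if authtype == "MD5":
        findings.append(f"{label}: MD5 authentication, prefer SHA")
    if len(authpass) < MIN_PASSPHRASE:
        findings.append(f"{label}: authentication passphrase shorter than {MIN_PASSPHRASE}")
    if level == "authNoPriv":
        findings.append(f"{label}: authNoPriv authenticates but does not encrypt")
        return findings
    if len(rest) < 7 or rest[5] != "privproto":
        return findings + [f"{label}: malformed, expected 'privproto (DES|AES) [PRIVPASS]'"]
    privproto = rest[6]
    privpass = rest[7] if len(rest) > 7 else None
    if privproto == "DES":
        findings.append(f"{label}: DES privacy, prefer AES")
    if privpass is None:   # assumption: device reuses AUTHPASS when PRIVPASS is omitted
        findings.append(f"{label}: no separate PRIVPASS, privacy key assumed to derive from AUTHPASS")
    elif len(privpass) < MIN_PASSPHRASE:
        findings.append(f"{label}: privacy passphrase shorter than {MIN_PASSPHRASE}")
    return findings


def audit_snmp_line(line):
    """Return the findings for one running-snmp command line (empty list = clean)."""
    toks = shlex.split(line)
    if not toks:
        return []
    cmd, args = toks[0], toks[1:]
    if cmd == "community" and args:
        # community COMMUNITY [SOURCE]; an omitted SOURCE means "default" = any source
        source = args[1] if len(args) > 1 else "default"
        findings = [f"community {args[0]!r}: v2c community string travels in cleartext"]
        if source == "default":
            findings.append(f"community {args[0]!r}: accepts any IPv4/IPv6 source, restrict SOURCE to the NMS")
        return findings
    if cmd == "trapsession" and "ver" in args:
        i = args.index("ver")
        label = f"trapsession to {args[0]}"
        if i + 1 >= len(args):
            return [f"{label}: malformed, 'ver' without a version"]
        if args[i + 1] == "2c":
            return [f"{label}: v2c community string travels in cleartext"]
        if args[i + 1] == "3":
            return _audit_usm(args[i + 3:], label)      # skip 'ver 3 USERNAME'
        return [f"{label}: unknown version {args[i + 1]!r}"]
    if cmd == "username" and args:
        return _audit_usm(args[1:], f"user {args[0]}")
    return []


def audit_snmp_config(text):
    """Audit every non-empty line; returns a list of (line, finding) pairs."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        for finding in audit_snmp_line(line):
            out.append((line, finding))
    return out


if __name__ == "__main__":
    for line, finding in audit_snmp_config(SAMPLE_SNMP_CONFIG):
        print(f"{finding}\n    <- {line}")
```

Run against the sample, only the authPriv/SHA/AES user with its own privacy passphrase comes back clean; the community line draws two findings because the manual's `default` SOURCE means any IPv4/IPv6 host may query it, and the `nmsro` user draws four. Pair this with `authtrap enable` so that failed SNMP authentication attempts are reported to the trap destinations.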

running-vlanX Context Commands

NGFW{running}interface vlan0

NGFW{running-vlan0}arp/ndp

Enable or disable ARP and NDP on interface.

Syntax arp/ndp (enable|disable)

Example

NGFW{running-vlan0}arp/ndp enable

NGFW{running-vlan0}autoconfv6

Enable or disable IPv6 autoconfiguration on interface.

Syntax autoconfv6 (enable|disable)

Example

NGFW{running-vlan0}autoconfv6 enable

NGFW{running-vlan0}bind

Bind an interface to vlan.

Syntax bind PORT id vlanid

PORT Bind interface over ethernet, aggregated link or VLAN port

id VLAN ID

vlanid VLAN ID

Example

NGFW{running-vlan0}bind ethernet2 ?

Valid entry at this position is:

id VLAN ID

NGFW{running-vlan0}delete

Delete file or configuration item.


Syntax delete bind
delete ip igmp
delete ip igmp version
delete ip ospf area
delete ip ospf authentication mode md5 (1-255) KEY
delete ip ospf authentication mode text KEY
delete ip ospf cost (1-65535)
delete ip ospf dead-interval (1-65535)
delete ip ospf hello-interval (1-65535)
delete ip ospf priority (0-255)
delete ip ospf retransmit-interval (3-65535)
delete ip ospf transmit-delay (1-65535)
delete ip pim-sm
delete ip rip
delete ip rip authentication mode md5
delete ip rip authentication mode text
delete ip rip receive version (v1-only|v2-only|v1-or-v2)
delete ip rip send version (v1-only|v2-only|v1-or-v2)
delete ip rip split-horizon
delete ipaddress (all|A.B.C.D/M|X:X::X:X/M)
delete ipaddress dhcpv4
delete ipaddress dhcpv6
delete ipv6 mld
delete ipv6 mld version
delete ipv6 ospfv3 area
delete ipv6 ospfv3 cost
delete ipv6 ospfv3 dead-interval
delete ipv6 ospfv3 hello-interval
delete ipv6 ospfv3 priority
delete ipv6 ospfv3 retransmit-interval
delete ipv6 ospfv3 transmit-delay
delete ipv6 pim-sm
delete ipv6 ripng
delete ipv6 ripng split-horizon
delete prefix (all|X:X::X:X/M)
delete shutdown

Valid entries: bind Bind an interface to vlan

ip Configure IP settings

ip Delete IP settings

ipaddress Delete DHCPv4 client context

ipaddress Delete DHCPv6 client context

ipaddress Delete IP address

ipv6 Configure IPv6 settings

ipv6 Delete IPv6

prefix Delete IPv6 prefix

shutdown Shutdown logical interface state

Example

NGFW{running-vlan0}delete bind

NGFW{running-vlan0}delete ip igmp

NGFW{running-vlan0}delete ip rip authentication mode md5

NGFW{running-vlan0}description

Enter description for the interface.


Syntax description TEXT

Example

NGFW{running-vlan0}description "My interface description"

NGFW{running-vlan0}ip

Configure IP settings.

Syntax ip igmp
ip igmp version (1|2|3)
ip ospf area (A.B.C.D|(0-4294967295))
ip ospf authentication mode md5 (1-255) KEY
ip ospf authentication mode text KEY
ip ospf cost (1-65535)
ip ospf dead-interval (1-65535)
ip ospf hello-interval (1-65535) [A.B.C.D]
ip ospf priority (0-255)
ip ospf retransmit-interval (3-65535)
ip ospf transmit-delay (1-65535)
ip pim-sm
ip rip
ip rip authentication mode md5 (0-2147483647) KEY
ip rip authentication mode text
ip rip receive version (v1-only|v2-only|v1-or-v2)
ip rip send version (v1-only|v2-only|v1-or-v2)
ip rip split-horizon [poison-reverse]

Example

NGFW{running-vlan0}ip igmp

NGFW{running-vlan0}ip ospf area 192.168.0.24

NGFW{running-vlan0}ipaddress

Configure IP address.

Syntax ipaddress (A.B.C.D/M|X:X::X:X/M) [primary] ipaddress (dhcpv4|dhcpv6)

Valid entries:

A.B.C.D/M IPv4 address with netmask length

X:X::X:X/M IPv6 address with prefix length

dhcpv4 Configure DHCPv4 client

dhcpv6 Enter DHCPv6 client context

Example

NGFW{running-vlan0}ipaddress dhcpv4

NGFW{running-vlan0}ipv6

Configure IPv6 settings.

Syntax ipv6 mld
ipv6 mld version (1|2)
ipv6 ospfv3 area (A.B.C.D|<0-4294967295>)
ipv6 ospfv3 cost COST
ipv6 ospfv3 dead-interval VALUE
ipv6 ospfv3 hello-interval VALUE
ipv6 ospfv3 priority VALUE
ipv6 ospfv3 retransmit-interval VALUE
ipv6 ospfv3 transmit-delay VALUE
ipv6 pim-sm
ipv6 ripng
ipv6 ripng split-horizon (simple|poison-reverse|inactive)

Valid entries:

mld Configure MLD settings

ospfv3 Configure OSPFv3 over the interface

pim-sm Configure PIM-SM over the interface

ripng Configure RIPng over the interface

area Enable the interface in an OSPFv3 area

<0-4294967295> OSPFv3 area ID as a decimal value

A.B.C.D OSPFv3 area ID in IP address format

cost OSPFv3 interface cost

COST Cost value (1-65535)

dead-interval Interval after which a neighbor is declared dead

VALUE Dead interval value (1-65535)

hello-interval Interval between HELLO packets

VALUE Hello interval value (1-65535)

priority OSPFv3 interface priority

VALUE Priority value (0-255)

retransmit-interval Interval between retransmitting lost link state advertisements

VALUE Retransmit interval value (3-65535)

transmit-delay Link state transmit delay

VALUE Transmit delay value (1-65535)

Example

NGFW{running-vlan0}ipv6 mld

NGFW{running-vlan0}ipv6 ripng split-horizon simple

NGFW{running-vlan0}mtu

Configure interface MTU.

Syntax mtu (default|VALUE)

Valid entries: default Default value is applied

VALUE Interface MTU value (68-9216)

Example

NGFW{running-vlan0}mtu default


NGFW{running-vlan0}prefix

Configure IPv6 prefix.

Syntax prefix X:X::X:X/M [valid-lifetime (1-4294967295)] [preferred-lifetime (1-4294967295)]

Valid entries:

X:X::X:X/M IPv6 prefix

valid-lifetime Configure valid lifetime

(1-4294967295) Valid lifetime in seconds (default is 2592000)

preferred-lifetime Configure preferred lifetime

(1-4294967295) Preferred lifetime in seconds (default is 604800 - cannot exceed valid lifetime)

Example

NGFW{running-vlan0}prefix 2001:db8::/32

NGFW{running-vlan0}prefix 2001:db8::/32 valid-lifetime 2592000

NGFW{running-vlan0}ra-autoconf-level

Modify IPv6 Router Advertisement autoconfiguration level.

Syntax ra-autoconf-level AUTOCONF

Valid entries:

AUTOCONF Router Advert Autoconfiguration level (DHCP)

Possible values for AUTOCONF are:

none No parameter is autoconfigured

address Address is autoconfigured

other Some other parameters are autoconfigured

full Most parameters are autoconfigured

Example

NGFW{running-vlan0}ra-autoconf-level full

NGFW{running-vlan0}ra-interval

Modify IPv6 Router Advertisement interval value.

Syntax ra-interval INTERVAL

Valid entries:

INTERVAL Router Advert emission period (in milliseconds)

Example

NGFW{running-vlan0}ra-interval 240

NGFW{running-vlan0}ra-interval-transmit

Modify IPv6 Router Advertisement interval transmit.

Syntax ra-interval-transmit (enable|disable)

Valid entries: enable Enable router advertisement

disable Disable router advertisement

Example

NGFW{running-vlan0}ra-interval-transmit enable


NGFW{running-vlan0}ra-lifetime

Modify IPv6 Router Advertisement prefix lifetime in seconds.

Syntax ra-lifetime (0-9000000)

Example

NGFW{running-vlan0}ra-lifetime 9000000

NGFW{running-vlan0}ra-mtu

Modify IPv6 Router Advertisement MTU value.

Syntax ra-mtu (none|MTU)

Valid entries: none Not configured

MTU MTU value advertised (68-9216) (0 if none)

Example

NGFW{running-vlan0}ra-mtu 9216

NGFW{running-vlan0}ra-transmit-mode

Modify IPv6 Router Advertisement transmit mode.

Syntax ra-transmit-mode MODE

MODE Router Advertisement transmit mode

Possible values for MODE are:

always Router Advert message is always sent

never Router Advert message is never sent

smart Router Advert message is sent if a prefix is defined

Example

NGFW{running-vlan0}ra-transmit-mode always

NGFW{running-vlan0}shutdown

Shutdown logical interface state.

Syntax shutdown

Example

NGFW{running-vlan0}shutdown


NGFW{running-vlan0}tcp4mss

Configure interface TCP MSS for IPv4.

Syntax tcp4mss (disable|automatic|VALUE)

Valid entries: disable Disable service

automatic Automatically select TCP MSS based on interface MTU

VALUE TCP MSS value for IPv4 (4-65535)

Example

NGFW{running-vlan0}tcp4mss 4

NGFW{running-vlan0}tcp6mss

Configure interface TCP MSS for IPv6.

Syntax tcp6mss (disable|automatic|VALUE)

Valid entries: disable Disable service

automatic Automatically select TCP MSS based on interface MTU

VALUE TCP MSS value for IPv6 (4-65535)

Example

NGFW{running-vlan0}tcp6mss automatic

running-zones Context Commands

NGFW{running}zones

NGFW{running-zones}delete

Delete security zone(s).

Syntax delete zone (all|ZONENAME)

Valid entries: zone Delete security zone(s)

all All settings

ZONENAME Existing security zone name

Example

NGFW{running-zones}delete zone all

NGFW{running-zones}delete zone myzone1

NGFW{running-zones}rename

Rename a specified zone.

Syntax rename zone ZONENAME NEWZONENAME

Valid entries: zone Enter security zone context

ZONENAME Existing security zone name

NEWZONENAME New security zone name

Example

NGFW{running-zones}rename zone myzone1 myzone2

NGFW{running-zones}zone

Enter security zone context.


Syntax zone ZONENAME

Example

NGFW{running-zones}zone myzone1

running-zones-X Context Commands

NGFW{running-zones}zone myzone1

NGFW{running-zones-myzone1}application-visibility

Enable or Disable application visibility.

Syntax application-visibility (enable|disable)

Example

NGFW{running-zones-myzone1}application-visibility enable

NGFW{running-zones-myzone1}bind

Bind interfaces to zones.

Syntax bind INTERFACE

Example

NGFW{running-zones-myzone1}bind ethernet5

NGFW{running-zones-myzone1}delete

Delete a configuration item; in the zone context this removes interface bindings.

Syntax delete bind (INTERFACE|all)

Valid entries: bind Bind interfaces to zones

INTERFACE Delete interface from zone

all Delete all interfaces bound to the zone

Example

NGFW{running-zones-myzone1}delete bind ethernet5

NGFW{running-zones-myzone1}description

Enter description for the zone.

Syntax description TEXT

Example

NGFW{running-zones-myzone1}description "my zone 1"
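The running-zones and running-zones-X entries above list the zone commands one at a time. The following is an added example, not code from the HP guide, that interprets those command forms (delete zone, rename zone, zone, bind, delete bind, description, application-visibility) against a model of the zone table, so a change script can be dry-run before it is typed on the appliance. The semantics are assumptions the page does not state: zone names are unique, an interface is bound to at most one zone, and `zone NAME` creates the zone when it does not exist. Interfaces that lose their zone through `delete zone` or `delete bind` are collected as orphans, since traffic on an interface with no zone falls outside any zone-based policy and is the thing an operator most wants to notice before committing.

```python
"""Added example, not code from the HP guide: a small interpreter for the
zone commands shown on this page, used to dry-run a change script against
a model of the zone table. Semantics are assumptions (see lead-in): unique
zone names, one zone per interface, 'zone NAME' creates on first use, and
interfaces unbound by 'delete zone' / 'delete bind' are reported as orphans."""
import re

# Prompt as the page prints it: NGFW{running-zones} or NGFW{running-zones-NAME}
PROMPT = re.compile(r"NGFW\{running-zones(?:-([\w-]+))?\}\s*(.*)$")


def new_zone():
    return {"description": "", "app_visibility": False, "interfaces": set()}


class ZoneTable:
    def __init__(self):
        self.zones = {}       # zone name -> attributes dict
        self.orphans = set()  # interfaces currently bound to no zone after an unbind

    def delete_zone(self, target):
        names = list(self.zones) if target == "all" else [target]
        for name in names:
            if name not in self.zones:
                raise KeyError(f"no such zone: {name}")
            self.orphans |= self.zones.pop(name)["interfaces"]

    def rename_zone(self, old, new):
        if old not in self.zones:
            raise KeyError(f"no such zone: {old}")
        if new in self.zones:
            raise ValueError(f"zone already exists: {new}")
        self.zones[new] = self.zones.pop(old)

    def bind(self, name, iface):
        owner = next((z for z, a in self.zones.items() if iface in a["interfaces"]), None)
        if owner not in (None, name):
            raise ValueError(f"{iface} is already bound to {owner}")
        self.zones[name]["interfaces"].add(iface)
        self.orphans.discard(iface)

    def unbind(self, name, target):
        ifaces = self.zones[name]["interfaces"]
        if target == "all":
            self.orphans |= ifaces
            ifaces.clear()
        elif target in ifaces:
            ifaces.remove(target)
            self.orphans.add(target)
        else:
            raise KeyError(f"{target} is not bound to {name}")


def apply_script(lines):
    """Apply CLI lines written with their prompt, exactly as the page shows them."""
    table = ZoneTable()
    for raw in lines:
        m = PROMPT.match(raw.strip())
        if not m:
            raise SyntaxError(f"not a zones-context line: {raw!r}")
        ctx, cmd = m.group(1), m.group(2)
        parts = cmd.split()
        if ctx is None:                       # running-zones context
            if parts[:2] == ["delete", "zone"] and len(parts) == 3:
                table.delete_zone(parts[2])
            elif parts[:2] == ["rename", "zone"] and len(parts) == 4:
                table.rename_zone(parts[2], parts[3])
            elif parts[:1] == ["zone"] and len(parts) == 2:
                table.zones.setdefault(parts[1], new_zone())
            else:
                raise SyntaxError(f"unknown running-zones command: {cmd!r}")
        else:                                 # running-zones-X context
            if ctx not in table.zones:
                raise KeyError(f"zone context for unknown zone: {ctx}")
            zone = table.zones[ctx]
            if parts[:1] == ["bind"] and len(parts) == 2:
                table.bind(ctx, parts[1])
            elif parts[:2] == ["delete", "bind"] and len(parts) == 3:
                table.unbind(ctx, parts[2])
            elif parts[:1] == ["description"] and len(parts) >= 2:
                zone["description"] = cmd.split(None, 1)[1].strip().strip('"')
            elif parts[:1] == ["application-visibility"] and parts[1:] in (["enable"], ["disable"]):
                zone["app_visibility"] = parts[1] == "enable"
            else:
                raise SyntaxError(f"unknown zone command: {cmd!r}")
    return table


# Constructed sample script mirroring the page's own examples.
SAMPLE = [
    "NGFW{running-zones}zone myzone1",
    'NGFW{running-zones-myzone1}description "my zone 1"',
    "NGFW{running-zones-myzone1}application-visibility enable",
    "NGFW{running-zones-myzone1}bind ethernet5",
    "NGFW{running-zones-myzone1}bind ethernet6",
    "NGFW{running-zones}rename zone myzone1 myzone2",
    "NGFW{running-zones-myzone2}delete bind ethernet5",
]

if __name__ == "__main__":
    t = apply_script(SAMPLE)
    print(t.zones)                                   # myzone2 with ethernet6 bound
    t = apply_script(SAMPLE + ["NGFW{running-zones}delete zone all"])
    print("orphaned interfaces:", sorted(t.orphans))  # ['ethernet5', 'ethernet6']
```

The useful output is `orphans`: after a `delete zone all`, or a series of `delete bind` lines, it lists every interface that no longer belongs to a zone, which is the set to re-bind (or shut down) before the change goes live.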

244 Edit Running Configuration Commands
