HP TippingPoint
Next Generation Firewall Command Line Interface Reference Guide
Version 1.0.1
Abstract
This reference manual describes the Next Generation

Document Conventions
This guide uses the following document conventions.
• Typefaces
• Document Messages
Typefaces
HP TippingPoint publica
92 Edit Running Configuration Commands
Example
NGFW{running-actionsets-myactionset1}packet-trace enable
NGFW{running-actionsets-myactionset1}priority
Set

NGFW Command Line Interface Reference 93
running-addressgroups Context Commands
NGFW{running-addressgroups}addressgroup
Create or enter an address group

Example
NGFW{running-addressgroups-mygroup1}group mygroup2
NGFW{running-addressgroups-mygroup1}ipaddress
Apply IPv4

Example
NGFW{running-agglink0}bind ethernet5 mode active priority 1
NGFW{running-agglink0}bind ethernet6 mode ac

NGFW{running-agglink0}delete ip rip authentication mode md5
NGFW{running-agglink0}delete ip rip authentication mo

NGFW{running-agglink0}ip rip split-horizon poison-reverse
NGFW{running-agglink0}ipaddress
Configure IP address.
S

Syntax
mac-address (automatic|X:X:X:X:X:X)
Example
NGFW{running-agglink0}mac-address a1:b2:c3:d4:e5:f6
NGFW{running-

Syntax
ra-interval-transmit (enable|disable)
Example
NGFW{running-agglink0}ra-interval-transmit enable
NGFW{runnin

Example
NGFW{running-agglink0}tcp4mss automatic
NGFW{running-agglink0}tcp6mss
Configure interface TCP MSS for IPv6

NGFW{running-app-groups}delete
Delete application-group.
Syntax
delete application-group APPNAME
Example
NGFW{runn
CLI reference guide 3
IMPORTANT: Another type of note that provides clarifying information or specific instructions.
TIP: Tips provide helpful hints and

Example
NGFW{running-autodv}calendar
NGFW{running-autodv}delete
Delete file or configuration item.
Syntax
delete pro

Example
NGFW{running-autodv}periodic
NGFW{running-autodv}proxy
Configure proxy.
Syntax
proxy ADDR port PORT
proxy-p

Example
NGFW{running-autodv-calendar}time ?
Valid entry at this position is:
HOURS  Value range is 0 - 23
NGFW{r

Example
NGFW{running-bgp-1}help aggregate-address
Configure BGP aggregate entries
Syntax: aggregate-address A.B.

distance  Delete administrative distances
graceful-restart  Delete BGP graceful restart
local

Syntax: enable
enable  Enable BGP
NGFW{running-bgp-1}graceful-restart
Set the BGP graceful restart.
Syntax
grac

neighbor NAME peer-group
NGFW{running-bgp-1}network
Specify a network to announce through the BGP.
Syntax
network A

running-blockedStreams Context Commands
NGFW{running}blockedStreams
NGFW{running-blockedStreams}flushallstream

Syntax
bind PORT
Example
NGFW{running-bridge0}bind ethernet5
NGFW{running-bridge0}bind ethernet6
NGFW{running-bridge
ip ospf hello-interval VALUE [A.B.C.D]
ip ospf priority VALUE
ip ospf retransmit-interval VALUE
ip ospf transmit

Example
NGFW{running-bridge0}mtu 1280
NGFW{running-bridge0}prefix
Configure IPv6 prefix.
Syntax
prefix X:X::X:X/M [v

Syntax
ra-lifetime (0-9000000)
Example
NGFW{running-bridge0}ra-lifetime 1800
NGFW{running-bridge0}ra-mtu
Modify I

NGFW{running-bridge0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|4-65535)
disab

Syntax
rule (auto|RULEID) [POSITION_VALUE]
Example
NGFW{running-captive-portal}rule auto
NGFW{running-captive-por

NGFW{running-captive-portal-rule-20000}description
Apply rule description.
Syntax
description TEXT
Example
NGFW{runn

NGFW{running-captive-portal-rule-20000}src-zone
Apply source security zone.
Syntax
src-zone (include|exclude) ZO

2048  2048-bit key size (default)
4096  4096-bit key size
Example
NGFW{running-certificates}cert

NQ9TR7THyOy9dwftwoKSXEmSMA0GCSqGSIb3DQEBBAUAA4GBAIzxQr3OK9Jzq+whZfKLLd0S7PbNZH7BfO7voEGtuC5fSPqbziwmOt9FYAg+U

zR6PBzoFwaWk3nX2lYsk/gFpf07z
-----END CERTIFICATE-----
# CERTIFICATE REQUESTS
cert-request myrequest k

Example
NGFW{running-certificates-crl}help add
Valid commands are:
# Enter context
addressgroups
# Other com
1 Command Line Interface
In addition to the Local System Manager (LSM) and the Centralized Management Capability

Example
NGFW{running-cluster}check config enable
NGFW{running-cluster}cluster-name
Apply cluster name.
Syntax
cluste

Example
NGFW{running-cluster}member-id ?
Valid entry at this position is:
ID  Member ID
NGFW{running-cluster}m

NGFW{running-cluster-tct}encryption
Apply encryption hash.
Syntax
encryption (enable|disable)
encryption hash (none

NGFW{running-cluster-tct}mtu
Apply MTU.
Syntax
mtu (68-9216)
Example
NGFW{running-cluster-tct}mtu 1500
NGFW{running

Example
NGFW{running-cluster-tct}retry 3
NGFW{running-cluster-tct}timeout
Apply timeout.
Syntax
timeout NN Apply tim

Syntax
disable
Example
NGFW{running-dhcp-relay}help disable
Disable DHCP relay
Syntax: disable
disable  Disable

NGFW{running-dhcp-server}disable
Disable server.
Syntax
disable
Example
NGFW{running-dhcp-server}disable
NGFW{running

Example
NGFW{running-dhcp-server-myscope}help address-range
Configure IP address range
Syntax: address-range A.B

Example
NGFW{running-dhcp-server-myscope}help dns-server
Configure DNS server
Syntax: dns-server A.B.C.D primary|s

Configure DHCPv4 lease
Syntax: lease <0-1073741824>
<0-1073741824>  Lease value in seconds (0-1073
6 Command Line Interface
Shortcut Navigation Keys
The CLI has the ability to store typed commands in a circular memory. Typed commands can be recalled w

Syntax
delete rule (all|DSTNATRULEID)
Example
NGFW{running-dnat}delete rule 123
NGFW{running-dnat}rename
Rename dest

NGFW{running-dnat-rule-dnat1}description
Apply rule description.
Syntax
description TEXT
Example
NGFW{running-dnat

Syntax
src-zone (include|exclude) ZONENAME
Example
NGFW{running-dnat-rule-dnat1}src-zone include myzone1
NGFW{runni

Example
NGFW{running-dns}delete proxy cache ?
Valid entries at this position are:
cleaning  Delete cleaning

Syntax
proxy (enable|disable)
proxy cache cleaning interval cache cleaning interval in minutes
proxy cache forward

delete ipaddress (all|A.B.C.D/M|X:X::X:X/M)
delete ipaddress dhcpv4
delete ipaddress dhcpv6
delete ipv6 mld
delet

NGFW{running-ethernet1}ip
Configure IP settings.
Syntax
ip igmp
ip igmp version (1|2|3)
ip ospf area (A.B.C.D|(0-429

delete  Delete file or configuration item
dhcp  Configure DHCPv4 cli

ipv6  Configure IPv6 settings
ripng  Configure RIPng over the interface
split-horizon

Example
NGFW{running-ethernet1}ra-autoconf-level full
NGFW{running-ethernet1}ra-interval
Modify IPv6 Router Adve
Help
The help command provides a list of commands within the current context and the command line usage. The hel

smart  Router Advert message is sent if a prefix is defined
Example
NGFW{running-ethernet1}ra-transmi

running-firewall Context Commands
NGFW{running}firewall
NGFW{running-firewall}default-block-rule
Apply action

Example
NGFW{running-firewall-rule-myrule1}action "Permit + Notify + Trace"
NGFW{running-firewall-rule-

delete dst-zone (exclude all|ZONENAME)
delete user (include all|USERNAME)
delete user (exclude all|USERNAME)
del

NGFW{running-firewall-rule-myrule1}dst-address include range 192.168.1.100 192.168.1.200
NGFW{running-firewall-r

Syntax
schedule (include|exclude) SCHEDULENAME
Example
NGFW{running-firewall-rule-myrule1}schedule include myhou

NGFW{running-firewall-rule-myrule1}user
Apply user name.
Syntax
user (include|exclude) USER_NAME
Example
NGFW{runnin

NGFW{running-gen}delete host myhost
NGFW{running-gen}delete ndp 100::1 ethernet5
NGFW{running-gen}delete arp al

Example
NGFW{running-gen}https enable
NGFW{running-gen}inband-management
Inband Management.
Syntax
inband-managemen

Example
NGFW{running-gen}ndp 100:0:0:0:0:0:0:1 ethernet5 a1:b2:c3:d4:e5:f6
NGFW{running-gen}ssh
Enable or disabl
NGFW{}edit
NGFW{running}interface mgmt
NGFW{running-mgmt}help host (displays valid entries for configuring management port host

running-greX Context Commands
NGFW{running}interface gre0
NGFW{running-gre0}autoconfv6
Enable or disable IPv6 aut

delete ip rip send version VERSION
delete ip rip split-horizon
delete ipaddress A.B.C.D
delete ipaddress X:X::X:

Example
NGFW{running-gre0}description "GRE tunnel 0"
NGFW{running-gre0}ip
Configure IP settings.
Syntax
ip

NGFW{running-gre0}ipv6
Configure IPv6 settings.
Syntax
ipv6 mld
ipv6 mld version (1|2)
ipv6 ospfv3 area (A.B.C.D|(

Syntax
shutdown
Example
NGFW{running-gre0}shutdown
NGFW{running-gre0}tcp4mss
Configure interface TCP MSS for IPv4.
Sy

Example
NGFW{running-high-availability}disable
NGFW{running-high-availability}enable
Enable high-availability.
S

automatic  Automatic AFC mode
manual  Manual AFC mode
NGFW{running-ips}afc-severity
Configures AFC severi

Aggressive  "Offers a more aggressive security posture that may require tuning based upon specific a

Example
NGFW{running-ips}quarantine-duration 60
NGFW{running-ips}rename
Renames a profile.
Syntax
rename profile PRO

Example
NGFW{running-ips-1}delete filter 9
NGFW{running-ips-1}deployment
Change deployment.
Syntax
deployment (Agg
NOTE: As you move through the context menu hierarchies, the command prompt changes accordingly. The help or dis

pre-shared-keys  Delete pre-shared-keys
retransmit-timeout  Delete Dead Peer Detection retransmit-timeout
re

Example
NGFW{running-ipsec}phase1 1 proposal propname
NGFW{running-phase1-proposal-propname}help
NGFW{running-ph

Enter pre-shared key:**************
NGFW{running-ipsec}retransmit-timeout
Configures IKEv2 Dead Peer Detection re

NGFW{running-ipsec-vpn-myvpn}?
running-ipsec-policy-X Context Commands and their Usage
NGFW{running}vpn ipsec
NG

running-ipsec-vpn-X Context Commands and their Usage
NGFW{running}vpn ipsec
NGFW{running-ipsec}vpn myvpn
NGFW{runn

Syntax
exchange-mode (main|aggressive)
Example
NGFW{running-ipsec-vpn-myvpn}exchange-mode aggressive
NGFW{running

Example
NGFW{running-ipsec-vpn-myvpn}nat-traversal enable
NGFW{running-ipsec-vpn-myvpn}peer
Configure local and re

running-l2tp-serverX Context Commands
NGFW{running}l2tp-server0
NGFW{running-l2tp-server0}auth
Authenticated co

NGFW{running-l2tp-server0}sequencing
Enables or disables sequence configuration.
Syntax
sequencing (enable|disable

Example
NGFW{running-l2tp0}bind 192.168.2.1 192.168.200.1
NGFW{running-l2tp0}bind none
NGFW{running-l2tp0}delete
Show
The show command is most efficient in providing critical information, such as traffic usage, router platform type, operat

NGFW{running-l2tp0}ip
Configure IP settings.
Syntax
ip igmp
ip igmp version (1|2|3)
Example
NGFW{running-l2tp0}ip igm

NGFW{running-l2tp0}log-option
Add service log option.
Syntax
log-option ppp all
log-option ppp (PPP-LOG-OPTION)
PP

Syntax
prefix X:X::X:X/M [valid-lifetime (1-4294967295)] [preferred-lifetime (1-4294967295)]
Example
NGFW{running-

NGFW{running-l2tp0}ra-mtu
Modify IPv6 Router Advertisement MTU value.
Syntax
ra-mtu (none|(68-9216))
none  Not

Valid entries:
disable  Disable service
automatic  Automatically select TCP MSS based on interface MTU
VALUE

NGFW{running-log}delete log-option fib events recv
NGFW{running-log}delete log audit mycontactname ALL
NGFW{run

pptp3  PPTP packet dumps
lcp  LCP events and negotiation
phys  Physical layer events
radius  Radius auth

osi  Enable logging osi
pdh  Enable logging pdh
pim4sm  Enable logging pim4sm
pim6sm

running-loopbackX Context Commands
NGFW{running}interface loopback0
NGFW{running-loopback0}delete
Delete file or

NGFW{running-loopback0}delete ipv6 ospfv3 dead-interval
NGFW{running-loopback0}delete ipv6 ospfv3 hello-interv
2 Global Commands
Global commands can be used in any context.
commit
Initiates all pending configuration changes

NGFW{running-loopback0}ipaddress
Configure IP address.
Syntax
ipaddress (A.B.C.D/M|X:X::X:X/M) [primary]
ipaddress

delete sa esp ((A.B.C.D|X:X::X:X) SPI)
Valid entries:
sa  Configure Security Association
esp

running-mgmt Context Commands
NGFW{running}interface mgmt
NGFW{running-mgmt}delete
Delete file or configuration i

ip-filter (allow|deny) ip (A.B.C.D/M|X:X::X:X/M|A.B.C.D|X:X::X:X)
Valid entries:
allow  Allow IPv4/IPv6 r

NGFW{running-mgmt}route
Add IPv4/IPv6 static route.
Syntax
route A.B.C.D/M A.B.C.D [DISTANCE]
route X:X::X:X/M X:X:

Syntax
contact CONTACTNAME
contact NEWNAME email
contact NEWNAME snmp COMMUNITY IP [PORT]
Example
NGFW{running-no

Syntax
email-threshold THRESHOLD
Example
NGFW{running-notifycontacts}email-threshold 1
NGFW{running-notifycontacts

Syntax
period PERIOD
Example
NGFW{running-notifycontacts-mycontact1}period 1
NGFW{running-notifycontacts-myconta

NGFW{running-ntp}ntp
Enable or disable NTP service.
Syntax
ntp (enable|disable)
Example
NGFW{running-ntp}ntp enable

Example
NGFW{running-phase1-proposal-myphase1}auth local pre-shared-key remote pre-shared-key
NGFW{running-phas
Legal and notice information
© Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company makes no warranty of any kind with regar

12 Global Commands
more
Set session to display output page by page.
Syntax
more (enable|disable)
Example
NGFW{running}more enable
display
Displays the current

Syntax
auth2 (hmac-md5|hmac-sha1) [hmac-sha1|hmac-md5]
Example
NGFW{running-phase2-proposal-myphase2}auth2 hmac-sh

area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D authentication simple SIMPLE-PASSWORD
area (A.B.C.D|(0-4294

NGFW{running-ospf}disable
Disable Open Shortest Path First (OSPF).
Syntax
disable
Example
NGFW{running-ospf}disable

rip  Routing Information Protocol (RIP)
bgp  Border Gateway Protocol (BGP)
metric-type  OSPF

Valid entries at this position are:
nssa  Configure a not-so-stubby area (NSSA)
range  Summa

NGFW{running-ospfv3}nsf
OSPFv3 non-stop forwarding.
Syntax
nsf (enable|disable)
enable  Enable Graceful Restart

running-pim-smv4 Context Commands
NGFW{running}router pim-smv4
NGFW{running-pim-smv4}bsr-candidate
Toggle bootst

Example
NGFW{running-pim-smv4}dr-priority 2
NGFW{running-pim-smv4}enable
Enable PIM-SM IPv4 on the device.
Synta

running-pim-smv6 Context Commands
NGFW{running}router pim-smv6
NGFW{running-pim-smv6}bsr-candidate
Toggle bootstr

Syntax
dr-priority (0-4294967295)
(0-4294967295)  The priority used to elect the DR.
Example
NGFW{running-pim-smv
3 Root Commands
The top level root command line mode displays the NGFW{} prompt. Commands at this level are use

RATE  The rate for shortest path tree switching (1-4294967295 bytes/s). Default: 1000 bytes/s
Example
NGFW

delete ipv6 mld version
delete log-option ppp all
delete log-option ppp PPP-LOG-OPTION
delete prefix (all|X:X::X

NGFW{running-pppoe0}ipcp
Enable or disable IPCP for IPv4.
Syntax
ipcp (enable|disable)
Example
NGFW{running-pppoe0}

l2tp  L2TP high level events
l2tp2  L2TP more detailed events
l2tp3  L2TP packet dumps
pptp  PPTP high

Example
NGFW{running-pppoe0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000 preferred-lifetime 604800
NGFW{run

Syntax
ra-mtu (none|(68-9216))
none  Not configured
MTU  MTU value advertised (0 if none)
Example
NGFW{runn

Example
NGFW{running-pppoe0}tcp4mss automatic
NGFW{running-pppoe0}tcp6mss
Configure interface TCP MSS for IPv6.
Syn

NGFW{running-pptp0}bind
Configure binding addresses of the pptp tunnel.
Syntax
bind (none|(A.B.C.D A.B.C.D))
Exam

NGFW{running-pptp0}dns-request
Configure IP DNS server address request.
Syntax
dns-request (enable|disable)
Example

NGFW{running-pptp0}keep-alive
LCP keep alive period in seconds.
Syntax
keep-alive ppp disable
keep-alive ppp (def
14 Root Commands
clear np softlinx
clear np tier-stats
clear counter policy
clear rate-limit streams
clear users all [locked|ip-locked]
clear users (NAME|A.

Syntax
mtu (default|(68-9216))
Example
NGFW{running-pptp0}mtu 1500
NGFW{running-pptp0}prefix
Configure IPv6 prefix.
S

NGFW{running-pptp0}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
Syntax
ra-lifetime (

NGFW{running-pptp0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|(4-65535)
Exampl

delete domain DOMAINNAME
delete ip SOURCEIP
description DESCRIPTION
display
domain NEWDOMAINNAME
help

Valid entries:
domain  Domain name
ip  IP address IPv4/IPv6/CIDR
Example
NGFW{running-rep-1}delete domain ex

NGFW{running-rep-abc}check-source-address
Enables or disables check source address.
Syntax
check-source-address

Valid entries:
enable  Enable filter rule
THRESHOLD  Set threshold (0-100)
ACTIONSET  Apply action set name
disable  Di

triggered-updates  Disable triggered-updates
version  Reset RIP version to default
Example
NGFW{run

Syntax
equal-cost (2-255)
Example
NGFW{running-rip}equal-cost 2
NGFW{running-rip}passive-interface
Suppress RIP rout

NGFW{running-rip}triggered-updates
Enable RIP triggered-updates.
Syntax
triggered-updates
Example
NGFW{running-rip
flush bgp ip A.B.C.D [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft [in|out])]
flush bgp ip A.B.C.D

Example
NGFW{running-ripng}delete triggered-updates
NGFW{running-ripng}disable
Disable Routing Information Protoco

Syntax
equal-cost EQUAL-COST
EQUAL-COST  (2-255)
Example
NGFW{running-ripng}equal-cost 2
NGFW{running-ripng}passive

NGFW{running-ripng}triggered-updates
Enable RIPng triggered-updates.
Syntax
triggered-updates
Example
NGFW{running-r

set community ((AA:NN)|internet|local-as|no-advertise|no-export)
set ip next-hop A.B.C.D
set local-preference (

NGFW{running-schedule-myhours1}description
Enter description for the segment.
Syntax
description TEXT
Example
NGFW

Syntax
description TEXT
Example
NGFW{running-segment0}description “My Segment”
NGFW{running-segment0}high-availab

Example
NGFW{running-services}delete service myservice2
NGFW{running-services}delete service all
NGFW{running-serv

NGFW{running-services-myservice1}description
Apply service description.
Syntax
description TEXT
Example
NGFW{runni

NGFW{running-services-myservice1}protocol
Apply protocol number.
Syntax
protocol IPPROTOCOL
IPPROTOCOL  Apply packet

Example
NGFW{running-smr}dscp xmit 0x0
NGFW{running-smr}monitor
Define monitoring parameters for a route.
Syntax
m
Syntax
log-configure
Example
NGFW{}log-configure
NGFW{log-configure}help
NGFW{log-configure}show log-file summary
Related Commands
Log Config

Syntax
delete rule (all|SRCNATRULEID)
Example
NGFW{running-snat}delete rule 123
NGFW{running-snat}rename
Rename sou

NGFW{running-snat-rule-snat1}delete src-address exclude ipaddress 192.168.1.1
NGFW{running-snat-rule-snat1}des

NGFW{running-snat-rule-snat1}move before snat1
NGFW{running-snat-rule-snat1}move to position 1
NGFW{running-snat-

COMMUNITY  Text to identify SNMP system community
SOURCE  IP (A.B.C.D|X:X::X:X), subnet (A.B.C.D/M|X:X::X

trapsession (A.B.C.D|X:X::X:X|FQDN) [port PORT] ver 3 USERNAME level authNoPriv authtype (MD5|SHA) AUTHPASS [in

AUTHPASS  Authentication passphrase - must be at least 8 characters
authPriv  Authentication and pri

Syntax
delete bind
delete ip igmp
delete ip igmp version
delete ip ospf area
delete ip ospf authentication mode md5

Syntax
description TEXT
Example
NGFW{running-vlan0}description "My interface description"
NGFW{running

ipv6 mld version (1|2)
ipv6 ospfv3 area (A.B.C.D|<0-4294967295>)
ipv6 ospfv3 cost COST
ipv6 ospfv3 dead-inte

valid-lifetime  Configure valid lifetime
(1-4294967295)  Valid lifetime in seconds (default is 2592000)
pre
ping
Test connectivity with ICMP traffic. The mgmt option uses the management interface.
Syntax
ping (A.B.C.D|HO

NGFW{running-vlan0}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
Syntax
ra-lifetime (0-

automatic  Automatically select TCP MSS based on interface MTU
VALUE  TCP MSS value for IPv4 (4-65535)
Ex

Syntax
zone ZONENAME
Example
NGFW{running-zones}zone myzone1
running-zones-X Context Commands
NGFW{running-zones}z

Reports
Configure data collection for on-box reports.
Syntax
reports (reset|enable|disable) [all|cpu|disk|fan|memory|network|rate-limiter

set
Syntax
set cli filtering rule (auto-comment|no-auto-comment|(last-auto-comment-value INT))
Example
NGFW{}set c

show ipv6 pim-sm  Show ipv6 Protocol Independent Multicast - Sparse Mode (PIM-SM) routing information
show ipv6 ripng  Show RIPng routing

show aaa
Syntax
show aaa capabilities USER
Example
show aaa capabilities fred
NGFW{}show aaa capabilities fred
ID
Table of Contents
About This Guide

40  CAPTIVEPORTAL  full
41  GENERAL  full
42  X509CERT  full
43  VPN

Example
NGFW{}show agglink
#AGGLINK TABLES
Service ETHGRP is inactive
show arp
Syntax
show arp
Example
NGFW{}show arp

no data
show cluster
Syntax
show cluster
Example
cluster.3-device23{} show cluster
Cluster Status
--------------
Name: cluster
Identifie

IP Address   Mac Address   Start date & time   End date & time
show dhcpv6
Syntax
show dhcpv6
Examp

------------------------
Name: firewall
State: enabled
Synchronization State: Not initialized
Reason: Unable to determine synchr

show ip bgp
Syntax
show ip bgp
show ip bgp debug
show ip bgp A.B.C.D/M
show ip bgp summary
show ip bgp neighbors
sho

show ip mroute
Shows the multicast routes.
Syntax
show ip mroute
Example
NGFW{}show ip mroute
Source   Group   In-interface

Example
NGFW{}show ip pim-sm interface
Address   Interface   Mode   Neighbor   Hello   DR   DR Ad

Example
NGFW{}show ip route debug
Codes: K - kernel route, C- connected, S - static, R - RIP, O - OSPF, B - BGP, > - selected r

Startup Query Count: 2
General Query Timer Expiry: 00:01:19
Multicast groups joined:
NGFW{}show ipv6 mld gr
show autoconf dhcpv4 client
show auto

Example
NGFW{}show ipv6 pim-sm interface
Interface   Mode   Neighbor   Hello   DR

Codes: O - ospfv3, > - selected route, * - FIB route
O>* 1:1::/64 [110/2] via fe80::20c:29ff:fee0:c919, e

show license
Syntax
show license
Example
NGFW{}show license
License: 1.0.0.11 (Transitional)
Feature   Status   Permit   Expiration   Details

show log-file summary [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more]
show log-file sy

show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-

Example
NGFW{}show log quarantine
show log-file FILE_NAME stat
Shows the beginning sequence number, ending sequen

ADDRCONF(NETDEV_UP): ethernet7: link is not ready
device ethernet7 entered promiscuous mode
Example
To tail the last 5 lines of the boot

Rx packets dropped no pcb = 0
Tx packets OK = 275262516
Tx packets dropped

Other   132843   65240426
Ipv6
Protocol:
TCP   378   265014
U

Sleuth inspected packets = 0
Sleuth matched packets = 0
show tse

show quarantine-list
Syntax
show quarantine-list
Example
NGFW{}show quarantine-list
IP   Reason
show reports
Show the status of the data collec

Service NTP is inactive
Service PPP-CtrlPlane is inactive
Service ETHGRP-LACP is inactive
sh

Example
NGFW{}show system connections ipv4
Active Internet connections (servers and established)
vrfid Proto Recv-Q Send-Q Local Address

show system statistics
Syntax
show system statistics [PROTO] [non-zero]
Example
NGFW{}show system statistics
show s

+ Service: captive-portals
+ captive-portal-config: 48 Bytes
Maximum amounts: 175 Bytes
Calls to all

NGFW{}show tse connection-table blocks
Second device:
NGFW{}show tse connection-table blocks
The ‘TRHA’ indicat

Failsafe: 1.0.0.1801
System Boot Time: Sun Sept 15 21:14:57 2013
Uptime: 05:17:01
shutdown
Allows you to shu

Example
NGFW{}snapshot list
Name   Date   OS Version   DV Version   Model   Restore
--
traceroute
Traceroute shows you the path a packet of information takes from your computer to your destination. It lists all the routers
Example
NGFW{}user-disk encryption enable
WARNING: Changing the encryption status of the user disk will erase al

ntp

4 Log Configure Commands
Enter the log-configure command to access the log configuration context. Enter a quest

54 Log Configure Commands
email set queueFile QUEUEFILE
email set deadletter DEADLETTER
email delete (sleepSeconds|maxRequeue|queueFile|deadletter)
Exampl

log-test (all|audit|vpn|quarantine|logID LOGID) [critical [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID L

maxFileSize  Max size a 'rotated' log file
MAXFILESIZE  Max log rotation file size in MB (10 - 500

5 Edit Running Configuration Commands
Enter the edit command to access the configuration mode. In edit mode, yo

Policy
running-dhcp-relay Context Commands
NGFW{running}dhcp relay
running-dhcp-server Context Commands
NGFW{running

Authentication
Routing
VPN
Edit Context Commands
aaa
Enter Authentication and Authorization and Auditing context mo

Example
NGFW{}edit
NGFW{running}aaa
NGFW{running-aaa}help
NGFW{running-aaa}display user fred xml
<?xml version=&qu

threshold  Set quarantine threshold value
verbosity  Set packet trace verbosity
Related commands
running-actionsets
CLI Reference Guide vrunning-multicast-registration Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186r

62 Edit Running Configuration Commands
NOTE: Attempting to create an application group from the CLI will result in an error while parsing the CRITERIAS

NGFW Command Line Interface Reference 63
display
enable
help [full|COMMAND]
list
periodic
proxy ADDR port PORT
proxy-password PASSWD
proxy-use

64 Edit Running Configuration Commands
delete rule all|RULEID
help [full|COMMAND]
rename rule RULEID NEWRULEID
rule (auto|RULEID) [POSITION_VALUE]

NGFW Command Line Interface Reference 65
Example
NGFW{running}cluster
NGFW{running-cluster}help
Valid commands are:
check CHECK_TYPE enable|disable
clus

66 Edit Running Configuration Commands
Example
NGFW{running}delete segment78
NGFW{running}delete interface agglink0
NGFW{running}delete interface bridge0
N

NGFW Command Line Interface Reference 67
delete proxy cache maximum negative ttl
delete proxy cache maximum ttl
delete proxy cache size
domain-nam

68 Edit Running Configuration Commands
Example
NGFW{running}firewall
NGFW{running-firewall}help
Valid commands are:
default-block-rule DEFACTIONSET
dele

NGFW Command Line Interface Reference 69
arp Configure static ARP entry
auto-restart Enable/disable automatic restart on detection of critical problem
de

70 Edit Running Configuration Commands
delete failover-group name
enable|disable
failover-group base-mac X:X:X:X:X:X
failover-group name NAME
help [full|CO

NGFW Command Line Interface Reference 71
interface bridgeX
interface ethernetX
interface greX
interface l2tpX
interface loopbackX
interface mgmt
interface pp

72 Edit Running Configuration Commands
Syntax
ip access-list NAME (permit|deny) A.B.C.D/M
ip as-path access-list NAME (permit|deny) ASN_FILTER
delete ip a

NGFW Command Line Interface Reference 73
profile PROFILENAME
quarantine-duration DURATION
rename profile XPROFILENAME NEWPROFILENAME
NGFW{running-ips}?
Val

74 Edit Running Configuration Commands
Valid commands are:
auth enable|disable
auth shared-secret A.B.C.D|any secret-key
bind none|any|(A.B.C.D [port])
del

NGFW Command Line Interface Reference 75
NGFW{running-log}display
# LOG SERVICES
log system "Management Console" notice
#log audit &

76 Edit Running Configuration Commands
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-notifycontacts}help
Valid command

NGFW Command Line Interface Reference 77
server Configure remote NTP server
Related commands
running-ntp Context Commands
reputation
Ent

78 Edit Running Configuration Commands
router
Enters the specified router protocol context.
Syntax
router bgp ASNUMBER
router ospf
router ospfv3
router pim-s

NGFW Command Line Interface Reference 79
delete schedule all|SCHEDULENAME
help [full|COMMAND]
rename schedule SCHEDULENAME NEWSCHEDULENAME
schedul

80 Edit Running Configuration Commands
services
Enters services context mode.
Syntax
services
Example
NGFW{running}services
NGFW{running-services}help
Valid c

NGFW Command Line Interface Reference 81
Valid entries at this position are:
authtrap Configure SNMP authentication failure trap
com

CLI reference guide 1
About This Guide
The Next Generation Firewall command line interface enables you to configure and manage the NGFW Appliance from a

82 Edit Running Configuration Commands
delete vpn (all|NAME)
help [full|COMMAND]
ipsec enable|disable
log vpn CONTACT-NAME [SEVERITY]
manual pha

NGFW Command Line Interface Reference 83
Related commands
running-zones Context Commands
Contexts and Related Commands
running-aaa Context Commands
NGFW{ru

84 Edit Running Configuration Commands
Syntax
ldap-group LDAPNAME
Example
NGFW{running-aaa}ldap-group mygroup
NGFW{running-aaa}ldap-schema
Configure LDAP s

NGFW Command Line Interface Reference 85
NGFW{running-aaa}remote-login-group
Configure LDAP or RADIUS group to use for either network or administrative

86 Edit Running Configuration Commands
Syntax
bind-dn DN
Example
NGFW{running-aaa-ldap-group-mygroup1}bind-dn CN=admin,OU=People,DC=example,DC=com
NGFW{run

NGFW Command Line Interface Reference 87
NGFW{running-aaa-ldap-group-mygroup1}server
Configure LDAP server address.
Syntax
server (A.B.C.D|X:X::X:X) prior

88 Edit Running Configuration Commands
NGFW{running-aaa-radius-group-2}delete
Delete file or configuration item.
Syntax
delete server (A.B.C.D|X:X::X:X|al

NGFW Command Line Interface Reference 89
NGFW{running-actionsets}rename
Rename action set oldname newname.
Syntax
rename actionset ACTIONSETNAME NEWACTION

90 Edit Running Configuration Commands
NGFW{running-actionsets-myactionset1}delete
Delete file or configuration item.
Syntax
delete allow-access DESTIP
del

NGFW Command Line Interface Reference 91
NGFW{running-actionsets-myactionset1}http-showname
Set or clear HTTP show name display option.
Syntax
http-showna