HP VPN Firewall Appliances
Getting Started Command Reference

Part number: 5998-4173
Software version:
    F1000-A-EI/F1000-S-EI (Feature 3726)
    F1000-E (Release 3177)
    F5000 (Feature 3211)
    F5000-S/F5000-C (Release 3808)
    VPN firewall modules (Release 3177)
    20-Gbps VPN firewall modules (Release 3817)
Document version: 6PW101-20130923
Legal and notice information © Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Login management commands

activation-key

Use activation-key to define a shortcut key for starting a terminal session.
Use undo activation-key to restore the default.

Syntax
    activation-key character
    undo activation-key

Default
    Pressing the Enter key starts a terminal session.
    * no decompiling or reverse-engineering shall be allowed.
    ******************************************************************************
    User interface con0 is available.
    Please press ENTER.

3. Press Enter.
   Pressing Enter does not start a session.
4. Enter s.
   A terminal session is started.

    %Mar 2 18:40:27:981 2005 Sysname SHELL/5/LOGIN: Console login from con0

authentication-mode

Use authentication-mode to set the authentication mode for a user interface.
Examples

# Enable the none authentication mode for user interface VTY 0.
    <Sysname> system-view
    [Sysname] user-interface vty 0
    [Sysname-ui-vty0] authentication-mode none

# Enable password authentication for user interface VTY 0 and set the password to 321.
Parameters command: Specifies the command to be automatically executed. Usage guidelines This command is not supported on the console user interface. The system automatically executes the specified command when a user logs in to the user interface, and tears down the user connection after the command is executed. If the command triggers another task, the system does not tear down the user connection until the task is completed.
Syntax command accounting undo command accounting Default Command accounting is disabled, and the accounting server does not record executed commands. Views User interface view Default command level 3: Manage level Usage guidelines When command accounting is enabled and command authorization is not, every executed command is recorded on the HWTACACS server. When both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
    [Sysname] user-interface vty 0
    [Sysname-ui-vty0] command authorization

databits

Use databits to specify the number of data bits for each character.
Use undo databits to restore the default.

Syntax
    databits { 5 | 6 | 7 | 8 }
    undo databits

Default
    Eight data bits are used for each character.

Views
    User interface view

Default command level
    2: System level

Parameters
    5: Uses five data bits for each character.
    6: Uses six data bits for each character.
    7: Uses seven data bits for each character.
Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the chapter on CLI in Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about HTTPS.
    <Sysname> display ip https
    HTTPS port: 443
    SSL server policy: test
    Certificate access-control-policy:
    Basic ACL: 2222
    Current connection: 0
    Operation status: Running

Table 2 Command output

Field         Description
HTTPS port    Port number used by the HTTPS service.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines This command is not supported in FIPS mode. Examples # Display the configuration of the device when it serves as a Telnet client. display telnet client configuration The source IP address is 1.1.1.1. The output shows that the device uses the source IPv4 address 1.1.1.1 for outgoing Telnet packets when it serves as a Telnet client.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about user interface 0.
    <Sysname> display user-interface 0
      Idx  Type     Tx/Rx      Modem Privi Auth  Int
    + 0    CON 0    9600       -     3     N     -

      +    : Current user-interface is active.
     49:UXXX X
      2 character mode users.     (U)
     52 UI never used.            (X)
      2 total UI in use

Table 4 Command output

Field    Description
0:U      0 represents the absolute number of the user interface. If the user interface is not used, an X is displayed. If the user interface is in use, a U is displayed. For example, 49:UXXX X shows that the absolute number of the first user interface is 49, and the user interface is in use. User interfaces from 50 to 52 are not in use.
      +    : Current operation user.
      F    : Current operation user work in async mode.

The output shows that two users have logged in to the device: you are using user interface VTY 0, and the other user is using the console user interface. Your IP address is 192.168.0.214 and user privilege level is 3.

Table 5 Command output

Field    Description
Idx      Absolute number of the user interface.
UI       Relative number of the user interface.
Table 6 Command output

Field        Description
UserID       Web user ID.
Name         Web username.
Language     Language used in Web login.
Level        Web user level.
State        Web user status.
LinkCount    Number of tasks running for the Web user.
LoginTime    Login time.
LastTime     Last time when the Web user accessed the device.

escape-key

Use escape-key to define a shortcut key for terminating a task.
Use undo escape-key to disable the shortcut key for terminating tasks.
the task running on Device A. If you Telnet to Device B from Device A, you can only use e to terminate the task running on Device B, rather than use e as a common character. It is a good practice to specify a key sequence.

Examples

# Define character a as the shortcut key for terminating a task.
    <Sysname> system-view
    [Sysname] user-interface console 0
    [Sysname-ui-console0] escape-key a

# To verify the configuration:
1. Ping IP address 192.168.1.
Hardware                        Compatibility
F5000                           Yes
F5000-S/F5000-C                 Yes
VPN firewall modules            Yes
20-Gbps VPN firewall modules    Yes

console: Specifies the console user interface.
vty: Specifies a VTY user interface.
num2: Specifies the relative number of a user interface.

Usage guidelines
    This command cannot release the connection you are using.

Examples

# Release user interface VTY 1:
1. Display which users are operating the device.
Default command level 2: System level Parameters size-value: Specifies the maximum number of history commands the buffer can store, in the range of 0 to 256. Usage guidelines Each user interface uses a separate command history buffer to save commands successfully executed by its user. The size of the buffer determines how many history commands the buffer can store.
Examples

# Set the idle-timeout timer to 1 minute and 30 seconds.
    <Sysname> system-view
    [Sysname] user-interface console 0
    [Sysname-ui-console0] idle-timeout 1 30

ip http acl

Use ip http acl to associate the HTTP service with an ACL.
Use undo ip http acl to remove the association.

Syntax
    ip http acl acl-number
    undo ip http acl acl-number

Default
    The HTTP service is not associated with any ACL.
ip http enable Use ip http enable to enable the HTTP service. Use undo ip http enable to disable the HTTP service. Syntax ip http enable undo ip http enable Default The HTTP service is enabled. Views System view Default command level 2: System level Usage guidelines The device can act as the HTTP server that can be accessed only after the HTTP service is enabled. This command is not supported in FIPS mode. Examples # Enable the HTTP service.
Default command level 3: Manage level Parameters port-number: Port number of the HTTP service, in the range of 1 to 65535. Usage guidelines Verify that the port number is not used by another service, because this command does not check for conflicts with configured port numbers. This command is not supported in FIPS mode. Examples # Configure the port number of the HTTP service as 8080.
    <Sysname> system-view
    [Sysname] acl number 2001
    [Sysname-acl-basic-2001] rule permit source 10.10.0.0 0.0.255.255
    [Sysname-acl-basic-2001] quit
    [Sysname] ip https acl 2001

Related commands
• display ip https
• acl number (ACL and QoS Command Reference)

ip https certificate access-control-policy

Use ip https certificate access-control-policy to associate the HTTPS service with a certificate attribute access control policy.
Use undo ip https certificate access-control-policy to remove the association.
Syntax ip https enable undo ip https enable Default The HTTPS service is disabled. Views System view Default command level 3: Manage level Usage guidelines The device can act as the HTTP server that can be accessed only after the HTTP service is enabled. Enabling the HTTPS service triggers an SSL handshake negotiation process: • If the local certificate of the device exists, the SSL negotiation succeeds, and the HTTPS service can be started.
Usage guidelines
    Verify that the port number is not used by another service, because this command does not check for conflicts with configured port numbers.

Examples

# Configure the port number of the HTTPS service as 6000.
    <Sysname> system-view
    [Sysname] ip https port 6000

Related commands
    display ip https

ip https ssl-server-policy

Use ip https ssl-server-policy to associate the HTTPS service with an SSL server-end policy.
Use undo ip https ssl-server-policy to remove the association.
lock Use lock to lock the current user interface. Syntax lock Default This function is disabled. Views User view Default command level 3: Manage level Usage guidelines When you must leave the device for a while, use this command to lock the current user interface to prevent unauthorized access. After you enter this command, you are asked to enter a password (up to 16 characters) and then confirm it by entering the password again. To unlock the user interface, press Enter and enter the correct password.
Use undo parity to restore the default. Syntax parity { even | mark | none | odd | space } undo parity Default The setting is none, and no parity check is performed. Views User interface view Default command level 2: System level Parameters even: Performs even parity check. mark: Performs mark parity check. none: Disables parity check. odd: Performs odd parity check. space: Performs space parity check. Usage guidelines This command is only applicable to console and AUX user interfaces.
In FIPS mode, Telnet is not supported. Views VTY interface view Default command level 3: Manage level Parameters all: Supports all the three protocols (Telnet and SSH) in non-FIPS mode and SSH in FIPS mode. ssh: Supports SSH only. telnet: Supports Telnet only. This keyword is not available for FIPS mode. Usage guidelines This configuration is effective only for a user who logs in to the user interface after the configuration is made.
Usage guidelines When screen output pauses, press the Space key to display the next screen. Not all terminals support this setting. For example, assume you set screen-length to 40, but the terminal can display 24 lines in one screen at most. When you press Space, the device sends 40 lines to the terminal, but the screen displays only lines 18 through 40. To view the first 17 lines, press the page up or page down key.
num2: Specifies the relative number of a user interface. Usage guidelines To end message input, press Ctrl+Z. To cancel message input and return to user view, press Ctrl+C. Examples # Send message hello abc to your own user interface Console 0.
    ***Message from vty0 to vty1 ***
    Note please, I will reboot the system in 3 minutes!

set authentication password

Use set authentication password to set a password for password authentication.
Use undo set authentication password to remove the password.

Syntax
    set authentication password [ hash ] { cipher | simple } password
    undo set authentication password

Default
    No password is set for password authentication.
Related commands authentication-mode shell Use shell to enable the terminal service for a user interface. Use undo shell to disable the terminal service for a user interface. Syntax shell undo shell Default The terminal service is enabled on all user interfaces. Views User interface view Default command level 3: Manage level Usage guidelines The console user interface does not support the undo shell command. You cannot disable the terminal service on the user interface you are using.
Views User interface view Default command level 2: System level Parameters speed-value: Transmission rate in bps. The transmission rates available for asynchronous serial interfaces include: 300 bps, 600 bps, 1200 bps, 2400 bps, 4800 bps, 9600 bps, 19200 bps, 38400 bps, 57600 bps, and 115200 bps. The transmission rate varies with devices and configuration environments. Usage guidelines This command is only applicable to console and AUX user interfaces.
Examples

# Set the number of stop bits to 1.5 for the console user interface.
    <Sysname> system-view
    [Sysname] user-interface console 0
    [Sysname-ui-console0] stopbits 1.5

telnet

Use telnet to Telnet to a host in an IPv4 network.
Use undo telnet client source to remove the configuration. Syntax telnet client source { interface interface-type interface-number | ip ip-address } undo telnet client source Default No source IPv4 address or source interface is specified for outgoing Telnet packets. The source IPv4 address is the primary IPv4 address of the outbound interface. Views System view Default command level 2: System level Parameters interface interface-type interface-number: Specifies a source interface.
Parameters remote-host: Specifies the IP address or host name of a remote host, a case-insensitive string of 1 to 46 characters. -i interface-type interface-number: Specifies the outbound interface for sending Telnet packets. This option is required when the destination address is a link-local address. port-number: Specifies the TCP port number for the Telnet service on the remote host. It ranges from 0 to 65535 and defaults to 23.
Use undo terminal type to restore the default. Syntax terminal type { ansi | vt100 } undo terminal type Default The terminal display type is ANSI. Views User interface view Default command level 2: System level Parameters ansi: Specifies the terminal display type ANSI. vt100: Specifies the terminal display type VT100. Usage guidelines The device supports two terminal display types: ANSI and VT100.
Parameters
    level: Specifies a user privilege level in the range of 0 to 3.

Usage guidelines
    User privilege levels include visit, monitor, system, and manage, represented by the numbers 0, 1, 2, and 3, respectively. You can change the user privilege level when necessary.
    FIPS supports only AAA authentication. This command is not available in FIPS mode.

Examples

# Set the command level for users logging in through VTY 0 to 0.
aux: Specifies an AUX user interface. The following matrix shows the aux keyword and hardware compatibility:

Hardware                        Compatibility
F1000-A-EI/F1000-S-EI           No
F1000-E                         Yes
F5000                           Yes
F5000-S/F5000-C                 Yes
VPN firewall modules            Yes
20-Gbps VPN firewall modules    Yes

console: Specifies the console user interface.
vty: Specifies a VTY user interface.
first-num2: Specifies the relative number of the first user interface.
last-num2: Specifies the relative number of the last user interface.
Views User view Default command level 3: Manage level Parameters verification-code: Fixed verification code for Web login, a case-sensitive 4-character string. Usage guidelines If you configure the web captcha command multiple times, the most recent configuration takes effect. After you configure a fixed verification code for Web login, a Web user can use the code for login, without caring about the verification code displayed on the login page.
• If the PKI certificate of the user is correct and not expired, the CN field in the certificate is used as the username to perform AAA authentication. If the authentication succeeds, the user automatically enters the Web interface of the device. • If the PKI certificate of the user is correct and not expired, but the AAA authentication fails, the device shows the Web login page. The user can log in to the device after entering correct username and password.
Views System view Default command level 2: System level Parameters pieces: Size of the buffer for Web login logging, in the number of log messages.
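The following check is an added example and is not part of the HP reference. It scans configuration text for login management settings documented in this chapter: authentication-mode none, a password set with the simple keyword, Telnet allowed by protocol inbound, the HTTP service left at its enabled default, and HTTPS enabled without an ACL. The sample configuration, its layout, the rule names, and the function name audit are assumptions made for illustration.

```python
import re

# Constructed sample in the style of a saved configuration; not from the HP reference.
SAMPLE_CONFIG = """\
#
 sysname Sysname
#
 ip https acl 2001
 ip https enable
#
user-interface console 0
 idle-timeout 1 30
user-interface vty 0
 authentication-mode none
 protocol inbound telnet
user-interface vty 1 4
 authentication-mode password
 set authentication password simple 321
 protocol inbound ssh
#
"""

# "user-interface vty 0" or "user-interface vty 1 4"
UI_HEADER = re.compile(r"^user-interface\s+(\w+(?:\s+\d+){1,2})$")
# set authentication password [ hash ] { cipher | simple } password
PLAINTEXT_PW = re.compile(r"^set authentication password (?:hash )?simple\s+\S+")
# "all" includes Telnet in non-FIPS mode, so it is flagged as well
TELNET_INBOUND = re.compile(r"^protocol inbound (?:telnet|all)$")


def audit(config_text):
    """Return (scope, rule) findings for weak login settings found in the text.

    Only explicitly configured user-interface lines are flagged; defaults
    that the page does not state are not guessed.
    """
    findings = []
    current_ui = None        # user interface whose view the line belongs to
    http_disabled = False    # the page gives "enabled" as the HTTP default
    https_enabled = False    # the page gives "disabled" as the HTTPS default
    https_has_acl = False

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current_ui = None            # section separator ends the view
            continue
        header = UI_HEADER.match(line)
        if header:
            current_ui = header.group(1)
            continue
        if line == "undo ip http enable":
            http_disabled = True
        elif line == "ip https enable":
            https_enabled = True
        elif line.startswith("ip https acl "):
            https_has_acl = True
        elif current_ui is not None:
            if line == "authentication-mode none":
                findings.append((current_ui, "auth-none"))
            elif PLAINTEXT_PW.match(line):
                findings.append((current_ui, "plaintext-password"))
            elif TELNET_INBOUND.match(line):
                findings.append((current_ui, "telnet-allowed"))

    if not http_disabled:
        findings.append(("global", "http-enabled"))
    if https_enabled and not https_has_acl:
        findings.append(("global", "https-no-acl"))
    return findings


if __name__ == "__main__":
    for scope, rule in audit(SAMPLE_CONFIG):
        print(f"{scope}: {rule}")
```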
OAP module commands The commands described in this chapter are applicable to only the following network devices when a firewall module is installed: HP 5800, HP 7500, HP 9500, HP 10500, and HP 12500. Unless otherwise noted, the term "OAP module" refers to the firewall module throughout this chapter.
    Press CTRL+K to quit.
    Connected to OAP!

# In IRF mode, access the CLI of the OAP module in slot 5 on member device 2.
    <Sysname> oap connect chassis 2 slot 5
    Press CTRL+K to quit.

oap management-ip

Use oap management-ip to configure the management IP address of an OAP module on the device.
Use undo oap management-ip to restore the default.
oap reboot Use oap reboot to reset an OAP module. Syntax In standalone mode: oap reboot slot slot-number In IRF mode: oap reboot chassis chassis-number slot slot-number Views User view Default command level 3: Manage level Parameters slot slot-number: Specifies an OAP module by its slot number. (In standalone mode.) chassis chassis-number slot slot-number: Specifies an OAP module on an IRF member device. (In IRF mode.) Examples # In standalone mode, reset the OAP module in slot 3.
ACSEI commands

The following matrix shows the feature and hardware compatibility:

Hardware                        Compatibility
F1000-A-EI/F1000-S-EI           No
F1000-E                         No
F5000                           No
F5000-S/F5000-C                 No
VPN firewall modules            Yes
20-Gbps VPN firewall modules    Yes

ACSEI server commands

The commands in this section apply to the network device.

acsei client close

Use acsei client close to close an ACSEI client.
acsei client reboot

Use acsei client reboot to restart an ACSEI client.

Syntax
    acsei client reboot client-id

Views
    ACSEI server view

Default command level
    2: System level

Parameters
    client-id: Specifies the ID of the ACSEI client to be restarted.

Examples

# Restart ACSEI client 1.
    <Sysname> system-view
    [Sysname] acsei server
    [Sysname-acsei-server] acsei client reboot 1

acsei server

Use acsei server to enter ACSEI server view.
Default
    ACSEI server is disabled.

Views
    System view

Default command level
    2: System level

Examples

# Enable ACSEI server.
    <Sysname> system-view
    [Sysname] acsei server enable

acsei timer clock-sync

Use acsei timer clock-sync to set the synchronization timer that is used for clock synchronization from the ACSEI server to the ACSEI client.
Use undo acsei timer clock-sync to restore the default.
Syntax acsei timer monitor seconds undo acsei timer monitor Default The monitoring timer is set to 5 seconds. Views ACSEI server view Default command level 2: System level Parameters seconds: Specifies the ACSEI client monitoring time in seconds, in the range of 0 to 10. Setting it to 0 disables the ACSEI server from monitoring the ACSEI client. Examples # Set the ACSEI client monitoring timer to 6 seconds.
Information about multiple ACSEI clients is displayed in order of registration time.

Examples

# Display information about ACSEI client 1.
    <Sysname> display acsei client info 1
    Client ID: 1
    Client Description: SecBlade FW
    Hardware: A.0
    System Software: COMWAREV500R002B108D005
    Application Software: V300R002B01D804
    CPU: RMI XLR732 1000MHz
    PCB Version: A.0
    CPLD Version: 3.0
    Bootrom Version: Basic BootRom Version:1.28,Extend BootRom Version:1.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the chapter on CLI in Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
Default command level 2: System level Usage guidelines You can enable ACSEI client on only one interface on the firewall module. However, you can enable ACSEI client on the firewall card and the network device at the same time. Examples # Enable ACSEI client on interface Ten-GigabitEthernet 0/0.
display acsei-client status Use display acsei-client status to display the current status of the ACSEI client. Syntax display acsei-client status [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the chapter on CLI in Getting Started Guide.
Device management commands

The following matrix shows the storage media supported on different firewalls and firewall modules:

Hardware                        Storage medium
F1000-A-EI/F1000-S-EI           flash0
F1000-E                         cfa0
F5000                           cfa0
F5000-S/F5000-C                 cfa0
VPN firewall modules            cfa0
20-Gbps VPN firewall modules    cfa0

All examples in this chapter use the storage medium cfa0.

clock datetime

Use clock datetime to set the system time and date.
• clock summer-time repeating • clock timezone • display clock clock summer-time one-off Use clock summer-time one-off to adopt daylight saving time from the start-time of the start-date to the end-time of the end-date. Daylight saving time adds the add-time to the standard time of the device. Use undo clock summer-time to cancel the configuration of the daylight saving time.
    [Sysname] clock summer-time abc1 one-off 6 08/01/2011 6 09/01/2011 1

Related commands
• clock datetime
• clock summer-time repeating
• clock timezone
• display clock

clock summer-time repeating

Use clock summer-time repeating to set a recurring daylight saving schedule.
Use undo clock summer-time to cancel the configuration of the daylight saving time.
add-time: Specifies a time to be added to the standard time of the device, in the hh:mm:ss format. Zeros can be omitted, unless you specify 00:00:00. Usage guidelines The interval between start-time start-date and end-time end-date must be longer than one day and shorter than one year. If the current system time is in the specified daylight saving days, the add-time value automatically adds to the system time. To verify the setting, use the display clock command.
Usage guidelines To verify the setting, use the display clock command. The timestamps in system messages are adjusted in reference to the time zone and daylight saving schedule. Examples # Set the local time zone to add five hours to UTC time.
Usage guidelines
    Two users are allowed to enter system view by default. If multiple users enter system view to configure the same attribute, the most recent configuration applies. When the number of users has already reached the limit, other users cannot enter system view.

Examples

# Allow up to four users to enter system view concurrently.
    **************************************************************************
    User interface con0 is available.
    Please press ENTER.

# Disable displaying the copyright statement.
    <Sysname> system-view
    [Sysname] undo copyright-info enable

• When a Telnet user logs in, the user view prompt appears:
    <Sysname>
• When a console user quits user view, the following message appears:
    User interface con0 is available.
    Please press ENTER.

display clock

Use display clock to display the system time and date.
    09:41:23 UTC Thu 12/15/2005

Related commands
• clock datetime
• clock summer-time one-off
• clock summer-time repeating
• clock timezone

display configure-user

Use display configure-user to display the users that have logged in to the device but are not in user view.

Syntax
    display configure-user [ | { begin | exclude | include } regular-expression ]

Views
    Any view

Default command level
    1: Monitor level

Parameters
    |: Filters command output by specifying a regular expression.
Field                          Description
Idx                            Absolute ID of the user interface.
UI                             Type and relative ID of the user interface that the user used for login.
Delay                          Delay between the last CLI input and the execution of the display configure-user command, in the format hh:mm:ss.
Type                           User type, Telnet or SSH.
Userlevel                      User level, level 0 (visit level), level 1 (monitor level), level 2 (system level), or level 3 (manage level).
Following are more details.    Detailed information about the login user.
display cpu-usage Use display cpu-usage to display CPU usage statistics. Syntax display cpu-usage [ entry-number [ offset ] [ verbose ] ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters entry-number: Number of entries to be displayed, which is in the range of 1 to 60. offset: Offset between the serial number of the first CPU usage rate record to be displayed and that of the last CPU usage rate record to be displayed.
# Display the fifth and sixth most recent record entries in CPU usage statistics.
    <Sysname> display cpu-usage 2 4
    ===== CPU usage info (no: 0 idx: 58) =====
    CPU Usage Stat. Cycle: 60 (Second)
    CPU Usage : 3%
    CPU Usage Stat. Time : 2006-07-10 10:56:55
    CPU Usage Stat. Tick : 0x1d9d(CPU Tick High) 0x3a659a70(CPU Tick Low)
    Actual Stat. Cycle : 0x0(CPU Tick High) 0x95030517(CPU Tick Low)

    ===== CPU usage info (no: 1 idx: 57) =====
    CPU Usage Stat. Cycle: 60 (Second)
    CPU Usage : 3%
    CPU Usage Stat.
display cpu-usage history Use display cpu-usage history to display historical CPU usage statistics in charts. Syntax display cpu-usage history [ task task-id ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters task task-id: Displays the historical CPU usage statistics for the specified task, where task-id represents the task number.
[Chart output: cpu-usage last 60 minutes(SYSTEM); vertical axis in 5% steps, horizontal axis 10 to 60 minutes]

The output shows the historical CPU usage statistics (with the task name SYSTEM) in the last 60 minutes:
• 5%: 12 minutes ago
• 10%: 13 minutes ago
• 15%: 14 minutes ago
• 10%: 15 minutes ago
• 5%: 16 and 17 minutes ago
• 10%: 18 minutes ago
• 5%: 19 minutes ago
• 2% or lower
[Chart output: cpu-usage last 60 minutes(T03M); vertical axis in 5% steps, horizontal axis 10 to 60 minutes]

The output shows the historical CPU usage statistics of task 6 (with the task name T03M) in the last 60 minutes:
• 5%: 20 minutes ago
• 2% or lower than 2%: other time

display device

Use display device to display device information.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display device information.
    <Sysname> display device
    Status :OK
    Type :RPU
    Hardware :B
    Driver :1.0
    CPLD :2.0
    SubCard Num :3
    CFCard Num :1
    Usb Num :1

Table 10 Command output

Field     Description
Status    Card status.
Type      Card type.
Hardware                        Value range
F1000-A-EI/F1000-S-EI           0, indicates the PCB.
F1000-E                         0, indicates the PCB.
F5000                           0 to 4, 0 for the MPU and 1 to 4 for a service card.
F5000-S/F5000-C                 0, indicates the PCB.
VPN firewall modules            0, indicates the firewall module itself.
20-Gbps VPN firewall modules    0, indicates the firewall module itself.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see the chapter on CLI in Getting Started Guide.
Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the chapter on CLI in Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
Parameters slot slot-number: See the usage guidelines for this command. |: Filters command output by specifying a regular expression. For more information about regular expressions, see the chapter on CLI in Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
Related commands temperature-limit display fan Use display fan to display the operating states of fans. Syntax display fan [ fan-id | verbose ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters fan-id: Displays the operating state of the specified fan, where fan-id represents the built-in fan ID.
Syntax display flowengine-usage [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the chapter on CLI in Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the chapter on CLI in Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
[Chart output: flowengine-usage last 60 minutes(SYSTEM); vertical axis in 5% steps, horizontal axis 10 to 60 minutes]

The output shows the historical flow engine usage statistics for the recent 60 minutes:
• 5%: one and two minutes ago
• 10%: three, four, and five minutes ago

display job

Use display job to display information about scheduled jobs configured by using the job command.
Time 1: Execute command save 1.cfg after 40 minutes
The output shows that the current configuration will be automatically saved to the configuration file 1.cfg in 40 minutes.
Table 12 Command output
Field              Description
Job name           Name of the scheduled job.
Specified view     View containing the commands in the job.
Time timeID        Execution time of each command in the job.
Execute command    Command string.
Table 13 Command output
Field                         Description
System Total Memory(bytes)    Total size of the system memory (in bytes)
Total Used Memory(bytes)      Size of the memory used (in bytes)
Used Rate                     Percentage of the memory used to the total memory.

display power
Use display power to display power supply information.
Power 1 Status: Normal

display reboot-type
Use display reboot-type to display the mode of the last reboot.
Syntax
display reboot-type [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the chapter on CLI in Getting Started Guide.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the chapter on CLI in Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Examples
# Display the configuration of the job configured by using the schedule job command.
display schedule job
Specified command: execute 1.bat
Specified view: system view
Executed time: at 12:00 10/31/2007 (in 0 hours and 16 minutes)
If you change the system time within 16 minutes after you execute the schedule job command, the scheduled task becomes invalid. Then, if you execute the display schedule job command again, the scheduled job information is blank.
Related commands
• schedule reboot at
• schedule reboot delay

display system-failure
Use display system-failure to display the exception handling method.
Syntax
display system-failure [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
3: Manage level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the chapter on CLI in Getting Started Guide.
Parameters
interface [ interface-type interface-number ]: Displays the key parameters of the transceiver module in an interface. The interface-type interface-number argument specifies an interface by its type and number. If no interface is specified, this command displays the key parameters of the transceiver modules in all interfaces.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the chapter on CLI in Getting Started Guide.
Field                    Description
Transfer Distance(xx)    Transfer distance, with xx representing km for single-mode transceiver modules and m for other transceiver modules. If the transceiver module supports multiple transfer media, every two transfer distance values are separated by a comma. The corresponding transfer medium is included in the bracket following the transfer distance value. The following are the supported transfer media:
• 9 um—9/125 um single-mode fiber.
• 50 um—50/125 um multi-mode fiber.
• 62.
Table 16 Common transceiver module alarms
Field                  Remarks
SFP/SFP+
RX loss of signal      Incoming (RX) signal is lost.
RX power high          Incoming (RX) power is high.
RX power low           Incoming (RX) power is low.
TX fault               Transmit (TX) fault.
TX bias high           TX bias current is high.
TX bias low            TX bias current is low.
TX power high          TX power is high.
TX power low           TX power is low.
Temp high              Temperature is high.
Temp low               Temperature is low.
Voltage high           Voltage is high.
Voltage low            Voltage is low.
Field                                               Remarks
Wavelength unlocked                                 Wavelength of optical signal exceeds the manufacturer's tolerance.
Temp high                                           Temperature is high.
Temp low                                            Temperature is low.
Voltage high                                        Voltage is high.
Voltage low                                         Voltage is low.
Transceiver info I/O error                          Transceiver information read and write error.
Transceiver info checksum error                     Transceiver information checksum error.
Transceiver type and port configuration mismatch    Transceiver type does not match port configuration.
specifies an interface by its type and number. If no interface is specified, this command displays the measured values of the digital diagnosis parameters for the transceiver modules in all interfaces.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the chapter on CLI in Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Parameters
interface [ interface-type interface-number ]: Displays the electronic label data for the transceiver module in an interface. The interface-type interface-number argument specifies an interface by its type and number. If no interface is specified, this command displays the electronic label data for the transceiver modules in all interfaces.
|: Filters command output by specifying a regular expression.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display system version information.
display version

header
Use header to create a banner.
Use undo header to clear a banner.
Please input banner content, and quit with the character '%'.
Welcome to legal (header legal)%
[Sysname] header login %
Please input banner content, and quit with the character '%'.
Welcome to login(header login)%
[Sysname] header motd %
Please input banner content, and quit with the character '%'.
Welcome to motd(header motd)%
[Sysname] header shell %
Please input banner content, and quit with the character '%'.
job
Use job to create a job or enter job view.
Use undo job to delete a scheduled job.
Syntax
job job-name
undo job job-name
Default
No job is created.
Views
System view
Default command level
3: Manage level
Parameters
job-name: Specifies the name for a job, a string of 1 to 32 characters.
Usage guidelines
You can add commands in job view to execute at certain times. You can use the job command to create multiple jobs.
Examples
# Create the job saveconfiguration or enter its view.
Views
System view
Default command level
3: Manage level
Parameters
primary: Specifies the primary monitored interface.
secondary: Specifies the secondary monitored interface.
interface-type interface-number: Type and number of the interface to be monitored.
Usage guidelines
If you configure only the primary monitored interface or the secondary monitored interface, the device monitors the IP address of the configured interface.
Usage guidelines
CAUTION:
• Device reboot can interrupt network services.
• If the main system software image file has been corrupted or does not exist, the device cannot reboot. You must re-specify a main system software image file, or power off the device and then power it on so the system can reboot with the backup system software image file.
For data security, if you are performing file operations at the reboot time, the system does not reboot.
Examples
# Reboot the device.
Default command level
3: Manage level
Parameters
at time1 [ date ]: Specifies the time and/or date to execute a command.
• time1: Sets time to execute the command, in the hh:mm format. The hh value is in the range of 0 to 23, and the mm value is in the range of 0 to 59.
• date: Sets the date to execute the command, in the MM/DD/YYYY or YYYY/MM/DD format. The YYYY value is in the range of 2000 to 2035, the MM value is in the range of 1 to 12, and the DD value is in the range of 1 to 31.
telnet, ftp, and ssh2), the view (for example, system-view and quit), or the user status (for example, super).
Examples
# Schedule a job to execute the batch file 1.bat in system view in 60 minutes (assuming that the current time is 11:43).
schedule job delay 60 view system execute 1.bat
Info: Command execute 1.bat in system view will be executed at 12:43 10/31/2007 (in 1 hours and 0 minutes).
# Schedule a job to execute the batch file 1.
If the reboot time is earlier than the current time, a reboot occurs at the reboot time the next day.
• The device supports only one device reboot schedule. If you configure the schedule reboot at command multiple times, the most recent configuration takes effect.
The schedule reboot at command and the schedule reboot delay command overwrite each other. The command that is configured most recently takes effect.
The alert "REBOOT IN ONE MINUTE" appears one minute before the reboot time.
Usage guidelines
CAUTION:
• Device reboot can interrupt network services.
• Changing any clock setting can cancel the reboot schedule.
The reboot delay cannot exceed 30 x 24 x 60 minutes, or 30 days.
The device supports only one device reboot schedule. If you configure the schedule reboot delay command multiple times, the most recent configuration takes effect.
The schedule reboot at command and the schedule reboot delay command overwrite each other.
Parameters
time: Specifies the port status detection timer in seconds, which is in the range of 0 to 300.
Usage guidelines
Some protocols might shut down ports under specific circumstances. For example, MSTP shuts down a BPDU guard–enabled port when the port receives a BPDU. In this case, you can set the port status detection timer. If the port is still down when the detection timer expires, the protocol module automatically cancels the shutdown action and restores the port to its original physical status.
Examples
# Set the name of the device to Device.
system-view
[Sysname] sysname Device
[Device]

system-failure
Use system-failure to configure the exception handling method.
Use undo system-failure to restore the default.
Syntax
system-failure { maintain | reboot }
undo system-failure
Default
The system adopts the reboot method to handle exceptions.
Default command level
2: System level
Parameters
slot slot-number: See the usage guidelines for this command.
hotspot: Specifies a hotspot sensor, which is used for temperature monitoring and is typically placed near the chip that generates a great amount of heat.
sensor-number: Specifies the sensor number. It is an integer starting from 1, each number representing a temperature sensor of a device or card.
lowerlimit: Lower temperature threshold in Celsius degrees. The value range depends on the hotspot sensor.
time at
Use time at to add a command to run at a specific time and date in the job schedule.
Use undo time to remove a command from the job schedule.
Syntax
time time-id at time date command command
time time-id { one-off | repeating } at time [ month-date month-day | week-day week-daylist ] command command
undo time time-id
Views
Job view
Default command level
3: Manage level
Parameters
time timeid: Time setting entry, an integer that is in the range of 1 to 10.
Table 20 Command schedule options
Command Description
time timeid at time date command command
Schedules a command to run at a specific time and date. The time or date must be later than the current system time or date.
time timeid one-off at time command command
time timeid one-off at time month-date month-day command command
Schedules a command to run at a specific time on the current day. If the specified time has passed, the command runs the next day. The command runs only once.
# Schedule a job to save the configuration file at 8:00 AM on Friday and Saturday in the current week, which might be delayed to the next week if the time has passed.
system-view
[Sysname] job saveconfig
[Sysname-job-saveconfig] view monitor
[Sysname-job-saveconfig] time 1 one-off at 8:00 week-day fri sat command save a.cfg
# Schedule a job to save the configuration file at 8:00 every Friday and Saturday.
The time ID (time-id) must be unique in a job. If two time and command bindings have the same time ID, the binding configured most recently takes effect.
Changing a clock setting does not affect the schedule set by using the time delay command.
Use Table 21 when you add commands in a job.
Table 21 Command schedule options
Command Description
time timeid one-off delay time2 command command
Schedules a command to run after a delay time.
Default
Alarm traps are enabled for transceiver modules.
Views
System view
Default command level
3: Manage level
Usage guidelines
If you install a transceiver module whose vendor name is not HP, the system repeatedly outputs traps and logs to notify you to replace the module. To continue to use such a transceiver module that is manufactured or customized by HP but has no vendor information, you can disable alarm traps so that the system stops outputting alarm traps.
system-view
[Sysname] job creatvlan
[Sysname-job-creatvlan] view system
Related commands
• job
• time

User management commands

acl (user interface view)
Use acl to reference ACLs to control access to the VTY user interface.
Use undo acl to cancel the ACL application.
Syntax
To use a basic or advanced ACL:
acl [ ipv6 ] acl-number { inbound | outbound }
undo acl [ ipv6 ] acl-number { inbound | outbound }
To use an Ethernet frame header ACL:
acl acl-number inbound
undo acl acl-number inbound
Default
Access to the VTY user interface is not restricted.
If an ACL is referenced in VTY user interface view, the connection is permitted to be established only when packets for establishing a Telnet or SSH connection match a permit statement in the ACL. The system regards the basic/advanced ACL with the inbound keyword, the basic/advanced ACL with the outbound keyword, and Ethernet frame header ACL as different types of ACLs, which can coexist in one VTY user interface. The match order is basic/advanced ACL, Ethernet frame header ACL.
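A check for the default described above (VTY access is unrestricted until an ACL is referenced), as an added example that is not part of the HP documentation: it scans configuration text for VTY user interface sections that have no inbound ACL. The sample configuration is constructed, and its layout (a `user-interface vty` header in column 0 followed by indented commands) is an assumption about how the saved configuration is printed.

```python
import re

# Constructed sample. Assumed layout: section header in column 0,
# the section's commands indented by one space, "#" between blocks.
SAMPLE_CONFIG = """\
#
user-interface con 0
 authentication-mode scheme
user-interface vty 0 4
 acl 2001 inbound
 acl ipv6 2001 inbound
 authentication-mode scheme
user-interface vty 5 9
 acl 3001 outbound
 authentication-mode scheme
user-interface vty 10 15
 authentication-mode scheme
#
"""

SECTION_RE = re.compile(r"^user-interface vty (\d+)(?: (\d+))?\s*$")
# Mirrors the syntax on this page: acl [ ipv6 ] acl-number { inbound | outbound }
ACL_RE = re.compile(r"^\s+acl (ipv6 )?(\d+) (inbound|outbound)\s*$")


def parse_vty_sections(config_text):
    """Return one dict per 'user-interface vty' section with its ACL references."""
    sections = []
    current = None
    for line in config_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            first = int(header.group(1))
            last = int(header.group(2)) if header.group(2) else first
            current = {"first": first, "last": last, "acls": []}
            sections.append(current)
            continue
        if not line.startswith(" "):
            current = None  # any other non-indented line closes the section
            continue
        if current is None:
            continue  # indented line belonging to a non-VTY section
        acl = ACL_RE.match(line)
        if acl:
            current["acls"].append({
                "family": "ipv6" if acl.group(1) else "ipv4",
                "number": int(acl.group(2)),
                "direction": acl.group(3),
            })
    return sections


def vty_without_inbound_acl(config_text):
    """List VTY ranges whose logins no ACL restricts.

    Assumption: an ACL applied with 'outbound' governs connections opened
    from the device, so it does not count as a login restriction here.
    """
    flagged = []
    for section in parse_vty_sections(config_text):
        has_inbound = any(a["direction"] == "inbound" for a in section["acls"])
        if not has_inbound:
            flagged.append(f"vty {section['first']} {section['last']}")
    return flagged


if __name__ == "__main__":
    for name in vty_without_inbound_acl(SAMPLE_CONFIG):
        print(f"{name}: no inbound ACL referenced")
```
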
free web-users
Use free web-users to log out Web users.
Syntax
free web-users { all | user-id user-id | user-name user-name }
Views
User view
Default command level
2: System level
Parameters
all: Specifies all Web users.
user-id: Web user ID, a hexadecimal number of eight digits.
user-name: Web user name, a string of 1 to 80 characters.
Examples
# Log out all Web users.
In the local switching mode, if the authentication mode of the user interface is scheme, the user is locked for 15 minutes after five consecutive incorrect password attempts. Within the lock interval, the user cannot switch to a higher privilege level. The lock timer restarts when the user makes a new password attempt within the lock interval. Examples # Switch to user privilege level 2 from user privilege level 3.
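The lock behaviour described above, modelled as an added example that is not part of the HP documentation. The five-attempt threshold, the 15-minute interval and the timer restart come from the text; resetting the failure count after a successful switch or after the lock expires is an assumption, and the timestamps are constructed.

```python
from datetime import datetime, timedelta

MAX_FAILURES = 5                    # consecutive incorrect passwords (from the text)
LOCK_INTERVAL = timedelta(minutes=15)


class SuperLockout:
    """Tracks one user's privilege-switch attempts."""

    def __init__(self):
        self.failures = 0
        self.locked_until = None

    def attempt(self, when, password_ok):
        """Return 'granted', 'denied' or 'locked' for an attempt at time `when`."""
        if self.locked_until is not None:
            if when < self.locked_until:
                # Any attempt inside the lock interval restarts the timer,
                # even one that carries the correct password.
                self.locked_until = when + LOCK_INTERVAL
                return "locked"
            # Assumption: once the lock expires the counter starts from zero.
            self.locked_until = None
            self.failures = 0
        if password_ok:
            self.failures = 0       # assumption: success clears the streak
            return "granted"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = when + LOCK_INTERVAL
        return "denied"


def replay(events):
    """Feed (timestamp, password_ok) pairs through a fresh model."""
    state = SuperLockout()
    outcomes = [state.attempt(when, ok) for when, ok in events]
    return outcomes, state


def constructed_events():
    """Five bad passwords, then correct passwords 10, 20 and 36 minutes in."""
    start = datetime(2013, 9, 23, 10, 0, 0)
    events = [(start + timedelta(seconds=i), False) for i in range(5)]
    for minutes in (10, 20, 36):
        events.append((start + timedelta(minutes=minutes), True))
    return events


if __name__ == "__main__":
    outcomes, _ = replay(constructed_events())
    for (when, ok), outcome in zip(constructed_events(), outcomes):
        print(when.time(), "correct" if ok else "wrong", "->", outcome)
```

The replay shows why retries during the lock are counterproductive: the attempts at 10 and 20 minutes each push the unlock time out by another 15 minutes, so a script or operator that keeps retrying never regains access.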
local scheme: Uses the local password, if configured, for user privilege level switching authentication. If the password is not configured, the system allows a console user to switch the privilege level but uses AAA to authenticate other types of login users.
scheme local: Uses AAA for user privilege level switching authentication. If the AAA configuration is incomplete or invalid or the server does not respond, the system uses the local password for the authentication.
Examples # Set the password for switching to privilege level 3 to plaintext abc.
License management commands
The following matrix shows the feature and hardware compatibility:
Hardware                            Compatibility
F1000-A-EI/F1000-E-SI/F1000-S-AI    Yes
F1000-C-G/F1000-S-G/F1000-A-G       Yes
F1000-E                             No
F100-C-G/F100-S-G                   Yes
F100-M-G/F100-A-G/F100-E-G          Yes
F5000-A5                            No
F5000-S/F5000-C                     No
Firewall modules                    No
U200-A/U200-M/U200-CA               Yes
U200-S/U200-CS/U200-CM              Yes

display license U200LICS
Use display license U200LICS to display the registration information of a particular feature.
Trial license registered.
Trial time left: 90 days.
License 1
-------------------------------
Serial Number: aaaaa-bbbbb-ccccc-ddddd-eeeee-fffff-gggg1
Register Date: 2009-07-07 17:02:14
Trade Code : 213130A0AV0096000xx1
Type : Trial
Status : Valid
Table 22 Command output
Field              Description
Trial time left    Remaining validity time of a trial version. An official license has no time limitation.
License 1          Number of the license.
Trade Code         Production serial number.
Examples # Register a feature such as IPS or AV. The serial number in this example is only for illustration. Use a valid serial number.
Basic CLI commands

command-alias enable
Use command-alias enable to enable the command keyword alias function.
Use undo command-alias enable to disable the command keyword alias function.
Syntax
command-alias enable
undo command-alias enable
Default
The command keyword alias function is disabled.
Views
System view
Default command level
2: System level
Usage guidelines
Disabling the command keyword alias function does not delete the configured aliases, but the aliases do not take effect anymore.
Views
System view
Default command level
2: System level
Parameters
cmdkey: Complete form of the first keyword of a non-undo command, or the second keyword of an undo command.
alias: Alias for the keyword, which must be different from the first keyword of any non-undo command.
Usage guidelines
Command keyword aliases take effect only after you enable the command keyword alias function.
Examples
# Define show as the alias of the display keyword.
Usage guidelines
Command levels include four privileges: visit (0), monitor (1), system (2), and manage (3). You can assign a privilege level according to the user's need. When logging in to the device, the user can access the assigned level and all levels below it.
Level changes can cause maintenance, operation, and security problems. HP recommends that you use the default command level or modify the command level under the guidance of professional staff.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
To copy some content to the clipboard:
1. Move the cursor to the starting position of the content and then press the Esc+Shift+, combination.
2. Move the cursor to the ending position of the content and then press the Esc+Shift+.
Syntax
display history-command [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the chapter on CLI in Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display hotkey information.
display hotkey
----------------- HOTKEY -----------------
=Defined hotkeys=
Hotkeys   Command
CTRL_G    display current-configuration
CTRL_L    display ip routing-table
CTRL_O    undo debug all
=Undefined hotkeys=
Hotkeys   Command
CTRL_T    NULL
CTRL_U    NULL
=System hotkeys=
Hotkeys   Function
CTRL_A    Move the cursor to the beginning of the current line.
Use undo hotkey to restore the default.
Syntax
hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U } command
undo hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U }
Default
• Ctrl_G: display current-configuration (display the running configuration).
• Ctrl_L: display ip routing-table (display the IPv4 routing table information).
• Ctrl_O: undo debugging all (disable all debugging functions).
• Ctrl_T: No command is assigned to this hotkey.
• Ctrl_U: No command is assigned to this hotkey.
Examples
# Return from GigabitEthernet 0/1 interface view to system view and then to user view.
[Sysname-GigabitEthernet0/1] quit
[Sysname] quit

return
Use return to return to user view from any other view. Pressing Ctrl+Z has the same effect.
Syntax
return
Views
Any view except user view
Default command level
2: System level
Examples
# Return to user view from GigabitEthernet 0/1 interface view.
This command takes effect only for the current session. When you log out, the setting by this command is restored to the default.
Examples
# Disable pausing between screens of output for the current session.
screen-length disable
Related commands
screen-length

system-view
Use system-view to enter system view from user view.
Syntax
system-view
Views
User view
Default command level
2: System level
Examples
# Enter system view from user view.
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention         Description
Boldface           Bold text represents commands and keywords that you enter literally as shown.
Italic             Italic text represents arguments that you replace with actual values.
[]                 Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }    Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Represents a security product, such as a firewall, a UTM, or a load-balancing or security card that is installed in a device.