HP TippingPoint Next Generation Firewall Command Line Interface Reference Guide
Version 1.0.1

Abstract
This reference manual describes the Next Generation Firewall Command Line Interface (CLI) and the commands you can use to configure and manage an NGFW appliance.
Legal and notice information © Copyright 2013 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
About This Guide The Next Generation Firewall command line interface enables you to configure and manage the NGFW Appliance from a command line. The NGFW commands can be used in custom scripts to automate tasks.
Document Conventions This guide uses the following document conventions. • Typefaces, page 2 • Document Messages, page 2 Typefaces HP TippingPoint publications use the following typographic conventions for structuring information: Table 1-1 Document Typographic conventions Convention Element Medium blue text: Figure 1 Cross-reference links and e-mail addresses Blue, underlined text (http://www.hp.
IMPORTANT: Another type of note that provides clarifying information or specific instructions. TIP: Tips provide helpful hints and shortcuts, such as suggestions about how you can perform a task more easily or more efficiently. Customer Support HP is committed to providing quality customer support to all of its customers. Each customer is provided with a customized support agreement that provides detailed customer and support contact information.
1 Command Line Interface
In addition to the Local System Manager (LSM) and the Centralized Management Capability of the Security Management System (SMS), a Command-line Interface (CLI) can be used to configure and manage the NGFW Appliance. The CLI is accessed directly through the console or remotely through SSH. Non-secure connections, such as Telnet, are not permitted. For the initial setup, the "superuser" account is set for the appliance.
Shortcut Navigation Keys The CLI has the ability to store typed commands in a circular memory. Typed commands can be recalled with the UP and DOWN arrow keys. The TAB key may be used to complete partial commands. If the partial command is ambiguous, pressing the TAB key twice gives a list of possible commands. Following is a list of shortcuts.
Table 1-3 Root, Edit and Log configuration modes

Command Line prompt        Description
NGFW{}log-configure        From the root command line mode, enter the log-configure command to access the log configuration mode.
NGFW{log-configure}        log configuration mode
NGFW{log-configure}help    display list of valid commands and syntax usage
NGFW{log-configure}exit    leave the log configuration mode

Help
The help command provides a list of commands within the current context and the command line usage.
    NGFW{}edit
    NGFW{running}interface mgmt
    NGFW{running-mgmt}help host     (displays valid entries for configuring management port host settings)
    NGFW{running-mgmt}host ?        (displays valid entries for host command)
    NGFW{running-mgmt}host name yourhostname

For a list of root commands and their usage see the Root Commands section.

NOTE: Your membership role determines your command line interface.
NOTE: As you move through the context menu hierarchies, the command prompt changes accordingly. The help or display command can be entered at any level.

Configuration File Versions
When you are troubleshooting or need to roll back a configuration, you can view the current configuration setup. Reviewing network configuration files is a necessary step toward understanding your current system setup.
Show The show command is most efficient in providing critical information, such as traffic usage, router platform type, operating system revision, amount of memory, and the number of interfaces. The show command can also be used to evaluate logging, troubleshooting, tracking resources, sessions, and security settings. To view all the available show utilities, enter the help show command at the root command level. All the available commands along with the correct command line usage are displayed.
2 Global Commands
Global commands can be used in any context.

commit
Initiates all pending configuration changes in the edit mode.

NOTE: This command does not write the modifications to the startup configuration file. However, the save-config command can be run from the edit configuration context by using the exclamation mark.

Syntax
    commit
Example
    NGFW{running}commit
    NGFW{running}!save-config

exit
Exits the current context.
more
Set session to display output page by page.
Syntax
    more (enable|disable)
Example
    NGFW{running}more enable

display
Displays the current configuration, or the candidate configuration before a commit is issued. Display options vary by context; enter the "help display" command in a context to view the available options.
3 Root Commands The top level root command line mode displays the NGFW{} prompt. Commands at this level are used for managing and monitoring system operations for the various subsystems. From the root command mode, you can access the configuration mode, and the available commands that apply to the appliance as a whole. Enter help full or help COMMANDNAME at the command prompt to display a list of available commands or help on a specific command.
    clear np softlinx
    clear np tier-stats
    clear counter policy
    clear rate-limit streams
    clear users all [locked|ip-locked]
    clear users (NAME|A.B.C.D|X:X::X:X) [locked]
Example
    NGFW{}clear log-file vpn
Example
    NGFW{}clear ip bgp 10.10.10.10 soft in
    Not cleared BGP is not active
Example
    NGFW{}clear ip bgp external soft
Example
    NGFW{}clear users fred

date
Used alone to display the current date, or with arguments to configure the date in a 24 hour format.
    flush bgp ip A.B.C.D [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft [in|out])]
    flush bgp ip A.B.C.D [vpnv4 unicast in|out|(soft [in|out])]
    flush bgp ipv6 X:X::X:X [(in prefix-filter)|in|out|(soft [in|out])|rsclient]
    flush bgp [ip] dampening [A.B.C.D/M|(A.B.C.D [A.B.C.
Syntax
    log-configure
Example
    NGFW{}log-configure
    NGFW{log-configure}help
    NGFW{log-configure}show log-file summary
Related Commands
    Log Configure Commands

logout
Logs you out of the system.
Syntax
    logout
Example
    NGFW{} logout

master-key
The system master-key is used to encrypt the removable user-disk (the external CFast), and the system keystore. The user-disk holds traffic logs, packet capture data, and system snapshots. The keystore retains data such as device certificates and private keys.
ping
Test connectivity with ICMP traffic. The mgmt option uses the management interface.
Syntax
    ping (A.B.C.D|HOSTNAME) [count INT] [maxhop INT] [from A.B.C.D] [mgmt] [datasize INT]
    ping (A.B.C.D|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [from A.B.C.
Reports Configure data collection for on-box reports.
set
Syntax
    set cli filtering rule (auto-comment|no-auto-comment|(last-auto-comment-value INT))
Example
    NGFW{}set cli filtering rule auto-comment
    NGFW{}set cli filtering rule no-auto-comment

show
The show command enables you to view current system configuration, status, and statistics.
Table 3-1 Show command

Command                  Description
show ipv6 pim-sm         Show ipv6 Protocol Independent Multicast - Sparse Mode (PIM-SM) routing information
show ipv6 ripng          Show RIPng routing information
show ipv6 route ripng    Show ripng route information
show (ip|ipv6) route     Show the unicast routes
show key                 Show local server SSH key information
show l2tp                Show Layer 2 Tunneling Protocol information
show license             Shows the license number and status
show log-file            Shows the logfiles
show log-file boot
Table 3-1 Show command

Command         Description
show users      Show users information
show version    Show device version information

show aaa
Syntax
    show aaa capabilities USER
Example
    show aaa capabilities fred
    NGFW{}show aaa capabilities fred
    ID  NAME                STATE
    ---------------------------------------------
    1   NGFW                full
    2   SECURITY            full
    3   FIREWALLRULES       full
    4   SECURITYZONES       full
    5   APPLICATIONGROUPS   full
    6   ADDRESSGROUPS       full
    7   SERVICES            full
    8   SCHEDULES           full
    9   INSPECTIONPROFILES  full
    10  IPS                 full
    11  IPREPUTATION        full
    12  P
40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 CAPTIVEPORTAL GENERAL X509CERT VPN IKE IKECONFIGURATION IKESTATUS IPSEC IPSECCONFIGURATION IPSECSTATUS L2TP L2TPCONFIGURATION L2TPSTATUS REPORTING LOG FIREWALLLOG IPSLOG REPUTATIONLOG VPNLOG SYSTEMLOG AUDITLOG SECURITYREPORTS NETWORKREPORTS DEBUGTOOLS REBOOT SHUTDOWN SERVICEACCESS NETWORK INTERFACES SEGMENTS DHCPSERVER DHCPRELAY ARPNDP STATICROUTES STATICMONITOREDR
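The `show aaa capabilities USER` listing above can be compared with the set of capabilities a role is meant to hold. The following Python is an added example, not part of the HP guide: the sample output is constructed and shortened, its row IDs are illustrative, and both the expected set and the choice of high-impact capabilities are assumptions of this example.

```python
import re

# One table row: "<id> <CAPABILITY> <state>", e.g. "1 NGFW full".
ROW = re.compile(r"^\s*(\d+)\s+([A-Z0-9]+)\s+(\S+)\s*$")

# Capability names taken from the guide's listing. Treating them as
# high-impact is this example's assumption, not a vendor classification.
HIGH_IMPACT = {"AUDITLOG", "DEBUGTOOLS", "REBOOT", "SHUTDOWN", "X509CERT"}

# Constructed, shortened sample in the layout the guide shows
# (row IDs are illustrative).
SAMPLE_OUTPUT = """\
NGFW{}show aaa capabilities fred
ID  NAME            STATE
---------------------------------------------
1   NGFW            full
2   SECURITY        full
3   FIREWALLRULES   full
43  VPN             full
60  AUDITLOG        full
65  SHUTDOWN        full
"""

# Assumption: capabilities a firewall-policy operator role should hold.
EXPECTED_FULL = {"NGFW", "SECURITY", "FIREWALLRULES", "SECURITYZONES"}


def parse_capabilities(output):
    """Return {capability name: state}; prompt, header and rule lines are skipped."""
    caps = {}
    for line in output.splitlines():
        match = ROW.match(line)
        if match:
            caps[match.group(2)] = match.group(3)
    return caps


def review(caps, expected_full):
    """Compare granted capabilities with the expected set for the role."""
    granted = {name for name, state in caps.items() if state == "full"}
    unexpected = granted - expected_full
    return {
        # Granted but not part of the role definition.
        "unexpected": sorted(unexpected),
        # Subset of the above that warrants review first.
        "high_impact": sorted(unexpected & HIGH_IMPACT),
        # Part of the role definition but not reported as "full".
        "missing": sorted(expected_full - granted),
    }


if __name__ == "__main__":
    report = review(parse_capabilities(SAMPLE_OUTPUT), EXPECTED_FULL)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '-'}")
```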
Example NGFW{}show agglink #AGGLINK TABLES Service ETHGRP is inactive show arp Syntax show arp Example NGFW{}show arp IP Address 15.226.140.
no data

show cluster
Syntax
    show cluster
Example
    cluster.3-device23{} show cluster
    Cluster Status
    --------------
    Name: cluster
    Identifier: 3
    State: Enabled
    Segment HA: Normal
    Master: cluster.3-device23
    Members
    -------
    Name: cluster.3-device23
    HA State: Active

show date
This command shows the GMT time or the local time and timezone for the appliance.
IP Address Mac Address Start date & time End date & time show dhcpv6 Syntax show dhcpv6 Example NGFW{}show dhcpv6 Service DHCPv6 client is inactive show dns Syntax show dns Example NGFW{}show dns # DNS PROXY Proxy Disabled # STATIC DNS # DYNAMIC V4 DNS # DYNAMIC V6 DNS show firewall Displays firewall rules and sessions.
-----------------------Name: firewall State: enabled Synchronization State: Not initialized Reason: Unable to determine synchronization state Total Entries: 353 Added Entries: 324 Deleted Entries: 0 Related Commands high-availability force (active|passive) high-availability segment force (normal|fallback) show interface Syntax show interface [INTERFACE [statistics [update INT]]] show interface [INTERFACE] multicast-registration Examples NGFW{}show interface ha Interface ha MAC Address 00:10:f3:2c:81:df E
show ip bgp Syntax show show show show show show show show show show show show ip ip ip ip ip ip ip ip ip ip ip ip bgp bgp bgp bgp bgp bgp bgp bgp bgp bgp bgp bgp debug A.B.C.D/M summary neighbors neighbors A.B.C.D neighbors A.B.C.
show ip mroute Shows the multicast routes. Syntax show ip mroute Example NGFW{}show ip mroute Source Group 152.168.1.2 239.255.255.2 In-interface pimreg Out-interface(s) ethernet1 show ip ospf Displays general information about Open Shortest Path First (OSPF) routing processes. Syntax show ip ospf ? show ip ospf (database|interface[IFACE]|neighbor [debug]|redistribute|route[debug]) Example NGFW{}show ip ospf OSPF Router with ID (15.255.125.122) OSPF Routing Process 0 [VRF 0], Router ID: 15.255.125.
Example NGFW{}show ip pim-sm interface Address Interface Mode 182.168.1.10 ethernet5 sparse Neighbor Count 1 Hello DR Intvl Pri 30 1 DR Address 182.168.1.20 Example ngfw{}show ip pim-sm neighbor Interface Address ethernet5 182.168.1.20 ngfw{}show ip pim-sm bsr-router PIMv2 Bootstrap information This system is the Bootstrap Router (BSR) BSR address: 182.168.1.10 Uptime: 00:00:26, BSR Priority: 10, Hash mask length: 30 Next bootstrap message in 00:00:34 ngfw{}show ip pim-sm rp The PIM RP Set Group: 239.
Example NGFW{}show ip route debug Codes: K - kernel route, C- connected, S - static, R - RIP, O - OSPF, B - BGP, > - selected route, * - FIB route K * C>* C>* C>* K>* S>* C>* C>* C>* C>* 127.0.0.0/8 is directly connected, unknown(0) inactive, rej 127.0.0.0/8 is directly connected, lo 192.168.1.0/24 is directly connected, ethernet13 192.168.100.0/24 is directly connected, ethernet14 224.0.0.2/32 is directly connected, lo501 0.0.0.0/0 [1/0] [vrf 500] via 15.220.140.254, mgmt 15.220.140.
Startup Query Count: 2 General Query Timer Expiry: 00:01:19 Multicast groups joined: NGFW{}show ipv6 mld groups MLD Connected Group Membership Group Address Interface Uptime ff1e:11::1 ethernet1 00:00:04 Expires 00:04:16 Last Reporter fe80::215:17ff:fe3c:edea%ethernet1 show ipv6 mroute Shows IPv6 routing information for multicast routes.
Example NGFW{}show ipv6 pim-sm interface Interface Mode ethernet5 sparse Address: fe80::210:f3ff:fe24:5b82 DR Address: this system Neighbor Count 1 Hello DR Interval Priority 30 1 NGFW{}show ipv6 pim-sm neighbor Interface Address ethernet5 fe80::210:f3ff:fe24:5b5b PIM6v2 Bootstrap information This system is the Bootstrap Router (BSR) BSR address: 2001:200::10 Uptime: 00:20:00, BSR Priority: 10, Hash mask length: 126 Next bootstrap message in 00:00:00 NGFW{}show ipv6 pim-sm rp The PIM6 RP Set Group: ff1
Codes: O - ospfv3, > - selected route, * - FIB route O>* 1:1::/64 [110/2] via fe80::20c:29ff:fee0:c919, ethernet2, 00:00:28 O>* 2:2::2:2/128 [110/1] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28 O>* 2100::/64 [110/2] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28 O>* 2100::2/128 [110/1] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28 show ipv6 route ripng Shows the RIPng routes.
show license Syntax show license Example NGFW{}show license License: 1.0.0.11 (Transitional) Feature -------License Update TOS Update DV Auxiliary DV ReputationDV Status -----OK OK OK Info Info Permit Expiration ------- ---------Allow 10/3/2013 Allow 10/3/2013 Allow 10/3/2013 Deny Never Deny Never Details -------Using the transitional license. Not licensed to use feature. Not licensed to use feature.
show log-file summary [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more] show log-file system [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more] show log-file vpn [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more] show log-file boot [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum] [more] show log-file audit [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [
show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more] show log-file ipsBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more] show log-file quarantine [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COL
Example NGFW{}show log quarantine show log-file FILE_NAME stat Shows the beginning sequence number, ending sequence number, and number of messages for the given log file. Syntax show log-file FILE_NAME stat Example NGFW{}show log ipsBlock stat Display limited to 500 lines...
ADDRCONF(NETDEV_UP): ethernet7: link is not ready device ethernet7 entered promiscuous mode Example To tail the last 5 lines of the boot log file: NGFW{}show log-file boot tail 5 bridge1: port 8(ethernet7) entering disabled state bridge1: port 8(ethernet7) entering disabled state ADDRCONF(NETDEV_UP): ethernet7: link is not ready device ethernet8 left promiscuous mode device ethernet7 left promiscuous mode show mfg-info Shows manufacturing information.
    Rx packets dropped no pcb = 0
    Tx packets OK             = 275262516
    Tx packets dropped        = 1374
    Tx packets dropped no pcb = 0
    Rx bytes OK               = 14864242660
    Tx bytes OK               = 16515754024

show np general statistics
Shows general network processor information.
Other Ipv6Protocol: TCP UDP ICMPv6 ICMP IPv6 in IPv6 IPv4 in IPv6 GRE AH Other 132843 65240426 378 1350 3908 0 89760 2442 1398 0 53034 265014 1135803 1406824 0 77281416 1938618 1106502 0 44444961 show np reassembly Syntax show np reassembly (ip|tcp) Example NGFW{}show np reassembly ip Summary: Frags incoming Frags kept Frags outgoing Frags passed thru Frags dropped (duplicate) Frags recently reassembled Frags dropped (other) Dgrams completed = = = = = = = = 0 0 0 0 0 0 0 0 show np rule-stats Syntax
Sleuth inspected packets Sleuth matched packets Matched HW (Sleuth) but not softLinx Sleuth gave up Sleuth bypassed Sleuth bypassed zero payload length Sleuth overflow Matched nothing Linx rules created Linx rules deleted Discarded by the softlinx Total packets sent to softlinx Embedded Trigger matches Engine Trigger matches Trigger matches False pkt matches Good pkt matches SoftLinx trigger match roll over Highest flow based trigger match = = = = = = = = = = = = = = = = = = = 0 0 0 0 0 0 0 281567607 0 0
show quarantine-list
Syntax
    show quarantine-list
Example
    NGFW{}show quarantine-list
    IP    Reason

show reports
Show the status of the data collection for reports.
Syntax
    show reports
Example
    NGFW{}show reports
    CPU Utilization:     enabled
    Disk Utilization:    enabled
    Fan Speed:           enabled
    Memory Utilization:  enabled
    Network Bandwidth:   enabled
    Rate Limiter:        enabled
    Temperature:         enabled
    Traffic Profile:     enabled
    VPN:                 enabled

show service
Shows the state of all the services.
    Service NTP is inactive
    Service PPP-CtrlPlane is inactive
    Service ETHGRP-LACP is inactive

show sms
Syntax
    show sms
Example
    NGFW{}show sms
    Device is not under SMS control

show snmp
Syntax
    show snmp
Example
    NGFW{}show snmp
    #SNMP Status Enabled Version Engine ID Auth.
Example
    NGFW{}show system connections ipv4
    Active Internet connections (servers and established)
    vrfid Proto Recv-Q Send-Q Local Address      Foreign Address    State
    0     tcp   0      0      127.0.0.1:60000    0.0.0.0:*          LISTEN
    0     tcp   0      0      127.0.0.1:616      0.0.0.0:*          LISTEN
Example
    NGFW{}show system connections unix
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags   Type   State     I-Node
    unix  2      [ ACC ] STREAM LISTENING 40709  /var/tmp/apache2/logs/fcgidsock/7095.
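The `show system connections ipv4` listing above can be reviewed for listeners reachable from outside the appliance. The following Python is an added example, not part of the HP guide: the two loopback rows come from the guide, the other rows are constructed, and the allowed port set (22 and 443 for SSH and HTTPS management) is an assumption.

```python
import ipaddress

# First two data rows are from the guide; the rest are constructed
# (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_OUTPUT = """\
Active Internet connections (servers and established)
vrfid Proto Recv-Q Send-Q Local Address    Foreign Address     State
0     tcp   0      0      127.0.0.1:60000  0.0.0.0:*           LISTEN
0     tcp   0      0      127.0.0.1:616    0.0.0.0:*           LISTEN
0     tcp   0      0      0.0.0.0:22       0.0.0.0:*           LISTEN
0     tcp   0      0      192.0.2.10:443   0.0.0.0:*           LISTEN
0     tcp   0      0      0.0.0.0:8080     0.0.0.0:*           LISTEN
0     tcp   0      0      192.0.2.10:22    198.51.100.7:51514  ESTABLISHED
"""

# Assumption: management services expected to listen on this appliance.
ALLOWED_PORTS = {22, 443}


def parse_listeners(output):
    """Return (vrfid, proto, ip, port) for every IPv4 row in LISTEN state."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        # Data rows: vrfid proto recv-q send-q local foreign state
        if len(fields) != 7 or not fields[0].isdigit() or fields[6] != "LISTEN":
            continue
        host, _, port = fields[4].rpartition(":")
        try:
            ip = ipaddress.IPv4Address(host)
            listeners.append((int(fields[0]), fields[1], ip, int(port)))
        except ValueError:
            continue  # not an IPv4 address:port pair, ignore the row
    return listeners


def exposed(listeners, allowed_ports):
    """Return sorted (port, scope, status) for listeners not bound to loopback."""
    findings = []
    for _vrfid, _proto, ip, port in listeners:
        if ip.is_loopback:
            continue  # reachable only from the appliance itself
        scope = "all addresses" if ip.is_unspecified else str(ip)
        status = "expected" if port in allowed_ports else "unexpected"
        findings.append((port, scope, status))
    return sorted(findings)


if __name__ == "__main__":
    for port, scope, status in exposed(parse_listeners(SAMPLE_OUTPUT), ALLOWED_PORTS):
        print(f"port {port:<5} bound to {scope:<15} {status}")
```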
show system statistics
Syntax
    show system statistics [PROTO] [non-zero]
Example
    NGFW{}show system statistics

show system usage
Show system usage displays the overall system usage. You can run once, or display an updated version every INT seconds. Ctrl-C will exit a re-occurring update.
Syntax
    show system usage [update INT]
Example
    NGFW{} show system usage update 12

show system virtual-memory
Shows the system’s kernel memory usage in a table with the following column headings.
+ Service: captive-portals + captive-portal-config: 48 Bytes Maximum amounts: 175 Bytes Calls to alloc : 1 times + Service: misc + miscellaneous: 1383 Bytes Maximum amounts: 1585 Bytes Calls to alloc : 10 times + xmlMem: 4341373 Bytes Maximum amounts: 85010535 Bytes Calls to alloc : 53906 times show terminal Shows terminal type information.
NGFW{}show tse connection-table blocks Second device: NGFW{}show tse connection-table blocks The ‘TRHA’ indicates this is a connection created by state synchronization. show tse Shows threat suppression engine information. Syntax show tse (connection-table(blocks|trusts)|rate-limit) Example NGFW{}show tse connection-table blocks Blocked connections: None found.
    Failsafe: 1.0.0.1801
    System Boot Time: Sun Sept 15 21:14:57 2013
    Uptime: 05:17:01

shutdown
Allows you to shut down the system.
Syntax
    shutdown
Example
    NGFW{}shutdown
    You are about to shutdown the device. Please use the front panel buttons to restart the device manually. Make sure you have Committed all your changes, and clicked the Save Configuration button if you wish these changes to be applied when the device is restarted.
Example
    NGFW{}snapshot list
    Name             Date                       OS Version DV Version  Model   Restore
    ---------------- -------------------------- ---------- ----------- ------- -------
    s_041713         Wednesday, April 17 2013   1.0.0.3913 3.2.0.15172 S1020F  Yes

snapshot remove
Syntax
    snapshot remove
Example
    NGFW{}snapshot remove s_041713
    Success

snapshot restore
Restore system from saved snapshot.
traceroute
Traceroute shows you the path a packet of information takes from your computer to your destination. It lists all the routers it passes through until it reaches its destination, or fails. Traceroute tells you how long router to router hops take.
Syntax
    traceroute (A.B.C.D|HOSTNAME) [from A.B.C.D] [mgmt]
    (traceroute|traceroute6) X:X::X:X [from X:X::X:X] [mgmt]
Example
    NGFW{}traceroute 192.168.140.254
    traceroute: Warning: ip checksums disabled
    traceroute to 192.168.140.254 (192.168.140.
Example
    NGFW{}user-disk encryption enable
    WARNING: Changing the encryption status of the user disk will erase all traffic log, snapshot, and packet capture data on the disk.
    Do you want to continue (y/n)? [n]: y
    Success: User disk encryption enabled.
4 Log Configure Commands Enter the log-configure command to access the log configuration context. Enter a question mark (?) at the NGFW{log-configure} prompt to display a list of valid command entries. Then enter help commandname to display help for a specific command. display Displays log configuration settings.
    email set queueFile QUEUEFILE
    email set deadletter DEADLETTER
    email delete (sleepSeconds|maxRequeue|queueFile|deadletter)
Example
    NGFW{log-configure}email set sleepSeconds 600
    NGFW{log-configure}email delete sleepSeconds
    NGFW{log-configure}email set maxRequeue 1
    NGFW{log-configure}email delete maxRequeue
    NGFW{log-configure}email set queueFile myqueuefile
    NGFW{log-configure}email delete queueFile
    NGFW{log-configure}email set deadletter mydeadletterfile
    NGFW{log-configure}email delete deadletter

log-file-s
    log-test (all|audit|vpn|quarantine|logID LOGID) [critical [MESSAGE]]
    log-test (all|audit|vpn|quarantine|logID LOGID) [error [MESSAGE]]
    log-test (all|audit|vpn|quarantine|logID LOGID) [warning [MESSAGE]]
    log-test (all|audit|vpn|quarantine|logID LOGID) [notice [MESSAGE]]
    log-test (all|audit|vpn|quarantine|logID LOGID) [info [MESSAGE]]
    log-test (all|audit|vpn|quarantine|logID LOGID) [debug [MESSAGE]]
    log-test (all|audit|vpn|quarantine|logID LOGID) [msg MESSAGE]
Valid entries:
    all      All log systems
    audit    Audi
maxFileSize MAXFILESIZE MB FILE_NAME Files Records delete Max size a 'rotated' log file Max log rotation file size in MB (10 - 500) Megabytes Local log file name Number of logrotation files Number of records between log daemon size checks Delete the logrotation parameter Example NGFW{log-configure}rotate NGFW{log-configure}rotate NGFW{log-configure}rotate NGFW{log-configure}rotate NGFW{log-configure}rotate NGFW{log-configure}rotate NGFW{log-configure}rotate NGFW{log-configure}rotate 56 Log Configure Com
5 Edit Running Configuration Commands Enter the edit command to access the configuration mode. In edit mode, you can perform numerous configurations, such as firewall rules and policies, and authentication. Once you have executed the edit command the CLI prompt will appear as NGFW{running}. Configuration options, and sub contexts are available until you exit. To exit the edit configuration mode, enter exit.
Table 5-2 Network Commands running-dhcp-relay Context Commands NGFW{running}dhcp relay running-dhcp-server Context Commands NGFW{running}dhcp server running-dhcp-server-X Context Commands NGFW{running-dhcp-server}scope myscope Policy Table 5-3 Policy Commands (immediate commit context) running-actionsets Context Commands running-actionsets-X Context Commands running-addressgroups Context Commands running-addressgroups-X Context Commands (immediate commit context) running-app-filter-mgmt Context Co
Table 5-3 Policy Commands running-snat Context Commands running-snat-rule-X Context Commands NGFW{running}src-nat NGFW{running-snat}rule snat1 running-zones Context Commands running-zones-X Context Commands NGFW{running}zones NGFW{running-zones}zone myzone1 Authentication Table 5-4 Authentication Commands running-aaa Context Commands running-aaa-ldap-group-X Context Commands running-aaa-radius-group-X Context Commands NGFW{running-aaa} NGFW{running-aaa}ldap-group mygroup NGFW{running-aaa}radius-gro
Example NGFW{}edit NGFW{running}aaa NGFW{running-aaa}help NGFW{running-aaa}display user fred xml fred $password$ 1373049840 NGFW{running-aaa}exit Related commands running-aaa Context Commands actionsets Enters action sets context mode. Changes are committed and take effect immediately.
threshold verbosity Set quarantine threshold value Set packet trace verbosity Related commands running-actionsets Context Commands addressgroups Enters address group context.
NOTE: Attempting to create an application group from the CLI will result in an error while parsing the CRITERIASTRING parameter. The CRITERIASTRING format is deliberately obfuscated and not supported to prevent users from creating or editing application group criteria from the CLI. Support for setting and getting criteria through the obfuscated format is included so that users can still copy output of CLI display commands and paste them back in.
display enable help [full|COMMAND] list periodic proxy ADDR port PORT proxy-password PASSWD proxy-username USER update NGFW{running-autodv}? Valid entries at this position are: calendar Enter Calender Style delete Delete file or configuration item disable Disable service display Display file or configuration item enable Enable service help Display help information list List Installed DVs periodic Enter Periodic Style proxy Configure proxy proxy-password Proxy password proxy-username Proxy username update Up
delete rule all|RULEID help [full|COMMAND] rename rule RULEID NEWRULEID rule (auto|RULEID) [POSITION_VALUE] set max-session-time MINUTES set inactive-timeout MINUTES set port PORT set certificate CERTNAME set login-page|status-page foreground-color|background-color HEX|COLOR set login-page header-HTML|footer-HTML|failed-HTML set status-page foreground-color|background-color HEX|COLOR set status-page main-HTML reset max-session-time|inactive-timeout|port|certificate reset login-page|status-page foreground-co
Example NGFW{running}cluster NGFW{running-cluster}help Valid commands are: check CHECK_TYPE enable|disable cluster-name NAME delete standby enable|disable help [full|COMMAND] member-id ID member-name NAME standby tct NGFW{running-cluster}? Valid entries at this position are: check Perform consistency check cluster-name Apply Cluster Name delete Delete file or configuration item disable Disable clustering enable Enable clustering help Display help information member-id Cluster Member ID member-name Cluster m
Example NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete NGFW{running}delete segment78 interface agglink0 interface bridge0 interface gre0 i
delete proxy cache maximum negative ttl delete proxy cache maximum ttl delete proxy cache size domain-name NAME domain-search primary NAME help [full|COMMAND] name-server A.B.C.D|X:X::X:X proxy cache cleaning interval cache cleaning interval in minutes proxy cache forwarder A.B.C.
Example NGFW{running}firewall NGFW{running-firewall}help Valid commands are: default-block-rule DEFACTIONSET delete rule all|XRULEID help [full|COMMAND] rename rule XRULEID NEWRULEID rule (auto|RULEID) [POSITION_VALUE] NGFW{running-firewall}? Valid entries at this position are: default-block-rule Apply action set for default block rule delete Delete firewall rule help Display help information rename Rename a firewall rule rule Create or enter a rule context Related commands running-firewall Context Command
arp auto-restart Configure static ARP entry Enable/disable automatic restart on detection of critical problem delete Delete file or configuration item display Display general context ephemeral-port-range Set the range of the ephemeral port (default is 32768-61000) forwarding Enable or disable IPv4/IPv6 forwarding help Display help information host Configure static address to host name association https Enable or disable WEB server configuration inband-management Inband Management management-service Managem
delete failover-group name enable|disable failover-group base-mac X:X:X:X:X:X failover-group name NAME help [full|COMMAND] state-sync (global [enable|disable])|(FEATURE [enable|disable|(log-level SEVERITY)]) NGFW{running-high-availability}? Valid entries at this position are: delete Delete file or configuration item disable Disable high-availability enable Enable high-availability failover-group Failover Group help Display help information state-sync State synchronization NGFW{running-high-availability}help
    interface bridgeX
    interface ethernetX
    interface greX
    interface l2tpX
    interface loopbackX
    interface mgmt
    interface pppoeX
    interface pptpX
    interface vlanX
Example
    NGFW{running}interface bridge2
    NGFW{running-bridge2}?
    Valid entries at this position are:
    arp/ndp        Enable or disable ARP and NDP on interface
    autoconfv6     Enable or disable IPv6 autoconfiguration on interface
    bind           Bind bridged network interface over ethernet/VLAN/agglink
    delete         Delete file or configuration item
    description    Enter description for the i
Syntax ip access-list NAME (permit|deny) A.B.C.D/M ip as-path access-list NAME (permit|deny) ASN_FILTER delete ip as-path access-list NAME (permit|deny) ASN_FILTER ip community-list NAME (permit|deny) ((AA:NN)|internet|local-as|no-advertise|no-export) delete ip community-list NAME (permit|deny) ((AA:NN)|internet|local-as|no-advertise|no-export) ip prefix-list NAME (permit|deny) A.B.C.D/M [ge GE-VALUE] [le LE-VALUE] ip route A.B.C.D/M A.B.C.
profile PROFILENAME quarantine-duration DURATION rename profile XPROFILENAME NEWPROFILENAME NGFW{running-ips}? Valid entries at this position are: afc-mode AFC mode afc-severity AFC severity connection-table Connection table timeout delete Delete a profile deployment-choices Get deployment choices display Display all ips configuration and profiles display-categoryrules Display category rules for all profiles gzip-decompression GZIP decompression mode help Display help information profile Create/enter a IPS
Valid commands are: auth enable|disable auth shared-secret A.B.C.D|any secret-key bind none|any|(A.B.C.D [port]) delete auth shared-secret A.B.C.
NGFW{running-log}display
# LOG SERVICES
log system "Management Console" notice
#log audit "Management Console" ALL
log vpn "Management Console" info
log quarantine "Management Console" ALL
# SUB-SERVICES
sub-system INIT info
sub-system XMS notice
sub-system TOS info
sub-system HTTPD notice
sub-system GATED none
sub-system LOGIN notice
sub-system PACEMAKER error
sub-system COROSYNC notice
sub-system CRMADMIN none
Related commands
running-log Context Commands
multicast-registration Enters multicast regis
Entering Immediate Commit Feature. Changes take effect immediately.
server Configure remote NTP server Related commands running-ntp Context Commands reputation Enters Reputation context mode. Syntax reputation Example NGFW{running}reputation Entering Immediate Commit Feature. Changes take effect immediately.
router Enters the specified router protocol context.
delete schedule all|SCHEDULENAME help [full|COMMAND] rename schedule SCHEDULENAME NEWSCHEDULENAME schedule SCHEDULENAME NGFW{running-schedules}? Valid entries at this position are: delete Delete a schedule help Display help information rename Rename a schedule schedule Create or enter a schedule context Related commands running-schedules Context Commands segmentX Enters Segment context mode. The X represents a segment number, for example segment0.
services Enters services context mode.
Valid entries at this position are: authtrap Configure SNMP authentication failure trap community Configure SNMP read-only community delete Delete file or configuration item engineID Configure SNMPv3 engine ID help Display help information snmp Enable or disable SNMP trapsession Configure a trap/inform username Configure SNMPv3 USM read-only user Related commands running-snmp Context Commands src-nat Enters source NAT context mode.
delete vpn (all|NAME) help [full|COMMAND] ipsec enable|disable log vpn CONTACT-NAME [SEVERITY] manual phase1 VERSION proposal NAME phase2 VERSION proposal NAME policy NAME [PRIORITY] pre-shared-key local A.B.C.D|X:X::X:X|LFQDN remote A.B.C.
Related commands running-zones Context Commands Contexts and Related Commands running-aaa Context Commands NGFW{running-aaa}delete Delete file or configuration item.
Syntax ldap-group LDAPNAME Example NGFW{running-aaa}ldap-group mygroup NGFW{running-aaa}ldap-schema Configure LDAP schema. Syntax ldap-schema SCHEMA SCHEMA (active-directory|novell-edirectory|fedora-ds|rfc2798|rfc2307nis|samba|custom) Example NGFW{running-aaa}ldap-schema custom NGFW{running-aaa-ldap-schema-custom} NGFW{running-aaa}login Configure login settings.
NGFW{running-aaa}remote-login-group Configure LDAP or RADIUS group to use for either network or administrative login. Syntax remote-login-group (network|administrator) (GROUP|none) Example NGFW{running-aaa}remote-login-group administrator group1 NGFW{running-aaa}role Configure an access role. Syntax role ROLE [OLDROLE] Example NGFW{running-aaa}role myrole1 NGFW{running-aaa}user Configure a name identified user.
Syntax
bind-dn DN
Example
NGFW{running-aaa-ldap-group-mygroup1}bind-dn CN=admin,OU=People,DC=example,DC=com
NGFW{running-aaa-ldap-group-mygroup1}bind-password Configure LDAP bind password.
Syntax
bind-password PASSWORD
Example
NGFW{running-aaa-ldap-group-mygroup1}bind-password mysecret
NGFW{running-aaa-ldap-group-mygroup1}delete Delete file or configuration item.
Syntax
delete server (ADDRESS|all)
Example
NGFW{running-aaa-ldap-group-mygroup1}delete server 192.168.1.
NGFW{running-aaa-ldap-group-mygroup1}server Configure LDAP server address. Syntax server (A.B.C.D|X:X::X:X) priority (1-6) Example NGFW{running-aaa-ldap-group-mygroup1}server 192.168.1.1 priority 1 NGFW{running-aaa-ldap-group-mygroup1}server 192.168.1.2 priority 2 NGFW{running-aaa-ldap-group-mygroup1}timeout Configure timeout. Syntax timeout SECONDS Example NGFW{running-aaa-ldap-group-mygroup1}timeout 10 NGFW{running-aaa-ldap-group-mygroup1}tls Configure TLS.
NGFW{running-aaa-radius-group-2}delete Delete file or configuration item. Syntax delete server (A.B.C.D|X:X::X:X|all) Example NGFW{running-aaa-radius-group-2}delete server 192.168.1.1 NGFW{running-aaa-radius-group-2}retries Configure server retries. Syntax retries (0-5) Example NGFW{running-aaa-radius-group-2}retries 3 NGFW{running-aaa-radius-group-2}server Configure server. Syntax server (A.B.C.
NGFW{running-actionsets}rename Rename action set oldname newname. Syntax rename actionset ACTIONSETNAME NEWACTIONSETNAME Example NGFW{running-actionsets}rename actionset myactionset1 myactionset2 running-actionsets-X Context Commands NGFW{running-actionsets-myactionset1}action Set action type. Available values: permit, rate-limit, block, trust. Immediate Commit Feature. Changes take effect immediately.
NGFW{running-actionsets-myactionset1}delete Delete file or configuration item.
Syntax
delete allow-access DESTIP
delete contact XCONTACTNAME
delete limit-quarantine SOURCEIP
delete no-quarantine SOURCEIP
Example
NGFW{running-actionsets-myactionset1}delete allow-access 192.168.1.1
NGFW{running-actionsets-myactionset1}delete contact mycontact1
NGFW{running-actionsets-myactionset1}delete limit-quarantine 192.168.1.1
NGFW{running-actionsets-myactionset1}delete no-quarantine 192.168.1.
NGFW{running-actionsets-myactionset1}http-showname Set or clear HTTP show name display option. Syntax http-showname (enable|disable) Example NGFW{running-actionsets-myactionset1}http-showname enable NGFW{running-actionsets-myactionset1}limit-quarantine Add IP for limit quarantine. Syntax limit-quarantine SOURCEIP Example NGFW{running-actionsets-myactionset1}limit-quarantine 192.168.1.1 NGFW{running-actionsets-myactionset1}limit-rate Set the rate value for rate-limit action.
Example NGFW{running-actionsets-myactionset1}packet-trace enable NGFW{running-actionsets-myactionset1}priority Set packet trace priority. Syntax priority PRIORITY Example NGFW{running-actionsets-myactionset1}priority medium NGFW{running-actionsets-myactionset1}quarantine Set quarantine option. Available options: no, immediate, threshold.
running-addressgroups Context Commands NGFW{running-addressgroups}addressgroup Create or enter an address group context. Syntax addressgroup GROUPNAME Example NGFW{running}addressgroups NGFW{running-addressgroups}addressgroup mygroup1 NGFW{running-addressgroups-mygroup1} NGFW{running-addressgroups}delete Delete address group parameters.
Example NGFW{running-addressgroups-mygroup1}group mygroup2 NGFW{running-addressgroups-mygroup1}ipaddress Apply IPv4 or IPv6 address. Syntax ipaddress (A.B.C.D|A.B.C.D/M|X:X::X:X|X:X::X:X/M) Example NGFW{running-addressgroups-mygroup1}ipaddress 192.168.1.1 NGFW{running-addressgroups-mygroup1}ipaddress 192.168.1.0/24 NGFW{running-addressgroups-mygroup1}range Apply IPv4 or IPv6 address range. Syntax range (A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X) Example NGFW{running-addressgroups-mygroup1}range 192.168.1.
Example
NGFW{running-agglink0}bind ethernet5 mode active priority 1
NGFW{running-agglink0}bind ethernet6 mode active priority 1
NGFW{running-agglink0}bind ethernet7 mode active priority 1
NGFW{running-agglink0}bind ethernet8 mode active priority 1
NGFW{running-agglink0}delete Delete file or configuration item.
NGFW{running-agglink0}delete ip rip authentication mode md5
NGFW{running-agglink0}delete ip rip authentication mode text
NGFW{running-agglink0}delete ip rip receive version v2-only
NGFW{running-agglink0}delete ip rip send version v2-only
NGFW{running-agglink0}delete ip rip split-horizon
NGFW{running-agglink0}delete shutdown
NGFW{running-agglink0}delete ipaddress 192.168.1.1/24
NGFW{running-agglink0}delete ipaddress 100:0:0:0:0:0:0:1/64
NGFW{running-agglink0}description Enter description for the interface.
NGFW{running-agglink0}ip rip split-horizon poison-reverse NGFW{running-agglink0}ipaddress Configure IP address. Syntax ipaddress (A.B.C.D/M|X:X::X:X/M) [primary] ipaddress dhcpv4 Example NGFW{running-agglink0}ipaddress 192.168.1.1/24 NGFW{running-agglink0}ipaddress 100:0:0:0:0:0:0:1/64 primary NGFW{running-agglink0}ipv6 Configure IPv6 settings. Syntax ipv6 ipv6 ipv6 ipv6 ipv6 ipv6 ipv6 ipv6 ipv6 ipv6 ipv6 mld mld version (1|2) ospfv3 area (A.B.C.
Syntax mac-address (automatic|X:X:X:X:X:X) Example NGFW{running-agglink0}mac-address a1:b2:c3:d4:e5:f6 NGFW{running-agglink0}mac-address automatic NGFW{running-agglink0}mtu Configure interface MTU in bytes. Syntax mtu (default|VALUE) VALUE (68-9216) Example NGFW{running-agglink0}mtu 1500 NGFW{running-agglink0}prefix Configure IPv6 prefix.
Syntax ra-interval-transmit (enable|disable) Example NGFW{running-agglink0}ra-interval-transmit enable NGFW{running-agglink0}ra-lifetime Modify IPv6 Router Advertisement prefix lifetime in seconds. Syntax ra-lifetime (0-9000000) Example NGFW{running-agglink0}ra-lifetime 1800 NGFW{running-agglink0}ra-mtu Modify IPv6 Router Advertisement MTU value in bytes.
Example NGFW{running-agglink0}tcp4mss automatic NGFW{running-agglink0}tcp6mss Configure interface TCP MSS for IPv6. Syntax tcp6mss (disable|automatic|VALUE) VALUE 4-65535 Example NGFW{running-agglink0}tcp6mss automatic running-app-filter-mgmt Context Commands Immediate Commit Feature. Changes take effect immediately. Change management settings for an application filter.
NGFW{running-app-groups}delete Delete application-group. Syntax delete application-group APPNAME Example NGFW{running-app-groups}delete application-group FaceBook NGFW{running-app-groups}rename Rename application-group. Syntax rename application-group APPNAME NEWAPPNAME Example NGFW{running-app-groups}rename application-group FaceBook facebook1 running-app-groups-X Context Commands Immediate Commit Feature. Changes take effect immediately.
Example NGFW{running-autodv}calendar NGFW{running-autodv}delete Delete file or configuration item. Syntax delete proxy delete proxy-password delete proxy-username Example NGFW{running-autodv}delete proxy-password NGFW{running-autodv}delete proxy-username NGFW{running-autodv}delete proxy NGFW{running-autodv}disable Disable service. Syntax disable Example NGFW{running-autodv}disable NGFW{running-autodv}enable Enable service.
Example
NGFW{running-autodv}periodic
NGFW{running-autodv}proxy Configure proxy.
Syntax
proxy ADDR port PORT
proxy-password PASSWD
proxy-username USER
Example
NGFW{running-autodv}proxy 192.168.1.1 port 443
NGFW{running-autodv}proxy-password mypassword
NGFW{running-autodv}proxy-username myusername
NGFW{running-autodv}update Update AutoDV.
Syntax
update
Example
NGFW{running-autodv}update
running-autodv-calendar Context Commands
Immediate Commit Feature. Changes take effect immediately.
Example NGFW{running-autodv-calendar}time ? Valid entry at this position is: HOURS Value range is 0 - 23 NGFW{running-autodv-calendar}time 17:00 running-autodv-periodic Context Commands Immediate Commit Feature. Changes take effect immediately. NGFW{running-autodv}periodic NGFW{running-autodv-periodic}day Day of the week to update.
Example NGFW{running-bgp-1}help aggregate-address Configure BGP aggregate entries Syntax: aggregate-address A.B.C.D/M [as-set] [summary-only] aggregate-address Configure BGP aggregate entries A.B.C.D/M Aggregate prefix as-set Generate AS set path information summary-only Filter more specific routes from updates NGFW{running-bgp-1}always-compare-med Always compare MEDs from neighbors in different AS. Syntax always-compare-med NGFW{running-bgp-1}delete Delete file or configuration item.
distance Delete administrative distances
graceful-restart Delete BGP graceful restart
local-preference Delete the default local preference
neighbor Delete configured BGP neighbor
network Delete a network to announce via BGP
redistribute Delete route redistribution from another routing protocol
router-id Delete the BGP router identifier
timers Delete BGP timers
NGFW{running-bgp-1}deterministic-med Pick the best-MED route from the neighboring AS.
Syntax: enable enable Enable BGP NGFW{running-bgp-1}graceful-restart Set the BGP graceful restart.
neighbor NAME peer-group NGFW{running-bgp-1}network Specify a network to announce through the BGP. Syntax network A.B.C.D/M Example NGFW{running-bgp-1}network 192.168.0.3/24 NGFW{running-bgp-1}redistribute Redistribute routes from another routing protocol.
running-blockedStreams Context Commands NGFW{running}blockedStreams NGFW{running-blockedStreams}flushallstreams Flush All Reports. Syntax flushallstreams Example NGFW{running-blockedStreams}flushallstreams NGFW{running-blockedStreams}flushstreams Flush reports. Syntax flushstreams Example NGFW{running-blockedStreams}flushstreams NGFW{running-blockedStreams}list List reports.
Syntax
bind PORT
Example
NGFW{running-bridge0}bind ethernet5
NGFW{running-bridge0}bind ethernet6
NGFW{running-bridge0}bind ethernet7
NGFW{running-bridge0}bind ethernet8
NGFW{running-bridge0}delete Delete file or configuration item.
Syntax delete delete delete delete delete delete delete delete delete delete bind (all|PORT) ip igmp ip igmp version ipaddress (all|A.B.C.
ip ospf hello-interval VALUE [A.B.C.D] ip ospf priority VALUE ip ospf retransmit-interval VALUE ip ospf transmit-delay VALUE ip rip ip rip authentication mode md5 (0-2147483647) KEY ip rip authentication mode text ip rip receive version VERSION ip rip send version VERSION ip rip split-horizon [poison-reverse] ipaddress (A.B.C.D/M|X:X::X:X/M) [primary] ipv6 mld Example NGFW{running-bridge0}ip igmp version 3 NGFW{running-bridge0}ip igmp NGFW{running-bridge0}ipaddress Configure IP address.
Example NGFW{running-bridge0}mtu 1280 NGFW{running-bridge0}prefix Configure IPv6 prefix. Syntax prefix X:X::X:X/M [valid-lifetime SECONDS] [preferred-lifetime SECONDS] SECONDS (1-4294967295) Example NGFW{running-bridge0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000 preferred-lifetime 604800 NGFW{running-bridge0}ra-autoconf-level Modify IPv6 Router Advertisement autoconfiguration level.
Syntax ra-lifetime (0-9000000) Example NGFW{running-bridge0}ra-lifetime 1800 NGFW{running-bridge0}ra-mtu Modify IPv6 Router Advertisement MTU value. Syntax ra-mtu (none|MTU) MTU value advertised(68-9216)(0 if none) Example NGFW{running-bridge0}ra-mtu none NGFW{running-bridge0}ra-mtu 1500 NGFW{running-bridge0}ra-transmit-mode Modify IPv6 Router Advertisement transmit mode.
NGFW{running-bridge0}tcp6mss Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|4-65535)
disable Disable service
automatic Automatically select TCP MSS based on interface MTU
(4-65535) TCP MSS value for IPv6
Example
NGFW{running-bridge0}tcp6mss automatic
running-captive-portal Context Commands
NGFW{running}captive-portal
NGFW{running-captive-portal}delete Delete captive portal rule(s).
Syntax rule (auto|RULEID) [POSITION_VALUE] Example NGFW{running-captive-portal}rule auto NGFW{running-captive-portal}rule 20010 1 NGFW{running-captive-portal}rule watershed NGFW{running-captive-portal}set Set a Captive Portal parameter.
NGFW{running-captive-portal-rule-20000}description Apply rule description.
Syntax
description TEXT
Example
NGFW{running-captive-portal-rule-20000}description "captive portal rule"
NGFW{running-captive-portal-rule-20000}dst-address Apply destination address.
Syntax
dst-address (include|exclude) group ADDRESSGROUP
dst-address (include|exclude) ipaddress (A.B.C.D|X:X::X:X)
dst-address (include|exclude) ipaddress (A.B.C.D/M|X:X::X:X/M)
dst-address (include|exclude) range ((A.B.C.D A.B.C.
NGFW{running-captive-portal-rule-20000}src-zone Apply source security zone. Syntax src-zone (include|exclude) ZONENAME Example NGFW{running-captive-portal-rule-20000}src-zone include myzone1 NGFW{running-captive-portal-rule-20000}src-zone exclude myzone1 running-certificates Context Commands NGFW{running}certificates NGFW{running-certificates}ca-certificate Add CA certificate.
2048 2048-bit key size (default)
4096 4096-bit key size
Example
NGFW{running-certificates}cert-request myrequest
(Enter 'exit' to abort the command)
Enter Common Name (string, required): www.example.com
Enter Country (two letter code or 'none')[none]: US
Enter State (string or 'none')[none]:
Enter Locality (string or 'none')[none]:
Enter Organization (string or 'none')[none]:
Enter Unit (string or 'none')[none]:
Enter E-mail (string or 'none')[none]:
Enter FQDN (a string or 'none')[none]: www.example.
NQ9TR7THyOy9dwftwoKSXEmSMA0GCSqGSIb3DQEBBAUAA4GBAIzxQr3OK9Jzq+wh ZfKLLd0S7PbNZH7BfO7voEGtuC5fSPqbziwmOt9FYAg+U0rvIrHQI2DxSPHoxOA9 PISrOJgU6A2+VTbkZTJB32/Zng/hTDUQUkyyjllskdmafS1b9SSs0Z7SPuLu6VDB zR6PBzoFwaWk3nX2lYsk/gFpf07z -----END CERTIFICATE----- NGFW{running-certificates}crl Certificate revocation list. Syntax crl Example NGFW{running-certificates}crl NGFW{running-certificates}delete Delete file or configuration item.
zR6PBzoFwaWk3nX2lYsk/gFpf07z
-----END CERTIFICATE-----
# CERTIFICATE REQUESTS
cert-request myrequest key-size 2048
-----BEGIN CERTIFICATE REQUEST-----
MIICpjCCAY4CAQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMTD3d3dy5leGFtcGxl
...
c8vOS1+G6R6o5s6tHDGPNYyVfCD1W+vxdCXVGR5zLsoB5eTL7bDR1NFKu/77FvKu
dLTq8hPpOt7gvQ==
-----END CERTIFICATE REQUEST-----
# Subject Identity
# CN= www.example.com C = US ST= none L = none O = none OU= none Email= none FQDN = www.example.
Example NGFW{running-certificates-crl}help add Valid commands are: # Enter context addressgroups # Other commands add CANAME local-import|(uri CRLURI) NGFW{running-certificates-crl}cache Enable or disable CRL cache fetched via HTTP. Syntax cache (enable|disable) Example NGFW{running-certificates-crl}cache enable NGFW{running-certificates-crl}delete Delete a CRL URI or file for a specified Certificate Authority.
Example NGFW{running-cluster}check config enable NGFW{running-cluster}cluster-name Apply cluster name. Syntax cluster-name NAME Example NGFW{running-cluster}cluster-name ? Valid entry at this position is: NAME Cluster name (1-30 characters) NGFW{running-cluster}delete Delete file or configuration item. Syntax delete standby Example NGFW{running-cluster}delete ? Valid entry at this position is: standby Remove the device from standby NGFW{running-cluster}disable Disable clustering.
Example NGFW{running-cluster}member-id ? Valid entry at this position is: ID Member ID NGFW{running-cluster}member-name Cluster member name. Syntax member-name NAME Example NGFW{running-cluster}member-name ? Valid entry at this position is: NAME Member name (1-30 characters) NGFW{running-cluster}standby Sets the device on standby. Syntax standby Example NGFW{running-cluster}standby NGFW{running-cluster}tct Enter cluster traffic context.
NGFW{running-cluster-tct}encryption Apply encryption hash.
NGFW{running-cluster-tct}mtu Apply MTU. Syntax mtu (68-9216) Example NGFW{running-cluster-tct}mtu 1500 NGFW{running-cluster-tct}multicast Apply multicast IPv4 address. Syntax multicast A.B.C.D Example NGFW{running-cluster-tct}multicast 192.168.0.32 NGFW{running-cluster-tct}physical-media Apply physical-media settings. Auto-negotiation is the default.
Example NGFW{running-cluster-tct}retry 3 NGFW{running-cluster-tct}timeout Apply timeout. Syntax timeout N N Apply timeout value(100-10000) Example NGFW{running-cluster-tct}timeout 160 NGFW{running-cluster-tct}ttl Apply TTL. Syntax ttl N N Apply TTL value(1-255) Example NGFW{running-cluster-tct}ttl 2 running-dhcp-relay Context Commands NGFW{running}dhcp relay NGFW{running-dhcp-relay}client Configure client interface.
Syntax disable Example NGFW{running-dhcp-relay}help disable Disable DHCP relay Syntax: disable disable Disable service NGFW{running-dhcp-relay}enable Enable service. Syntax enable Example NGFW{running-dhcp-relay}help enable Enable DHCP relay Syntax: enable enable Enable service NGFW{running-dhcp-relay}server Configure server interface. Syntax server (interface IFNAME)|(address A.B.C.D) Example NGFW{running-dhcp-relay}help server address Configure server address Syntax: server (address A.B.C.D) A.B.C.
NGFW{running-dhcp-server}disable Disable server. Syntax disable Example NGFW{running-dhcp-server}disable NGFW{running-dhcp-server}display Display configuration item. Syntax display scope NAME Example NGFW{running-dhcp-server}help display Valid commands are: # Manage context display [xml] # Other commands display scope NAME [xml] NGFW{running-dhcp-server}enable Enable server. Syntax enable Example NGFW{running-dhcp-server}enable NGFW{running-dhcp-server}scope Configure scope.
Example NGFW{running-dhcp-server-myscope}help address-range Configure IP address range Syntax: address-range A.B.C.D A.B.C.D A.B.C.D First address A.B.C.D Last address NGFW{running-dhcp-server-myscope}default-gateway Configure default gateway. Syntax default-gateway (myself|A.B.C.D) Example NGFW{running-dhcp-server-myscope}help default-gateway Configure default gateway Syntax: default-gateway myself|A.B.C.D myself Use subnets IP address as default gateway A.B.C.
Example NGFW{running-dhcp-server-myscope}help dns-server Configure DNS server Syntax: dns-server A.B.C.D primary|secondary|tertiary A.B.C.D IPv4 address primary Configure primary server secondary Configure secondary server tertiary Configure tertiary server NGFW{running-dhcp-server-myscope}domain-name Configure Domain Name. Syntax domain-name NAME Example NGFW{running-dhcp-server-myscope}domain-name americas NGFW{running-dhcp-server-myscope}exclude Configure excluded IP address. Syntax exclude A.B.C.
Configure DHCPv4 lease Syntax: lease <0-1073741824> <0-1073741824> Lease value in seconds (0-1073741824) NGFW{running-dhcp-server-myscope}option Configure options.
Syntax delete rule (all|DSTNATRULEID) Example NGFW{running-dnat}delete rule 123 NGFW{running-dnat}rename Rename destination NAT rule. Syntax rename dnat DSTNATRULEID NEWDSTNATRULEID Example NGFW{running-dnat}rename rule 123 dnat1 NGFW{running-dnat}rule Create or enter a rule context.
NGFW{running-dnat-rule-dnat1}description Apply rule description. Syntax description TEXT Example NGFW{running-dnat-rule-dnat1}description "destination nat rule" NGFW{running-dnat-rule-dnat1}dst-address Apply destination address. Syntax dst-address (include|exclude) ipaddress (A.B.C.D|A.B.C.D/M) dst-address (include|exclude) range A.B.C.D A.B.C.D dst-address (include|exclude) group ADDRESSGROUP Example NGFW{running-dnat-rule-dnat1}dst-address include ipaddress 192.168.1.
Syntax src-zone (include|exclude) ZONENAME Example NGFW{running-dnat-rule-dnat1}src-zone include myzone1 NGFW{running-dnat-rule-dnat1}src-zone exclude myzone1 NGFW{running-dnat-rule-dnat1}tcp Create tcp protocol translation. Syntax tcp dst-port PORT [to PORT] translate-to TRANS-PORT [to TRANS-PORT] Example NGFW{running-dnat-rule-dnat1}tcp dst-port 80 to 81 translate-to 8080 to 8081 NGFW{running-dnat-rule-dnat1}translate-to Apply translation. Syntax translate-to ipaddress (A.B.C.D|A.B.C.
Example NGFW{running-dns}delete proxy cache ? Valid entries at this position are: cleaning Delete cleaning forwarder Delete forwarder maximum Delete maximum size Delete size NGFW{running-dns}delete domain-search tertiary NGFW{running-dns}delete domain-search secondary NGFW{running-dns}delete domain-search primary NGFW{running-dns}domain-name Configure domain name.
Syntax
proxy (enable|disable)
proxy cache cleaning interval cache cleaning interval in minutes
proxy cache forwarder A.B.C.D|X:X::X:X
proxy cache maximum negative ttl cache maximum negative ttl in minutes
proxy cache maximum ttl cache maximum ttl in minutes
proxy cache size cache size in megabytes
Example
NGFW{running-dns}proxy enable
running-ethernetX Context Commands
NGFW{running}interface ethernet1
NGFW{running-ethernet1}arp/ndp Enable or disable ARP and NDP on interface.
delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete ipaddress (all|A.B.C.
NGFW{running-ethernet1}ip Configure IP settings. Syntax ip ip ip ip ip ip ip ip ip ip ip ip ip ip ip ip ip ip igmp igmp version (1|2|3) ospf area (A.B.C.D|(0-4294967295)) ospf authentication mode md5 (1-255) KEY ospf authentication mode text KEY ospf cost (1-65535) ospf dead-interval (1-65535) ospf hello-interval (1-65535) [A.B.C.
delete dhcp dhcp display dns-request help ntp-request option Delete file or configuration item Configure DHCPv4 client Enable or disable DHCPv4 client service Display DHCPv4 client context Ask for DNS server IPv4 address or not Display help information Ask for NTP server IPv4 address or not Configure DHCPv4 client option name NGFW{running-ethernet1-dhcpv4}help Valid commands are: client identifier none|(hexa HEXA-ID)|(ascii ASCII-ID) client name none|NAME defaultroute-request enable|disable delete option
ipv6 Configure IPv6 settings
ripng Configure RIPng over the interface
split-horizon Enable split-horizon
poison-reverse Enable poison-reverse
NGFW{running-ethernet1}mtu Configure interface MTU.
Syntax
mtu (default|(68-9216))
Example
NGFW{running-ethernet1}mtu 1500
NGFW{running-ethernet1}physical-media Apply physical-media settings. Auto-negotiation is the default or specify a supported port speed and mode.
Example NGFW{running-ethernet1}ra-autoconf-level full NGFW{running-ethernet1}ra-interval Modify IPv6 Router Advertisement interval value. Syntax ra-interval MILLISECONDS ra-interval (90-1800000) Example NGFW{running-ethernet1}ra-interval 600 NGFW{running-ethernet1}ra-interval-transmit Modify IPv6 Router Advertisement interval transmit.
smart Router Advert message is sent if a prefix is defined Example NGFW{running-ethernet1}ra-transmit-mode smart NGFW{running-ethernet1}restart Restart Ethernet port. Syntax restart Example NGFW{running-ethernet1}restart NGFW{running-ethernet1}shutdown Shutdown logical interface state. Syntax shutdown Example NGFW{running-ethernet1}shutdown NGFW{running-ethernet1}tcp4mss Configure interface TCP MSS for IPv4.
running-firewall Context Commands NGFW{running}firewall NGFW{running-firewall}default-block-rule Apply action set for default block rule. Syntax default-block-rule DEFACTIONSET Example NGFW{running-firewall}default-block-rule "Block + Notify + Trace" NGFW{running-firewall}delete Delete firewall rule. Syntax delete rule (all|XRULEID) Example NGFW{running-firewall}delete rule myrule1 NGFW{running-firewall}delete rule myrule1 NGFW{running-firewall}rename Rename a firewall rule.
Example NGFW{running-firewall-rule-myrule1}action "Permit + Notify + Trace" NGFW{running-firewall-rule-myrule1}application-group Apply application group. Syntax application-group APPGROUPNAME application-group ANONYMOUS CRITERIASTRING Example NGFW{running-firewall-rule-myrule1}application-group facebook NGFW{running-firewall-rule-myrule1}application-group ANONYMOUS NGFW{running-firewall-rule-myrule1}delete Delete file or configuration item.
delete delete delete delete delete dst-zone (exclude all|ZONENAME) user (include all|USERNAME) user (exclude all|USERNAME) user-group (include all|IN_GRP_NAME|IN_DN_GRP_NAME) user-group (exclude all|EX_GRP_NAME|EX_DN_GRP_NAME) Example NGFW{running-firewall-rule-myrule1}delete NGFW{running-firewall-rule-myrule1}delete NGFW{running-firewall-rule-myrule1}delete NGFW{running-firewall-rule-myrule1}delete NGFW{running-firewall-rule-myrule1}delete NGFW{running-firewall-rule-myrule1}delete NGFW{running-firewall-r
NGFW{running-firewall-rule-myrule1}dst-address include range 192.168.1.100 192.168.1.200 NGFW{running-firewall-rule-myrule1}dst-address include group mygroup1 NGFW{running-firewall-rule-myrule1}dst-zone Apply destination security zone. Syntax dst-zone (include|exclude) ZONENAME Example NGFW{running-firewall-rule-myrule1}dst-zone include myzone1 NGFW{running-firewall-rule-myrule1}dst-zone exclude myzone1 NGFW{running-firewall-rule-myrule1}enable Enable rule.
Syntax schedule (include|exclude) SCHEDULENAME Example NGFW{running-firewall-rule-myrule1}schedule include myhours1 NGFW{running-firewall-rule-myrule1}schedule exclude myhours1 NGFW{running-firewall-rule-myrule1}services Apply IP Services.
NGFW{running-firewall-rule-myrule1}user Apply user name. Syntax user (include|exclude) USER_NAME Example NGFW{running-firewall-rule-myrule1}user include myuser1 NGFW{running-firewall-rule-myrule1}user-group Apply user group name or LDAP-group DN. Syntax user-group (include|exclude) (USER_GRP_NAME|LDAP_GROUP_DN) Example NGFW{running-firewall-rule-myrule1}user-group include group1 running-gen Context Commands NGFW{running}gen NGFW{running-gen}arp Configure static ARP entry. Syntax arp A.B.C.
NGFW{running-gen}delete host myhost NGFW{running-gen}delete ndp 100::1 ethernet5 NGFW{running-gen}delete arp all NGFW{running-gen}help delete arp Delete configured static ARP entry Syntax: delete arp all|(ENTRY INTERFACE) delete Delete file or configuration item arp Delete configured static ARP entry all All settings ENTRY IPv4 address of ARP entry INTERFACE Interface of NDP entry NGFW{running-gen}ephemeral-port-range Set the range of the ephemeral port (default is 32768-61000).
Example NGFW{running-gen}https enable NGFW{running-gen}inband-management Inband Management. Syntax inband-management (enable|disable) Example NGFW{running-gen}inband-management enable NGFW{running-gen}management-service Management of a service to use the management port or the network port.
Example NGFW{running-gen}ndp 100:0:0:0:0:0:0:1 ethernet5 a1:b2:c3:d4:e5:f6 NGFW{running-gen}ssh Enable or disable ssh service. Syntax ssh (enable|disable) Example NGFW{running-gen}ssh enable NGFW{running-gen}timezone Display or configure time zone.
running-greX Context Commands NGFW{running}interface gre0 NGFW{running-gre0}autoconfv6 Enable or disable IPv6 autoconfiguration on interface. Syntax autoconfv6 (enable|disable) Example NGFW{running-gre0}autoconfv6 enable NGFW{running-gre0}bind Configure the GRE tunnel encapsulation. Syntax bind (local global ip) (remote global ip) bind A.B.C.D A.B.C.D bind X:X::X:X X:X::X:X Example NGFW{running-gre0}bind 192.168.1.1 192.168.2.
delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete ip rip send version VERSION ip rip split-horizon ipaddress A.B.C.
Example NGFW{running-gre0}description "GRE tunnel 0" NGFW{running-gre0}ip Configure IP settings. Syntax ip ip ip ip ip ip ip ip ip ip ip ip ip ip ip ip ip igmp igmp version (1|2|3) ospf area (A.B.C.D|(0-4294967295)) ospf authentication mode md5 (1-255) KEY ospf authentication mode text KEY ospf cost (1-65535) ospf dead-interval (1-65535) ospf hello-interval (1-65535) [A.B.C.
NGFW{running-gre0}ipv6 Configure IPv6 settings. Syntax ipv6 ipv6 ipv6 ipv6 ipv6 ipv6 ipv6 ipv6 ipv6 ipv6 ipv6 mld mld version (1|2) ospfv3 area (A.B.C.
Syntax
shutdown
Example
NGFW{running-gre0}shutdown
NGFW{running-gre0}tcp4mss Configure interface TCP MSS for IPv4.
Syntax
tcp4mss (disable|automatic|4-65535)
disable Disable service
automatic Automatically select TCP MSS based on interface MTU
VALUE TCP MSS value for IPv4
Example
NGFW{running-gre0}tcp4mss automatic
NGFW{running-gre0}tcp6mss Configure interface TCP MSS for IPv6.
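Several commands documented above take a secret as a command-line argument (bind-password, proxy-password, and the KEY of the ip rip / ip ospf authentication modes), so a saved CLI session contains those secrets verbatim. The following Python filter is an added example, not part of this guide or of the product: it masks those arguments in a session transcript and flags interfaces configured with authentication mode text. The transcript is constructed from this guide's own syntax; the device-name pattern, the mask string and the finding labels are assumptions.

```python
import re

# Prompt format used throughout this guide: NGFW{context}command arguments.
# Assumption: the text before "{" is the device name and may differ from "NGFW".
PROMPT_RE = re.compile(r"^(?P<host>[\w.-]+)\{(?P<context>[^}]*)\}(?P<command>.*)$")

# Commands from this guide whose last argument is a secret.
# "head" is kept as typed, "secret" is replaced by MASK.
SECRET_PATTERNS = [
    re.compile(r"^(?P<head>bind-password\s+)(?P<secret>\S.*)$"),
    re.compile(r"^(?P<head>proxy-password\s+)(?P<secret>\S.*)$"),
    re.compile(r"^(?P<head>ip\s+(?:rip|ospf)\s+authentication\s+mode\s+md5\s+\d+\s+)"
               r"(?P<secret>\S.*)$"),
    re.compile(r"^(?P<head>ip\s+(?:rip|ospf)\s+authentication\s+mode\s+text\s+)"
               r"(?P<secret>\S.*)$"),
]

# Assumption: "text" mode is the standard RIPv2/OSPF simple-password
# authentication, which carries the key unencrypted in every packet.
CLEARTEXT_AUTH_RE = re.compile(r"^ip\s+(?:rip|ospf)\s+authentication\s+mode\s+text\b")

MASK = "<REDACTED>"  # hypothetical marker, not something the CLI prints

# Constructed sample session (not captured from a device).
SAMPLE_TRANSCRIPT = "\n".join([
    "NGFW{running-aaa-ldap-group-mygroup1}bind-dn CN=admin,OU=People,DC=example,DC=com",
    "NGFW{running-aaa-ldap-group-mygroup1}bind-password mysecret",
    "NGFW{running-autodv}proxy 192.168.1.1 port 443",
    "NGFW{running-autodv}proxy-password mypassword",
    "NGFW{running-bridge0}ip rip authentication mode md5 1 ripkey1",
    "NGFW{running-ethernet1}ip ospf authentication mode text ospfkey1",
    "NGFW{running-bridge0}ip rip authentication mode text",
    "NGFW{running-cluster}cluster-name ?",
    "Valid entry at this position is:",
    "NAME Cluster name (1-30 characters)",
    "NGFW{running-aaa-ldap-group-mygroup1}bind-password ?",
])


def parse_line(line):
    """Return (host, context, command) for a prompt line, None for output lines."""
    m = PROMPT_RE.match(line.strip())
    if m is None:
        return None
    return m.group("host"), m.group("context"), m.group("command").strip()


def redact_command(command):
    """Mask the secret argument of a command; returns (safe_command, had_secret)."""
    for pattern in SECRET_PATTERNS:
        m = pattern.match(command)
        if m is None:
            continue
        if m.group("secret").strip() == "?":
            return command, False  # inline help query, nothing secret was typed
        return m.group("head") + MASK, True
    return command, False


def audit_transcript(text):
    """Return (redacted_text, findings); findings are (line_no, context, label)."""
    redacted, findings = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            redacted.append(raw)  # command output is passed through unchanged
            continue
        host, context, command = parsed
        safe, had_secret = redact_command(command)
        if had_secret:
            findings.append((line_no, context, "secret-on-command-line"))
        if CLEARTEXT_AUTH_RE.match(command):
            findings.append((line_no, context, "cleartext-routing-auth"))
        redacted.append(f"{host}{{{context}}}{safe}")
    return "\n".join(redacted), findings


if __name__ == "__main__":
    clean, found = audit_transcript(SAMPLE_TRANSCRIPT)
    print(clean)
    for line_no, context, label in found:
        print(f"line {line_no}: {label} in context {context}")
```

Run it over session logs before they are attached to tickets or stored in shared locations; every secret-on-command-line finding also marks a credential that should be rotated if the unredacted log was already shared.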
Example NGFW{running-high-availability}disable NGFW{running-high-availability}enable Enable high-availability. Syntax enable Example NGFW{running-high-availability}enable NGFW{running-high-availability}failover-group Allows you to define name and MAC address for a Failover Group. Syntax failover-group base-mac X:X:X:X:X:X failover-group name NAME Example NGFW{running-high-availability}failover-group name mygroupname NGFW{running-high-availability}state-sync Allows you to define state synchronization.
  automatic  Automatic AFC mode
  manual     Manual AFC mode

NGFW{running-ips}afc-severity
Configures AFC severity level.
Syntax
  afc-severity SEVERITY
Example
  NGFW{running-ips}afc-severity ?
  Valid entries for SEVERITY:
  critical  Critical severity
  error     Error severity
  info      Info severity
  warning   Warning severity

NGFW{running-ips}connection-table
Configures connection table timeout.
  Aggressive  "Offers a more aggressive security posture that may require tuning based upon specific application protocol usage."
  Core        "Recommended for deployment in the network core."
  Edge        "Recommended for deployment in a Server Farm/DMZ."
  Perimeter   "Recommended for deployment at an Internet entry point."

NGFW{running-ips}display-categoryrules
Display category rules for all profiles.
Example
  NGFW{running-ips}quarantine-duration 60

NGFW{running-ips}rename
Renames a profile.
Syntax
  rename profile PROFILENAME NEWPROFILENAME
Example
  NGFW{running-ips}rename profile myprofile yourprofile

running-ips-X Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running-ips}profile 1

NGFW{running-ips-1}categoryrule
Enters categoryrule context.
Example
  NGFW{running-ips-1}delete filter 9

NGFW{running-ips-1}deployment
Change deployment.
Syntax
  deployment (Aggressive|Core|Default|Edge|Perimeter)
Example
  NGFW{running-ips-1}deployment Default

NGFW{running-ips-1}description
Edit description for a profile.
Syntax
  description DESCRIPTION
Example
  NGFW{running-ips-1}description "my description"

NGFW{running-ips-1}filter
Creates or enters a filter context.
  pre-shared-keys     Delete pre-shared-keys
  retransmit-timeout  Delete Dead Peer Detection retransmit-timeout
  retransmit-tries    Delete Dead Peer Detection retransmit-tries
  trust               Delete certification authority trust
  user                delete user context
  vpn                 Delete IPsec Virtual Private Networks
Example
  NGFW{running-ipsec}delete phase1 proposal all

NGFW{running-ipsec}ipsec
Enables or disables IPsec.
Syntax
  ipsec (enable|disable)
Example
  NGFW{running-ipsec}ipsec enable

NGFW{running-ipsec}log
Add log to a log session.
Example
  NGFW{running-ipsec}phase1 1 proposal propname
  NGFW{running-phase1-proposal-propname}help
  NGFW{running-phase1-proposal-propname}?

NGFW{running-ipsec}phase2
Enters phase2 proposal context.
  Enter pre-shared key:**************

NGFW{running-ipsec}retransmit-timeout
Configures IKEv2 Dead Peer Detection retransmission timeout in seconds.
Syntax
  retransmit-timeout TIMEOUT
  TIMEOUT  Configure IKEv2 Dead Peer Detection retransmission timeout in seconds
Example
  NGFW{running-ipsec}retransmit-timeout 60

NGFW{running-ipsec}retransmit-tries
Configures IKEv2 Dead Peer Detection maximum retransmission tries.
  NGFW{running-ipsec-vpn-myvpn}?

running-ipsec-policy-X Context Commands and their Usage
NGFW{running}vpn ipsec
NGFW{running-ipsec}policy myipsecpolicy

NGFW{running-ipsec-policy-myipsecpolicy}mode
Configure encapsulation mode.
Syntax
  mode MODE
Example
  NGFW{running-ipsec-policy-myipsecpolicy}mode tunnel

NGFW{running-ipsec-policy-myipsecpolicy}policy
Enable or Disable IPsec Policy.
running-ipsec-vpn-X Context Commands and their Usage
NGFW{running}vpn ipsec
NGFW{running-ipsec}vpn myvpn

NGFW{running-ipsec-vpn-myvpn}certificate
Configure certificate name.
Syntax
  certificate CERTNAME
Example

NGFW{running-ipsec-vpn-myvpn}delete
Delete file or configuration item.
Syntax
  delete certificate
  delete exchange-mode
  delete identity
  delete ip-pool
  delete peers
  delete proposal
  delete user-group
Example

NGFW{running-ipsec-vpn-myvpn}dpddelay
Configure Dead Peer Detection delay in seconds.
Syntax
  exchange-mode (main|aggressive)
Example
  NGFW{running-ipsec-vpn-myvpn}exchange-mode aggressive

NGFW{running-ipsec-vpn-myvpn}identity
Configure local and remote IKE Identities.
Syntax
  identity local ((ip-address A.B.C.D|X:X::X:X|anyLADDR)|(fqdn HOSTNAME|anyLHOSTNAME)|(user-fqdn EMAILADDRESS|anyLEMAIL)|(asn1dn asn1dn|anyLASNDNAME)) [remote (ip-address A.B.C.
Example
  NGFW{running-ipsec-vpn-myvpn}nat-traversal enable

NGFW{running-ipsec-vpn-myvpn}peer
Configure local and remote VPN Peers.
Syntax
  peer local (A.B.C.D|X:X::X:X) remote (A.B.C.D|X:X::X:X)
Example
  NGFW{running-ipsec-vpn-myvpn}peer local 192.168.1.1 remote 192.168.2.2

NGFW{running-ipsec-vpn-myvpn}proposal
Configure Phase1 and Phase2 IKE proposals.
Syntax
  proposal PHASE1 PHASE2
Example
  NGFW{running-ipsec-vpn-myvpn}proposal myphase1 myphase2

NGFW{running-ipsec-vpn-myvpn}rekey
Enable or disable rekey.
running-l2tp-serverX Context Commands
NGFW{running}l2tp-server0

NGFW{running-l2tp-server0}auth
Authenticated configuration.
Syntax
  auth (enable|disable)
  auth shared-secret (A.B.C.D|any) secret-key
Example
  NGFW{running-l2tp-server0}auth enable

NGFW{running-l2tp-server0}bind
Configures bind service of L2TP server.
Syntax
  bind (none|any|(A.B.C.D [port]))
Valid entries:
  none  Remove bind configuration
  any   Configure any bind
  A.B.C.
NGFW{running-l2tp-server0}sequencing
Enables or disables sequence configuration.
Syntax
  sequencing (enable|disable)
Example
  NGFW{running-l2tp-server0}sequencing enable

running-l2tpX Context Commands
NGFW{running}interface l2tp0

NGFW{running-l2tp0}auth
Authenticated configuration.
Example
  NGFW{running-l2tp0}bind 192.168.2.1 192.168.200.1
  NGFW{running-l2tp0}bind none

NGFW{running-l2tp0}delete
Delete file or configuration item.
NGFW{running-l2tp0}ip
Configure IP settings.
Syntax
  ip igmp
  ip igmp version (1|2|3)
Example
  NGFW{running-l2tp0}ip igmp
  NGFW{running-l2tp0}ip igmp version 3

NGFW{running-l2tp0}ipcp
Enable or disable IPCP for IPv4.
Syntax
  ipcp (enable|disable)
Example
  NGFW{running-l2tp0}ipcp enable
  NGFW{running-l2tp0}ipcp disable

NGFW{running-l2tp0}ipv6
Configure IPv6 settings.
Syntax
  ipv6 mld
  ipv6 mld version (1|2)
Example
  NGFW{running-l2tp0}ipv6 mld

NGFW{running-l2tp0}ipv6cp
Enable or disable IPCP for IPv6.
NGFW{running-l2tp0}log-option
Add service log option.
Syntax
  prefix X:X::X:X/M [valid-lifetime (1-4294967295)] [preferred-lifetime (1-4294967295)]
Example
  NGFW{running-l2tp0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000 preferred-lifetime 604800

NGFW{running-l2tp0}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level.
NGFW{running-l2tp0}ra-mtu
Modify IPv6 Router Advertisement MTU value.
Syntax
  ra-mtu (none|(68-9216))
  none  Not configured (0 if none)
Example
  NGFW{running-l2tp0}ra-mtu 1500

NGFW{running-l2tp0}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
Valid entries:
  disable    Disable service
  automatic  Automatically select TCP MSS based on interface MTU
  VALUE      TCP MSS value for IPv4 (4-65535)
Example
  NGFW{running-l2tp0}tcp4mss automatic

NGFW{running-l2tp0}tcp6mss
Configure interface TCP MSS for IPv6.
  NGFW{running-log}delete log-option fib events recv
  NGFW{running-log}delete log audit mycontactname ALL
  NGFW{running-log}delete log vpn mycontactname error
  NGFW{running-log}delete log quarantine mycontactname none
  NGFW{running-log}delete log system mycontactname info

NGFW{running-log}log
Add log to a log session.
  pptp3   PPTP packet dumps
  lcp     LCP events and negotiation
  phys    Physical layer events
  radius  Radius authentication events
  echo    Keep-alive events
  bund    Bundle events
  iface   IP interface and route management events
  link    Link events
  frame   Dump all incoming and outgoing frames
  fsm     All state machine events (except echo and reset)
Possible values for xmsd LOG_OPTION:
  ethgrp          Enable logging ethgrp
  addressgroups   Enable logging addressgroups
  security-zones  Enable logging security zones
  bnet            Enable logging bnet
  bridge          Ena
osi pdh pim4sm pim6sm ports ppp pppoeserver pppserver routing schedules serialport services snmp snoop svti system qos xmsupdate vrf vrrp wifi xipc Enable Enable Enable Enable Enable Enable Enable Enable Enable Enable Enable Enable Enable Enable Enable Enable Enable Enable Enable Enable Enable Enable logging logging logging logging logging logging logging logging logging logging logging logging logging logging logging logging logging logging logging logging logging logging osi pdh pim4sm pim6sm ports ppp
running-loopbackX Context Commands
NGFW{running}interface loopback0

NGFW{running-loopback0}delete
Delete file or configuration item.
  NGFW{running-loopback0}delete ipv6 ospfv3 dead-interval
  NGFW{running-loopback0}delete ipv6 ospfv3 hello-interval
  NGFW{running-loopback0}delete ipv6 ospfv3 priority
  NGFW{running-loopback0}delete ipv6 ospfv3 retransmit-interval
  NGFW{running-loopback0}delete ipv6 ospfv3 transmit-delay
  NGFW{running-loopback0}delete ipv6 ripng split-horizon poison-reverse
  NGFW{running-loopback0}delete ipv6 ripng split-horizon

NGFW{running-loopback0}description
Enter description for the interface.
NGFW{running-loopback0}ipaddress
Configure IP address.
Syntax
  ipaddress (A.B.C.D/M|X:X::X:X/M) [primary]
  ipaddress dhcpv4
Example
  NGFW{running-loopback0}ipaddress 192.168.1.1/24
  NGFW{running-loopback0}ipaddress 100:0:0:0:0:0:0:1/64 primary

NGFW{running-loopback0}ipv6
Configure IPv6 settings.
Syntax
  ipv6 ospfv3 area (A.B.C.
  delete sa esp ((A.B.C.D|X:X::X:X) SPI)
Valid entries:
  sa                    Configure Security Association
  esp                   Delete ESP Security Associations
  all                   Delete all ESP Security Associations
  (A.B.C.D|X:X::X:X)    Security Association remote address
  SPI                   Security Parameter Index
Example
  NGFW{running-manual-sa}delete sa esp 192.168.2.2 1

NGFW{running-manual-sa}sa
Configure Security Association.
Syntax
  sa esp (A.B.C.D A.B.C.
running-mgmt Context Commands
NGFW{running}interface mgmt

NGFW{running-mgmt}delete
Delete file or configuration item.
Syntax
  delete host (location|contact)
  delete ip-filter ACTION SERVICE4 [ip ADDRESS4]
  delete ip-filter ACTION SERVICE6 [ip ADDRESS6]
  delete ip-filter ACTION ip (ADDRESS4|ADDRESS6)
  delete ipaddress all|A.B.C.D/M|X:X::X:X/M
  delete route A.B.C.D/M [A.B.C.
  ip-filter (allow|deny) ip (A.B.C.D/M|X:X::X:X/M|A.B.C.D|X:X::X:X)
Valid entries:
  allow    Allow IPv4/IPv6 rule
  deny     Deny IPv4/IPv6 rule
  default  Default rule
Possible values for service are:
  https  allow/deny HTTPS. This will affect SMS which uses HTTPS
  ssh    allow/deny SSH
  icmp   allow/deny ICMP/ICMPv6
  snmp   allow/deny SNMP
  ip     IP address
  A.B.C.D/M X:X::X:X/M A.B.C.
NGFW{running-mgmt}route
Add IPv4/IPv6 static route.
Syntax
  route A.B.C.D/M A.B.C.D [DISTANCE]
  route X:X::X:X/M X:X::X:X [DISTANCE]
  A.B.C.D/M   Unicast IPv4 prefix address
  X:X::X:X/M  Unicast IPv6 prefix address
Example
  NGFW{running-mgmt}route 192.168.0.0/24 192.168.0.2 1
  NGFW{running-mgmt}route 2001:2:0:0:0:0:0:0/48 100:0:0:0:0:0:0:2

running-multicast-registration Context Commands
NGFW{running}multicast-registration

NGFW{running-multicast-registration}igmp-version
Configure system IGMP version.
Syntax
  contact CONTACTNAME
  contact NEWNAME email
  contact NEWNAME snmp COMMUNITY IP [PORT]
Example
  NGFW{running-notifycontacts}contact mycontact1 email
  NGFW{running-notifycontacts}contact mycontact1 snmp mysecret 192.168.1.1

NGFW{running-notifycontacts}delete
Delete a contact.
Syntax
  delete contact XCONTACTNAME
Example
  NGFW{running-notifycontacts}delete contact mycontact1
  WARNING: Are you sure you want to delete this contact (y/n)? [n]: y

NGFW{running-notifycontacts}email-from-address
From email address.
Syntax
  email-threshold THRESHOLD
Example
  NGFW{running-notifycontacts}email-threshold 1

NGFW{running-notifycontacts}email-to-default-address
Default to email address.
Syntax
  email-to-default-address EMAIL
Example
  NGFW{running-notifycontacts}email-to-default-address mycontact@example.com

NGFW{running-notifycontacts}rename
Rename contact with new name.
Syntax
  period PERIOD
Example
  NGFW{running-notifycontacts-mycontact1}period 1

NGFW{running-notifycontacts-mycontact1}port
Set SNMP host port.
Syntax
  port PORT
Example
  NGFW{running-notifycontacts-mycontact1}port 162

running-ntp Context Commands
NGFW{running}ntp

NGFW{running-ntp}delete
Delete file or configuration item.
NGFW{running-ntp}ntp
Enable or disable NTP service.
Syntax
  ntp (enable|disable)
Example
  NGFW{running-ntp}ntp enable

NGFW{running-ntp}polling-interval
Configure NTP server minimum polling interval.
Syntax
  polling-interval SECONDS
  SECONDS  Interval in seconds
Possible values for SECONDS are:
  2   2 seconds
  4   4 seconds
  8   8 seconds
  16  16 seconds
  32  32 seconds
  64  64 seconds
Example
  NGFW{running-ntp}polling-interval 16

NGFW{running-ntp}server
Configure remote NTP server.
Syntax
  server (dhcp|A.B.C.
Example
  NGFW{running-phase1-proposal-myphase1}auth local pre-shared-key remote pre-shared-key

NGFW{running-phase1-proposal-myphase1}dh-group
ISAKMP Diffie-Hellman group.
Syntax
  dh-group (1|2|5|14)
Example
  NGFW{running-phase1-proposal-myphase1}dh-group 5

NGFW{running-phase1-proposal-myphase1}encryption
ISAKMP encryption algorithm.
Syntax
  encryption (3des|aes128|aes192|aes256)
Example
  NGFW{running-phase1-proposal-myphase1}encryption aes256

NGFW{running-phase1-proposal-myphase1}hash
ISAKMP hash algorithm.
Syntax
  auth2 (hmac-md5|hmac-sha1) [hmac-sha1|hmac-md5]
Example
  NGFW{running-phase2-proposal-myphase2}auth2 hmac-sha1
  NGFW{running-phase2-proposal-myphase2}auth2 hmac-md5 hmac-sha1
  NGFW{running-phase2-proposal-myphase2}auth2 hmac-sha1 hmac-md5

NGFW{running-phase2-proposal-myphase2}dh-group
Perfect Forward Secrecy Diffie-Hellman group.
Syntax
  dh-group (1|2|5|14|none)
Example
  NGFW{running-phase2-proposal-myphase2}dh-group 5

NGFW{running-phase2-proposal-myphase2}encryption2
IPsec encryption algorithm.
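Added example (not part of the HP guide): a Python check that reads CLI lines in the prompt format used in this guide and reports the weaker choices that the phase1 proposal, phase2 proposal and vpn exchange-mode Syntax lines permit, plus values those Syntax lines do not list. The rule table, the "weak"/"invalid" labels, the reasons and the sample transcript are assumptions made for illustration.

```python
import re
from typing import List, NamedTuple

# Prompt format used throughout the guide: NGFW{context}command [arguments]
PROMPT = re.compile(r"^NGFW\{(?P<ctx>[^}]+)\}(?P<cmd>\S+)(?:\s+(?P<args>.*\S))?\s*$")
# Contexts this check understands; the trailing part is the operator-chosen name.
CONTEXT = re.compile(
    r"^running-(?P<kind>phase1-proposal|phase2-proposal|ipsec-vpn)-(?P<name>.+)$"
)

# (context kind, command) -> (values the guide's Syntax line allows,
#                             {flagged value: reason}).
# Allowed sets are copied from the guide. Flagged values and reasons are this
# example's assumptions about what a configuration review should surface.
RULES = {
    ("phase1-proposal", "dh-group"): (
        {"1", "2", "5", "14"},
        {"1": "768-bit MODP group", "2": "1024-bit MODP group",
         "5": "1536-bit MODP group"},
    ),
    ("phase1-proposal", "encryption"): (
        {"3des", "aes128", "aes192", "aes256"},
        {"3des": "64-bit block cipher, deprecated"},
    ),
    ("phase2-proposal", "auth2"): (
        {"hmac-md5", "hmac-sha1"},
        {"hmac-md5": "MD5-based integrity, deprecated"},
    ),
    ("phase2-proposal", "dh-group"): (
        {"1", "2", "5", "14", "none"},
        {"1": "768-bit MODP group", "2": "1024-bit MODP group",
         "5": "1536-bit MODP group", "none": "no Perfect Forward Secrecy"},
    ),
    ("ipsec-vpn", "exchange-mode"): (
        {"main", "aggressive"},
        {"aggressive": "identity and key-derived hash sent before encryption"},
    ),
}


class Finding(NamedTuple):
    line_no: int
    context: str
    command: str
    value: str
    severity: str  # "weak" or "invalid"
    reason: str


def audit(transcript: str) -> List[Finding]:
    """Return one Finding per flagged or unlisted value, in line order."""
    findings = []
    for line_no, raw in enumerate(transcript.splitlines(), start=1):
        prompt = PROMPT.match(raw.strip())
        if not prompt:
            continue  # not a CLI prompt line
        ctx = CONTEXT.match(prompt["ctx"])
        if not ctx:
            continue  # context outside the IPsec proposal/vpn scope
        rule = RULES.get((ctx["kind"], prompt["cmd"]))
        if rule is None:
            continue  # command this example has no rule for
        allowed, flagged = rule
        # auth2 accepts two algorithms, so every argument token is checked.
        for value in (prompt["args"] or "").split():
            if value not in allowed:
                findings.append(Finding(line_no, prompt["ctx"], prompt["cmd"], value,
                                        "invalid", "not listed in the Syntax line"))
            elif value in flagged:
                findings.append(Finding(line_no, prompt["ctx"], prompt["cmd"], value,
                                        "weak", flagged[value]))
    return findings


# Constructed transcript: the first six lines reuse example values from the
# guide, the last line is an invented out-of-range value.
SAMPLE = "\n".join([
    "NGFW{running-phase1-proposal-myphase1}dh-group 5",
    "NGFW{running-phase1-proposal-myphase1}encryption aes256",
    "NGFW{running-phase2-proposal-myphase2}auth2 hmac-md5 hmac-sha1",
    "NGFW{running-phase2-proposal-myphase2}dh-group none",
    "NGFW{running-ipsec-vpn-myvpn}exchange-mode aggressive",
    "NGFW{running-ipsec-vpn-myvpn}nat-traversal enable",
    "NGFW{running-phase1-proposal-myphase1}dh-group 19",
])

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f.line_no}: {f.severity}: {f.context} {f.command} {f.value} ({f.reason})")
```
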
  area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D authentication simple SIMPLE-PASSWORD
  area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D authentication md5 KEY-ID MD5-KEY-STRING
  (0-4294967295) A.B.C.
NGFW{running-ospf}disable
Disable Open Shortest Path First (OSPF).
Syntax
  disable
Example
  NGFW{running-ospf}disable

NGFW{running-ospf}distance
Set OSPF administrative distance.
  rip           Routing Information Protocol (RIP)
  bgp           Border Gateway Protocol (BGP)
  metric-type   OSPF exterior metric type for redistributed routes
  (1-2)         Set OSPF exterior type metric
  metric        Metric
  (0-16777214)  Set metric for redistributed routes
  route-map     Route map reference
  ROUTE-MAP     Route map name
Example
  NGFW{running-ospf}redistribute rip metric-type ?
  Valid entry at this position is:
  <1-2>  Set OSPF exterior type metric
  NGFW{running-ospf}redistribute rip metric-type 1 route-map name

NGFW{running-ospf}rfc1583-c
Valid entries at this position are:
  nssa          Configure a not-so-stubby area (NSSA)
  range         Summarize routes matching address/mask (border routers only)
  stub          Configure a stubby area
  tsa           Configure a totally stubby area (TSA)
  virtual-link  Configure a virtual link over a transit area

NGFW{running-ospfv3}delete
Delete file or configuration item.
Syntax
  delete area AREA-ID AREA-TYPE
  delete area AREA-ID range X:X::X:X/M
  delete area AREA-ID virtual-link A.B.C.
NGFW{running-ospfv3}nsf
OSPFv3 non-stop forwarding.
Syntax
  nsf (enable|disable)
  enable   Enable Graceful Restarts with Grace time of 120
  disable  Disable Graceful Restarts
Example
  NGFW{running-ospfv3}nsf enable

NGFW{running-ospfv3}passive-interface
Suppress routing updates on an interface.
Syntax
  passive-interface INTERFACE
Example
  NGFW{running-ospfv3}passive-interface name

NGFW{running-ospfv3}redistribute
Redistribute routes from another routing protocol.
running-pim-smv4 Context Commands
NGFW{running}router pim-smv4

NGFW{running-pim-smv4}bsr-candidate
Toggle bootstrap router (BSR) candidate.
Syntax
  bsr-candidate interface INTERFACE
  bsr-candidate priority (0-255)
  interface  Interface that has global address for Bootstrap messages
  priority   Priority of the BSR candidate
Example
  NGFW{running-pim-smv4}bsr-candidate priority 2

NGFW{running-pim-smv4}delete
Delete file or configuration item.
Example
  NGFW{running-pim-smv4}dr-priority 2

NGFW{running-pim-smv4}enable
Enable PIM-SM IPv4 on the device.
Syntax
  enable
Example
  NGFW{running-pim-smv4}enable

NGFW{running-pim-smv4}rp-address
Static mapping of multicast groups to RP.
Syntax
  rp-address A.B.C.D A.B.C.D/M
  A.B.C.D    IPv4 address for static RP
  A.B.C.D/M  IPv4 multicast group for static RP
Example
  NGFW{running-pim-smv4}rp-address 198.51.0.100

NGFW{running-pim-smv4}rp-candidate
Toggle RP candidate.
Syntax
  rp-candidate group A.B.C.
running-pim-smv6 Context Commands
NGFW{running}router pim-smv6

NGFW{running-pim-smv6}bsr-candidate
Toggle bootstrap router (BSR) candidate.
Syntax
  bsr-candidate interface INTERFACE
  bsr-candidate priority (0-255)
  Interface  Interface that has global address for Bootstrap messages
  priority   Priority of the BSR
Example
  NGFW{running-pim-smv6}bsr-candidate priority 1

NGFW{running-pim-smv6}delete
Delete file or configuration item.
Syntax
  dr-priority (0-4294967295)
  (0-4294967295)  The priority used to elect the DR.
Example
  NGFW{running-pim-smv6}dr-priority 2

NGFW{running-pim-smv6}enable
Enable PIM-SM IPv6 on the device.
Syntax
  enable
Example
  NGFW{running-pim-smv6}enable

NGFW{running-pim-smv6}rp-address
Static mapping of multicast groups to RP.
  RATE  The rate for shortest path tree switching (1-4294967295 bytes/s). Default: 1000 bytes/s
Example
  NGFW{running-pim-smv6}threshold 1000

running-pppoeX Context Commands
NGFW{running}interface pppoe0

NGFW{running-pppoe0}auth
Authenticated configuration.
  delete ipv6 mld version
  delete log-option ppp all
  delete log-option ppp PPP-LOG-OPTION
  delete prefix (all|X:X::X:X/M)
  delete shutdown
Valid entries:
  auth        Authenticated configuration
  ip          Delete IP settings
  ipv6        Delete IPv6
  log-option  Delete service log option
  prefix      Delete IPv6 prefix
  shutdown    Shutdown logical interface state
Example
  NGFW{running-pppoe0}delete NGFW{running-pppoe0}delete NGFW{running-pppoe0}delete NGFW{running-pppoe0}delete NGFW{running-pppoe0}delete NGFW{running-pppoe0}delete NGFW{running-
NGFW{running-pppoe0}ipcp
Enable or disable IPCP for IPv4.
Syntax
  ipcp (enable|disable)
Example
  NGFW{running-pppoe0}ipcp enable
  NGFW{running-pppoe0}ipcp disable

NGFW{running-pppoe0}ipv6
Configure IPv6 settings.
Syntax
  ipv6 mld
  ipv6 mld version (1|2)
Example
  NGFW{running-pppoe0}ipv6 mld version 2

NGFW{running-pppoe0}ipv6cp
Enable or disable IPCP for IPv6.
Syntax
  ipv6cp (enable|disable)
Example
  NGFW{running-pppoe0}ipv6cp enable

NGFW{running-pppoe0}keep-alive
LCP keep alive period in seconds.
  l2tp    L2TP high level events
  l2tp2   L2TP more detailed events
  l2tp3   L2TP packet dumps
  pptp    PPTP high level events
  pptp2   PPTP more detailed events
  pptp3   PPTP packet dumps
  lcp     LCP events and negotiation
  phys    Physical layer events
  radius  Radius authentication events
  echo    Keep-alive events
  bund    Bundle events
  iface   IP interface and route management events
  link    Link events
  frame   Dump all incoming and outgoing frames
  fsm     All state machine events (except echo and reset)
Example
  NGFW{running-pppoe0}log-option ppp au
Example
  NGFW{running-pppoe0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000 preferred-lifetime 604800

NGFW{running-pppoe0}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level.
Syntax
  ra-mtu (none|(68-9216))
  none  Not configured
  MTU   MTU value advertised (0 if none)
Example
  NGFW{running-pppoe0}ra-mtu 1500

NGFW{running-pppoe0}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
Example
  NGFW{running-pppoe0}tcp4mss automatic

NGFW{running-pppoe0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
  tcp6mss (disable|automatic|(4-65535))
Valid entries:
  disable    Disable service
  automatic  Automatically select TCP MSS based on interface MTU
  VALUE      TCP MSS value for IPv6
Example
  NGFW{running-pppoe0}tcp6mss automatic

running-pptpX Context Commands
NGFW{running}interface pptp0

NGFW{running-pptp0}always-ack
Enable or disable always-ack option.
NGFW{running-pptp0}bind
Configure binding addresses of the pptp tunnel.
Syntax
  bind (none|(A.B.C.D A.B.C.D))
Example
  NGFW{running-pptp0}bind 192.168.1.1 192.168.100.1

NGFW{running-pptp0}delayed-ack
Enable or disable delayed-ack option.
Syntax
  delayed-ack (enable|disable)
Example
  NGFW{running-pptp0}delayed-ack enable

NGFW{running-pptp0}delete
Delete file or configuration item.
NGFW{running-pptp0}dns-request
Configure IP DNS server address request.
Syntax
  dns-request (enable|disable)
Example
  NGFW{running-pptp0}dns-request enable
  NGFW{running-pptp0}dns-request disable

NGFW{running-pptp0}ip
Configure IP settings.
Syntax
  ip igmp
  ip igmp version (1|2|3)
Example
  NGFW{running-pptp0}ip igmp version 3

NGFW{running-pptp0}ipcp
Enable or disable IPCP for IPv4.
NGFW{running-pptp0}keep-alive
LCP keep alive period in seconds.
Syntax
  keep-alive ppp disable
  keep-alive ppp (default|(0-600)) [retry (0-600)]
Example
  NGFW{running-pptp0}keep-alive ppp default retry 1
  NGFW{running-pptp0}keep-alive ppp disable

NGFW{running-pptp0}log-option
Add service log option.
Syntax
  mtu (default|(68-9216))
Example
  NGFW{running-pptp0}mtu 1500

NGFW{running-pptp0}prefix
Configure IPv6 prefix.
Syntax
  prefix X:X::X:X/M [valid-lifetime (1-4294967295)] [preferred-lifetime (1-4294967295)]
Example
  NGFW{running-pptp0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000 preferred-lifetime 604800

NGFW{running-pptp0}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level.
NGFW{running-pptp0}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
Syntax
  ra-lifetime (0-9000000)
Example
  NGFW{running-pptp0}ra-lifetime 1800

NGFW{running-pptp0}ra-mtu
Modify IPv6 Router Advertisement MTU value.
Syntax
  ra-mtu (none|(68-9216))
Example
  NGFW{running-pptp0}ra-mtu 1500

NGFW{running-pptp0}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
NGFW{running-pptp0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
  tcp6mss (disable|automatic|(4-65535))
Example
  NGFW{running-pptp0}tcp6mss automatic

NGFW{running-pptp0}windowing
Enable or disable windowing option.
Syntax
  windowing (enable|disable)
Example
  NGFW{running-pptp0}windowing enable
  NGFW{running-pptp0}windowing disable

running-rep Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running}rep

NGFW{running-rep}delete
Delete file or configuration item.
  delete domain DOMAINNAME
  delete ip SOURCEIP
  description DESCRIPTION
  display
  domain NEWDOMAINNAME
  help [full|COMMAND]
  ip SOURCEIP

NGFW{running-rep}profile
Create or enter reputation profile context.
Valid entries:
  domain  Domain name
  ip      IP address IPv4/IPv6/CIDR
Example
  NGFW{running-rep-1}delete domain example.com
  NGFW{running-rep-1}delete ip 192.168.1.1
  NGFW{running-rep-1}delete ip 100:0:0:0:0:0:0:0/64

NGFW{running-rep-1}description
Add a description to the reputation group.
Syntax
  description DESCRIPTION
Example
  NGFW{running-rep-1}description "Rep Group 1"

NGFW{running-rep-1}domain
New domain name.
Syntax
  domain NEWDOMAIN
Example
  NGFW{running-rep-1}domain example.
NGFW{running-rep-abc}check-source-address
Enables or disables check source address.
Syntax
  check-source-address (enable|disable)
Valid entries:
  enable   Enable check source address
  disable  Disable check source address
Example
  NGFW{running-rep-abc}check-source-address enable

NGFW{running-rep-abc}check-destination-address
Enables or disables check destination address.
Valid entries:
  enable     Enable filter rule
  THRESHOLD  Set threshold (0-100)
  ACTIONSET  Apply action set name
  disable    Disable filter rule
Example
  NGFW{running-rep-abc}filter "myrepgroup" enable
  NGFW{running-rep-abc}filter "myrepgroup" enable 0 "Block + Notify"

NGFW{running-rep-abc}ip-except
Add IP address exception.
Syntax
  ip-except SOURCEIP DESTINATIONIP
  SOURCEIP       A.B.C.D or A.B.C.D/M or X:X::X:X or X:X::X:X/M
  DESTINATIONIP  A.B.C.D or A.B.C.
  triggered-updates  Disable triggered-updates
  version            Reset RIP version to default
Example
  NGFW{running-rip}delete default-metric 1
  NGFW{running-rip}delete distance 120
  NGFW{running-rip}delete equal-cost 2
  NGFW{running-rip}delete passive-interface ethernet1
  NGFW{running-rip}delete redistribute static
  NGFW{running-rip}delete timers basic
  NGFW{running-rip}delete triggered-updates
  NGFW{running-rip}delete version 2

NGFW{running-rip}disable
Disable Routing Information Protocol (RIP).
Syntax
  equal-cost (2-255)
Example
  NGFW{running-rip}equal-cost 2

NGFW{running-rip}passive-interface
Suppress RIP routing updates on an interface.
Syntax
  passive-interface (default|INTERFACE)
Valid entries:
  default    "default" for all interfaces
  INTERFACE  Interface name
Example
  NGFW{running-rip}passive-interface ethernet1

NGFW{running-rip}redistribute
Redistribute routes from another routing protocol.
NGFW{running-rip}triggered-updates
Enable RIP triggered-updates.
Syntax
  triggered-updates
Example
  NGFW{running-rip}triggered-updates

NGFW{running-rip}version
Set RIP version.
Syntax
  version (1-2)
Example
  NGFW{running-rip}version 2

running-ripng Context Commands
NGFW{running}router ripng

NGFW{running-ripng}default-metric
Set default metric for imported routes.
Example
  NGFW{running-ripng}delete triggered-updates

NGFW{running-ripng}disable
Disable Routing Information Protocol next generation (RIPng).
Syntax
  disable
Example
  NGFW{running-ripng}disable

NGFW{running-ripng}distance
Set administrative distance for routes learned by way of RIPng.
Syntax
  distance DISTANCE
  DISTANCE  Distance (1-255)
Example
  NGFW{running-ripng}distance 2

NGFW{running-ripng}distribute-list
Filter networks in RIPng routing updates.
Syntax
  equal-cost EQUAL-COST
  EQUAL-COST  (2-255)
Example
  NGFW{running-ripng}equal-cost 2

NGFW{running-ripng}passive-interface
Suppress RIPng routing updates on an interface.
Syntax
  passive-interface (default|INTERFACE)
  default    "default" for all interfaces
  INTERFACE  Interface name
Example
  NGFW{running-ripng}passive-interface default

NGFW{running-ripng}redistribute
Redistribute routes from another routing protocol.
NGFW{running-ripng}triggered-updates
Enable RIPng triggered-updates.
Syntax
  triggered-updates
Example
  NGFW{running-ripng}triggered-updates

running-route-map Context Commands
NGFW{running}route-map mymap permit 10

NGFW{running-route-map}delete
Delete file or configuration item.
Syntax
  delete match as-path
  delete match community-list
  delete match ip address ACCESS-LIST-NAME
  delete match ip next-hop A.B.C.
  set community ((AA:NN)|internet|local-as|no-advertise|no-export)
  set ip next-hop A.B.C.D
  set local-preference (0-65535)
  set metric (1-65535)
Example
  NGFW{running-route-map}set as-path prepend 64497
  NGFW{running-route-map}set as-path prepend 64496 64511 65536 65551

running-schedules Context Commands
NGFW{running}schedules

NGFW{running-schedules}delete
Deletes a schedule.
NGFW{running-schedule-myhours1}description
Enter description for the segment.
Syntax
  description TEXT
Example
  NGFW{running-schedule-myhours1}description "After Normal Business Hours"

NGFW{running-schedule-myhours1}schedule-entry
Add a schedule entry.
Syntax
  description TEXT
Example
  NGFW{running-segment0}description "My Segment"

NGFW{running-segment0}high-availability
Intrinsic HA Layer 2 Fallback action block or permit.
Syntax
  high-availability (block|permit)
  block   Enable block all
  permit  Enable permit all
Example
  NGFW{running-segment0}high-availability permit

NGFW{running-segment0}link-down
Link down synchronization mode.
Example
  NGFW{running-services}delete service myservice2
  NGFW{running-services}delete service all

NGFW{running-services}rename
Rename service.
Syntax
  rename service SERVICENAME NEWSERVICENAME
Example
  NGFW{running-services}rename service myservice1 myservice2

NGFW{running-services}service
Create or enter a service context.
NGFW{running-services-myservice1}description
Apply service description.
Syntax
  description TEXT
Example
  NGFW{running-services-myservice1}description "my service 1"

NGFW{running-services-myservice1}icmp
Apply ICMPv4.
NGFW{running-services-myservice1}protocol
Apply protocol number.
Syntax
  protocol IPPROTOCOL
  IPPROTOCOL  Apply packet protocol number
Example
  NGFW{running-services-myservice1}protocol 6

NGFW{running-services-myservice1}service
Apply member service.
Example
  NGFW{running-smr}dscp xmit 0x0

NGFW{running-smr}monitor
Define monitoring parameters for a route.
Syntax
  monitor A.B.C.D/M A.B.C.D MULT MAXFAILURE [A.B.C.D]
  monitor A.B.C.D/M A.B.C.D MULT MAXFAILURE distance DISTANCE [A.B.C.D]
  monitor A.B.C.D/M A.B.C.D MULT MAXFAILURE A.B.C.
Syntax
  delete rule (all|SRCNATRULEID)
Example
  NGFW{running-snat}delete rule 123

NGFW{running-snat}rename
Rename source NAT rule.
Syntax
  rename rule SRCNATRULEID NEWSRCNATRULEID
Example
  NGFW{running-snat}rename rule 123 snat1

NGFW{running-snat}rule
Create or enter a rule context.
Syntax
  rule (auto|SRCNATRULEID) [POSITION_VALUE]
Example
  NGFW{running-snat}rule 123

running-snat-rule-X Context Commands
NGFW{running-snat}rule snat1

NGFW{running-snat-rule-snat1}delete
Delete file or configuration item.
  NGFW{running-snat-rule-snat1}delete src-address exclude ipaddress 192.168.1.1

NGFW{running-snat-rule-snat1}description
Apply rule description.
Syntax
  description TEXT
Example
  NGFW{running-snat-rule-snat1}description "source nat rule 1"

NGFW{running-snat-rule-snat1}dst-address
Apply destination address.
Syntax
  dst-address (include|exclude) group ADDRESSGROUP
  dst-address (include|exclude) ipaddress A.B.C.D
  dst-address (include|exclude) ipaddress A.B.C.D/M
  dst-address (include|exclude) range A.B.C.D A.B.
  NGFW{running-snat-rule-snat1}move before snat1
  NGFW{running-snat-rule-snat1}move to position 1

NGFW{running-snat-rule-snat1}src-address
Apply source address.
Syntax
  src-address (include|exclude) group ADDRESSGROUP
  src-address (include|exclude) ipaddress A.B.C.D
  src-address (include|exclude) ipaddress A.B.C.D/M
  src-address (include|exclude) range A.B.C.D A.B.C.D
Example
  NGFW{running-snat-rule-snat1}src-address include ipaddress 192.168.1.
  COMMUNITY  Text to identify SNMP system community
  SOURCE     IP (A.B.C.D|X:X::X:X), subnet (A.B.C.D/M|X:X::X:X/M), or "default"
  default    allow any IPv4/6 source
Example
  NGFW{running-snmp}community mycommunity default

NGFW{running-snmp}delete
Delete file or configuration item.
Syntax
  delete community (COMMUNITY|all)
  delete trapsession ((A.B.C.
  trapsession (A.B.C.D|X:X::X:X|FQDN) [port PORT] ver 3 USERNAME level authNoPriv authtype (MD5|SHA) AUTHPASS [inform]
  trapsession (A.B.C.
  AUTHPASS   Authentication passphrase - must be at least 8 characters
  authPriv   Authentication and privacy
  privproto  Configure privacy protocol (DES|AES)
  PRIVPROTO  Privacy protocol
Possible values for PRIVPROTO are:
  DES  Data Encryption Security
  AES  Advanced Encryption Security
  PRIVPASS   Optional privacy passphrase - must be at least 8 characters
Example
  NGFW{running-snmp}username mysnmpusername level noAuthNoPriv
  NGFW{running-snmp}username mysnmpusername level authNoPriv authtype SHA mysnmppassword
  NGFW{running
Syntax
  delete bind
  delete ip igmp
  delete ip igmp version
  delete ip ospf area
  delete ip ospf authentication mode md5 (1-255) KEY
  delete ip ospf authentication mode text KEY
  delete ip ospf cost (1-65535)
  delete ip ospf dead-interval (1-65535)
  delete ip ospf hello-interval (1-65535)
  delete ip ospf priority (0-255)
  delete ip ospf retransm
Syntax
  description TEXT
Example
  NGFW{running-vlan0}description "My interface description"

NGFW{running-vlan0}ip
Configure IP settings.
Syntax
  ip igmp
  ip igmp version (1|2|3)
  ip ospf area (A.B.C.D|(0-4294967295))
  ip ospf authentication mode md5 (1-255) KEY
  ip ospf authentication mode text KEY
  ip ospf cost (1-65535)
  ip ospf dead-interval (1-65535)
  ip ospf hello-interval (1-65535) [A.B.C.
  ipv6 mld version (1|2)
  ipv6 ospfv3 area (A.B.C.D|<0-4294967295>)
  ipv6 ospfv3 cost COST
  ipv6 ospfv3 dead-interval VALUE
  ipv6 ospfv3 hello-interval VALUE
  ipv6 ospfv3 priority VALUE
  ipv6 ospfv3 retransmit-interval VALUE
  ipv6 ospfv3 transmit-delay VALUE
  ipv6 pim-sm
  ipv6 ripng
  ipv6 ripng split-horizon (simple|poison-reverse|inactive)
Valid entries:
  mld ospfv3 pim-sm ripng area <0-4294967295> A.B.C.
  valid-lifetime      Configure valid lifetime
  (1-4294967295)      Valid lifetime in seconds (default is 2592000)
  preferred-lifetime  Configure preferred lifetime
  (1-4294967295)      Preferred lifetime in seconds (default is 604800 - cannot exceed valid lifetime)
Example
  NGFW{running-vlan0}prefix 2001:db8::/32
  NGFW{running-vlan0}prefix 2001:db8::/32 valid-lifetime 2592000

NGFW{running-vlan0}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level.
NGFW{running-vlan0}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
Syntax
  ra-lifetime (0-9000000)
Example
  NGFW{running-vlan0}ra-lifetime 9000000

NGFW{running-vlan0}ra-mtu
Modify IPv6 Router Advertisement MTU value.
Syntax
  ra-mtu (none|MTU)
  none  Not configured
  MTU   MTU value advertised (68-9216)(0 if none)
Example
  NGFW{running-vlan0}ra-mtu 9216

NGFW{running-vlan0}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
  automatic  Automatically select TCP MSS based on interface MTU
  VALUE      TCP MSS value for IPv4 (4-65535)
Example
  NGFW{running-vlan0}tcp4mss 4

NGFW{running-vlan0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
  zone ZONENAME
Example
  NGFW{running-zones}zone myzone1

running-zones-X Context Commands
NGFW{running-zones}zone myzone1

NGFW{running-zones-myzone1}application-visibility
Enable or Disable application visibility.
Syntax
  application-visibility (enable|disable)
Example
  NGFW{running-zones-myzone1}application-visibility enable

NGFW{running-zones-myzone1}bind
Bind interfaces to zones.