3Com® X Family Command Line Interface Reference X5 (25-user license) – 3CRTPX5-25-96 X5 (unlimited license) – 3CRTPX5-U-96 X506 – 3CRX506-96 Version 2.5.1 Part Number TECHD-178 Rev B01 Published April 2007 http://www.3com.
3Com Corporation 350 Campus Drive Marlborough, MA 01752-3064 Copyright © 2005–2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
About This Guide

Explains who this guide is intended for, how the information is organized, where information updates can be found, and how to obtain customer support if you cannot resolve a problem.

Welcome to the X Family CLI

Welcome to the X family Command Line Interface (CLI). The CLI is the interface for issuing commands via a command line prompt for the X family device. You use this interface to configure, monitor, and report on the X family devices in your network.
Target Audience

This guide is intended for super-users and administrators who manage one or more X family devices.
Conventions

Typeface

This guide uses the following typographical conventions:

bold: used for commands or parameters, which must be entered exactly as shown.
light font: used for variables, for which you supply a value.
brackets []: used to indicate an optional element.
<1 | 2 >: angle brackets and vertical bars are used to indicate a choice that must be made.
Italic: used for guide titles, variables, and important terms.
Hyperlink: used for cross references in a document or links to a Web site.
Note

Notes tell you about information that might not be obvious or that does not relate directly to the current topic, but that may affect relevant behavior. For example:

Note: Some command examples in this document are split across several lines due to space constraints; however, you must enter them on a single line (with no carriage returns).

Tip

Tips are suggestions about how you can perform a task more easily or more efficiently.
1 X Family Startup Configuration

The X family device is a high-speed, comprehensive security system. This section describes the steps required to start managing the X family device.

Overview

You must complete basic configuration of the X family device to pass traffic in the default configuration. The X Family Setup Wizard provides a convenient way for you to enter the necessary configuration data when you install a new device on your network, or when you move or reconfigure a device within your network.
LSM provides HTTP and HTTPS (secure management) access. This access requires one of the following browsers:
• Microsoft Internet Explorer 6.0 or later
• Firefox 1.5 or later
• Mozilla 1.7 or later
• Netscape 8.1 or later

Using the LSM, you have a graphical display for reviewing, searching, and modifying settings. The GUI interface also provides graphical reports for monitoring the device traffic, triggered filters, and packet statistics.
Configuration Categories Table 1–1: Out-of-the-Box Terminal Setup Wizard Configuration Settings (Continued) Out-of-the-Box Setup Subsequent Setups Settings Timekeeping Options Timekeeping Options NTP or CMOS clock time zone daylight saving time NTP: up to four time servers or peers CMOS clock: date time Modify interfaces Modify virtual interfaces IP allocation settings Subnet mask NAT enable/disable Modify security zones Modify security zones Create zone Allocate ports to zones Assign zones to i
Table 1–1: Out-of-the-Box Terminal Setup Wizard Configuration Settings (Continued) Out-of-the-Box Setup Subsequent Setups Settings — Default E-Mail Contact TO: email FROM: email email domain SMTP server IP email aggregation period — Remote Syslog Server IP address

Initiating the Setup Wizard

When the Setup Wizard runs, the following screen displays:

Welcome to the TippingPoint Technologies Initial Setup wizard.
Press any key to begin Initial Setup Wizard.
Super-User Data

Table 1–2: Security Levels

Level      Description
Level 2    Includes Level 1 restrictions and requires the following:
           • 2 alphabetic characters
           • 1 numeric character
           • 1 non-alphanumeric character (special characters such as ! ? and *).

Example

There are three security levels for specifying user names and passwords:
Level 0: User names and passwords are unrestricted.
Level 1: Names must be at least 6 characters long; passwords at least 8.
Table 1–4: Password Examples for Level 2 Security

Valid Passwords    Invalid Passwords
my-b1rthday        mybirthday (must contain numeric)
myd*g’snam3        mydogsnam3 (must contain a non-alphanumeric character)
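The security-level rules above can be checked before an account is provisioned. The following Python pre-check is an added example, not part of the 3Com guide or the device software; the function name is hypothetical, and it assumes the Level 2 character requirements apply to the password only (the guide's own dialog accepts the name "superuser") and that letters and digits are ASCII.

```python
import string

# Minimum lengths stated for Level 1 (Level 2 includes Level 1 restrictions).
MIN_NAME_LEN = 6
MIN_PASSWORD_LEN = 8


def check_credentials(username, password, level=2):
    """Return a list of rule violations; an empty list means acceptable.

    Hypothetical helper: mirrors the documented rules, not device code.
    """
    if level not in (0, 1, 2):
        raise ValueError("security level must be 0, 1 or 2")

    problems = []
    # The setup wizard prompt states that spaces are not allowed in the name.
    if " " in username:
        problems.append("user name must not contain spaces")

    if level >= 1:
        if len(username) < MIN_NAME_LEN:
            problems.append("user name needs at least 6 characters")
        if len(password) < MIN_PASSWORD_LEN:
            problems.append("password needs at least 8 characters")

    if level == 2:
        # Assumption: ASCII letters/digits; everything else counts as
        # non-alphanumeric (the guide's examples use - * and an apostrophe).
        letters = sum(c in string.ascii_letters for c in password)
        digits = sum(c in string.digits for c in password)
        specials = len(password) - letters - digits
        if letters < 2:
            problems.append("password needs at least 2 alphabetic characters")
        if digits < 1:
            problems.append("password needs at least 1 numeric character")
        if specials < 1:
            problems.append("password needs at least 1 non-alphanumeric character")

    return problems


if __name__ == "__main__":
    # Passwords from the guide's Table 1-4 plus the wizard dialog example.
    samples = ("my-b1rthday", "mybirthday", "myd*g\u2019snam3",
               "mydogsnam3", "root--00")
    for pw in samples:
        issues = check_credentials("superuser", pw, level=2)
        print(f"{pw!r}: {'OK' if not issues else '; '.join(issues)}")
```

The function reports every rule a candidate breaks, so "mybirthday" is flagged for the missing special character as well as the missing digit that the table mentions.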
Host Configuration

Example

In this example, the password is presented in italics. In the actual dialog, the password would not be visible.

Please enter a user name that we will use to create your superuser account. Spaces are not allowed.
Name: superuser
Do you wish to accept [superuser] :Y
Please enter your super-user account password: root--00
Verify password: root--00
Saving information...Done
Your super-user account has been created.
Time Zone

The time zone option calculates and shows the local time. System logs are kept in Universal Time (UTC), but the device calculates local time for display purposes. Entering the proper time zone enables the device to display local time properly.

Daylight Saving Time

The daylight saving time option enables and disables the calculation of time based on the time of year.
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: A

Network Deployment Configuration

The Network Deployment Configuration dialog selects the type of network deployment that the X family device will use. The following deployments are available:
• Routed mode: All IP subnets are unique, and addresses that traverse to the WAN zone may be subject to Network Address Translation (NAT).
Virtual interfaces:
Id  Type      Mode    IP Address     Subnet Mask    NAT
1   internal  static  192.168.1.254  255.255.255.0  external-ip
2   external  dhcp    10.0.1.200     255.255.255.0  disable
3
4
5
6
Enter [A]ccept, [C]hange, [R]emove or [E]xit without saving [C]: a

Basic Security Zone Configuration

The Security Zone dialog modifies the basic configuration of security zones, which divide your network into logical security domains.
Security zones:
#   Zone name
1   LAN
2   VPN
3   WAN
4   <empty>
5   <empty>
6   <empty>
7   <empty>
8   <empty>
9   <empty>
10  <empty>
Ports None 1 6
Enter [A]ccept, [C]hange, [R]emove or [E]xit without saving [C]: a

Assigning Zones to Virtual Interfaces

The Modify Security Zones Mapping to Virtual Interfaces dialog maps existing zones to existing interfaces.
Would you like to configure DNS? :y
Would you like to use the DNS configuration obtained from the WAN connection ? <[Y],N>:n
Enter DNS Server 1 IP Address (0.0.0.0 to clear): []: 10.0.0.1
Enter DNS Server 2 IP Address (0.0.0.0 to clear): []: 10.0.0.2
Enter DNS Server 3 IP Address (0.0.0.0 to clear): []:
Enter DNS Search Domain 1 ("" to clear): []: example.
Enter DNS Search Domain 2 (""
Enter DNS Search Domain 3 (""
Enabling SMS Configuration

Would you like to enable web filtering (license required) and set up firewall rules for all internal security zones? :y
Please choose a web filtering server. For best performance, select the server location that is closest to you. Available locations are:
#  Location
1  North America (us.surfcpa.com)
2  Europe 1 (uk1.surfcpa.com)
3  Europe 2 (uk2.surfcpa.com)
4  Asia (asia.surfcpa.
When the SMS is on a different site than the device, a potential misconfiguration in the SMS may result in the loss of remote management access to the device. To protect against this you can enable a firewall rule to allow SSH and HTTPS access into the device from the WAN security zone and the internet. This rule will only be enabled after the SMS has timed out trying to acquire the device.
Web, CLI, and SNMP Server Options

Default Server Settings

The default settings of the Web, CLI, and SNMP servers are:

Table 1–5: Default Web, CLI, and SNMP Server Options

Name   Default Setting  Required By              Reboot Required
SSH    ON               secure CLI over network  no
HTTPS  ON               SMS, secure LSM          yes
HTTP   OFF              non-secure LSM           yes
SNMP   ON               SMS, NMS                 yes

Note: You can use the CLI reboot command to reboot the X family device if you modify settings for which a reboot is required.
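Table 1–5 can be turned into a change review for the server settings. The following Python sketch is an added example, not part of the 3Com guide or the device software: it parses a settings summary in the "SSH: Yes" form the wizard prints, compares it with a previous state (the table's defaults unless told otherwise), and reports whether a reboot is needed, which dependents lose access, and whether non-secure HTTP is on. The function names and the sample summaries in the test data are constructed for illustration.

```python
import re

# Table 1-5 of the guide: default state, what relies on the server, and
# whether a change to it needs a reboot to take effect.
SERVERS = {
    "SSH":   {"default": True,  "required_by": ["secure CLI over network"], "reboot": False},
    "HTTPS": {"default": True,  "required_by": ["SMS", "secure LSM"],       "reboot": True},
    "HTTP":  {"default": False, "required_by": ["non-secure LSM"],          "reboot": True},
    "SNMP":  {"default": True,  "required_by": ["SMS", "NMS"],              "reboot": True},
}
DEFAULTS = {name: row["default"] for name, row in SERVERS.items()}


def parse_summary(text):
    """Parse 'SSH: Yes HTTPS: Yes HTTP: No SNMP: Yes' into {name: bool}."""
    found = {}
    # HTTPS is listed before HTTP so the longer name is tried first.
    for name, value in re.findall(r"\b(SSH|HTTPS|HTTP|SNMP):\s*(Yes|No)\b", text):
        found[name] = (value == "Yes")
    missing = sorted(set(SERVERS) - set(found))
    if missing:
        raise ValueError("summary lacks settings for: " + ", ".join(missing))
    return found


def review_change(new, old=None):
    """Compare two server states and summarise the operational impact."""
    old = DEFAULTS if old is None else old
    changed = sorted(name for name in SERVERS if new[name] != old[name])

    # Anything that relies on a server that was just switched off.
    affected = set()
    for name in changed:
        if not new[name]:
            affected.update(SERVERS[name]["required_by"])

    return {
        "changed": changed,
        "reboot_required": any(SERVERS[name]["reboot"] for name in changed),
        "dependents_affected": sorted(affected),
        # The guide labels HTTP as the non-secure LSM path.
        "cleartext_http": new["HTTP"],
    }


if __name__ == "__main__":
    # Constructed summary: HTTPS and SNMP turned off, HTTP turned on.
    summary = "SSH: Yes\nHTTPS: No\nHTTP: Yes\nSNMP: No"
    print(review_change(parse_summary(summary)))
```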
Enable the SNMP agent ('No' disables SMS and NMS access)? [Yes]:y
SSH: Yes
HTTPS: Yes
HTTP: No
SNMP: Yes
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: e

NMS Settings

The NMS Options dialog configures the Network Monitoring System (NMS) settings available for the device. This feature enables monitoring of the device by an NMS, such as HP OpenView.
Additional Configuration Example In this example, the X family device was originally configured in Routed mode, as described in “Network Deployment Configuration” on page 9. In changing to NAT mode, an external virtual interface must also be configured, and you are prompted to do so after selecting NAT mode. The default IP addresses are accepted, and no additional configurations are made.
Line Speed

The line speed setting for the port. A valid entry will meet the following criterion:
• either 10 or 100

Duplex Setting

The duplex setting for the port. A valid entry must be one of the following:
• copper - full or half

Auto Negotiation

The auto negotiation setting determines whether the port will negotiate its speed based on the connection it can make.
Additional Configuration

TO email address

The TO email address is the email address to which alert notifications will be sent. A valid entry must meet the following criteria:
• must be less than 129 characters long
• must be a valid email address. For example: johndoe@mycompany.com

FROM email address

The FROM email address is the address that alert notifications will contain in the from field.
Enter email server IP address []: 1.2.3.4
Enter period (in minutes) that email should be sent (1 - 10080) [1]: 5
To: employee@company.com
From: acme@company.com
Domain: company.com
Email Server: 1.2.3.4
Period (minutes): 5
Enter [A]ccept, [C]hange, or [E]xit without saving [C]: a

After the Setup Wizard

After you have completed the setup wizard, if you have changed from the HTTPS to HTTP server or SNMP, you must reboot.
2 Command Reference Descriptions and usage of CLI commands. Overview The following tables list the CLI commands by functionality, grouped according to the corresponding LSM pages. Some CLI commands do not have corresponding functions in the LSM, and are listed in Table 2–9 on page 27.
Chapter 3 Command Reference Table 2–2: IPS Commands (Continued) LSM Screen Action Sets IPS Services Preferences CLI Command Page conf t notify-contact 58 conf t default-alert-sink 40 show action-sets 87 show conf default-alert-sink 89 show conf notify-contacts 91 show default-alert-sink 93 conf t port 59 show conf port 91 conf t protection-settings 60 conf t tse 67 show conf tse 92 show protection-settings 111 conf t firewall rule 45 show conf firewall rule 89 show firewall
Table 2–3: Firewall Commands (Continued) Web Filtering conf t web-filtering 78 show conf web-filtering 92 show conf web-filtering filter-service 93 show conf web-filtering manual-filter 93 conf t vpn ipsec 74 show conf vpn ipsec 92 show conf vpn ipsec sa 92 show vpn ipsec 117 conf t vpn debug 71 conf t vpn ike 71 show conf vpn ike 92 conf t vpn l2tp 76 show conf vpn l2tp 117 show vpn l2tp 92 conf t vpn pptp 77 show conf vpn pptp 92 show vpn pptp 117 clear log 31 conf t
Chapter 3 Command Reference Table 2–5: Event Commands (Continued) Reports show tse 116 show firewall monitor 94 show firewall rules counters 94 boot 29 conf t autodv 37 show autodv 87 show conf autodv 89 snapshot 118 conf t clock 38 show clock 88 conf t ntp 58 show ntp 111 show timezones 115 conf t sms 66 conf t nms 58 show conf sms 92 show conf nms 91 show sms 115 high-availability 82 conf t high-availability 49 show conf high-availability 90 show high-availabil
Table 2–6: System Commands (Continued) Configuration: Syslog Servers Configuration: Setup Wizard show conf default-alert-sink 89 conf t remote-syslog 62 show conf remote-syslog 91 setup 86 show conf host 64 conf t server 64 show conf server 92 show chassis 87 conf t clock 38 conf t ntp 58 show clock 88 show timezones 115 conf t interface virtual 51 show conf interface virtual 91 conf t zone 80 show conf zone 93 conf t dns 43 show conf dns 89 conf t interface ethernet
Chapter 3 Command Reference Table 2–7: Network Commands (Continued) Configuration: IP Interfaces Configuration: IP Address Groups Configuration: DNS Configuration: Default Gateway Routing DHCP Server Tools conf t interface virtual 51 show conf interface virtual 91 show interface virtual 96 conf t address-group 35 show conf address-group 89 conf t dns 43 show conf dns 89 conf t default-gateway 41 show conf default-gateway 87 conf t routing 63 show conf routing 91 show conf rout
Table 2–8: Authentication Commands (Continued) Privilege Groups RADIUS Preferences conf t authentication privilegegroups 36 show conf authentication privilegegroup 89 conf t authentication radius 36 show conf authentication radius 89 conf t user options 68 ! 28 history 83 alias 28 bugreport 30 cls 33 conf t session 65 show conf session 92 show session 114 exit 81 help 82 logout 83 quit 85 reboot 85 setup 86 show version 117 tree 120 Table 2–9: CLI Commands CLI
!
access: global; all

The ! command executes a command in the history buffer. Use !! to repeat the previous command executed. !# indicates an item number in the history buffer. Use !# to execute command # in the history buffer. See “execute command from history buffer” on page 83 for an example.

alias
access: global; all

The alias command lists and defines abbreviated commands. The command accepts an alias and the string that the alias will represent.
delete an alias
Enter the alias command with an existing alias and no other parameters to delete that alias.
hostname# alias eth

Note: You cannot define an alias for an alias. Every alias must refer directly to a valid CLI command, or to valid command input.

boot
access: local; super, admin

The boot command lists, rolls back to, and removes prior boot images on the device.

Note: The device can store several software images. A minimum of one saved image is required for rollback purposes.
Using the boot command

view available boot images
Enter boot list-image to list all available boot images.
hostname# boot list-image
image1
image2
image3

remove a boot image from the device’s hard disk
Enter boot remove-image image-name to remove a boot image from the device.

roll back to the next most current image
Enter boot rollback to roll back to a previous boot image.
clear
access: global; super, admin

The clear command resets logs or hardware interfaces. The command requires one of the following subcommands.

arp-cache
clears dynamic entries from the Address Resolution Protocol (ARP) cache. ARP is an internet protocol used to map an IP address to a MAC address.

connection-table blocks
clears all connection table block entries.

counter interface
clears interface counters. This command is disabled when the SMS manages the device.
log [alert | audit | block | firewallblock | firewallsession | packet-trace | system | vpn]
clears the specified log or logs. When used without parameters, the command erases all entries in all logs. This command is disabled when the SMS manages the device.

Note: When admin-level users issue the clear log command without parameters, the audit log is not cleared. Only super-user-level users can clear the audit log.
cls

hostname# clear interface

reset the card in slot n
Enter the clear interface command and a slot number to reset the interface card in the specified slot.
hostname# clear interface 2

reset port x on the interface card in slot n
Enter the clear interface command, a slot number, and a port number to reset the specified port.

erase all entries in all logs
Enter the clear log command without any parameters to erase all entries in all logs.
conf t action-set action-set-name threshold threshold-period

The configure terminal action-set command configures new or existing action sets. The following subcommands determine the action that each named action set takes.

allowed-dest [add | remove]
adds or removes a quarantine allowed destination.

apply-only [add | remove]
adds or removes a CIDR from the quarantine apply-only list.

block
creates or modifies an action set that blocks traffic.
configure rename renames the action set. web-block blocks web requests from quarantined hosts. web-page creates an internal web page to display web requests from a quarantined host. web-redirect url redirects web requests from a quarantined host to the URL that you specify. whitelist [add | remove] adds or removes a CIDR from a quarantine whitelist. Whitelisted CIDRs are always permitted. conf t address-groups The configure terminal address-groups commands configure IP address groups for the devices.
delete an IP address group
Use configure terminal address-group remove to delete an IP address group. In this example, the “test” group is deleted:
hostname# conf t address-group remove test

conf t authentication

The configure terminal authentication command configures RADIUS authentication and privilege groups on the device.

privilege-groups remove name
deletes a privilege group.
configure user-authentication < enable | disable > enables or disables RADIUS for user authentication. vpn-clients < enable | disable > enables or disables RADIUS authentication for VPN clients. Using conf t authentication enable RADIUS Use configure terminal authentication radius to enable RADIUS on the device.
conf t category-settings

The configure terminal category-settings command enables and disables filter categories. The command also allows you to assign a specific action set to each category. The following categories can be configured:
• exploits
• identity-theft
• im
• network-equipment
• p2p
• reconnaissance
• security-policy
• spyware
• streaming-media
• traffic-normal
• virus
• vulnerabilities

category disable
disables the filter category.
timezone
sets the timezone for the device.

Tip: Use the show timezones command to view a list of available timezone abbreviations.

Note: You cannot set the time or date on the device while the NTP server is enabled. You can set the time zone.

Using conf t clock

set the system date
Use configure terminal clock date to set the system date. In this example, the date is set to March 30, 2006.
Chapter 3. Command Reference aggregate-alerts enables aggregation of connection flood alerts. Use no aggregate-alerts to disable alert aggregation. cps configures the settings to generate alerts on the number of connections per second. aggregate-alerts enables aggregation of alerts. Use no aggregate-alerts to disable alert aggregation. conf t default-alert-sink The configure terminal default-alert-sink command defines the default email recipient of traffic-triggered alerts.
set email notification server domain name
Use configure terminal default-alert-sink domain to set the email notification server’s domain name.
hostname# conf t default-a domain mycompany.com

conf t default-gateway ip

The configure terminal default-gateway command defines a default gateway for the device. The command configures the default route which is used to direct traffic when the device has no specific route information for the destination.
Chapter 3. Command Reference broadcast enables a central VPN DHCP relay agent that will broadcast DHCP requests received from a VPN tunnel. disable disables DHCP relay. server ip [ relay-from-vpn] sets the device to relay DHCP messages to a DHCP server at the IP address specified. Use the relay-from-vpn option to relay DHCP messages received from a VPN tunnel to the specified DHCP server. tunnel tunnel-name sets the device to relay DHCP messages over the named VPN tunnel.
mapping a static DHCP entry
Use configure terminal dhcp-server static-map add to map a static DHCP entry for a MAC address to the IP address 1.2.3.4:
hostname# conf t dhcp-server static-map add 1.2.3.4 mac 00:22:44:55:66:77

conf t dns

The configure terminal dns command manually configures the DNS server information for the device.

domain-name domain-name [domain-name2 [domain-name3] ]
configures up to three domain names which will be used to resolve DNS lookups.
Chapter 3. Command Reference conf t filter The configure filter command configures a filter’s state and category for action set usage. The available states include disabled and enabled. When you configure a filter, you must know and enter the number for the filter. Only the reset subcommand supports “all” as an option. number [-profile “profile-name”] adaptive-config enables adaptive filtering for the filter. You must enter a filter number.
configure all reset removes all user changes to all filters’ configuration and resets all filters to the default values. conf t firewall alg sip The configure terminal firewall alg sip command configures an application layer gateway (ALG) to permit Session Initiation Protocol (SIP) sessions. sdp-port-range [any | port-range] configures the range of port numbers that SIP sessions can use.
remove id
deletes a firewall rule.

update id
updates or creates a firewall rule with the specified ID. When a new rule is created, permit, block, or web-filter must be specified.

authentication < disable | any | group name >
enables or disables authentication.

bandwidth < disable | < rule | session > guaranteed kbps max kbps pri pri >
restricts the bandwidth.

comment “description”
stores a comment for the rule.

counter-clear
clears counters for the rule.
hostname# conf t firewall rule update 10 permit LAN WAN telnet

update source and destination addresses
Use configure terminal firewall rule update to update source and destination addresses for a firewall rule.
Chapter 3. Command Reference conf t firewall service Use configure terminal firewall service to configure the services that are used by the firewall rules. remove service-name deletes a service. update service-name < tcp | udp | icmp | esp | ah | gre | igmp | ipcomp | number > [port port-number [to port-number] ] creates a service or updates an existing service.
add a service to a service group
Use configure terminal firewall service-group add-service to add a service to a service group. In this example, DNS service is added to the service group named ‘group1’:
hostname# conf t firewall service-group add-service group1 dns-udp

conf t firewall virtual-server

The configure terminal firewall virtual-server command configures a virtual server or servers that will redirect traffic to a physical server on the LAN.
Chapter 3. Command Reference id id-number configures an ID number that will be used when a MAC address conflict occurs. Because MAC address conflicts normally do not occur, the ID number is not required. A standby device must have the same ID number as the active device for which it is on standby. conf t interface The configure terminal interface command configures device interfaces. The command abbreviation is conf t int.
turn auto negotiation on for an Ethernet port
Use configure terminal interface ethernet negotiate to enable auto negotiation for a particular Ethernet port. In this example, auto negotiation is enabled on port 8, slot 2. The port is then restarted.

deactivate an Ethernet port
Use configure terminal interface ethernet shutdown to deactivate an Ethernet port. In this example, port 8, slot 2 is deactivated.
Chapter 3. Command Reference ha-mgmt-ip ip sets the virtual IP address that is used to manage the device in a high availability configuration. idle-disconnect < never | 15m | 30m | 1hr | 4hr > selects the length of period of inactivity after which the interface will disconnect. igmp [enable | disable] [query-interval seconds] [query-timeout seconds] [max-query-time seconds ] enables and configures IGMP.
zone < add | remove > zone-name
adds a security zone to (or removes it from) this virtual interface.

gre id
configures a GRE interface.

igmp [enable | disable] [query-interval secs] [query-timeout secs] [max-query-time secs]
enables and configures IGMP.

local-ip ip-local
configures the IP address of the tunnel. Choose an unused IP address that is routable through your network.

peer-ip ip
configures the IP address of the tunnel on the remote device.

pim-dm < enable | disable >
enables PIM-DM.
Chapter 3. Command Reference zone < add | remove > zone-name adds a security zone to (or removes it from) this virtual interface. A GRE tunnel requires a security zone in order to function. internal id Configures an internal interface. bridge-mode < enable | disable > enables or disables bridge mode. (If bridge mode is enabled, proxy ARP mode is disabled; if bridge mode is disabled, proxy ARP mode is enabled.
configure zone < add | remove > zone-name adds a security zone to (or removes it from) this virtual interface. remove id Deletes an interface. Using conf t interface create a new internal interface Use configure terminal interface virtual int to create a new internal interface.
Chapter 3. Command Reference modify username [password password] [privilege-group group-name] modifies an existing local user. remove username removes the specified user. conf t log audit select The configure terminal log command enables or disables what is contained in the audit log. -all sets the log to gather all information. boot | no boot enables or disables gathering of boot information for the system. configuration | no configuration enables or disables gathering of configuration information.
configure oam | no oam enables or disables gathering of OAM information. policy | no policy enables or disables gathering of policy information. report | no report enables or disables gathering of report information. segment | no segment enables or disables gathering of segment information, such as port and system settings per segment of a device. server | no server enables or disables gathering of server information. sms | no sms enables or disables gathering of SMS information.
Chapter 3. Command Reference before a problem occurs. A critical threshold should be set to a value to warn you before a problem causes damage. disk [-major <60-100>] [-critical <60-100>] sets the threshold for warnings about the disk usage of the device hard disk. memory [-major <60-100>] [-critical <60-100>] sets the threshold for device memory usage warnings. temperature [-major <40-80>] [-critical <40-80>] sets the threshold for device temperature warnings.
duration minutes
interval at which the X family device will check with the time server.

enable
turns on NTP timekeeping.

fast < enable | disable >
enables the device to trust the NTP server after the first time query. This sets the local time on the device immediately, but there is a risk that the set time will be incorrect.

offset seconds
If the difference between the new time and the current time is equal to or greater than the offset, the new time is accepted by the device.
Chapter 3. Command Reference add-pair [in name | out name] adds a security zone pairing to a profile. delete deletes an existing profile. description description-string enters a description for the profile. remove-pair [in name | out name] removes a security zone pairing from a profile. rename profile-name renames an existing profile. security creates a security profile.
configure app-limit creates an apply-only restriction for Application Protection and Infrastructure Protection filters. add -profile profile-name srcIP destIP adds a global exception for an entered source or destination IP address according to profile. remove -profile profile-name srcIP destIP removes a global exception for an entered source or destination IP address according to profile. perf-limit creates an apply-only restriction for Performance Protection filters.
Chapter 3. Command Reference sync-interval < alert | audit | block | firewallblock | firewallsession | sys | vpn > seconds sets the synchronization interval in seconds for the specified file. A value of 0 means all writes to that file are immediately written to the hard disk.
Using conf t remote-syslog

designate a system to receive remote syslog messages
Use configure terminal remote-syslog upd IP-address to designate a remote syslog system. In this example, the remote syslog system is configured on the IP address 1.2.3.4.
hostname# conf t remote-syslog upd 1.2.3.4 514

stop sending syslog messages to a remote system
Use configure terminal remote-syslog delete to stop sending syslog messages to a remote system.
hostname# conf t remote-syslog delete 1.2.3.
enable PIM-DM
Use configure terminal routing to globally enable PIM-DM.
hostname# conf t routing multicast pim-dm enable

conf t server

The configure terminal server command activates and deactivates communications services on the device.

Note: When you turn HTTP or HTTPS on or off, you must reboot the device before changes will take effect.

CAUTION: The conf t server command activates HTTP. HTTP is not a secure service.
enable technical support diagnostic access
Use configure terminal service-access to enable technical support diagnostic access to the device.
hostname# conf t service-access

disable technical support diagnostic access
Use configure terminal no service-access to disable technical support diagnostic access to the device.
hostname# conf t no service-access

conf t session

The configure terminal session command configures the display of the CLI session on your management terminal.
hostname# conf t session timeout 25
hostname# show session
Current Session Settings
Terminal Type = Console
Screen width = 80
Screen height = 40
Hard wrap = Enabled
More = Enabled
Session Timeout = 25

conf t sms

The configure terminal sms command enables or disables SMS management of the device and configures communications with the SMS.

conf t no sms
turns off SMS management and restores local control to the device.
enable remote deployment
Use conf t sms remote-deploy to enable configuration of the device by a remote SMS. In the first example, the device will be configured by the SMS with the IP address 111.222.34.200:
hostname# conf t sms remote-deploy 111.222.34.200

In the next example, configuration by primary and secondary SMS devices is enabled. The primary SMS IP address is 111.222.34.200, and the secondary SMS IP address is 111.222.34.201:
hostname# conf t sms remote-deploy 111.222.34.200 111.222.
Chapter 3. Command Reference add username adds a user account to the system. You can add the password and role for the account with the following flags. -password password enters a password for the account. If you do not include the password on the command line, you will be prompted for the password after entering the configure terminal user add command. Note: Do not use quotation marks in passwords.
configure disable disables the account when expire-period is reached. A super-user must re-enable the account. expire expires the account when expire-period is reached. The user must enter a new password when logging on. notify nothing is done to the account. The user is notified that the account is expired and the user should change the password expire-period days sets the period of time in days that account passwords are valid. The expire-action setting controls what happens next to the account.
user remove username removes a user account.

Using conf t user

add a new user
Use configure terminal user add to add a new user. In this example, the user kwalker is added with the password tap2-tap2:
hostname# cft user add kwalker -role super -password tap2-tap2

enable a user who has been locked out
Use cft user enable to enable a user who has been locked.
locks out an account for three minutes
Use cft user option lockout-period to set the number of minutes that a user is locked out after the maximum number of failed login attempts. In this example, the lockout period is 3 minutes:
hostname# cft user option lockout-period 3

locks out an account after five attempts
Use cft user option max-attempts to set the maximum number of failed login attempts on user accounts.
Chapter 3. Command Reference auto-connect-phase2 < enable | disable > enables phase 2 auto-connect. Use auto-connect if you want to initiate the VPN on startup with IKE phase 2 proposals automatically established. Note: To enable phase 2 auto-connect, phase 1 autoconnect (auto-connect enable) must also be enabled. ca-cert < any | certificate-name > specifies the name of the CA certificate, if you are using certificates for authentication. dpd < enable | disable > enables dead peer detection.
configure phase1-lifetime < 600–999999 > selects the length of time in seconds you want the Security Association to last before new authentication and encryption keys must be exchanged (between 600 and 999999 seconds, default 28800). phase2-dh-group < 1 | 2 | 5 > selects the Diffie-Hellman group number for IKE phase 2. phase2-encryption < null | des-cbc | 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 > configures encryption for IKE phase 2.
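As an added example (not part of the 3Com reference or of the device software), the Python below checks a set of IKE proposal options against the value ranges listed above and against the rule that phase 2 auto-connect needs phase 1 auto-connect. The one-option-per-line input format, the function names and the weak-setting policy are assumptions of this example.

```python
# Added example: audit IKE proposal options against the values this reference lists.
# The input format and the weak-setting policy are assumptions of this example.

# Allowed values, taken from the option descriptions in the reference.
PHASE2_ENCRYPTION = ("null", "des-cbc", "3des-cbc",
                     "aes-cbc-128", "aes-cbc-192", "aes-cbc-256")
PHASE2_DH_GROUPS = ("1", "2", "5")
LIFETIME_MIN, LIFETIME_MAX = 600, 999999

# Example policy (assumption): settings to flag as weak, with the reason.
WEAK_ENCRYPTION = {
    "null": "traffic is not encrypted",
    "des-cbc": "56-bit key",
    "3des-cbc": "64-bit block size",
}
WEAK_DH_GROUPS = {"1": "768-bit MODP group", "2": "1024-bit MODP group"}

# Constructed sample input, not output captured from a device.
SAMPLE_WEAK = """\
# branch-office proposal (constructed)
auto-connect disable
auto-connect-phase2 enable
phase1-lifetime 300
phase2-dh-group 2
phase2-encryption des-cbc
"""

SAMPLE_HARDENED = """\
auto-connect enable
auto-connect-phase2 enable
phase1-lifetime 28800
phase2-dh-group 5
phase2-encryption aes-cbc-256
"""


def parse_options(text):
    """Parse 'option value' lines into a dict; '#' starts a comment."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, value = line.partition(" ")
            options[name] = value.strip()
    return options


def audit_proposal(options):
    """Return (severity, option, message) findings in a fixed order."""
    findings = []

    # Phase 2 auto-connect only works when phase 1 auto-connect is enabled.
    if (options.get("auto-connect-phase2") == "enable"
            and options.get("auto-connect") != "enable"):
        findings.append(("invalid", "auto-connect-phase2",
                         "requires auto-connect enable"))

    # Lifetime must be a whole number of seconds inside the documented range.
    lifetime = options.get("phase1-lifetime")
    if lifetime is not None:
        if (not lifetime.isdecimal()
                or not LIFETIME_MIN <= int(lifetime) <= LIFETIME_MAX):
            findings.append(("invalid", "phase1-lifetime",
                             f"{lifetime} is outside {LIFETIME_MIN}-{LIFETIME_MAX}"))

    # Enumerated options: reject unknown values, flag weak ones.
    for name, allowed, weak in (
            ("phase2-dh-group", PHASE2_DH_GROUPS, WEAK_DH_GROUPS),
            ("phase2-encryption", PHASE2_ENCRYPTION, WEAK_ENCRYPTION)):
        value = options.get(name)
        if value is None:
            continue
        if value not in allowed:
            findings.append(("invalid", name, f"unknown value {value}"))
        elif value in weak:
            findings.append(("weak", name, f"{value}: {weak[value]}"))
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label)
        for finding in audit_proposal(parse_options(sample)):
            print("  ", *finding)
```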
Chapter 3. Command Reference name an IKE proposal and enter its context Use configure terminal vpn ike proposal to create an IKE proposal, which also opens the context for that proposal.
configure key selects and configures the keying mode. Some options are only valid on the High Encryption agent, which can be downloaded from the TMC. manual incoming-spi spi outgoing-spi spi encryption < des-cbc | 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 > authentication encryption-key key auth-key key configures manual mode. ike proposal proposal-name [shared-secret secret] [ peer-id id] configures IKE proposal.
Chapter 3. Command Reference remote < default-route | dhcp | group group-name | subnet ip netmask netmask | range ip1 ip2 > select the destination IP addresses that can be reached over this IPSec tunnel by specifying an IP address group, subnet, or range. Choose default-route if this device uses this IPSec tunnel as its default route for all network traffic that does not have a more specific route. Choose dhcp if the remote device receives IP addresses by DHCP over this IPSec tunnel.
configure addresses < radius | group name | none > configures how L2TP addresses are assigned. Either specify none, specify a RADIUS server, or specify an IP address group from which to have addresses assigned. disable disables the L2TP server. dns < relay | server-ip-1 [server-ip-2] > configures DNS servers. Use relay if you want the device to act as a proxy-DNS server (DNS relay), passing DNS queries to its configured DNS servers. You can also specify up to two DNS server IP addresses.
Chapter 3. Command Reference disable disables the PPTP server. dns < relay | server-ip-1 [server-ip-2] > configures DNS servers. Use relay if you want the device to act as a proxy-DNS server (DNS relay), passing DNS queries to its configured DNS servers, or specify up to two DNS server IP addresses. enable enables the PPTP server. encryption < disable | enable > enables Microsoft Point-to-Point Encryption. logout username [ip] logs out the named user or the named IP address.
configure filter-action < block | log | block-and-log > specifies the actions that occur when a web request is filtered. The device can block web requests, log them in the device’s system log, or both block and log them. Filtering actions apply to both the filtering service and manual filtering mode. filter-service cache configures the web filter cache. expiry hours configures the number of hours that the web filter cache will retain web pages.
Chapter 3. Command Reference conf t zone Use the configure terminal zone command to create and configure security zones on the device. add zone-name adds the named security zone. remove zone-name deletes a security zone. update zone-name updates the named security zone. addresses < disable | group group-name | subnet ip netmask mask | range ip1 ip2 > specifies the devices that are permitted inside a security zone by group, subnet, or IP address range.
debug debug access: super user Most debug commands should only be used when you are instructed to do so by technical support, but some commands can be useful in managing the device. factory-reset The debug factory-reset command returns the device to its factory defaults. CAUTION: Use this command only when instructed to do so by technical support. log syslog The debug log syslog command is used to review syslog server settings. audit ip reviews the settings of the audit log on the syslog server.
Chapter 3. Command Reference hostname# halt access: local; super-user, admin The halt command shuts down the device. seconds instructs the device to wait from 0-3600 seconds before initiating the halt sequence. now instructs the device to halt immediately. shut down X Family device Use halt to shut down the device.
history force standby forces the device into Standby state. history access: global; all The history command displays the last 30 commands typed from the command line. The command abbreviation is hist. The history command can be used in combination with the ! command to execute a command in the history buffer. Using history view history (command) buffer Use history to view the commands in the history buffer.
hostname# logout

ping
access: global; all
The ping command tests whether you can reach a particular IP address and how long it takes to receive a reply.
ip selects the destination IP address.
count the number of packets to send.
-d specifies reverse DNS lookup on responding IP address.
-i specifies the interval between packets.
-q suppresses statistics.
-R records the route.
-t specifies the TTL to use.
-v sets verbose format.
quarantine
access: global; all
The quarantine command displays a list of quarantined hosts, and is used to add hosts to or remove hosts from the list.
add ip "action-set" adds a device to the list of quarantined devices.
empty removes all devices from quarantine.
list [filter ip] lists all devices that are quarantined, or those quarantined within a particular range of IP addresses that you specify using filter.
remove ip removes the device at the specified IP address from quarantine.
now instructs the device to reboot immediately.

Using reboot

reboot the device
Use the reboot command to reboot the system. You will be asked to confirm the command. Enter Y to proceed with the reboot, or enter N to cancel the reboot.
hostname# reboot
Are you sure you want to reboot the system? : Y
Broadcast message from kscanlon
Rebooting local processor in 5 seconds...
show show action-sets The show action-sets command lists the action sets. hostname# show action-sets Action Set Name Action TCP Reset ---------------------------Block+Notify+Trace Block Block Block Recommended Category Dependent Block + Notify Block Permit+Notify+Trace Permit Permit + Notify Permit Pkt Trace --------Enabled Channel ------Management Console Enabled Management Console Management Console Management Console show arp The show arp command shows the link level ARP table.
Chapter 3. Command Reference SLT1 Management Processor Simplex SLT3 Port Health Simplex SLT5 Threat Suppression Eng Simplex show all slots with more detail Active Active Active No Info No Info No Info No Info No Info No Info Use show chassis -details to show the status of a single module with more detail.
show Show configuration commands can be used to feed configuration information back to the console. Without parameters, the command shows the system’s configuration. action-set lists all action sets that have been defined for this device. Can be changed with conf t action-set action-set-name threshold threshold-period. address-group shows the configuration of the address group or groups. Can be changed with conf t address-groups. authentication [radius | privilege-group] shows authentication configuration.
Chapter 3. Command Reference alg shows the application layer gateway (ALG). alg sip show the Session Initiation Protocol (SIP) sessions. rule [id] [from src] [to dst] shows firewall rules. Enter a rule ID to display a single rule. The value of src or dst can be “this-device” to indicate the local device. schedule shows firewall schedules. service shows firewall services. service-group shows firewall service groups. virtual-servers shows firewall virtual servers.
show settings shows the persistent configuration settings for MDI-detection and the Ethernet polling interval setting. virtual shows settings for all virtual interfaces. log shows the persistent configuration of the audit log. Can be changed with conf t log audit select. monitor shows the persistent configuration of monitor thresholds. Can be changed with conf t monitor. nms shows the NMS settings for community string, IP address, and port. Can be changed with conf t nms.
Chapter 3. Command Reference server shows the persistent configuration of ssh, telnet, http, and https servers on the device. Can be changed with conf t server. service-access shows whether service-access is enabled or not. Can be changed with conf t service-access. session shows default session timeout for all sessions. Can be changed with conf t session. Note: show conf session does not show session settings because session settings are not persistent.
show filter-action shows the filter actions. filter-service shows the configuration of the filtering service. manual-filter shows the configuration of the manual filter. zone shows the configuration for a Security Zone. Using show conf show user options to be read in as commands Use show conf user to list the user options.
Chapter 3. Command Reference show filter number The show filter command shows filter data for a specific filter. Specify the filter by number. show firewall monitor The show firewall monitor command shows data usage for clients, services, and Web sites. clients shows client data usage. services shows service data usage. websites shows Web site data usage. Using show firewall monitor monitoring Web site data usage Use show firewall monitor websites to show data usage statistics from Web sites.
show show health The show health command shows memory, disk usage, temperature, and thresholds of the device. Use the show health command without parameters to see all health statistics, or with one of the parameters to see only memory or disk usage. disk-space shows current disk space usage for the /boot, /log, /usr, and /opt disk partitions.
Chapter 3. Command Reference show high-availability The show high-availability command shows the status of failover high availability: active, disabled, or standby. show interface The show interface command shows port type and status information. Use show interface without any options to show all ports. Use the ethernet, mgmtEthernet, or vnam options to show types of ports or individual ports.
show TX TX TX TX show status of a Ethernet port Unicast Pkts Multicast Pkts Broadcast Pkts Total Pkts 0 0 0 0 Slot/Port Type MTU Link Speed Duplex RX Unicast Pkts RX Multicast Pkts RX Broadcast Pkts RX Error Pkts RX Discards RX Unknown Protocols RX Total Pkts TX Unicast Pkts TX Multicast Pkts TX Broadcast Pkts TX Total Pkts 7/2 GigabitEthernet 1500 down(2) 1000 Half(2) 0 0 0 0 0 0 0 0 0 0 0 Slot/Port Type Internet Address Subnet Mask MAC Address Link 7/1 VNAM 0.0.0.0 0.0.0.
Chapter 3. Command Reference show status of a mgmt Ethernet port Use show interface mgmtEthernet to show the status of the Management Ethernet port. hostname# show int mgmt Slot/Port Type Internet Address Subnet Mask MAC Address MTU Link Speed RX Unicast Pkts RX Non-Unicast Pkts RX Error Pkts RX Discards RX Unknown Protocols RX Total Pkts TX Unicast Pkts TX Non-Unicast Pkts TX Total Pkts 1/1 Ethernet 192.168.65.14 255.255.255.
show Common show log command flags The different X family logs have a number of command flags that are common to all logs. -c clears the screen before displaying log entries. -end-time < yyyyyymmdd | hh:mm:ss | “yyyyyymmdd hh:mm:ss”> filters out log entries timestamped after yyyyyymmdd, hh:mm:ss , or “yyyyyymmdd hh:mm:ss”. -match shows only those log entries that match a specified pattern, similar to a file grep. -max-records <1-65535> shows the first 1 to 65535 records in the log.
Chapter 3. Command Reference -status < PASS | FAIL > displays only records with pass or fail status. -ip ip displays log records reflecting access from the specified IP address [WEB,CLI, SNMP, OTHER] displays records based on the interface through which the device was accessed. block displays block log entries.
show vpn displays a log of VPN sessions, events, and alerts. -module module-name displays records according to the module name. Refer to the log entries for module names. -loglevel [ CRIT | ERR | WARN | INFO | OTHER ] displays records according to the log level. show mfg-info The show mfg-info command displays the serial number, model number, MAC address, and other manufacturing information for the device. show np The show np command displays various network processor statistic sets.
protocol-mix displays protocol specific statistics broken down by layer.
reassembly displays the specified reassembly statistics.
  ip displays the IP reassembly statistics.
  tcp displays the tcp reassembly statistics.
rsp displays the Routing Switch Processor statistics.
rule-stats displays the top 20 filters and associated success rates.
softlinx displays statistical data for internal hardware/software engines.
show tier-stats displays general statistics with percentages for tier performance. • Tier 1 — Hardware tier. The ratio displays the amount of traffic directed at the management processor. • Tier 2 — PCI bus to the management CPU. The ratio displays the percentage of data that passed soft linx. • Tier 3 — Management CPU. The ratio displays the percentage of traffic that is actionable. xslcounters values displays the persistent values for the network processor xslcounters.
Bad TCP flags = 0
Bad UDP total len = 0
Bad ICMP total len = 0
Bad ARP addr type = 0
Bad ARP addr len = 0

show np engine packet statistics
Use show np engine with the packet parameter to view the network processor packet statistics.
show show np engine parser statistics Use show np engine with the parse parameter to view the network processor parser statistics.
Chapter 3. Command Reference show np fast pattern processor statistics Use show np with the fpp parameter to view the network processor fast pattern processor statistics.
show show np linx statistics Use show np linx to view the network processor linx statistics.
Frag 001 = 0
Frag 011 = 0
Frag 100 = 0
Frag 101 = 0
Frag 111 = 0
Frag OFS = 0
Same IP addr = 0
Same port = 0
TCP DLEN = 0

show np ip reassembly statistics
Use show np reas ip to view the network processor IP (internet protocol) reassembly statistics.
show np routing switch processor statistics

Flows pulled up = 0
Flows max active = 0
Frags max active = 0

Reasons for Dropping Flow:
Could not allocate flow = 0
No mem for flow = 0
Expired flows due to old age = 0
Expired flows due to early retirement = 0
Expired frags due to old age = 0
Found missing sequence = 0
Saw pre-sequence = 0
Matched category = 0
Bypass/throttle on = 0

Reasons for Returning: Bad TCP checksum TTL too small TCP resend No trigger Reroute w/o flow (orphan) = = = = = 0 0 0
Chapter 3. Command Reference Blocks discarded ROB = 0 RSP LPORTs and Schedulers: blksLeft pdusPassd 0: 0: 0 0 0 0 0 0 0 0 0 0 0 - LPORT 31: SCH 0: 0 0 0 0 0 0 0 0 0 0 0 - LPORT SCH show np tierstats tttsPassd pdusDiscrd tttsDiscrd Use show np tier-stats to view the tier statistics. hostname# show np tier-stats Tier 1: Receive Mpbs = 56 Transmit Mpbs = 56 Receive pkts/sec = 14268 Maximum pkts/sec = 27355 Bytes/packet avg = 494 Utilization = 3 % Ratio to next tier = 62.
show np xslcounters values
Use show np xslcounters values to view the network processor xslcounter values.
hostname# show np xslcounters values
Slot timestamp  synCount   estCount   activeCount
---- ---------- ---------- ---------- -----------
3    5946554    0          0          0

show ntp
Use show ntp to view the current NTP status. You must use this command with one of the following subcommands.
sessions displays information about the current NTP session.
status displays the current clock and NTP status.
Chapter 3. Command Reference show ramdisk The show ramdisk command displays information on the RAM disk of the device. files shows the RAM disk files and sizes. stats shows the statistics of RAM disk size and usage, the sync interval countdown, and information regarding log files stored on the RAM. Using show ramdisk show RAM disk files Use show ramdisk files to view the current files and file sizes for RAM disk.
show /ramLog/log/audit/audit.log 30 11 FALSE 37 /ramLog/log/audit/audit.log.1 30 10 FALSE 0 /ramLog/log/block/block.log -1 0 TRUE 73 /ramLog/log/block/block.log.1 -1 0 FALSE 0 /ramLog/log/alert/alert.log -1 0 TRUE 2 /ramLog/log/alert/alert.log.1 -1 0 FALSE 0 /ramLog/log/peer/peer.log -1 0 FALSE 0 /ramLog/log/peer/peer.log.1 -1 0 FALSE 0 ------------------------------------------------------------- 21 1 0 0 0 0 0 0 1.76 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.03 0.00 0.06 0.00 0.00 0.00 0.00 0.00 0.02 0.
show routing table
Use show routing table to view the routing table.
hostname# show routing table
Destination       Subnet Mask       Nexthop
----------------- ----------------- -----------
127.0.0.0         255.0.0.0         127.0.0.1
192.168.1.0       255.255.255.0     192.168.1.254
192.168.2.0       255.255.255.0     192.168.2.254
10.245.230.224    255.255.255.224   10.245.230.239
Default           0.0.0.0           10.245.230.225
10.245.230.239    255.255.255.255   127.0.0.1
192.168.1.254     255.255.255.255   127.0.0.1
192.168.2.254     255.255.255.255   127.0.
show show sms The show sms command indicates if the device is under the control of an SMS. If it is under SMS control, it displays the SMS IP address. show sms status hostname# show sms Device is not under SMS control. show timezones The show timezones command lists all time zones that can be used when configuring the system clock.
Chapter 3. Command Reference show tse The show tse command displays information about the Threat Suppression Engine. adaptive-filter top-ten displays the top ten adaptive filters that are currently in use to reduce congestion on the Threat Suppression Engine (TSE). connection-table displays the connection-table information for the Threat Suppression Engine (TSE). blocks displays the blocked streams in the connection table. timeout displays the global timeout setting for the connection table.
show -------------------------------- ------------- -------------------- -------- -------- -------------------admin super-user 2003-08-28 13:39:10 Enabled 0 - show version The show version command displays the version of the device, the serial number, and the vulnerability filter package that is currently running. It also lists the model that you have, when it was last booted, and how long it has been running since the last boot.
Logged In: 0:00:55

show web-filter category [url]
Use the show web-filter category command to show the filtering categories. Enter a specific URL to see what category it falls under.

show Web filter category
hostname# show web-filter category www.google.com
'www.google.com' belongs to category: Search Engines

snapshot
access: global; super-user, admin
The snapshot command creates and manages snapshots of the system’s configuration settings.
traffic-capture -F specifies that the packet not be fragmented. This stops the traceroute from being fragmented as it is passed through various routes, allowing you to calculate the maximum MTU size. Note: This option is not supported when performing a UDP traceroute. -f sets the starting TTL. -I specifies ICMP ECHO instead of UDP probe. -m specifies the maximum number of hops. -n prints hop addresses numerically. -p sets the base UDP port.
Chapter 3. Command Reference file the name of the file that you want to export. list lists all the traffic capture files that have been saved to date. remove filename removes a packet capture file. start filename zone-pair initiates the traffic capture between the designated zone pair and saves the capture to the specified file name. Traffic can only be captured between the zone pairs that are defined in the security zone profiles.
who The -syntax option adds syntax information to the command tree. view tree (command hierarchy) Use tree to view the command tree. view tree (command hierarchy) with syntax notation Use tree -syntax to view the command tree with syntax notation.
whoami
access: global; all
The whoami command lists the username, access role, and current path of the logged in user.

list your user information
hostname# whoami
User name: sysadmin
Role: super-user
SSH: 1.2.3.4
Login: 2003-08-26 11:56:06
4 Navigation

Describes the X family Command Line Interface. This chapter details how to log in, issue commands, and use the CLI.

Overview
The Command Line Interface (CLI) is a standard embedded system command line interface that enables you to perform hardware configuration, software configuration, and monitoring activities.

Logging in to the CLI
Log in to the CLI using an SSH session.
Chapter 4. Navigation

Navigation
The X family Command Line Interface offers the following features:
• Command Types
• Hierarchical Submenus
• Command Hints
• Command Completion
• Command Help
• Command Aliases
Each of these features is described below.

Command Types
The CLI has two types of commands.
• Global commands: Available from within any menu level in the CLI. Global commands do not report on or change configuration items.
• Hierarchical commands: Available only within a menu or submenu.
Command Hints
On each command level, you can view the hierarchical commands available at that level by typing a question mark (?). For example, when you are at the top level of the CLI:
hostname# ?

Table 4–1: Command Hints
Command     Description
boot        Configures the OS image with which you want to boot.
bugreport   Sends bug report email to designated destination
configure   Configures hardware and software parameters.
halt        Halts system.
Chapter 4. Navigation Command Help At the CLI prompt, you can access the help topics for commands.
To see edit keys, type help edit:
hostname# help edit
Available editing keystrokes
Delete current character.....................Ctrl-d
Delete text up to cursor.....................Ctrl-u
Delete from cursor to end of line............Ctrl-k
Move to beginning of line....................Ctrl-a
Move to end of line..........................Ctrl-e
Get prior command from history...............Ctrl-p
Get next command from history................Ctrl-n
Move cursor left.............................
An alias that defines an entire command string can only be used to replace that command string, while an alias that defines a part of a command or a command parameter can be combined with additional command parameters.
Console Settings
Tip: For best viewing, be sure to set your terminal software’s row and column settings to match your CLI session’s row and column settings.